Merge branch 'master' into staging/rails-4.0

Conflicts:
	Gemfile.lock

Author: mbuck-r7

Gemfile.lock

@@ -56,7 +56,7 @@ PATH
       bcrypt
       jsobfu (~> 0.2.0)
       json
-      meterpreter_bins (= 0.0.17)
+      meterpreter_bins (= 0.0.18)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -152,7 +152,7 @@ GEM
     json (1.8.2)
     mail (2.6.3)
       mime-types (>= 1.16, < 3)
-    meterpreter_bins (0.0.17)
+    meterpreter_bins (0.0.18)
     method_source (0.8.2)
     mime-types (2.4.3)
     mini_portile (0.6.2)

data/meterpreter/ext_server_networkpug.lso

@@ -1,6 +1,7 @@
 #!/usr/bin/python
 import code
 import os
+import platform
 import random
 import select
 import socket
@@ -141,6 +142,8 @@
 TLV_TYPE_MIGRATE_PID           = TLV_META_TYPE_UINT    | 402
 TLV_TYPE_MIGRATE_LEN           = TLV_META_TYPE_UINT    | 403
 
+TLV_TYPE_MACHINE_ID            = TLV_META_TYPE_STRING  | 460
+
 TLV_TYPE_CIPHER_NAME           = TLV_META_TYPE_STRING  | 500
 TLV_TYPE_CIPHER_PARAMETERS     = TLV_META_TYPE_GROUP   | 501
 
@@ -566,6 +569,36 @@ def handle_dead_resource_channel(self, channel_id):
 		pkt  = struct.pack('>I', len(pkt) + 4) + pkt
 		self.send_packet(pkt)
 
+	def _core_machine_id(self, request, response):
+		serial = ''
+		machine_name = platform.uname()[1]
+		if has_windll:
+			from ctypes import wintypes
+
+			k32 = ctypes.windll.kernel32
+			sys_dir = ctypes.create_unicode_buffer(260)
+			if not k32.GetSystemDirectoryW(ctypes.byref(sys_dir), 260):
+				return ERROR_FAILURE_WINDOWS
+
+			vol_buf = ctypes.create_unicode_buffer(260)
+			fs_buf = ctypes.create_unicode_buffer(260)
+			serial_num = wintypes.DWORD(0)
+
+			if not k32.GetVolumeInformationW(ctypes.c_wchar_p(sys_dir.value[:3]),
+					vol_buf, ctypes.sizeof(vol_buf), ctypes.byref(serial_num), None,
+					None, fs_buf, ctypes.sizeof(fs_buf)):
+				return ERROR_FAILURE_WINDOWS
+			serial_num = serial_num.value
+			serial = "{0:04x}-{1:04x}".format((serial_num >> 16) & 0xFFFF, serial_num & 0xFFFF)
+		else:
+			for _, _, files in os.walk('/dev/disk/by-id/'):
+				for f in files:
+					if f[:4] == 'ata-':
+						serial = f[4:]
+						break
+		response += tlv_pack(TLV_TYPE_MACHINE_ID, "%s:%s" % (serial, machine_name))
+		return ERROR_SUCCESS, response
+
 	def _core_loadlib(self, request, response):
 		data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
 		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:

data/meterpreter/ext_server_sniffer.lso

@@ -536,6 +536,7 @@ def self.dump_sessions(framework, opts={})
       ]
 
     columns << 'Via' if verbose
+    columns << 'PayloadId' if verbose
 
     tbl = Rex::Ui::Text::Table.new(
       'Indent'  => indent,
@@ -555,7 +556,11 @@ def self.dump_sessions(framework, opts={})
       if session.respond_to? :platform
         row[1] += " " + session.platform
       end
-      row << session.via_exploit if verbose and session.via_exploit
+
+      if verbose
+        row << session.via_exploit.to_s
+        row << session.payload_uuid.to_s
+      end
 
       tbl << row
     }
@@ -566,7 +571,7 @@ def self.dump_sessions(framework, opts={})
   # Dumps the list of running jobs.
   #
   # @param framework [Msf::Framework] the framework.
-  # @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH 
+  # @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH
   #   and start time, if they exist, for each job.
   # @param indent [Integer] the indentation amount.
   # @param col [Integer] the column wrap width.

data/meterpreter/ext_server_stdapi.lso

@@ -124,6 +124,11 @@ def infer_vuln_from_session(session, wspace)
         mod_fullname = session.via_exploit
       end
       mod_detail = ::Mdm::Module::Detail.find_by_fullname(mod_fullname)
+      if mod_detail.nil?
+        # Then the cache isn't built yet, take the hit for instantiating the
+        # module
+        mod_detail = framework.modules.create(mod_fullname)
+      end
       mod_name = mod_detail.name
 
       vuln_info = {

data/meterpreter/meterpreter.py

@@ -198,6 +198,9 @@ def create_session(conn, opts={})
       # and any relevant information
       s.set_from_exploit(assoc_exploit)
 
+      # Pass along any associated payload uuid if specified
+      s.payload_uuid = opts[:payload_uuid] if opts[:payload_uuid]
+
       # If the session is valid, register it with the framework and
       # notify any waiters we may have.
       if (s)

data/meterpreter/msflinker_linux_x86.bin

@@ -215,17 +215,25 @@ def lookup_proxy_settings
   #
   def on_request(cli, req, obj)
     resp = Rex::Proto::Http::Response.new
+    info = process_uri_resource(req.relative_resource)
+    uuid = info[:uuid] || Msf::Payload::UUID.new
 
-    print_status("#{cli.peerhost}:#{cli.peerport} Request received for #{req.relative_resource}...")
+    # Configure the UUID architecture and payload if necessary
+    uuid.arch      ||= obj.arch
+    uuid.platform  ||= obj.platform
 
-    uri_match = process_uri_resource(req.relative_resource)
+    print_status "#{cli.peerhost}:#{cli.peerport} Request received for #{req.relative_resource}... (UUID:#{uuid.to_s})"
+
+    conn_id = nil
+    if info[:mode] && info[:mode] != :connect
+      conn_id = generate_uri_uuid(URI_CHECKSUM_CONN, uuid)
+    end
 
     self.pending_connections += 1
 
     # Process the requested resource.
-    case uri_match
-      when /^\/INITPY/
-        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+    case info[:mode]
+      when :init_python
         url = payload_uri(req) + conn_id + '/'
 
         blob = ""
@@ -256,10 +264,10 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
+          :payload_uuid       => uuid
         })
 
-      when /^\/INITJM/
-        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+      when :init_java
         url = payload_uri(req) + conn_id + "/\x00"
 
         blob = ""
@@ -283,11 +291,11 @@ def on_request(cli, req, obj)
           :url                => url,
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
-          :ssl                => ssl?
+          :ssl                => ssl?,
+          :payload_uuid       => uuid
         })
 
-      when /^\/A?INITM?/
-        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+      when :init_native
         url = payload_uri(req) + conn_id + "/\x00"
 
         print_status("#{cli.peerhost}:#{cli.peerport} Staging connection for target #{req.relative_resource} received...")
@@ -323,13 +331,12 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
+          :payload_uuid       => uuid
         })
 
-      when /^\/CONN_.*\//
+      when :connect
         resp.body = ""
-        # Grab the checksummed version of CONN from the payload's request.
-        conn_id = req.relative_resource.gsub("/", "")
-
+        conn_id = req.relative_resource
         print_status("Incoming orphaned or stageless session #{conn_id}, attaching...")
 
         # Short-circuit the payload's handle_connection processing for create_session
@@ -340,10 +347,11 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
+          :payload_uuid       => uuid
         })
 
       else
-        print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{uri_match} #{req.inspect}...")
+        print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{req.relative_resource} #{req.inspect}...")
         resp.code    = 200
         resp.message = "OK"
         resp.body    = datastore['HttpUnknownRequestResponse'].to_s