pull in GUID fixes from rapid7#8818

Brent Cook · Brent Cook · commit c365db135af0 · 2017-09-07T01:39:49.000-05:00
diff --git a/lib/rex/post/meterpreter/packet.rb b/lib/rex/post/meterpreter/packet.rb
@@ -129,6 +129,12 @@ module Meterpreter
 LOAD_LIBRARY_FLAG_EXTENSION = (1 << 1)
 LOAD_LIBRARY_FLAG_LOCAL     = (1 << 2)
 
+#
+# Sane defaults
+#
+GUID_SIZE = 16
+NULL_GUID = "\x00" * GUID_SIZE
+
 ###
 #
 # Base TLV (Type-Length-Value) class
@@ -670,13 +676,10 @@ class Packet < GroupTlv
   ###
 
   XOR_KEY_SIZE = 4
-  SESSION_GUID_SIZE = 16
   ENCRYPTED_FLAGS_SIZE = 4
   PACKET_LENGTH_SIZE = 4
   PACKET_TYPE_SIZE = 4
-  PACKET_HEADER_SIZE = XOR_KEY_SIZE + SESSION_GUID_SIZE + ENCRYPTED_FLAGS_SIZE + PACKET_LENGTH_SIZE + PACKET_TYPE_SIZE
-
-  SESSION_NULL_GUID = "\x00" * SESSION_GUID_SIZE
+  PACKET_HEADER_SIZE = XOR_KEY_SIZE + GUID_SIZE + ENCRYPTED_FLAGS_SIZE + PACKET_LENGTH_SIZE + PACKET_TYPE_SIZE
 
   AES_IV_SIZE = 16
 
@@ -804,7 +807,7 @@ def aes_decrypt(key, iv, data)
   def to_r(session_guid = nil, key = nil)
     xor_key = (rand(254) + 1).chr + (rand(254) + 1).chr + (rand(254) + 1).chr + (rand(254) + 1).chr
 
-    raw = (session_guid || SESSION_NULL_GUID).dup
+    raw = (session_guid || NULL_GUID).dup
     tlv_data = GroupTlv.instance_method(:to_r).bind(self).call
 
     if key && key[:key] && key[:type] == ENC_FLAG_AES256
@@ -836,7 +839,7 @@ def decrypt_packet(key, encrypt_flags, data)
   end
 
   def parse_header!
-    xor_key = self.raw.unpack('A4')[0]
+    xor_key = self.raw.unpack('a4')[0]
     data = xor_bytes(xor_key, self.raw[0..PACKET_HEADER_SIZE])
     _, self.session_guid, self.encrypt_flags, self.length, self.type = data.unpack('a4a16NNN')
   end
