Land rapid7#4252 - Rework meterpreter SSL & pass datastore to handle_connection()

Author: wchen-r7

lib/msf/base/sessions/meterpreter.rb

@@ -30,10 +30,12 @@ class Meterpreter < Rex::Post::Meterpreter::Client
 
   include Msf::Session::Scriptable
 
-  # Override for server implementations that can't do ssl
+  # Override for server implementations that can't do SSL
   def supports_ssl?
     true
   end
+
+  # Override for server implementations that can't do zlib
   def supports_zlib?
     true
   end
@@ -49,11 +51,24 @@ def initialize(rstream, opts={})
       :ssl => supports_ssl?,
       :zlib => supports_zlib?
     }
+
+    # The caller didn't request to skip ssl, so make sure we support it
     if not opts[:skip_ssl]
-      # the caller didn't request to skip ssl, so make sure we support it
       opts.merge!(:skip_ssl => (not supports_ssl?))
     end
 
+    #
+    # Parse options passed in via the datastore
+    #
+
+    # Extract the HandlerSSLCert option if specified by the user
+    if opts[:datastore] and opts[:datastore]['HandlerSSLCert']
+      opts[:ssl_cert] = opts[:datastore]['HandlerSSLCert']
+    end
+
+    # Don't pass the datastore into the init_meterpreter method
+    opts.delete(:datastore)
+
     #
     # Initialize the meterpreter client
     #

lib/msf/base/sessions/meterpreter_options.rb

@@ -15,7 +15,8 @@ def initialize(info = {})
         OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
         OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
-        OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", true])
+        OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", true]),
+        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"])
       ], self.class)
   end
 

lib/msf/core/handler/bind_tcp.rb

@@ -146,7 +146,7 @@ def start_handler
         # to implement the Stream interface.
         conn_threads << framework.threads.spawn("BindTcpHandlerSession", false, client) { |client_copy|
           begin
-            handle_connection(wrap_aes_socket(client_copy))
+            handle_connection(wrap_aes_socket(client_copy), { datastore: datastore })
           rescue
             elog("Exception raised from BindTcp.handle_connection: #{$!}")
           end

lib/msf/core/handler/find_port.rb

@@ -55,7 +55,7 @@ def handler(sock)
     # If this is a multi-stage payload, then we just need to blindly
     # transmit the stage and create the session, hoping that it works.
     if (self.payload_type != Msf::Payload::Type::Single)
-      handle_connection(sock)
+      handle_connection(sock, { datastore: datastore })
     # Otherwise, check to see if we found a session.  We really need
     # to improve this, as we could create a session when the exploit
     # really didn't succeed.

lib/msf/core/handler/reverse_tcp.rb

@@ -163,10 +163,10 @@ def start_handler
         begin
           if datastore['ReverseListenerThreaded']
             self.conn_threads << framework.threads.spawn("ReverseTcpHandlerSession-#{local_port}-#{client.peerhost}", false, client) { | client_copy|
-              handle_connection(wrap_aes_socket(client_copy))
+              handle_connection(wrap_aes_socket(client_copy), { datastore: datastore })
             }
           else
-            handle_connection(wrap_aes_socket(client))
+            handle_connection(wrap_aes_socket(client), { datastore: datastore })
           end
         rescue ::Exception
           elog("Exception raised from handle_connection: #{$!.class}: #{$!}\n\n#{$@.join("\n")}")

lib/msf/core/handler/reverse_tcp_double.rb

@@ -120,7 +120,7 @@ def start_handler
           begin
             sock_inp, sock_out = detect_input_output(client_a_copy, client_b_copy)
             chan = TcpReverseDoubleSessionChannel.new(framework, sock_inp, sock_out)
-            handle_connection(chan.lsock)
+            handle_connection(chan.lsock, { datastore: datastore })
           rescue
             elog("Exception raised from handle_connection: #{$!}\n\n#{$@.join("\n")}")
           end

lib/msf/core/handler/reverse_tcp_double_ssl.rb

@@ -121,7 +121,7 @@ def start_handler
           begin
             sock_inp, sock_out = detect_input_output(client_a_copy, client_b_copy)
             chan = TcpReverseDoubleSSLSessionChannel.new(framework, sock_inp, sock_out)
-            handle_connection(chan.lsock)
+            handle_connection(chan.lsock, { datastore: datastore })
           rescue
             elog("Exception raised from handle_connection: #{$!}\n\n#{$@.join("\n")}")
           end

lib/rex/post/meterpreter/client.rb

@@ -42,9 +42,9 @@ class Client
   @@ext_hash = {}
 
   #
-  # Cached SSL certificate (required to scale)
+  # Cached auto-generated SSL certificate
   #
-  @@ssl_ctx = nil
+  @@ssl_cached_cert = nil
 
   #
   # Mutex to synchronize class-wide operations
@@ -106,7 +106,6 @@ def init_meterpreter(sock,opts={})
     self.capabilities = opts[:capabilities] || {}
     self.commands     = []
 
-
     self.conn_id      = opts[:conn_id]
     self.url          = opts[:url]
     self.ssl          = opts[:ssl]
@@ -116,9 +115,21 @@ def init_meterpreter(sock,opts={})
 
     self.response_timeout = opts[:timeout] || self.class.default_timeout
     self.send_keepalives  = true
+
+    # TODO: Clarify why we don't allow unicode to be set in initial options
     # self.encode_unicode   = opts.has_key?(:encode_unicode) ? opts[:encode_unicode] : true
     self.encode_unicode = false
 
+    # The SSL certificate is being passed down as a file path
+    if opts[:ssl_cert]
+      if ! ::File.exists? opts[:ssl_cert]
+        elog("SSL certificate at #{opts[:ssl_cert]} does not exist and will be ignored")
+      else
+        # Load the certificate the same way that SslTcpServer does it
+        self.ssl_cert = ::File.read(opts[:ssl_cert])
+      end
+    end
+
     if opts[:passive_dispatcher]
       initialize_passive_dispatcher
 
@@ -200,68 +211,43 @@ def swap_sock_ssl_to_plain
   end
 
   def generate_ssl_context
-    @@ssl_mutex.synchronize do
-    if not @@ssl_ctx
-
-    wlog("Generating SSL certificate for Meterpreter sessions")
-
-    key  = OpenSSL::PKey::RSA.new(1024){ }
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial  = rand(0xFFFFFFFF)
-
-    # Depending on how the socket was created, getsockname will
-    # return either a struct sockaddr as a String (the default ruby
-    # Socket behavior) or an Array (the extend'd Rex::Socket::Tcp
-    # behavior). Avoid the ambiguity by always picking a random
-    # hostname. See #7350.
-    subject_cn = Rex::Text.rand_hostname
-
-    subject = OpenSSL::X509::Name.new([
-        ["C","US"],
-        ['ST', Rex::Text.rand_state()],
-        ["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
-        ["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
-        ["CN", subject_cn],
-      ])
-    issuer = OpenSSL::X509::Name.new([
-        ["C","US"],
-        ['ST', Rex::Text.rand_state()],
-        ["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
-        ["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
-        ["CN", Rex::Text.rand_text_alpha(rand(20) + 10)],
-      ])
-
-    cert.subject = subject
-    cert.issuer = issuer
-    cert.not_before = Time.now - (3600 * 365) + rand(3600 * 14)
-    cert.not_after = Time.now + (3600 * 365) + rand(3600 * 14)
-    cert.public_key = key.public_key
-    ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
-    cert.extensions = [
-      ef.create_extension("basicConstraints","CA:FALSE"),
-      ef.create_extension("subjectKeyIdentifier","hash"),
-      ef.create_extension("extendedKeyUsage","serverAuth"),
-      ef.create_extension("keyUsage","keyEncipherment,dataEncipherment,digitalSignature")
-    ]
-    ef.issuer_certificate = cert
-    cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-    cert.sign(key, OpenSSL::Digest::SHA1.new)
-
-    ctx = OpenSSL::SSL::SSLContext.new
-    ctx.key = key
-    ctx.cert = cert
 
-    ctx.session_id_context = Rex::Text.rand_text(16)
+    ctx = nil
+    ssl_cert_info = nil
 
-    wlog("Generated SSL certificate for Meterpreter sessions")
+    loop do
 
-    @@ssl_ctx = ctx
+      # Load a custom SSL certificate if one has been specified
+      if self.ssl_cert
+        wlog("Loading custom SSL certificate for Meterpreter session")
+        ssl_cert_info = Rex::Socket::SslTcpServer.ssl_parse_pem(self.ssl_cert)
+        wlog("Loaded custom SSL certificate for Meterpreter session")
+        break
+      end
 
-    end # End of if not @ssl_ctx
-    end # End of mutex.synchronize
+      # Generate a certificate if necessary and cache it
+      if ! @@ssl_cached_cert
+        @@ssl_mutex.synchronize do
+          wlog("Generating SSL certificate for Meterpreter sessions")
+          @@ssl_cached_cert = Rex::Socket::SslTcpServer.ssl_generate_certificate
+          wlog("Generated SSL certificate for Meterpreter sessions")
+        end
+      end
+
+      # Use the cached certificate
+      ssl_cert_info = @@ssl_cached_cert
+      break
+    end
 
-    @@ssl_ctx
+    # Create a new context for each session
+    ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.key = ssl_cert_info[0]
+    ctx.cert = ssl_cert_info[1]
+    ctx.extra_chain_cert = ssl_cert_info[2]
+    ctx.options = 0
+    ctx.session_id_context = Rex::Text.rand_text(16)
+
+    ctx
   end
 
   ##
@@ -453,6 +439,10 @@ def unicode_filter_decode(str)
   #
   attr_accessor :ssl
   #
+  # Use this SSL Certificate (unified PEM)
+  #
+  attr_accessor :ssl_cert
+  #
   # The Session Expiration Timeout
   #
   attr_accessor :expiration