Land rapid7#7507, Fix payload uuid/arch/platform tracking

Author: Brent Cook

.ruby-version

@@ -1 +1 @@
-2.3.1
+2.3.2

.travis.yml

@@ -10,7 +10,7 @@ addons:
       - graphviz
 language: ruby
 rvm:
-  - '2.3.1'
+  - '2.3.2'
 
 env:
   - RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true

Gemfile.lock

@@ -14,9 +14,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.1.29)
+      metasploit-payloads (= 1.2.1)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.0.8)
+      metasploit_payloads-mettle (= 0.1.2)
       msgpack
       nessus_rest
       net-ssh
@@ -33,7 +33,7 @@ PATH
       rb-readline-r7
       recog
       redcarpet
-      rex-arch
+      rex-arch (= 0.1.2)
       rex-bin_tools
       rex-core
       rex-encoder
@@ -169,7 +169,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.1.29)
+    metasploit-payloads (1.2.1)
     metasploit_data_models (2.0.8)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -180,7 +180,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.0.8)
+    metasploit_payloads-mettle (0.1.2)
     method_source (0.8.2)
     mime-types (3.1)
       mime-types-data (~> 3.2015)

lib/msf/base/serializer/readable_text.rb

@@ -546,7 +546,11 @@ def self.dump_sessions(framework, opts={})
       row = []
       row << session.sid.to_s
       row << session.type.to_s
-      row[-1] << (" " + session.platform) if session.respond_to?(:platform)
+      if session.respond_to?(:session_type)
+        row[-1] << (" " + session.session_type)
+      elsif session.respond_to?(:platform)
+        row[-1] << (" " + session.platform)
+      end
 
       if show_extended
         if session.respond_to?(:last_checkin) && session.last_checkin

lib/msf/base/sessions/command_shell_options.rb

@@ -34,7 +34,15 @@ def on_session(session)
     if self.platform and self.platform.kind_of? Msf::Module::Platform
       session.platform = self.platform.realname.downcase
     end
-    session.arch     = self.arch if self.arch
+
+    if self.arch
+      if self.arch.kind_of?(Array)
+        session.arch = self.arch.join('')
+      else
+        session.arch = self.arch
+      end
+    end
+
   end
 
 end

lib/msf/base/sessions/mainframe_shell.rb

@@ -32,8 +32,8 @@ class MainframeShell < Msf::Sessions::CommandShell
   # initialize as mf shell session
   #
   def initialize(*args)
-    self.platform = "mainframe"
-    self.arch = "zarch"
+    self.platform = 'mainframe'
+    self.arch = ARCH_ZARCH
     self.translate_1047 = true
     super
   end

lib/msf/base/sessions/meterpreter.rb

@@ -284,7 +284,7 @@ def run_cmd(cmd)
   #
   # Load the stdapi extension.
   #
-  def load_stdapi()
+  def load_stdapi
     original = console.disable_output
     console.disable_output = true
     console.run_single('load stdapi')
@@ -294,9 +294,8 @@ def load_stdapi()
   #
   # Load the priv extension.
   #
-  def load_priv()
+  def load_priv
     original = console.disable_output
-
     console.disable_output = true
     console.run_single('load priv')
     console.disable_output = original
@@ -310,7 +309,6 @@ def is_valid_session?(timeout=10)
 
     begin
       self.machine_id = self.core.machine_id(timeout)
-      self.payload_uuid ||= self.core.uuid(timeout)
 
       return true
     rescue ::Rex::Post::Meterpreter::RequestError
@@ -325,41 +323,18 @@ def is_valid_session?(timeout=10)
   def update_session_info
     username = self.sys.config.getuid
     sysinfo  = self.sys.config.sysinfo
-    tuple = self.platform.split('/')
 
-    #
-    # Windows meterpreter currently needs 'win32' or 'win64' to be in the
-    # second half of the platform tuple, in order for various modules and
-    # library code match on that specific string.
-    #
-    if self.platform !~ /win32|win64/
-
-      platform = case self.sys.config.sysinfo['OS']
-        when /windows/i
-          Msf::Module::Platform::Windows
-        when /darwin/i
-          Msf::Module::Platform::OSX
-        when /freebsd/i
-          Msf::Module::Platform::FreeBSD
-        when /netbsd/i
-          Msf::Module::Platform::NetBSD
-        when /openbsd/i
-          Msf::Module::Platform::OpenBSD
-        when /sunos/i
-          Msf::Module::Platform::Solaris
-        when /android/i
-          Msf::Module::Platform::Android
-        else
-          Msf::Module::Platform::Linux
-      end.realname.downcase
-
-      #
-      # This normalizes the platform from 'python/python' to 'python/linux'
-      #
-      self.platform = "#{tuple[0]}/#{platform}"
+    # when updating session information, we need to make sure we update the platform
+    # in the UUID to match what the target is actually running on, but only for a
+    # subset of platforms.
+    if ['java', 'python', 'php'].include?(self.platform)
+      new_platform = guess_target_platform(sysinfo['OS'])
+      if self.platform != new_platform
+        self.payload_uuid.platform = new_platform
+        self.core.set_uuid(self.payload_uuid)
+      end
     end
 
-
     safe_info = "#{username} @ #{sysinfo['Computer']}"
     safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
     # Should probably be using Rex::Text.ascii_safe_hex but leave
@@ -369,6 +344,24 @@ def update_session_info
     self.info = safe_info
   end
 
+  def guess_target_platform(os)
+    case os
+    when /windows/i
+      Msf::Module::Platform::Windows.realname.downcase
+    when /darwin/i
+      Msf::Module::Platform::OSX.realname.downcase
+    when /mac os ?x/i
+      # this happens with java on OSX (for real!)
+      Msf::Module::Platform::OSX.realname.downcase
+    when /freebsd/i
+      Msf::Module::Platform::FreeBSD.realname.downcase
+    when /openbsd/i, /netbsd/i
+      Msf::Module::Platform::BSD.realname.downcase
+    else
+      Msf::Module::Platform::Linux.realname.downcase
+    end
+  end
+
   #
   # Populate the session information.
   #
@@ -493,20 +486,79 @@ def create(param)
 
     sock = net.socket.create(param)
 
-    # sf: unsure if we should raise an exception or just return nil. returning nil for now.
-    #if( sock == nil )
-    #  raise Rex::UnsupportedProtocol.new(param.proto), caller
-    #end
-
     # Notify now that we've created the socket
     notify_socket_created(self, sock, param)
 
     # Return the socket to the caller
     sock
   end
 
-  attr_accessor :platform
-  attr_accessor :binary_suffix
+  #
+  # Get a string representation of the current session platform
+  #
+  def platform
+    if self.payload_uuid
+      # return the actual platform of the current session if it's there
+      self.payload_uuid.platform
+    else
+      # otherwise just use the base for the session type tied to this handler.
+      # If we don't do this, storage of sessions in the DB dies
+      self.base_platform
+    end
+  end
+
+  #
+  # Get a string representation of the current session architecture
+  #
+  def arch
+    if self.payload_uuid
+      # return the actual arch of the current session if it's there
+      self.payload_uuid.arch
+    else
+      # otherwise just use the base for the session type tied to this handler.
+      # If we don't do this, storage of sessions in the DB dies
+      self.base_arch
+    end
+  end
+
+  #
+  # Generate a binary suffix based on arch
+  #
+  def binary_suffix
+    # generate a file/binary suffix based on the current arch and platform.
+    # Platform-agnostic archs go first
+    case self.arch
+    when 'java'
+      'jar'
+    when 'php'
+      'php'
+    when 'python'
+      'py'
+    else
+      # otherwise we fall back to the platform
+      case self.platform
+      when 'windows'
+        "#{self.arch}.dll"
+      when 'linux' , 'aix' , 'hpux' , 'irix' , 'unix'
+        'lso'
+      when 'android', 'java'
+        'jar'
+      when 'php'
+        'php'
+      when 'python'
+        'py'
+      else
+        nil
+      end
+    end
+  end
+
+  # These are the base arch/platform for the original payload, required for when the
+  # session is first created thanks to the fact that the DB session recording
+  # happens before the session is even established.
+  attr_accessor :base_arch
+  attr_accessor :base_platform
+
   attr_accessor :console # :nodoc:
   attr_accessor :skip_ssl
   attr_accessor :skip_cleanup

lib/msf/base/sessions/meterpreter_android.rb

@@ -16,7 +16,8 @@ class Meterpreter_Java_Android < Msf::Sessions::Meterpreter_Java_Java
 
   def initialize(rstream, opts={})
     super
-    self.platform = 'java/android'
+    self.base_platform = 'android'
+    self.base_arch = ARCH_JAVA
   end
 
   def load_android

lib/msf/base/sessions/meterpreter_armle_linux.rb

@@ -19,8 +19,8 @@ def supports_zlib?
   end
   def initialize(rstream, opts={})
     super
-    self.platform      = 'armle/linux'
-    self.binary_suffix = 'lso'
+    self.base_platform = 'linux'
+    self.base_arch = ARCH_ARMLE
   end
 end
 

lib/msf/base/sessions/meterpreter_java.rb

@@ -19,8 +19,8 @@ def supports_zlib?
   end
   def initialize(rstream, opts={})
     super
-    self.platform      = 'java/java'
-    self.binary_suffix = 'jar'
+    self.base_platform = 'java'
+    self.base_arch = ARCH_JAVA
   end
 end