Lands rapid7#4991, fixes a potential backcompat issue w/meterpreter

HD Moore · HD Moore · commit f6731f115f08 · 2015-03-23T20:00:35.000-05:00
diff --git a/lib/msf/core/payload/windows/stageless_meterpreter.rb b/lib/msf/core/payload/windows/stageless_meterpreter.rb
@@ -77,7 +77,12 @@ def generate_stageless_meterpreter(url = nil)
     # the URL might not be given, as it might be patched in some other way
     if url
       # Patch the URL using the patcher as this upports both ASCII and WCHAR.
-      Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
+      unless Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
+        # If the patching failed this could mean that we are somehow
+        # working with outdated binaries, so try to patch with the
+        # old stuff.
+        Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 256}", "s#{url}\x00")
+      end
     end
 
     # if a block is given then call that with the meterpreter dll
diff --git a/lib/rex/payloads/meterpreter/patch.rb b/lib/rex/payloads/meterpreter/patch.rb
@@ -18,7 +18,12 @@ def self.patch_transport!(blob, ssl)
 
         # Replace the URL
         def self.patch_url!(blob, url)
-          patch_string!(blob, "https://#{'X' * 512}", url)
+          unless patch_string!(blob, "https://#{'X' * 512}", url)
+            # If the patching failed this could mean that we are somehow
+            # working with outdated binaries, so try to patch with the
+            # old stuff.
+            patch_string!(blob, "https://#{'X' * 256}", url)
+          end
         end
 
         # Replace the session expiration timeout
@@ -122,16 +127,22 @@ def self.patch_passive_service!(blob, options)
         # Patch an ASCII value in the given payload. If not found, try WCHAR instead.
         #
         def self.patch_string!(blob, search, replacement)
+          result = false
+
           i = blob.index(search)
           if i
             blob[i, replacement.length] = replacement
+            result = true
           else
             i = blob.index(wchar(search))
             if i
               r = wchar(replacement)
               blob[i, r.length] = r
+              result = true
             end
           end
+
+          result
         end
 
         private
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
@@ -48,7 +48,14 @@ def get_loaded_extension_commands(extension_name)
     request = Packet.create_request('core_enumextcmd')
     request.add_tlv(TLV_TYPE_STRING, extension_name)
 
-    response = self.client.send_packet_wait_response(request, self.client.response_timeout)
+    begin
+      response = self.client.send_packet_wait_response(request, self.client.response_timeout)
+    rescue
+      # In the case where orphaned shells call back with OLD copies of the meterpreter
+      # binaries, we end up with a case where this fails. So here we just return the
+      # empty list of supported commands.
+      return []
+    end
 
     # No response?
     if response.nil?
