Land rapid7#8973, remove obsolete code from Meterpreter client core

Brent Cook · Brent Cook · commit faeffc365b6a · 2017-09-19T08:07:35.000-05:00
diff --git a/lib/msf/base/sessions/meterpreter_options.rb b/lib/msf/base/sessions/meterpreter_options.rb
@@ -3,30 +3,74 @@
 require 'shellwords'
 
 module Msf
-module Sessions
-module MeterpreterOptions
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions
 
-  def initialize(info = {})
-    super(info)
+      TIMEOUT_SESSION = 24 * 3600 * 7  # 1 week
+      TIMEOUT_COMMS = 300              # 5 minutes
+      TIMEOUT_RETRY_TOTAL = 60 * 60    # 1 hour
+      TIMEOUT_RETRY_WAIT = 10          # 10 seconds
 
-    register_advanced_options(
-      [
-        OptBool.new('AutoLoadStdapi', [true, "Automatically load the Stdapi extension", true]),
-        OptBool.new('AutoVerifySession', [true, "Automatically verify and drop invalid sessions", true]),
-        OptInt.new('AutoVerifySessionTimeout', [false, "Timeout period to wait for session validation to occur, in seconds", 30]),
-        OptString.new('InitialAutoRunScript', [false, "An initial script to run on session creation (before AutoRunScript)", '']),
-        OptString.new('AutoRunScript', [false, "A script to run automatically on session creation.", '']),
-        OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
-        OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
-        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
-        OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
-        OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
-        OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),
-        OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', Rex::Post::Meterpreter::ClientCore::TIMEOUT_COMMS])
-      ], self.class)
-  end
+      def initialize(info = {})
+        super(info)
 
+        register_advanced_options(
+          [
+            OptBool.new(
+              'AutoLoadStdapi',
+              [true, "Automatically load the Stdapi extension", true]
+            ),
+            OptBool.new(
+              'AutoVerifySession',
+              [true, "Automatically verify and drop invalid sessions", true]
+            ),
+            OptInt.new(
+              'AutoVerifySessionTimeout',
+              [false, "Timeout period to wait for session validation to occur, in seconds", 30]
+            ),
+            OptString.new(
+              'InitialAutoRunScript',
+              [false, "An initial script to run on session creation (before AutoRunScript)", '']
+            ),
+            OptString.new(
+              'AutoRunScript',
+              [false, "A script to run automatically on session creation.", '']
+            ),
+            OptBool.new(
+              'AutoSystemInfo',
+              [true, "Automatically capture system information on initialization.", true]
+            ),
+            OptBool.new(
+              'EnableUnicodeEncoding',
+              [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]
+            ),
+            OptPath.new(
+              'HandlerSSLCert',
+              [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]
+            ),
+            OptInt.new(
+              'SessionRetryTotal',
+              [false, "Number of seconds try reconnecting for on network failure", TIMEOUT_RETRY_TOTAL]
+            ),
+            OptInt.new(
+              'SessionRetryWait',
+              [false, "Number of seconds to wait between reconnect attempts", TIMEOUT_RETRY_WAIT]
+            ),
+            OptInt.new(
+              'SessionExpirationTimeout',
+              [ false, 'The number of seconds before this session should be forcibly shut down', TIMEOUT_SESSION]
+            ),
+            OptInt.new(
+              'SessionCommunicationTimeout',
+              [ false, 'The number of seconds of no activity before this session should be killed', TIMEOUT_COMMS]
+            )
+          ],
+          self.class
+        )
+      end
+    end
+  end
 end
-end
-end
-
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
@@ -34,24 +34,12 @@ module Meterpreter
 ###
 class ClientCore < Extension
 
-  UNIX_PATH_MAX = 108
-  DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
-
-  METERPRETER_TRANSPORT_SSL   = 0
-  METERPRETER_TRANSPORT_HTTP  = 1
-  METERPRETER_TRANSPORT_HTTPS = 2
-
-  TIMEOUT_SESSION = 24*3600*7  # 1 week
-  TIMEOUT_COMMS = 300          # 5 minutes
-  TIMEOUT_RETRY_TOTAL = 60*60  # 1 hour
-  TIMEOUT_RETRY_WAIT = 10      # 10 seconds
-
-  VALID_TRANSPORTS = {
-    'reverse_tcp'   => METERPRETER_TRANSPORT_SSL,
-    'reverse_http'  => METERPRETER_TRANSPORT_HTTP,
-    'reverse_https' => METERPRETER_TRANSPORT_HTTPS,
-    'bind_tcp'      => METERPRETER_TRANSPORT_SSL
-  }
+  VALID_TRANSPORTS = [
+    'reverse_tcp',
+    'reverse_http',
+    'reverse_https',
+    'bind_tcp'
+  ]
 
   include Rex::Payloads::Meterpreter::UriChecksum
 
@@ -577,46 +565,12 @@ def migrate(target_pid, writable_dir = nil, opts = {})
       raise RuntimeError, 'Cannot migrate into current process', caller
     end
 
-    if client.platform == 'linux'
-      if writable_dir.to_s.strip.empty?
-        writable_dir = tmp_folder
-      end
-
-      stat_dir = client.fs.filestat.new(writable_dir)
-
-      unless stat_dir.directory?
-        raise RuntimeError, "Directory #{writable_dir} not found", caller
-      end
-      # Rex::Post::FileStat#writable? isn't available
-    end
-
     migrate_stub = generate_migrate_stub(target_process)
     migrate_payload = generate_migrate_payload(target_process)
 
     # Build the migration request
     request = Packet.create_request('core_migrate')
 
-    if client.platform == 'linux'
-      socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
-
-      if socket_path.length > UNIX_PATH_MAX - 1
-        raise RuntimeError, 'The writable dir is too long', caller
-      end
-
-      pos = migrate_payload.index(DEFAULT_SOCK_PATH)
-
-      if pos.nil?
-        raise RuntimeError, 'The meterpreter binary is wrong', caller
-      end
-
-      migrate_payload[pos, socket_path.length + 1] = socket_path + "\x00"
-
-      ep = elf_ep(migrate_payload)
-      request.add_tlv(TLV_TYPE_MIGRATE_BASE_ADDR, 0x20040000)
-      request.add_tlv(TLV_TYPE_MIGRATE_ENTRY_POINT, ep)
-      request.add_tlv(TLV_TYPE_MIGRATE_SOCKET_PATH, socket_path, false, client.capabilities[:zlib])
-    end
-
     request.add_tlv(TLV_TYPE_MIGRATE_PID, target_pid)
     request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD_LEN, migrate_payload.length)
     request.add_tlv(TLV_TYPE_MIGRATE_PAYLOAD, migrate_payload, false, client.capabilities[:zlib])
@@ -722,11 +676,8 @@ def shutdown
   # Indicates if the given transport is a valid transport option.
   #
   def valid_transport?(transport)
-    if transport
-      VALID_TRANSPORTS.has_key?(transport.downcase)
-    else
-      false
-    end
+    return false if transport.nil?
+    VALID_TRANSPORTS.include?(transport.downcase)
   end
 
   #
@@ -830,11 +781,11 @@ def transport_prepare_request(method, opts={})
       opts[:lhost] = nil
     end
 
-    transport = VALID_TRANSPORTS[opts[:transport]]
+    transport = opts[:transport].downcase
 
     request = Packet.create_request(method)
 
-    scheme = opts[:transport].split('_')[1]
+    scheme = transport.split('_')[1]
     url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
 
     if opts[:luri] && opts[:luri].length > 0
@@ -864,7 +815,7 @@ def transport_prepare_request(method, opts={})
     end
 
     # do more magic work for http(s) payloads
-    unless opts[:transport].ends_with?('tcp')
+    unless transport.ends_with?('tcp')
       if opts[:uri]
         url << '/' unless opts[:uri].start_with?('/')
         url << opts[:uri]
@@ -878,7 +829,7 @@ def transport_prepare_request(method, opts={})
       opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
       request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
 
-      if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
+      if transport == 'reverse_https' && opts[:cert]
         hash = Rex::Socket::X509Certificate.get_cert_file_hash(opts[:cert])
         request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
       end
@@ -902,24 +853,7 @@ def transport_prepare_request(method, opts={})
     request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
     request.add_tlv(TLV_TYPE_TRANS_URL, url)
 
-    return request
-  end
-
-
-  #
-  # Create a full migration payload specific to the target process.
-  #
-  def generate_migrate_payload(target_process)
-    case client.platform
-    when 'windows'
-      blob = generate_migrate_windows_payload(target_process)
-    when 'linux'
-      blob = generate_migrate_linux_payload
-    else
-      raise RuntimeError, "Unsupported platform '#{client.platform}'"
-    end
-
-    blob
+    request
   end
 
   #
@@ -945,34 +879,18 @@ def generate_migrate_windows_payload(target_process)
   end
 
   #
-  # Create a full Linux-specific migration payload specific to the target process.
-  #
-  def generate_migrate_linux_payload
-    MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
-  end
-
-  #
-  # Determine the elf entry poitn for the given payload.
-  #
-  def elf_ep(payload)
-    elf = Rex::ElfParsey::Elf.new( Rex::ImageSource::Memory.new( payload ) )
-    ep = elf.elf_header.e_entry
-    return ep
-  end
-
-  #
-  # Get the tmp folder for the session.
+  # Create a full migration payload specific to the target process.
   #
-  def tmp_folder
-    tmp = client.sys.config.getenv('TMPDIR')
-
-    if tmp.to_s.strip.empty?
-      tmp = '/tmp'
+  def generate_migrate_payload(target_process)
+    case client.platform
+    when 'windows'
+      blob = generate_migrate_windows_payload(target_process)
+    else
+      raise RuntimeError, "Unsupported platform '#{client.platform}'"
     end
 
-    tmp
+    blob
   end
-
 end
 
 end; end; end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -142,7 +142,7 @@ def cmd_pivot_help
     print_line(@@pivot_opts.usage)
     print_line
     print_line('Supported pivot types:')
-    print_line('     - pipe (using named pipes over SMB)') 
+    print_line('     - pipe (using named pipes over SMB)')
     print_line('Supported arhiectures:')
     @@pivot_supported_archs.each do |a|
       print_line('     - ' + a)
@@ -757,7 +757,7 @@ def cmd_sleep(*args)
   # Arguments for transport switching
   #
   @@transport_opts = Rex::Parser::Arguments.new(
-    '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.keys.join(', ')}"],
+    '-t' => [true, "Transport type: #{Rex::Post::Meterpreter::ClientCore::VALID_TRANSPORTS.join(', ')}"],
     '-l' => [true, 'LHOST parameter (for reverse transports)'],
     '-p' => [true, 'LPORT parameter'],
     '-i' => [true, 'Specify transport by index (currently supported: remove)'],
