Land rapid7#8523, Add support for session GUIDs

Author: Brent Cook

Gemfile.lock

@@ -15,9 +15,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.2.32)
+      metasploit-payloads (= 1.2.33)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.1.9)
+      metasploit_payloads-mettle (= 0.1.10)
       msgpack
       nessus_rest
       net-ssh
@@ -196,7 +196,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.2.32)
+    metasploit-payloads (1.2.33)
     metasploit_data_models (2.0.14)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -207,7 +207,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.1.9)
+    metasploit_payloads-mettle (0.1.10)
     method_source (0.8.2)
     mime-types (3.1)
       mime-types-data (~> 3.2015)

lib/msf/base/serializer/readable_text.rb

@@ -618,7 +618,6 @@ def self.dump_sessions_verbose(framework, opts={})
       sess_luri    = session.exploit_datastore['LURI'] || ""
 
       sess_checkin = "<none>"
-      sess_machine_id = session.machine_id.to_s
       sess_registration = "No"
 
       if session.respond_to? :platform
@@ -642,15 +641,12 @@ def self.dump_sessions_verbose(framework, opts={})
       out << "      Tunnel: #{sess_tunnel}\n"
       out << "         Via: #{sess_via}\n"
       out << "        UUID: #{sess_uuid}\n"
-      out << "   MachineID: #{sess_machine_id}\n"
       out << "     CheckIn: #{sess_checkin}\n"
       out << "  Registered: #{sess_registration}\n"
-      if !sess_luri.empty?
+      unless sess_luri.empty?
         out << "        LURI: #{sess_luri}\n"
       end
 
-
-
       out << "\n"
     end
 

lib/msf/base/sessions/meterpreter_options.rb

@@ -51,6 +51,17 @@ def on_session(session)
     end
 
     if valid
+      # always make sure that the new session has a new guid if it's not already known
+      guid = session.core.get_session_guid
+      if guid == '00000000-0000-0000-0000-000000000000'
+        guid = SecureRandom.uuid
+        session.core.set_session_guid(guid)
+        session.guid = guid
+        # TODO: New statgeless session, do some account in the DB so we can track it later.
+      else
+        session.guid = guid
+        # TODO: This session was either staged or previously known, and so we shold do some accounting here!
+      end
 
       if datastore['AutoLoadStdapi']
 
@@ -71,7 +82,7 @@ def on_session(session)
       end
 
       [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
-        if !datastore[key].empty?
+        unless datastore[key].empty?
           args = Shellwords.shellwords( datastore[key] )
           print_status("Session ID #{session.sid} (#{session.tunnel_to_s}) processing #{key} '#{datastore[key]}'")
           session.execute_script(args.shift, *args)

lib/msf/base/sessions/mettle_config.rb

@@ -3,6 +3,7 @@
 require 'msf/core/payload/transport_config'
 require 'msf/core/payload/uuid/options'
 require 'base64'
+require 'securerandom'
 
 module Msf
   module Sessions
@@ -53,6 +54,7 @@ def generate_tcp_uri(opts)
 
       def generate_config(opts={})
         opts[:uuid] ||= generate_payload_uuid
+
         case opts[:scheme]
         when 'http'
           transport = transport_config_reverse_http(opts)
@@ -66,8 +68,15 @@ def generate_config(opts={})
         else
           raise ArgumentError, "Unknown scheme: #{opts[:scheme]}"
         end
+
         opts[:uuid] = Base64.encode64(opts[:uuid].to_raw).strip
-        opts.slice(:uuid, :uri, :debug, :log_file)
+        guid = "\x00" * 16
+        unless opts[:stageless] == true
+          guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*')
+        end
+        opts[:session_guid] = Base64.encode64(guid)
+
+        opts.slice(:uuid, :session_guid, :uri, :debug, :log_file)
       end
 
     end

lib/msf/core/payload/android.rb

@@ -51,7 +51,8 @@ def generate_config(opts={})
       arch:       opts[:uuid].arch,
       expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
-      transports: opts[:transport_config] || [transport_config(opts)]
+      transports: opts[:transport_config] || [transport_config(opts)],
+      stageless:  opts[:stageless] == true
     }
 
     config = Rex::Payloads::Meterpreter::Config.new(config_opts).to_b

lib/msf/core/payload/java/meterpreter_loader.rb

@@ -69,7 +69,8 @@ def generate_config(opts={})
       arch:       opts[:uuid].arch,
       expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
-      transports: opts[:transport_config] || [transport_config(opts)]
+      transports: opts[:transport_config] || [transport_config(opts)],
+      stageless:  opts[:stageless] == true
     }
 
     # create the configuration instance based off the parameters

lib/msf/core/payload/python/meterpreter_loader.rb

@@ -74,6 +74,13 @@ def stage_meterpreter(opts={})
     uuid = Rex::Text.to_hex(uuid.to_raw, prefix = '')
     met.sub!("PAYLOAD_UUID = \'\'", "PAYLOAD_UUID = \'#{uuid}\'")
 
+    if opts[:stageless] == true
+      session_guid = '\x00' * 16
+    else
+      session_guid = SecureRandom.uuid.gsub(/-/, '').gsub(/(..)/, '\\x\1')
+    end
+    met.sub!("SESSION_GUID = \'\'", "SESSION_GUID = \'#{session_guid}\'")
+
     http_user_agent = opts[:http_user_agent] || ds['MeterpreterUserAgent']
     http_proxy_host = opts[:http_proxy_host] || ds['PayloadProxyHost'] || ds['PROXYHOST']
     http_proxy_port = opts[:http_proxy_port] || ds['PayloadProxyPort'] || ds['PROXYPORT']

lib/msf/core/payload/windows/meterpreter_loader.rb

@@ -82,7 +82,8 @@ def generate_config(opts={})
       expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
       transports: opts[:transport_config] || [transport_config(opts)],
-      extensions: []
+      extensions: [],
+      stageless:  opts[:stageless] == true
     }
 
     # create the configuration instance based off the parameters

lib/msf/core/payload/windows/x64/meterpreter_loader.rb

@@ -84,7 +84,8 @@ def generate_config(opts={})
       expiration: ds['SessionExpirationTimeout'].to_i,
       uuid:       opts[:uuid],
       transports: opts[:transport_config] || [transport_config(opts)],
-      extensions: []
+      extensions: [],
+      stageless:  opts[:stageless] == true
     }
 
     # create the configuration instance based off the parameters

lib/msf/core/session.rb

@@ -385,6 +385,10 @@ def session_type
   #
   attr_accessor :machine_id
   #
+  # The guid that identifies an active Meterpreter session
+  #
+  attr_accessor :guid
+  #
   # The actual exploit module instance that created this session
   #
   attr_accessor :exploit