From 4bd14ed5eae1961ba43f790bbc92c99c19b2c10e Mon Sep 17 00:00:00 2001
From: Sean Verity
Date: Wed, 17 Sep 2014 14:11:37 -0400
Subject: [PATCH] Uses a hash for options as opposed to numerous methods on blob
---
 lib/rex/payloads/meterpreter/patch.rb | 29 ++++++++++----
 lib/rex/post/meterpreter/client_core.rb | 50 ++++++++-----------------
 2 files changed, 37 insertions(+), 42 deletions(-)
diff --git a/lib/rex/payloads/meterpreter/patch.rb b/lib/rex/payloads/meterpreter/patch.rb
index 86f4e336df..3b88a9173b 100644
--- a/lib/rex/payloads/meterpreter/patch.rb
+++ b/lib/rex/payloads/meterpreter/patch.rb
@@ -19,7 +19,6 @@ module Rex
 blob[i, str.length] = str
 end
- return blob
 end
 # Replace the URL
@@ -31,7 +30,6 @@ module Rex
 blob[i, str.length] = str
 end
- return blob
 end
 # Replace the session expiration timeout
@@ -43,7 +41,6 @@ module Rex
 blob[i, str.length] = str
 end
- return blob
 end
 # Replace the session communication timeout
@@ -55,18 +52,17 @@ module Rex
 blob[i, str.length] = str
 end
- return blob
 end
 # Replace the user agent string with our option
 def patch_ua! blob, ua
+ ua = ua[0,255] + "\x00"
 i = blob.index("METERPRETER_UA\x00")
 if i
 blob[i, ua.length] = ua
 end
- return blob
 end
 # Activate a custom proxy
@@ -93,7 +89,6 @@ module Rex
 end
 end
- return blob
 end
 # Proxy authentification
@@ -112,7 +107,27 @@ module Rex
 blob[proxy_password_loc, proxy_password.length] = proxy_password
 end
- return blob
+ end
+
+ # Patch options into metsrv for reverse HTTP payloads
+ def patch_passive_service! blob, options
+
+ blob.patch_transport! blob, options[:ssl]
+ blob.patch_url! blob, options[:url]
+ blob.patch_expiration! blob, options[:expiration]
+ blob.patch_comm_timeout! blob, options[:comm_timeout]
+ blob.patch_ua! blob, options[:ua]
+ blob.patch_proxy!(blob,
+ options[:proxyhost],
+ options[:proxyport],
+ options[:proxy_type]
+ )
+ blob.patch_proxy_auth!(blob,
+ options[:proxy_username],
+ options[:proxy_password],
+ options[:proxy_type]
+ )
+ end
 end
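Review bot: The truncation moved into `patch_ua!`, `ua = ua[0,255] + "\x00"`, slices characters rather than bytes, so a user agent containing multibyte characters can still exceed 255 bytes when it is spliced over the `METERPRETER_UA\x00` placeholder with `blob[i, ua.length] = ua`, overrunning whatever room the binary reserves for it (presumably the 256-byte slot the 255 cap is meant to respect). The caller used to do the same character-based slice, so this is not a regression, but since the line is being touched it should become `ua = ua.b[0, 255] + "\x00"` (or `ua.byteslice(0, 255)`), which makes both the cap and the `ua.length` used for the splice byte counts and also avoids an Encoding::CompatibilityError when a non-ASCII UA is written into a binary blob. A nil `ua` (option unset) now raises NoMethodError on the new first line; a leading `return if ua.nil?` would make that case explicit instead of a stack trace from inside the patcher.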
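Review bot: `patch_passive_service!` reads every value with `options[:key]`, so a missing or misspelled key silently becomes nil and is handed to the individual patchers; for `:ua` that ends in a NoMethodError inside `patch_ua!`, and for the others the effect depends on how each patcher treats nil, which this hunk does not show. Using `options.fetch(:ua)` (and the same for the other keys the caller always supplies) fails at the call site with the key name instead. As a point of style, the method is mixed into `blob` and also receives `blob` as its first argument, so `blob.patch_transport! blob, options[:ssl]` is doubly indirect; `patch_transport! blob, options[:ssl]` reads more plainly and does not depend on the receiver having been extended. The header comment should also name the keys the hash is expected to carry, e.g. `# options: :ssl, :url, :expiration, :comm_timeout, :ua, :proxyhost, :proxyport, :proxy_type, :proxy_username, :proxy_password`.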
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index 7c51dd1231..b355a70e22 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -231,42 +231,22 @@ class ClientCore < Extension
 if client.passive_service
- blob.extend(Rex::Payloads::Meterpreter::Patch)
+ blob.extend Rex::Payloads::Meterpreter::Patch
- # Replace the transport string first (TRANSPORT_SOCKET_SSL)
- blob.patch_transport!(blob, client.ssl)
-
- # Replace the URL
- blob.patch_url!(blob, self.client.url)
-
- # Replace the session expiration timeout
- blob.patch_expiration!(blob, self.client.expiration)
-
- # Replace the session communication timeout
- blob.patch_comm_timeout!(blob, self.client.comm_timeout)
-
- # Replace the user agent string with our option
- blob.patch_ua!(
- blob,
- client.exploit_datastore['MeterpreterUserAgent'][0,255] + "\x00"
- )
-
- # Activate a custom proxy
- blob.patch_proxy!(
- blob,
- client.exploit_datastore['PROXYHOST'],
- client.exploit_datastore['PROXYPORT'],
- client.exploit_datastore['PROXY_TYPE']
- )
- # Proxy authentication
- blob.patch_proxy_auth!(
- blob,
- client.exploit_datastore['PROXY_USERNAME'],
- client.exploit_datastore['PROXY_PASSWORD'],
- client.exploit_datastore['PROXY_TYPE']
- )
-
- conn_id = self.client.conn_id
+ #
+ # Patch options into metsrv for reverse HTTP payloads
+ #
+ blob.patch_passive_service! blob,
+ :ssl => client.ssl,
+ :url => self.client.url,
+ :expiration => self.client.expiration,
+ :comm_timeout => self.client.comm_timeout,
+ :ua => client.exploit_datastore['MeterpreterUserAgent'],
+ :proxyhost => client.exploit_datastore['PROXYHOST'],
+ :proxyport => client.exploit_datastore['PROXYPORT'],
+ :proxy_type => client.exploit_datastore['PROXY_TYPE'],
+ :proxy_username => client.exploit_datastore['PROXY_USERNAME'],
+ :proxy_password => client.exploit_datastore['PROXY_PASSWORD']
 end
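Review bot: The rewrite drops `conn_id = self.client.conn_id` together with the per-option patch calls, and nothing on the new side replaces it; the enclosing method begins before this hunk and continues after it, so if `conn_id` is read later in the method this silently breaks it. It was presumably unused, but that should be confirmed against the rest of the method rather than inferred from the diff, and the commit message could say so. A smaller nit: the new hash mixes `client.ssl` with `self.client.url` and friends; pick one form. Note also that the hash now carries `PROXY_USERNAME`/`PROXY_PASSWORD` alongside harmless settings, so any debug logging of the options in `patch_passive_service!` should redact those two keys.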