From e6ea5511ca3a992efeac4d66eb2ba15bf4dfd192 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Tue, 28 Apr 2015 14:04:37 -0500
Subject: [PATCH] update linux and windows meterpreters to use metasploit-payloads
---
 Gemfile.lock | 4 ++--
 lib/msf/core/payload/windows/stageless_meterpreter.rb | 4 ++--
 .../core/payload/windows/x64/stageless_meterpreter.rb | 4 ++--
 lib/rex/post/meterpreter.rb | 2 +-
 lib/rex/post/meterpreter/client_core.rb | 9 +++------
 lib/rex/post/meterpreter/extensions/priv/priv.rb | 2 +-
 lib/rex/post/meterpreter/extensions/stdapi/ui.rb | 4 ++--
 .../meterpreter/ui/console/command_dispatcher/core.rb | 8 ++++----
 metasploit-framework.gemspec | 2 +-
 modules/payloads/stages/linux/x86/meterpreter.rb | 9 ++-------
 modules/payloads/stages/windows/meterpreter.rb | 2 +-
 modules/payloads/stages/windows/patchupmeterpreter.rb | 2 +-
 modules/payloads/stages/windows/x64/meterpreter.rb | 2 +-
 scripts/meterpreter/metsvc.rb | 2 +-
 spec/lib/rex/post/meterpreter_spec.rb | 4 ++--
 15 files changed, 26 insertions(+), 34 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 923133b8ff..3edac33e45 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -9,7 +9,7 @@ PATH
 json
 metasploit-concern (= 0.4.0)
 metasploit-model (~> 0.29.0)
- meterpreter_bins (= 0.0.22)
+ metasploit-payloads (= 0.0.2)
 msgpack
 nokogiri
 packetfu (= 1.1.9)
@@ -123,6 +123,7 @@ GEM
 metasploit-model (0.29.2)
 activesupport
 railties (< 4.0.0)
+ metasploit-payloads (0.0.2)
 metasploit_data_models (0.24.0)
 activerecord (>= 3.2.13, < 4.0.0)
 activesupport
@@ -132,7 +133,6 @@ GEM
 pg
 railties (< 4.0.0)
 recog (~> 1.0)
- meterpreter_bins (0.0.22)
 method_source (0.8.2)
 mime-types (1.25.1)
 mini_portile (0.6.2)
diff --git a/lib/msf/core/payload/windows/stageless_meterpreter.rb b/lib/msf/core/payload/windows/stageless_meterpreter.rb
index 47df1bcae6..136e7e0d7c 100644
--- a/lib/msf/core/payload/windows/stageless_meterpreter.rb
+++ b/lib/msf/core/payload/windows/stageless_meterpreter.rb
@@ -52,7 +52,7 @@ module Payload::Windows::StagelessMeterpreter
 end
 def generate_stageless_x86(url = nil)
- dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x86.dll'))
+ dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll'))
 conf = {
 :rdi_offset => offset,
@@ -104,7 +104,7 @@ module Payload::Windows::StagelessMeterpreter
 unless datastore['EXTENSIONS'].nil?
 datastore['EXTENSIONS'].split(',').each do |e|
 e = e.strip.downcase
- ext, o = load_rdi_dll(MeterpreterBinaries.path("ext_server_#{e}", 'x86.dll'))
+ ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{e}", 'x86.dll'))
 # append the size, offset to RDI and the payload itself
 dll << [ext.length].pack('V') + ext
diff --git a/lib/msf/core/payload/windows/x64/stageless_meterpreter.rb b/lib/msf/core/payload/windows/x64/stageless_meterpreter.rb
index 869f1a51bf..98bf26cc48 100644
--- a/lib/msf/core/payload/windows/x64/stageless_meterpreter.rb
+++ b/lib/msf/core/payload/windows/x64/stageless_meterpreter.rb
@@ -52,7 +52,7 @@ module Payload::Windows::StagelessMeterpreter_x64
 end
 def generate_stageless_x64(url = nil)
- dll, offset = load_rdi_dll(MeterpreterBinaries.path('metsrv', 'x64.dll'))
+ dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x64.dll'))
 conf = {
 :rdi_offset => offset,
@@ -104,7 +104,7 @@ module Payload::Windows::StagelessMeterpreter_x64
 unless datastore['EXTENSIONS'].nil?
 datastore['EXTENSIONS'].split(',').each do |e|
 e = e.strip.downcase
- ext, o = load_rdi_dll(MeterpreterBinaries.path("ext_server_#{e}", 'x64.dll'))
+ ext, o = load_rdi_dll(MetasploitPayloads.meterpreter_path("ext_server_#{e}", 'x64.dll'))
 # append the size, offset to RDI and the payload itself
 dll << [ext.length].pack('V') + ext
diff --git a/lib/rex/post/meterpreter.rb b/lib/rex/post/meterpreter.rb
index 8986c6f0b4..9c3b98160a 100644
--- a/lib/rex/post/meterpreter.rb
+++ b/lib/rex/post/meterpreter.rb
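Review bot: The new `dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll'))` hands the lookup result to load_rdi_dll with no nil check, whereas client_core.rb and priv.rb in this same patch treat a nil return from meterpreter_path as a missing file and raise a clear RuntimeError; here a missing DLL would surface only as whatever load_rdi_dll does with nil, which is not visible in the hunk. The extension lookup in the second hunk is the likelier failure, since the name comes from the operator-supplied datastore['EXTENSIONS'] and a typo yields a file that does not exist. Resolve first and fail the way client_core.rb does: `path = MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll')` / `raise RuntimeError, 'metsrv.x86.dll not found', caller if path.nil?` / `dll, offset = load_rdi_dll(path)`, and likewise for the `ext_server_#{e}` lookup. The same pattern appears in the x64 hunks of lib/msf/core/payload/windows/x64/stageless_meterpreter.rb and in scripts/meterpreter/metsvc.rb, where `::File.size(path)` would receive nil. Both generate_stageless_* bodies continue past their hunks.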
@@ -1,5 +1,5 @@
 # -*- coding: binary -*-
-require 'meterpreter_bins'
+require 'metasploit-payloads'
 require 'rex/post/meterpreter/client'
 require 'rex/post/meterpreter/ui/console'
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index b3b24be473..ac5e641c41 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -249,7 +249,7 @@ class ClientCore < Extension
 # Get us to the installation root and then into data/meterpreter, where
 # the file is expected to be
 modname = "ext_server_#{mod.downcase}"
- path = MeterpreterBinaries.path(modname, client.binary_suffix)
+ path = MetasploitPayloads.meterpreter_path(modname, client.binary_suffix)
 if opts['ExtensionPath']
 path = ::File.expand_path(opts['ExtensionPath'])
@@ -633,7 +633,7 @@ class ClientCore < Extension
 # Create the migrate stager
 migrate_stager = c.new()
- dll = MeterpreterBinaries.path('metsrv',binary_suffix)
+ dll = MetasploitPayloads.meterpreter_path('metsrv', binary_suffix)
 if dll.nil?
 raise RuntimeError, "metsrv.#{binary_suffix} not found", caller
 end
@@ -669,10 +669,7 @@ class ClientCore < Extension
 end
 def generate_linux_stub
- file = ::File.join(Msf::Config.data_directory, "meterpreter", "msflinker_linux_x86.bin")
- blob = ::File.open(file, "rb") {|f|
- f.read(f.stat.size)
- }
+ blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
 Rex::Payloads::Meterpreter::Patch.patch_timeouts!(blob,
 :expiration => self.client.expiration,
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index 71575128f9..96a2e4fc6f 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
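Review bot: `blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')` in generate_linux_stub feeds `patch_timeouts!`, which by its bang name mutates the string in place, so read must return a fresh, unfrozen, binary-encoded String on every call; the removed `::File.open(file, "rb") {|f| f.read(f.stat.size) }` guaranteed all three, and nothing in the hunk shows that the gem helper does (a memoized result would carry one session's timeouts into the next stub, a frozen one would raise). The same call is introduced in modules/payloads/stages/linux/x86/meterpreter.rb. If the helper's contract is not pinned down, `blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin').b` restores the old guarantees at the cost of one copy; otherwise document the dependency with `# read returns a fresh binary String; patch_timeouts! mutates it in place`. generate_linux_stub continues past the hunk.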
@@ -45,7 +45,7 @@ class Priv < Extension
 elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
- elevator_path = MeterpreterBinaries.path('elevator', client.binary_suffix)
+ elevator_path = MetasploitPayloads.meterpreter_path('elevator', client.binary_suffix)
 if elevator_path.nil?
 raise RuntimeError, "elevator.#{binary_suffix} not found", caller
 end
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/ui.rb b/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
index f176d7f84c..338e89642d 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
@@ -157,7 +157,7 @@ class UI < Rex::Post::UI
 # include the x64 screenshot dll if the host OS is x64
 if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
- screenshot_path = MeterpreterBinaries.path('screenshot','x64.dll')
+ screenshot_path = MetasploitPayloads.meterpreter_path('screenshot','x64.dll')
 if screenshot_path.nil?
 raise RuntimeError, "screenshot.x64.dll not found", caller
 end
@@ -172,7 +172,7 @@ class UI < Rex::Post::UI
 end
 # but always include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
- screenshot_path = MeterpreterBinaries.path('screenshot','x86.dll')
+ screenshot_path = MetasploitPayloads.meterpreter_path('screenshot','x86.dll')
 if screenshot_path.nil?
 raise RuntimeError, "screenshot.x86.dll not found", caller
 end
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index 62027c6748..6cd1bb14ab 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -689,8 +689,8 @@ class Console::CommandDispatcher::Core
 case opt
 when "-l"
 exts = SortedSet.new
- msf_path = MeterpreterBinaries.metasploit_data_dir
- gem_path = MeterpreterBinaries.local_dir
+ msf_path = MetasploitPayloads.msf_meterpreter_dir
+ gem_path = MetasploitPayloads.local_meterpreter_dir
 [msf_path, gem_path].each do |path|
 ::Dir.entries(path).each { |f|
 if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
@@ -737,8 +737,8 @@ class Console::CommandDispatcher::Core
 def cmd_load_tabs(str, words)
 tabs = SortedSet.new
- msf_path = MeterpreterBinaries.metasploit_data_dir
- gem_path = MeterpreterBinaries.local_dir
+ msf_path = MetasploitPayloads.msf_meterpreter_dir
+ gem_path = MetasploitPayloads.local_meterpreter_dir
 [msf_path, gem_path].each do |path|
 ::Dir.entries(path).each { |f|
 if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index 51ddcae76c..0e495481b4 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -64,7 +64,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model', '~> 0.29.0'
 # Needed for Meterpreter on Windows, soon others.
- spec.add_runtime_dependency 'meterpreter_bins', '0.0.22'
+ spec.add_runtime_dependency 'metasploit-payloads', '0.0.2'
 # Needed by msfgui and other rpc components
 spec.add_runtime_dependency 'msgpack'
 # Needed by anemone crawler
diff --git a/modules/payloads/stages/linux/x86/meterpreter.rb b/modules/payloads/stages/linux/x86/meterpreter.rb
index cd85b395cb..cd6b74c9a0 100644
--- a/modules/payloads/stages/linux/x86/meterpreter.rb
+++ b/modules/payloads/stages/linux/x86/meterpreter.rb
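Review bot: `::Dir.entries(path)` in the `[msf_path, gem_path].each do |path|` loop raises (Errno::ENOENT for an absent directory, TypeError for nil) if either `MetasploitPayloads.msf_meterpreter_dir` or `MetasploitPayloads.local_meterpreter_dir` does not resolve to an existing directory, which would take the `load -l` listing and tab completion down with it; whether either directory is optional in the new gem layout is not visible here, so confirm, and if so guard with `next unless path && ::File.directory?(path)` as the first line of the block. The same two assignments and loop are now duplicated verbatim in cmd_load_tabs in the second hunk; a small private helper such as `def extension_dirs; [MetasploitPayloads.msf_meterpreter_dir, MetasploitPayloads.local_meterpreter_dir]; end` would keep the two listings from drifting the next time the lookup changes. Both enclosing methods continue past their hunks.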
@@ -100,12 +100,7 @@ module Metasploit3
 end
 def generate_stage
- #file = File.join(Msf::Config.data_directory, "msflinker_linux_x86.elf")
- file = File.join(Msf::Config.data_directory, "meterpreter", "msflinker_linux_x86.bin")
-
- blob = File.open(file, "rb") {|f|
- f.read(f.stat.size)
- }
+ blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
 Rex::Payloads::Meterpreter::Patch.patch_timeouts!(blob,
 :expiration => datastore['SessionExpirationTimeout'].to_i,
@@ -113,6 +108,6 @@ module Metasploit3
 :retry_total => datastore['SessionRetryTotal'].to_i,
 :retry_wait => datastore['SessionRetryWait'].to_i)
- return blob
+ blob
 end
 end
diff --git a/modules/payloads/stages/windows/meterpreter.rb b/modules/payloads/stages/windows/meterpreter.rb
index 91fa58c645..7e6504255c 100644
--- a/modules/payloads/stages/windows/meterpreter.rb
+++ b/modules/payloads/stages/windows/meterpreter.rb
@@ -35,7 +35,7 @@ module Metasploit3
 end
 def library_path
- MeterpreterBinaries.path('metsrv','x86.dll')
+ MetasploitPayloads.meterpreter_path('metsrv','x86.dll')
 end
 end
diff --git a/modules/payloads/stages/windows/patchupmeterpreter.rb b/modules/payloads/stages/windows/patchupmeterpreter.rb
index 4fb6d06b91..fc66ab5998 100644
--- a/modules/payloads/stages/windows/patchupmeterpreter.rb
+++ b/modules/payloads/stages/windows/patchupmeterpreter.rb
@@ -41,7 +41,7 @@ module Metasploit3
 end
 def library_path
- MeterpreterBinaries.path('metsrv','x86.dll')
+ MetasploitPayloads.meterpreter_path('metsrv','x86.dll')
 end
 end
diff --git a/modules/payloads/stages/windows/x64/meterpreter.rb b/modules/payloads/stages/windows/x64/meterpreter.rb
index 5cbf5d4343..d7362f65b3 100644
--- a/modules/payloads/stages/windows/x64/meterpreter.rb
+++ b/modules/payloads/stages/windows/x64/meterpreter.rb
@@ -35,7 +35,7 @@ module Metasploit3
 end
 def library_path
- MeterpreterBinaries.path('metsrv','x64.dll')
+ MetasploitPayloads.meterpreter_path('metsrv','x64.dll')
 end
 end
diff --git a/scripts/meterpreter/metsvc.rb b/scripts/meterpreter/metsvc.rb
index 861b6cc6d8..253de080f8 100644
--- a/scripts/meterpreter/metsvc.rb
+++ b/scripts/meterpreter/metsvc.rb
@@ -92,7 +92,7 @@ if client.platform =~ /win32|win64/
 to ||= from
 print_status(" >> Uploading #{from}...")
 fd = client.fs.file.new(tempdir + "\\" + to, "wb")
- path = (from == 'metsrv.x86.dll') ? MeterpreterBinaries.path('metsrv','x86.dll') : File.join(based, from)
+ path = (from == 'metsrv.x86.dll') ? MetasploitPayloads.meterpreter_path('metsrv','x86.dll') : File.join(based, from)
 fd.write(::File.read(path, ::File.size(path)))
 fd.close
 end
diff --git a/spec/lib/rex/post/meterpreter_spec.rb b/spec/lib/rex/post/meterpreter_spec.rb
index cf917d1032..ef7d53faa3 100644
--- a/spec/lib/rex/post/meterpreter_spec.rb
+++ b/spec/lib/rex/post/meterpreter_spec.rb
@@ -1,8 +1,8 @@
 require 'spec_helper'
 require 'rex/post/meterpreter'
-describe MeterpreterBinaries do
+describe MetasploitPayloads do
 it 'is available' do
- expect(described_class).to eq(MeterpreterBinaries)
+ expect(described_class).to eq(MetasploitPayloads)
 end
 end