metasploit-aggregator 0.2.3 → 1.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6c24ff901cb886de3f7096625742249f2874803b
-  data.tar.gz: 5fb0ea51cc770c8cb7c5a6775c7c02f4418f7464
+  metadata.gz: 309e4618d12318d87a16f47501dadddd40d1f22e
+  data.tar.gz: 4311c39b35821464b197ac1ab674529d13e04559
 SHA512:
-  metadata.gz: ebb542338918a8489423ce6055db118c80750ebebb0239e5ed0680ce7b4ffd60f299c9bb6ce11aa9c710ae92be40d2996b7dec6f307f4dff4b9f21a8636a2767
-  data.tar.gz: c20ba09eb3c27047cfeda64e4aac3c03c7569d43df56f48773e943f0bd321cb5b38f4ec6ed1af8a5cc458b9b62182778bcc234727b712c0f2a95e16107bc2a78
+  metadata.gz: 2217561262a7f697e016c314505353f887a221ee3ccfde1f90760589ea5c702f7b80e1eb55aecf1e50feb5ff1e22f013c4489f091200a9a8b73d7534f9d058b6
+  data.tar.gz: b40d75c19d279a179c63273acca9300817f36f239223f86cac718ec9434a233d12f6f3c8f08408edbf8da4a3c0022de105a105fd3d680929df13f57aafd70dbe

data.tar.gz.sig

@@ -1,3 +1 @@
-"..S~s?
϶6��֧fOL�JG|p�E��H��~3��c�+Ѳ��=榃D������m���;�
-q00؏�ϐ��TbUҔ�X�A�}��R���ء�
-���{�߼�&�e�����>��F�m!�Poఠw&&�V68H��(�.�
��[Ȱ�=K�M:�֔6ݴf�����TDC�HܶBlM
 ډ��n�7÷p�T�c@�� w4�T��W��v��'��D��3Y
+v�1�~�ܸ�[��]��,.�����?�v�7?��n�[�UY����v�6Ht��F��:��L�y��Nal�g�E�?�g[z9����<�.$t�?-ٶ�D�c"3E�)���>������2nI����%�T��}�K�E�L/I�x�?���O(�dpU&m�vK��v]�c=d���zO�"���Kr[��Ȧ-٭��ִx�
�jy�ܧGIF"��V^�(��mb̌�������K��fIɎ��B7��

data/lib/metasploit/aggregator/http/request.rb

@@ -25,16 +25,39 @@ module Metasploit
 
         # provide a default response in Request form
         def self.parked()
-          parked_message = []
-          parked_message << 'HTTP/1.1 200 OK'
-          parked_message << 'Content-Type: application/octet-stream'
-          parked_message << 'Connection: close'
-          parked_message << 'Server: Apache'
-          parked_message << 'Content-Length: 0'
-          parked_message << ' '
-          parked_message << ' '
-          self.new(parked_message, '', nil)
+          generate_response(nil)
         end
+
+        def self.generate_response(http_request)
+          socket = nil
+          body = ''
+          unless http_request.nil? || http_request.body.nil?
+            body = http_request.body
+          end
+          message_headers = []
+          message_headers << 'HTTP/1.1 200 OK' + "\n"
+          message_headers << 'Content-Type: application/octet-stream' + "\n"
+          message_headers << 'Connection: close' + "\n"
+          message_headers << 'Server: Apache' + "\n"
+          message_headers << 'Content-Length: ' + body.length.to_s + "\n"
+          message_headers << '' + "\n"
+          message_headers << '' + "\n"
+          self.new(message_headers, body, socket)
+        end
+
+        def self.forge_request(uri, body, socket = nil)
+          message_headers = []
+          message_headers << "POST #{uri}/ HTTP/1.1" + "\n"
+          message_headers << 'Accept-Encoding: identity' + "\n"
+          message_headers << 'Content-Length: ' + body.length.to_s + "\n"
+          message_headers << 'Host: 127.0.0.1:2447' + "\n" # this value is defaulted to reflect the aggregator
+          message_headers << 'Content-Type: application/octet-stream' + "\n"
+          message_headers << 'Connection: close' + "\n"
+          message_headers << 'User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'+ "\n"
+          message_headers << '' + "\n"
+          self.new(message_headers, body, socket)
+        end
+
       end
     end
   end

data/lib/metasploit/aggregator/http/responder.rb

@@ -1,5 +1,6 @@
 require "metasploit/aggregator/session_detail_service"
 require "metasploit/aggregator/http/request"
+require "metasploit/aggregator/logger"
 
 module Metasploit
   module Aggregator
@@ -50,7 +51,17 @@ module Metasploit
               # now get the response once available and send back using this connection
               begin
                 request_obj = recv.pop
-                @session_service.add_request(request_task, @uri)
+                @session_service.add_request(request_obj, @uri)
+                tlv_response = @session_service.eval_tlv_enc(request_obj)
+                unless tlv_response.nil?
+                  # build a new request with a the new tlv
+                  suppression = Metasploit::Aggregator::Http::Request.forge_request(@uri, tlv_response.to_r, connection)
+                  send << suppression
+                  log "Suppressing cryptTLV on session #{@uri}"
+                  send << request_task
+                  request_obj = recv.pop
+                  @session_service.add_request(suppression, @uri)
+                end
                 @pending_request = nil
                 request_obj.headers.each do |line|
                   connection.write line
@@ -59,9 +70,10 @@ module Metasploit
                   connection.write request_obj.body
                 end
                 connection.flush
+                @session_service.add_request(request_obj, @uri)
                 log 'message delivered from console'
-              rescue
-                log $!
+              rescue Exception
+                log "error processing console response for #{@uri}"
               end
               close_connection(connection)
             rescue Exception => e
@@ -82,10 +94,18 @@ module Metasploit
         def send_parked_response(connection)
           address = connection.peeraddr[3]
           log "sending parked response to #{address}"
-          Metasploit::Aggregator::Http::Request.parked.headers.each do |line|
-            connection.puts line
+          send_response(Metasploit::Aggregator::Http::Request.parked, connection)
+        end
+
+        def send_response(request_obj, connection)
+          @pending_request = nil
+          request_obj.headers.each do |line|
+            connection.write line
+          end
+          unless request_obj.body.nil?
+            connection.write request_obj.body
           end
-          close_connection(connection)
+          connection.flush
         end
 
         def self.get_data(connection, guaranteed_length)
@@ -114,7 +134,7 @@ module Metasploit
               body += connection.read(content_length - body.length)
             end
           end
-          Request.new request_lines, body, connection
+          Metasploit::Aggregator::Http::Request.new request_lines, body, connection
         end
 
         def get_connection(host, port)

data/lib/metasploit/aggregator/session_detail_service.rb

@@ -1,7 +1,7 @@
 require 'digest/md5'
 require 'singleton'
+require 'metasploit/aggregator/logger'
 require 'metasploit/aggregator/tlv/packet'
-require 'metasploit/aggregator/tlv/packet_parser'
 require 'metasploit/aggregator/tlv/uuid'
 
 module Metasploit
@@ -12,19 +12,22 @@ module Metasploit
       def initialize
         @mutex = Mutex.new
         @tlv_queue = Queue.new
-        @thread = Thread.new { process_tlv }
-        # for now since all data is http no cipher is required on the parser
-        @parser = Metasploit::Aggregator::Tlv::PacketParser.new
-        @r, @w = IO.pipe
+        @thread = create_processor
         @payloads_count = 0;
         @detail_cache = {}
       end
 
       def add_request(request, payload)
-        @tlv_queue << [ request, payload ]
-        if @detail_cache[payload] && @detail_cache[payload]['REMOTE_SOCKET'].nil?
-          @detail_cache[payload]['REMOTE_SOCKET'] = "#{request.socket.peeraddr[3]}:#{request.socket.peeraddr[1]}"
-          @detail_cache[payload]['LOCAL_SOCKET'] = "#{request.socket.addr[3]}:#{request.socket.addr[1]}"
+        @mutex.synchronize do
+          @tlv_queue << [ request, payload ]
+        end
+        begin
+          if @detail_cache[payload] && @detail_cache[payload]['REMOTE_SOCKET'].nil? && request.socket
+            @detail_cache[payload]['REMOTE_SOCKET'] = "#{request.socket.peeraddr[3]}:#{request.socket.peeraddr[1]}"
+            @detail_cache[payload]['LOCAL_SOCKET'] = "#{request.socket.addr[3]}:#{request.socket.addr[1]}"
+          end
+        rescue Exception
+          Logger.log "error retrieving socket details"
         end
       end
 
@@ -32,15 +35,40 @@ module Metasploit
         @detail_cache[payload]
       end
 
+      def eval_tlv_enc(request)
+        # this is really expensive as we have to process every
+        # piece of information presented from the console to eval for enc requests
+        response = nil
+        begin
+        if request.body && request.body.length > 0
+          packet = Metasploit::Aggregator::Tlv::Packet.new(0)
+          packet.add_raw(request.body)
+          packet.from_r
+          if packet.has_tlv?(Metasploit::Aggregator::Tlv::TLV_TYPE_METHOD)
+            packet_val = packet.get_tlv_value(Metasploit::Aggregator::Tlv::TLV_TYPE_METHOD)
+            if packet_val == "core_negotiate_tlv_encryption"
+              response = Metasploit::Aggregator::Tlv::Packet.create_response(packet)
+              response.add_tlv(Metasploit::Aggregator::Tlv::TLV_TYPE_RESULT, 0)
+              response
+            end
+          end
+        end
+        rescue Exception
+          # any exception return nil
+          Logger.log "error evaluating tlv packet"
+          response = nil
+        end
+        response
+      end
+
       def process_tlv
         while true
           begin
             request, payload = @tlv_queue.pop
             if request.body && request.body.length > 0
-              # process body as tlv
-              @w.write(request.body)
-              packet = @parser.recv(@r)
-              next unless packet
+              packet = Metasploit::Aggregator::Tlv::Packet.new(0)
+              packet.add_raw(request.body)
+              packet.from_r
               unless @detail_cache[payload]
                 @detail_cache[payload] = { 'ID' => (@payloads_count += 1) }
               end
@@ -49,7 +77,12 @@ module Metasploit
                 @detail_cache[payload]['UUID'] = Metasploit::Aggregator::Tlv::UUID.new(args)
               end
               if packet.has_tlv?(Metasploit::Aggregator::Tlv::TLV_TYPE_MACHINE_ID)
-                @detail_cache[payload]['MachineID'] = Digest::MD5.hexdigest(packet.get_tlv_value(Metasploit::Aggregator::Tlv::TLV_TYPE_MACHINE_ID).downcase.strip)
+                machine_id = packet.get_tlv_value(Metasploit::Aggregator::Tlv::TLV_TYPE_MACHINE_ID)
+                @detail_cache[payload]['MachineID'] = Digest::MD5.hexdigest(machine_id.downcase.strip)
+                _user, computer_name = machine_id.split(":")
+                unless computer_name.nil?
+                  @detail_cache[payload]['HOSTNAME'] = computer_name
+                end
               end
               if packet.has_tlv?(Metasploit::Aggregator::Tlv::TLV_TYPE_USER_NAME)
                 @detail_cache[payload]['USER'] = packet.get_tlv_value(Metasploit::Aggregator::Tlv::TLV_TYPE_USER_NAME)
@@ -60,12 +93,35 @@ module Metasploit
               if packet.has_tlv?(Metasploit::Aggregator::Tlv::TLV_TYPE_OS_NAME)
                 @detail_cache[payload]['OS'] = packet.get_tlv_value(Metasploit::Aggregator::Tlv::TLV_TYPE_OS_NAME)
               end
+
+              # remove sessions that get shutdown
+              if packet.has_tlv?(Metasploit::Aggregator::Tlv::TLV_TYPE_METHOD)
+                packet_val = packet.get_tlv_value(Metasploit::Aggregator::Tlv::TLV_TYPE_METHOD)
+                if packet_val == "core_shutdown"
+                  @detail_cache.delete(payload)
+                end
+              end
+            end
+          rescue Exception
+            Logger.log "error processing tlv for session details"
+          end
+        end
+      end
+
+      def create_processor
+        processor = Thread.new do
+          while true # always restart the processor
+            begin
+              process_tlv
+            rescue Exception
+              Logger.log "tlv processing thread error -- restarting"
             end
-          rescue
-            Logger.log $!
           end
         end
+        processor
       end
+
+      private :create_processor
     end
   end
 end

data/lib/metasploit/aggregator/tlv/packet.rb

@@ -1,4 +1,6 @@
 # -*- coding: binary -*-
+require 'openssl'
+require 'rex/text'
 
 module Metasploit
   module Aggregator
@@ -80,7 +82,7 @@ module Metasploit
       TLV_TYPE_LIBRARY_PATH        = TLV_META_TYPE_STRING | 400
       TLV_TYPE_TARGET_PATH         = TLV_META_TYPE_STRING | 401
       TLV_TYPE_MIGRATE_PID         = TLV_META_TYPE_UINT   | 402
-      TLV_TYPE_MIGRATE_LEN         = TLV_META_TYPE_UINT   | 403
+      TLV_TYPE_MIGRATE_PAYLOAD_LEN = TLV_META_TYPE_UINT   | 403
       TLV_TYPE_MIGRATE_PAYLOAD     = TLV_META_TYPE_STRING | 404
       TLV_TYPE_MIGRATE_ARCH        = TLV_META_TYPE_UINT   | 405
       TLV_TYPE_MIGRATE_BASE_ADDR   = TLV_META_TYPE_UINT   | 407
@@ -105,9 +107,21 @@ module Metasploit
 
       TLV_TYPE_MACHINE_ID          = TLV_META_TYPE_STRING | 460
       TLV_TYPE_UUID                = TLV_META_TYPE_RAW    | 461
+      TLV_TYPE_SESSION_GUID        = TLV_META_TYPE_RAW    | 462
+
+      TLV_TYPE_RSA_PUB_KEY         = TLV_META_TYPE_STRING | 550
+      TLV_TYPE_SYM_KEY_TYPE        = TLV_META_TYPE_UINT   | 551
+      TLV_TYPE_SYM_KEY             = TLV_META_TYPE_RAW    | 552
+      TLV_TYPE_ENC_SYM_KEY         = TLV_META_TYPE_RAW    | 553
+
+#
+# Pivots
+#
+      TLV_TYPE_PIVOT_ID              = TLV_META_TYPE_RAW    |  650
+      TLV_TYPE_PIVOT_STAGE_DATA      = TLV_META_TYPE_RAW    |  651
+      TLV_TYPE_PIVOT_STAGE_DATA_SIZE = TLV_META_TYPE_UINT   |  652
+      TLV_TYPE_PIVOT_NAMED_PIPE_NAME = TLV_META_TYPE_STRING |  653
 
-      TLV_TYPE_CIPHER_NAME         = TLV_META_TYPE_STRING | 500
-      TLV_TYPE_CIPHER_PARAMETERS   = TLV_META_TYPE_GROUP  | 501
 
 #
 # Core flags
@@ -129,6 +143,12 @@ module Metasploit
       TLV_TYPE_LOGGED_ON_USER_COUNT   = TLV_META_TYPE_UINT    | 1047
       TLV_TYPE_LOCAL_DATETIME         = TLV_META_TYPE_STRING  | 1048
 
+#
+# Sane defaults
+#
+      GUID_SIZE = 16
+      NULL_GUID = "\x00" * GUID_SIZE
+
 ###
 #
 # Base TLV (Type-Length-Value) class
@@ -137,6 +157,8 @@ module Metasploit
       class Tlv
         attr_accessor :type, :value, :compress
 
+        HEADER_SIZE = 8
+
         ##
         #
         # Constructor
@@ -254,7 +276,7 @@ module Metasploit
           end
 
           # check if the tlv is to be compressed...
-          if( @compress )
+          if @compress
             raw_uncompressed = raw
             # compress the raw data
             raw_compressed = Rex::Text.zlib_deflate( raw_uncompressed )
@@ -270,7 +292,7 @@ module Metasploit
             end
           end
 
-          return [raw.length + 8, self.type].pack("NN") + raw
+          [raw.length + HEADER_SIZE, self.type].pack("NN") + raw
         end
 
         #
@@ -286,19 +308,22 @@ module Metasploit
             # set this TLV as using compression
             @compress = true
             # remove the TLV_META_TYPE_COMPRESSED flag from the tlv type to restore the
-            # tlv type to its origional, allowing for transparent data compression.
+            # tlv type to its original, allowing for transparent data compression.
             self.type = self.type ^ TLV_META_TYPE_COMPRESSED
             # decompress the compressed data (skipping the length and type DWORD's)
-            raw_decompressed = Rex::Text.zlib_inflate( raw[8..length-1] )
-            # update the length to reflect the decompressed data length (+8 for the length and type DWORD's)
-            length = raw_decompressed.length + 8
-            # update the raw buffer with the new length, decompressed data and updated type.
-            raw = [length, self.type].pack("NN") + raw_decompressed
+
+            # disable raw_decompression for now - not needed by aggregator at this time
+            # raw_decompressed = Rex::Text.zlib_inflate( raw[HEADER_SIZE..length-1] )
+            #
+            # # update the length to reflect the decompressed data length (+HEADER_SIZE for the length and type DWORD's)
+            # length = raw_decompressed.length + HEADER_SIZE
+            # # update the raw buffer with the new length, decompressed data and updated type.
+            # raw = [length, self.type].pack("NN") + raw_decompressed
           end
 
           if (self.type & TLV_META_TYPE_STRING == TLV_META_TYPE_STRING)
             if (raw.length > 0)
-              self.value = raw[8..length-2]
+              self.value = raw[HEADER_SIZE..length-2]
             else
               self.value = nil
             end
@@ -316,23 +341,24 @@ module Metasploit
               self.value = false
             end
           else
-            self.value = raw[8..length-1]
+            self.value = raw[HEADER_SIZE..length-1]
           end
 
-          return length;
+          length
         end
 
         protected
 
-        def htonq( value )
-          if( [1].pack( 's' ) == [1].pack( 'n' ) )
+        def htonq(value)
+          if [1].pack( 's' ) == [1].pack('n')
             return value
+          else
+            [value].pack('Q<').reverse.unpack('Q<').first
           end
-          return [ value ].pack( 'Q<' ).reverse.unpack( 'Q<' ).first
         end
 
-        def ntohq( value )
-          return htonq( value )
+        def ntohq(value)
+          htonq(value)
         end
 
       end
@@ -358,7 +384,7 @@ module Metasploit
         def initialize(type)
           super(type)
 
-          self.tlvs = [ ]
+          self.tlvs = []
         end
 
         ##
@@ -399,8 +425,8 @@ module Metasploit
         # Returns an array of TLVs for the given type.
         #
         def get_tlvs(type)
-          if (type == TLV_TYPE_ANY)
-            return self.tlvs
+          if type == TLV_TYPE_ANY
+            self.tlvs
           else
             type_tlvs = []
 
@@ -410,7 +436,7 @@ module Metasploit
               end
             }
 
-            return type_tlvs
+            type_tlvs
           end
         end
 
@@ -426,7 +452,7 @@ module Metasploit
         def add_tlv(type, value = nil, replace = false, compress=false)
 
           # If we should replace any TLVs with the same type...remove them first
-          if (replace)
+          if replace
             each(type) { |tlv|
               if (tlv.type == type)
                 self.tlvs.delete(tlv)
@@ -442,14 +468,14 @@ module Metasploit
 
           self.tlvs << tlv
 
-          return tlv
+          tlv
         end
 
         #
         # Adds zero or more TLVs to the packet.
         #
         def add_tlvs(tlvs)
-          if (tlvs != nil)
+          if tlvs
             tlvs.each { |tlv|
               add_tlv(tlv['type'], tlv['value'])
             }
@@ -462,11 +488,12 @@ module Metasploit
         def get_tlv(type, index = 0)
           type_tlvs = get_tlvs(type)
 
-          if (type_tlvs.length > index)
-            return type_tlvs[index]
+          if type_tlvs.length > index
+            type_tlvs[index]
+          else
+            nil
           end
 
-          return nil
         end
 
         #
@@ -475,7 +502,7 @@ module Metasploit
         def get_tlv_value(type, index = 0)
           tlv = get_tlv(type, index)
 
-          return (tlv != nil) ? tlv.value : nil
+          (tlv != nil) ? tlv.value : nil
         end
 
         #
@@ -489,7 +516,7 @@ module Metasploit
         # Checks to see if the container has a TLV of a given type.
         #
         def has_tlv?(type)
-          return get_tlv(type) != nil
+          get_tlv(type) != nil
         end
 
         #
@@ -516,7 +543,7 @@ module Metasploit
             raw << tlv.to_r
           }
 
-          return [raw.length + 8, self.type].pack("NN") + raw
+          [raw.length + HEADER_SIZE, self.type].pack("NN") + raw
         end
 
         #
@@ -524,19 +551,19 @@ module Metasploit
         # TLVs.
         #
         def from_r(raw)
-          offset = 8
+          offset = HEADER_SIZE
 
           # Reset the TLVs array
           self.tlvs = []
           self.type = raw.unpack("NN")[1]
 
           # Enumerate all of the TLVs
-          while (offset < raw.length-1)
+          while offset < raw.length-1
 
             tlv = nil
 
             # Get the length and type
-            length, type = raw[offset..offset+8].unpack("NN")
+            length, type = raw[offset..offset+HEADER_SIZE].unpack("NN")
 
             if (type & TLV_META_TYPE_GROUP == TLV_META_TYPE_GROUP)
               tlv = GroupTlv.new(type)
@@ -563,6 +590,49 @@ module Metasploit
 ###
       class Packet < GroupTlv
         attr_accessor :created_at
+        attr_accessor :raw
+        attr_accessor :session_guid
+        attr_accessor :encrypt_flags
+        attr_accessor :length
+
+        ##
+        #
+        # The Packet container itself has a custom header that is slightly different to the
+        # typical TLV packets. The header contains the following:
+        #
+        # XOR KEY        - 4 bytes
+        # Session GUID   - 16 bytes
+        # Encrypt flags  - 4 bytes
+        # Packet length  - 4 bytes
+        # Packet type    - 4 bytes
+        # Packet data    - X bytes
+        #
+        # If the encrypt flags are zero, then the Packet data is just straight TLV values as
+        # per the normal TLV packet structure.
+        #
+        # If the encrypt flags are non-zer, then the Packet data is encrypted based on the scheme.
+        #
+        # Flag == 1 (AES256)
+        #    IV             - 16 bytes
+        #    Encrypted data - X bytes
+        #
+        # The key that is required to decrypt the data is stored alongside the session data,
+        # and hence when the packet is initially parsed, only the header is accessed. The
+        # packet itself will need to be decrypted on the fly at the point that it is required
+        # and at that point the decryption key needs to be provided.
+        #
+        ###
+
+        XOR_KEY_SIZE = 4
+        ENCRYPTED_FLAGS_SIZE = 4
+        PACKET_LENGTH_SIZE = 4
+        PACKET_TYPE_SIZE = 4
+        PACKET_HEADER_SIZE = XOR_KEY_SIZE + GUID_SIZE + ENCRYPTED_FLAGS_SIZE + PACKET_LENGTH_SIZE + PACKET_TYPE_SIZE
+
+        AES_IV_SIZE = 16
+
+        ENC_FLAG_NONE   = 0x0
+        ENC_FLAG_AES256 = 0x1
 
         ##
         #
@@ -574,7 +644,7 @@ module Metasploit
         # Creates a request with the supplied method.
         #
         def Packet.create_request(method = nil)
-          return Packet.new(PACKET_TYPE_REQUEST, method)
+          Packet.new(PACKET_TYPE_REQUEST, method)
         end
 
         #
@@ -583,6 +653,7 @@ module Metasploit
         def Packet.create_response(request = nil)
           response_type = PACKET_TYPE_RESPONSE
           method = nil
+          id = nil
 
           if (request)
             if (request.type?(PACKET_TYPE_PLAIN_REQUEST))
@@ -590,9 +661,19 @@ module Metasploit
             end
 
             method = request.method
+
+            if request.has_tlv?(TLV_TYPE_REQUEST_ID)
+              id = request.get_tlv_value(TLV_TYPE_REQUEST_ID)
+            end
+          end
+
+          packet = Packet.new(response_type, method)
+
+          if id
+            packet.add_tlv(TLV_TYPE_REQUEST_ID, id)
           end
 
-          return Packet.new(response_type, method)
+          packet
         end
 
         ##
@@ -609,11 +690,12 @@ module Metasploit
         def initialize(type = nil, method = nil)
           super(type)
 
-          if (method)
+          if method
             self.method = method
           end
 
           self.created_at = ::Time.now
+          self.raw = ''
 
           # If it's a request, generate a random request identifier
           if ((type == PACKET_TYPE_REQUEST) ||
@@ -626,20 +708,99 @@ module Metasploit
           end
         end
 
+        def add_raw(bytes)
+          self.raw << bytes
+        end
+
+        def raw_bytes_required
+          # if we have the xor bytes and length ...
+          if self.raw.length >= PACKET_HEADER_SIZE
+            # return a value based on the length of the data indicated by
+            # the header
+            xor_key = self.raw.unpack('a4')[0]
+            decoded_bytes = xor_bytes(xor_key, raw[0, PACKET_HEADER_SIZE])
+            _, _, _, length, _ = decoded_bytes.unpack('a4a16NNN')
+            length + PACKET_HEADER_SIZE - HEADER_SIZE - self.raw.length
+          else
+            # Otherwise ask for the remaining bytes for the metadata to get the packet length
+            # So we can do the rest of the calculation next time
+            PACKET_HEADER_SIZE - self.raw.length
+          end
+        end
+
+        def aes_encrypt(key, data)
+          # Create the required cipher instance
+          aes = OpenSSL::Cipher.new('AES-256-CBC')
+          # Generate a truly random IV
+          iv = aes.random_iv
+
+          # set up the encryption
+          aes.encrypt
+          aes.key = key
+          aes.iv = iv
+
+          # encrypt and return the IV along with the result
+          return iv, aes.update(data) + aes.final
+        end
+
+        def aes_decrypt(key, iv, data)
+          # Create the required cipher instance
+          aes = OpenSSL::Cipher.new('AES-256-CBC')
+          # Generate a truly random IV
+
+          # set up the encryption
+          aes.decrypt
+          aes.key = key
+          aes.iv = iv
+
+          # decrypt!
+          aes.update(data) + aes.final
+        end
+
         #
         # Override the function that creates the raw byte stream for
         # sending so that it generates an XOR key, uses it to scramble
         # the serialized TLV content, and then returns the key plus the
         # scrambled data as the payload.
         #
-        def to_r
-          raw = super
-          xor_key = rand(254) + 1
-          xor_key |= (rand(254) + 1) << 8
-          xor_key |= (rand(254) + 1) << 16
-          xor_key |= (rand(254) + 1) << 24
-          result = [xor_key].pack('N') + xor_bytes(xor_key, raw)
-          result
+        def to_r(session_guid = nil, key = nil)
+          xor_key = (rand(254) + 1).chr + (rand(254) + 1).chr + (rand(254) + 1).chr + (rand(254) + 1).chr
+
+          raw = (session_guid || NULL_GUID).dup
+          tlv_data = GroupTlv.instance_method(:to_r).bind(self).call
+
+          if key && key[:key] && key[:type] == ENC_FLAG_AES256
+            # encrypt the data, but not include the length and type
+            iv, ciphertext = aes_encrypt(key[:key], tlv_data[HEADER_SIZE..-1])
+            # now manually add the length/type/iv/ciphertext
+            raw << [ENC_FLAG_AES256, iv.length + ciphertext.length + HEADER_SIZE, self.type, iv, ciphertext].pack('NNNA*A*')
+          else
+            raw << [ENC_FLAG_NONE, tlv_data].pack('NA*')
+          end
+
+          # return the xor'd result with the key
+          xor_key + xor_bytes(xor_key, raw)
+        end
+
+        #
+        # Decrypt the packet based on the content of the encryption flags.
+        #
+        def decrypt_packet(key, encrypt_flags, data)
+          # TODO: throw an error if the expected encryption isn't the same as the given
+          #       as this could be an indication of hijacking or side-channel packet addition
+          #       as highlighted by Justin Steven on github.
+          if key && key[:key] && key[:type] && encrypt_flags == ENC_FLAG_AES256 && encrypt_flags == key[:type]
+            iv = data[0, AES_IV_SIZE]
+            aes_decrypt(key[:key], iv, data[iv.length..-1])
+          else
+            data
+          end
+        end
+
+        def parse_header!
+          xor_key = self.raw.unpack('a4')[0]
+          data = xor_bytes(xor_key, self.raw[0..PACKET_HEADER_SIZE])
+          _, self.session_guid, self.encrypt_flags, self.length, self.type = data.unpack('a4a16NNN')
         end
 
         #
@@ -648,17 +809,20 @@ module Metasploit
         # passing it on to the default functionality that can parse
         # the TLV values.
         #
-        def from_r(bytes)
-          xor_key = bytes[0,4].unpack('N')[0]
-          super(xor_bytes(xor_key, bytes[4, bytes.length]))
+        def from_r(key=nil)
+          self.parse_header!
+          xor_key = self.raw.unpack('a4')[0]
+          data = xor_bytes(xor_key, self.raw[PACKET_HEADER_SIZE..-1])
+          raw = decrypt_packet(key, self.encrypt_flags, data)
+          super([self.length, self.type, raw].pack('NNA*'))
         end
 
         #
-        # Xor a set of bytes with a given DWORD xor key.
+        # Xor a set of bytes with a given XOR key.
         #
         def xor_bytes(xor_key, bytes)
           result = ''
-          bytes.bytes.zip([xor_key].pack('V').bytes.cycle).each do |b|
+          bytes.bytes.zip(xor_key.bytes.cycle).each do |b|
             result << (b[0].ord ^ b[1].ord).chr
           end
           result

data/lib/metasploit/aggregator/version.rb

@@ -1,5 +1,5 @@
 module Metasploit
   module Aggregator
-    VERSION = '0.2.3'
+    VERSION = '1.0.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: metasploit-aggregator
 version: !ruby/object:Gem::Version
-  version: 0.2.3
+  version: 1.0.0
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -88,7 +88,7 @@ cert_chain:
   G+Hmcg1v810agasPdoydE0RTVZgEOOMoQ07qu7JFXVWZ9ZQpHT7qJATWL/b2csFG
   8mVuTXnyJOKRJA==
   -----END CERTIFICATE-----
-date: 2017-10-06 00:00:00.000000000 Z
+date: 2017-10-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -223,7 +223,6 @@ files:
 - lib/metasploit/aggregator/router.rb
 - lib/metasploit/aggregator/session_detail_service.rb
 - lib/metasploit/aggregator/tlv/packet.rb
-- lib/metasploit/aggregator/tlv/packet_parser.rb
 - lib/metasploit/aggregator/tlv/uuid.rb
 - lib/metasploit/aggregator/version.rb
 - metasploit-aggregator.gemspec

data/lib/metasploit/aggregator/tlv/packet_parser.rb

@@ -1,103 +0,0 @@
-# -*- coding: binary -*-
-require 'metasploit/aggregator/tlv/packet'
-
-module Metasploit
-  module Aggregator
-    module Tlv
-      ###
-      #
-      # This class is responsible for reading in and decrypting meterpreter
-      # packets that arrive on a socket
-      #
-      ###
-      class PacketParser
-
-        # 4 byte xor
-        # 4 byte length
-        # 4 byte type
-        HEADER_SIZE = 12
-
-        #
-        # Initializes the packet parser context with an optional cipher.
-        #
-        def initialize(cipher = nil)
-          self.cipher = cipher
-
-          reset
-        end
-
-        #
-        # Resets the parser state so that a new packet can begin being parsed.
-        #
-        def reset
-          self.raw = ''
-          self.hdr_length_left = HEADER_SIZE
-          self.payload_length_left = 0
-        end
-
-        #
-        # Reads data from the wire and parse as much of the packet as possible.
-        #
-        def recv(sock)
-          # Create a typeless packet
-          packet = Packet.new(0)
-
-          if (self.hdr_length_left > 0)
-            buf = sock.read(self.hdr_length_left)
-
-            if (buf)
-              self.raw << buf
-
-              self.hdr_length_left -= buf.length
-            else
-              raise EOFError
-            end
-
-            # If we've finished reading the header, set the
-            # payload length left to the number of bytes
-            # specified in the length
-            if (self.hdr_length_left == 0)
-              xor_key = raw[0, 4].unpack('N')[0]
-              length_bytes = packet.xor_bytes(xor_key, raw[4, 4])
-              # header size doesn't include the xor key, which is always tacked on the front
-              self.payload_length_left = length_bytes.unpack("N")[0] - (HEADER_SIZE - 4)
-            end
-          end
-          if (self.payload_length_left > 0)
-            buf = sock.read(self.payload_length_left)
-
-            if (buf)
-              self.raw << buf
-
-              self.payload_length_left -= buf.length
-            else
-              raise EOFError
-            end
-          end
-
-          # If we've finished reading the entire packet
-          if ((self.hdr_length_left == 0) &&
-              (self.payload_length_left == 0))
-
-            # TODO: cipher decryption
-            if (cipher)
-            end
-
-            # Deserialize the packet from the raw buffer
-            packet.from_r(self.raw)
-
-            # Reset our state
-            reset
-
-            return packet
-          end
-        end
-
-      protected
-        attr_accessor :cipher, :raw, :hdr_length_left, :payload_length_left  # :nodoc:
-
-      end
-    end
-  end
-end
-