From 7baf199f50a8a1813502cb2247cb578148cd7fb3 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Mon, 9 Oct 2023 15:41:19 +0100 Subject: [PATCH 1/5] Add support for loading of encrypted libraries --- lib/rex/post/meterpreter/client_core.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index 3d86d4636b3b..8cd645ebd38d 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb @@ -258,7 +258,8 @@ def load_library(opts) end if library_image - request.add_tlv(TLV_TYPE_DATA, library_image, false, client.capabilities[:zlib]) + decrypted_library_image = ::MetasploitPayloads.decrypt_payload(payload: library_image) + request.add_tlv(TLV_TYPE_DATA, decrypted_library_image, false, client.capabilities[:zlib]) else raise RuntimeError, "Failed to serialize library #{library_path}.", caller end From 1140efc8b4874af2bdd4a44e912ec9adf981e266 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Mon, 9 Oct 2023 17:58:00 +0100 Subject: [PATCH 2/5] Support adding encrypted files to archives & jars --- lib/msf/core/payload/android.rb | 8 +++++- lib/msf/core/payload/java.rb | 27 ++++++++++++++++--- lib/msf/util/exe.rb | 9 ++++++- .../exploits/multi/misc/java_jmx_server.rb | 8 +++++- .../exploits/multi/misc/java_rmi_server.rb | 8 +++++- 5 files changed, 53 insertions(+), 7 deletions(-) diff --git a/lib/msf/core/payload/android.rb b/lib/msf/core/payload/android.rb index 9f6cd14748b1..a1c0e0f3093e 100644 --- a/lib/msf/core/payload/android.rb +++ b/lib/msf/core/payload/android.rb 
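Review bot: The added line decrypts `library_image` unconditionally, but `library_image` is built above this hunk (load_library's body starts outside it) and nothing visible shows that it can only be a metasploit-payloads artifact; unless `decrypt_payload` recognises already-plaintext input and returns it unchanged, a library obtained any other way would be sent to the target as garbage. Whichever way the helper behaves, state the expectation at the call site, e.g. `# Extension libraries shipped in metasploit-payloads are stored encrypted on disk; decrypt before the image goes over the channel.` This call is rewritten as `::MetasploitPayloads::Crypto.decrypt(ciphertext:)` later in the series (patch 4) while the metasploit-payloads pin that provides it is only raised in patch 5, so if 2.0.156 lacks the helper the intermediate commits are not runnable on their own; squashing patches 1 and 4 and landing the gem bump first would keep each commit self-consistent.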
@@ -127,7 +127,13 @@ def generate_jar(opts={}) [ "AndroidManifest.xml" ], [ "resources.arsc" ] ] - jar.add_files(files, MetasploitPayloads.path("android", "apk")) + + files.each do |file| + path = ['android', 'apk', file].flatten.join('/') + contents = ::MetasploitPayloads.read(path) + jar.add_file(file.join('/'), contents) + end + jar.add_file("classes.dex", fix_dex_header(classes)) jar.build_manifest diff --git a/lib/msf/core/payload/java.rb b/lib/msf/core/payload/java.rb index 466a272a4bab..ee7f5aa1a256 100644 --- a/lib/msf/core/payload/java.rb +++ b/lib/msf/core/payload/java.rb @@ -58,7 +58,14 @@ def generate_jar(opts={}) jar = Rex::Zip::Jar.new jar.add_sub("metasploit") if opts[:random] jar.add_file("metasploit.dat", stager_config(opts)) - jar.add_files(paths, ::MetasploitPayloads.path('java')) + jar.add_file('metasploit/', '') # Create the metasploit dir + + paths.each do |path_parts| + path = ['java', path_parts].flatten.join('/') + contents = ::MetasploitPayloads.read(path) + jar.add_file(path_parts.join('/'), contents) + end + jar.build_manifest(:main_class => main_class) jar @@ -103,7 +110,14 @@ def generate_war(opts={}) zip.add_file('WEB-INF/', '') zip.add_file('WEB-INF/web.xml', web_xml) zip.add_file("WEB-INF/classes/", "") - zip.add_files(paths, MetasploitPayloads.path('java'), 'WEB-INF/classes/') + zip.add_file('metasploit/', '') # Create the metasploit dir + + paths.each do |path_parts| + path = ['java', path_parts].flatten.join('/') + contents = ::MetasploitPayloads.read(path) + zip.add_file(path_parts.join('/'), contents) + end + zip.add_file("WEB-INF/classes/metasploit.dat", stager_config(opts)) zip 
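Review bot: The read-and-add loop introduced here is repeated almost verbatim in generate_jar, generate_war and generate_axis2 of lib/msf/core/payload/java.rb, in Msf::Util::EXE.to_jar, and in the java_jmx_server and java_rmi_server modules, each with the same `[...].flatten.join('/')` / `::MetasploitPayloads.read(path)` / `add_file(path_parts.join('/'), contents)` triple; the removed `add_files(files, base)` was the shared helper, and a replacement with the same shape (a small helper taking the base directory and the path tuples) would keep the decrypt-on-read policy in one place instead of seven. In this hunk the block parameter is named `file` although, as `file.join('/')` shows, it is an array of path parts like the `path_parts` used in the other hunks; using the same name here would make the copies easier to diff. A one-line comment would also explain why a loop replaced `add_files`, e.g. `# Files in metasploit-payloads are stored encrypted, so read them through MetasploitPayloads.read rather than from the raw path.` generate_jar starts outside the hunk.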
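Review bot: In generate_war the `'WEB-INF/classes/'` prefix passed as the third argument of the removed `add_files` call has no counterpart in the replacement: the classes are added under `path_parts.join('/')` and the directory entry as `'metasploit/'`, so, assuming that argument was the in-archive prefix as its value and the surrounding `WEB-INF/classes/` entries suggest, the class files now land at the archive root instead of under `WEB-INF/classes/`, where `metasploit.dat` still goes and where a servlet container looks for them. The two lines should read `zip.add_file('WEB-INF/classes/metasploit/', '')` and `zip.add_file('WEB-INF/classes/' + path_parts.join('/'), contents)`. The generate_jar and generate_axis2 hunks add to the archive root as before and are not affected. generate_war continues outside the hunk.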
@@ -138,7 +152,14 @@ def generate_axis2(opts={}) zip = Rex::Zip::Jar.new zip.add_file('META-INF/', '') zip.add_file('META-INF/services.xml', services_xml) - zip.add_files(paths, MetasploitPayloads.path('java')) + zip.add_file('metasploit/', '') # Create the metasploit dir + + paths.each do |path_parts| + path = ['java', path_parts].flatten.join('/') + contents = ::MetasploitPayloads.read(path) + zip.add_file(path_parts.join('/'), contents) + end + zip.add_file('metasploit.dat', stager_config(opts)) zip.build_manifest(:app_name => app_name) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 274f30416739..e198006b6aef 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -1599,7 +1599,14 @@ def self.to_jar(exe, opts = {}) paths = [ [ "metasploit", "Payload.class" ], ] - zip.add_files(paths, MetasploitPayloads.path('java')) + + zip.add_file('metasploit/', '') + paths.each do |path_parts| + path = ['java', path_parts].flatten.join('/') + contents = ::MetasploitPayloads.read(path) + zip.add_file(path_parts.join('/'), contents) + end + zip.build_manifest :main_class => "metasploit.Payload" config = "Spawn=#{spawn}\r\nExecutable=#{exe_name}\r\n" zip.add_file("metasploit.dat", config) diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb index dacd058d6df2..1df274dee158 100644 --- a/modules/exploits/multi/misc/java_jmx_server.rb +++ b/modules/exploits/multi/misc/java_jmx_server.rb @@ -69,7 +69,13 @@ def on_request_uri(cli, request) ["metasploit", "JMXPayloadMBean.class"], ["metasploit", "JMXPayload.class"], ] - @jar.add_files(paths, MetasploitPayloads.path('java')) + + @jar.add_file('metasploit/', '') + paths.each do |path_parts| + path = ['java', path_parts].flatten.join('/') + contents = ::MetasploitPayloads.read(path) + @jar.add_file(path_parts.join('/'), contents) + end end if request.uri =~ /mlet$/ 
diff --git a/modules/exploits/multi/misc/java_rmi_server.rb b/modules/exploits/multi/misc/java_rmi_server.rb index 2838deb488ee..b74350a3105f 100644 --- a/modules/exploits/multi/misc/java_rmi_server.rb +++ b/modules/exploits/multi/misc/java_rmi_server.rb @@ -173,7 +173,13 @@ def on_request_uri(cli, request) [ "metasploit", "RMILoader.class" ], [ "metasploit", "RMIPayload.class" ], ] - jar.add_files(paths, MetasploitPayloads.path('java')) + + jar.add_file('metasploit/', '') # create metasploit dir + paths.each do |path_parts| + path = ['java', path_parts].flatten.join('/') + contents = ::MetasploitPayloads.read(path) + jar.add_file(path_parts.join('/'), contents) + end send_response(cli, jar.pack, { From b428736e0334e57b977d94a73f2a99e45c77a89e Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Wed, 11 Oct 2023 14:08:50 +0100 Subject: [PATCH 3/5] Add support for injection of encrypted dll payloads --- lib/msf/core/post/windows/reflective_dll_injection.rb | 5 +++-- lib/msf/core/reflective_dll_loader.rb | 7 ++++--- lib/rex/post/meterpreter/extensions/priv/priv.rb | 7 ++----- modules/exploits/windows/local/ms15_078_atmfd_bof.rb | 4 ++-- 4 files changed, 11 insertions(+), 12 deletions(-) diff --git a/lib/msf/core/post/windows/reflective_dll_injection.rb b/lib/msf/core/post/windows/reflective_dll_injection.rb index 6278514b95df..151ea9703689 100644 --- a/lib/msf/core/post/windows/reflective_dll_injection.rb +++ b/lib/msf/core/post/windows/reflective_dll_injection.rb 
@@ -78,8 +78,9 @@ def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader', # @return [Array] Tuple of allocated memory address and offset to the # +ReflectiveLoader+ function. def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) - offset = load_rdi_dll_from_data(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal) - dll_mem = inject_into_process(process, dll_data) + decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data) + offset = load_rdi_dll_from_data(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal) + dll_mem = inject_into_process(process, decrypted_dll_data) return dll_mem, offset end diff --git a/lib/msf/core/reflective_dll_loader.rb b/lib/msf/core/reflective_dll_loader.rb index b1433262b0a8..a2abd90d7073 100644 --- a/lib/msf/core/reflective_dll_loader.rb +++ b/lib/msf/core/reflective_dll_loader.rb @@ -24,8 +24,8 @@ module Msf::ReflectiveDLLLoader # @return [Array] Tuple of DLL contents and offset to the # +ReflectiveLoader+ function within the DLL. def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) - dll = '' - ::File.open(dll_path, 'rb') { |f| dll = f.read } + encrypted_dll = ::File.binread(dll_path) + dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll) offset = parse_pe(dll, loader_name: loader_name, loader_ordinal: loader_ordinal) 
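Review bot: `inject_dll_data_into_process` now decrypts `dll_data` and passes the result to `load_rdi_dll_from_data`, which in the next hunk of this patch (lib/msf/core/reflective_dll_loader.rb, `@@ -43,7 +43,8 @@`) decrypts its argument again, so the same buffer goes through `decrypt_payload` twice; patch 4 keeps this shape with `Crypto.decrypt` in both places. Unless the helper detects plaintext input and returns it unchanged, which is not visible here, the second call will fail or corrupt the image before `parse_pe` sees it. Decrypt at one layer only — either drop the call from `load_rdi_dll_from_data` and keep it here, or keep it in the loader and pass the raw `dll_data` from here, still handing `inject_into_process` the decrypted bytes — and say in the `@param dll_data` doc which form is expected. inject_dll_into_process, shown in the hunk header, is outside the hunk and should be checked for the same layering.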
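Review bot: `load_rdi_dll` now treats the file at `dll_path` as an encrypted artifact, but the visible `@return` doc is unchanged and the `@param dll_path` line above the hunk (outside it) presumably still describes a plain DLL path. Update it so callers know what the path must point at, e.g. `# @param dll_path [String] Path to the DLL in the encrypted form shipped by metasploit-payloads; it is decrypted before parsing.` The method continues outside the hunk.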
@@ -43,7 +43,8 @@ def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPO # # @return [Integer] offset to the +ReflectiveLoader+ function within the DLL. def load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) - offset = parse_pe(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal) + decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data) + offset = parse_pe(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal) unless offset raise 'Cannot find the ReflectiveLoader entry point in DLL data' diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb index ee6c9b830e97..6cff9029d125 100644 --- a/lib/rex/post/meterpreter/extensions/priv/priv.rb +++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb @@ -82,11 +82,8 @@ def getsystem(technique=TECHNIQUE[:any]) raise RuntimeError, "#{elevators.chomp(', ')} not found", caller end - elevator_data = '' - - ::File.open(elevator_path, 'rb') { |f| - elevator_data += f.read(f.stat.size) - } + encrypted_elevator_data = ::File.binread(elevator_path) + elevator_data = ::MetasploitPayloads.decrypt_payload(payload: encrypted_elevator_data) request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data) request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length) diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb index 1702730ff345..eb0f8abf4b1e 100644 --- a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb +++ b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb 
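Review bot: `elevator_data` is now the return value of `decrypt_payload` rather than a `binread` string, and the context line `request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)` still sends its `length`; if the helper returns a string tagged with a multibyte encoding instead of ASCII-8BIT, `length` counts characters, not bytes, and the advertised size would be wrong. `bytesize` is correct for either encoding: `request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.bytesize)`. The same applies after patch 4 rewrites this spot with `Crypto.decrypt`. getsystem continues outside the hunk.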
@@ -384,8 +384,8 @@ def exploit library_path = ::File.expand_path(library_path) print_status("Reflectively injecting the exploit DLL into #{process.pid}...") - dll = '' - ::File.open(library_path, 'rb') { |f| dll = f.read } + encrypted_dll = ::File.binread(library_path) + dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll) patch_win32k_offsets(dll) patch_nt_offsets(dll) From daa8b8ae999b6ff074c5fd0b7d5245395ce45652 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Thu, 12 Oct 2023 17:33:58 +0100 Subject: [PATCH 4/5] Use Metasploit-Payloads Crypto to decrypt payloads --- lib/msf/core/payload/windows/dll_inject.rb | 5 ++--- .../core/post/windows/reflective_dll_injection.rb | 2 +- lib/msf/core/reflective_dll_loader.rb | 4 ++-- lib/rex/post/meterpreter/client_core.rb | 2 +- lib/rex/post/meterpreter/extensions/priv/priv.rb | 2 +- lib/rex/post/meterpreter/extensions/stdapi/ui.rb | 12 ++++-------- modules/exploits/windows/local/ms15_078_atmfd_bof.rb | 2 +- 7 files changed, 12 insertions(+), 17 deletions(-) diff --git a/lib/msf/core/payload/windows/dll_inject.rb b/lib/msf/core/payload/windows/dll_inject.rb index 7ad07c693879..4852d83d557a 100644 --- a/lib/msf/core/payload/windows/dll_inject.rb +++ b/lib/msf/core/payload/windows/dll_inject.rb @@ -205,9 +205,8 @@ def handle_connection_stage(conn, opts = {}) data = library_name + "\x00" begin - File.open(library_path, "rb") { |f| - data += f.read - } + encrypted_contents = ::File.binread(library_path) + data += ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_contents) rescue print_error("Failed to load DLL: #{$!}.") diff --git a/lib/msf/core/post/windows/reflective_dll_injection.rb b/lib/msf/core/post/windows/reflective_dll_injection.rb index 151ea9703689..dd703694efde 100644 --- a/lib/msf/core/post/windows/reflective_dll_injection.rb +++ b/lib/msf/core/post/windows/reflective_dll_injection.rb 
@@ -78,7 +78,7 @@ def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader', # @return [Array] Tuple of allocated memory address and offset to the # +ReflectiveLoader+ function. def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) - decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data) + decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data) offset = load_rdi_dll_from_data(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal) dll_mem = inject_into_process(process, decrypted_dll_data) diff --git a/lib/msf/core/reflective_dll_loader.rb b/lib/msf/core/reflective_dll_loader.rb index a2abd90d7073..02e06351e395 100644 --- a/lib/msf/core/reflective_dll_loader.rb +++ b/lib/msf/core/reflective_dll_loader.rb @@ -25,7 +25,7 @@ module Msf::ReflectiveDLLLoader # +ReflectiveLoader+ function within the DLL. def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) encrypted_dll = ::File.binread(dll_path) - dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll) + dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll) offset = parse_pe(dll, loader_name: loader_name, loader_ordinal: loader_ordinal) @@ -43,7 +43,7 @@ def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPO # # @return [Integer] offset to the +ReflectiveLoader+ function within the DLL. def load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER) - decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data) + decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data) offset = parse_pe(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal) unless offset 
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb index 8cd645ebd38d..9100e99872e5 100644 --- a/lib/rex/post/meterpreter/client_core.rb +++ b/lib/rex/post/meterpreter/client_core.rb @@ -258,7 +258,7 @@ def load_library(opts) end if library_image - decrypted_library_image = ::MetasploitPayloads.decrypt_payload(payload: library_image) + decrypted_library_image = ::MetasploitPayloads::Crypto.decrypt(ciphertext: library_image) request.add_tlv(TLV_TYPE_DATA, decrypted_library_image, false, client.capabilities[:zlib]) else raise RuntimeError, "Failed to serialize library #{library_path}.", caller diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb index 6cff9029d125..30faaf70aca9 100644 --- a/lib/rex/post/meterpreter/extensions/priv/priv.rb +++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb @@ -83,7 +83,7 @@ def getsystem(technique=TECHNIQUE[:any]) end encrypted_elevator_data = ::File.binread(elevator_path) - elevator_data = ::MetasploitPayloads.decrypt_payload(payload: encrypted_elevator_data) + elevator_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_elevator_data) request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data) request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length) diff --git a/lib/rex/post/meterpreter/extensions/stdapi/ui.rb b/lib/rex/post/meterpreter/extensions/stdapi/ui.rb index 00427630c3c1..39b9af0b95a3 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/ui.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/ui.rb 
@@ -185,10 +185,8 @@ def screenshot( quality=50 ) raise RuntimeError, "screenshot.x64.dll not found", caller end - screenshot_dll = '' - ::File.open( screenshot_path, 'rb' ) do |f| - screenshot_dll += f.read( f.stat.size ) - end + encrypted_screenshot_dll = ::File.binread(screenshot_path) + screenshot_dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_screenshot_dll) request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER, screenshot_dll, false, true ) end @@ -199,10 +197,8 @@ def screenshot( quality=50 ) raise RuntimeError, "screenshot.x86.dll not found", caller end - screenshot_dll = '' - ::File.open( screenshot_path, 'rb' ) do |f| - screenshot_dll += f.read( f.stat.size ) - end + encrypted_screenshot_dll = ::File.binread(screenshot_path) + screenshot_dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_screenshot_dll) request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER, screenshot_dll, false, true ) end diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb index eb0f8abf4b1e..33b91912eef9 100644 --- a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb +++ b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb @@ -385,7 +385,7 @@ def exploit print_status("Reflectively injecting the exploit DLL into #{process.pid}...") encrypted_dll = ::File.binread(library_path) - dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll) + dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll) patch_win32k_offsets(dll) patch_nt_offsets(dll) From c73e815974913043d72771bd0bdddfbce5369a1e Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Fri, 13 Oct 2023 14:36:28 +0100 Subject: [PATCH 5/5] Bump metasploit-payloads --- Gemfile.lock | 4 ++-- LICENSE_GEMS | 2 +- metasploit-framework.gemspec | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 7d4a1abeefe4..dc9623b665a4 100644 --- a/Gemfile.lock 
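Review bot: The `binread` plus `Crypto.decrypt` pair is added identically to the x64 branch here and to the x86 branch in the next hunk (`@@ -199,10 +197,8 @@`), extending the existing duplication between the two branches of screenshot. A small private helper would keep the decryption step in one place: `def read_screenshot_dll(path)` / `  ::MetasploitPayloads::Crypto.decrypt(ciphertext: ::File.binread(path))` / `end`, called as `screenshot_dll = read_screenshot_dll(screenshot_path)` in both branches. screenshot's body starts and ends outside the hunk.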
+++ b/Gemfile.lock
@@ -33,7 +33,7 @@ PATH
 metasploit-concern
 metasploit-credential
 metasploit-model
- metasploit-payloads (= 2.0.156)
+ metasploit-payloads (= 2.0.159)
 metasploit_data_models
 metasploit_payloads-mettle (= 1.0.26)
 mqtt
@@ -278,7 +278,7 @@ GEM
 activemodel (~> 7.0)
 activesupport (~> 7.0)
 railties (~> 7.0)
- metasploit-payloads (2.0.156)
+ metasploit-payloads (2.0.159)
 metasploit_data_models (6.0.3)
 activerecord (~> 7.0)
 activesupport (~> 7.0)
diff --git a/LICENSE_GEMS b/LICENSE_GEMS
index b18568611b58..25b0cdde5160 100644
--- a/LICENSE_GEMS
+++ b/LICENSE_GEMS
@@ -82,7 +82,7 @@ metasploit-concern, 5.0.2, "New BSD"
 metasploit-credential, 6.0.6, "New BSD"
 metasploit-framework, 6.3.39, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.156, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.159, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
 metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
index a9102ad697fa..013dd8fd1f5d 100644
--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -72,7 +72,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
- spec.add_runtime_dependency 'metasploit-payloads', '2.0.156'
+ spec.add_runtime_dependency 'metasploit-payloads', '2.0.159'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.26'
 # Needed by msfgui and other rpc components