From 25b9f97a3208a1fda36daf76713eb52372c8b768 Mon Sep 17 00:00:00 2001
From: Adam Cammack
Date: Wed, 27 Jun 2018 16:26:41 -0500
Subject: [PATCH] Update cached payload size update to support IPv6

---
 lib/msf/util/payload_cached_size.rb | 38 +++++++++++++++++--
 .../linux/x86/shell_reverse_tcp_ipv6.rb | 2 +-
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/lib/msf/util/payload_cached_size.rb b/lib/msf/util/payload_cached_size.rb
index b9ede5e9b0..aa69ce0fe1 100644
--- a/lib/msf/util/payload_cached_size.rb
+++ b/lib/msf/util/payload_cached_size.rb
@@ -36,6 +36,28 @@ class PayloadCachedSize
     'DisableNops' => true
   }
 
+  OPTS6 = {
+    'Format' => 'raw',
+    'Options' => {
+      'CPORT' => 4444,
+      'LPORT' => 4444,
+      'LHOST' => 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff',
+      'KHOST' => 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff',
+      'AHOST' => 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff',
+      'CMD' => '/bin/sh',
+      'URL' => 'http://a.com',
+      'PATH' => '/',
+      'BUNDLE' => 'data/isight.bundle',
+      'DLL' => 'external/source/byakugan/bin/XPSP2/detoured.dll',
+      'RC4PASSWORD' => 'Metasploit',
+      'DNSZONE' => 'corelan.eu',
+      'PEXEC' => '/bin/sh',
+      'StagerURILength' => 5
+    },
+    'Encoder' => nil,
+    'DisableNops' => true
+  }
+
   # Insert a new CachedSize value into the text of a payload module
   #
   # @param data [String] The source code of a payload module
@@ -82,6 +104,7 @@ class PayloadCachedSize
   # @return [Integer]
   def self.compute_cached_size(mod)
     return ":dynamic" if is_dynamic?(mod)
+    return mod.generate_simple(OPTS6).size if mod.shortname =~ /6/
     return mod.generate_simple(OPTS).size
   end
 
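Review bot: OPTS6 repeats every entry of OPTS and differs only in the three host values, so any option later added to OPTS will be missing from the IPv6 set and the two cached sizes will silently diverge. If OPTS has the same 'Options' sub-hash shape (the matching tail on the context lines suggests it does), deriving OPTS6 from it keeps the two in lockstep. The all-ones address is presumably chosen as the longest textual IPv6 host so the cached size is an upper bound; a one-line comment saying so, `# Longest IPv6 text form, so the cached size is an upper bound`, would save the next reader from guessing.

```ruby
  IPV6_MAX_HOST = 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'

  # Same generation options as OPTS, with IPv6 host addresses.
  OPTS6 = OPTS.merge(
    'Options' => OPTS['Options'].merge(
      'LHOST' => IPV6_MAX_HOST,
      'KHOST' => IPV6_MAX_HOST,
      'AHOST' => IPV6_MAX_HOST
    )
  )
```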
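Review bot: The new guard `mod.shortname =~ /6/` in compute_cached_size treats any shortname containing the digit 6 as an IPv6 payload, and the same test is copied into the is_dynamic? and is_cached_size_accurate? hunks below. A shortname that carries a 6 for some other reason would be generated with an IPv6 LHOST it is not built for, which presumably fails or yields a wrong size, while an IPv6 payload whose shortname happens to lack a literal 6 would be sized with the IPv4 options. Matching the substring the module in this commit actually uses, `ipv6`, is narrower; better still, put the selection in one helper and have all three call sites use it, so the rule lives in one place and a later switch to an explicit module attribute touches one line.

```ruby
  # Generation options matching the address family a payload expects.
  # NOTE(review): keyed off the shortname as the commit does; an explicit
  # module attribute would be more robust if one exists.
  def self.opts_for(mod)
    mod.shortname =~ /ipv6/ ? OPTS6 : OPTS
  end

  def self.compute_cached_size(mod)
    return ":dynamic" if is_dynamic?(mod)
    mod.generate_simple(opts_for(mod)).size
  end

  # … is_dynamic? and is_cached_size_accurate?: replace each OPTS/OPTS6 branch with opts_for(mod) …
```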
@@ -92,8 +115,13 @@ class PayloadCachedSize
   # verify that the size is static.
   # @return [Integer]
   def self.is_dynamic?(mod, generation_count=5)
-    [*(1..generation_count)].map{|x|
-      mod.generate_simple(OPTS).size}.uniq.length != 1
+    [*(1..generation_count)].map do |x|
+      if mod.shortname =~ /6/
+        mod.generate_simple(OPTS6).size
+      else
+        mod.generate_simple(OPTS).size
+      end
+    end.uniq.length != 1
   end
 
   # Determines whether a payload's CachedSize is up to date
@@ -103,7 +131,11 @@ class PayloadCachedSize
   def self.is_cached_size_accurate?(mod)
     return true if mod.dynamic_size? && is_dynamic?(mod)
     return false if mod.cached_size.nil?
-    mod.cached_size == mod.generate_simple(OPTS).size
+    if mod.shortname =~ /6/
+      mod.cached_size == mod.generate_simple(OPTS6).size
+    else
+      mod.cached_size == mod.generate_simple(OPTS).size
+    end
   end
 
 end
diff --git a/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb b/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb
index 75b781c984..3457d06755 100644
--- a/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb
+++ b/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb
@@ -10,7 +10,7 @@ require 'msf/base/sessions/command_shell_options'
 
 module MetasploitModule
 
-  CachedSize = 167
+  CachedSize = 158
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
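Review bot: The rewritten block in is_dynamic? still declares a block parameter `x` that is never read; naming it `_` makes that explicit, and `(1..generation_count).map` avoids splatting the range into a temporary array first. The address-family check is also re-evaluated on every iteration although nothing between iterations can change it; choose the options once before the loop, `opts = mod.shortname =~ /6/ ? OPTS6 : OPTS`, and map over `mod.generate_simple(opts).size`. The `!= 1` on the uniq count is the part a reader has to stop at, so a short comment such as `# more than one distinct size across generations means the payload is dynamic` would help.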