Land #3481, meterpreter bins

.gitignore

@@ -15,8 +15,6 @@ Gemfile.local.lock
 config/database.yml
 # simplecov coverage data
 coverage
-data/meterpreter/ext_server_pivot.x86.dll
-data/meterpreter/ext_server_pivot.x64.dll
 doc/
 external/source/meterpreter/java/bin
 external/source/meterpreter/java/build
@@ -53,3 +51,22 @@ tags
 # ignore release/debug folders for exploits
 external/source/exploits/**/Debug
 external/source/exploits/**/Release
+
+# Avoid checking in Meterpreter binaries. These are supplied upstream by
+# the meterpreter_bins gem.
+data/meterpreter/elevator.*.dll
+data/meterpreter/ext_server_espia.*.dll
+data/meterpreter/ext_server_extapi.*.dll
+data/meterpreter/ext_server_incognito.*.dll
+data/meterpreter/ext_server_kiwi.*.dll
+data/meterpreter/ext_server_lanattacks.*.dll
+data/meterpreter/ext_server_mimikatz.*.dll
+data/meterpreter/ext_server_priv.*.dll
+data/meterpreter/ext_server_stdapi.*.dll
+data/meterpreter/metsrv.*.dll
+data/meterpreter/screenshot.*.dll
+
+# Avoid checking in Meterpreter libs that are built from
+# private source. If you're interested in this functionality,
+# check out Metasploit Pro: http://metasploit.com/download
+data/meterpreter/ext_server_pivot.*.dll

Gemfile

@@ -6,6 +6,8 @@ gem 'activesupport', '>= 3.0.0', '< 4.0.0'
 gem 'bcrypt'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 gem 'json'
+# Needed for Meterpreter on Windows, soon others.
+gem 'meterpreter_bins', '0.0.6'
 # Needed by msfgui and other rpc components
 gem 'msgpack'
 # Needed by anemone crawler

Gemfile.lock

@@ -26,6 +26,7 @@ GEM
       activerecord (>= 3.2.13)
       activesupport
       pg
+    meterpreter_bins (0.0.6)
     mini_portile (0.5.1)
     msgpack (0.5.5)
     multi_json (1.0.4)
@@ -70,6 +71,7 @@ DEPENDENCIES
   fivemat (= 1.2.1)
   json
   metasploit_data_models (= 0.17.0)
+  meterpreter_bins (= 0.0.6)
   msgpack
   network_interface (~> 0.0.1)
   nokogiri

lib/rex/post/meterpreter.rb

@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
 
+require 'meterpreter_bins'
 require 'rex/post/meterpreter/client'
 require 'rex/post/meterpreter/ui/console'

lib/rex/post/meterpreter/client_core.rb

@@ -149,7 +149,8 @@ class ClientCore < Extension
     end
     # Get us to the installation root and then into data/meterpreter, where
     # the file is expected to be
-    path = ::File.join(Msf::Config.data_directory, 'meterpreter', 'ext_server_' + mod.downcase + ".#{client.binary_suffix}")
+    modname = "ext_server_#{mod.downcase}"
+    path = MeterpreterBinaries.path(modname, client.binary_suffix)
 
     if (opts['ExtensionPath'])
       path = opts['ExtensionPath']
@@ -221,7 +222,7 @@ class ClientCore < Extension
 
     # Create the migrate stager
     migrate_stager = c.new()
-    migrate_stager.datastore['DLL'] = ::File.join( Msf::Config.data_directory, "meterpreter", "metsrv.#{binary_suffix}" )
+    migrate_stager.datastore['DLL'] = MeterpreterBinaries.path('metsrv',binary_suffix)
 
     blob = migrate_stager.stage_payload
 

lib/rex/post/meterpreter/extensions/priv/priv.rb

@@ -45,7 +45,7 @@ class Priv < Extension
 
     elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
 
-    elevator_path = ::File.join( Msf::Config.data_directory, "meterpreter", "elevator.#{client.binary_suffix}" )
+    elevator_path = MeterpreterBinaries.path('elevator', client.binary_suffix)
 
     elevator_path = ::File.expand_path( elevator_path )
 

lib/rex/post/meterpreter/extensions/stdapi/ui.rb

@@ -156,7 +156,7 @@ class UI < Rex::Post::UI
     request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY, quality )
     # include the x64 screenshot dll if the host OS is x64
     if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
-      screenshot_path = ::File.join( Msf::Config.data_directory, 'meterpreter', 'screenshot.x64.dll' )
+      screenshot_path = MeterpreterBinaries.path('screenshot','x64.dll')
       screenshot_path = ::File.expand_path( screenshot_path )
       screenshot_dll  = ''
       ::File.open( screenshot_path, 'rb' ) do |f|
@@ -166,7 +166,7 @@ class UI < Rex::Post::UI
       request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH, screenshot_dll.length )
     end
     # but allways include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
-    screenshot_path = ::File.join( Msf::Config.data_directory, 'meterpreter', 'screenshot.x86.dll' )
+    screenshot_path = MeterpreterBinaries.path('screenshot','x86.dll')
     screenshot_path = ::File.expand_path( screenshot_path )
     screenshot_dll  = ''
     ::File.open( screenshot_path, 'rb' ) do |f|

lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
+require 'set'
 require 'rex/post/meterpreter'
 require 'rex/parser/arguments'
 
@@ -415,20 +416,23 @@ class Console::CommandDispatcher::Core
 
     @@load_opts.parse(args) { |opt, idx, val|
       case opt
-        when "-l"
-          exts = []
-          path = ::File.join(Msf::Config.data_directory, 'meterpreter')
+      when "-l"
+        exts = SortedSet.new
+        msf_path = MeterpreterBinaries.metasploit_data_dir
+        gem_path = MeterpreterBinaries.local_dir
+        [msf_path, gem_path].each do |path|
           ::Dir.entries(path).each { |f|
             if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
-              exts.push($1)
+              exts.add($1)
             end
           }
-          print(exts.sort.join("\n") + "\n")
+        end
+        print(exts.to_a.join("\n") + "\n")
 
-          return true
-        when "-h"
-          cmd_load_help
-          return true
+        return true
+      when "-h"
+        cmd_load_help
+        return true
       end
     }
 
@@ -461,16 +465,19 @@ class Console::CommandDispatcher::Core
   end
 
   def cmd_load_tabs(str, words)
-    tabs = []
-    path = ::File.join(Msf::Config.data_directory, 'meterpreter')
+    tabs = SortedSet.new
+    msf_path = MeterpreterBinaries.metasploit_data_dir
+    gem_path = MeterpreterBinaries.local_dir
+    [msf_path, gem_path].each do |path|
     ::Dir.entries(path).each { |f|
       if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
         if (not extensions.include?($1))
-          tabs.push($1)
+          tabs.add($1)
         end
       end
     }
-    return tabs
+    end
+    return tabs.to_a
   end
 
   def cmd_use(*args)
@@ -730,10 +737,10 @@ class Console::CommandDispatcher::Core
 
     @@write_opts.parse(args) { |opt, idx, val|
       case opt
-        when "-f"
-          src_file = val
-        else
-          cid = val.to_i
+      when "-f"
+        src_file = val
+      else
+        cid = val.to_i
       end
     }
 

modules/payloads/stages/windows/meterpreter.rb

@@ -39,7 +39,7 @@ module Metasploit3
   end
 
   def library_path
-    File.join(Msf::Config.data_directory, "meterpreter", "metsrv.x86.dll")
+    MeterpreterBinaries.path('metsrv','x86.dll')
   end
 
 end

modules/payloads/stages/windows/patchupmeterpreter.rb

@@ -41,7 +41,7 @@ module Metasploit3
   end
 
   def library_path
-    File.join(Msf::Config.data_directory, "meterpreter", "metsrv.x86.dll")
+    MeterpreterBinaries.path('metsrv','x86.dll')
   end
 
 end

modules/payloads/stages/windows/x64/meterpreter.rb

@@ -34,7 +34,7 @@ module Metasploit3
   end
 
   def library_path
-    File.join( Msf::Config.data_directory, "meterpreter", "metsrv.x64.dll" )
+    MeterpreterBinaries.path('metsrv','x64.dll')
   end
 
 end

spec/lib/rex/post/meterpreter/client_core_spec.rb

@@ -0,0 +1,53 @@
+require 'spec_helper'
+require 'rex/post/meterpreter/client_core'
+
+describe Rex::Post::Meterpreter::ClientCore do
+
+  it "should be available" do
+    expect(described_class).to eq(Rex::Post::Meterpreter::ClientCore)
+  end
+
+  describe "#use" do
+
+    before(:each) do
+      @response = double("response")
+      allow(@response).to receive(:result) { 0 }
+      allow(@response).to receive(:each) { [:help] }
+      @client = double("client")
+      allow(@client).to receive(:binary_suffix) { "x64.dll" }
+      allow(@client).to receive(:capabilities) { {:ssl => false, :zlib => false } }
+      allow(@client).to receive(:response_timeout) { 1 }
+      allow(@client).to receive(:send_packet_wait_response) { @response }
+      allow(@client).to receive(:add_extension) { true }
+    end
+
+    let(:client_core) {described_class.new(@client)}
+    it 'should respond to #use' do
+      expect(client_core).to respond_to(:use)
+    end
+
+    context 'with a gemified module' do
+      let(:mod) {"kiwi"}
+      it 'should be available' do
+        expect(client_core.use(mod)).to be_true
+      end
+    end
+
+    context 'with a local module' do
+      let(:mod) {"sniffer"}
+      it 'should be available' do
+        expect(client_core.use(mod)).to be_true
+      end
+    end
+
+    context 'with a missing a module' do
+      let(:mod) {"eaten_by_av"}
+      it 'should be available' do
+        expect { client_core.use(mod) }.to raise_error(TypeError)
+      end
+    end
+
+
+  end
+  
+end

spec/lib/rex/post/meterpreter/extensions/priv/priv_spec.rb

@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'rex/post/meterpreter/extension'
+require 'rex/post/meterpreter/extensions/priv/priv'
+
+describe Rex::Post::Meterpreter::Extensions::Priv::Priv do
+
+  it "should be available" do
+    expect(described_class).to eq(Rex::Post::Meterpreter::Extensions::Priv::Priv)
+  end
+
+  describe "#getsystem" do
+    before(:each) do
+      @client = double("client")
+      allow(@client).to receive(:register_extension_aliases) { [] }
+    end
+
+    let(:priv) {described_class.new(@client)}
+    it 'should respond to #getsystem' do
+      expect(priv).to respond_to(:getsystem)
+    end
+
+    it 'should return itself' do
+      expect(priv).to be_kind_of(described_class)
+    end
+
+    it 'should have some instance variables' do
+      expect(priv.instance_variables).to include(:@client)
+      expect(priv.instance_variables).to include(:@name)
+      expect(priv.instance_variables).to include(:@fs)
+    end
+
+    it 'should respond to fs' do
+      expect(priv).to respond_to(:fs)
+    end
+
+    it 'should have a name of priv' do
+      expect(priv.name).to eq("priv")
+    end
+
+  end
+end

spec/lib/rex/post/meterpreter/extensions/stdapi/ui_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+require 'rex/post/meterpreter'
+require 'rex/post/meterpreter/extensions/stdapi/ui'
+
+describe Rex::Post::Meterpreter::Extensions::Stdapi::UI do
+
+  it "should be available" do
+    expect(described_class).to eq(Rex::Post::Meterpreter::Extensions::Stdapi::UI)
+  end
+
+  describe "#screenshot" do
+
+    before(:each) do
+      @client = double("client")
+    end
+
+    let(:ui) { described_class.new(@client) }
+    it 'should respond to #screenshot' do
+      expect(ui).to respond_to(:screenshot)
+    end
+
+    it 'should return itself' do
+      expect(ui).to be_kind_of(described_class)
+    end
+
+    it 'should have an instance variable' do
+      expect(ui.instance_variables).to include(:@client)
+    end
+
+  end
+
+end
+

spec/lib/rex/post/meterpreter_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'rex/post/meterpreter'
+
+describe MeterpreterBinaries do
+  it 'is available' do
+    expect(described_class).to eq(MeterpreterBinaries)
+  end
+end