Class: Rex::Post::Meterpreter::Packet

Inherits:
GroupTlv show all
Defined in:
lib/rex/post/meterpreter/packet.rb

Overview

The logical meterpreter packet class

Constant Summary collapse

XOR_KEY_SIZE =

The Packet container itself has a custom header that is slightly different than the typical TLV packets. The header contains the following:

XOR KEY - 4 bytes Session GUID - 16 bytes Encrypt flags - 4 bytes Packet length - 4 bytes Packet type - 4 bytes Packet data - X bytes

If the encrypt flags are zero, then the Packet data is just straight TLV values as per the normal TLV packet structure.

If the encrypt flags are non-zer, then the Packet data is encrypted based on the scheme.

Flag == 1 (AES256)

IV             - 16 bytes
Encrypted data - X bytes

The key that is required to decrypt the data is stored alongside the session data, and hence when the packet is initially parsed, only the header is accessed. The packet itself will need to be decrypted on the fly at the point that it is required and at that point the decryption key needs to be provided.

4
ENCRYPTED_FLAGS_SIZE = 
4
PACKET_LENGTH_SIZE = 
4
PACKET_TYPE_SIZE = 
4
PACKET_HEADER_SIZE = 
XOR_KEY_SIZE + GUID_SIZE + ENCRYPTED_FLAGS_SIZE + PACKET_LENGTH_SIZE + PACKET_TYPE_SIZE
AES_IV_SIZE = 
16
ENC_FLAG_NONE = 
0x0
ENC_FLAG_AES256 = 
0x1
ENC_FLAG_AES128 = 
0x2

Constants inherited from Tlv

Tlv::HEADER_SIZE

Instance Attribute Summary collapse

Attributes inherited from GroupTlv

#tlvs

Attributes inherited from Tlv

#compress, #type, #value

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from GroupTlv

#add_tlv, #add_tlvs, #each, #each_tlv, #each_tlv_with_index, #each_with_index, #get_tlv, #get_tlv_value, #get_tlv_values, #get_tlvs, #has_tlv?, #reset

Methods inherited from Tlv

#_tlv_type_string, #htonq, #inspect, #meta_type?, #ntohq, #type?, #value?

Constructor Details

#initialize(type = nil, method = nil) ⇒ Packet

Initializes the packet to the supplied packet type and method, if any. If the packet is a request, a request identifier is created.


856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
 
# File 'lib/rex/post/meterpreter/packet.rb', line 856

def initialize(type = nil, method = nil)
  super(type)

  if method
    self.method = method
  end

  self.created_at = ::Time.now
  self.raw = ''

  # If it's a request, generate a random request identifier
  if ((type == PACKET_TYPE_REQUEST) ||
      (type == PACKET_TYPE_PLAIN_REQUEST))
    rid = ''

    32.times { |val| rid << rand(10).to_s }

    add_tlv(TLV_TYPE_REQUEST_ID, rid)
  end
end

Instance Attribute Details

#created_atObject

Returns the value of attribute created_at.


757
758
759
 
# File 'lib/rex/post/meterpreter/packet.rb', line 757

def created_at
  @created_at
end

#encrypt_flagsObject

Returns the value of attribute encrypt_flags.


760
761
762
 
# File 'lib/rex/post/meterpreter/packet.rb', line 760

def encrypt_flags
  @encrypt_flags
end

#lengthObject

Returns the value of attribute length.


761
762
763
 
# File 'lib/rex/post/meterpreter/packet.rb', line 761

def length
  @length
end

#rawObject

Returns the value of attribute raw.


758
759
760
 
# File 'lib/rex/post/meterpreter/packet.rb', line 758

def raw
  @raw
end

#session_guidObject

Returns the value of attribute session_guid.


759
760
761
 
# File 'lib/rex/post/meterpreter/packet.rb', line 759

def session_guid
  @session_guid
end

Class Method Details

.create_request(method = nil) ⇒ Object

Creates a request with the supplied method.


812
813
814
 
# File 'lib/rex/post/meterpreter/packet.rb', line 812

def Packet.create_request(method = nil)
  Packet.new(PACKET_TYPE_REQUEST, method)
end

.create_response(request = nil) ⇒ Object

Creates a response to a request if one is provided.


819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
 
# File 'lib/rex/post/meterpreter/packet.rb', line 819

def Packet.create_response(request = nil)
  response_type = PACKET_TYPE_RESPONSE
  method = nil
  id = nil

  if (request)
    if (request.type?(PACKET_TYPE_PLAIN_REQUEST))
      response_type = PACKET_TYPE_PLAIN_RESPONSE
    end

    method = request.method

    if request.has_tlv?(TLV_TYPE_REQUEST_ID)
      id = request.get_tlv_value(TLV_TYPE_REQUEST_ID)
    end
  end

  packet = Packet.new(response_type, method)

  if id
    packet.add_tlv(TLV_TYPE_REQUEST_ID, id)
  end

  packet
end

Instance Method Details

#add_raw(bytes) ⇒ Object 


877
878
879
 
# File 'lib/rex/post/meterpreter/packet.rb', line 877

def add_raw(bytes)
  self.raw << bytes
end

#aes_decrypt(key, iv, data) ⇒ Object

Raises:

  • (ArgumentError) 

914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
 
# File 'lib/rex/post/meterpreter/packet.rb', line 914

def aes_decrypt(key, iv, data)
  size = key.length * 8
  raise ArgumentError.new('AES key width must be 128 or 256 bits') unless (size == 128 || size == 256)
  # Create the required cipher instance
  aes = OpenSSL::Cipher.new("AES-#{size}-CBC")
  # Generate a truly random IV

  # set up the encryption
  aes.decrypt
  aes.key = key
  aes.iv = iv

  # decrypt!
  aes.update(data) + aes.final
end

#aes_encrypt(key, data) ⇒ Object

Raises:

  • (ArgumentError) 

897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
 
# File 'lib/rex/post/meterpreter/packet.rb', line 897

def aes_encrypt(key, data)
  size = key.length * 8
  raise ArgumentError.new('AES key width must be 128 or 256 bits') unless (size == 128 || size == 256)
  # Create the required cipher instance
  aes = OpenSSL::Cipher.new("AES-#{size}-CBC")
  # Generate a truly random IV
  iv = aes.random_iv

  # set up the encryption
  aes.encrypt
  aes.key = key
  aes.iv = iv

  # encrypt and return the IV along with the result
  return iv, aes.update(data) + aes.final
end

#decrypt_packet(key, encrypt_flags, data) ⇒ Object

Decrypt the packet based on the content of the encryption flags.


958
959
960
961
962
963
964
965
966
967
968
 
# File 'lib/rex/post/meterpreter/packet.rb', line 958

def decrypt_packet(key, encrypt_flags, data)
  # TODO: throw an error if the expected encryption isn't the same as the given
  #       as this could be an indication of hijacking or side-channel packet addition
  #       as highlighted by Justin Steven on github.
  if key && key[:key] && key[:type] && encrypt_flags == key[:type] && (encrypt_flags == ENC_FLAG_AES128 || encrypt_flags == ENC_FLAG_AES256)
    iv = data[0, AES_IV_SIZE]
    aes_decrypt(key[:key], iv, data[iv.length..-1])
  else
    data
  end
end

#from_r(key = nil) ⇒ Object

Override the function that reads from a raw byte stream so that the XORing of data is included in the process prior to passing it on to the default functionality that can parse the TLV values.


982
983
984
985
986
987
988
 
# File 'lib/rex/post/meterpreter/packet.rb', line 982

def from_r(key=nil)
  self.parse_header!
  xor_key = self.raw.unpack('a4')[0]
  data = xor_bytes(xor_key, self.raw[PACKET_HEADER_SIZE..-1])
  raw = decrypt_packet(key, self.encrypt_flags, data)
  super([self.length, self.type, raw].pack('NNA*'))
end

#methodObject

Returns the value of the packet's method TLV.


1041
1042
1043
 
# File 'lib/rex/post/meterpreter/packet.rb', line 1041

def method
  get_tlv_value(TLV_TYPE_COMMAND_ID)
end

#method=(method) ⇒ Object

Sets the packet's method TLV to the method supplied.

Raises:

  • (ArgumentError) 

1033
1034
1035
1036
 
# File 'lib/rex/post/meterpreter/packet.rb', line 1033

def method=(method)
  raise ArgumentError.new("Packet.method must be an integer. Current value is #{method}") unless method.is_a?(Integer)
  add_tlv(TLV_TYPE_COMMAND_ID, method, true)
end

#method?(method) ⇒ Boolean

Checks to see if the packet's method is equal to the supplied method.

Returns:

  • (Boolean) 

1026
1027
1028
 
# File 'lib/rex/post/meterpreter/packet.rb', line 1026

def method?(method)
  (get_tlv_value(TLV_TYPE_COMMAND_ID) == method)
end

#parse_header!Object 


970
971
972
973
974
 
# File 'lib/rex/post/meterpreter/packet.rb', line 970

def parse_header!
  xor_key = self.raw.unpack('a4')[0]
  data = xor_bytes(xor_key, self.raw[0..PACKET_HEADER_SIZE])
  _, self.session_guid, self.encrypt_flags, self.length, self.type = data.unpack('a4a16NNN')
end

#raw_bytes_requiredObject 


881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
 
# File 'lib/rex/post/meterpreter/packet.rb', line 881

def raw_bytes_required
  # if we have the xor bytes and length ...
  if self.raw.length >= PACKET_HEADER_SIZE
    # return a value based on the length of the data indicated by
    # the header
    xor_key = self.raw.unpack('a4')[0]
    decoded_bytes = xor_bytes(xor_key, raw[0, PACKET_HEADER_SIZE])
    _, _, _, length, _ = decoded_bytes.unpack('a4a16NNN')
    length + PACKET_HEADER_SIZE - HEADER_SIZE - self.raw.length
  else
    # Otherwise ask for the remaining bytes for the metadata to get the packet length
    # So we can do the rest of the calculation next time
    PACKET_HEADER_SIZE - self.raw.length
  end
end

#response?Boolean

Checks to see if the packet is a response.

Returns:

  • (Boolean) 

1013
1014
1015
 
# File 'lib/rex/post/meterpreter/packet.rb', line 1013

def response?
  (self.type == PACKET_TYPE_RESPONSE || self.type == PACKET_TYPE_PLAIN_RESPONSE)
end

#resultObject

Gets the value of the packet's result TLV.


1063
1064
1065
 
# File 'lib/rex/post/meterpreter/packet.rb', line 1063

def result
  get_tlv_value(TLV_TYPE_RESULT)
end

#result=(result) ⇒ Object

Sets the packet's result TLV.


1056
1057
1058
 
# File 'lib/rex/post/meterpreter/packet.rb', line 1056

def result=(result)
  add_tlv(TLV_TYPE_RESULT, result, true)
end

#result?(result) ⇒ Boolean

Checks to see if the packet's result value is equal to the supplied result.

Returns:

  • (Boolean) 

1049
1050
1051
 
# File 'lib/rex/post/meterpreter/packet.rb', line 1049

def result?(result)
  (get_tlv_value(TLV_TYPE_RESULT) == result)
end

#ridObject

Gets the value of the packet's request identifier TLV.


1070
1071
1072
 
# File 'lib/rex/post/meterpreter/packet.rb', line 1070

def rid
  get_tlv_value(TLV_TYPE_REQUEST_ID)
end

#to_r(session_guid = nil, key = nil) ⇒ Object

Override the function that creates the raw byte stream for sending so that it generates an XOR key, uses it to scramble the serialized TLV content, and then returns the key plus the scrambled data as the payload.


936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
 
# File 'lib/rex/post/meterpreter/packet.rb', line 936

def to_r(session_guid = nil, key = nil)
  xor_key = (rand(254) + 1).chr + (rand(254) + 1).chr + (rand(254) + 1).chr + (rand(254) + 1).chr

  raw = (session_guid || NULL_GUID).dup
  tlv_data = GroupTlv.instance_method(:to_r).bind(self).call

  if key && key[:key] && (key[:type] == ENC_FLAG_AES128 || key[:type] == ENC_FLAG_AES256)
    # encrypt the data, but not include the length and type
    iv, ciphertext = aes_encrypt(key[:key], tlv_data[HEADER_SIZE..-1])
    # now manually add the length/type/iv/ciphertext
    raw << [key[:type], iv.length + ciphertext.length + HEADER_SIZE, self.type, iv, ciphertext].pack('NNNA*A*')
  else
    raw << [ENC_FLAG_NONE, tlv_data].pack('NA*')
  end

  # return the xor'd result with the key
  xor_key + xor_bytes(xor_key, raw)
end

#xor_bytes(xor_key, bytes) ⇒ Object

Xor a set of bytes with a given XOR key.


993
994
995
996
997
998
999
1000
1001
1002
 
# File 'lib/rex/post/meterpreter/packet.rb', line 993

def xor_bytes(xor_key, bytes)
  xor_key = xor_key.bytes
  result = ''
  i = 0
  bytes.each_byte do |b|
    result << (b ^ xor_key[i % xor_key.length]).chr
    i += 1
  end
  result
end