Land #12699, add payload uuid/temp file fixes

rapid7 · Dec 12, 2019 · 1e3158e · 1e3158e
2 parents 8977d2a + 35075d5
commit 1e3158e
Show file tree

Hide file tree

Showing 8 changed files with 30 additions and 30 deletions.
diff --git a/lib/metasploit/framework/compiler/mingw.rb b/lib/metasploit/framework/compiler/mingw.rb
@@ -8,8 +8,8 @@ module Mingw
         MINGW_X86 = 'i686-w64-mingw32-gcc'
         MINGW_X64 = 'x86_64-w64-mingw32-gcc'
 
-        INCLUDE_DIR = File.join(Msf::Config.install_root, 'data', 'headers', 'windows', 'c_payload_util')
-        UTILITY_DIR = File.join(Msf::Config.install_root, 'data', 'utilities', 'encrypted_payload')
+        INCLUDE_DIR = File.join(Msf::Config.data_directory, 'headers', 'windows', 'c_payload_util')
+        UTILITY_DIR = File.join(Msf::Config.data_directory, 'utilities', 'encrypted_payload')
 
         def compile_c(src)
           cmd = build_cmd(src)
@@ -19,18 +19,19 @@ def compile_c(src)
         end
 
         def build_cmd(src)
+          src_file = "#{self.file_name}.c"
+          exe_file = "#{self.file_name}.exe"
+
           cmd = ''
           link_options = '-Wl,'
 
-          src_file = File.basename(self.file_name, '.exe')
-          path = File.join(Msf::Config.install_root, "#{src_file}.c")
-          File.write(path, src)
+          File.write(src_file, src)
 
           opt_level = [ 'Os', 'O0', 'O1', 'O2', 'O3', 'Og' ].include?(self.opt_lvl) ? "-#{self.opt_lvl} " : "-O2 "
 
           cmd << "#{self.mingw_bin} "
-          cmd << "#{path} -I #{INCLUDE_DIR} "
-          cmd << "-o #{Msf::Config.install_root}/#{self.file_name} "
+          cmd << "#{src_file} -I #{INCLUDE_DIR} "
+          cmd << "-o #{exe_file} "
 
           # gives each function its own section
           # allowing them to be reordered
@@ -50,17 +51,15 @@ def build_cmd(src)
         end
 
         def cleanup_files
-          file_base = File.basename(self.file_name, '.exe')
-          src_file = "#{file_base}.c"
-          exe_file = "#{file_base}.exe"
-          file_path = Msf::Config.install_root
+          src_file = "#{self.file_name}.c"
+          exe_file = "#{self.file_name}.exe"
 
           unless self.keep_src
-            File.delete("#{file_path}/#{src_file}") if File.exist?("#{file_path}/#{src_file}")
+            File.delete(src_file) if File.exist?(src_file)
           end
 
           unless self.keep_exe
-            File.delete("#{file_path}/#{exe_file}") if File.exist?("#{file_path}/#{exe_file}")
+            File.delete(exe_file) if File.exist?(exe_file)
           end
         rescue Errno::ENOENT
           print_error("Failed to delete file")

diff --git a/lib/msf/core/payload/stager.rb b/lib/msf/core/payload/stager.rb
@@ -160,9 +160,9 @@ def sends_hex_uuid?
     false
   end
 
-  def format_uuid(uuid)
+  def format_uuid(uuid_raw)
     if sends_hex_uuid?
-      return uuid
+      return uuid_raw
     end
 
     return Msf::Payload::UUID.new({raw: uuid_raw})

diff --git a/lib/msf/core/payload/windows/encrypted_payload_opts.rb b/lib/msf/core/payload/windows/encrypted_payload_opts.rb
@@ -5,7 +5,7 @@ module Msf
   module Payload::Windows::EncryptedPayloadOpts
     include Msf::Payload::UUID::Options
 
-    LINK_SCRIPT_PATH = File.join(Msf::Config.install_root, 'data', 'utilities', 'encrypted_payload')
+    LINK_SCRIPT_PATH = File.join(Msf::Config.data_directory, 'utilities', 'encrypted_payload')
 
     def initialize(info={})
       super
@@ -21,8 +21,8 @@ def initialize(info={})
       [
         OptBool.new('StripSymbols', [ false, 'Payload will be compiled without symbols', true ]),
         OptEnum.new('OptLevel', [ false, 'The optimization level to compile with', 'O2', [ 'Og', 'Os', 'O0', 'O1', 'O2', 'O3' ] ]),
-        OptBool.new('KeepSrc', [ false, 'Keep source code after compiling it', true ]),
-        OptBool.new('KeepExe', [ false, 'Keep executable after compiling the payload', true ]),
+        OptBool.new('KeepSrc', [ false, 'Keep source code after compiling it', false ]),
+        OptBool.new('KeepExe', [ false, 'Keep executable after compiling the payload', false ]),
         OptBool.new('PayloadUUIDTracking', [ true, 'Whether or not to automatically register generated UUIDs', true ])
       ], self.class)
     end

diff --git a/lib/msf/core/payload/windows/encrypted_reverse_tcp.rb b/lib/msf/core/payload/windows/encrypted_reverse_tcp.rb
@@ -59,7 +59,7 @@ def generate(opts={})
       opt_lvl:       datastore['OptLevel'],
       keep_src:      datastore['KeepSrc'],
       keep_exe:      datastore['KeepExe'],
-      f_name:        (staged? ? 'reverse_pic_stager.exe' : 'reverse_pic_stageless.exe'),
+      f_name:        Tempfile.new(staged? ? 'reverse_pic_stager' : 'reverse_pic_stageless').path,
       arch:          self.arch_to_s
     }
 
@@ -130,7 +130,7 @@ def generate_stage(opts={})
       linker_script: link_script,
       keep_src:      datastore['KeepSrc'],
       keep_exe:      datastore['KeepExe'],
-      f_name:        'reverse_pic_stage.exe',
+      f_name:        Tempfile.new('reverse_pic_stage').path,
       arch:          self.arch_to_s
     }
 
@@ -142,7 +142,6 @@ def generate_stage(opts={})
 
     stage_obj = Rex::Crypto::Chacha20.new(key, iv)
     stage_obj.chacha20_crypt(shellcode)
-    #Rex::Crypto.chacha_encrypt(key, iv, shellcode)
   end
 
   def generate_c_src(conf)
@@ -180,9 +179,9 @@ def get_compiled_shellcode(src, opts={})
       raise Metasploit::Framework::Compiler::Mingw::UncompilablePayloadError.new('Payload did not compile. Check the logs for further information.')
     end
 
-    comp_file = "#{Msf::Config.install_root}/#{opts[:f_name]}"
-    raise Metasploit::Framework::Compiler::Mingw::CompiledPayloadNotFoundError unless File.exist?("#{Msf::Config.install_root}/#{opts[:f_name]}")
-    bin = read_exe(comp_file)
+    comp_file = "#{opts[:f_name]}.exe"
+    raise Metasploit::Framework::Compiler::Mingw::CompiledPayloadNotFoundError unless File.exist?(comp_file)
+    bin = File.binread(comp_file).strip
     bin = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(bin))
 
     text_section = bin.sections.first
@@ -192,12 +191,6 @@ def get_compiled_shellcode(src, opts={})
     text_section.rawdata
   end
 
-  def read_exe(file)
-    bin = IO.binread(file)
-
-    bin.strip
-  end
-
   #
   # Options such as the LHOST and PORT
   # need to become a null-terminated array

diff --git a/modules/payloads/singles/windows/encrypted_shell_reverse_tcp.rb b/modules/payloads/singles/windows/encrypted_shell_reverse_tcp.rb
@@ -11,6 +11,8 @@
 
 module MetasploitModule
 
+  CachedSize = 4336
+
   include Msf::Payload::Windows
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/windows/x64/encrypted_shell_reverse_tcp.rb b/modules/payloads/singles/windows/x64/encrypted_shell_reverse_tcp.rb
@@ -10,6 +10,8 @@
 
 module MetasploitModule
 
+  CachedSize = 4064
+
   include Msf::Payload::Windows
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/stagers/windows/encrypted_reverse_tcp.rb b/modules/payloads/stagers/windows/encrypted_reverse_tcp.rb
@@ -8,6 +8,8 @@
 
 module MetasploitModule
 
+  CachedSize = 2848
+
   include Msf::Payload::Stager
   include Msf::Payload::Windows::EncryptedReverseTcp
   include Msf::Payload::Windows::EncryptedPayloadOpts

diff --git a/modules/payloads/stagers/windows/x64/encrypted_reverse_tcp.rb b/modules/payloads/stagers/windows/x64/encrypted_reverse_tcp.rb
@@ -8,6 +8,8 @@
 
 module MetasploitModule
 
+  CachedSize = 2576
+
   include Msf::Payload::Stager
   include Msf::Payload::Windows::EncryptedReverseTcp
   include Msf::Payload::Windows::EncryptedPayloadOpts