From 2ee5ec97e47e7c0e07320c167b88b4a2fc7fc0c2 Mon Sep 17 00:00:00 2001
From: Adam Cammack
Date: Wed, 4 Sep 2019 16:06:44 -0500
Subject: [PATCH] Use smallest stager size

Since these stagers can shrink based on the expected size of the next stage, do our best to anticipate a small size. This makes the cached payload size consistent for now, though if the x64 mettle stager grows past 128 bytes I think we'll see the stager start oscillating in size again. If you run into that and are reading this, sorry :(
---
 lib/msf/core/payload/linux/reverse_tcp.rb | 2 ++
 lib/msf/core/payload/linux/x64/reverse_tcp.rb | 4 ++++
 modules/payloads/stagers/linux/x64/reverse_tcp.rb | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/msf/core/payload/linux/reverse_tcp.rb b/lib/msf/core/payload/linux/reverse_tcp.rb
index 3be6e56bc5a4..f60c76ff53dd 100644
--- a/lib/msf/core/payload/linux/reverse_tcp.rb
+++ b/lib/msf/core/payload/linux/reverse_tcp.rb
@@ -94,6 +94,8 @@ def asm_reverse_tcp(opts={})
     if respond_to?(:generate_intermediate_stage)
       pay_mod = framework.payloads.create(self.refname)
       read_length = pay_mod.generate_intermediate_stage(pay_mod.generate_stage(datastore.to_h)).size
+    elsif !module_info['Stage']['Payload'].empty?
+      read_length = module_info['Stage']['Payload'].size
     else
       # If we don't know, at least use small instructions
       read_length = 0x0c00 + mprotect_flags
diff --git a/lib/msf/core/payload/linux/x64/reverse_tcp.rb b/lib/msf/core/payload/linux/x64/reverse_tcp.rb
index 9706f7827c31..abc0fbab7548 100644
--- a/lib/msf/core/payload/linux/x64/reverse_tcp.rb
+++ b/lib/msf/core/payload/linux/x64/reverse_tcp.rb
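Review bot: The new `elsif` branch dereferences `module_info['Stage']['Payload']` with no guard on `module_info['Stage']` being nil, so if this mixin is ever evaluated on a module whose info carries no merged 'Stage' entry the size computation raises NoMethodError instead of reaching the fallback in the `else` arm; the identical branch appears in the hunk for lib/msf/core/payload/linux/x64/reverse_tcp.rb. Writing it as `stage = module_info.dig('Stage', 'Payload')` followed by `elsif stage && !stage.empty?` and `read_length = stage.size` keeps the fallback reachable without changing the non-nil behaviour. Separately, read_length is emitted into the stager as a byte count, but `String#size` counts characters, which only equals the byte length when the Payload string is binary-encoded, so `.bytesize` would state the intent (the `generate_intermediate_stage` branch above carries the same ambiguity). asm_reverse_tcp starts and ends outside the hunk.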
@@ -88,12 +88,16 @@ def asm_reverse_tcp(opts={})
     seconds = (opts[:sleep_seconds] || 5.0)
     sleep_seconds = seconds.to_i
     sleep_nanoseconds = (seconds % 1 * 1000000000).to_i
+
     if respond_to?(:generate_intermediate_stage)
       pay_mod = framework.payloads.create(self.refname)
       read_length = pay_mod.generate_intermediate_stage(pay_mod.generate_stage(datastore.to_h)).size
+    elsif !module_info['Stage']['Payload'].empty?
+      read_length = module_info['Stage']['Payload'].size
     else
       read_length = 4096
     end
+
     asm = %Q^
     mmap:
       xor rdi, rdi
diff --git a/modules/payloads/stagers/linux/x64/reverse_tcp.rb b/modules/payloads/stagers/linux/x64/reverse_tcp.rb
index 15b116a15694..a2d14606c5e8 100644
--- a/modules/payloads/stagers/linux/x64/reverse_tcp.rb
+++ b/modules/payloads/stagers/linux/x64/reverse_tcp.rb
@@ -8,7 +8,7 @@ module MetasploitModule
-  CachedSize = 133
+  CachedSize = 130
   include Msf::Payload::Stager
   include Msf::Payload::Linux::ReverseTcp_x64