Add Pingback Payloads

lib/metasploit/framework/data_service/proxy/data_proxy_auto_loader.rb

@@ -41,4 +41,4 @@ module DataProxyAutoLoader
   include VulnAttemptDataProxy
   include MsfDataProxy
   include PayloadDataProxy
-end
+end

lib/metasploit/framework/data_service/proxy/payload_data_proxy.rb

@@ -3,7 +3,6 @@ module PayloadDataProxy
   def payloads(opts)
     begin
       self.data_service_operation do |data_service|
-        add_opts_workspace(opts)
         data_service.payloads(opts)
       end
     rescue => e
@@ -14,7 +13,6 @@ def payloads(opts)
   def create_payload(opts)
     begin
       self.data_service_operation do |data_service|
-        add_opts_workspace(opts)
         data_service.create_payload(opts)
       end
     rescue => e

lib/metasploit/framework/data_service/remote/http/data_service_auto_loader.rb

@@ -41,5 +41,4 @@ module DataServiceAutoLoader
   include RemoteMsfDataService
   include RemoteDbImportDataService
   include RemotePayloadDataService
-
 end

lib/msf/base/sessions/meterpreter.rb

@@ -14,6 +14,7 @@ module Sessions
 # with the server instance both at an API level as well as at a console level.
 #
 ###
+
 class Meterpreter < Rex::Post::Meterpreter::Client
 
   include Msf::Session

lib/msf/base/sessions/pingback.rb

@@ -0,0 +1,100 @@
+# -*- coding: binary -*-
+require 'msf/base'
+
+module Msf
+module Sessions
+
+###
+#
+# This class provides the ability to receive a pingback UUID
+#
+###
+class Pingback
+
+  #
+  # This interface supports basic interaction.
+  #
+  include Msf::Session
+  include Msf::Session::Basic
+
+  #
+  # Returns the type of session.
+  #
+  def self.type
+    "pingback"
+  end
+
+  def initialize(rstream, opts = {})
+    super
+    self.platform ||= ""
+    self.arch     ||= ""
+    datastore = opts[:datastore]
+  end
+
+  def self.create_session(rstream, opts = {})
+    Msf::Sessions::Pingback.new(rstream, opts)
+  end
+
+  def process_autoruns(datastore)
+    uuid_read
+    cleanup
+  end
+
+  def cleanup
+    if rstream
+      # this is also a best-effort
+      rstream.close rescue nil
+      rstream = nil
+    end
+  end
+
+  def uuid_read
+    uuid_raw = rstream.get_once(16, 1)
+    if uuid_raw
+      self.uuid_string = uuid_raw.each_byte.map { |b| "%02x" % b.to_i() }.join
+      print_status("Incoming UUID = #{uuid_string}")
+      if framework.db.active
+        begin
+          payload = framework.db.payloads(uuid: uuid_string).first
+          if payload.nil?
+            print_warning("Provided UUID (#{uuid_string}) was not found in database!")
+          else
+            print_good("UUID identified (#{uuid_string})")
+          end
+        rescue ActiveRecord::ConnectionNotEstablished
+          print_status("WARNING: UUID verification and logging is not available, because the database is not active.")
+        rescue => e
+          # TODO: Can we have a more specific exception handler?
+          # Test: what if we send no bytes back?  What if we send less than 16 bytes?  Or more than?
+          elog("Can't get original UUID")
+          elog("Exception Class: #{e.class.name}")
+          elog("Exception Message: #{e.message}")
+          elog("Exception Backtrace: #{e.backtrace}")
+        end
+      else
+        print_warning("WARNING: UUID verification and logging is not available, because the database is not active.")
+      end
+    end
+    nil
+  end
+
+  #
+  # Returns the session description.
+  #
+  def desc
+    "Pingback"
+  end
+
+  #
+  # Calls the class method
+  #
+  def type
+    self.class.type
+  end
+
+  attr_accessor :arch
+  attr_accessor :platform
+  attr_accessor :uuid_string
+end
+end
+end

lib/msf/core/db_manager/payload.rb

@@ -8,7 +8,6 @@ def create_payload(opts)
         end
       end
 
-      wspace = Msf::Util::DBManager.process_opts_workspace(opts, framework)
       Mdm::Payload.create!(opts)
     end
   end
@@ -20,7 +19,7 @@ def payloads(opts)
       else
         # Check the database for a matching UUID, returning an empty array if no results are found
         begin
-          return Array.wrap(Mdm::Payload.find(uuid: opts[:uuid]))
+          return Array.wrap(Mdm::Payload.where(uuid: opts[:uuid]))
         rescue ActiveRecord::RecordNotFound
           return []
         end
@@ -30,9 +29,6 @@ def payloads(opts)
 
   def update_payload(opts)
     ::ActiveRecord::Base.connection_pool.with_connection do
-      wspace = Msf::Util::DBManager.process_opts_workspace(opts, framework, false)
-      opts[:workspace] = wspace if wspace
-
       id = opts.delete(:id)
       Mdm::Payload.update(id, opts)
     end

lib/msf/core/exploit.rb

@@ -273,6 +273,10 @@ def self.mixins
     return mixins
   end
 
+  class << self
+    attr_accessor :needs_cleanup
+  end
+
   #
   # Creates an instance of the exploit module.  Mad skillz.
   #
@@ -400,6 +404,10 @@ def autofilter_services
     @autofilter_services || []
   end
 
+  def needs_cleanup
+    @needs_cleanup || false
+  end
+
   #
   # Adds a port into the list of ports
   #
@@ -752,6 +760,10 @@ def is_payload_compatible?(name)
     # what not?
     return false if !compatible?(pi)
 
+    if defined?(@needs_cleanup) && @needs_cleanup && !pi.can_cleanup
+      return false
+    end
+
     # If the payload is privileged but the exploit does not give
     # privileged access, then fail it.
     return false if !self.privileged && pi.privileged

lib/msf/core/exploit/file_dropper.rb

@@ -6,6 +6,7 @@ module Exploit::FileDropper
   def initialize(info = {})
     super
 
+    @needs_cleanup = true
     @dropped_files = []
     @dropped_dirs = []
 

lib/msf/core/modules/metadata/obj.rb

@@ -81,6 +81,8 @@ def initialize(module_instance, obj_hash = nil)
     @path               = module_instance.file_path
     @mod_time           = ::File.mtime(@path) rescue Time.now
     @ref_name           = module_instance.refname
+    @needs_cleanup      = module_instance.respond_to?(:needs_cleanup) && module_instance.needs_cleanup
+
     if module_instance.respond_to?(:autofilter_ports)
       @autofilter_ports = module_instance.autofilter_ports
     end
@@ -134,7 +136,8 @@ def to_json(*args)
       'check'              => @check,
       'post_auth'          => @post_auth,
       'default_credential' => @default_credential,
-      'notes'              => @notes
+      'notes'              => @notes,
+      'needs_cleanup'      => @needs_cleanup
     }.to_json(*args)
   end
 
@@ -183,6 +186,8 @@ def init_from_hash(obj_hash)
     @post_auth          = obj_hash['post_auth']
     @default_credential = obj_hash['default_credential']
     @notes              = obj_hash['notes'].nil? ? {} : obj_hash['notes']
+    @needs_cleanup      = obj_hash['needs_cleanup']
+
   end
 
   def sort_platform_string

lib/msf/core/payload.rb

@@ -68,7 +68,7 @@ module Type
   #
   def initialize(info = {})
     super
-
+    self.can_cleanup = true
     # If this is a staged payload but there is no stage information,
     # then this is actually a stager + single combination.  Set up the
     # information hash accordingly.
@@ -537,6 +537,11 @@ def on_session(session)
 
   end
 
+  #
+  # This attribute designates if the payload supports onsession()
+  # method calls (typically to clean up artifacts)
+  #
+  attr_accessor :can_cleanup
   #
   # This attribute holds the string that should be prepended to the buffer
   # when it's generated.
@@ -668,6 +673,7 @@ def internal_generate
   # Merge the name to prefix the existing one and separate them
   # with a comma
   #
+
   def merge_name(info, val)
     if (info['Name'])
       info['Name'] = val + ',' + info['Name']

lib/msf/core/payload/pingback.rb

@@ -0,0 +1,38 @@
+# -*- coding => binary -*-
+
+require 'msf/core'
+require 'msf/core/module/platform'
+require 'rex/text'
+
+#
+# This class provides methods for calculating, extracting, and parsing
+# unique ID values used by payloads.
+#
+module Msf::Payload::Pingback
+
+  attr_accessor :pingback_uuid
+  attr_accessor :can_cleanup
+
+  # Generate a Pingback UUID and write it to the database
+  def generate_pingback_uuid
+    self.pingback_uuid ||= SecureRandom.uuid()
+    datastore['PingbackUUID'] = self.pingback_uuid
+    vprint_status("PingbackUUID = #{datastore['PingbackUUID'].gsub('-', '')}")
+    if framework.db.active
+      vprint_status("Writing UUID #{datastore['PingbackUUID'].gsub('-', '')} to database...")
+      framework.db.create_payload(name: datastore['PayloadUUIDName'],
+                           uuid: datastore['PingbackUUID'].gsub('-', ''),
+                           description: 'pingback',
+                           platform: platform.platforms.first.realname.downcase)
+    else
+      print_warning("Unable to save UUID #{datastore['PingbackUUID']} to database -- database support not active")
+    end
+    self.pingback_uuid
+  end
+
+  def initialize(info = {})
+    super(info)
+    self.can_cleanup = false
+    self
+  end
+end

lib/msf/core/payload/pingback/options.rb

@@ -0,0 +1,23 @@
+# -*- coding => binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/pingback'
+
+#
+# This module provides datastore option definitions and helper methods for payload modules that support UUIDs
+#
+module Msf::Payload::Pingback::Options
+
+  def initialize(info = {})
+    super
+    register_advanced_options(
+      [
+        Msf::OptInt.new('PingbackRetries', [true, "How many additional successful pingbacks", 0]),
+        Msf::OptInt.new('PingbackSleep', [true, "Time (in seconds) to sleep between pingbacks", 30]),
+        Msf::OptString.new('PingbackUUID', [ false, 'A pingback UUID to use']),
+        Msf::OptBool.new('PingbackUUIDDatabase', [ true, 'Save the pingback UUID to the database', false]),
+      ], self.class)
+  end
+
+
+end

lib/msf/core/payload/transport_config.rb

@@ -1,13 +1,15 @@
 # -*- coding: binary -*-
 
 require 'msf/core/payload/uuid/options'
+require 'msf/core/payload/pingback/options'
 
 ##
 # This module contains helper functions for creating the transport
 # configuration stubs that are used for Meterpreter payloads.
 ##
 module Msf::Payload::TransportConfig
 
+  include Msf::Payload::Pingback::Options
   include Msf::Payload::UUID::Options
 
   def transport_config_reverse_tcp(opts={})

lib/msf/core/payload/windows/x64/reverse_tcp.rb

@@ -20,7 +20,6 @@ module Payload::Windows::ReverseTcp_x64
   include Msf::Payload::Windows
   include Msf::Payload::Windows::SendUUID_x64
   include Msf::Payload::Windows::BlockApi_x64
-  include Msf::Payload::Windows::Exitfunk_x64
 
   #
   # Register reverse_tcp specific options

lib/msf/core/payload_generator.rb

@@ -374,6 +374,10 @@ def generate_java_payload
     # methods in order based on the supplied options and returns the finished payload.
     # @return [String] A string containing the bytes of the payload in the format selected
     def generate_payload
+      if payload.include?("pingback") and framework.db.active == false
+        cli_print "[-] WARNING: UUID cannot be saved because database is inactive."
+      end
+
       if platform == "java" or arch == "java" or payload.start_with? "java/"
         raw_payload = generate_java_payload
         encoded_payload = raw_payload