TLV traffic obfuscation with 4-non-null-byte XOR

.gitignore

@@ -68,6 +68,8 @@ external/source/exploits/**/Release
 # Avoid checking in Meterpreter binaries. These are supplied upstream by
 # the metasploit-payloads gem.
 data/meterpreter/*.dll
+data/meterpreter/*.php
+data/meterpreter/*.py
 data/meterpreter/*.bin
 data/meterpreter/*.jar
 data/meterpreter/*.lso

lib/rex/post/meterpreter/packet.rb

@@ -665,6 +665,44 @@ def initialize(type = nil, method = nil)
     end
   end
 
+  #
+  # Override the function that creates the raw byte stream for
+  # sending so that it generates an XOR key, uses it to scramble
+  # the serialized TLV content, and then returns the key plus the
+  # scrambled data as the payload.
+  #
+  def to_r
+    raw = super
+    xor_key = rand(254) + 1
+    xor_key |= (rand(254) + 1) << 8
+    xor_key |= (rand(254) + 1) << 16
+    xor_key |= (rand(254) + 1) << 24
+    result = [xor_key].pack('N') + xor_bytes(xor_key, raw)
+    result
+  end
+
+  #
+  # Override the function that reads from a raw byte stream so
+  # that the XORing of data is included in the process prior to
+  # passing it on to the default functionality that can parse
+  # the TLV values.
+  #
+  def from_r(bytes)
+    xor_key = bytes[0,4].unpack('N')[0]
+    super(xor_bytes(xor_key, bytes[4, bytes.length]))
+  end
+
+  #
+  # Xor a set of bytes with a given DWORD xor key.
+  #
+  def xor_bytes(xor_key, bytes)
+    result = ''
+    bytes.bytes.zip([xor_key].pack('V').bytes.cycle).each do |b|
+      result << (b[0].ord ^ b[1].ord).chr
+    end
+    result
+  end
+
   ##
   #
   # Conditionals

lib/rex/post/meterpreter/packet_dispatcher.rb

@@ -117,8 +117,7 @@ def on_passive_request(cli, req)
 
     self.last_checkin = Time.now
 
-    # If the first 4 bytes are "RECV", return the oldest packet from the outbound queue
-    if req.body[0,4] == "RECV"
+    if req.method == 'GET'
       rpkt = send_queue.shift
       resp.body = rpkt || ''
       begin
@@ -176,6 +175,7 @@ def send_packet(packet, completion_routine = nil, completion_param = nil)
         end
       end
 
+
       if bytes.to_i == 0
         # Mark the session itself as dead
         self.alive = false

lib/rex/post/meterpreter/packet_parser.rb

@@ -12,6 +12,11 @@ module Meterpreter
 ###
 class PacketParser
 
+  # 4 byte xor
+  # 4 byte length
+  # 4 byte type
+  HEADER_SIZE = 12
+
   #
   # Initializes the packet parser context with an optional cipher.
   #
@@ -26,14 +31,17 @@ def initialize(cipher = nil)
   #
   def reset
     self.raw = ''
-    self.hdr_length_left = 8
+    self.hdr_length_left = HEADER_SIZE
     self.payload_length_left = 0
   end
 
   #
   # Reads data from the wire and parse as much of the packet as possible.
   #
   def recv(sock)
+    # Create a typeless packet
+    packet = Packet.new(0)
+
     if (self.hdr_length_left > 0)
       buf = sock.read(self.hdr_length_left)
 
@@ -49,7 +57,10 @@ def recv(sock)
       # payload length left to the number of bytes
       # specified in the length
       if (self.hdr_length_left == 0)
-        self.payload_length_left = raw.unpack("N")[0] - 8
+        xor_key = raw[0, 4].unpack('N')[0]
+        length_bytes = packet.xor_bytes(xor_key, raw[4, 4])
+        # header size doesn't include the xor key, which is always tacked on the front
+        self.payload_length_left = length_bytes.unpack("N")[0] - (HEADER_SIZE - 4)
       end
     elsif (self.payload_length_left > 0)
       buf = sock.read(self.payload_length_left)
@@ -67,14 +78,11 @@ def recv(sock)
     if ((self.hdr_length_left == 0) &&
         (self.payload_length_left == 0))
 
-      # Create a typeless packet
-      packet = Packet.new(0)
-
       # TODO: cipher decryption
       if (cipher)
       end
 
-      # Serialize the packet from the raw buffer
+      # Deserialize the packet from the raw buffer
       packet.from_r(self.raw)
 
       # Reset our state

metasploit-framework.gemspec

@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '1.0.0'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '1.0.23'
+  spec.add_runtime_dependency 'metasploit-payloads', '1.0.24'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # get list of network interfaces, like eth* from OS.

spec/lib/rex/post/meterpreter/packet_parser_spec.rb

@@ -20,7 +20,7 @@
 
   it "should initialise with expected defaults" do
     expect(parser.send(:raw)).to eq ""
-    expect(parser.send(:hdr_length_left)).to eq 8
+    expect(parser.send(:hdr_length_left)).to eq 12
     expect(parser.send(:payload_length_left)).to eq 0
   end