Land #18441, Add at rest encryption to Meterpreter payloads

rapid7 · Oct 27, 2023 · 3b4302d · 3b4302d
2 parents 369c66a + c73e815
commit 3b4302d
Show file tree

Hide file tree

Showing 15 changed files with 76 additions and 35 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -33,7 +33,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 2.0.156)
+      metasploit-payloads (= 2.0.159)
       metasploit_data_models
       metasploit_payloads-mettle (= 1.0.26)
       mqtt
@@ -278,7 +278,7 @@ GEM
       activemodel (~> 7.0)
       activesupport (~> 7.0)
       railties (~> 7.0)
-    metasploit-payloads (2.0.156)
+    metasploit-payloads (2.0.159)
     metasploit_data_models (6.0.3)
       activerecord (~> 7.0)
       activesupport (~> 7.0)

diff --git a/LICENSE_GEMS b/LICENSE_GEMS
@@ -82,7 +82,7 @@ metasploit-concern, 5.0.2, "New BSD"
 metasploit-credential, 6.0.6, "New BSD"
 metasploit-framework, 6.3.41, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.156, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.159, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
 metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT

diff --git a/lib/msf/core/payload/android.rb b/lib/msf/core/payload/android.rb
@@ -127,7 +127,13 @@ def generate_jar(opts={})
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-    jar.add_files(files, MetasploitPayloads.path("android", "apk"))
+
+    files.each do |file|
+      path = ['android', 'apk', file].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      jar.add_file(file.join('/'), contents)
+    end
+
     jar.add_file("classes.dex", fix_dex_header(classes))
     jar.build_manifest
 

diff --git a/lib/msf/core/payload/java.rb b/lib/msf/core/payload/java.rb
@@ -58,7 +58,14 @@ def generate_jar(opts={})
     jar = Rex::Zip::Jar.new
     jar.add_sub("metasploit") if opts[:random]
     jar.add_file("metasploit.dat", stager_config(opts))
-    jar.add_files(paths, ::MetasploitPayloads.path('java'))
+    jar.add_file('metasploit/', '') # Create the metasploit dir
+
+    paths.each do |path_parts|
+      path = ['java', path_parts].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      jar.add_file(path_parts.join('/'), contents)
+    end
+
     jar.build_manifest(:main_class => main_class)
 
     jar
@@ -103,7 +110,14 @@ def generate_war(opts={})
     zip.add_file('WEB-INF/', '')
     zip.add_file('WEB-INF/web.xml', web_xml)
     zip.add_file("WEB-INF/classes/", "")
-    zip.add_files(paths, MetasploitPayloads.path('java'), 'WEB-INF/classes/')
+    zip.add_file('metasploit/', '') # Create the metasploit dir
+
+    paths.each do |path_parts|
+      path = ['java', path_parts].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      zip.add_file(path_parts.join('/'), contents)
+    end
+
     zip.add_file("WEB-INF/classes/metasploit.dat", stager_config(opts))
 
     zip
@@ -138,7 +152,14 @@ def generate_axis2(opts={})
     zip = Rex::Zip::Jar.new
     zip.add_file('META-INF/', '')
     zip.add_file('META-INF/services.xml', services_xml)
-    zip.add_files(paths, MetasploitPayloads.path('java'))
+    zip.add_file('metasploit/', '') # Create the metasploit dir
+
+    paths.each do |path_parts|
+      path = ['java', path_parts].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      zip.add_file(path_parts.join('/'), contents)
+    end
+
     zip.add_file('metasploit.dat', stager_config(opts))
     zip.build_manifest(:app_name => app_name)
 

diff --git a/lib/msf/core/payload/windows/dll_inject.rb b/lib/msf/core/payload/windows/dll_inject.rb
@@ -205,9 +205,8 @@ def handle_connection_stage(conn, opts = {})
     data = library_name + "\x00"
 
     begin
-      File.open(library_path, "rb") { |f|
-        data += f.read
-      }
+      encrypted_contents = ::File.binread(library_path)
+      data += ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_contents)
     rescue
       print_error("Failed to load DLL: #{$!}.")
 

diff --git a/lib/msf/core/post/windows/reflective_dll_injection.rb b/lib/msf/core/post/windows/reflective_dll_injection.rb
@@ -78,8 +78,9 @@ def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader',
   # @return [Array] Tuple of allocated memory address and offset to the
   #   +ReflectiveLoader+ function.
   def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    offset = load_rdi_dll_from_data(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
-    dll_mem = inject_into_process(process, dll_data)
+    decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data)
+    offset = load_rdi_dll_from_data(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
+    dll_mem = inject_into_process(process, decrypted_dll_data)
 
     return dll_mem, offset
   end

diff --git a/lib/msf/core/reflective_dll_loader.rb b/lib/msf/core/reflective_dll_loader.rb
@@ -24,8 +24,8 @@ module Msf::ReflectiveDLLLoader
   # @return [Array] Tuple of DLL contents and offset to the
   #                 +ReflectiveLoader+ function within the DLL.
   def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    dll = ''
-    ::File.open(dll_path, 'rb') { |f| dll = f.read }
+    encrypted_dll = ::File.binread(dll_path)
+    dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll)
 
     offset = parse_pe(dll, loader_name: loader_name, loader_ordinal: loader_ordinal)
 
@@ -43,7 +43,8 @@ def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPO
   #
   # @return [Integer] offset to the +ReflectiveLoader+ function within the DLL.
   def load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    offset = parse_pe(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
+    decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data)
+    offset = parse_pe(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
 
     unless offset
       raise 'Cannot find the ReflectiveLoader entry point in DLL data'

diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -1599,7 +1599,14 @@ def self.to_jar(exe, opts = {})
     paths = [
       [ "metasploit", "Payload.class" ],
     ]
-    zip.add_files(paths, MetasploitPayloads.path('java'))
+
+    zip.add_file('metasploit/', '')
+    paths.each do |path_parts|
+      path = ['java', path_parts].flatten.join('/')
+      contents = ::MetasploitPayloads.read(path)
+      zip.add_file(path_parts.join('/'), contents)
+    end
+
     zip.build_manifest :main_class => "metasploit.Payload"
     config = "Spawn=#{spawn}\r\nExecutable=#{exe_name}\r\n"
     zip.add_file("metasploit.dat", config)

diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
@@ -258,7 +258,8 @@ def load_library(opts)
       end
 
       if library_image
-        request.add_tlv(TLV_TYPE_DATA, library_image, false, client.capabilities[:zlib])
+        decrypted_library_image = ::MetasploitPayloads::Crypto.decrypt(ciphertext: library_image)
+        request.add_tlv(TLV_TYPE_DATA, decrypted_library_image, false, client.capabilities[:zlib])
       else
         raise RuntimeError, "Failed to serialize library #{library_path}.", caller
       end

diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -82,11 +82,8 @@ def getsystem(technique=TECHNIQUE[:any])
         raise RuntimeError, "#{elevators.chomp(', ')} not found", caller
       end
 
-      elevator_data = ''
-
-      ::File.open(elevator_path, 'rb') { |f|
-        elevator_data += f.read(f.stat.size)
-      }
+      encrypted_elevator_data = ::File.binread(elevator_path)
+      elevator_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_elevator_data)
 
       request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data)
       request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)

diff --git a/lib/rex/post/meterpreter/extensions/stdapi/ui.rb b/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
@@ -185,10 +185,8 @@ def screenshot( quality=50 )
           raise RuntimeError, "screenshot.x64.dll not found", caller
         end
 
-        screenshot_dll  = ''
-        ::File.open( screenshot_path, 'rb' ) do |f|
-          screenshot_dll += f.read( f.stat.size )
-        end
+        encrypted_screenshot_dll = ::File.binread(screenshot_path)
+        screenshot_dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_screenshot_dll)
 
         request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER, screenshot_dll, false, true )
       end
@@ -199,10 +197,8 @@ def screenshot( quality=50 )
         raise RuntimeError, "screenshot.x86.dll not found", caller
       end
 
-      screenshot_dll  = ''
-      ::File.open( screenshot_path, 'rb' ) do |f|
-        screenshot_dll += f.read( f.stat.size )
-      end
+      encrypted_screenshot_dll = ::File.binread(screenshot_path)
+      screenshot_dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_screenshot_dll)
 
       request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER, screenshot_dll, false, true )
     end

diff --git a/metasploit-framework.gemspec b/metasploit-framework.gemspec
@@ -72,7 +72,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model'
   # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '2.0.156'
+  spec.add_runtime_dependency 'metasploit-payloads', '2.0.159'
   # Needed for the next-generation POSIX Meterpreter
   spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.26'
   # Needed by msfgui and other rpc components

diff --git a/modules/exploits/multi/misc/java_jmx_server.rb b/modules/exploits/multi/misc/java_jmx_server.rb
@@ -69,7 +69,13 @@ def on_request_uri(cli, request)
         ["metasploit", "JMXPayloadMBean.class"],
         ["metasploit", "JMXPayload.class"],
       ]
-      @jar.add_files(paths, MetasploitPayloads.path('java'))
+
+      @jar.add_file('metasploit/', '')
+      paths.each do |path_parts|
+        path = ['java', path_parts].flatten.join('/')
+        contents = ::MetasploitPayloads.read(path)
+        @jar.add_file(path_parts.join('/'), contents)
+      end
     end
 
     if request.uri =~ /mlet$/

diff --git a/modules/exploits/multi/misc/java_rmi_server.rb b/modules/exploits/multi/misc/java_rmi_server.rb
@@ -173,7 +173,13 @@ def on_request_uri(cli,  request)
         [ "metasploit", "RMILoader.class" ],
         [ "metasploit", "RMIPayload.class" ],
       ]
-      jar.add_files(paths, MetasploitPayloads.path('java'))
+
+      jar.add_file('metasploit/', '') # create metasploit dir
+      paths.each do |path_parts|
+        path = ['java', path_parts].flatten.join('/')
+        contents = ::MetasploitPayloads.read(path)
+        jar.add_file(path_parts.join('/'), contents)
+      end
 
       send_response(cli, jar.pack,
       {

diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
@@ -384,8 +384,8 @@ def exploit
     library_path = ::File.expand_path(library_path)
 
     print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
-    dll = ''
-    ::File.open(library_path, 'rb') { |f| dll = f.read }
+    encrypted_dll = ::File.binread(library_path)
+    dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll)
 
     patch_win32k_offsets(dll)
     patch_nt_offsets(dll)