Land #418, fix fallback to 128-bit AES keys for some java versions

2025-03-24 18:16:24 +01:00 · 2020-06-30 13:50:51 +08:00 · 2020-06-30 13:50:51 +08:00 · 8ef00734b2
commit 8ef00734b2
parent c04196cab5 86c02d4b28
2 changed files with 13 additions and 8 deletions
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Transport.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Transport.java
@ -18,6 +18,7 @@ public abstract class Transport {
    public static final long MS = 1000L;
    public static final int ENC_NONE = 0;
    public static final int ENC_AES256 = 1;
+    public static final int ENC_AES128 = 2;

    private static final SecureRandom sr = new SecureRandom();

@ -100,7 +101,7 @@ public abstract class Transport {

        this.arrayCopy(packet, 32, body, 0, body.length);
        int encFlag = this.readInt(packet, 20);
-        if (encFlag == ENC_AES256 && this.aesKey != null) {
+        if (encFlag != ENC_NONE && this.aesKey != null) {
            try
            {
                body = aesDecrypt(body);
@ -162,7 +163,7 @@ public abstract class Transport {
            try
            {
                if (this.aesEnabled) {
-                    encType = ENC_AES256;
+                    encType = (this.aesKey.length == 32 ? ENC_AES256 : ENC_AES128);
                    data = aesEncrypt(data);
                }
                else
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_negotiate_tlv_encryption.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_negotiate_tlv_encryption.java
@ -1,18 +1,15 @@
 package com.metasploit.meterpreter.core;

-import javax.xml.bind.DatatypeConverter;
 import java.security.KeyFactory;
 import java.security.PublicKey;
 import java.security.SecureRandom;
 import java.security.spec.X509EncodedKeySpec;
-import java.lang.String;
 import javax.crypto.Cipher;

 import com.metasploit.meterpreter.Transport;
 import com.metasploit.meterpreter.Meterpreter;
 import com.metasploit.meterpreter.TLVPacket;
 import com.metasploit.meterpreter.TLVType;
-import com.metasploit.meterpreter.Utils;
 import com.metasploit.meterpreter.command.Command;

 public class core_negotiate_tlv_encryption implements Command {
@ -21,9 +18,16 @@ public class core_negotiate_tlv_encryption implements Command {

    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
        byte[] der = request.getRawValue(TLVType.TLV_TYPE_RSA_PUB_KEY);
-        byte[] aesKey = new byte[32];
+        int encType;
+        byte[] aesKey;
+        if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
+            encType = Transport.ENC_AES128;
+            aesKey = new byte[16];
+        } else {
+            encType = Transport.ENC_AES256;
+            aesKey = new byte[32];
+        }
        sr.nextBytes(aesKey);
-
        try
        {
            PublicKey pubKey = getPublicKey(der);
@ -35,7 +39,7 @@ public class core_negotiate_tlv_encryption implements Command {
        {
            response.add(TLVType.TLV_TYPE_SYM_KEY, aesKey);
        }
-        response.add(TLVType.TLV_TYPE_SYM_KEY_TYPE, Transport.ENC_AES256);
+        response.add(TLVType.TLV_TYPE_SYM_KEY_TYPE, encType);

        meterpreter.getTransports().current().setAesEncryptionKey(aesKey);