Merge pull request rapid7#2 from smcintyre-r7/pr/collab/16995

Check that the architectures are compatible

lib/rex/post/meterpreter/extensions/bofloader/bofloader.rb

@@ -150,11 +150,8 @@ def initialize(client)
 
   end
 
-  def exec_cmd(filename, args_format: nil, args: nil, entry: 'go')
-    request = Packet.create_request(COMMAND_ID_BOFLOADER_EXEC_CMD)
-
-    bof_data = ::File.binread(filename)
-    # TODO: Check if BOF file is an object file and if it's the correct arch for the meterpreter session
+  def execute(bof_data, args_format: nil, args: nil, entry: 'go')
+    request = Packet.create_request(COMMAND_ID_BOFLOADER_EXECUTE)
 
     # Pack up beacon object file data and arguments into one single binary blob
     # Hardcode the entrypoint to "go" (CobaltStrike approved)
@@ -163,9 +160,9 @@ def exec_cmd(filename, args_format: nil, args: nil, entry: 'go')
     packed_coff_data = bof.coff_pack_pack(entry, bof_data, packed_args)
 
     # Send the meterpreter TLV packet and get the output back
-    request.add_tlv(TLV_TYPE_BOFLOADER_CMD, packed_coff_data)
+    request.add_tlv(TLV_TYPE_BOFLOADER_EXECUTE_BUFFER, packed_coff_data)
     response = client.send_request(request)
-    return response.get_tlv_value(TLV_TYPE_BOFLOADER_CMD_RESULT)
+    return response.get_tlv_value(TLV_TYPE_BOFLOADER_EXECUTE_RESULT)
   end
 
 end

lib/rex/post/meterpreter/extensions/bofloader/command_ids.rb

@@ -9,7 +9,7 @@ module Bofloader
 EXTENSION_ID_BOFLOADER = 18000
 
 # Associated command ids
-COMMAND_ID_BOFLOADER_EXEC_CMD = EXTENSION_ID_BOFLOADER + 1
+COMMAND_ID_BOFLOADER_EXECUTE = EXTENSION_ID_BOFLOADER + 1
 
 end
 end

lib/rex/post/meterpreter/extensions/bofloader/tlv.rb

@@ -5,8 +5,8 @@ module Meterpreter
 module Extensions
 module Bofloader
 
-TLV_TYPE_BOFLOADER_CMD        = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 100)
-TLV_TYPE_BOFLOADER_CMD_RESULT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 101)
+TLV_TYPE_BOFLOADER_EXECUTE_BUFFER = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 100)
+TLV_TYPE_BOFLOADER_EXECUTE_RESULT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 101)
 
 end
 end

lib/rex/post/meterpreter/ui/console/command_dispatcher/bofloader.rb

@@ -108,7 +108,23 @@ def cmd_bof_cmd(*args)
       return
     end
 
-    output = client.bofloader.exec_cmd(filename, args_format: bof_args_format, args: bof_args, entry: entry)
+    bof_data = ::File.binread(filename)
+    parsed = Metasm::COFF.decode_header(bof_data[0...20])
+    bof_arch = { # map of metasm to metasploit architectures
+      'AMD64' => ARCH_X64,
+      'I386'  => ARCH_X86
+    }.fetch(parsed.header.machine, nil)
+
+    unless bof_arch
+      print_error('Unable to determine the file architecture.')
+      return
+    end
+    unless bof_arch == client.arch
+      print_error("The file architecture is incompatible with the current session (file: #{bof_arch} session: #{client.arch})")
+      return
+    end
+
+    output = client.bofloader.execute(bof_data, args_format: bof_args_format, args: bof_args, entry: entry)
     if output.nil?
       print_line("No (Nil?) output from BOF...")
     else