Bring options over from reverse_tcp (bind address, etc).

Also includes the SSLCert => HandlerSSLCert change

lib/msf/core/handler/reverse_tcp_double_ssl.rb

@@ -47,7 +47,10 @@ module ReverseTcpDoubleSSL
 
     register_advanced_options(
       [
-        OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
+        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
+        OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse TCP even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
+        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format"])
       ], Msf::Handler::ReverseTcpDoubleSSL)
 
     self.conn_threads = []
@@ -62,17 +65,54 @@ module ReverseTcpDoubleSSL
     if datastore['Proxies'] and not datastore['ReverseAllowProxy']
       raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
     end
-    self.listener_sock = Rex::Socket::TcpServer.create(
-      # 'LocalHost' => datastore['LHOST'],
-      'LocalPort' => datastore['LPORT'].to_i,
-      'Comm'      => comm,
-      'SSL'       => true,
-      'Context'   =>
-        {
-          'Msf'        => framework,
-          'MsfPayload' => self,
-          'MsfExploit' => assoc_exploit
-        })
+
+    ex = false
+
+    comm  = datastore['ReverseListenerComm']
+    if comm.to_s == "local"
+      comm = ::Rex::Socket::Comm::Local
+    else
+      comm = nil
+    end
+
+    local_port = bind_port
+    addrs = bind_address
+
+    addrs.each { |ip|
+      begin
+
+        comm.extend(Rex::Socket::SslTcp)
+        self.listener_sock = Rex::Socket::SslTcpServer.create(
+        'LocalHost' => ip,
+        'LocalPort' => local_port,
+        'Comm'      => comm,
+        'SSLCert'   => datastore['HandlerSSLCert'],
+        'Context'   =>
+          {
+            'Msf'        => framework,
+            'MsfPayload' => self,
+            'MsfExploit' => assoc_exploit
+          })
+
+        ex = false
+
+        comm_used = comm || Rex::Socket::SwitchBoard.best_comm( ip )
+        comm_used = Rex::Socket::Comm::Local if comm_used == nil
+
+        if( comm_used.respond_to?( :type ) and comm_used.respond_to?( :sid ) )
+          via = "via the #{comm_used.type} on session #{comm_used.sid}"
+        else
+          via = ""
+        end
+
+        print_status("Started reverse double SSL handler on #{ip}:#{local_port} #{via}")
+        break
+      rescue
+        ex = $!
+        print_error("Handler failed to bind to #{ip}:#{local_port}")
+      end
+    }
+    raise ex if (ex)
   end
 
   #
@@ -204,6 +244,33 @@ module ReverseTcpDoubleSSL
 
 protected
 
+protected
+
+  def bind_port
+    port = datastore['ReverseListenerBindPort'].to_i
+    port > 0 ? port : datastore['LPORT'].to_i
+  end
+
+  def bind_address
+    # Switch to IPv6 ANY address if the LHOST is also IPv6
+    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
+    # First attempt to bind LHOST. If that fails, the user probably has
+    # something else listening on that interface. Try again with ANY_ADDR.
+    any = (addr.length == 4) ? "0.0.0.0" : "::0"
+
+    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
+
+    if not datastore['ReverseListenerBindAddress'].to_s.empty?
+      # Only try to bind to this specific interface
+      addrs = [ datastore['ReverseListenerBindAddress'] ]
+
+      # Pick the right "any" address if either wildcard is used
+      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
+    end
+
+    addrs
+  end
+
   attr_accessor :listener_sock # :nodoc:
   attr_accessor :listener_thread # :nodoc:
   attr_accessor :conn_threads # :nodoc: