From 7d2a2a8b647e5fae2ad48643043c81f50370ed1e Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Sun, 20 Sep 2015 22:44:21 -0500 Subject: [PATCH 1/3] Fix issues with using hop for new core --- data/php/hop.php | 2 +- lib/msf/core/handler/reverse_hop_http.rb | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/data/php/hop.php b/data/php/hop.php index c9f323657a..aebeff0e77 100644 --- a/data/php/hop.php +++ b/data/php/hop.php @@ -45,7 +45,7 @@ if($url === "/control"){ //get data $postdata = file_get_contents("php://input"); //See if we should send anything down - if($postdata === 'RECV'){ + if($postdata === "RECV\x00"){ findSendDelete($tempdir, "down_" . bin2hex($url)); $fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll }else{ diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index 0ead3894a0..d458944d44 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb @@ -54,6 +54,13 @@ module ReverseHopHttp "tunnel" end + # + # Returns the socket type. (hop) + # + def type? + return 'hop' + end + # # Sets up a handler. Doesn't do much since it's all in start_handler. # From d90f87449a372770e16118242a459c55fcd5db56 Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Tue, 22 Sep 2015 16:55:01 -0500 Subject: [PATCH 2/3] Fix merge --- data/php/hop.php | 6 +++--- lib/msf/core/handler/reverse_hop_http.rb | 2 ++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/data/php/hop.php b/data/php/hop.php index aebeff0e77..948ccfe7d2 100644 --- a/data/php/hop.php +++ b/data/php/hop.php @@ -33,7 +33,7 @@ if($url === "/control"){ if(array_key_exists('HTTP_X_INIT', $_SERVER)){ $f = fopen($tempdir."/init", "w"); //only one init file }else{ - $prefix = "down_" . bin2hex($_SERVER['HTTP_X_URLFRAG']); + $prefix = "down_" . sha1($_SERVER['HTTP_X_URLFRAG']); $f = fopen(tempnam($tempdir,$prefix), "w"); } fwrite($f, $postdata); 
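Review bot: In data/php/hop.php (patch 1/3, hunk at -45,7) the poll marker is now compared strictly against `"RECV\x00"`, so a body of plain `RECV` no longer matches and falls into the `else` branch. The 2/3 hunk of the same file shows that branch storing the body under a fresh `up_` name as if it were data. If handlers that still send the old form can reach this script, accepting both keeps them working: `if($postdata === "RECV\x00" || $postdata === 'RECV'){`. The trailing NUL is also unexplained; a comment such as `//poll marker arrives NUL-terminated from the handler` would help, if that is indeed the reason. The enclosing block starts and ends outside the hunk.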
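Review bot: In lib/msf/core/handler/reverse_hop_http.rb (patch 1/3, hunk at -54,6) the new `type?` uses an explicit `return 'hop'`, while the method just above it in the hunk ends on a bare `"tunnel"`; writing the body as `'hop'` would match the surrounding code. A `?` suffix normally signals a predicate in Ruby, so the header comment could state that a string comes back, e.g. `# Returns the socket type as a string ('hop').` Which callers consult this value is not visible in the hunk.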
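Review bot: In data/php/hop.php (patch 2/3, hunk at -33,7) `$_SERVER['HTTP_X_URLFRAG']` is hashed without checking that the header is present, although the branch above tests `HTTP_X_INIT` with `array_key_exists`. A request without the header hashes an empty value, so every such request lands under the same `down_` prefix. A guard before the prefix is built would avoid that: `if(!array_key_exists('HTTP_X_URLFRAG', $_SERVER)){ exit; }`. The result of `fopen(tempnam($tempdir,$prefix), "w")` also goes straight to `fwrite` unchecked. `tempnam` can return false or fall back to the system temp directory when `$tempdir` is unusable, so `$f !== false` should be checked before writing.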
@@ -46,8 +46,8 @@ if($url === "/control"){ $postdata = file_get_contents("php://input"); //See if we should send anything down if($postdata === "RECV\x00"){ - findSendDelete($tempdir, "down_" . bin2hex($url)); - $fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll + findSendDelete($tempdir, "down_" . sha1($url)); + $fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll }else{ $fname = tempnam($tempdir, "up_"); //actual data gets its own filename } diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index d458944d44..ba00c3e94e 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb @@ -17,6 +17,7 @@ module Handler module ReverseHopHttp include Msf::Handler::ReverseHttp + include Msf::Payload::UUIDOptions # # Magic bytes to know we are talking to a valid hop @@ -256,6 +257,7 @@ module ReverseHopHttp # generate a new connect sum = uri_checksum_lookup(:connect) conn_id = generate_uri_uuid(sum, uuid) + conn_id = conn_id[1..-1] if conn_id.start_with? '/' url = full_uri + conn_id + "/\x00" print_status("Preparing stage for next session #{conn_id}") From 30102d4526d98994995b03b11e5d1e9028539a9e Mon Sep 17 00:00:00 2001 From: scriptjunkie Date: Tue, 22 Sep 2015 17:05:30 -0500 Subject: [PATCH 3/3] No longer needed. --- lib/msf/core/handler/reverse_hop_http.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb index ba00c3e94e..138a373e6c 100644 --- a/lib/msf/core/handler/reverse_hop_http.rb +++ b/lib/msf/core/handler/reverse_hop_http.rb @@ -17,7 +17,6 @@ module Handler module ReverseHopHttp include Msf::Handler::ReverseHttp - include Msf::Payload::UUIDOptions # # Magic bytes to know we are talking to a valid hop
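Review bot: In data/php/hop.php (patch 2/3, hunk at -46,8) the lookup key `sha1($url)` only finds queued files if `$url` is byte-for-byte the value that the `/control` branch hashed from `X-URLFRAG`. Unlike `bin2hex`, a hash gives no way to tell from the file name where the two differ. The same series changes how the Ruby handler builds the fragment (leading `/` trimmed, `"/\x00"` appended), so the expected form deserves a comment here, for example `//key must equal sha1() of the X-URLFRAG value hashed in the /control branch`. `"down_" . sha1(...)` is now spelled out in two hunks; a one-line helper would keep writer and reader from drifting apart. The enclosing branch starts outside the hunk.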
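Review bot: In lib/msf/core/handler/reverse_hop_http.rb (patch 2/3, hunk at -256,6) the new line strips a leading `/` from `conn_id` with no comment. The next line builds `full_uri + conn_id + "/\x00"`, which is only well-formed if `full_uri` already ends in `/`, and that is not visible in the hunk. A comment would record the assumption, e.g. `# generate_uri_uuid may return a leading '/'; full_uri is expected to end with one`. `conn_id = conn_id.sub(%r{\A/}, '')` expresses the same in one expression and reads more directly than the index range. The enclosing method starts and ends outside the hunk.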