metasploit-framework/lib/rex/proto/http/client_request.rb

469 lines
10 KiB
Ruby

# -*- coding: binary -*-
require 'uri'
#require 'rex/proto/http'
require 'rex/socket'
require 'rex/text'
require 'pp'
module Rex
module Proto
module Http
class ClientRequest
DefaultUserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
DefaultConfig = {
#
# Regular HTTP stuff
#
'agent' => DefaultUserAgent,
'cgi' => true,
'cookie' => nil,
'data' => '',
'headers' => nil,
'raw_headers' => '',
'method' => 'GET',
'path_info' => '',
'port' => 80,
'proto' => 'HTTP',
'query' => '',
'ssl' => false,
'uri' => '/',
'vars_get' => {},
'vars_post' => {},
'version' => '1.1',
'vhost' => nil,
#
# Evasion options
#
'encode_params' => true,
'encode' => false,
'uri_encode_mode' => 'hex-normal', # hex-all, hex-random, u-normal, u-random, u-all
'uri_encode_count' => 1, # integer
'uri_full_url' => false, # bool
'pad_method_uri_count' => 1, # integer
'pad_uri_version_count' => 1, # integer
'pad_method_uri_type' => 'space', # space, tab, apache
'pad_uri_version_type' => 'space', # space, tab, apache
'method_random_valid' => false, # bool
'method_random_invalid' => false, # bool
'method_random_case' => false, # bool
'version_random_valid' => false, # bool
'version_random_invalid' => false, # bool
'version_random_case' => false, # bool
'uri_dir_self_reference' => false, # bool
'uri_dir_fake_relative' => false, # bool
'uri_use_backslashes' => false, # bool
'pad_fake_headers' => false, # bool
'pad_fake_headers_count' => 16, # integer
'pad_get_params' => false, # bool
'pad_get_params_count' => 8, # integer
'pad_post_params' => false, # bool
'pad_post_params_count' => 8, # integer
'uri_fake_end' => false, # bool
'uri_fake_params_start' => false, # bool
'header_folding' => false, # bool
'chunked_size' => 0, # integer
#
# NTLM Options
#
'usentlm2_session' => true,
'use_ntlmv2' => true,
'send_lm' => true,
'send_ntlm' => true,
'SendSPN' => true,
'UseLMKey' => false,
'domain' => 'WORKSTATION',
#
# Digest Options
#
'DigestAuthIIS' => true
}
attr_reader :opts
def initialize(opts={})
@opts = DefaultConfig.merge(opts)
@opts['headers'] ||= {}
end
def to_s
# Start GET query string
qstr = opts['query'] ? opts['query'].dup : ""
# Start POST data string
pstr = opts['data'] ? opts['data'].dup : ""
if opts['cgi']
uri_str = set_uri
if (opts['pad_get_params'])
1.upto(opts['pad_get_params_count'].to_i) do |i|
qstr << '&' if qstr.length > 0
qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1))
qstr << '='
qstr << set_encode_uri(Rex::Text.rand_text_alphanumeric(rand(32)+1))
end
end
opts['vars_get'].each_pair do |var,val|
var = var.to_s
val = val.to_s
qstr << '&' if qstr.length > 0
qstr << (opts['encode_params'] ? set_encode_uri(var) : var)
qstr << '='
qstr << (opts['encode_params'] ? set_encode_uri(val) : val)
end
if (opts['pad_post_params'])
1.upto(opts['pad_post_params_count'].to_i) do |i|
rand_var = Rex::Text.rand_text_alphanumeric(rand(32)+1)
rand_val = Rex::Text.rand_text_alphanumeric(rand(32)+1)
pstr << '&' if pstr.length > 0
pstr << (opts['encode_params'] ? set_encode_uri(rand_var) : rand_var)
pstr << '='
pstr << (opts['encode_params'] ? set_encode_uri(rand_val) : rand_val)
end
end
opts['vars_post'].each_pair do |var,val|
var = var.to_s
val = val.to_s
pstr << '&' if pstr.length > 0
pstr << (opts['encode_params'] ? set_encode_uri(var) : var)
pstr << '='
pstr << (opts['encode_params'] ? set_encode_uri(val) : val)
end
else
if opts['encode']
qstr = set_encode_uri(qstr)
end
uri_str = set_uri
end
req = ''
req << set_method
req << set_method_uri_spacer()
req << set_uri_prepend()
if opts['encode']
req << set_encode_uri(uri_str)
else
req << uri_str
end
if (qstr.length > 0)
req << '?'
req << qstr
end
req << set_path_info
req << set_uri_append()
req << set_uri_version_spacer()
req << set_version
req << set_host_header
# If an explicit User-Agent header is set, then use that instead of
# the default
unless opts['headers'] and opts['headers'].keys.map{|x| x.downcase }.include?('user-agent')
req << set_agent_header
end
# Similar to user-agent, only add an automatic auth header if a
# manual one hasn't been provided
unless opts['headers'] and opts['headers'].keys.map{|x| x.downcase }.include?('authorization')
req << set_auth_header
end
req << set_cookie_header
req << set_connection_header
req << set_extra_headers
req << set_content_type_header
req << set_content_len_header(pstr.length)
req << set_chunked_header()
req << opts['raw_headers']
req << set_body(pstr)
end
protected
def set_uri
uri_str = opts['uri'].dup
if (opts['uri_dir_self_reference'])
uri_str.gsub!('/', '/./')
end
if (opts['uri_dir_fake_relative'])
buf = ""
uri_str.split('/',-1).each do |part|
cnt = rand(8)+2
1.upto(cnt) { |idx|
buf << "/" + Rex::Text.rand_text_alphanumeric(rand(32)+1)
}
buf << ("/.." * cnt)
buf << "/" + part
end
uri_str = buf
end
if (opts['uri_full_url'])
url = opts['ssl'] ? "https://" : "http://"
url << opts['vhost']
url << ((opts['port'] == 80) ? "" : ":#{opts['port']}")
url << uri_str
url
else
uri_str
end
end
def set_encode_uri(str)
a = str.to_s.dup
opts['uri_encode_count'].times {
a = Rex::Text.uri_encode(a, opts['uri_encode_mode'])
}
return a
end
def set_method
ret = opts['method'].dup
if (opts['method_random_valid'])
ret = ['GET', 'POST', 'HEAD'][rand(3)]
end
if (opts['method_random_invalid'])
ret = Rex::Text.rand_text_alpha(rand(20)+1)
end
if (opts['method_random_case'])
ret = Rex::Text.to_rand_case(ret)
end
ret
end
def set_method_uri_spacer
len = opts['pad_method_uri_count'].to_i
set = " "
buf = ""
case opts['pad_method_uri_type']
when 'tab'
set = "\t"
when 'apache'
set = "\t \x0b\x0c\x0d"
end
while(buf.length < len)
buf << set[ rand(set.length) ]
end
return buf
end
#
# Return the padding to place before the uri
#
def set_uri_prepend
prefix = ""
if (opts['uri_fake_params_start'])
prefix << '/%3fa=b/../'
end
if (opts['uri_fake_end'])
prefix << '/%20HTTP/1.0/../../'
end
prefix
end
#
# Return the HTTP path info
# TODO:
# * Encode path information
def set_path_info
opts['path_info'] ? opts['path_info'] : ''
end
#
# Return the padding to place before the uri
#
def set_uri_append
# TODO:
# * Support different padding types
""
end
#
# Return the spacing between the uri and the version
#
def set_uri_version_spacer
len = opts['pad_uri_version_count'].to_i
set = " "
buf = ""
case opts['pad_uri_version_type']
when 'tab'
set = "\t"
when 'apache'
set = "\t \x0b\x0c\x0d"
end
while(buf.length < len)
buf << set[ rand(set.length) ]
end
return buf
end
#
# Return the HTTP version string
#
def set_version
ret = opts['proto'] + "/" + opts['version']
if (opts['version_random_valid'])
ret = opts['proto'] + "/" + ['1.0', '1.1'][rand(2)]
end
if (opts['version_random_invalid'])
ret = Rex::Text.rand_text_alphanumeric(rand(20)+1)
end
if (opts['version_random_case'])
ret = Rex::Text.to_rand_case(ret)
end
ret << "\r\n"
end
#
# Return a formatted header string
#
def set_formatted_header(var, val)
if (self.opts['header_folding'])
"#{var}:\r\n\t#{val}\r\n"
else
"#{var}: #{val}\r\n"
end
end
#
# Return the HTTP agent header
#
def set_agent_header
opts['agent'] ? set_formatted_header("User-Agent", opts['agent']) : ""
end
def set_auth_header
opts['authorization'] ? set_formatted_header("Authorization", opts['authorization']) : ""
end
#
# Return the HTTP cookie header
#
def set_cookie_header
opts['cookie'] ? set_formatted_header("Cookie", opts['cookie']) : ""
end
#
# Return the HTTP connection header
#
def set_connection_header
opts['connection'] ? set_formatted_header("Connection", opts['connection']) : ""
end
#
# Return the content type header
#
def set_content_type_header
opts['ctype'] ? set_formatted_header("Content-Type", opts['ctype']) : ""
end
#
# Return the content length header
def set_content_len_header(clen)
return "" if opts['chunked_size'] > 0
set_formatted_header("Content-Length", clen)
end
#
# Return the HTTP Host header
#
def set_host_header
return "" if opts['uri_full_url']
host = opts['vhost']
# IPv6 addresses must be placed in brackets
if Rex::Socket.is_ipv6?(host)
host = "[#{host}]"
end
# The port should be appended if non-standard
if not [80,443].include?(opts['port'])
host = host + ":#{opts['port']}"
end
set_formatted_header("Host", host)
end
#
# Return a string of formatted extra headers
#
def set_extra_headers
buf = ''
if (opts['pad_fake_headers'])
1.upto(opts['pad_fake_headers_count'].to_i) do |i|
buf << set_formatted_header(
Rex::Text.rand_text_alphanumeric(rand(32)+1),
Rex::Text.rand_text_alphanumeric(rand(32)+1)
)
end
end
opts['headers'].each_pair do |var,val|
buf << set_formatted_header(var, val)
end
buf
end
def set_chunked_header
return "" if opts['chunked_size'] == 0
set_formatted_header('Transfer-Encoding', 'chunked')
end
#
# Return the HTTP seperator and body string
#
def set_body(bdata)
return "\r\n" + bdata if opts['chunked_size'] == 0
str = bdata.dup
chunked = ''
while str.size > 0
chunk = str.slice!(0,rand(opts['chunked_size']) + 1)
chunked << sprintf("%x", chunk.size) + "\r\n" + chunk + "\r\n"
end
"\r\n" + chunked + "0\r\n\r\n"
end
end
end
end
end