788c96566f
The HttpOpenRequest function from WinINet requires the INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an authenticated proxy. From MSDN ( http://tinyurl.com/chwt86j ): "Uses keep-alive semantics, if available, for the connection. This flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM), and other types of authentication." Without this flag, the HTTP stager will fail when faced with a proxy that requires authentication. The Windows HTTPS stager does not have this problem.

For HTTP Meterpreter to communicate through an authenticated proxy, a separate patch will need to be made to the Meterpreter source code. This is at line 1125 of source/common/core.c in the Meterpreter source code.

My motivation for this request is for windows/dllinject/reverse_http to download a DLL even when faced with an authenticated proxy. These changes accomplish this.

Test environment: I staged a SmoothWall device with the Advanced Proxy Web Add-on. I enabled Integrated Windows Authentication with a W2K3 DC. I verified the HTTP stager authenticated to and communicated through the proxy by watching the proxy access.log.
Directory contents:

- msf2
- speech
- templates
- x64
- x86
- README
- build.sh
- midstager.asm
- single_adduser.asm
- single_exec.asm
- single_shell_bind_tcp.asm
- single_shell_bind_tcp_xpfw.asm
- single_shell_reverse_tcp.asm
- stage_shell.asm
- stage_upexec.asm
- stager_bind_ipv6_tcp_nx.asm
- stager_bind_tcp.asm
- stager_bind_tcp_nx.asm
- stager_find_tag.asm
- stager_reverse_http.asm
- stager_reverse_ipv6_tcp_nx.asm
- stager_reverse_ord_tcp.asm
- stager_reverse_tcp.asm
- stager_reverse_tcp_nx.asm
README
This directory contains the win32 payload development environment used for creating the payloads in version 3 of the Metasploit Framework. The 'nasm' executable must be in your path to use the included build.sh tool.

The included 'build' script automatically creates a number of file types each time it is used to compile a payload. These file types are:

- Native ELF executable
- Win32 PE executable
- Generated C source code
- Raw opcodes in ".bin" format

The PE executable templates were developed by 'rix' and used with permission.

To use this script, simply run ./build.sh <name of payload>, where the name does not include the ".asm" suffix. To build win32_stage_api.asm, the command line would be "./build.sh win32_stage_api".