Land rapid7#8948, allow configuring payload HTTP headers for domain fronting

Author: busterb

Gemfile.lock

@@ -17,9 +17,9 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.14)
+      metasploit-payloads (= 1.3.15)
       metasploit_data_models
-      metasploit_payloads-mettle (= 0.2.5)
+      metasploit_payloads-mettle (= 0.2.8)
       msgpack
       nessus_rest
       net-ssh
@@ -178,7 +178,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.14)
+    metasploit-payloads (1.3.15)
     metasploit_data_models (2.0.15)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -189,7 +189,7 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.2.5)
+    metasploit_payloads-mettle (0.2.8)
     method_source (0.9.0)
     mini_portile2 (2.3.0)
     minitest (5.10.3)

lib/msf/base/sessions/mettle_config.rb

@@ -27,6 +27,10 @@ def generate_uri(opts={})
         generate_uri_uuid_mode(:init_connect, uri_req_len, uuid: opts[:uuid])
       end
 
+      def generate_uri_option(opts, opt)
+        opts[opt] ? "--#{opt} '#{opts[opt].gsub(/'/, "\\'")}' " : ''
+      end
+
       def generate_http_uri(opts)
         if Rex::Socket.is_ipv6?(opts[:lhost])
           target_uri = "#{opts[:scheme]}://[#{opts[:lhost]}]"
@@ -38,7 +42,15 @@ def generate_http_uri(opts)
         target_uri << opts[:lport].to_s
         target_uri << luri
         target_uri << generate_uri(opts)
-        target_uri
+        target_uri << '|'
+        target_uri << generate_uri_option(opts, :ua)
+        target_uri << generate_uri_option(opts, :host)
+        target_uri << generate_uri_option(opts, :referer)
+        if opts[:cookie]
+          opts[:header] = "Cookie: #{opts[:cookie]}"
+          target_uri << generate_uri_option(opts, :header)
+        end
+        target_uri.strip
       end
 
       def generate_tcp_uri(opts)
@@ -57,14 +69,11 @@ def generate_config(opts={})
 
         case opts[:scheme]
         when 'http'
-          transport = transport_config_reverse_http(opts)
-          opts[:uri] = generate_http_uri(transport)
+          opts[:uri] = generate_http_uri(transport_config_reverse_http(opts))
         when 'https'
-          transport = transport_config_reverse_https(opts)
-          opts[:uri] = generate_http_uri(transport)
+          opts[:uri] = generate_http_uri(transport_config_reverse_https(opts))
         when 'tcp'
-          transport = transport_config_reverse_tcp(opts)
-          opts[:uri] = generate_tcp_uri(transport)
+          opts[:uri] = generate_tcp_uri(transport_config_reverse_tcp(opts))
         else
           raise ArgumentError, "Unknown scheme: #{opts[:scheme]}"
         end
@@ -74,7 +83,7 @@ def generate_config(opts={})
         unless opts[:stageless] == true
           guid = [SecureRandom.uuid.gsub(/-/, '')].pack('H*')
         end
-        opts[:session_guid] = Base64.encode64(guid)
+        opts[:session_guid] = Base64.encode64(guid).strip
 
         opts.slice(:uuid, :session_guid, :uri, :debug, :log_file)
       end

lib/msf/core/handler/reverse_http.rb

@@ -52,16 +52,38 @@ def initialize(info = {})
 
     register_advanced_options(
       [
-
-        OptString.new('MeterpreterUserAgent', [false, 'The user-agent that the payload should use for communication', Rex::UserAgent.shortest]),
-        OptString.new('MeterpreterServerName', [false, 'The server header that the handler will send in response to requests', 'Apache']),
-        OptAddress.new('ReverseListenerBindAddress', [false, 'The specific IP address to bind to on the local system']),
-        OptBool.new('OverrideRequestHost', [false, 'Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT', false]),
-        OptString.new('OverrideLHOST', [false, 'When OverrideRequestHost is set, use this value as the host name for secondary requests']),
-        OptPort.new('OverrideLPORT', [false, 'When OverrideRequestHost is set, use this value as the port number for secondary requests']),
-        OptString.new('OverrideScheme', [false, 'When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https']),
-        OptString.new('HttpUnknownRequestResponse', [false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>']),
-        OptBool.new('IgnoreUnknownPayloads', [false, 'Whether to drop connections from payloads using unknown UUIDs', false])
+        OptAddress.new('ReverseListenerBindAddress',
+          'The specific IP address to bind to on the local system'
+        ),
+        OptBool.new('OverrideRequestHost',
+          'Forces a specific host and port instead of using what the client requests, defaults to LHOST:LPORT',
+        ),
+        OptString.new('OverrideLHOST',
+          'When OverrideRequestHost is set, use this value as the host name for secondary requests'
+        ),
+        OptPort.new('OverrideLPORT',
+          'When OverrideRequestHost is set, use this value as the port number for secondary requests'
+        ),
+        OptString.new('OverrideScheme',
+          'When OverrideRequestHost is set, use this value as the scheme for secondary requests, e.g http or https'
+        ),
+        OptString.new('HttpUserAgent',
+          'The user-agent that the payload should use for communication',
+          default: Rex::UserAgent.shortest,
+          aliases: ['MeterpreterUserAgent']
+        ),
+        OptString.new('HttpServerName',
+          'The server header that the handler will send in response to requests',
+          default: 'Apache',
+          aliases: ['MeterpreterServerName']
+        ),
+        OptString.new('HttpUnknownRequestResponse',
+          'The returned HTML response body when the handler receives a request that is not from a payload',
+          default: '<html><body><h1>It works!</h1></body></html>'
+        ),
+        OptBool.new('IgnoreUnknownPayloads',
+          'Whether to drop connections from payloads using unknown UUIDs'
+        )
       ], Msf::Handler::ReverseHttp)
   end
 
@@ -204,7 +226,7 @@ def setup_handler
 
     raise ex if (ex)
 
-    self.service.server_name = datastore['MeterpreterServerName']
+    self.service.server_name = datastore['HttpServerName']
 
     # Add the new resource
     service.add_resource((luri + "/").gsub("//", "/"),
@@ -245,14 +267,14 @@ def lookup_proxy_settings
     info = {}
     return @proxy_settings if @proxy_settings
 
-    if datastore['PayloadProxyHost'].to_s == ''
+    if datastore['HttpProxyHost'].to_s == ''
       @proxy_settings = info
       return @proxy_settings
     end
 
-    info[:host] = datastore['PayloadProxyHost'].to_s
-    info[:port] = (datastore['PayloadProxyPort'] || 8080).to_i
-    info[:type] = datastore['PayloadProxyType'].to_s
+    info[:host] = datastore['HttpProxyHost'].to_s
+    info[:port] = (datastore['HttpProxyPort'] || 8080).to_i
+    info[:type] = datastore['HttpProxyType'].to_s
 
     uri_host = info[:host]
 
@@ -266,11 +288,11 @@ def lookup_proxy_settings
       info[:info] = "socks=#{info[:info]}"
     else
       info[:info] = "http://#{info[:info]}"
-      if datastore['PayloadProxyUser'].to_s != ''
-        info[:username] = datastore['PayloadProxyUser'].to_s
+      if datastore['HttpProxyUser'].to_s != ''
+        info[:username] = datastore['HttpProxyUser'].to_s
       end
-      if datastore['PayloadProxyPass'].to_s != ''
-        info[:password] = datastore['PayloadProxyPass'].to_s
+      if datastore['HttpProxyPass'].to_s != ''
+        info[:password] = datastore['HttpProxyPass'].to_s
       end
     end
 
@@ -347,8 +369,6 @@ def on_request(cli, req)
           blob = self.generate_stage(
             url:   url,
             uuid:  uuid,
-            lhost: uri.host,
-            lport: uri.port,
             uri:   conn_id
           )
 

lib/msf/core/handler/reverse_https_proxy.rb

@@ -38,14 +38,11 @@ def initialize(info = {})
 
     register_options(
       [
-        OptAddressLocal.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
-        OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
-        OptString.new('PayloadProxyHost', [true, "The proxy server's IP address", "127.0.0.1"]),
-        OptPort.new('PayloadProxyPort', [true, "The proxy port to connect to", 8080 ]),
-        OptEnum.new('PayloadProxyType', [true, 'The proxy type, HTTP or SOCKS', 'HTTP', ['HTTP', 'SOCKS']]),
-        OptString.new('PayloadProxyUser', [ false, "An optional username for HTTP proxy authentication"]),
-        OptString.new('PayloadProxyPass', [ false, "An optional password for HTTP proxy authentication"])
-      ], Msf::Handler::ReverseHttpsProxy)
+        OptAddressLocal.new('LHOST', "The local listener hostname", default: "127.0.0.1"),
+        OptPort.new('LPORT', "The local listener port", default: 8443)
+      ] +
+      Msf::Opt::http_proxy_options,
+      Msf::Handler::ReverseHttpsProxy)
 
     register_advanced_options(
       [

lib/msf/core/handler/reverse_tcp.rb

@@ -45,15 +45,6 @@ def initialize(info = {})
     # XXX: Not supported by all modules
     register_advanced_options(
       [
-        OptInt.new(
-          'StagerRetryCount',
-          [ true, 'The number of connection attempts to try before exiting the process', 10 ],
-          aliases: ['ReverseConnectRetries']
-        ),
-        OptFloat.new(
-          'StagerRetryWait',
-          [ false, 'Number of seconds to wait for the stager between reconnect attempts', 5.0 ]
-        ),
         OptAddress.new(
           'ReverseListenerBindAddress',
           [ false, 'The specific IP address to bind to on the local system' ]
@@ -62,7 +53,8 @@ def initialize(info = {})
           'ReverseListenerThreaded',
           [ true, 'Handle every connection in a new thread (experimental)', false ]
         )
-      ],
+      ] +
+      Msf::Opt::stager_retry_options,
       Msf::Handler::ReverseTcp
     )
 

lib/msf/core/opt.rb

@@ -65,6 +65,49 @@ def self.SSLVersion
       )
     end
 
+    def self.stager_retry_options
+      [
+        OptInt.new('StagerRetryCount',
+          'The number of times the stager should retry if the first connect fails',
+          default: 10,
+          aliases: ['ReverseConnectRetries']
+        ),
+        OptInt.new('StagerRetryWait',
+          'Number of seconds to wait for the stager between reconnect attempts',
+          default: 5
+        )
+      ]
+    end
+
+    def self.http_proxy_options
+      [
+        OptString.new('HttpProxyHost', 'An optional proxy server IP address or hostname',
+          aliases: ['PayloadProxyHost']
+        ),
+        OptPort.new('HttpProxyPort', 'An optional proxy server port',
+          aliases: ['PayloadProxyPort']
+        ),
+        OptString.new('HttpProxyUser', 'An optional proxy server username',
+          aliases: ['PayloadProxyUser']
+        ),
+        OptString.new('HttpProxyPass', 'An optional proxy server password',
+          aliases: ['PayloadProxyPass']
+        ),
+        OptEnum.new('HttpProxyType', 'The type of HTTP proxy',
+          enums: ['HTTP', 'SOCKS'],
+          aliases: ['PayloadProxyType']
+        )
+      ]
+    end
+
+    def self.http_header_options
+      [
+        OptString.new('HttpHostHeader', 'An optional value to use for the Host HTTP header'),
+        OptString.new('HttpCookie', 'An optional value to use for the Cookie HTTP header'),
+        OptString.new('HttpReferer', 'An optional value to use for the Referer HTTP header')
+      ]
+    end
+
     CHOST = CHOST()
     CPORT = CPORT()
     LHOST = LHOST()

lib/msf/core/payload/android/reverse_http.rb

@@ -18,6 +18,14 @@ module Payload::Android::ReverseHttp
   include Msf::Payload::Android
   include Msf::Payload::UUID::Options
 
+  #
+  # Register reverse_http specific options
+  #
+  def initialize(*args)
+    super
+    register_advanced_options(Msf::Opt::http_header_options)
+  end
+
   #
   # Generate the transport-specific configuration
   #

lib/msf/core/payload/java/reverse_http.rb

@@ -23,10 +23,13 @@ module Payload::Java::ReverseHttp
   #
   def initialize(*args)
     super
-    register_advanced_options([
-      Msf::OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]),
-      Msf::OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)'])
-    ])
+    register_advanced_options(
+      [
+        OptInt.new('Spawn', [true, 'Number of subprocesses to spawn', 2]),
+        OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']),
+      ] +
+      Msf::Opt::http_header_options
+    )
   end
 
   #
@@ -64,6 +67,10 @@ def stager_config(opts={})
 
     c =  ''
     c << "Spawn=#{ds["Spawn"] || 2}\n"
+    c << "HeaderUser-Agent=#{ds["HttpUserAgent"]}\n" if ds["HttpUserAgent"]
+    c << "HeaderHost=#{ds["HttpHostHeader"]}\n" if ds["HttpHostHeader"]
+    c << "HeaderReferer=#{ds["HttpReferer"]}\n" if ds["HttpReferer"]
+    c << "HeaderCookie=#{ds["HttpCookie"]}\n" if ds["HttpCookie"]
     c << "URL=#{scheme}://#{ds['LHOST']}"
     c << ":#{ds['LPORT']}" if ds['LPORT']
     c << luri

lib/msf/core/payload/multi/reverse_http.rb

@@ -22,16 +22,12 @@ module Payload::Multi::ReverseHttp
   #
   def initialize(*args)
     super
-    register_advanced_options([
-        OptInt.new('StagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']),
-        OptInt.new('StagerRetryCount', [false, 'The number of times the stager should retry if the first connect fails', 10],
-          aliases: ['ReverseConnectRetries']),
-        OptString.new('PayloadProxyHost', [false, 'An optional proxy server IP address or hostname']),
-        OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']),
-        OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']),
-        OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']),
-        OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']])
-      ])
+    register_advanced_options(
+      [ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)') ] +
+      Msf::Opt::stager_retry_options +
+      Msf::Opt::http_header_options +
+      Msf::Opt::http_proxy_options
+    )
   end
 
   #
@@ -67,4 +63,3 @@ def wfs_delay
 end
 
 end
-