
Commit 370f600

committed
Refactors metsrv patching in reverse_hop_htt.rb
1 parent 1930eb1 commit 370f600


1 file changed

+15
-35
lines changed


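--- a/lib/msf/core/handler/reverse_hop_http.rb
+++ b/lib/msf/core/handler/reverse_hop_http.rb
@@ -84,7 +84,7 @@ def start_handler
 return
 end
 
-# Sometimes you just have to do everything yourself.
+# Sometimes you just have to do everything yourself.
 # Declare ownership of this hop and spawn a thread to monitor it.
 self.refs = 1
 ReverseHopHttp.hop_handlers[full_uri] = self
@@ -247,40 +247,20 @@ def send_new_stage
 
 print_status("Preparing stage for next session #{conn_id}")
 blob = stage_payload
-
-# Replace the user agent string with our option
-i = blob.index("METERPRETER_UA\x00")
-if i
-str = datastore['MeterpreterUserAgent'][0,255] + "\x00"
-blob[i, str.length] = str
-end
-
-# Replace the transport string first (TRANSPORT_SOCKET_SSL)
-i = blob.index("METERPRETER_TRANSPORT_SSL")
-if i
-str = "METERPRETER_TRANSPORT_HTTP#{ssl? ? "S" : ""}\x00"
-blob[i, str.length] = str
-end
-
-conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
-i = blob.index("https://" + ("X" * 256))
-if i
-url = full_uri + conn_id + "/\x00"
-blob[i, url.length] = url
-end
-print_status("Patched URL at offset #{i}...")
-
-i = blob.index([0xb64be661].pack("V"))
-if i
-str = [ datastore['SessionExpirationTimeout'] ].pack("V")
-blob[i, str.length] = str
-end
-
-i = blob.index([0xaf79257f].pack("V"))
-if i
-str = [ datastore['SessionCommunicationTimeout'] ].pack("V")
-blob[i, str.length] = str
-end
+#
+# Patch options into the payload
+#
+Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+:ssl => ssl?,
+:url => url,
+:expiration => datastore['SessionExpirationTimeout'],
+:comm_timeout => datastore['SessionCommunicationTimeout'],
+:ua => datastore['MeterpreterUserAgent'],
+:proxyhost => datastore['PROXYHOST'],
+:proxyport => datastore['PROXYPORT'],
+:proxy_type => datastore['PROXY_TYPE'],
+:proxy_username => datastore['PROXY_USERNAME'],
+:proxy_password => datastore['PROXY_PASSWORD']
 
 blob = encode_stage(blob)
 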
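Review bot: The length bound that the removed line `str = datastore['MeterpreterUserAgent'][0,255] + "\x00"` enforced is gone from the new call at lines 253-263, which passes `:ua => datastore['MeterpreterUserAgent']` unbounded; if `patch_passive_service!` does not truncate before writing into the fixed-size placeholder in the stage, an overlong datastore value would clobber the bytes that follow it, so either confirm the helper enforces the bound or keep it at the call site, `:ua => datastore['MeterpreterUserAgent'][0, 255],`. The same question applies to `:url => url`, since the removed code appended the `"\x00"` terminator itself and whether the helper does so is not visible here. `url` and `conn_id` are no longer assigned anywhere inside the hunk and send_new_stage starts above it, so they presumably come from earlier assignments; the removed lines 265-268 were the only definitions visible in this view, so that earlier `url` should be checked for the trailing NUL and for matching the `conn_id` printed at line 248. Once verified, a short comment above the call, `# patch_passive_service! is expected to NUL-terminate and bound each string to its placeholder`, would record that contract for the next reader.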