Add a bind port setting to reverse listeners

This adds a `ReverseListenerBindPort` advanced setting to the reverse listeners whic
allows for the local bind port to be separated from the `LHOST` setting used in the
payload. This means that listeners can bind to different ports in cases where the
attacker isn't able to listen on the same port that the victim can call out on, but
there are NATs/portforwards/whatever in place that allow the connection to happen.

Author: OJ

lib/msf/core/handler/reverse_http.rb

@@ -83,23 +83,10 @@ def ssl?
   # addresses.
   #
   def full_uri
-    unless datastore['HIDDENHOST'].nil? or datastore['HIDDENHOST'].empty?
-      lhost = datastore['HIDDENHOST']
-    else
-      lhost = datastore['LHOST']
-    end
-    if lhost.empty? or lhost == "0.0.0.0" or lhost == "::"
-      lhost = Rex::Socket.source_address
-    end
-    lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost)
+    addrs = bind_address(datastore)
+    local_port = bind_port(datastore)
     scheme = (ssl?) ? "https" : "http"
-    unless datastore['HIDDENPORT'].nil? or datastore['HIDDENPORT'] == 0
-      uri = "#{scheme}://#{lhost}:#{datastore["HIDDENPORT"]}/"
-    else
-      uri = "#{scheme}://#{lhost}:#{datastore["LPORT"]}/"
-    end
-
-    uri
+    "#{scheme}://#{addrs[0]}:#{local_port}/"
   end
 
   #
@@ -163,6 +150,7 @@ def initialize(info = {})
         OptString.new('MeterpreterUserAgent', [ false, 'The user-agent that the payload should use for communication', 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' ]),
         OptString.new('MeterpreterServerName', [ false, 'The server header that the handler will send in response to requests', 'Apache' ]),
         OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
         OptString.new('HttpUnknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ])
       ], Msf::Handler::ReverseHttp)
   end
@@ -186,17 +174,13 @@ def setup_handler
       comm = nil
     end
 
-    # Determine where to bind the HTTP(S) server to
-    bindaddrs = ipv6 ? '::' : '0.0.0.0'
-
-    if not datastore['ReverseListenerBindAddress'].to_s.empty?
-      bindaddrs = datastore['ReverseListenerBindAddress']
-    end
+    local_port = bind_port(datastore)
+    addrs = bind_address(datastore)
 
     # Start the HTTPS server service on this host/port
     self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server,
-      datastore['LPORT'].to_i,
-      bindaddrs,
+      local_port,
+      addrs[0],
       ssl?,
       {
         'Msf'        => framework,
@@ -413,6 +397,33 @@ def on_request(cli, req, obj)
     obj.service.close_client( cli )
   end
 
+protected
+
+  def bind_port(datastore)
+    port = datastore['ReverseListenerBindPort'].to_i
+    port > 0 ? port : datastore['LPORT'].to_i
+  end
+
+  def bind_address(datastore)
+    # Switch to IPv6 ANY address if the LHOST is also IPv6
+    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
+    # First attempt to bind LHOST. If that fails, the user probably has
+    # something else listening on that interface. Try again with ANY_ADDR.
+    any = (addr.length == 4) ? "0.0.0.0" : "::0"
+
+    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
+
+    if not datastore['ReverseListenerBindAddress'].to_s.empty?
+      # Only try to bind to this specific interface
+      addrs = [ datastore['ReverseListenerBindAddress'] ]
+
+      # Pick the right "any" address if either wildcard is used
+      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
+    end
+
+    addrs
+  end
+
 
 end
 

lib/msf/core/handler/reverse_tcp.rb

@@ -53,8 +53,9 @@ def initialize(info = {})
       [
         OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),
         OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
         OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
-        OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
+        OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false])
       ], Msf::Handler::ReverseTcp)
 
 
@@ -72,13 +73,6 @@ def setup_handler
     end
 
     ex = false
-    # Switch to IPv6 ANY address if the LHOST is also IPv6
-    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
-    # First attempt to bind LHOST. If that fails, the user probably has
-    # something else listening on that interface. Try again with ANY_ADDR.
-    any = (addr.length == 4) ? "0.0.0.0" : "::0"
-
-    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
 
     comm  = datastore['ReverseListenerComm']
     if comm.to_s == "local"
@@ -87,19 +81,15 @@ def setup_handler
       comm = nil
     end
 
-    if not datastore['ReverseListenerBindAddress'].to_s.empty?
-      # Only try to bind to this specific interface
-      addrs = [ datastore['ReverseListenerBindAddress'] ]
+    local_port = bind_port(datastore)
+    addrs = bind_address(datastore)
 
-      # Pick the right "any" address if either wildcard is used
-      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
-    end
     addrs.each { |ip|
       begin
 
         self.listener_sock = Rex::Socket::TcpServer.create(
           'LocalHost' => ip,
-          'LocalPort' => datastore['LPORT'].to_i,
+          'LocalPort' => local_port,
           'Comm'      => comm,
           'Context'   =>
             {
@@ -119,11 +109,11 @@ def setup_handler
           via = ""
         end
 
-        print_status("Started reverse handler on #{ip}:#{datastore['LPORT']} #{via}")
+        print_status("Started reverse handler on #{ip}:#{local_port} #{via}")
         break
       rescue
         ex = $!
-        print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
+        print_error("Handler failed to bind to #{ip}:#{local_port}")
       end
     }
     raise ex if (ex)
@@ -140,7 +130,8 @@ def cleanup_handler
   # Starts monitoring for an inbound connection.
   #
   def start_handler
-    self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{datastore['LPORT']}", false) {
+    local_port = bind_port(datastore)
+    self.listener_thread = framework.threads.spawn("ReverseTcpHandlerListener-#{local_port}", false) {
       client = nil
 
       begin
@@ -159,7 +150,7 @@ def start_handler
       end while true
     }
 
-    self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{datastore['LPORT']}", false) {
+    self.handler_thread = framework.threads.spawn("ReverseTcpHandlerWorker-#{local_port}", false) {
       while true
         client = self.handler_queue.pop
         begin
@@ -241,6 +232,31 @@ def stop_handler
 
 protected
 
+  def bind_port(datastore)
+    port = datastore['ReverseListenerBindPort'].to_i
+    port > 0 ? port : datastore['LPORT'].to_i
+  end
+
+  def bind_address(datastore)
+    # Switch to IPv6 ANY address if the LHOST is also IPv6
+    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
+    # First attempt to bind LHOST. If that fails, the user probably has
+    # something else listening on that interface. Try again with ANY_ADDR.
+    any = (addr.length == 4) ? "0.0.0.0" : "::0"
+
+    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
+
+    if not datastore['ReverseListenerBindAddress'].to_s.empty?
+      # Only try to bind to this specific interface
+      addrs = [ datastore['ReverseListenerBindAddress'] ]
+
+      # Pick the right "any" address if either wildcard is used
+      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
+    end
+
+    addrs
+  end
+
   attr_accessor :listener_sock # :nodoc:
   attr_accessor :listener_thread # :nodoc:
   attr_accessor :handler_thread # :nodoc:

lib/msf/core/handler/reverse_tcp_ssl.rb

@@ -43,7 +43,9 @@ def initialize(info = {})
     super
     register_advanced_options(
       [
-        OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)'])
+        OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
+        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
       ], Msf::Handler::ReverseTcpSsl)
 
   end
@@ -59,13 +61,6 @@ def setup_handler
     end
 
     ex = false
-    # Switch to IPv6 ANY address if the LHOST is also IPv6
-    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
-    # First attempt to bind LHOST. If that fails, the user probably has
-    # something else listening on that interface. Try again with ANY_ADDR.
-    any = (addr.length == 4) ? "0.0.0.0" : "::0"
-
-    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
 
     comm  = datastore['ReverseListenerComm']
     if comm.to_s == "local"
@@ -74,20 +69,16 @@ def setup_handler
       comm = nil
     end
 
-    if not datastore['ReverseListenerBindAddress'].to_s.empty?
-      # Only try to bind to this specific interface
-      addrs = [ datastore['ReverseListenerBindAddress'] ]
+    local_port = bind_port(datastore)
+    addrs = bind_address(datastore)
 
-      # Pick the right "any" address if either wildcard is used
-      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
-    end
     addrs.each { |ip|
       begin
 
         comm.extend(Rex::Socket::SslTcp)
         self.listener_sock = Rex::Socket::SslTcpServer.create(
-        'LocalHost' => datastore['LHOST'],
-        'LocalPort' => datastore['LPORT'].to_i,
+        'LocalHost' => ip,
+        'LocalPort' => local_port,
         'Comm'      => comm,
         'SSLCert'	=> datastore['SSLCert'],
         'Context'   =>
@@ -108,16 +99,43 @@ def setup_handler
           via = ""
         end
 
-        print_status("Started reverse SSL handler on #{ip}:#{datastore['LPORT']} #{via}")
+        print_status("Started reverse SSL handler on #{ip}:#{local_port} #{via}")
         break
       rescue
         ex = $!
-        print_error("Handler failed to bind to #{ip}:#{datastore['LPORT']}")
+        print_error("Handler failed to bind to #{ip}:#{local_port}")
       end
     }
     raise ex if (ex)
   end
 
+protected
+
+  def bind_port(datastore)
+    port = datastore['ReverseListenerBindPort'].to_i
+    port > 0 ? port : datastore['LPORT'].to_i
+  end
+
+  def bind_address(datastore)
+    # Switch to IPv6 ANY address if the LHOST is also IPv6
+    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
+    # First attempt to bind LHOST. If that fails, the user probably has
+    # something else listening on that interface. Try again with ANY_ADDR.
+    any = (addr.length == 4) ? "0.0.0.0" : "::0"
+
+    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
+
+    if not datastore['ReverseListenerBindAddress'].to_s.empty?
+      # Only try to bind to this specific interface
+      addrs = [ datastore['ReverseListenerBindAddress'] ]
+
+      # Pick the right "any" address if either wildcard is used
+      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
+    end
+
+    addrs
+  end
+
 end
 
 end