Land rapid7#4274, custom ssl certs on payload handlers

Author: Tod Beardsley

lib/msf/core/exploit/tcp_server.rb

@@ -18,7 +18,8 @@ def initialize(info = {})
     register_options(
       [
         OptBool.new('SSL',        [ false, 'Negotiate SSL for incoming connections', false]),
-        OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'TLS1', ['SSL2', 'SSL3', 'TLS1']]),
+        # SSLVersion is currently unsupported for TCP servers (only supported by clients at the moment)
+        # OptEnum.new('SSLVersion', [ false, 'Specify the version of SSL that should be used', 'TLS1', ['SSL2', 'SSL3', 'TLS1']]),
         OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
         OptAddress.new('SRVHOST', [ true, "The local host to listen on. This must be an address on the local machine or 0.0.0.0", '0.0.0.0' ]),
         OptPort.new('SRVPORT',    [ true, "The local port to listen on.", 8080 ]),

lib/msf/core/handler/reverse_http.rb

@@ -138,7 +138,7 @@ def setup_handler
         'MsfExploit' => self,
       },
       comm,
-      (ssl?) ? datastore["SSLCert"] : nil
+      (ssl?) ? datastore["HandlerSSLCert"] : nil
     )
 
     self.service.server_name = datastore['MeterpreterServerName']

lib/msf/core/handler/reverse_https.rb

@@ -38,7 +38,12 @@ def initialize(info = {})
 
     register_options(
       [
-        OptPort.new('LPORT', [ true, "The local listener port", 8443 ])
+        OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
+      ], Msf::Handler::ReverseHttps)
+
+    register_advanced_options(
+      [
+        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format"])
       ], Msf::Handler::ReverseHttps)
 
   end

lib/msf/core/handler/reverse_tcp.rb

@@ -197,7 +197,7 @@ def wrap_aes_socket(sock)
     m.reset
     key = m.digest(datastore["AESPassword"] || "")
 
-    Rex::ThreadFactory.spawn('AESEncryption', false) {
+    Rex::ThreadFactory.spawn('Session-AESEncrypt', false) {
       c1 = OpenSSL::Cipher.new('aes-128-cfb8')
       c1.encrypt
       c1.key=key
@@ -210,7 +210,7 @@ def wrap_aes_socket(sock)
       end
       sock.close()
     }
-    Rex::ThreadFactory.spawn('AESEncryption', false) {
+    Rex::ThreadFactory.spawn('Session-AESDecrypt', false) {
       c2 = OpenSSL::Cipher.new('aes-128-cfb8')
       c2.decrypt
       c2.key=key

lib/msf/core/handler/reverse_tcp_double_ssl.rb

@@ -47,7 +47,10 @@ def initialize(info = {})
 
     register_advanced_options(
       [
-        OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
+        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
+        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
+        OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse TCP even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
+        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format"])
       ], Msf::Handler::ReverseTcpDoubleSSL)
 
     self.conn_threads = []
@@ -62,17 +65,54 @@ def setup_handler
     if datastore['Proxies'] and not datastore['ReverseAllowProxy']
       raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
     end
-    self.listener_sock = Rex::Socket::TcpServer.create(
-      # 'LocalHost' => datastore['LHOST'],
-      'LocalPort' => datastore['LPORT'].to_i,
-      'Comm'      => comm,
-      'SSL'       => true,
-      'Context'   =>
-        {
-          'Msf'        => framework,
-          'MsfPayload' => self,
-          'MsfExploit' => assoc_exploit
-        })
+
+    ex = false
+
+    comm  = datastore['ReverseListenerComm']
+    if comm.to_s == "local"
+      comm = ::Rex::Socket::Comm::Local
+    else
+      comm = nil
+    end
+
+    local_port = bind_port
+    addrs = bind_address
+
+    addrs.each { |ip|
+      begin
+
+        comm.extend(Rex::Socket::SslTcp)
+        self.listener_sock = Rex::Socket::SslTcpServer.create(
+        'LocalHost' => ip,
+        'LocalPort' => local_port,
+        'Comm'      => comm,
+        'SSLCert'   => datastore['HandlerSSLCert'],
+        'Context'   =>
+          {
+            'Msf'        => framework,
+            'MsfPayload' => self,
+            'MsfExploit' => assoc_exploit
+          })
+
+        ex = false
+
+        comm_used = comm || Rex::Socket::SwitchBoard.best_comm( ip )
+        comm_used = Rex::Socket::Comm::Local if comm_used == nil
+
+        if( comm_used.respond_to?( :type ) and comm_used.respond_to?( :sid ) )
+          via = "via the #{comm_used.type} on session #{comm_used.sid}"
+        else
+          via = ""
+        end
+
+        print_status("Started reverse double SSL handler on #{ip}:#{local_port} #{via}")
+        break
+      rescue
+        ex = $!
+        print_error("Handler failed to bind to #{ip}:#{local_port}")
+      end
+    }
+    raise ex if (ex)
   end
 
   #
@@ -204,6 +244,31 @@ def stop_handler
 
 protected
 
+  def bind_port
+    port = datastore['ReverseListenerBindPort'].to_i
+    port > 0 ? port : datastore['LPORT'].to_i
+  end
+
+  def bind_address
+    # Switch to IPv6 ANY address if the LHOST is also IPv6
+    addr = Rex::Socket.resolv_nbo(datastore['LHOST'])
+    # First attempt to bind LHOST. If that fails, the user probably has
+    # something else listening on that interface. Try again with ANY_ADDR.
+    any = (addr.length == 4) ? "0.0.0.0" : "::0"
+
+    addrs = [ Rex::Socket.addr_ntoa(addr), any  ]
+
+    if not datastore['ReverseListenerBindAddress'].to_s.empty?
+      # Only try to bind to this specific interface
+      addrs = [ datastore['ReverseListenerBindAddress'] ]
+
+      # Pick the right "any" address if either wildcard is used
+      addrs[0] = any if (addrs[0] == "0.0.0.0" or addrs == "::0")
+    end
+
+    addrs
+  end
+
   attr_accessor :listener_sock # :nodoc:
   attr_accessor :listener_thread # :nodoc:
   attr_accessor :conn_threads # :nodoc:

lib/msf/core/handler/reverse_tcp_ssl.rb

@@ -44,9 +44,7 @@ def initialize(info = {})
     super
     register_advanced_options(
       [
-        OptPath.new('SSLCert',    [ false, 'Path to a custom SSL certificate (default is randomly generated)']),
-        OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
-        OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ])
+        OptPath.new('HandlerSSLCert', [false, "Path to a SSL certificate in unified PEM format"])
       ], Msf::Handler::ReverseTcpSsl)
 
   end
@@ -57,8 +55,8 @@ def initialize(info = {})
   # if it fails to start the listener.
   #
   def setup_handler
-    if datastore['Proxies']
-      raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies'
+    if datastore['Proxies'] and not datastore['ReverseAllowProxy']
+      raise RuntimeError, 'TCP connect-back payloads cannot be used with Proxies. Can be overriden by setting ReverseAllowProxy to true'
     end
 
     ex = false
@@ -81,7 +79,7 @@ def setup_handler
         'LocalHost' => ip,
         'LocalPort' => local_port,
         'Comm'      => comm,
-        'SSLCert'	=> datastore['SSLCert'],
+        'SSLCert'   => datastore['HandlerSSLCert'],
         'Context'   =>
           {
             'Msf'        => framework,

modules/exploits/unix/misc/distcc_exec.rb

@@ -39,7 +39,7 @@ def initialize(info = {})
           'Compat'      =>
             {
               'PayloadType' => 'cmd',
-              'RequiredCmd' => 'generic perl ruby bash telnet',
+              'RequiredCmd' => 'generic perl ruby bash telnet openssl',
             }
         },
       'Targets'        =>