Land #5, Add HTTPS support

Author: mkienow-r7

lib/metasploit/framework/data_service/proxy/core.rb

@@ -2,7 +2,6 @@
 require 'rex/ui'
 require 'rex/logging'
 require 'metasploit/framework/data_service/remote/http/core'
-require 'metasploit/framework/data_service/remote/http/remote_service_endpoint'
 require 'metasploit/framework/data_service/proxy/data_proxy_auto_loader'
 
 #
@@ -179,7 +178,7 @@ def run_remote_db_process(opts)
     @pid = wait_t[0].pid
     puts "Started process with pid #{@pid}"
 
-    endpoint = Metasploit::Framework::DataService::RemoteServiceEndpoint.new('localhost', 8080)
+    endpoint = URI.parse('http://localhost:8080')
     remote_host_data_service = Metasploit::Framework::DataService::RemoteHTTPDataService.new(endpoint)
     register_data_service(remote_host_data_service, true)
   end

lib/metasploit/framework/data_service/remote/http/core.rb

@@ -1,4 +1,3 @@
-require 'metasploit/framework/data_service/remote/http/remote_service_endpoint'
 require 'metasploit/framework/data_service'
 require 'metasploit/framework/data_service/remote/http/data_service_auto_loader'
 require 'net/http'
@@ -22,11 +21,12 @@ class RemoteHTTPDataService
   DELETE_REQUEST = 'DELETE'
 
   #
-  # @param endpoint - A RemoteServiceEndpoint. Cannot be nil
+  # @param [String] endpoint A valid http or https URL. Cannot be nil
   #
-  def initialize(endpoint)
+  def initialize(endpoint, https_opts = {})
     validate_endpoint(endpoint)
-    @endpoint = endpoint
+    @endpoint = URI.parse(endpoint)
+    @https_opts = https_opts
     build_client_pool(5)
   end
 
@@ -120,6 +120,11 @@ def make_request(request_type, path, data_hash = nil, query = nil)
           puts "HTTP #{request_type} request: #{uri.request_uri} failed with code: #{response.code} message: #{response.body}"
           return FailedResponse.new(response)
       end
+    rescue EOFError => e
+      puts "ERROR: No data was returned from the server."
+      puts "Backtrace: #{e.message}"
+      e.backtrace.each { |line| puts "#{line}\n"}
+      return FailedResponse.new("")
     rescue Exception => e
       puts "Problem with HTTP #{request_type} request: #{e.message}"
       e.backtrace.each { |line| puts "#{line}\n" }
@@ -212,7 +217,6 @@ def initialize(response)
 
   def validate_endpoint(endpoint)
     raise 'Endpoint cannot be nil' if endpoint.nil?
-    raise "Endpoint: #{endpoint.class} not of type RemoteServiceEndpoint" unless endpoint.is_a?(RemoteServiceEndpoint)
   end
 
   def append_workspace(data_hash)
@@ -257,11 +261,41 @@ def build_client_pool(size)
     @client_pool = Queue.new()
     (1..size).each {
       http = Net::HTTP.new(@endpoint.host, @endpoint.port)
-      http.use_ssl = true if @endpoint.use_ssl
+      if @endpoint.is_a?(URI::HTTPS)
+        http.use_ssl = true
+        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        unless @https_opts.empty?
+          if @https_opts[:skip_verify]
+            http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+          else
+            # https://stackoverflow.com/questions/22093042/implementing-https-certificate-pubkey-pinning-with-ruby
+            user_passed_cert = OpenSSL::X509::Certificate.new(File.read(@https_opts[:cert]))
+
+            http.verify_callback = lambda do |preverify_ok, cert_store|
+              server_cert = cert_store.chain[0]
+              return true unless server_cert.to_der == cert_store.current_cert.to_der
+              same_public_key?(server_cert, user_passed_cert)
+            end
+          end
+        end
+      end
       @client_pool << http
     }
   end
 
+  # Tells us whether the private keys on the passed certificates match
+  # and use the same algo
+  def same_public_key?(ref_cert, actual_cert)
+    pkr, pka = ref_cert.public_key, actual_cert.public_key
+
+    # First check if the public keys use the same crypto...
+    return false unless pkr.class == pka.class
+    # ...and then - that they have the same contents
+    return false unless pkr.to_pem == pka.to_pem
+
+    true
+  end
+
   def try_sound_effect()
     sound_file = ::File.join(Msf::Config.data_directory, "sounds", "Goliath_Online_Sound_Effect.wav")
     Rex::Compat.play_sound(sound_file)

lib/metasploit/framework/data_service/remote/http/remote_service_endpoint.rb

@@ -1,6 +1,5 @@
 require 'metasploit/framework/data_service'
 require 'metasploit/framework/data_service/remote/http/core'
-require 'metasploit/framework/data_service/remote/http/remote_service_endpoint'
 
 class MSFRedService
   JOB_CHECK_INTERVAL_SEC = 5
@@ -42,8 +41,8 @@ def load_job_handlers
   end
 
   def inject_data_service
-    remote_service_endpoint = Metasploit::Framework::DataService::RemoteServiceEndpoint.new(CONSOLE_SERVICE_HOST_NAME,  CONSOLE_SERVICE_PORT)
-    remote_data_service = Metasploit::Framework::DataService::RemoteHTTPDataService.new(remote_service_endpoint)
+    endpoint = URI.parse("http://#{CONSOLE_SERVICE_HOST_NAME}:#{CONSOLE_SERVICE_PORT}")
+    remote_data_service = Metasploit::Framework::DataService::RemoteHTTPDataService.new(endpoint)
     remote_data_service.set_header(SESSION_KEY_VALUE, @session_key)
     data_service_manager = Metasploit::Framework::DataService::DataProxy.instance
     data_service_manager.register_data_service(remote_data_service)

lib/metasploit/framework/data_service/remote/msf_red/msf_red_service.rb

@@ -16,6 +16,15 @@ def start(opts)
 
     require_environment!(parsed_options)
 
+    if opts[:ssl]
+      ssl_opts = {}
+      ssl_opts[:private_key_file] = opts[:ssl_key]
+      ssl_opts[:cert_chain_file] = opts[:ssl_cert]
+      ssl_opts[:verify_peer] = false
+      opts[:ssl] = true
+      opts[:ssl_opts] = ssl_opts
+    end
+
     init_db
     start_http_server(opts)
   end
@@ -33,6 +42,11 @@ def start_http_server(opts)
         }
       }
 
+      if opts[:ssl] && opts[:ssl] = true
+        puts "Starting in HTTPS mode"
+        server.ssl = true
+        server.ssl_options = opts[:ssl_opts]
+      end
       server.threaded = true
     end
   end

lib/msf/core/db_manager/http/http_db_manager_service.rb

@@ -6,7 +6,6 @@
 require 'msf/core/db_export'
 require 'metasploit/framework/data_service'
 require 'metasploit/framework/data_service/remote/http/core'
-require 'metasploit/framework/data_service/remote/http/remote_service_endpoint'
 
 module Msf
   module Ui
@@ -98,20 +97,49 @@ def cmd_list_data_services()
           end
 
           def cmd_add_data_service(*args)
+            protocol = "http"
+            port = 80
+            https_opts = {}
             while (arg = args.shift)
               case arg
-                when '-h'
-                  host = args.shift
+                when '-h', '--help'
+                  cmd_add_data_service_help
+                  return
                 when '-p'
                   port = args.shift
+                when '-s', '--ssl'
+                  protocol = "https"
+                when '-c', '--cert'
+                  https_opts[:cert] = args.shift
+                when '--skip-verify'
+                  https_opts[:skip_verify] = true
+                else
+                  host = arg
               end
             end
 
-            remote_service_endpoint = Metasploit::Framework::DataService::RemoteServiceEndpoint.new(host, port)
-            remote_data_service = Metasploit::Framework::DataService::RemoteHTTPDataService.new(remote_service_endpoint)
+            if host.nil? || port.nil?
+              print_error "Host and port are required."
+              return
+            end
+
+            endpoint = "#{protocol}://#{host}:#{port}"
+            remote_data_service = Metasploit::Framework::DataService::RemoteHTTPDataService.new(endpoint, https_opts)
             framework.db.register_data_service(remote_data_service)
           end
 
+          def cmd_add_data_service_help
+            print_line "Usage: add_data_service [ options ] [ Remote Address]"
+            print_line
+            print_line "OPTIONS:"
+            print_line "  -h, --help        Show this help information."
+            print_line "  -p <port>         The port the data service is listening on. Default is 80."
+            print_line "  -s, --ssl         Enable SSL. Required for HTTPS data services."
+            print_line "  -c, --cert        Certificate file matching the server's certificate. Needed when using self-signed SSL cert."
+            print_line "  --skip-verify     Skip validating authenticity of server's certificate. NOT RECOMMENDED."
+            print_line
+          end
+
           def cmd_test_data_service_host(*args)
             host = {}
             while (arg = args.shift)

lib/msf/ui/console/command_dispatcher/db.rb

@@ -7,4 +7,76 @@
 require 'pathname'
 require Pathname.new(__FILE__).realpath.expand_path.parent.join('config', 'boot')
 require 'msf/core/db_manager/http/http_db_manager_service'
-HttpDBManagerService.new().start(:Port => '8080', :Host => '0.0.0.0')
+require 'optparse'
+
+class HelpError < StandardError; end
+
+class SwitchError < StandardError
+  def initialize(msg="Missing required switch.")
+    super(msg)
+  end
+end
+
+def parse_args(args)
+  opts = {}
+  opt = OptionParser.new
+  banner = "msfdb - A remote database process for Metasploit Framework.\n"
+  banner << "Usage: #{$0} [options] <var=val>"
+  opt.banner = banner
+  opt.separator('')
+  opt.separator('Options:')
+
+  # Defaults:
+  opts[:interface] = '0.0.0.0'
+  opts[:port] = 8080
+  opts[:ssl] = false
+  opts[:ssl_cert] = nil
+  opts[:ssl_key] = nil
+
+  opt.on('-i', '--interface  <interface>', String, 'Interface to listen on') do |p|
+    opts[:interface] = p
+  end
+
+  opt.on('-p', '--port       <port number>', Integer, 'Port to listen on') do |p|
+    opts[:port] = p
+  end
+
+  opt.on('-s', '--ssl', 'Enable SSL on the server') do |p|
+    opts[:ssl] = true
+  end
+
+  opt.on('-c', '--cert      <path/to/cert.pem>', String, 'Path to SSL Certificate file') do |p|
+    opts[:ssl_cert] = p
+  end
+
+  opt.on('-k', '--key       <path/to/key.pem>', String, 'Path to SSL Key file') do |p|
+    opts[:ssl_key] = p
+  end
+
+  opt.on_tail('-h', '--help', 'Show this message') do
+    raise HelpError, "#{opt}"
+  end
+
+  begin
+    opt.parse!(args)
+  rescue OptionParser::InvalidOption => e
+    raise UsageError, "Invalid option\n#{opt}"
+  rescue OptionParser::MissingArgument => e
+    raise UsageError, "Missing required argument for option\n#{opt}"
+  end
+
+  opts
+end
+
+begin
+  opts = parse_args(ARGV)
+  raise SwitchError.new("certificate file and key file must be specified when using -s") if opts[:ssl] && (opts[:ssl_key].nil? || opts[:ssl_cert].nil?)
+  HttpDBManagerService.new.start(:Port => opts[:port],
+                                 :Host => opts[:interface],
+                                 :ssl => opts[:ssl],
+                                 :ssl_cert => opts[:ssl_cert],
+                                 :ssl_key => opts[:ssl_key])
+rescue HelpError => e
+  $stderr.puts e.message
+end
+