Create verify ssl mixin, adjust some formatting

Author: OJ

lib/msf/core/handler/reverse_http.rb

@@ -4,6 +4,7 @@
 require 'msf/core/handler/reverse_http/uri_checksum'
 require 'rex/payloads/meterpreter/patch'
 require 'rex/parser/x509_certificate'
+require 'msf/core/payload/windows/verify_ssl'
 
 module Msf
 module Handler
@@ -17,6 +18,7 @@ module ReverseHttp
 
   include Msf::Handler
   include Msf::Handler::ReverseHttp::UriChecksum
+  include Msf::Payload::Windows::VerifySsl
 
   #
   # Returns the string representation of the handler type
@@ -292,21 +294,23 @@ def on_request(cli, req, obj)
 
         blob = obj.stage_payload
 
+        verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                             datastore['HandlerSSLCert'])
         #
         # Patch options into the payload
         #
-        Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+        Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
           :ssl            => ssl?,
           :url            => url,
-          :ssl_cert_hash  => get_ssl_cert_hash,
+          :ssl_cert_hash  => verify_cert_hash,
           :expiration     => datastore['SessionExpirationTimeout'],
           :comm_timeout   => datastore['SessionCommunicationTimeout'],
           :ua             => datastore['MeterpreterUserAgent'],
           :proxy_host     => datastore['PayloadProxyHost'],
           :proxy_port     => datastore['PayloadProxyPort'],
           :proxy_type     => datastore['PayloadProxyType'],
           :proxy_user     => datastore['PayloadProxyUser'],
-          :proxy_pass     => datastore['PayloadProxyPass']
+          :proxy_pass     => datastore['PayloadProxyPass'])
 
         resp.body = encode_stage(blob)
 
@@ -357,20 +361,6 @@ def bind_port
     port > 0 ? port : datastore['LPORT'].to_i
   end
 
-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-    end
-
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
-  end
-
 end
 
 end

lib/msf/core/payload/windows/reverse_winhttps.rb

@@ -2,7 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/windows/reverse_winhttp'
-require 'rex/parser/x509_certificate'
+require 'msf/core/payload/windows/verify_ssl'
 
 module Msf
 
@@ -17,6 +17,7 @@ module Msf
 module Payload::Windows::ReverseWinHttps
 
   include Msf::Payload::Windows::ReverseWinHttp
+  include Msf::Payload::Windows::VerifySsl
 
   #
   # Register reverse_winhttps specific options
@@ -49,7 +50,8 @@ def generate_reverse_winhttps(opts={})
   #
   def generate
 
-    verify_cert_hash = get_ssl_cert_hash
+    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                         datastore['HandlerSSLCert'])
 
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
@@ -97,23 +99,6 @@ def required_space
     space
   end
 
-  #
-  # Get the SSL hash from the certificate, if required.
-  #
-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-    end
-
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
-  end
-
 end
 
 end

lib/rex/parser/x509_certificate.rb

@@ -58,7 +58,7 @@ def self.parse_pem_file(ssl_cert_file)
 
   #
   # Parse a certificate in unified PEM format and retrieve
-  #   the SHA1 hash.
+  # the SHA1 hash.
   #
   # @param [String] ssl_cert 
   # @return [String]
@@ -74,7 +74,7 @@ def self.get_cert_hash(ssl_cert)
 
   #
   # Parse a file that contains a certificate in unified PEM
-  #   format and retrieve the SHA1 hash.
+  # format and retrieve the SHA1 hash.
   #
   # @param [String] ssl_cert_file
   # @return [String]

lib/rex/payloads/meterpreter/patch.rb

@@ -99,12 +99,12 @@ def self.patch_ssl_check!(blob, ssl_cert_hash)
         # Patch options into metsrv for reverse HTTP payloads
         def self.patch_passive_service!(blob, options)
 
-          patch_transport! blob, options[:ssl]
-          patch_url! blob, options[:url]
-          patch_expiration! blob, options[:expiration]
-          patch_comm_timeout! blob, options[:comm_timeout]
-          patch_ua! blob, options[:ua]
-          patch_ssl_check! blob, options[:ssl_cert_hash]
+          patch_transport!(blob, options[:ssl])
+          patch_url!(blob, options[:url])
+          patch_expiration!(blob, options[:expiration])
+          patch_comm_timeout!(blob, options[:comm_timeout])
+          patch_ua!(blob, options[:ua])
+          patch_ssl_check!(blob, options[:ssl_cert_hash])
           patch_proxy!(blob,
             options[:proxy_host],
             options[:proxy_port],

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -16,6 +16,7 @@ module Metasploit3
 
   include Msf::Payload::Windows::StagelessMeterpreter
   include Msf::Sessions::MeterpreterOptions
+  include Msf::Payload::Windows::VerifySsl
 
   def initialize(info = {})
 
@@ -55,34 +56,23 @@ def generate
       #  end
       #end
 
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service! dll,
+      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                           datastore['HandlerSSLCert'])
+
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
         :url            => url,
         :ssl            => true,
-        :ssl_cert_hash  => get_ssl_cert_hash,
+        :ssl_cert_hash  => verify_cert_hash,
         :expiration     => datastore['SessionExpirationTimeout'].to_i,
         :comm_timeout   => datastore['SessionCommunicationTimeout'].to_i,
         :ua             => datastore['MeterpreterUserAgent'],
         :proxyhost      => datastore['PROXYHOST'],
         :proxyport      => datastore['PROXYPORT'],
         :proxy_type     => datastore['PROXY_TYPE'],
         :proxy_username => datastore['PROXY_USERNAME'],
-        :proxy_password => datastore['PROXY_PASSWORD']
-    end
-
-  end
-
-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
+        :proxy_password => datastore['PROXY_PASSWORD'])
     end
 
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
   end
 
 end