Land rapid7#5990, reverse_hop_http fix

Author: wvu

data/php/hop.php

@@ -33,7 +33,7 @@ function findSendDelete($tempdir, $prefix, $one=true){
 		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
 			$f = fopen($tempdir."/init", "w"); //only one init file
 		}else{
-			$prefix = "down_" . bin2hex($_SERVER['HTTP_X_URLFRAG']);
+			$prefix = "down_" . sha1($_SERVER['HTTP_X_URLFRAG']);
 			$f = fopen(tempnam($tempdir,$prefix), "w");
 		}
 		fwrite($f, $postdata);
@@ -45,9 +45,9 @@ function findSendDelete($tempdir, $prefix, $one=true){
 	//get data
 	$postdata = file_get_contents("php://input");
 	//See if we should send anything down
-	if($postdata === 'RECV'){
-		findSendDelete($tempdir, "down_" . bin2hex($url));
-		$fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll
+	if($postdata === "RECV\x00"){
+		findSendDelete($tempdir, "down_" . sha1($url));
+		$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
 	}else{
 		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
 	}

lib/msf/core/handler/reverse_hop_http.rb

@@ -54,6 +54,13 @@ def self.general_handler_type
     "tunnel"
   end
 
+  #
+  # Returns the socket type. (hop)
+  #
+  def type?
+    return 'hop'
+  end
+
   #
   # Sets up a handler. Doesn't do much since it's all in start_handler.
   #
@@ -249,6 +256,7 @@ def send_new_stage(uri)
     # generate a new connect
     sum = uri_checksum_lookup(:connect)
     conn_id = generate_uri_uuid(sum, uuid)
+    conn_id = conn_id[1..-1] if conn_id.start_with? '/'
     url = full_uri + conn_id + "/\x00"
 
     print_status("Preparing stage for next session #{conn_id}")