* Build the HTTPS server on top of HTTP instead of the other way around * Set the fetch service to nil after it has been cleaned up * Don't capitalize the H in the word handler * Check if the fetch_service is truthy before cleaning it up * Remove the unused FetchServerName datastore option * Fixup the description text * Don't allow slashes in fetch file names * Also add the #fetch_bindnetloc method
1 parent
d5a59ce
commit 0fd5517
Showing
10 changed files
with
131 additions
and
148 deletions.
@@ -1,24 +1,110 @@ | ||
module Msf::Payload::Adapter::Fetch::Server::HTTP | ||
include Msf::Payload::Adapter::Fetch::Server::Https | ||
|
||
# This mixin supports only HTTP fetch handlers but still imports the HTTPS mixin. | ||
# We just remove the HTTPS Options so the user does not see them. | ||
# | ||
# This mixin supports only HTTP fetch handlers. | ||
|
||
def initialize(*args) | ||
super | ||
deregister_options('FETCH_SSL', | ||
'FETCH_CHECK_CERT', | ||
'FetchSSLCert', | ||
'FetchSSLCompression', | ||
'FetchSSLCipher', | ||
'FetchSSLCipher', | ||
'FetchSSLVersion' | ||
register_advanced_options( | ||
[ | ||
Msf::OptString.new('FetchHttpServerName', [true, 'Fetch HTTP server name', 'Apache']) | ||
] | ||
) | ||
end | ||
|
||
def fetch_protocol | ||
'HTTP' | ||
end | ||
|
||
def srvname | ||
datastore['FetchHttpServerName'] | ||
end | ||
|
||
def add_resource(fetch_service, uri, srvexe) | ||
vprint_status("Adding resource #{uri}") | ||
if fetch_service.resources.include?(uri) | ||
# When we clean up, we need to leave resources alone, because we never added one. | ||
@delete_resource = false | ||
fail_with(Msf::Exploit::Failure::BadConfig, "Resource collision detected. Set FETCH_URIPATH to a different value to continue.") | ||
end | ||
fetch_service.add_resource(uri, | ||
'Proc' => proc do |cli, req| | ||
on_request_uri(cli, req, srvexe) | ||
end, | ||
'VirtualDirectory' => true) | ||
rescue ::Exception => e | ||
# When we clean up, we need to leave resources alone, because we never added one. | ||
@delete_resource = false | ||
fail_with(Msf::Exploit::Failure::Unknown, "Failed to add resource\n #{e}") | ||
end | ||
|
||
def cleanup_http_fetch_service(fetch_service, delete_resource) | ||
escaped_srvuri = ('/' + srvuri).gsub('//', '/') | ||
if fetch_service.resources.include?(escaped_srvuri) && delete_resource | ||
fetch_service.remove_resource(escaped_srvuri) | ||
end | ||
fetch_service.deref | ||
if fetch_service.resources.empty? | ||
# if we don't call deref, we cannot start another httpserver | ||
# this is a reimplementation of the cleanup_service method | ||
# in Exploit::Remote::SocketServer | ||
temp_service = fetch_service | ||
temp_service.cleanup | ||
temp_service.deref | ||
end | ||
end | ||
|
||
def start_http_fetch_handler(srvname, srvexe, ssl=false, ssl_cert=nil, ssl_compression=nil, ssl_cipher=nil, ssl_version=nil) | ||
# this looks a bit funny because I converted it to use an instance variable so that if we crash in the | ||
# middle and don't return a value, we still have the right fetch_service to clean up. | ||
escaped_srvuri = ('/' + srvuri).gsub('//', '/') | ||
fetch_service = start_http_server(ssl, ssl_cert, ssl_compression, ssl_cipher, ssl_version) | ||
if fetch_service.nil? | ||
cleanup_handler | ||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch handler failed to start on #{fetch_bindnetloc}") | ||
end | ||
vprint_status("#{fetch_protocol} server started") | ||
fetch_service.server_name = srvname | ||
add_resource(fetch_service, escaped_srvuri, srvexe) | ||
fetch_service | ||
end | ||
|
||
def on_request_uri(cli, request, srvexe) | ||
client = cli.peerhost | ||
vprint_status("Client #{client} requested #{request.uri}") | ||
if (user_agent = request.headers['User-Agent']) | ||
client += " (#{user_agent})" | ||
end | ||
vprint_status("Sending payload to #{client}") | ||
cli.send_response(payload_response(srvexe)) | ||
end | ||
|
||
def payload_response(srvexe) | ||
res = Rex::Proto::Http::Response.new(200, 'OK', Rex::Proto::Http::DefaultProtocol) | ||
res['Content-Type'] = 'text/html' | ||
res.body = srvexe.to_s.unpack('C*').pack('C*') | ||
res | ||
end | ||
|
||
def start_http_server(ssl=false, ssl_cert=nil, ssl_compression=nil, ssl_cipher=nil, ssl_version=nil) | ||
begin | ||
fetch_service = Rex::ServiceManager.start( | ||
Rex::Proto::Http::Server, | ||
fetch_bindport, fetch_bindhost, ssl, | ||
{ | ||
'Msf' => framework, | ||
'MsfExploit' => self | ||
}, | ||
_determine_server_comm(fetch_bindhost), | ||
ssl_cert, | ||
ssl_compression, | ||
ssl_cipher, | ||
ssl_version | ||
) | ||
rescue Exception => e | ||
cleanup_handler | ||
fail_with(Msf::Exploit::Failure::BadConfig, "Fetch handler failed to start on #{fetch_bindnetloc}\n#{e}") | ||
end | ||
vprint_status("Fetch handler listening on #{fetch_bindnetloc}") | ||
fetch_service | ||
end | ||
end |
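Review bot: In `add_resource`, the method-level `rescue ::Exception => e` also catches the exception that `fail_with(Msf::Exploit::Failure::BadConfig, "Resource collision detected. ...")` raises from inside the `if fetch_service.resources.include?(uri)` branch, so a URI collision is re-reported as `Failure::Unknown` with the "Failed to add resource" prefix rather than the BadConfig failure the code intends. This body may have been moved here from the Https mixin by this commit, but it is now this file's code. Scoping the rescue to the `fetch_service.add_resource` call alone, and narrowing it to `StandardError`, keeps the collision path intact and stops an `Interrupt`/`SystemExit` during resource registration from being swallowed; the `rescue Exception => e` in `start_http_server` has the same over-broad shape and would benefit from `rescue StandardError => e` as well. Unrelated but nearby: `('/' + srvuri).gsub('//', '/')` is duplicated in `cleanup_http_fetch_service` and `start_http_fetch_handler` and only collapses one level of doubled slashes (`'///'` becomes `'//'`); `"/#{srvuri}".squeeze('/')` in a single private helper would do both jobs.
```ruby
def add_resource(fetch_service, uri, srvexe)
  vprint_status("Adding resource #{uri}")
  if fetch_service.resources.include?(uri)
    # … unchanged: @delete_resource = false and the BadConfig fail_with …
  end
  begin
    fetch_service.add_resource(uri,
                               'Proc' => proc do |cli, req|
                                 on_request_uri(cli, req, srvexe)
                               end,
                               'VirtualDirectory' => true)
  rescue StandardError => e
    # We never registered the resource, so cleanup must leave it alone.
    @delete_resource = false
    fail_with(Msf::Exploit::Failure::Unknown, "Failed to add resource\n #{e}")
  end
end
```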