Add custom http headers #8948

Merged (14 commits) Nov 25, 2017

OJ (Contributor) commented Sep 11, 2017

With "domain fronting" becoming all the rage it was high time we added some kind of support to the Meterpreter payloads that would allow for these shenanigans to work in MSF. This PR is the first attempt at such a thing, while aiming to add support for other things including Referer and Cookie. The latter field may be helpful for generated payloads that need to get out through something like Bluecoat.

PR marked as delayed while we work through a few TODOs and I get help from @busterb, @timwr and @zeroSteiner to polish things up.

The associated Payloads PR is here: rapid7/metasploit-payloads#236
The associated Mettle PR is here: (Will ask Brent for help on this one)

Generic headers

Obviously the need to set generic headers is helpful. Unfortunately, opening this door to people can cause issues because not all headers can be set in the way that we'd expect, and this varies from API to API and platform to platform. The Host header in particular can be quirky (as can be seen with the Python implementation).

As a result, I added support for three new settings which map directly to headers:

  • HttpHeaderHost
  • HttpHeaderReferer
  • HttpHeaderCookie

These can be handled on a per-implementation basis and put in the correct spots. If we feel the need to add more over time, then we can.

Domain Fronting

To support domain fronting, we really only needed to give control over the Host header. Hence to make this work in a payload:

  • Set the LHOST and LPORT parameters to what you'd expect the payload to connect to.
  • Set the HttpHeaderHost to the fronted domain.

Off you go. From here the requests should include the custom Host header. If you're using the likes of Amazon with Cloudfront, then things should just work as you'd expect.

Verification

  • Create payloads and handlers for all the http payloads using the new options. For my testing I pointed to my local listener (both staged and stageless).
  • Fire up Wireshark and make sure the filter is set up so that HTTP traffic is captured on the given port(s) that you have listeners on.
  • Launch the payloads, and view the content in Wireshark.
  • Verify that the connections all reach out to the address specified in LHOST.
  • Verify that the connections contain the configured host header properties.
  • Make sure that all the sessions work.

TODO

  • Make sure this works with the multi payload type.
  • Get the Mettle code going (cc @busterb).
  • Get the java payloads going (cc @timwr).

Thanks!

Fixes #8656
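The verification steps above can be scripted rather than eyeballed in Wireshark. The following Ruby is an added example, not code from this PR or from Metasploit: it parses a captured HTTP request (the sample request and the option values are constructed placeholders) and checks it against the handler's LHOST and the HttpHeader* settings, also recording the Host-versus-destination mismatch that a network detection rule for fronted traffic would key on.

```ruby
# Added example (not Metasploit code): check a captured HTTP request the way
# the verification steps describe. The request text and option values below
# are constructed placeholders.

# Parse a raw HTTP/1.1 request (as shown in a packet capture) into its
# request line and a header hash keyed by downcased name, since HTTP
# header names are case-insensitive.
def parse_http_request(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  request_line = lines.shift
  method, target, version = request_line.split(' ', 3)
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  { method: method, target: target, version: version, headers: headers }
end

# Compare a captured request with the handler configuration.
# lhost is the address the TCP connection actually went to; expected holds
# the HttpHeaderHost/Referer/Cookie values (nil means the option is unset).
def verify_headers(raw, lhost:, expected:)
  req = parse_http_request(raw)
  h = req[:headers]
  findings = []
  host = h['host']
  if host.nil?
    findings << 'missing Host header'
  elsif expected[:host] && host != expected[:host]
    findings << "Host is #{host.inspect}, expected #{expected[:host].inspect}"
  end
  # A Host value that differs from the connect address is the observable
  # signature of domain fronting; surface it explicitly so a reviewer or a
  # detection rule can see it.
  fronted = !host.nil? && host != lhost
  %i[referer cookie].each do |name|
    want = expected[name]
    next if want.nil?
    got = h[name.to_s]
    findings << "#{name} is #{got.inspect}, expected #{want.inspect}" if got != want
  end
  { ok: findings.empty?, fronted: fronted, findings: findings, headers: h }
end

# Constructed sample, modelled on what a payload set up with
# LHOST=203.0.113.10 and HttpHeaderHost=cdn.example.com (plus Referer and
# Cookie) would emit. All values are placeholders, not taken from the PR.
SAMPLE_REQUEST = [
  'GET /abc123 HTTP/1.1',
  'Host: cdn.example.com',
  'User-Agent: Mozilla/5.0',
  'Referer: https://www.example.com/',
  'Cookie: session=placeholder',
  '', ''
].join("\r\n")

EXPECTED = {
  host: 'cdn.example.com',
  referer: 'https://www.example.com/',
  cookie: 'session=placeholder'
}.freeze

if __FILE__ == $PROGRAM_NAME
  result = verify_headers(SAMPLE_REQUEST, lhost: '203.0.113.10', expected: EXPECTED)
  puts(result[:ok] ? 'headers verified' : result[:findings].join("\n"))
  puts "host differs from connect address: #{result[:fronted]}"
end
```

Feed it the request text exported from Wireshark ("Follow TCP stream" on the handler port) and the same LHOST and HttpHeader* values you set on the payload; a false `:ok` lists exactly which header disagreed.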

@OJ OJ requested review from zeroSteiner and bcook-r7 Sep 11, 2017

@OJ OJ referenced this pull request Sep 11, 2017: Add custom http headers #236 (Merged, 2 of 2 tasks complete)
Chiggins (Contributor) commented Sep 11, 2017

Looking slick, good job OJ. If you need anyone to help testing this out, let me know, I've already got infrastructure set up for domain fronting.

OJ (Contributor) commented Sep 11, 2017

Thanks @Chiggins, got a few more kinks to work out, but I'll take you up on that!

timwr commented

@OJ I'll PR you the Android/Java fixes asap

timwr (Contributor) commented Sep 13, 2017

I've PRed some fixes for Android/Java here:
OJ#20
OJ/metasploit-payloads#8
I had to add OptString.new('HttpHeaderHost', etc to lib/msf/core/payload/(android|java)/reverse_http.rb to make it work but I don't think that's the way to go. We should consider moving those options somewhere to avoid duplication.
Also perhaps we should alias MeterpreterUserAgent to HttpHeaderUserAgent.
Thoughts?

OJ (Contributor) commented Sep 15, 2017

Thanks @timwr I've merged both of the PRs. I do think that we need to look to reduce the duplication of code, but it's hard to know where best to apply it. Plus if we're going to do it here, we should look to do it in a number of other spots where duplication is rampant.

busterb (Contributor) commented Sep 20, 2017

Maybe we could just define some helper methods in the base class like 'register_http_options' that are called by each meterpreter that implements them.
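One shape that suggestion could take, as an added example that is not the PR's or Metasploit's code: a mixin whose register_http_options returns the three HttpHeader* options once, plus a helper that turns only the options an operator actually set into header lines. Opt, ReverseHttpStub and the plain Hash datastore are stand-ins assumed here for Msf::OptString, the per-platform reverse_http mixins and the framework datastore.

```ruby
# Added example (not Metasploit code): a shared helper so each reverse_http
# payload mixin registers the same header options once instead of
# duplicating OptString definitions. Opt and the Hash datastore are
# stand-ins assumed for Msf::OptString and the framework datastore.

Opt = Struct.new(:name, :required, :desc, :default)

# Option name -> HTTP header it controls. Only these three are exposed on
# purpose: the PR deliberately avoids generic header control because the
# Host header cannot be set uniformly across platforms and HTTP APIs.
HTTP_HEADER_OPTIONS = {
  'HttpHeaderHost'    => 'Host',
  'HttpHeaderReferer' => 'Referer',
  'HttpHeaderCookie'  => 'Cookie'
}.freeze

module HttpHeaderOptions
  # Called from each HTTP payload mixin; returns the option list so the
  # caller can hand it to the framework's option registration.
  def register_http_options
    HTTP_HEADER_OPTIONS.map do |opt, header|
      Opt.new(opt, false, "An optional value to use for the #{header} HTTP header", nil)
    end
  end

  # Builds the headers the payload should send from the options the operator
  # set, so an unset or blank option never emits an empty header line.
  def custom_http_headers(datastore)
    HTTP_HEADER_OPTIONS.each_with_object({}) do |(opt, header), out|
      value = datastore[opt]
      next if value.nil? || value.to_s.strip.empty?
      # A CR or LF in a value would split the request into extra header
      # lines; reject it rather than silently emitting a malformed request.
      raise ArgumentError, "#{opt} must not contain CR or LF" if value.to_s =~ /[\r\n]/
      out[header] = value.to_s
    end
  end
end

# Stand-in for one payload mixin (e.g. the android or java reverse_http
# module) that reuses the helper instead of re-declaring the options.
class ReverseHttpStub
  include HttpHeaderOptions
  attr_reader :options, :datastore

  def initialize(datastore = {})
    @datastore = datastore
    @options = register_http_options
  end

  def headers
    custom_http_headers(@datastore)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed datastore: Host set, Cookie left blank, Referer unset.
  stub = ReverseHttpStub.new('LHOST' => '203.0.113.10',
                             'HttpHeaderHost' => 'cdn.example.com',
                             'HttpHeaderCookie' => '')
  stub.options.each { |o| puts "#{o.name}: #{o.desc}" }
  puts stub.headers.inspect
end
```

Each platform mixin would call register_http_options in its initialize and custom_http_headers when assembling the request; the per-platform quirk handling (the Python Host behaviour mentioned in the PR description) stays in the mixin, while the option definitions live in one place.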

busterb (Contributor) commented Sep 24, 2017

Does the HTTP Cookies option imply that the payload should implement full-fledged cookie tracking? Or that we should fill an actual cookie-jar with assorted cookies?

Reason why I ask is I can either just add the header, or do the real deal: https://curl.haxx.se/libcurl/c/CURLOPT_COOKIE.html and wondering which is better for this purpose.

busterb (Contributor) commented Sep 24, 2017

The mettle-specific PR is above, note that the --cookie option is a little more complex than I think we are exposing here. I think I'll just make it assume sane defaults rather than requiring the user to set a half-dozen knobs per cookie.

busterb (Contributor) commented Sep 24, 2017

BTW, my other changes to this PR are at OJ#21

@OJ OJ removed the delayed label Oct 3, 2017

OJ (Contributor) commented Oct 3, 2017

This should be good to go. I'll look into the conflicts (which really don't make sense!)

OJ (Contributor) commented Nov 6, 2017

Selfish Bump! Would someone mind kicking off a new Travis build please?

pbarry-r7 (Contributor) commented Nov 7, 2017

Hmm, looks like there's a mismatch on payload sizes causing the Travis failures...

timwr approved these changes Nov 14, 2017

Works well on Android/OSX

OJ added some commits Aug 18, 2017

busterb (Contributor) commented Nov 21, 2017

Rebased on master since the options handling code is now there. If this passes specs, will continue testing, adding mettle support, and ship.

busterb (Contributor) commented Nov 25, 2017

mettle support is pushed up now!

@busterb busterb merged commit 8645a51 into rapid7:master Nov 25, 2017

1 check passed: continuous-integration/travis-ci/pr (The Travis CI build passed)
busterb (Contributor) commented Nov 25, 2017

Landed, thanks all!

busterb added a commit that referenced this pull request Nov 25, 2017

busterb (Contributor) commented Nov 25, 2017

Release Notes

Initial support for modifying HTTP headers with Meterpreter for use in domain fronting and other evasion applications has been added.

c0rpse commented Feb 1, 2018

Good job.
