Merge master

Squashed commit of the following: commit 1dcad7c Merge: 1a2f35d 35d29f5 Author: OJ <oj@buffered.io> Date: Thu Mar 19 14:43:27 2015 +1000 Land rapid7#4953 : Updated POSIX meterpreter binaries commit 35d29f5 Author: Brent Cook <bcook@rapid7.com> Date: Wed Mar 18 22:57:03 2015 -0500 update linux meterpreter bins commit 1a2f35d Merge: 076f15f 346b1d5 Author: OJ <oj@buffered.io> Date: Thu Mar 19 12:41:20 2015 +1000 Land rapid7#4951: Dynamic URI generation for Java/Python reverse_http(s) commit 076f15f Merge: b33e7f4 3f8ed56 Author: Spencer McIntyre <zeroSteiner@gmail.com> Date: Wed Mar 18 20:59:54 2015 -0400 Land rapid7#4792 @jakxx Publish It PUI file exploit commit 3f8ed56 Author: Spencer McIntyre <zeroSteiner@gmail.com> Date: Wed Mar 18 20:57:58 2015 -0400 Add available space to the payload info commit b33e7f4 Merge: 0d1f205 5dd718e Author: joev <joev@metasploit.com> Date: Wed Mar 18 17:17:34 2015 -0500 Land rapid7#4947, h0ng10's TWiki exploit. commit 346b1d5 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 16:24:01 2015 -0500 Revert Java back to static size for cache purposes (less cpu usage on startup) commit 33bbf7c Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 16:08:11 2015 -0500 Dynamic URI generation for python/java http(s) stagers commit 0d1f205 Merge: e943cb5 dab4333 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 15:31:22 2015 -0500 Lands rapid7#4949 which fixes rapid7#4845 commit dab4333 Author: rwhitcroft <rw81junk@gmail.com> Date: Wed Mar 18 16:07:46 2015 -0400 updated asm in block commit 7ae9739 Author: rwhitcroft <rw81junk@gmail.com> Date: Wed Mar 18 15:34:31 2015 -0400 fix x64/reverse_https stager shellcode commit e943cb5 Merge: d152c41 d1a2f58 Author: OJ <oj@buffered.io> Date: Wed Mar 18 22:34:52 2015 +1000 Land rapid7#4585 : CVE-2015-0975 XXE in OpenNMS commit d1a2f58 Author: OJ <oj@buffered.io> Date: Wed Mar 18 22:17:44 2015 +1000 Fix of regex for file capture and format tweaks commit 5dd718e Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de> Date: Wed Mar 18 09:51:51 2015 +0100 Better description commit 00de437 Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de> Date: Wed Mar 18 09:45:08 2015 +0100 Initial commit commit fa72423 Author: OJ <oj@buffered.io> Date: Wed Mar 18 18:18:54 2015 +1000 Move the module to the correct location commit d152c41 Merge: b46e5f8 b62da42 Author: OJ <oj@buffered.io> Date: Wed Mar 18 17:42:19 2015 +1000 Land rapid7#4934 : Proxy and auth support in reverse_http(s) commit b62da42 Merge: c607cf7 b46e5f8 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:51:15 2015 -0500 Merge branch 'master' into feature/add-proxies-to-wininet commit b46e5f8 Merge: bd4738b 97def50 Author: OJ <oj@buffered.io> Date: Wed Mar 18 16:49:13 2015 +1000 Land rapid7#4295 : Refactory proxy-enabled payload handling commit c607cf7 Merge: 0513852 bd4738b Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:45:44 2015 -0500 Merging master commit 97def50 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:26:59 2015 -0500 Whitespace cleanup commit 8d3cb8b Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:25:42 2015 -0500 Fix up meterpreter patching arguments and names commit ef443c8 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:21:53 2015 -0500 Fix overgreed search/replace commit 390a704 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:19:05 2015 -0500 Cleanup proxyhost/proxyport arguments to match new names commit f7a06d8 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:15:32 2015 -0500 Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax commit 3aa8cb6 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:08:09 2015 -0500 Fix two use cases of PROXYHOST/PROXYPORT commit 87a4899 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Dec 15 14:48:09 2014 -0600 Place an IPv6 proxy IP between brackets commit 259db26 Author: HD Moore <hd_moore@rapid7.com> Date: Tue Dec 2 15:36:14 2014 -0600 Remove user/pass and invalid class from the options commit 2ab14e7 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 01:01:10 2015 -0500 Adds IPv6 and option-related issues with the previous patch commit 0601946 Author: HD Moore <hd_moore@rapid7.com> Date: Tue Dec 2 13:29:39 2014 -0600 Don't mandate and default PROXY_HOST (miscopy from the proxy stager) commit a4df6d5 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 00:59:59 2015 -0500 Cleanup proxy handling code (consistency & bugs) One subtle bug was that each time a request was received, a null byte was being appended to the datastore options for PROXY_USERNAME and PROXY_PASSWORD. Eventually this would break new sessions. This change centralizes the proxy configuration and cleans up the logic. commit 85fb534 Author: HD Moore <hd_moore@rapid7.com> Date: Tue Dec 2 12:57:30 2014 -0600 Fix up the offset detection again, cleanup redundant code commit 2f13988 Author: HD Moore <hd_moore@rapid7.com> Date: Tue Dec 2 12:33:53 2014 -0600 Use OptPort vs OptInt and cleanup the description commit a01be36 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 18 00:59:13 2015 -0500 Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT This also cleans up the windows reverse_https_proxy stager. commit b197b7a Author: jakxx <jakx.ppr@gmail.com> Date: Tue Mar 17 19:24:13 2015 -0400 Additional Updates -Removed unused mixin -Cleaned up Module name -Cleaned up author name commit bd4738b Merge: 47a7f99 d7fa0ec Author: James Lee <egypt@metasploit.com> Date: Tue Mar 17 17:37:55 2015 -0500 Land rapid7#4827, capture and nbns fixups commit d7fa0ec Author: James Lee <egypt@metasploit.com> Date: Tue Mar 17 17:36:45 2015 -0500 Let IPAddr#hton do the calculating commit 47a7f99 Merge: d1d6378 5fd3637 Author: Brent Cook <bcook@rapid7.com> Date: Tue Mar 17 16:22:46 2015 -0500 Land rapid7#4930, @hmoore-r7 winhttp stager certificate check commit 085e6cc Author: jakxx <jakx.ppr@gmail.com> Date: Tue Mar 17 16:39:56 2015 -0400 Implemented Recommended Changes -corrected spelling error -set only option to required -dumped header data to included file -Used Rex for jmp values commit 0490af8 Author: jstnkndy <jstnkndy@gmail.com> Date: Tue Mar 17 10:20:22 2015 -0400 Added error checks, randomness, and uuid delimeter commit f3fc400 Author: jstnkndy <jstnkndy@gmail.com> Date: Tue Mar 17 10:19:40 2015 -0400 typo commit b92d243 Merge: e0a7f53 766a07a Author: jstnkndy <jstnkndy@gmail.com> Date: Tue Mar 17 10:18:32 2015 -0400 Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975 commit e0a7f53 Author: jstnkndy <jstnkndy@gmail.com> Date: Tue Mar 17 10:10:51 2015 -0400 Added error checking, randomness, uuid delimiters commit 2ea9844 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 16 14:08:01 2015 -0500 while(true)->loop, use thread.join commit 5fd3637 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 16 14:00:51 2015 -0500 Remove the i32 size specifier (not needed) commit 69d9280 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 16 13:52:13 2015 -0500 Fix yard docs, retries, push.i8 instructions. See commit 0513852 Note that StagerRetryCount is not defined here, but will be in the parent class once rapid7#4934 lands commit 0513852 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 16 13:35:36 2015 -0500 Fix yard docs, fix retries, trim bytes, retested and working commit 69a808b Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 16 12:14:42 2015 -0500 StagerProxy -> PayloadProxy commit f361e4e Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 16 00:22:10 2015 -0500 Prefer the new-style proxy datastore options when available commit 7e89281 Author: HD Moore <hd_moore@rapid7.com> Date: Mon Mar 16 00:03:31 2015 -0500 Adds proxy (with authentication) support to reverse_http(s) commit 8e37342 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Mar 14 16:52:04 2015 -0500 Comment typo commit 0d12ca4 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Mar 14 16:19:13 2015 -0500 Work around lack of option normalization during size calculation commit 03019cf Author: HD Moore <hd_moore@rapid7.com> Date: Sat Mar 14 15:53:21 2015 -0500 Adds StagerVerifySSLCert support (SHA1 of HandlerSSLCert) commit 1159380 Author: HD Moore <hd_moore@rapid7.com> Date: Sat Mar 14 15:52:23 2015 -0500 Move X509 PEM parsing into Rex::Parser::X509Certificate commit 1001061 Author: HD Moore <hd_moore@rapid7.com> Date: Wed Mar 4 18:52:18 2015 -0600 Initialize @capture_count commit 1b1716b Author: HD Moore <hd_moore@rapid7.com> Date: Sun Feb 22 22:01:01 2015 -0600 Fix a handful of bugs that broke this modules. Fixes rapid7#4799 commit 9730a16 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Feb 22 22:00:42 2015 -0600 Small cleanups to the LLMR responder module commit bdd5276 Author: HD Moore <hd_moore@rapid7.com> Date: Sun Feb 22 21:53:47 2015 -0600 This fixes a number of issues with the Capture mixin * The use of www.metasploit.com in a datastore option results in a DNS lookup (infoleak). Switch to 8.8.8.8 (TTL=1) * The hackey code around #each_packet is no longer necessary in newer Ruby versions * The arp()/probe_gateway() calls to inject_reply() had broken logic leading to early exit and missed replies * The arp() function now tries up to three times to get a reply (helpful with lossy L2) * GC.start is extraneous and should be removed * Increased timeouts commit 615d71d Author: HD Moore <hd_moore@rapid7.com> Date: Sun Feb 22 21:51:33 2015 -0600 Remove extraneous calls to GC.start() commit 44a7e7e Author: jakxx <jakx.ppr@gmail.com> Date: Wed Feb 18 13:22:54 2015 -0500 publish-it fileformat exploit commit 766a07a Author: jstnkndy <jstnkndy@gmail.com> Date: Tue Jan 13 22:08:08 2015 -0500 Add CVE-2015-0975 XXE for OpenNMS <= 14.0.2
techpeace · Mar 19, 2015 · 2056ff6 · 2056ff6
1 parent bd47a15
commit 2056ff6
Show file tree

Hide file tree

Showing 32 changed files with 1,066 additions and 362 deletions.
diff --git a/data/exploits/CVE-2014-0980.pui b/data/exploits/CVE-2014-0980.pui
diff --git a/data/meterpreter/ext_server_networkpug.lso b/data/meterpreter/ext_server_networkpug.lso
diff --git a/data/meterpreter/ext_server_sniffer.lso b/data/meterpreter/ext_server_sniffer.lso
diff --git a/data/meterpreter/ext_server_stdapi.lso b/data/meterpreter/ext_server_stdapi.lso
diff --git a/data/meterpreter/msflinker_linux_x86.bin b/data/meterpreter/msflinker_linux_x86.bin
diff --git a/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm b/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm
@@ -145,7 +145,7 @@ download_more:
   test eax,eax           ; download failed? (optional?)
   jz failure
 
-  mov rax, [rdi]
+  mov ax, word ptr [edi]
   add rbx, rax           ; buffer += bytes_received
 
   test rax,rax           ; optional?

diff --git a/lib/msf/core/exploit/capture.rb b/lib/msf/core/exploit/capture.rb
@@ -42,7 +42,7 @@ def initialize(info = {})
                            [
                              true,
                              'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',
-                             'www.metasploit.com']),
+                             '8.8.8.8']),
             OptPort.new('GATEWAY_PROBE_PORT',
                         [
                           false,
@@ -143,7 +143,6 @@ def close_pcap
         return unless self.capture
         self.capture     = nil
         self.arp_capture = nil
-        GC.start()
       end
 
       def capture_extract_ies(raw)
@@ -163,26 +162,15 @@ def capture_extract_ies(raw)
       end
 
       #
-      # This monstrosity works around a series of bugs in the interrupt
-      # signal handling of Ruby 1.9
+      # Loop through each packet
       #
       def each_packet
         return unless capture
-        begin
-          @capture_count = 0
-          reader         = framework.threads.spawn("PcapReceiver", false) do
-            capture.each do |pkt|
-              yield(pkt)
-              @capture_count += 1
-            end
-          end
-          reader.join
-        rescue ::Exception
-          raise $!
-        ensure
-          reader.kill if reader.alive?
+        @capture_count ||= 0
+        capture.each do |pkt|
+          yield(pkt)
+          @capture_count += 1
         end
-
         @capture_count
       end
 
@@ -242,10 +230,9 @@ def inject_pcap(pcap_file, filter=nil, delay = 0, pcap=self.capture)
           pcap.inject(pkt)
           Rex.sleep((delay * 1.0)/1000)
         end
-        GC.start
       end
 
-      # Capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
+      # capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
       # a payload and a destination address. To send to the broadcast address, set bcast
       # to true (this will guarantee that packets will be sent even if ARP doesn't work
       # out).
@@ -262,24 +249,20 @@ def capture_sendto(payload="", dhost=nil, bcast=false, dev=nil)
 
       # The return value either be a PacketFu::Packet object, or nil
       def inject_reply(proto=:udp, pcap=self.capture)
-        reply = nil
-        to    = (datastore['TIMEOUT'] || 500).to_f / 1000.0
-        if not pcap
-          raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
-        else
-          begin
-            ::Timeout.timeout(to) do
-              pcap.each do |r|
-                packet = PacketFu::Packet.parse(r)
-                next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
-                reply = packet
-                break
-              end
+        # Defaults to ~2 seconds
+        to = (datastore['TIMEOUT'] * 4) / 1000.0
+        raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" if not pcap
+        begin
+          ::Timeout.timeout(to) do
+            pcap.each do |r|
+              packet = PacketFu::Packet.parse(r)
+              next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
+              return packet
             end
-          rescue ::Timeout::Error
           end
+        rescue ::Timeout::Error
         end
-        return reply
+       nil
       end
 
       # This ascertains the correct Ethernet addresses one should use to
@@ -328,20 +311,19 @@ def probe_gateway(addr)
         end
 
         begin
-          to = (datastore['TIMEOUT'] || 1500).to_f / 1000.0
+          to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
           ::Timeout.timeout(to) do
-            while (my_packet = inject_reply(:udp, self.arp_capture))
-              if my_packet.payload == secret
-                dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
-                src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
-                return [dst_mac, src_mac]
-              else
-                next
-              end
+            loop do
+              my_packet = inject_reply(:udp, self.arp_capture)
+              next unless my_packet
+              next unless my_packet.payload == secret
+              dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
+              src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
+              return [dst_mac, src_mac]
             end
           end
         rescue ::Timeout::Error
-          # Well, that didn't work (this common on networks where there's no gatway, like
+          # Well, that didn't work (this is common on networks where there's no gateway, like
           # VMWare network interfaces. We'll need to use a fake source hardware address.
           self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
         end
@@ -354,26 +336,31 @@ def arp(target_ip=nil)
         return self.arp_cache[:gateway] unless should_arp? target_ip
         source_ip = Rex::Socket.source_address(target_ip)
         raise RuntimeError, "Could not access the capture process." unless self.arp_capture
+
         p = arp_packet(target_ip, source_ip)
-        inject_eth(:eth_type  => 0x0806,
-          :payload   => p,
-          :pcap      => self.arp_capture,
-          :eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
-        )
-        begin
-          to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
-          ::Timeout.timeout(to) do
-            while (my_packet = inject_reply(:arp, self.arp_capture))
-              if my_packet.arp_saddr_ip == target_ip
+
+        # Try up to 3 times to get an ARP response
+        1.upto(3) do
+          inject_eth(:eth_type  => 0x0806,
+            :payload   => p,
+            :pcap      => self.arp_capture,
+            :eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
+          )
+          begin
+            to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
+            ::Timeout.timeout(to) do
+              loop do
+                my_packet = inject_reply(:arp, self.arp_capture)
+                next unless my_packet
+                next unless my_packet.arp_saddr_ip == target_ip
                 self.arp_cache[target_ip] = my_packet.eth_saddr
                 return self.arp_cache[target_ip]
-              else
-                next
               end
             end
+          rescue ::Timeout::Error
           end
-        rescue ::Timeout::Error
         end
+        nil
       end
 
       # Creates a full ARP packet, mainly for use with inject_eth()

diff --git a/lib/msf/core/exploit/ipv6.rb b/lib/msf/core/exploit/ipv6.rb
@@ -76,7 +76,6 @@ def close_icmp_pcap()
 
     return if not @ipv6_icmp6_capture
     @ipv6_icmp6_capture = nil
-    GC.start()
   end
 
   #

diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb
@@ -256,11 +256,11 @@ def send_new_stage
       :expiration     => datastore['SessionExpirationTimeout'],
       :comm_timeout   => datastore['SessionCommunicationTimeout'],
       :ua             => datastore['MeterpreterUserAgent'],
-      :proxyhost      => datastore['PROXYHOST'],
-      :proxyport      => datastore['PROXYPORT'],
-      :proxy_type     => datastore['PROXY_TYPE'],
-      :proxy_username => datastore['PROXY_USERNAME'],
-      :proxy_password => datastore['PROXY_PASSWORD']
+      :proxy_host     => datastore['PayloadProxyHost'],
+      :proxy_port     => datastore['PayloadProxyPort'],
+      :proxy_type     => datastore['PayloadProxyType'],
+      :proxy_user     => datastore['PayloadProxyUser'],
+      :proxy_pass     => datastore['PayloadProxyPass']
 
     blob = encode_stage(blob)
 

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
@@ -58,33 +58,25 @@ def initialize(info = {})
       ], Msf::Handler::ReverseHttp)
   end
 
-  # Toggle for IPv4 vs IPv6 mode
-  #
-  def ipv6?
-    Rex::Socket.is_ipv6?(datastore['LHOST'])
-  end
-
   # Determine where to bind the server
   #
   # @return [String]
   def listener_address
-    if datastore['ReverseListenerBindAddress'].to_s.empty?
-      bindaddr = (ipv6?) ? '::' : '0.0.0.0'
+    if datastore['ReverseListenerBindAddress'].to_s == ""
+      bindaddr = Rex::Socket.is_ipv6?(datastore['LHOST']) ? '::' : '0.0.0.0'
     else
       bindaddr = datastore['ReverseListenerBindAddress']
     end
 
     bindaddr
   end
 
+  # Return a URI suitable for placing in a payload
+  #
   # @return [String] A URI of the form +scheme://host:port/+
   def listener_uri
-    if ipv6?
-      listen_host = "[#{listener_address}]"
-    else
-      listen_host = listener_address
-    end
-    "#{scheme}://#{listen_host}:#{datastore['LPORT']}/"
+    uri_host = Rex::Socket.is_ipv6?(listener_address) ? "[#{listener_address}]" : listener_address
+    "#{scheme}://#{uri_host}:#{datastore['LPORT']}/"
   end
 
   # Return a URI suitable for placing in a payload.
@@ -158,6 +150,7 @@ def setup_handler
       'VirtualDirectory' => true)
 
     print_status("Started #{scheme.upcase} reverse handler on #{listener_uri}")
+    lookup_proxy_settings
   end
 
   #
@@ -175,6 +168,45 @@ def stop_handler
 
 protected
 
+  #
+  # Parses the proxy settings and returns a hash
+  #
+  def lookup_proxy_settings
+    info = {}
+    return @proxy_settings if @proxy_settings
+
+    if datastore['PayloadProxyHost'].to_s == ""
+      @proxy_settings = info
+      return @proxy_settings
+    end
+
+    info[:host] = datastore['PayloadProxyHost'].to_s
+    info[:port] = (datastore['PayloadProxyPort'] || 8080).to_i
+    info[:type] = datastore['PayloadProxyType'].to_s
+
+    uri_host = info[:host]
+
+    if Rex::Socket.is_ipv6?(uri_host)
+      uri_host = "[#{info[:host]}]"
+    end
+
+    info[:info] = "#{uri_host}:#{info[:port]}"
+
+    if info[:type] == "SOCKS"
+      info[:info] = "socks=#{info[:info]}"
+    else
+      info[:info] = "http://#{info[:info]}"
+      if datastore['PayloadProxyUser'].to_s != ""
+        info[:username] = datastore['PayloadProxyUser'].to_s
+      end
+      if datastore['PayloadProxyPass'].to_s != ""
+        info[:password] = datastore['PayloadProxyPass'].to_s
+      end
+    end
+
+    @proxy_settings = info
+  end
+
   #
   # Parses the HTTPS request
   #
@@ -204,8 +236,8 @@ def on_request(cli, req, obj)
         blob.sub!('HTTP_COMMUNICATION_TIMEOUT = 300', "HTTP_COMMUNICATION_TIMEOUT = #{datastore['SessionCommunicationTimeout']}")
         blob.sub!('HTTP_USER_AGENT = None', "HTTP_USER_AGENT = '#{var_escape.call(datastore['MeterpreterUserAgent'])}'")
 
-        unless datastore['PROXYHOST'].blank?
-          proxy_url = "http://#{datastore['PROXYHOST']}:#{datastore['PROXYPORT']}"
+        unless datastore['PayloadProxyHost'].blank?
+          proxy_url = "http://#{datastore['PayloadProxyHost']||datastore['PROXYHOST']}:#{datastore['PayloadProxyPort']||datastore['PROXYPORT']}"
           blob.sub!('HTTP_PROXY = None', "HTTP_PROXY = '#{var_escape.call(proxy_url)}'")
         end
 
@@ -268,11 +300,11 @@ def on_request(cli, req, obj)
           :expiration     => datastore['SessionExpirationTimeout'],
           :comm_timeout   => datastore['SessionCommunicationTimeout'],
           :ua             => datastore['MeterpreterUserAgent'],
-          :proxyhost      => datastore['PROXYHOST'],
-          :proxyport      => datastore['PROXYPORT'],
-          :proxy_type     => datastore['PROXY_TYPE'],
-          :proxy_username => datastore['PROXY_USERNAME'],
-          :proxy_password => datastore['PROXY_PASSWORD']
+          :proxy_host     => datastore['PayloadProxyHost'],
+          :proxy_port     => datastore['PayloadProxyPort'],
+          :proxy_type     => datastore['PayloadProxyType'],
+          :proxy_user     => datastore['PayloadProxyUser'],
+          :proxy_pass     => datastore['PayloadProxyPass']
 
         resp.body = encode_stage(blob)
 

diff --git a/lib/msf/core/handler/reverse_https_proxy.rb b/lib/msf/core/handler/reverse_https_proxy.rb
@@ -40,11 +40,11 @@ def initialize(info = {})
       [
         OptString.new('LHOST', [ true, "The local listener hostname" ,"127.0.0.1"]),
         OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
-        OptString.new('PROXYHOST', [true, "The address of the http proxy to use" ,"127.0.0.1"]),
-        OptInt.new('PROXYPORT', [ false, "The Proxy port to connect to", 8080 ]),
-        OptEnum.new('PROXY_TYPE', [true, 'Http or Socks4 proxy type', 'HTTP', ['HTTP', 'SOCKS']]),
-        OptString.new('PROXY_USERNAME', [ false, "An optional username for HTTP proxy authentification"]),
-        OptString.new('PROXY_PASSWORD', [ false, "An optional password for HTTP proxy authentification"])
+        OptString.new('PayloadProxyHost', [true, "The proxy server's IP address", "127.0.0.1"]),
+        OptPort.new('PayloadProxyPort', [true, "The proxy port to connect to", 8080 ]),
+        OptEnum.new('PayloadProxyType', [true, 'The proxy type, HTTP or SOCKS', 'HTTP', ['HTTP', 'SOCKS']]),
+        OptString.new('PayloadProxyUser', [ false, "An optional username for HTTP proxy authentication"]),
+        OptString.new('PayloadProxyPass', [ false, "An optional password for HTTP proxy authentication"])
       ], Msf::Handler::ReverseHttpsProxy)
 
     register_advanced_options(
-Original file line number
+Diff line change
@@ Expand Up / @@ -76,7 +76,6 @@ def close_icmp_pcap() @@
         return if not @ipv6_icmp6_capture
         @ipv6_icmp6_capture = nil
-        GC.start()
       end
       #
@@ Expand Down @@