From 9c9d333a1b05d76bc19d64487afb5d9eedca5cc4 Mon Sep 17 00:00:00 2001
From: OJ
Date: Mon, 23 Mar 2015 13:21:08 +1000
Subject: [PATCH] Create verify ssl mixin, adjust some formatting

---
 lib/msf/core/handler/reverse_http.rb | 24 ++++++-------------
 .../core/payload/windows/reverse_winhttps.rb | 23 ++++--------------
 lib/rex/parser/x509_certificate.rb | 4 ++--
 lib/rex/payloads/meterpreter/patch.rb | 12 +++++-----
 .../windows/meterpreter_reverse_https.rb | 24 ++++++-------------
 5 files changed, 26 insertions(+), 61 deletions(-)

diff --git a/lib/msf/core/handler/reverse_http.rb b/lib/msf/core/handler/reverse_http.rb
index b55725d87a..1a0707e3a8 100644
--- a/lib/msf/core/handler/reverse_http.rb
+++ b/lib/msf/core/handler/reverse_http.rb
@@ -4,6 +4,7 @@ require 'rex/sync/ref'
 require 'msf/core/handler/reverse_http/uri_checksum'
 require 'rex/payloads/meterpreter/patch'
 require 'rex/parser/x509_certificate'
+require 'msf/core/payload/windows/verify_ssl'
 
 module Msf
 module Handler
@@ -17,6 +18,7 @@ module ReverseHttp
 
   include Msf::Handler
   include Msf::Handler::ReverseHttp::UriChecksum
+  include Msf::Payload::Windows::VerifySsl
 
   #
   # Returns the string representation of the handler type
@@ -292,13 +294,15 @@ protected
 
     blob = obj.stage_payload
+    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+      datastore['HandlerSSLCert'])
 
     #
     # Patch options into the payload
     #
-    Rex::Payloads::Meterpreter::Patch.patch_passive_service! blob,
+    Rex::Payloads::Meterpreter::Patch.patch_passive_service!(blob,
       :ssl => ssl?,
       :url => url,
-      :ssl_cert_hash => get_ssl_cert_hash,
+      :ssl_cert_hash => verify_cert_hash,
       :expiration => datastore['SessionExpirationTimeout'],
       :comm_timeout => datastore['SessionCommunicationTimeout'],
       :ua => datastore['MeterpreterUserAgent'],
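Review bot: The new `require 'msf/core/payload/windows/verify_ssl'` and `include Msf::Payload::Windows::VerifySsl` depend on a file this patch does not contain: the diffstat lists five modified files and no new lib/msf/core/payload/windows/verify_ssl.rb, so as posted the require would fail to load unless the mixin was committed separately — it looks like the new file was never staged. The same applies to the reverse_winhttps.rb and meterpreter_reverse_https.rb hunks below. Since the mixin's contract is not visible anywhere in the patch, a one-line comment at its first call here, such as `# nil when StagerVerifySSLCert is off, else the SHA1 digest of HandlerSSLCert (see VerifySsl)`, would document the assumption the callers now make, provided the mixin keeps the semantics of the removed per-file copies. Having Msf::Handler::ReverseHttp pull in a Msf::Payload::Windows mixin also inverts the usual handler/payload layering; a payload-neutral home for the helper would read more naturally. The enclosing method continues outside the hunk.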
@@ -306,7 +310,7 @@ protected
       :proxy_port => datastore['PayloadProxyPort'],
       :proxy_type => datastore['PayloadProxyType'],
       :proxy_user => datastore['PayloadProxyUser'],
-      :proxy_pass => datastore['PayloadProxyPass']
+      :proxy_pass => datastore['PayloadProxyPass'])
 
     resp.body = encode_stage(blob)
 
@@ -357,20 +361,6 @@ protected
     port > 0 ? port : datastore['LPORT'].to_i
   end
 
-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-    end
-
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
-  end
-
 end
 end
diff --git a/lib/msf/core/payload/windows/reverse_winhttps.rb b/lib/msf/core/payload/windows/reverse_winhttps.rb
index e53aa6ae2d..4fe531ccff 100644
--- a/lib/msf/core/payload/windows/reverse_winhttps.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttps.rb
@@ -2,7 +2,7 @@
 
 require 'msf/core'
 require 'msf/core/payload/windows/reverse_winhttp'
-require 'rex/parser/x509_certificate'
+require 'msf/core/payload/windows/verify_ssl'
 
 module Msf
 
@@ -17,6 +17,7 @@ module Msf
 module Payload::Windows::ReverseWinHttps
 
   include Msf::Payload::Windows::ReverseWinHttp
+  include Msf::Payload::Windows::VerifySsl
 
   #
   # Register reverse_winhttps specific options
@@ -49,7 +50,8 @@ module Payload::Windows::ReverseWinHttps
   #
   def generate
-    verify_cert_hash = get_ssl_cert_hash
+    verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+      datastore['HandlerSSLCert'])
 
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
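Review bot: In the reverse_winhttps.rb require hunk the `require 'rex/parser/x509_certificate'` line is replaced rather than kept, while reverse_http.rb in the same patch keeps its x509_certificate require and adds verify_ssl next to it; the two files now disagree for no stated reason. Dropping it here is only safe if the new VerifySsl mixin requires rex/parser/x509_certificate itself, which cannot be checked from this patch because that file is not included. Either keep the line as `require 'rex/parser/x509_certificate'` alongside the new require, or state in the commit message that the mixin owns that dependency. The generate method in the last hunk continues outside the shown lines.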
@@ -97,23 +99,6 @@ module Payload::Windows::ReverseWinHttps
     space
   end
 
-  #
-  # Get the SSL hash from the certificate, if required.
-  #
-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-    end
-
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
-  end
-
 end
 end
diff --git a/lib/rex/parser/x509_certificate.rb b/lib/rex/parser/x509_certificate.rb
index a1fad8a968..61a0a4b179 100644
--- a/lib/rex/parser/x509_certificate.rb
+++ b/lib/rex/parser/x509_certificate.rb
@@ -58,7 +58,7 @@ class X509Certificate
 
   #
   # Parse a certificate in unified PEM format and retrieve
-  # the SHA1 hash.
+  # the SHA1 hash.
   #
   # @param [String] ssl_cert
   # @return [String]
@@ -74,7 +74,7 @@ class X509Certificate
 
   #
   # Parse a file that contains a certificate in unified PEM
-  # format and retrieve the SHA1 hash.
+  # format and retrieve the SHA1 hash.
   #
   # @param [String] ssl_cert_file
   # @return [String]
diff --git a/lib/rex/payloads/meterpreter/patch.rb b/lib/rex/payloads/meterpreter/patch.rb
index 67aba9e855..166eb7f7cf 100644
--- a/lib/rex/payloads/meterpreter/patch.rb
+++ b/lib/rex/payloads/meterpreter/patch.rb
@@ -99,12 +99,12 @@ module Rex
 
   # Patch options into metsrv for reverse HTTP payloads
   def self.patch_passive_service!(blob, options)
-    patch_transport! blob, options[:ssl]
-    patch_url! blob, options[:url]
-    patch_expiration! blob, options[:expiration]
-    patch_comm_timeout! blob, options[:comm_timeout]
-    patch_ua! blob, options[:ua]
-    patch_ssl_check! blob, options[:ssl_cert_hash]
+    patch_transport!(blob, options[:ssl])
+    patch_url!(blob, options[:url])
+    patch_expiration!(blob, options[:expiration])
+    patch_comm_timeout!(blob, options[:comm_timeout])
+    patch_ua!(blob, options[:ua])
+    patch_ssl_check!(blob, options[:ssl_cert_hash])
     patch_proxy!(blob,
       options[:proxy_host],
       options[:proxy_port],
diff --git a/modules/payloads/singles/windows/meterpreter_reverse_https.rb b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
index e82262b61b..db2dcb9d77 100644
--- a/modules/payloads/singles/windows/meterpreter_reverse_https.rb
+++ b/modules/payloads/singles/windows/meterpreter_reverse_https.rb
@@ -16,6 +16,7 @@ module Metasploit3
 
   include Msf::Payload::Windows::StagelessMeterpreter
   include Msf::Sessions::MeterpreterOptions
+  include Msf::Payload::Windows::VerifySsl
 
   def initialize(info = {})
 
@@ -55,10 +56,13 @@ module Metasploit3
       #  end
       #end
 
-      Rex::Payloads::Meterpreter::Patch.patch_passive_service! dll,
+      verify_cert_hash = get_ssl_cert_hash(datastore['StagerVerifySSLCert'],
+        datastore['HandlerSSLCert'])
+
+      Rex::Payloads::Meterpreter::Patch.patch_passive_service!(dll,
         :url => url,
         :ssl => true,
-        :ssl_cert_hash => get_ssl_cert_hash,
+        :ssl_cert_hash => verify_cert_hash,
         :expiration => datastore['SessionExpirationTimeout'].to_i,
         :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
         :ua => datastore['MeterpreterUserAgent'],
@@ -66,24 +70,10 @@ module Metasploit3
         :proxyport => datastore['PROXYPORT'],
         :proxy_type => datastore['PROXY_TYPE'],
         :proxy_username => datastore['PROXY_USERNAME'],
-        :proxy_password => datastore['PROXY_PASSWORD']
+        :proxy_password => datastore['PROXY_PASSWORD'])
     end
   end
 
-  def get_ssl_cert_hash
-    unless datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i
-      return nil
-    end
-
-    unless datastore['HandlerSSLCert']
-      raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured"
-    end
-
-    hash = Rex::Parser::X509Certificate.get_cert_file_hash(datastore['HandlerSSLCert'])
-    print_status("Meterpreter will verify SSL Certificate with SHA1 hash #{hash.unpack("H*").first}")
-    hash
-  end
-
 end
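Review bot: The option keys passed here, `:proxyport`, `:proxy_username` and `:proxy_password`, do not match what the same method receives from the handler in reverse_http.rb (`:proxy_port`, `:proxy_user`, `:proxy_pass`) nor the `options[:proxy_port]` that patch_passive_service! reads in the patch.rb hunk, so the stageless payload's proxy port and credentials would most likely be patched in as nil; the user/pass reads live in patch_proxy! outside the shown lines, so confirm the exact names there. The commit only appends the closing paren and leaves the mismatch in place. The fix is to rename the three keys to the handler's spelling: `:proxy_port => datastore['PROXYPORT'],`, `:proxy_user => datastore['PROXY_USERNAME'],`, `:proxy_pass => datastore['PROXY_PASSWORD'])`. The enclosing generate block starts outside the hunk.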