Module: Msf::Payload::Adapter::Fetch::Server::Https

Included in:

Https, HTTP

Defined in:

lib/msf/core/payload/adapter/fetch/server/https.rb

Instance Method Summary

• #add_resource(fetch_service, uri, srvexe) ⇒ Object
• #cleanup_http_fetch_service(fetch_service, delete_resource) ⇒ Object
• #fetch_protocol ⇒ Object
• #initialize(*args) ⇒ Object

  This mixin supports both HTTP and HTTPS fetch handlers.

• #on_request_uri(cli, request, srvexe) ⇒ Object
• #payload_response(srvexe) ⇒ Object
• #ssl_cert ⇒ Object
• #ssl_cipher ⇒ Object
• #ssl_compression ⇒ Object
• #ssl_version ⇒ Object
• #start_http_fetch_handler(srvname, srvexe) ⇒ Object
• #start_https_fetch_handler(srvname, srvexe) ⇒ Object
• #start_https_server(ssl, ssl_cert, ssl_compression, ssl_cipher, ssl_version) ⇒ Object

Instance Method Details

#add_resource(fetch_service, uri, srvexe) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 26

def add_resource(fetch_service, uri, srvexe)
  vprint_status("Adding resource #{uri}")
  if fetch_service.resources.include?(uri)
    # When we clean up, we need to leave resources alone, because we never added one.
    @delete_resource = false
    fail_with(Msf::Exploit::Failure::BadConfig, "Resource collision detected.  Set FETCH_URI to a different value to continue.")
  end
  fetch_service.add_resource(uri,
                             'Proc' => proc do |cli, req|
                               on_request_uri(cli, req, srvexe)
                             end,
                             'VirtualDirectory' => true)
rescue  ::Exception => e
  # When we clean up, we need to leave resources alone, because we never added one.
  @delete_resource = false
  fail_with(Msf::Exploit::Failure::Unknown, "Failed to add resource\n #{e}")
end

#cleanup_http_fetch_service(fetch_service, delete_resource) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 44

def cleanup_http_fetch_service(fetch_service, delete_resource)
  unless fetch_service.nil?
    escaped_srvuri = ('/' + srvuri).gsub('//', '/')
    if fetch_service.resources.include?(escaped_srvuri) && delete_resource
      fetch_service.remove_resource(escaped_srvuri)
    end
    fetch_service.deref
    if fetch_service.resources.empty?
      # if we don't call deref, we cannot start another httpserver
      # this is a reimplementation of the cleanup_service method
      # in Exploit::Remote::SocketServer
      temp_service = fetch_service
      fetch_service = nil
      temp_service.cleanup
      temp_service.deref
    end
  end
end

#fetch_protocol ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 63

def fetch_protocol
  'HTTPS'
end

#initialize(*args) ⇒ Object

This mixin supports both HTTP and HTTPS fetch handlers. If you only want HTTP, use the HTTP mixin that imports this, but removes the HTTPS options

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 5

def initialize(*args)
  super
  register_options(
    [
      Msf::OptBool.new('FETCH_CHECK_CERT', [true,"Check SSL certificate", false])

    ]
  )
  register_advanced_options(
    [
      Msf::OptString.new('FetchHttpServerName', [true, 'Http Server Name', 'Apache']),
      Msf::OptPath.new('FetchSSLCert', [ false, 'Path to a custom SSL certificate (default is randomly generated)', '']),
      Msf::OptBool.new('FetchSSLCompression', [ false, 'Enable SSL/TLS-level compression', false ]),
      Msf::OptString.new('FetchSSLCipher', [ false, 'String for SSL cipher spec - "DHE-RSA-AES256-SHA" or "ADH"']),
      Msf::OptEnum.new('FetchSSLVersion',
                       'Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate)',
                       enums: Rex::Socket::SslTcp.supported_ssl_methods)
    ]
  )
end

#on_request_uri(cli, request, srvexe) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 67

def on_request_uri(cli, request, srvexe)
  client = cli.peerhost
  vprint_status("Client #{client} requested #{request.uri}")
  if (user_agent = request.headers['User-Agent'])
    client += " (#{user_agent})"
  end
  vprint_status("Sending payload to #{client}")
  cli.send_response(payload_response(srvexe))
end

#payload_response(srvexe) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 77

def payload_response(srvexe)
  res = Rex::Proto::Http::Response.new(200, 'OK', Rex::Proto::Http::DefaultProtocol)
  res['Content-Type'] = 'text/html'
  res.body = srvexe.to_s.unpack('C*').pack('C*')
  res
end

#ssl_cert ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 84

def ssl_cert
  datastore['FetchSSLCert']
end

#ssl_cipher ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 92

def ssl_cipher
  datastore['FetchSSLCipher']
end

#ssl_compression ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 88

def ssl_compression
  datastore['FetchSSLCompression']
end

#ssl_version ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 96

def ssl_version
  datastore['FetchSSLVersion']
end

#start_http_fetch_handler(srvname, srvexe) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 100

def start_http_fetch_handler(srvname, srvexe)
  # this looks a bit funny because I converted it to use an instance variable so that if we crash in the
  # middle and don't return a value, we still have the right fetch_service to clean up.
  escaped_srvuri = ('/' + srvuri).gsub('//', '/')
  @fetch_service = start_https_server(false, nil, nil, nil, nil) if @fetch_service.nil?
  if @fetch_service.nil?
    cleanup_handler
    fail_with(Msf::Exploit::Failure::BadConfig, "Fetch Handler failed to start on #{fetch_bindhost}:#{fetch_bindport}")
  end
  vprint_status('HTTP server started')
  @fetch_service.server_name = srvname
  add_resource(@fetch_service, escaped_srvuri, srvexe)
  @fetch_service
end

#start_https_fetch_handler(srvname, srvexe) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 115

def start_https_fetch_handler(srvname, srvexe)
  # this looks a bit funny because I converted it to use an instance variable so that if we crash in the
  # middle and don't return a value, we still have the right fetch_service to clean up.
  escaped_srvuri = ('/' + srvuri).gsub('//', '/')
  @fetch_service = start_https_server(true, ssl_cert, ssl_compression, ssl_cipher, ssl_version) if @fetch_service.nil?
  if @fetch_service.nil?
    cleanup_handler
    fail_with(Msf::Exploit::Failure::BadConfig, "Fetch Handler failed to start on #{fetch_bindhost}:#{fetch_bindport}\n #{e}")
  end
  vprint_status('HTTPS server started')
  @fetch_service.server_name = srvname
  add_resource(@fetch_service, escaped_srvuri, srvexe)
  @fetch_service
end

#start_https_server(ssl, ssl_cert, ssl_compression, ssl_cipher, ssl_version) ⇒ Object

# File 'lib/msf/core/payload/adapter/fetch/server/https.rb', line 130

def start_https_server(ssl, ssl_cert, ssl_compression, ssl_cipher, ssl_version)
  begin
    fetch_service = Rex::ServiceManager.start(
      Rex::Proto::Http::Server,
      fetch_bindport, fetch_bindhost, ssl,
      {
        'Msf' => framework,
        'MsfExploit' => self
      },
      _determine_server_comm(fetch_bindhost),
      ssl_cert,
      ssl_compression,
      ssl_cipher,
      ssl_version
    )
  rescue Exception => e
    cleanup_handler
    fail_with(Msf::Exploit::Failure::BadConfig, "Fetch Handler failed to start on #{fetch_bindhost}:#{fetch_bindport}\n #{e}")
  end
  vprint_status("Fetch Handler listening on #{fetch_bindhost}:#{fetch_bindport}")
  fetch_service
end