Land #19330, Add SSL opt in start_service
The start_service method now allows users to specify their SSL
preferences directly through the opts parameter. If the ssl option is
not provided in opts, it will default to the value in datastore["SSL"].
jheysel-r7 committed Sep 5, 2024
2 parents 6f1acf4 + 434593d commit 1527104
Showing 19 changed files with 57 additions and 147 deletions.
7 changes: 5 additions & 2 deletions lib/msf/core/exploit/remote/http_server.rb
Expand Up @@ -116,14 +116,17 @@ def check_dependencies
# completely on the datastore. (See dlink_upnp_exec_noauth)
def start_service(opts = {})

# Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead.
opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl']

check_dependencies

# Start a new HTTP server service.
self.service = Rex::ServiceManager.start(
Rex::Proto::Http::Server,
(opts['ServerPort'] || bindport).to_i,
opts['ServerHost'] || bindhost,
datastore['SSL'], # XXX: Should be in opts, need to test this
opts['ssl'],
{
'Msf' => framework,
'MsfExploit' => self,
Expand All @@ -149,7 +152,7 @@ def start_service(opts = {})
'Path' => opts['Path'] || resource_uri
}.update(opts['Uri'] || {})

proto = (datastore["SSL"] ? "https" : "http")
proto = (opts['ssl'] ? "https" : "http")

# SSLCompression may or may not actually be available. For example, on
# Ubuntu, it's disabled by default, unless the correct environment
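Review bot: The new `'ssl'` key on the `opts['ssl'] = ...` line is lowercase while every other option this method reads in the hunk (`'ServerPort'`, `'ServerHost'`, `'Uri'`, `'Path'`) is CamelCase, so a module that passes `'SSL' => false` by analogy is silently ignored and the server falls back to `datastore['SSL']`. Either accept both spellings or document the key in the comment above `def start_service`, e.g. `# opts['ssl']: true/false to force TLS on or off; when nil, falls back to datastore['SSL'].` The line also mutates the caller's hash and reads more directly as `opts['ssl'] = datastore['SSL'] if opts['ssl'].nil?`; if any caller reuses its options hash across calls, `opts = opts.merge('ssl' => datastore['SSL']) if opts['ssl'].nil?` avoids the side effect. The body of start_service continues outside the hunk.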
9 changes: 3 additions & 6 deletions modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb
Expand Up @@ -154,19 +154,16 @@ def run
fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
end

if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
start_service({
'Uri' => {
'Proc' => proc do |cli, req|
on_request_uri(cli, req)
end,
'Path' => '/'
}
},
'ssl' => false
})
datastore['SSL'] = true if ssl_restore

xxe_request
rescue Timeout::Error => e
fail_with(Failure::TimeoutExpired, e.message)
10 changes: 3 additions & 7 deletions modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
Expand Up @@ -122,11 +122,6 @@ def exploit
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
else
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

#we use SRVHOST as download IP for the coming wget command.
#SRVHOST needs a real IP address of our download host
Expand All @@ -144,9 +139,10 @@ def exploit
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore
end

#
10 changes: 3 additions & 7 deletions modules/exploits/linux/http/dlink_dir615_up_exec.rb
Expand Up @@ -155,11 +155,6 @@ def exploit
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
else
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = Rex::Socket.source_address(rhost)
Expand All @@ -174,9 +169,10 @@ def exploit
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore
end

#
11 changes: 3 additions & 8 deletions modules/exploits/linux/http/dlink_hnap_login_bof.rb
Expand Up @@ -253,12 +253,6 @@ def exploit
@elf_sent = false
resource_uri = '/' + downfile

#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = Rex::Socket.source_address(rhost)
else
Expand All @@ -272,9 +266,10 @@ def exploit
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore
print_status("#{peer} - Asking the device to download and execute #{service_url}")

filename = rand_text_alpha_lower(rand(8) + 2)
10 changes: 3 additions & 7 deletions modules/exploits/linux/http/linksys_e1500_apply_exec.rb
Expand Up @@ -151,11 +151,6 @@ def exploit
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
else
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

#we use SRVHOST as download IP for the coming wget command.
#SRVHOST needs a real IP address of our download host
Expand All @@ -172,9 +167,10 @@ def exploit
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore
end

#
10 changes: 3 additions & 7 deletions modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
Expand Up @@ -304,11 +304,6 @@ def exploit
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
else
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

#we use SRVHOST as download IP for the coming wget command.
#SRVHOST needs a real IP address of our download host
Expand All @@ -325,9 +320,10 @@ def exploit
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore
end

#
10 changes: 3 additions & 7 deletions modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb
Expand Up @@ -155,11 +155,6 @@ def exploit
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
else
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

#we use SRVHOST as download IP for the coming wget command.
#SRVHOST needs a real IP address of our download host
Expand All @@ -176,9 +171,10 @@ def exploit
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore
end

#
10 changes: 3 additions & 7 deletions modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
Expand Up @@ -270,11 +270,6 @@ def exploit
if (datastore['DOWNHOST'])
service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
else
#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

#we use SRVHOST as download IP for the coming wget command.
#SRVHOST needs a real IP address of our download host
Expand All @@ -291,9 +286,10 @@ def exploit
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore
end

#
13 changes: 2 additions & 11 deletions modules/exploits/linux/http/vestacp_exec.rb
Expand Up @@ -252,28 +252,19 @@ def on_request_uri(cli, _request)
end

def start_http_server
#
# HttpClient and HttpServer use same SSL variable :(
# We don't need SSL for payload delivery so we
# will disable it temporarily.
#
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
start_service({
'Uri' => {
'Proc' => proc do |cli, req|
on_request_uri(cli, req)
end,
'Path' => resource_uri
}
},
'ssl' => false # do not use SSL
})
print_status("Second payload download URI is #{get_uri}")
# We need to use instance variables since get_uri keeps using
# the SSL setting from the datastore.
# Once the URI is retrieved, we will restore the SSL settings within the datastore.
@second_stage_url = get_uri
datastore['SSL'] = true if ssl_restore
end
end
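Review bot: The comment kept at the `@second_stage_url = get_uri` line still says `get_uri` uses the datastore's SSL setting and that the setting will be restored afterwards, but the restore is now gone and `datastore['SSL']` is never toggled in this method. If `get_uri` (defined outside this hunk) still derives its scheme from `datastore['SSL']`, a run with SSL=true would advertise an `https://` second-stage URL for a server that was just started with `'ssl' => false`; that path is worth confirming against the new `opts['ssl']` handling in http_server.rb. Either way the two stale comment lines should be replaced with something like `# NOTE: get_uri builds the URL from datastore settings; confirm it matches the plain-HTTP server started above.`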
11 changes: 3 additions & 8 deletions modules/exploits/linux/smtp/exim4_dovecot_exec.rb
Expand Up @@ -112,12 +112,6 @@ def exploit
fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80')
end

#do not use SSL
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

#we use SRVHOST as download IP for the coming wget command.
#SRVHOST needs a real IP address of our download host
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
Expand All @@ -134,9 +128,10 @@ def exploit
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
},
'ssl' => false # do not use SSL
})

datastore['SSL'] = true if ssl_restore
end


12 changes: 4 additions & 8 deletions modules/exploits/multi/http/bassmaster_js_injection.rb
Expand Up @@ -141,12 +141,6 @@ def start_http_server
srv_host = datastore['SRVHOST']
end

# do not use SSL for the attacking web server
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

@service_url = "http:\\x2f\\x2f#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
Expand All @@ -155,8 +149,10 @@ def start_http_server
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
},
'ssl' => false # do not use SSL
})

connect
end

10 changes: 3 additions & 7 deletions modules/exploits/multi/http/mutiny_subnetmask_exec.rb
Expand Up @@ -113,11 +113,6 @@ def on_new_session(session)
def start_web_service
print_status("Setting up the Web Service...")

if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

resource_uri = '/' + @elfname + '.elf'
service_url = "http://#{lookup_lhost}:#{datastore['SRVPORT']}#{resource_uri}"

Expand All @@ -127,8 +122,9 @@ def start_web_service
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
},
'ssl' => false # do not use SSL
})

return service_url
end
12 changes: 4 additions & 8 deletions modules/exploits/multi/http/rails_dynamic_render_code_exec.rb
Expand Up @@ -162,12 +162,6 @@ def start_http_server
srv_host = datastore['SRVHOST']
end

# do not use SSL for the attacking web server
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

@service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
Expand All @@ -176,8 +170,10 @@ def start_http_server
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
},
'ssl' => false # do not use SSL
})

connect
end

17 changes: 2 additions & 15 deletions modules/exploits/multi/http/struts_default_action_mapper.rb
Expand Up @@ -115,14 +115,6 @@ def on_new_session(session)
end

def start_http_service
# do not use SSL for this part
# XXX: See https://github.com/rapid7/metasploit-framework/issues/3853
# It must be possible to do this without directly editing the
# datastore.
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end

if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = Rex::Socket.source_address(rhost)
Expand All @@ -138,15 +130,10 @@ def start_http_service
on_request_uri(cli, req)
},
'Path' => '/'
}
},
'ssl' => false # do not use SSL
})

# Restore SSL preference
# XXX: See https://github.com/rapid7/metasploit-framework/issues/3853
# It must be possible to do this without directly editing the
# datastore.
datastore['SSL'] = true if ssl_restore

return service_url
end
