Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
# -*- coding: binary -*-
2

3
module Rex
4
  module Payloads
5
    module Meterpreter
6
      module UriChecksum
7

8
        #
9
        # Define 8-bit checksums for matching URLs
10
        # These are based on charset frequency
11
        #
12
        URI_CHECKSUM_INITW      = 92 # Windows
13
        URI_CHECKSUM_INITN      = 92 # Native (same as Windows)
14
        URI_CHECKSUM_INITP      = 80 # Python
15
        URI_CHECKSUM_INITJ      = 88 # Java
16
        URI_CHECKSUM_CONN       = 98 # Existing session
17
        URI_CHECKSUM_INIT_CONN  = 95 # New stageless session
18

19
        # Mapping between checksums and modes
20
        URI_CHECKSUM_MODES = Hash[
21
          URI_CHECKSUM_INITN,      :init_native,
22
          URI_CHECKSUM_INITP,      :init_python,
23
          URI_CHECKSUM_INITJ,      :init_java,
24
          URI_CHECKSUM_INIT_CONN,  :init_connect,
25
          URI_CHECKSUM_CONN,       :connect
26
        ]
27

28
        URI_CHECKSUM_MIN_LEN = 5
29

30
        # Limit how long :connect URLs are to stay within 256 bytes when including
31
        # the hostname, colon, port, and leading slash
32
        URI_CHECKSUM_CONN_MAX_LEN = 128
33

34
        URI_CHECKSUM_UUID_MIN_LEN = URI_CHECKSUM_MIN_LEN + Msf::Payload::UUID::UriLength
35

36
        # Map "random" URIs to static strings, allowing us to randomize
37
        # the URI sent in the first request.
38
        #
39
        # @param uri [String] The URI string from the HTTP request
40
        # @return [Hash] The attributes extracted from the URI
41
        def process_uri_resource(uri)
42

43
          # Ignore non-base64url characters in the URL
44
          uri_bare = uri.gsub(/[^a-zA-Z0-9_\-]/, '')
45

46
          # Figure out the mode based on the checksum
47
          uri_csum = Rex::Text.checksum8(uri_bare)
48

49
          # Extract the UUID if the URI is long enough
50
          uri_uuid = nil
51
          if uri_bare.length >= URI_CHECKSUM_UUID_MIN_LEN
52
            uri_uuid = Msf::Payload::UUID.new(uri: uri_bare)
53
          end
54

55
          uri_mode = URI_CHECKSUM_MODES[uri_csum]
56

57
          # Return a hash of URI attributes
58
          { uri: uri_bare, sum: uri_csum, uuid: uri_uuid, mode: uri_mode }
59
        end
60

61
        # Create a URI that matches the specified checksum and payload uuid
62
        #
63
        # @param sum [Integer] A checksum mode value to use for the generated url
64
        # @param uuid [Msf::Payload::UUID] A valid UUID object
65
        # @param len [Integer] An optional URI length value, including the leading slash
66
        # @return [String] The URI string for connections
67
        def generate_uri_uuid(sum, uuid, len=nil)
68
          curl_uri_len = URI_CHECKSUM_UUID_MIN_LEN + rand(URI_CHECKSUM_CONN_MAX_LEN - URI_CHECKSUM_UUID_MIN_LEN)
69
          curl_prefix  = uuid.to_uri
70

71
          if len
72
            # Subtract a byte to take into account the leading /
73
            curl_uri_len = len - 1
74
          end
75

76
          if curl_uri_len < URI_CHECKSUM_UUID_MIN_LEN
77
            raise ArgumentError, "Length must be #{URI_CHECKSUM_UUID_MIN_LEN+1} bytes or greater"
78
          end
79

80
          # Pad out the URI and make the checksum match the specified sum
81
          "/" + generate_uri_checksum(sum, curl_uri_len, curl_prefix)
82
        end
83

84
        # Create an arbitrary length URI that matches a given checksum
85
        #
86
        # @param sum [Integer] The checksum value that the generated URI should match
87
        # @param len [Integer] The length of the URI to generate
88
        # @param prefix [String] The optional prefix to use to build the URI
89
        # @return [String] The URI string that checksums to the given value
90
        def generate_uri_checksum(sum, len=5, prefix="")
91
          # Lengths shorter than 4 bytes are unable to match all possible checksums
92
          # Lengths of exactly 4 are relatively slow to find for high checksum values
93
          # Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms)
94
          if len < URI_CHECKSUM_MIN_LEN
95
            raise ArgumentError, "Length must be #{URI_CHECKSUM_MIN_LEN} bytes or greater"
96
          end
97

98
          gen_len = len-prefix.length
99
          if gen_len < URI_CHECKSUM_MIN_LEN
100
            raise ArgumentError, "Prefix must be at least {URI_CHECKSUM_MIN_LEN} bytes smaller than total length"
101
          end
102

103
          # Brute force a matching checksum for shorter URIs
104
          if gen_len < 40
105
            loop do
106
              uri = prefix + Rex::Text.rand_text_base64url(gen_len)
107
              return uri if Rex::Text.checksum8(uri) == sum
108
            end
109
          end
110

111
          # The rand_text_base64url() method becomes a bottleneck at around 40 bytes
112
          # Calculating a static prefix flattens out the average runtime for longer URIs
113
          prefix << Rex::Text.rand_text_base64url(gen_len-20)
114

115
          loop do
116
            uri = prefix + Rex::Text.rand_text_base64url(20)
117
            return uri if Rex::Text.checksum8(uri) == sum
118
          end
119
        end
120

121
        # Return the numerical checksum for a given mode symbol
122
        #
123
        # @param mode [Symbol] The mode symbol to lookup (:connect, :init_native, :init_python, :init_java)
124
        # @return [Integer] The URI checksum value corresponding with the mode
125
        def uri_checksum_lookup(mode)
126
          sum = URI_CHECKSUM_MODES.keys.select{|ksum| URI_CHECKSUM_MODES[ksum] == mode}.first
127
          unless sum
128
            raise ArgumentError, "Unknown checksum mode: #{mode}"
129
          end
130
          sum
131
        end
132
      end
133
    end
134
  end
135
end
136

137