@cccs-kevin
Collaborator

The CAPE version of cuckoosandbox/cuckoo#3199

This sample https://www.virustotal.com/gui/file/a076938fa168d283115525aebeb972f8eba151566a82e06503c23e0d95c4dffa when run on Win7x64 calls out to http[://]208[.]67[.]105[.]179/damianozx[.]exe on port 8080.

The tcpdata for this network call (https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/network.py#L515) looks like this:

b'GET http[://]208[.]67[.]105[.]179/damianozx[.]exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\nHost: 208[.]67[.]105[.]179\r\nProxy-Connection: Keep-Alive\r\n\r\n'

As you can see, the host is found within the "URI" portion of "GET " where the "URI" is supposed to be just the path, in this case "/damianozx[.]exe". When these components get put together using urlunparse (https://github.com/kevoreilly/CAPEv2/blob/master/modules/processing/network.py#L545), the resulting URL looks like this http[://]208[.]67[.]105[.]179[:[8080/http[://]208[.]67[.]105[.]179/damianozx[.]exe which is obviously incorrect.

We need to pop the host out of the path if it is in there. The elif is for when a non-80 port is used.
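Added illustration of the parsing problem described above, not code from this PR or from CAPEv2: a naive reconstruction that glues the request target onto the host (reproducing the doubled-host URL), next to a version that strips the scheme and authority from a proxy-style absolute-URI target and appends the port only when it is not 80. The sample request bytes and the 203.0.113.10 / example.test values are constructed stand-ins, not the indicators from the report.

```python
from urllib.parse import urlparse, urlunparse

# Constructed sample modelled on the proxy-style request in the PR description:
# the request target is an absolute URI, and the connection goes to port 8080.
SAMPLE_PROXY = (
    b"GET http://203.0.113.10/sample.exe HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
    b"Host: 203.0.113.10\r\n"
    b"Proxy-Connection: Keep-Alive\r\n\r\n"
)
# Constructed ordinary (origin-form) request on port 80 for comparison.
SAMPLE_ORIGIN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def _split_request(tcpdata: bytes):
    """Return (method, target, headers) from the raw request head."""
    head = tcpdata.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers


def naive_uri(tcpdata: bytes, dst_host: str, dst_port: int) -> str:
    """Buggy reconstruction: treats the target as a path, doubling the host."""
    _method, target, headers = _split_request(tcpdata)
    host = headers.get("host", dst_host)
    netloc = host if dst_port == 80 else f"{host}:{dst_port}"
    return urlunparse(("http", netloc, target, "", "", ""))


def parse_request(tcpdata: bytes, dst_host: str, dst_port: int) -> dict:
    """Reconstruct the URL, stripping an absolute-URI authority from the path."""
    method, target, headers = _split_request(tcpdata)
    host = headers.get("host", dst_host)
    if target.lower().startswith(("http://", "https://")):
        parsed = urlparse(target)           # proxy-style request line
        path = parsed.path or "/"
        if parsed.query:
            path += "?" + parsed.query
        host = headers.get("host", parsed.netloc)
    else:
        path = target                       # origin-form: target is the path
    # Only append the port when non-standard and not already in the Host header.
    netloc = host if dst_port == 80 or ":" in host else f"{host}:{dst_port}"
    uri = urlunparse(("http", netloc, path, "", "", ""))
    return {"method": method, "host": host, "path": path, "uri": uri}
```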

@doomedraven doomedraven merged commit cc23ab8 into kevoreilly:master Aug 30, 2022