metasploit-framework/lib/metasm/samples/pe-shutdown.rb

#    This file is part of Metasm, the Ruby assembly manipulation suite
#    Copyright (C) 2007 Yoann GUILLOT
#
#    Licence is LGPL, see LICENCE in the top-level directory


# 
# here we will build an executable file that will shut down the machine
# when run
# TODO #include <windows.h>, use some struct handling
#

require 'metasm'

include Metasm

pe = PE.assemble Ia32.new, <<EOS
.section '.text' r w x

.import kernel32 GetCurrentProcess getcurrentprocess
.import advapi32 OpenProcessToken  openprocesstoken
.import advapi32 LookupPrivilegeValueA lookupprivilegevalue
.import advapi32 AdjustTokenPrivileges adjusttokenprivileges
.import user32   ExitWindowsEx exitwindowsex

.entrypoint

; OpenProcessToken(GetCurrentProcess, ADJUST_PRIV | QUERY, &htok)
push htok
push 28h
call getcurrentprocess
push eax
call openprocesstoken

; LookupPrivVal(0, SE_SHUTDOWN, &tokpriv.priv[0].luid)
push tokpriv_luid
push privname
push 0
call lookupprivilegevalue

; tokpriv.privcnt = 1 ; tokpriv.priv[0].attr = ENABLED
mov dword ptr [tokpriv], 1
mov dword ptr [tokpriv_attr], 2

; AdjustTokenPrivileges(htok, 0, &tokpriv, 0, 0, 0)
xor eax, eax
push eax
push eax
push eax
push tokpriv
push eax
push dword ptr [htok]
call adjusttokenprivileges

; ExitWindowsEx(SHUTDOWN | FORCE, OS | MINORUPDATE | PLANNED)
push 80020003h
push 5
call exitwindowsex

ret

.align 4
htok dd ?
tokpriv:
 tokpriv_count dd ?
 tokpriv_luid  dd ?, ?
 tokpriv_attr  dd ?
privname db "SeShutdownPrivilege\0"

EOS
pe.encode_file 'metasm-shutup.exe'
Import the new METASM code git-svn-id: file:///home/svn/framework3/trunk@5008 4d416f70-5f16-0410-b530-b9f4589650da 2007-06-30 21:53:26 +00:00			`# This file is part of Metasm, the Ruby assembly manipulation suite`
			`# Copyright (C) 2007 Yoann GUILLOT`
			`#`
			`# Licence is LGPL, see LICENCE in the top-level directory`


			`#`
			`# here we will build an executable file that will shut down the machine`
			`# when run`
			`# TODO #include <windows.h>, use some struct handling`
			`#`

			`require 'metasm'`

			`include Metasm`

			`pe = PE.assemble Ia32.new, <<EOS`
			`.section '.text' r w x`

			`.import kernel32 GetCurrentProcess getcurrentprocess`
			`.import advapi32 OpenProcessToken openprocesstoken`
			`.import advapi32 LookupPrivilegeValueA lookupprivilegevalue`
			`.import advapi32 AdjustTokenPrivileges adjusttokenprivileges`
			`.import user32 ExitWindowsEx exitwindowsex`

			`.entrypoint`

			`; OpenProcessToken(GetCurrentProcess, ADJUST_PRIV \| QUERY, &htok)`
			`push htok`
			`push 28h`
			`call getcurrentprocess`
			`push eax`
			`call openprocesstoken`

			`; LookupPrivVal(0, SE_SHUTDOWN, &tokpriv.priv[0].luid)`
			`push tokpriv_luid`
			`push privname`
			`push 0`
			`call lookupprivilegevalue`

			`; tokpriv.privcnt = 1 ; tokpriv.priv[0].attr = ENABLED`
			`mov dword ptr [tokpriv], 1`
			`mov dword ptr [tokpriv_attr], 2`

			`; AdjustTokenPrivileges(htok, 0, &tokpriv, 0, 0, 0)`
			`xor eax, eax`
			`push eax`
			`push eax`
			`push eax`
			`push tokpriv`
			`push eax`
			`push dword ptr [htok]`
			`call adjusttokenprivileges`

			`; ExitWindowsEx(SHUTDOWN \| FORCE, OS \| MINORUPDATE \| PLANNED)`
			`push 80020003h`
			`push 5`
			`call exitwindowsex`

			`ret`

			`.align 4`
			`htok dd ?`
			`tokpriv:`
			`tokpriv_count dd ?`
			`tokpriv_luid dd ?, ?`
			`tokpriv_attr dd ?`
			`privname db "SeShutdownPrivilege\0"`

			`EOS`
			`pe.encode_file 'metasm-shutup.exe'`