Using the ruby methods for generating assembly blocks defined or
separated in prior commits, create a new payload from the existing
assembly blocks which performs a DNS lookup of the LHOST prior to
establishing a corresponding socket and downloading, and
decrypting the RC4 encrypted payload.
For anyone looking to learn how to build these payloads, these
three commits should provide a healthy primer. Small changes to
the payload structure can yield entropy enough to avoid signature
based detection by in-line or out-of-band static defenses. This
payload was completed in the time between this commit and the last.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Using the separation of block_recv and reverse_tcp, implement
reverse_tcp_dns using original shellcode as template with dynamic
injection of parameters. Concatenate the whole thing in the
generation call chain, and compile the resulting shellcode for
delivery.
Metasploit module pruned to bare minimum, with the LHOST OptString
moved into the library component.
Testing:
Win2k8r2
ToDo:
Update payload sizes when this branch is "complete"
Ensure UUIDs and adjacent black magic all work properly
Misc:
Clean up rc4.rb to use the rc4_keys method when generating a
stage. Makes the implementation far more readable and reduces
redundant code.
Convert reverse_tcp_rc4 and bind_tcp_rc4 from static shellcode
substitution payloads to metasm compiled assembly approach.
Splits up metasm methods for bind_tcp and reverse_tcp into socket
creation and block_recv to allow for reuse of the socket methods
with the RC4 payloads, while substituting the block_recv methods
for those carrying the appropriate decryptor stubs.
Creates a new rc4 module carrying the bulk of the decryptor and
adjacent convenince methods for standard payload generation.
Testing:
Tested against Win2k8r2, Win7x64, and WinXPx86
ToDo:
Ensure all the methods around payload sizing, UUIDs, and other
new functionality, the semantics of which i do not yet fully
understand, are appropriate and do not introduce breakage.
Added a JCL-based reverse shell. Uses the same source code as the
shellcode version does. Source code is in
external/source/shellcode/mainframe/shell_reverse_tcp.s
This pops up occasionally. This fixes a couple of anecdotal reports of missing
requires that cause the loader to fail, depending on the directory sort order.
It also fixes the problem as reported in #6460
This brings in the following changes:
Changes to support maven 3.3+
Don't fall back to 0.0.0.0
Remove all debug builds from the Windows projects
Add show_mount, ps_list, and some core tweaks
Refactor TLV layout, add more debug output, token stealing
Add incognito binding, code tidies
Update packaged libs
Add transport list binding
Add transport add command to python binding
Update python core lib archive
change source perms back to non-executable
First pass of stageless initialisation script
Finalise stageless initialisation scripts
add BOOT_COMPLETED receiver that starts the Payload
Improve the implementation of the getuid command
Switch to Utils.runCommand per timwr's suggestion
Updated init script method
also bumps msgpack 0.7.1, which fixes a failure packing messages > 256k
Brendan Watters
Brent Cook
RageLtMan
root
William Vu
wchen-r7
Tim
OJ
Bigendian Smalls
James Lee
Christian Mehlmauer
joev
jvazquez-r7
Spencer McIntyre