Commit Graph

106 Commits (70b6f94f144c319f18f771ca109edd1e88607f63)

Author SHA1 Message Date
Borja Merino 9791acd0bf Add stager ipknock shellcode (PR 2) 2014-12-27 22:03:45 +01:00
William Vu e34c37042a
Readd block_hidden_bind_tcp.asm
Because stager_hidden_bind_tcp.asm includes it.
2014-12-22 11:13:07 -06:00
Peregrino Gris c0fa8c0e3f Add stager for hidden bind shell payload 2014-12-22 17:21:11 +01:00
HD Moore e3943682a2
Improves linux/armle payloads, lands #3315 2014-12-13 18:27:14 -06:00
Michael Schierl e8728943ec Shave off two more bytes for HTTP(s) stagers 2014-12-13 11:49:30 -06:00
Michael Schierl 69c938f65a More shellcode golf 2014-12-13 11:49:15 -06:00
Mark Schloesser 9e7f6728d0 update the single sources with s/SHELLARG/ARGV0/ 2014-11-19 22:22:08 +01:00
mschloesser-r7 a5aa6b2e78 add source for linux/armle/shell_bind_tcp 2014-11-19 21:53:23 +01:00
mschloesser-r7 ebc70138f6 add source for linux/armle/shell_bind_tcp 2014-11-19 21:53:23 +01:00
mschloesser-r7 8331de2265 add source for linux/armle/shell_reverse_tcp 2014-11-19 21:53:23 +01:00
Meatballs 25ed68af6e
Land #3017, Windows x86 Shell Hidden Bind
A bind shellcode that responds as 'closed' unless the client matches the
AHOST ip.
2014-06-08 13:49:49 +01:00
Florian Gaultier bb4e9e2d4d correct error in block service_change_description 2014-05-13 16:04:39 +02:00
Florian Gaultier 6332957bd2 Try to add SERVICE_DESCRIPTION options to psexec, but it doesn't seem to work... 2014-05-13 16:04:39 +02:00
Florian Gaultier bdbb70ab71 up block_service_stopped.asm 2014-05-13 16:04:39 +02:00
Florian Gaultier e269c1e4f1 Improve service_block with service_stopped block to cleanly terminate service 2014-05-13 16:04:38 +02:00
Florian Gaultier c43e3cf581 Improve block_create_remote_process to point on shellcode everytime 2014-05-13 16:04:38 +02:00
Florian Gaultier 25d48b7300 Add create_remote_process block, now used in exe_service generation 2014-05-13 16:04:38 +02:00
Florian Gaultier 0bdf7904ff Change author of single_service_stuff.asm 2014-05-13 16:04:38 +02:00
Florian Gaultier 513f3de0f8 new service exe creation refreshed 2014-05-13 16:04:36 +02:00
Tod Beardsley 520d1e69c4
Rapid7 Comma Inc
After some more discussion with Rapid7's legal fellow.
2014-03-13 09:46:20 -05:00
Tod Beardsley 9d4ceaa3a0
Let's try to be consistent about Rapid7 Inc.
According to

http://www.sec.gov/Archives/edgar/data/1560327/000156032712000001/0001560327-12-000001.txt

Rapid7 is actually "Rapid7 Inc" not "Rapid7, LLC" any more.

This does not address the few copyright/license statements around
"Metasploit LLC," whatever that is.
2014-03-12 11:20:17 -05:00
root 1fda6b86a1 Changed cmp eax by inc eax. Saved one byte 2014-03-10 12:13:10 +01:00
root b4a22aa25d hidden bind shell payload 2014-02-20 16:19:40 +01:00
James Lee c70680cf1c
Fix infinite-retry bug
Derp, block_api clobbers ecx
2014-02-04 11:59:16 -06:00
James Lee 9c3664bd45
Unify reverse_http and reverse_https
This will make copy-pasta less painful in the future.  There's still the
problem of reverse_https_proxy being very similar, but the logic in how
it gets generated in the module is more than i want to tackle right now
2014-02-04 09:09:12 -06:00
James Lee 6d53570c22
Fix abysmal mixed indentedness. 2014-02-03 11:39:03 -06:00
James Lee c29c6be212 Shave 3 bytes off of block_api 2014-02-03 11:34:41 -06:00
James Lee bfc0ac4dd4 Golf a few bytes off of reverse_http(s) 2014-02-03 11:33:55 -06:00
jvazquez-r7 a056d937e7 Fluch data cache and improve documentation 2014-01-14 14:06:01 -06:00
jvazquez-r7 a8806887e9 Add support for MIPS reverse shell staged payloads 2014-01-14 12:25:11 -06:00
Geyslan G. Bem 030fbba539 Merge branch 'master' of https://github.com/geyslan/metasploit-framework 2013-11-11 14:22:00 -03:00
Tod Beardsley 81a7b1a9bf
Fixes for #2350, random bind shellcode
* Moved shortlink to a reference.
  * Reformat e-mail address.
  * Fixed whitespace
  * Use multiline quote per most other module descriptions

Still need to resplat the modules, but it's no big thang to do that
after landing. Also, References do not seem to appear for post modules
in the normal msfconsole. This is a bug in the UI, not for these modules
-- many payloads would benefit from being explicit on their references,
so may as well start with these.
2013-11-11 10:33:15 -06:00
Geyslan G. Bem 6492bde1c7 New Payload
Merge remote-tracking branch 'origin'
2013-10-05 09:17:14 -03:00
Ryan Wincey 38691445af Fixed memory alignment for x64 reverse_http stager 2013-09-16 16:51:37 -04:00
Geyslan G. Bem fd7b633d35 add payload source 2013-09-13 15:36:31 -03:00
Alexandre Maloteaux e28dd42992 add http authentification and socks 2013-07-15 15:36:58 +01:00
corelanc0d3r e8983a21c5 New meterpreter payload reverse_https_proxy 2013-07-12 16:45:16 -04:00
Tod Beardsley 9c771435f2 Touchup on author credit 2013-05-30 16:13:40 -05:00
Tod Beardsley 67128a3841 Land #1821, x64_reverse_https stagers 2013-05-30 13:55:13 -05:00
jvazquez-r7 e6433fc31e Add commented source code for stagers and stage 2013-05-29 14:03:46 -05:00
agix b92ae7779e change author name 2013-05-19 16:16:25 +02:00
agix 6db1fea6b9 create x64_reverse_https stagers 2013-05-13 01:41:56 +02:00
James Lee e3eef76372 Land #1223
This adds rc4-encrypting stagers for Windows.

[Closes #1223]
2013-04-10 12:14:52 -05:00
James Lee b3c78f74d2 Whitespace 2013-04-10 09:28:45 -05:00
RageLtMan 754b32e9db shameless plug for posterity in stager asm 2013-02-28 17:30:27 -05:00
RageLtMan 3778ae09e9 This commit adds DNS resolution to rev_tcp_rc4
Due to the modular structure of payload stages its pretty trivial
to add DNS resolution instead of hard-coded IP address in stage0.

The only real complication here is that ReverseConnectRetries ends
up being one byte further down than in the original shellcode. It
appears that the original rev_tcp_dns payload suffers from the same
issue.

Hostname substitution is handled in the same method as the RC4 and
XOR keys, with an offset provided and replace_vars ignoring the
hostname.

Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent
binaries/payloads on hosts for long periods. Even if the hostname
resolves to a malicious party attempting to steal our hard earned
session, they'd be hard pressed to crypt the payload with the
appropriate RC4 pass. So long as we control the NS and records, the
hardenned shellcode should provide a better night's sleep if running
shells over the WAN. Changing the RC4 password string in the
shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating elipses for ECDH SSL
in meterpreter sessions and passing them with stage2 through the
RC4 socket. If P is 768-1024 the process is relatively quick, but
we may want to precompute a few defaults as well to have 2048+.
2013-02-28 02:59:20 -05:00
Raphael Mudge 788c96566f Allow HTTP stager to work with authenticated proxies
The HttpOpenRequest function from WinINet requires the
INTERNET_FLAG_KEEP_CONNECTION flag to communicate through an
authenticated proxy.

From MSDN ( http://tinyurl.com/chwt86j ):

"Uses keep-alive semantics, if available, for the connection. This
 flag is required for Microsoft Network (MSN), NT LAN Manager (NTLM),
 and other types of authentication."

Without this flag, the HTTP stager will fail when faced with a proxy
that requires authentication. The Windows HTTPS stager does not have
this problem.

For HTTP Meterpreter to communicate through an authenticated proxy a
separate patch will need to be made to the Meterpreter source code.
This is at line 1125 of source/common/core.c in the Meterpreter source
code.

My motivation for this request is for windows/dllinject/reverse_http
to download a DLL even when faced with an authenticated proxy. These
changes accomplish this.

Test environment:

I staged a SmoothWall device with the Advanced Proxy Web Add-on. I
enabled Integrated Windows Authentication with a W2K3 DC. I verified
the HTTP stager authenticated to and communicated through the proxy
by watching the proxy access.log
2013-02-24 17:33:00 -05:00
Michael Schierl 46a5c4f4bf Improve RC4 shellcode
ESI is not clobbered; no need to clear EDX as only DL is filled before and
it is overwritten before use.

Shellcodes in ruby modules not regenerated, but I guess you want to
regenerate them again anyway :-)
2013-01-01 11:25:17 +01:00
Michael Schierl cb06262002 Add shellcode for RC4 bind and reverse stagers
Those stagers will encrypt the initial stage with a 128-bit RC4 key and
the stage length with a XOR key. Both keys are embedded in the stager.

This should provide good evasion capabilities in addition to some
protection against MITM reversing (if the stager is sent a different
route, like in an executable on an USB key).

Note that, from a cryptanalyst's standpoint, it is a bad idea to reuse the
same stager (or stagers with the same RC4 and XOR keys) more than once
since an identical key will result in an identical keystream and make
correlation attacks easy. But I doubt that matters in practice.

Also note that since communication after the initial statging is not
encrypted, these stagers should be used in combination with additional
encryption support in the payloads (like Meterpreter).
2012-12-31 22:33:29 +01:00
Michael Schierl b4fd341fb6 Add shellcode for RC4 decoding
Provided as a block to be included into stagers and/or decoder stubs.
Also included is a test shellcode that can be used for verifying that the
algorithm is compatible to Ruby's OpenSSL RC4 algorithm.
2012-12-31 22:33:28 +01:00