## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' module Metasploit3 include Msf::Payload::Windows include Msf::Payload::Single def initialize(info = {}) super(merge_info(info, 'Name' => 'Windows MessageBox', 'Description' => 'Spawns a dialog via MessageBox using a customizable title, text & icon', 'Author' => [ 'corelanc0d3r', # original payload module 'jduck' # some ruby factoring ], 'License' => MSF_LICENSE, 'Version' => "$Revision$", 'Platform' => 'win', 'Arch' => ARCH_X86 )) # Register MessageBox options register_options( [ OptString.new('TITLE', [ true, "Messagebox Title (max 255 chars)", "MessageBox" ]), OptString.new('TEXT', [ true, "Messagebox Text (max 255 chars)", "Hello, from MSF!" ]), OptString.new('ICON', [ true, "Icon type can be NO, ERROR, INFORMATION, WARNING or QUESTION", "NO" ]) ], self.class) end # # Construct the payload # def generate strTitle = datastore['TITLE'] + "X" if (strTitle.length < 1) raise ArgumentError, "You must specify a title" end if (strTitle.length >= 256) raise ArgumentError, "The title must be less than 256 characters long." end strText = datastore['TEXT'] + "X" if (strText.length < 1) raise ArgumentError, "You must specify the text of the MessageBox" end if (strText.length >= 256) raise ArgumentError, "The text must be less than 256 characters long." end # exitfunc process or thread ? stackspace = "0x04" funchash = "" doexitseh = "" case datastore['EXITFUNC'].upcase.strip when 'PROCESS' stackspace = "0x08" funchash = "0x73E2D87E" when 'THREAD' stackspace = "0x08" funchash = "0x60E0CEEF" end # create exit routine for process / thread getexitfunc = < 0) str << " " * (4 - rem) end # string is now 4 byte aligned and ends with 'X' at index 'marker_idx' # push string to stack, starting at the back pushes = '' while (str.length > 0) four = str.slice!(-4, 4) dw = four.unpack('V').first pushes << "push 0x%x\n\t" % dw end pushes end end