3778ae09e9
Due to the modular structure of payload stages it's pretty trivial to add DNS resolution instead of a hard-coded IP address in stage0. The only real complication here is that ReverseConnectRetries ends up being one byte further down than in the original shellcode. It appears that the original rev_tcp_dns payload suffers from the same issue. Hostname substitution is handled in the same method as the RC4 and XOR keys, with an offset provided and replace_vars ignoring the hostname. Tested in x86 native and WOW64 on XP and 2k8r2 respectively.

This is a good option for those of us needing to leave persistent binaries/payloads on hosts for long periods. Even if the hostname resolves to a malicious party attempting to steal our hard-earned session, they'd be hard pressed to crypt the payload with the appropriate RC4 pass. So long as we control the NS and records, the hardened shellcode should provide a better night's sleep if running shells over the WAN. Changing the RC4 password string in the shellcode and build.py should reduce the chances of recovery by RE.

Next step will likely be to start generating ellipses for ECDH SSL in meterpreter sessions and passing them with stage2 through the RC4 socket. If P is 768-1024 the process is relatively quick, but we may want to precompute a few defaults as well to have 2048+.
This directory contains the win32 payload development environment used
for creating the payloads in version 3 of the Metasploit Framework.
The 'nasm' executable must be in your path to use the included build.sh tool.
The included 'build' script automatically creates a number of file types
each time it is used to compile a payload. These file types are:
- Native ELF executable
- Win32 PE executable
- Generated C source code
- Raw opcodes in ".bin" format
The PE executable templates were developed by 'rix' and used with permission.
To use this script, simply run ./build.sh <name of payload>, where the name
does not include the ".asm" suffix. To build win32_stage_api.asm, the
command line would be "./build.sh win32_stage_api".
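As an added illustration of the build flow described above (this is example code, not the framework's own build.sh), the helpers below reproduce two of its steps: assembling a payload to raw opcodes with nasm, and turning that ".bin" file into the "generated C source code" output type. The array naming (payload name plus a `_len` counter) and the use of `nasm -f bin` are assumptions for the example, not something the README states.

```shell
#!/bin/sh
# Added example, not Metasploit's build.sh. Assumes the raw file was
# produced with `nasm -f bin` and emits a C array named after the payload.

# Strip an accidental ".asm" suffix; build.sh expects the bare payload name.
payload_name() {
    printf '%s\n' "${1%.asm}"
}

# Assemble <name>.asm to raw opcodes. nasm must be in PATH, as the README says.
assemble_raw() {
    command -v nasm >/dev/null 2>&1 || { echo "nasm not in PATH" >&2; return 1; }
    nasm -f bin -o "$1.bin" "$1.asm"
}

# Emit C source for a raw opcode file: an unsigned char array plus its length.
# Usage: bin_to_c <payload name> <raw .bin file>
bin_to_c() {
    name="$1"
    binfile="$2"
    [ -f "$binfile" ] || { echo "missing $binfile" >&2; return 1; }
    size=$(wc -c < "$binfile" | tr -d ' ')
    printf 'unsigned char %s[] =\n' "$name"
    # od prints up to 16 hex bytes per line; each line becomes one C string literal.
    od -An -v -tx1 "$binfile" | while read -r line; do
        printf '"'
        for b in $line; do printf '\\x%s' "$b"; done
        printf '"\n'
    done
    printf ';\nunsigned int %s_len = %s;\n' "$name" "$size"
}

# Stand-alone use: ./this.sh win32_stage_api  (assembles, then prints C source)
if [ -n "$1" ]; then
    p=$(payload_name "$1")
    assemble_raw "$p" && bin_to_c "$p" "$p.bin"
fi
```

The C emitter is the only part that needs no toolchain, so it can be checked against a constructed byte file; the nasm step simply fails cleanly when the assembler is absent rather than producing an empty ".bin".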