Payload 1: download_exec_https.rb
This payload allows you to download a binary (don't think it needs to have .exe extension) from a webserver. (You need to host the binary and the webserver yourself).
The payload will download the file over HTTPS, using the IE proxy settings, drop the file on the target system (you can choose the filename) and run it.
Payload 2: dns_query_exec.rb
This payload allows you to read & execute shellcode from the reply for a KEY DNS record.
In order to make this work, you need the following things
Upon execution of the dns_query_exec payload, a DNS query will be performed. The corporate DNS server, or online DNS servers should be more than happy to get the KEY for you so you can read it & execute it.
Or, in other words, this allows you to retrieve a bigger payload from a remote system without connecting to it :)
Payload 3: dns_txt_query_exec.rb
This one will retrieve all TXT records for a given domain, retrieve individual shellcode parts (based on tags that contain a sequence) from the TXT records, put them in the correct order, and execute them.
If you want to test, I have set up the domain corelan.eu with a payload (simple messagebox, 3 TXT records).
Usage instructions are inside the payload module
Added 'download executable & run' payload, uses HTTPS and supports proxy
Added DNS KEY Query 'shellcode delivery & execute' payload
Regarding the DNS KEY query: I noticed that, on Windows 7, the shellcode you want to deliver should exclude \x00, \x0a and \x0d (before the base64 action). (Just a convention I guess)
Other than that, delivering a meterpreter via the DNS key record works fine on XP SP3 with DEP on, and win7 wow64 (with DEP AlwaysOn, and Avast running)
Changed usage text and added a few more asm comments
make msftidy a little happier
Changed DNS record type to DNSKEY
Fixed some wording, updated usage guidelines
Oops, bad end, bad boy
Added payload that will retrieve TXT records for a domain, extract payload found in the TXT records, reassemble them and execute it
Few bytes smaller
changed DNS query to use UDP instead of forcing TCP
changed tag from 'par' to '-pt'
increased virtualalloc buffer size to 0x4000 (for larger payloads)
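A defender-side check, added here as an example and not code from this pull request: it flags a domain's TXT record set when it has the shape the TXT payload above reassembles (several base64 bodies carrying a sequence tag, the '-pt' prefix from the commit above). The "tag followed by a decimal index" layout, the size threshold and the sample records are assumptions constructed for the example.

```ruby
require 'base64'

# Constructed sample: TXT answers for one domain, as a resolver log or a
# pcap extraction might yield them. The first three mimic chunked,
# base64-encoded staging with a sequence tag ('-pt' followed by a
# decimal index; the index layout is an assumption). The last two are
# ordinary records that must not be flagged.
SAMPLE_TXT = [
  '-pt2' + Base64.strict_encode64('B' * 120),
  '-pt1' + Base64.strict_encode64('A' * 120),
  '-pt3' + Base64.strict_encode64('C' * 120),
  'v=spf1 include:_spf.example.net ~all',
  'google-site-verification=abc123'
].freeze

TAG_RE = /\A-pt(\d+)/

# Return [index, decoded_bytes] for every record that carries the tag
# and a clean base64 body; everything else is ignored.
def tagged_chunks(records)
  records.map do |rec|
    m = TAG_RE.match(rec)
    next unless m
    begin
      [m[1].to_i, Base64.strict_decode64(rec[m[0].length..-1])]
    rescue ArgumentError
      nil # tag present but the body is not base64: not a chunk
    end
  end.compact
end

# Heuristic: two or more tagged chunks whose indices form an unbroken
# run and whose decoded bytes add up to at least +min_bytes+ is the
# shape of a split payload, not of SPF/DKIM/verification records.
def staging_suspect?(records, min_bytes: 256)
  chunks = tagged_chunks(records)
  return false if chunks.length < 2
  indices = chunks.map(&:first).sort
  contiguous = indices == (indices.first..indices.last).to_a
  contiguous && chunks.sum { |_, bytes| bytes.bytesize } >= min_bytes
end

puts "staging suspect: #{staging_suspect?(SAMPLE_TXT)}" if $PROGRAM_NAME == __FILE__
```

Feed it the TXT answers grouped per queried name from your resolver logs; a hit is a triage lead (check who queried and what ran next), not a verdict.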
So after discussing with egyp7 and hdm, we have concluded that (for the HTTPS download module):
Another comment from HD: It is doing a 8MB allocation in order to write to the disk. It really should be reading from internet handle/writing to file in one go. That way it doesn't even need virtualalloc, etc.
Lastly, there are two calls to ExitProcess, should be combined.
Let me close this pull request for now. When it's fixed I'll reopen again (or let me know in case I'm not paying attention). Thanks.
added exitfunc, merged parameters into a single URL, changed title & …
please reopen so I can submit changes:
I'll work on the last requirement too (writing directly to file)
just to be sure about the virtualalloc vs write to file directly:
Total length of payload may not be a lot smaller when writing directly to file, and because of stackadjust, we may hit top of stack (unlikely, but you never know)
I'll write it the way you think is best, I just want to make sure I understand why you prefer one over the other
changed routine, file will now be written directly to file instead of into virtualalloc heap
Added support for http and ftp (ftp still needs to be tested). File may need to be renamed too in the end
I think we will be able to replace the existing download_exec file with this new version, which supports http, https and ftp (it decides which protocol to use based on what the user provided in the URL parameter).
I tested https and http, didn't test ftp yet... but wanted to commit before I leave on travel
oops, forgot about the default port numbers for http & ftp
changed download chunk size to 0x300 instead of 0x100 bytes at a time, should speed up the download
added some comments
fixed mistake in asm comments
Tested the http and the DNS txt payloads, the http one works like a champ, the DNS one, not so much -- the target only seems to query the first part of the 3 part payload (target was win2k3 sp
I'm going to snag the http payload directly and just commit that one to close the pull request -- can you take a look at the two DNS payloads and see what's up that? Target is win2k3 sp2, I have a pcap here:
Adding corelandc0d3r's http/https/ftp payload
Picks up the one http/https/ftp payload, but not the other two DNS payloads listed as part of the original pull request.
If you can confirm that the dns stuff works, please reopen the pull request
I know what the issue is - I'll rewrite the module entirely (and work with ChrisJohnRiley to see if we can also build a DNS server payload hoster that would be compatible with the payload)... I'll open a new/separate pull request when I'm done
check your mail
We presented a malware distribution method using 3rd party cache DNS last year at RootedCON. Maybe you can use it in your payload...
2011 Malware distribution: http://www.slideshare.net/rootedcon/francisco-jess-gmez-carlos-juan-diaz-cloud-malware-distribution-dns-will-be-your-friend-rootedcon-2011
2012 Data leak: http://www.slideshare.net/ffranz/rootedcon2012-dns-a-botnet-dialect-carlos-diaz-francisco-j-gomez