|
1 | 1 | # -*- coding: binary -*-
|
2 | 2 | ##
|
3 |
| -# $Id: exe.rb 14286 2011-11-20 01:41:04Z rapid7 $ |
| 3 | +# $Id$ |
4 | 4 | ##
|
5 | 5 |
|
6 | 6 | ###
|
@@ -74,7 +74,7 @@ def self.to_executable(framework, arch, plat, code='', opts={})
|
74 | 74 | if (arch.index(ARCH_X86))
|
75 | 75 |
|
76 | 76 | if (plat.index(Msf::Module::Platform::Windows))
|
77 |
| - return to_win32pe(framework, code, opts) |
| 77 | + return to_win32pe_only(framework, code, opts) |
78 | 78 | end
|
79 | 79 |
|
80 | 80 | if (plat.index(Msf::Module::Platform::Linux))
|
@@ -354,8 +354,43 @@ def self.to_win32pe(framework, code, opts={})
|
354 | 354 | exe
|
355 | 355 | end
|
356 | 356 |
|
| 357 | + def self.to_win32pe_only(framework, code, opts={}) |
357 | 358 |
|
358 |
| - def self.to_win32pe_old(framework, code, opts={}) |
| 359 | + # Allow the user to specify their own EXE template |
| 360 | + set_template_default(opts, "template_x86_windows_old.exe") |
| 361 | + |
| 362 | + pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true) |
| 363 | + |
| 364 | + exe = '' |
| 365 | + File.open(opts[:template], 'rb') { |fd| |
| 366 | + exe = fd.read(fd.stat.size) |
| 367 | + } |
| 368 | + |
| 369 | + sections_header = [] |
| 370 | + pe._file_header.v['NumberOfSections'].times { |i| sections_header << [(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18+0x24),exe[(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18),0x28]] } |
| 371 | + |
| 372 | + |
| 373 | + #look for section with entry point |
| 374 | + sections_header.each do |sec| |
| 375 | + virtualAddress = sec[1][0xc,0x4].unpack('L')[0] |
| 376 | + sizeOfRawData = sec[1][0x10,0x4].unpack('L')[0] |
| 377 | + characteristics = sec[1][0x24,0x4].unpack('L')[0] |
| 378 | + if pe.hdr.opt.AddressOfEntryPoint >= virtualAddress && pe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData |
| 379 | + #put this section writable |
| 380 | + characteristics|=0x80000000 |
| 381 | + newcharacteristics = [characteristics].pack('L') |
| 382 | + exe[sec[0],newcharacteristics.length]=newcharacteristics |
| 383 | + end |
| 384 | + end |
| 385 | + |
| 386 | + #put the shellcode at the entry point, overwriting template |
| 387 | + exe[pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint),code.length]=code |
| 388 | + |
| 389 | + return exe |
| 390 | + end |
| 391 | + |
| 392 | + |
| 393 | + def self.to_win32pe_old(framework, code, opts={})x |
359 | 394 |
|
360 | 395 | # Allow the user to specify their own EXE template
|
361 | 396 | set_template_default(opts, "template_x86_windows_old.exe")
|
@@ -901,7 +936,7 @@ def self.to_vba(framework,code,opts={})
|
901 | 936 | end
|
902 | 937 |
|
903 | 938 | def self.to_win32pe_vba(framework, code, opts={})
|
904 |
| - to_exe_vba(to_win32pe(framework, code, opts)) |
| 939 | + to_exe_vba(to_win32pe_only(framework, code, opts)) |
905 | 940 | end
|
906 | 941 |
|
907 | 942 | def self.to_exe_vbs(exes = '', opts={})
|
@@ -1169,15 +1204,15 @@ def self.to_win32pe_psh(framework, code, opts={})
|
1169 | 1204 | end
|
1170 | 1205 |
|
1171 | 1206 | def self.to_win32pe_vbs(framework, code, opts={})
|
1172 |
| - to_exe_vbs(to_win32pe(framework, code, opts), opts) |
| 1207 | + to_exe_vbs(to_win32pe_only(framework, code, opts), opts) |
1173 | 1208 | end
|
1174 | 1209 |
|
1175 | 1210 | def self.to_win32pe_asp(framework, code, opts={})
|
1176 |
| - to_exe_asp(to_win32pe(framework, code, opts), opts) |
| 1211 | + to_exe_asp(to_win32pe_only(framework, code, opts), opts) |
1177 | 1212 | end
|
1178 | 1213 |
|
1179 | 1214 | def self.to_win32pe_aspx(framework, code, opts={})
|
1180 |
| - to_exe_aspx(to_win32pe(framework, code, opts), opts) |
| 1215 | + to_exe_aspx(to_win32pe_only(framework, code, opts), opts) |
1181 | 1216 | end
|
1182 | 1217 |
|
1183 | 1218 | # Creates a jar file that drops the provided +exe+ into a random file name
|
@@ -1870,6 +1905,11 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
|
1870 | 1905 | output = Msf::Util::EXE.to_win32pe_old(framework, code, exeopts)
|
1871 | 1906 | end
|
1872 | 1907 |
|
| 1908 | + when 'exe-only' |
| 1909 | + if(not arch or (arch.index(ARCH_X86))) |
| 1910 | + output = Msf::Util::EXE.to_win32pe_only(framework, code, exeopts) |
| 1911 | + end |
| 1912 | + |
1873 | 1913 | when 'elf'
|
1874 | 1914 | if (not plat or (plat.index(Msf::Module::Platform::Linux)))
|
1875 | 1915 | if (not arch or (arch.index(ARCH_X86)))
|
@@ -1900,7 +1940,7 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
|
1900 | 1940 | output = Msf::Util::EXE.to_vba(framework, code, exeopts)
|
1901 | 1941 |
|
1902 | 1942 | when 'vba-exe'
|
1903 |
| - exe = Msf::Util::EXE.to_win32pe(framework, code, exeopts) |
| 1943 | + exe = Msf::Util::EXE.to_win32pe_only(framework, code, exeopts) |
1904 | 1944 | output = Msf::Util::EXE.to_exe_vba(exe)
|
1905 | 1945 |
|
1906 | 1946 | when 'vbs'
|
@@ -1934,7 +1974,7 @@ def self.to_executable_fmt(framework, arch, plat, code, fmt, exeopts)
|
1934 | 1974 | end
|
1935 | 1975 |
|
1936 | 1976 | def self.to_executable_fmt_formats
|
1937 |
| - ['dll','exe','exe-small','elf','macho','vba','vba-exe','vbs','loop-vbs','asp','aspx','war','psh','psh-net'] |
| 1977 | + ['dll','exe','exe-small','exe-only','elf','macho','vba','vba-exe','vbs','loop-vbs','asp','aspx','war','psh','psh-net'] |
1938 | 1978 | end
|
1939 | 1979 |
|
1940 | 1980 | #
|
|