GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/payloads/singles/windows/x64/messagebox.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
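module MetasploitModule
  # Byte length of the payload generated with default options. Presumably
  # consumed by the framework's payload size cache, so it must be re-measured
  # whenever the emitted shellcode changes — TODO confirm against the
  # framework's cached-size tooling.
  CachedSize = 313

  include Msf::Payload::Windows
  include Msf::Payload::Single
  include Msf::Payload::Windows::BlockApi_x64

  # Icon flag placed in the fourth MessageBoxA argument (r9), keyed by the
  # ICON option value. Insertion order defines the OptEnum choice list and
  # the first key is the default.
  ICON_STYLES = {
    'NO' => 0x00,
    'ERROR' => 0x10,
    'INFORMATION' => 0x40,
    'WARNING' => 0x30,
    'QUESTION' => 0x20
  }.freeze

  # Registers module metadata and the TITLE / TEXT / ICON options.
  #
  # @param info [Hash] module info merged with this payload's defaults
  def initialize(info = {})
    super(
      merge_info(
        info,
        'Name' => 'Windows MessageBox x64',
        'Description' => 'Spawn a dialog via MessageBox using a customizable title, text & icon',
        'Author' => [
          'pasta <jaguinaga[at]infobytesec.com>'
        ],
        'License' => GPL_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_X64
      )
    )

    icon_opts = ICON_STYLES.keys
    register_options(
      [
        OptString.new('TITLE', [true, 'Messagebox Title', 'MessageBox']),
        OptString.new('TEXT', [true, 'Messagebox Text', 'Hello, from MSF!']),
        OptEnum.new('ICON', [true, 'Icon type', icon_opts.first, icon_opts])
      ]
    )
  end

  # Assembles the x64 MessageBox shellcode for the current datastore.
  #
  # The stub loads user32.dll via the block API resolver, calls MessageBoxA
  # with TEXT, TITLE and the ICON style, then runs the EXITFUNC stub.
  #
  # @param _opts [Hash] unused; kept for the Msf::Payload::Single interface
  # @return [String] raw shellcode bytes
  def generate(_opts = {})
    # Unknown values fall back to 0x00 (no icon), matching the old case/when.
    style = ICON_STYLES.fetch(datastore['ICON'].to_s.upcase.strip, 0x00)

    payload_asm = %(
      cld
      and rsp,0xfffffffffffffff0
      call start_main
      #{asm_block_api}
      start_main:
      pop rbp
      call get_user32
      db "user32.dll", 0x00
      get_user32:
      pop rcx
      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
      call rbp
      mov r9, #{style}
      call get_text
      db #{asm_cstring(datastore['TEXT'])}
      get_text:
      pop rdx
      call get_title
      db #{asm_cstring(datastore['TITLE'])}
      get_title:
      pop r8
      xor rcx,rcx
      mov r10d, #{Rex::Text.block_api_hash('user32.dll', 'MessageBoxA')}
      call rbp
      exitfunk:
      #{exitfunc_asm}
    )
    Metasm::Shellcode.assemble(Metasm::X64.new, payload_asm).encode_string
  end

  private

  # Exit stub selected by EXITFUNC: ExitThread for THREAD (switching to
  # RtlExitUserThread when GetVersion reports Vista or newer), ExitProcess
  # for every other value.
  #
  # @return [String] assembly source fragment
  def exitfunc_asm
    unless datastore['EXITFUNC'].to_s.upcase.strip == 'THREAD'
      return %(
        xor rcx,rcx
        mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
        call rbp
      )
    end

    %(
      mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')}
      mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')}
      call rbp
      add rsp,0x28
      cmp al,0x6
      jl use_exitthread ; is older than Vista or Server 2003 R2?
      cmp bl,0xe0 ; check if GetVersion change the hash stored in EBX
      jne use_exitthread
      mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')}

      use_exitthread:
      push 0
      pop rcx
      mov r10d,ebx
      call rbp
    )
  end

  # Renders +str+ as a NUL-terminated, comma-separated byte list for a `db`
  # directive. Emitting bytes instead of a quoted literal means a double
  # quote, backslash or NUL in the operator-supplied TITLE/TEXT cannot break
  # the assembly source; the bytes produced are identical to the quoted form.
  #
  # @param str [String, nil] text to embed; nil is treated as ""
  # @return [String] e.g. "72, 105, 0" for "Hi"
  def asm_cstring(str)
    (str.to_s.bytes << 0x00).join(', ')
  end
end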