rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

windows/x64/messagebox generated shellcode is broken #13724

Closed phra closed 4 years ago

phra commented 4 years ago

The x64 messagebox shellcode generated by msfvenom seems not to be working.

Steps to reproduce

  1. msfvenom -p windows/x64/messagebox TEXT=hello TITLE=hello -f c -v SHELLCODE

Expected behavior

The generated shellcode works correctly.

Current behavior

The shellcode crashes during execution. (@ +00000037)

00000000  FC                cld
00000001  4881E4F0FFFFFF    and rsp,0xfffffffffffffff0
00000008  E8D0000000        call 0xdd
0000000D  4151              push r9
0000000F  4150              push r8
00000011  52                push rdx
00000012  51                push rcx
00000013  56                push rsi
00000014  4831D2            xor rdx,rdx
00000017  65488B5260        mov rdx,[gs:rdx+0x60]
0000001C  3E488B5218        mov rdx,[ds:rdx+0x18]
00000021  3E488B5220        mov rdx,[ds:rdx+0x20]
00000026  3E488B7250        mov rsi,[ds:rdx+0x50]
0000002B  3E480FB74A4A      movzx rcx,word [ds:rdx+0x4a]
00000031  4D31C9            xor r9,r9
00000034  4831C0            xor rax,rax
00000037  AC                lodsb    <========== CRASH HERE!
00000038  3C61              cmp al,0x61
0000003A  7C02              jl 0x3e
0000003C  2C20              sub al,0x20
0000003E  41C1C90D          ror r9d,byte 0xd
00000042  4101C1            add r9d,eax
00000045  E2ED              loop 0x34
00000047  52                push rdx
00000048  4151              push r9
0000004A  3E488B5220        mov rdx,[ds:rdx+0x20]
0000004F  3E8B423C          mov eax,[ds:rdx+0x3c]
00000053  4801D0            add rax,rdx
00000056  3E8B8088000000    mov eax,[ds:rax+0x88]
0000005D  4885C0            test rax,rax
00000060  746F              jz 0xd1
00000062  4801D0            add rax,rdx
00000065  50                push rax
00000066  3E8B4818          mov ecx,[ds:rax+0x18]
0000006A  3E448B4020        mov r8d,[ds:rax+0x20]
0000006F  4901D0            add r8,rdx
00000072  E35C              jrcxz 0xd0
00000074  48FFC9            dec rcx
00000077  3E418B3488        mov esi,[ds:r8+rcx*4]
0000007C  4801D6            add rsi,rdx
0000007F  4D31C9            xor r9,r9
00000082  4831C0            xor rax,rax
00000085  AC                lodsb
00000086  41C1C90D          ror r9d,byte 0xd
0000008A  4101C1            add r9d,eax
0000008D  38E0              cmp al,ah
0000008F  75F1              jnz 0x82
00000091  3E4C034C2408      add r9,[ds:rsp+0x8]
00000097  4539D1            cmp r9d,r10d
0000009A  75D6              jnz 0x72
0000009C  58                pop rax
0000009D  3E448B4024        mov r8d,[ds:rax+0x24]
000000A2  4901D0            add r8,rdx
000000A5  663E418B0C48      mov cx,[ds:r8+rcx*2]
000000AB  3E448B401C        mov r8d,[ds:rax+0x1c]
000000B0  4901D0            add r8,rdx
000000B3  3E418B0488        mov eax,[ds:r8+rcx*4]
000000B8  4801D0            add rax,rdx
000000BB  4158              pop r8
000000BD  4158              pop r8
000000BF  5E                pop rsi
000000C0  59                pop rcx
000000C1  5A                pop rdx
000000C2  4158              pop r8
000000C4  4159              pop r9
000000C6  415A              pop r10
000000C8  4883EC20          sub rsp,byte +0x20
000000CC  4152              push r10
000000CE  FFE0              jmp rax
000000D0  58                pop rax
000000D1  4159              pop r9
000000D3  5A                pop rdx
000000D4  3E488B12          mov rdx,[ds:rdx]
000000D8  E949FFFFFF        jmp 0x26
000000DD  5D                pop rbp
000000DE  49C7C100000000    mov r9,0x0
000000E5  3E488D95FE000000  lea rdx,[ds:rbp+0xfe]
000000ED  3E4C8D8504010000  lea r8,[ds:rbp+0x104]
000000F5  4831C9            xor rcx,rcx
000000F8  41BA45835607      mov r10d,0x7568345
000000FE  FFD5              call rbp
00000100  4831C9            xor rcx,rcx
00000103  41BAF0B5A256      mov r10d,0x56a2b5f0
00000109  FFD5              call rbp
0000010B  68656C6C6F        push qword 0x6f6c6c65
00000110  006865            add [rax+0x65],ch
00000113  6C                insb
00000114  6C                insb
00000115  6F                outsd
00000116  00                db 0x00

System stuff

Metasploit version

Framework Version: 5.0.93-dev

I installed Metasploit with:
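
For triage of the disassembly above, here is an added example (not code from the issue or from the Metasploit project) that reimplements the hashing loop the shellcode runs between +0x34 and +0x9a: ror-13 over the uppercased UTF-16LE BaseDllName including its null wide char, plus ror-13 over the ASCII export name including its NUL, compared against r10d. The candidate module/export list and the expected names for the two constants loaded into r10d (0x7568345 and 0x56a2b5f0) are assumptions of this example, not something the issue states.

```python
# Added example: resolve the API hash constants seen in the disassembly.
# The candidate list is constructed here; an analyst would normally feed the
# full export lists of the common system DLLs instead.

def ror32(value: int, bits: int) -> int:
    """32-bit rotate right (the `ror r9d, 0xd` in the hashing loops)."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def module_hash(name: str) -> int:
    """Hash of BaseDllName: UTF-16LE bytes, letters uppercased
    (cmp al,0x61 / sub al,0x20), including the terminating null wide char
    because the loop counts MaximumLength bytes from [rdx+0x4a]."""
    h = 0
    for byte in (name.upper() + "\x00").encode("utf-16-le"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

def export_hash(name: str) -> int:
    """Hash of an export-table name: ASCII bytes up to and including the NUL
    (the loop exits only after hashing the byte that equals ah == 0)."""
    h = 0
    for byte in (name + "\x00").encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

def api_hash(module: str, export: str) -> int:
    """The value compared against r10d: module hash + export hash mod 2**32
    (the `add r9,[rsp+0x8]` / `cmp r9d,r10d` pair)."""
    return (module_hash(module) + export_hash(export)) & 0xFFFFFFFF

# Constructed candidate list (assumption: these are the names worth checking).
CANDIDATES = [
    ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "LoadLibraryA"),
    ("user32.dll", "MessageBoxA"),
    ("user32.dll", "MessageBoxW"),
]

def build_table(pairs) -> dict:
    """Map each candidate's hash to a 'module!export' label."""
    return {api_hash(m, e): f"{m}!{e}" for m, e in pairs}

def resolve(constant: int, table=None) -> str:
    """Name for a hash constant pulled from the disassembly, or '<unknown>'."""
    table = table if table is not None else build_table(CANDIDATES)
    return table.get(constant & 0xFFFFFFFF, "<unknown>")

if __name__ == "__main__":
    for c in (0x7568345, 0x56a2b5f0):   # the two `mov r10d, imm32` above
        print(f"{c:#010x} -> {resolve(c)}")
```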

phra commented 4 years ago

It seems that the root cause is related to the environment where it is running. I will close for now and reopen the issue if necessary.

NUL0x4C commented 1 year ago

@phra it is crashing from my side as well, I'm running it on windows 10, RWX section, same thing ...

any updates ?

hawaii67 commented 1 year ago

I have the same issue as ORCx41. Win10 as well.......

winsecurity commented 1 year ago

same issue here.

adfoster-r7 commented 1 year ago

Works for me on windows 10 with a simple OpenProcess->VirtualAllocEx(RWX)->WriteProcessMemory->CreateRemoteThread shellcode injection

I used the original shellcode command msfvenom -p windows/x64/messagebox TEXT=hello TITLE=hello -f c -v SHELLCODE

unsigned char SHELLCODE[] =
"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41"
"\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60"
"\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72"
"\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac"
"\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2"
"\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48"
"\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f"
"\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49"
"\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01"
"\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01"
"\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41"
"\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58"
"\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
"\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7"
"\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\xfe\x00\x00\x00\x3e"
"\x4c\x8d\x85\x04\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83"
"\x56\x07\xff\xd5\x48\x31\xc9\x41\xba\xf0\xb5\xa2\x56\xff"
"\xd5\x68\x65\x6c\x6c\x6f\x00\x68\x65\x6c\x6c\x6f\x00";

Tested with windows server 2016 and windows 10

Please raise a new issue with specific replication steps on how to reproduce your errors

hawaii67 commented 1 year ago

Actually, I tried again and for me it works now too! Weird. Maybe some minor changes did the remedy..........?