67 lines
1.5 KiB
Ruby
67 lines
1.5 KiB
Ruby
|
require 'rex/exploitation/seh'
|
||
|
|
|
||
|
|
module Msf
|
||
|
|
|
||
|
|
###
|
||
|
|
#
|
||
|
|
# Seh
|
||
|
|
# ---
|
||
|
|
#
|
||
|
|
# This mixin provides a interface to generating SEH registration records in a
|
||
|
|
# robust fashion using the Rex::Exploitation::Seh class.
|
||
|
|
#
|
||
|
|
###
|
||
|
|
module Exploit::Seh
|
||
|
|
|
||
|
|
def initialize(info = {})
|
||
|
|
super
|
||
|
|
|
||
|
|
# Register an advanced option that allows users to specify whether or
|
||
|
|
# not a dynamic SEH record should be used.
|
||
|
|
register_advanced_options(
|
||
|
|
[
|
||
|
|
OptBool.new('DynamicSehRecord', [ false, "Generate a dynamic SEH record (more stealthy)" ])
|
||
|
|
], Msf::Exploit::Seh)
|
||
|
|
end
|
||
|
|
|
||
|
|
#
|
||
|
|
# Generates an SEH record with zero or more options. The supported options
|
||
|
|
# are:
|
||
|
|
#
|
||
|
|
# EvasionLevel
|
||
|
|
#
|
||
|
|
# The evasion level to use. If none is supplied, the default is used.
|
||
|
|
#
|
||
|
|
# NopGenerator
|
||
|
|
#
|
||
|
|
# The NOP generator instance to use, if any.
|
||
|
|
#
|
||
|
|
# Space
|
||
|
|
#
|
||
|
|
# The amount of room the SEH record generator has to play with for
|
||
|
|
# random padding. This should be derived from the maximum amount of
|
||
|
|
# space available to the exploit for payloads minus the current payload
|
||
|
|
# size.
|
||
|
|
#
|
||
|
|
def generate_seh_record(handler, opts = {})
|
||
|
|
seh = Rex::Exploitation::Seh.new(
|
||
|
|
payload_badchars,
|
||
|
|
opts['Space'],
|
||
|
|
opts['NopGenerator'])
|
||
|
|
|
||
|
|
evlvl = opts['EvasionLevel'] || seh.default_evasion_level
|
||
|
|
|
||
|
|
# If the user specified that a dynamic SEH record be used, override all
|
||
|
|
# of the supplied settings.
|
||
|
|
if (datastore['DynamicSehRecord'])
|
||
|
|
evlvl = EVASION_HIGH
|
||
|
|
end
|
||
|
|
|
||
|
|
# Generate the record
|
||
|
|
seh.generate_seh_record(handler, evlvl)
|
||
|
|
end
|
||
|
|
|
||
|
|
end
|
||
|
|
|
||
|
|
end
|