Fixed a null pointer dereference bug (occurring in stages loaded by the PassiveX stager) that was being caused when an invalid exit funk was being patched into the stage by the PassiveX stager. This happened because the PassiveX stager uses the old type exit funks while the stages use the new type. This fix ensures the PassiveX stager gets the expected old exit funk value while the chosen stage gets the new exit funk value. This patch does not fix Bug #291 (PassiveX broken). Also, I have left the PassiveX stager disabled until we can resolve the rest of the problems.

git-svn-id: file:///home/svn/framework3/trunk@7448 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Stephen Fewer 2009-11-10 16:07:01 +00:00
parent 2c3cace80c
commit 159ca526b4
1 changed files with 14 additions and 14 deletions


@ -82,6 +82,19 @@ module Metasploit3
# Generate the payload
p = super
# we must manually patch in the exit funk for this stager as it uses the old hash values
# which are generated using a different algorithm to that of the new hash values. We do this
# as this stager code has not been rewritten using the new api calling technique (see block_api.asm).
# set a default exitfunk if one is not set
datastore['EXITFUNC'] = 'thread' if not datastore['EXITFUNC']
# retrieve the offset/pack type for this stager's exitfunk
offset, pack = offsets['EXITFUNC']
# patch in the appropriate exit funk (using the old exit funk hashes).
p[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore['EXITFUNC'] == 'seh'
p[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore['EXITFUNC'] == 'thread'
p[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore['EXITFUNC'] == 'process'
# Construct the full URL that will be embedded in the payload. The uri
# attribute is derived from the value that will have been set by the
# passivex handler.
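Review bot: the added block in generate has no guard for a missing offset: if `offsets['EXITFUNC']` is absent, `offset` is nil and `p[offset, 4] = ...` raises a TypeError on the string slice, so either guard with `if offset` or raise a descriptive error before the three patch lines. The three conditional assignments also silently do nothing when EXITFUNC holds any value other than 'seh', 'thread' or 'process', leaving the stager with whatever `super` wrote there; an explicit else branch that raises (or logs) would make the mismatch this commit is fixing impossible to reintroduce by configuration. Finally, `datastore['EXITFUNC'] = 'thread' if not datastore['EXITFUNC']` mutates the datastore as a side effect of payload generation; a local default (e.g. `exitfunc = datastore['EXITFUNC'] || 'thread'`) keeps generate free of that side effect, and naming the three old-style hash constants with a comment per value would document which exit routine each one selects.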
@ -102,18 +115,5 @@ module Metasploit3
# Return the updated payload
return p
end
# for now we must let this payload use the old EXITFUNC hash values.
def replace_var(raw, name, offset, pack)
super
if( name == 'EXITFUNC' )
datastore[name] = 'thread' if not datastore[name]
raw[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore[name] == 'seh'
raw[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore[name] == 'thread'
raw[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore[name] == 'process'
return true
end
return false
end
end
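Review bot: with the replace_var override deleted, the base class's replace_var now writes its own new-style EXITFUNC hash into the stager and correctness depends on generate overwriting the same offset afterwards; that ordering is nowhere recorded, and the removed comment "# for now we must let this payload use the old EXITFUNC hash values." was the only note that this stager still needs the old hashes, so a comment at the patch site in generate should carry that fact forward. The removed override also returned true for EXITFUNC and false for every other name after calling super, so confirm that nothing in the base class substitution path relied on that return value before the method disappears.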