Land #6016 - Fix windows x64 TCP stagers

Fixes #5988
2015-09-29 09:04:24 +10:00 · 2015-09-29 09:04:24 +10:00 · 26c8380333
parent b206de7708 b608abffbc
commit 26c8380333
9 changed files with 9 additions and 7 deletions
--- a/external/source/shellcode/windows/x64/src/block/block_recv.asm
+++ b/external/source/shellcode/windows/x64/src/block/block_recv.asm
@ -24,6 +24,7 @@ recv:
  add rsp, 32            ; we restore RSP from the api_call so we can pop off RSI next
  ; Alloc a RWX buffer for the second stage
  pop rsi                ; pop off the second stage length
+  mov esi, esi           ; only use the lower-order 32 bits for the size
  push byte 0x40         ; 
  pop r9                 ; PAGE_EXECUTE_READWRITE
  push 0x1000            ; 
--- a/lib/msf/core/payload/windows/x64/bind_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/bind_tcp.rb
@ -220,6 +220,7 @@ module Payload::Windows::BindTcp_x64

        ; Alloc a RWX buffer for the second stage
        pop rsi                ; pop off the second stage length
+        mov esi, esi           ; only use the lower-order 32 bits for the size
        push 0x40              ; 
        pop r9                 ; PAGE_EXECUTE_READWRITE
        push 0x1000            ; 
--- a/lib/msf/core/payload/windows/x64/reverse_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_tcp.rb
@ -219,7 +219,7 @@ module Payload::Windows::ReverseTcp_x64

      ; Alloc a RWX buffer for the second stage
        pop rsi                 ; pop off the second stage length
-        movsxd rsi, esi         ; only use the lower-order 32 bits for the size
+        mov esi, esi            ; only use the lower-order 32 bits for the size
        push 0x40               ; 
        pop r9                  ; PAGE_EXECUTE_READWRITE
        push 0x1000             ; 
--- a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
+++ b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'

 module Metasploit4

-  CachedSize = 483
+  CachedSize = 485

  include Msf::Payload::Stager
  include Msf::Payload::Windows::BindTcp_x64
--- a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'

 module Metasploit4

-  CachedSize = 524
+  CachedSize = 526

  include Msf::Payload::Stager
  include Msf::Payload::Windows::BindTcp_x64
--- a/modules/payloads/stagers/windows/x64/bind_tcp.rb
+++ b/modules/payloads/stagers/windows/x64/bind_tcp.rb
@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'

 module Metasploit4

-  CachedSize = 481
+  CachedSize = 483

  include Msf::Payload::Stager
  include Msf::Payload::Windows::BindTcp_x64
--- a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'

 module Metasploit4

-  CachedSize = 522
+  CachedSize = 524

  include Msf::Payload::Stager
  include Msf::Payload::Windows::BindTcp_x64
--- a/modules/payloads/stagers/windows/x64/reverse_tcp.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_tcp.rb
@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_tcp'

 module Metasploit4

-  CachedSize = 450
+  CachedSize = 449

  include Msf::Payload::Stager
  include Msf::Payload::Windows::ReverseTcp_x64
--- a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
+++ b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
@ -9,7 +9,7 @@ require 'msf/core/payload/windows/x64/reverse_tcp'

 module Metasploit4

-  CachedSize = 491
+  CachedSize = 490

  include Msf::Payload::Stager
  include Msf::Payload::Windows::ReverseTcp_x64