From 5151473e098bafb3441619d7eb156d4f48f17df6 Mon Sep 17 00:00:00 2001
From: Patrick
Date: Mon, 11 Feb 2019 03:00:45 -0600
Subject: [PATCH] Implement sec-name and pad-nops for command dispatcher

---
 lib/msf/base/simple/payload.rb | 4 +++-
 lib/msf/core/encoded_payload.rb | 5 ++++-
 lib/msf/core/exe/segment_appender.rb | 1 -
 lib/msf/ui/console/command_dispatcher/payload.rb | 12 ++++++++++++
 4 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/lib/msf/base/simple/payload.rb b/lib/msf/base/simple/payload.rb
index 2a0ffb76ff..aa3ea537ac 100644
--- a/lib/msf/base/simple/payload.rb
+++ b/lib/msf/base/simple/payload.rb
@@ -53,6 +53,7 @@ module Payload
 e = EncodedPayload.create(payload,
 'BadChars' => opts['BadChars'],
 'MinNops' => opts['NopSledSize'],
+ 'PadNops' => opts['PadNops'],
 'Encoder' => opts['Encoder'],
 'Iterations' => opts['Iterations'],
 'ForceEncode' => opts['ForceEncode'],
@@ -64,7 +65,8 @@ module Payload
 exeopts = {
 :inject => opts['KeepTemplateWorking'],
 :template => opts['Template'],
- :template_path => opts['ExeDir']
+ :template_path => opts['ExeDir'],
+ :secname => opts['SecName']
 }

 arch = payload.arch
diff --git a/lib/msf/core/encoded_payload.rb b/lib/msf/core/encoded_payload.rb
index 7b16e68665..f07fc5ca73 100644
--- a/lib/msf/core/encoded_payload.rb
+++ b/lib/msf/core/encoded_payload.rb
@@ -290,6 +290,7 @@ class EncodedPayload
 def generate_sled
 min = reqs['MinNops'] || 0
 space = reqs['Space']
+ pad_nops = reqs['PadNops']

 self.nop_sled_size = min

@@ -310,6 +311,9 @@ class EncodedPayload
 # Check for the DisableNops setting
 self.nop_sled_size = 0 if reqs['DisableNops']

+ # Check for the PadNops setting
+ self.nop_sled_size = (pad_nops - self.encoded.length) if reqs['PadNops']
+
 # Now construct the actual sled
 if (self.nop_sled_size > 0)
 nops = pinst.compatible_nops
@@ -338,7 +342,6 @@ class EncodedPayload
 begin
 nop.copy_ui(pinst)
-
 self.nop_sled = nop.generate_sled(self.nop_sled_size, 'BadChars' => reqs['BadChars'], 'SaveRegisters' => save_regs)
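Review bot: `self.nop_sled_size = (pad_nops - self.encoded.length) if reqs['PadNops']` goes negative whenever the requested total is smaller than the encoded payload, and because the following `if (self.nop_sled_size > 0)` merely skips the sled, the caller silently receives a payload larger than the size it asked for instead of an error. Placing the assignment after the DisableNops line also means PadNops overrides DisableNops and every earlier sled-size decision in generate_sled, including the MinNops value assigned in the previous hunk, without saying so. I would reject an unsatisfiable request explicitly and only compute the sled size when it can be met, as sketched below; the exception class should be whatever EncodedPayload already raises for unsatisfiable space requests, ArgumentError is only a placeholder. With `pad_nops` already read in the previous hunk the condition can test that local directly instead of re-reading reqs. generate_sled starts in the previous hunk and ends outside this one.
```ruby
# … unchanged: DisableNops check …
# PadNops: size the sled so that sled + encoded payload equals the requested total.
if pad_nops
  if pad_nops < self.encoded.length
    raise ArgumentError, "PadNops (#{pad_nops}) is smaller than the encoded payload (#{self.encoded.length} bytes)"
  end
  self.nop_sled_size = pad_nops - self.encoded.length
end
# … unchanged: sled construction …
```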
diff --git a/lib/msf/core/exe/segment_appender.rb b/lib/msf/core/exe/segment_appender.rb
index 8531086bbb..7f06153450 100644
--- a/lib/msf/core/exe/segment_appender.rb
+++ b/lib/msf/core/exe/segment_appender.rb
@@ -36,7 +36,6 @@ module Exe
 s.name = '.' + Rex::Text.rand_text_alpha_lower(4)
 else
 s.name = '.' + secname.downcase
- $stderr.puts "Created custom section \"#{s.name}\""
 end
 s.encoded = payload_stub prefix
 s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE]
diff --git a/lib/msf/ui/console/command_dispatcher/payload.rb b/lib/msf/ui/console/command_dispatcher/payload.rb
index 11b27b2e6f..9a94236745 100644
--- a/lib/msf/ui/console/command_dispatcher/payload.rb
+++ b/lib/msf/ui/console/command_dispatcher/payload.rb
@@ -24,6 +24,8 @@ module Msf
 "-E" => [ false, "Force encoding" ],
 "-e" => [ true, "The encoder to use" ],
 "-s" => [ true, "NOP sled length." ],
+ "-P" => [ true, "Total desired payload size, auto-produce approproate NOPsled length"],
+ "-S" => [ true, "The new section name to use when generating (large) Windows binaries"],
 "-b" => [ true, "The list of characters to avoid example: '\\x00\\xff'" ],
 "-i" => [ true, "The number of times to encode the payload" ],
 "-x" => [ true, "Specify a custom executable file to use as a template" ],
@@ -82,6 +84,8 @@ module Msf
 # Parse the arguments
 encoder_name = nil
 sled_size = nil
+ pad_nops = nil
+ sec_name = nil
 option_str = nil
 badchars = nil
 format = "ruby"
@@ -102,6 +106,10 @@ module Msf
 force = true
 when '-n'
 sled_size = val.to_i
+ when '-P' pad_nops = val.to_i
+ when '-S' sec_name = val
 when '-f'
 format = val
 when '-o'
@@ -146,6 +154,8 @@ module Msf
 'Encoder' => encoder_name,
 'Format' => format,
 'NopSledSize' => sled_size,
+ 'PadNops' => pad_nops,
+ 'SecName' => sec_name,
 'OptionStr' => option_str,
 'ForceEncode' => force,
 'Template' => template,
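Review bot: The help string added for `-P` misspells "appropriate", runs "NOP sled" together, and does not tell the user that `-P` takes precedence over `-s`, which is what this patch's generate_sled change does (the PadNops sled size replaces the MinNops-based one). I would make the text say so: `"-P" => [ true, "Total payload size in bytes; the NOP sled is sized to fill it (overrides -s)" ],`. The `-S` entry could likewise mention that the value is prefixed with '.' and lower-cased when the section is created, which is what segment_appender.rb does with it.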
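Review bot: `pad_nops = val.to_i` accepts any string: a non-numeric or zero value becomes 0, and since 0 is truthy in Ruby it is passed through as PadNops and ends up as a negative sled size in EncodedPayload#generate_sled rather than being reported to the user. I would validate before assigning, e.g. accept the value only when `val =~ /\A[1-9]\d*\z/` holds and otherwise print an error and stop the command the way the dispatcher handles its other bad option values. `sec_name = val` is likewise passed unchecked to segment_appender.rb, which uses it as `'.' + secname.downcase`; PE section names are limited to 8 bytes, so a value longer than 7 characters should presumably be rejected here unless the PE writer already truncates or rejects it — worth confirming. The enclosing option-parsing loop starts and ends outside this hunk.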
@@ -178,6 +188,8 @@ module Msf
 '-h' => [ nil ],
 '-o' => [ true ],
 '-s' => [ true ],
+ '-P' => [ true ],
+ '-S' => [ true ],
 '-f' => [ :file ],
 '-t' => [ @@supported_formats ],
 '-p' => [ true ],