Fix payload required space, remove WOW64 code from x64

2015-07-01 13:39:05 +10:00 · 2015-07-01 13:39:05 +10:00 · 9c2cd34e92
parent a44c31052b
commit 9c2cd34e92
3 changed files with 5 additions and 19 deletions
--- a/lib/msf/core/payload/windows/reverse_tcp.rb
+++ b/lib/msf/core/payload/windows/reverse_tcp.rb
@ -76,8 +76,8 @@ module Payload::Windows::ReverseTcp
    # Start with our cached default generated size
    space = cached_size

-    # EXITFUNK processing only seems to add 8 bytes on top of the default
-    space += 8
+    # EXITFUNK 'thread' is the biggest by far, adds 29 bytes.
+    space += 29

    # Reliability adds some bytes!
    space += 44
--- a/lib/msf/core/payload/windows/x64/exitfunk.rb
+++ b/lib/msf/core/payload/windows/x64/exitfunk.rb
@ -33,25 +33,11 @@ module Payload::Windows::Exitfunk_x64
        ret                   ; Return to NULL (crash)
      ^

-    # On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
-    # on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
-    # automatically generate the right code depending on the selected exit method.
-
    when 'thread'
      asm << %Q^
-        mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)}
-        mov r10d, 0x9DBD95A6  ; hash( "kernel32.dll", "GetVersion" )
-        call rbp              ; GetVersion(); (AL will = major version and AH will = minor version)
-        add rsp, 40           ; cleanup the default param space on stack
-        cmp al, 6             ; If we are not running on Windows Vista, 2008 or 7
-        jl exitfunk_goodbye   ; Then just call the exit function...
-        cmp bl, 0xE0          ; If we are trying a call to kernel32.dll!ExitThread on
-                              ; Windows Vista, 2008 or 7...
-        jne exitfunk_goodbye  ;
-        mov ebx, 0x6F721347   ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
-      exitfunk_goodbye:       ; We now perform the actual call to the exit function
        push 0                ;
        pop rcx               ; set the exit function parameter
+        mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)}
        mov r10d, ebx         ; place the correct EXITFUNK into r10d
        call rbp              ; call EXITFUNK( 0 );
      ^
--- a/lib/msf/core/payload/windows/x64/reverse_tcp.rb
+++ b/lib/msf/core/payload/windows/x64/reverse_tcp.rb
@ -84,8 +84,8 @@ module Payload::Windows::ReverseTcp_x64
    # Start with our cached default generated size
    space = cached_size

-    # EXITFUNK processing adds some bytes onto the defaults
-    space += 11
+    # EXITFUNK 'seh' is the worst case, that adds 15 bytes
+    space += 15

    # Reliability adds bytes!
    space += 57