From 2c0c732967c8ecd7098c0c9667c7d4a64df764f9 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 19 Dec 2014 03:19:06 -0600
Subject: [PATCH] Fix #4414 & #4415 - exitfunc and proper null-terminated string
This patch fixes the following for messagebox.rb Issue 1 (#4415) When exitfunc is none, the payload will not be able to generate due to an "invalid opcode" error. Issue 2: (#4414) After "user32.dll" is pushed onto the stack for the LoadLibrary call, the payload does not actually ensure bl is a null byte, it just assumes it is and uses it to modify the stack to get a null-terminated string. Fix #4414 Fix #4415
---
 modules/payloads/singles/windows/messagebox.rb | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/payloads/singles/windows/messagebox.rb b/modules/payloads/singles/windows/messagebox.rb
index 19cab1251f..f5c6f39f0d 100644
--- a/modules/payloads/singles/windows/messagebox.rb
+++ b/modules/payloads/singles/windows/messagebox.rb
@@ -86,7 +86,7 @@ EOS
 call [ebp+8] ;ExitProcess/Thread(0)
 EOS
- # if exit is set to seh, overrule
+ # if exit is set to seh or none, overrule
 if datastore['EXITFUNC'].upcase.strip == "SEH"
 # routine to exit via exception
 doexit = <