Fix host-endian related pack errors. See below for details.

Ruby treats endianess in pack operators in the opposite way
of python. For example, using pack('<I') actually ignores the
endianess specifier. These need to be 'I<' or better yet, 'V'.
The endian specify must occur after the pack specifier and
multiple instances in meterpreter and exe generation were
broken in thier usage.

The summary:

Instead of I/L or I< use V
Instead of I/L or I> use N
For Q, you need to always use Q< (LE) or Q> (BE)
For c/s/l/i and other lowercase variants, you probably dont
need or want a *signed* value, so stick with vV nN and cC.

Author: HD Moore

lib/msf/util/exe.rb

@@ -340,22 +340,22 @@ def self.to_winpe_only(framework, code, opts={}, arch="x86")
 
     # look for section with entry point
     sections_header.each do |sec|
-      virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
-      sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
-      characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
+      virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('V')[0]
+      sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('V')[0]
+      characteristics = sec[1][characteristics_offset,0x4].unpack('V')[0]
 
       if (virtualAddress...virtualAddress+sizeOfRawData).include?(addressOfEntryPoint)
-        importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('L')[0]
+        importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('V')[0]
         if (importsTable - addressOfEntryPoint) < code.length
           #shift original entry point to prevent tables overwritting
           addressOfEntryPoint = importsTable - (code.length + 4)
 
           entry_point_offset = pe._dos_header.v['e_lfanew'] + entryPoint_offset
-          exe[entry_point_offset,4] = [addressOfEntryPoint].pack('L')
+          exe[entry_point_offset,4] = [addressOfEntryPoint].pack('V')
         end
         # put this section writable
         characteristics |= 0x8000_0000
-        newcharacteristics = [characteristics].pack('L')
+        newcharacteristics = [characteristics].pack('V')
         exe[sec[0],newcharacteristics.length] = newcharacteristics
       end
     end
@@ -572,20 +572,20 @@ def self.to_win32pe_service(framework, code, opts={})
         "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
         "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
         "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" +
-        "\x8D\x85"+[svcmain_code_offset].pack('<I')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
+        "\x8D\x85"+[svcmain_code_offset].pack('V')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
         "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
         "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED" +
-         [hash_code_offset].pack('<I')+pushed_service_name+"\x89\xE1\x8D" +
-        "\x85"+[svcctrlhandler_code_offset].pack('<I')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
+         [hash_code_offset].pack('V')+pushed_service_name+"\x89\xE1\x8D" +
+        "\x85"+[svcctrlhandler_code_offset].pack('V')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
         "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
         "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
         "\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
         "\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
         "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
         "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
-        "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
+        "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('V')+"\x57\x51\x68\xAE\x87" +
         "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
-         [shellcode_code_offset].pack('<I')+"\x54\x68"+[code.length].pack('<I') +
+         [shellcode_code_offset].pack('V')+"\x54\x68"+[code.length].pack('V') +
         "\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
         "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
         "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
@@ -654,8 +654,8 @@ def self.replace_msi_buffer(pe, opts)
       msi = fd.read(fd.stat.size)
     }
 
-    section_size =	2**(msi[30..31].unpack('s')[0])
-    sector_allocation_table = msi[section_size..section_size*2].unpack('l*')
+    section_size =	2**(msi[30..31].unpack('s<')[0])
+    sector_allocation_table = msi[section_size..section_size*2].unpack('l<*')
 
     buffer_chain = []
     current_secid = 5	# This is closely coupled with the template provided and ideally
@@ -841,8 +841,8 @@ def self.to_exe_elf(framework, opts, template, code, big_endian=false)
         elf[0x60,8] = [elf.length].pack('Q>') #p_filesz
         elf[0x68,8] = [elf.length + code.length].pack('Q>') #p_memsz
       else # little endian
-        elf[0x60,8] = [elf.length].pack('Q') #p_filesz
-        elf[0x68,8] = [elf.length + code.length].pack('Q') #p_memsz
+        elf[0x60,8] = [elf.length].pack('Q<') #p_filesz
+        elf[0x68,8] = [elf.length + code.length].pack('Q<') #p_memsz
       end
     else
       raise RuntimeError, "Invalid ELF template: EI_CLASS value not supported"

lib/rex/arch.rb

@@ -49,7 +49,7 @@ def self.pack_addr(arch, addr)
       when ARCH_X86
         [addr].pack('V')
       when ARCH_X86_64
-        [addr].pack('Q')
+        [addr].pack('Q<')
       when ARCH_MIPS # ambiguous
         [addr].pack('N')
       when ARCH_MIPSBE

lib/rex/post/meterpreter/extensions/stdapi/railgun/type/pointer_util.rb

@@ -27,8 +27,8 @@ def self.pack_pointer(pointer, platform)
 
     case platform
     when PlatformUtil::X86_64
-      # XXX: Only works if attacker and victim are like-endianed
-      [pointer].pack('Q')
+      # Assume little endian
+      [pointer].pack('Q<')
     when PlatformUtil::X86_32
       [pointer].pack('V')
     else
@@ -40,8 +40,8 @@ def self.pack_pointer(pointer, platform)
   def self.unpack_pointer(packed_pointer, platform)
     case platform
     when PlatformUtil::X86_64
-      # XXX: Only works if attacker and victim are like-endianed
-      packed_pointer.unpack('Q').first
+      # Assume little endian
+      packed_pointer.unpack('Q<').first
     when PlatformUtil::X86_32
       packed_pointer.unpack('V').first
     else

lib/rex/post/meterpreter/extensions/stdapi/railgun/util.rb

@@ -324,8 +324,8 @@ def initialize(railgun, platform)
   #
   def unpack_pointer(packed_pointer)
     if is_64bit
-      # XXX: Only works if attacker and victim are like-endianed
-      packed_pointer.unpack('Q')[0]
+      # Assume little endian
+      packed_pointer.unpack('Q<')[0]
     else
       packed_pointer.unpack('V')[0]
     end

lib/rex/post/meterpreter/packet.rb

@@ -251,7 +251,7 @@ def to_r
     elsif (self.type & TLV_META_TYPE_UINT == TLV_META_TYPE_UINT)
       raw = [value].pack("N")
     elsif (self.type & TLV_META_TYPE_QWORD == TLV_META_TYPE_QWORD)
-      raw = [ self.htonq( value.to_i ) ].pack("Q")
+      raw = [ self.htonq( value.to_i ) ].pack("Q<")
     elsif (self.type & TLV_META_TYPE_BOOL == TLV_META_TYPE_BOOL)
       if (value == true)
         raw = [1].pack("c")
@@ -312,7 +312,7 @@ def from_r(raw)
     elsif (self.type & TLV_META_TYPE_UINT == TLV_META_TYPE_UINT)
       self.value = raw.unpack("NNN")[2]
     elsif (self.type & TLV_META_TYPE_QWORD == TLV_META_TYPE_QWORD)
-      self.value = raw.unpack("NNQ")[2]
+      self.value = raw.unpack("NNQ<")[2]
       self.value = self.ntohq( self.value )
     elsif (self.type & TLV_META_TYPE_BOOL == TLV_META_TYPE_BOOL)
       self.value = raw.unpack("NNc")[2]
@@ -335,7 +335,7 @@ def htonq( value )
     if( [1].pack( 's' ) == [1].pack( 'n' ) )
       return value
     end
-    return [ value ].pack( 'Q' ).reverse.unpack( 'Q' ).first
+    return [ value ].pack( 'Q<' ).reverse.unpack( 'Q<' ).first
   end
 
   def ntohq( value )