Land rapid7#6016 - Fix windows x64 TCP stagers

OJ · OJ · commit 26c838033338 · 2015-09-29T09:04:24.000+10:00
Fixes rapid7#5988
diff --git a/external/source/shellcode/windows/x64/src/block/block_recv.asm b/external/source/shellcode/windows/x64/src/block/block_recv.asm
@@ -24,6 +24,7 @@ recv:
   add rsp, 32            ; we restore RSP from the api_call so we can pop off RSI next
   ; Alloc a RWX buffer for the second stage
   pop rsi                ; pop off the second stage length
+  mov esi, esi           ; only use the lower-order 32 bits for the size
   push byte 0x40         ; 
   pop r9                 ; PAGE_EXECUTE_READWRITE
   push 0x1000            ; 
diff --git a/lib/msf/core/payload/windows/x64/bind_tcp.rb b/lib/msf/core/payload/windows/x64/bind_tcp.rb
@@ -220,6 +220,7 @@ def asm_bind_tcp(opts={})
 
         ; Alloc a RWX buffer for the second stage
         pop rsi                ; pop off the second stage length
+        mov esi, esi           ; only use the lower-order 32 bits for the size
         push 0x40              ; 
         pop r9                 ; PAGE_EXECUTE_READWRITE
         push 0x1000            ; 
diff --git a/lib/msf/core/payload/windows/x64/reverse_tcp.rb b/lib/msf/core/payload/windows/x64/reverse_tcp.rb
@@ -219,7 +219,7 @@ def asm_reverse_tcp(opts={})
 
       ; Alloc a RWX buffer for the second stage
         pop rsi                 ; pop off the second stage length
-        movsxd rsi, esi         ; only use the lower-order 32 bits for the size
+        mov esi, esi            ; only use the lower-order 32 bits for the size
         push 0x40               ; 
         pop r9                  ; PAGE_EXECUTE_READWRITE
         push 0x1000             ; 
diff --git a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp.rb
@@ -9,7 +9,7 @@
 
 module Metasploit4
 
-  CachedSize = 483
+  CachedSize = 485
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_ipv6_tcp_uuid.rb
@@ -9,7 +9,7 @@
 
 module Metasploit4
 
-  CachedSize = 524
+  CachedSize = 526
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/modules/payloads/stagers/windows/x64/bind_tcp.rb b/modules/payloads/stagers/windows/x64/bind_tcp.rb
@@ -9,7 +9,7 @@
 
 module Metasploit4
 
-  CachedSize = 481
+  CachedSize = 483
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/bind_tcp_uuid.rb
@@ -9,7 +9,7 @@
 
 module Metasploit4
 
-  CachedSize = 522
+  CachedSize = 524
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/modules/payloads/stagers/windows/x64/reverse_tcp.rb b/modules/payloads/stagers/windows/x64/reverse_tcp.rb
@@ -9,7 +9,7 @@
 
 module Metasploit4
 
-  CachedSize = 450
+  CachedSize = 449
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::ReverseTcp_x64
diff --git a/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb b/modules/payloads/stagers/windows/x64/reverse_tcp_uuid.rb
@@ -9,7 +9,7 @@
 
 module Metasploit4
 
-  CachedSize = 491
+  CachedSize = 490
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::ReverseTcp_x64
