Fix rapid7#4414 & rapid7#4415 - exitfunc and proper null-terminated string

wchen-r7 · wchen-r7 · commit 2c0c732967c8 · 2014-12-19T03:19:06.000-06:00
This patch fixes the following for messagebox.rb Issue 1 (rapid7#4415) When exitfunc is none, the payload will not be able to generate due to an "invalid opcode" error. Issue 2: (rapid7#4414) After "user32.dll" is pushed onto the stack for the LoadLibrary call, the payload does not actually ensure bl is a null byte, it just assumes it is and uses it to modify the stack to get a null-terminated string. Fix rapid7#4414 Fix rapid7#4415
diff --git a/modules/payloads/singles/windows/messagebox.rb b/modules/payloads/singles/windows/messagebox.rb
@@ -86,14 +86,19 @@ def generate
   call [ebp+8]	;ExitProcess/Thread(0)
 EOS
 
-    # if exit is set to seh, overrule
+    # if exit is set to seh or none, overrule
     if datastore['EXITFUNC'].upcase.strip == "SEH"
       # routine to exit via exception
       doexit = <<EOS
   xor eax,eax
   call eax
 EOS
       getexitfunc = ''
+    elsif datastore['EXITFUNC'].upcase.strip == "NONE"
+      doexit = <<-EOS
+      nop
+      EOS
+      getexitfunc = ''
     end
 
     # Generate code to get ptr to Title
@@ -232,6 +237,7 @@ def generate
   push 0x41206c6c
   push 0x642e3233
   push 0x72657375    	;user32.dll
+  xor bl,bl           ;make sure we have a null byte
   mov [esp+0xA],bl		;null byte
   mov esi,esp			;put pointer to string on top of stack
   push esi
