Land rapid7#4918, Rework how payload prepends work

Author: scriptjunkie

lib/msf/core/encoded_payload.rb

@@ -94,7 +94,7 @@ def generate(raw = nil)
   #
   # @return [String] The raw, unencoded payload.
   def generate_raw
-    self.raw = (reqs['Prepend'] || '') + pinst.generate + (reqs['Append'] || '')
+    self.raw = (reqs['Prepend'] || '') + pinst.generate_complete + (reqs['Append'] || '')
 
     # If an encapsulation routine was supplied, then we should call it so
     # that we can get the real raw payload.

lib/msf/core/payload.rb

@@ -311,6 +311,13 @@ def generate
     internal_generate
   end
 
+  #
+  # Generates the payload and returns the raw buffer to the caller,
+  # handling any post-processing tasks, such as prepended code stubs.
+  def generate_complete
+    apply_prepends(generate)
+  end
+
   #
   # Substitutes variables with values from the module's datastore in the
   # supplied raw buffer for a given set of named offsets.  For instance,
@@ -465,6 +472,13 @@ def compatible_nops
     return nops
   end
 
+  #
+  # A placeholder stub, to be overriden by mixins
+  #
+  def apply_prepends(raw)
+    raw
+  end
+
   ##
   #
   # Event notifications.

lib/msf/core/payload/linux.rb

@@ -91,9 +91,7 @@ def initialize(info = {})
   #
   # Overload the generate() call to prefix our stubs
   #
-  def generate(*args)
-    # Call the real generator to get the payload
-    buf = super(*args)
+  def apply_prepends(buf)
     pre = ''
     app = ''
 

lib/msf/core/payload/windows.rb

@@ -38,9 +38,11 @@ module Msf::Payload::Windows
       'none'    => 0x5DE2C5AA, # GetLastError
     }
 
-
-  def generate
-    return prepends(super)
+  #
+  # Implement payload prepends for Windows payloads
+  #
+  def apply_prepends(raw)
+    apply_prepend_migrate(raw)
   end
 
   #

lib/msf/core/payload/windows/prepend_migrate.rb

@@ -34,7 +34,7 @@ def prepend_migrate?
   #
   # Overload the generate() call to prefix our stubs
   #
-  def prepends(buf)
+  def apply_prepend_migrate(buf)
     pre = ''
 
     test_arch = [ *(self.arch) ]

lib/msf/core/payload/windows/reverse_http.rb

@@ -16,6 +16,7 @@ module Msf
 
 module Payload::Windows::ReverseHttp
 
+  include Msf::Payload::Windows
   include Msf::Payload::Windows::BlockApi
   include Msf::Payload::Windows::Exitfunk
 

modules/payloads/singles/linux/x64/exec.rb

@@ -8,7 +8,7 @@
 
 module Metasploit3
 
-  CachedSize = 209
+  CachedSize = 40
 
   include Msf::Payload::Single
   include Msf::Payload::Linux

modules/payloads/singles/linux/x64/shell_bind_tcp.rb

@@ -11,7 +11,7 @@
 
 module Metasploit3
 
-  CachedSize = 255
+  CachedSize = 86
 
   include Msf::Payload::Single
   include Msf::Payload::Linux

modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb

@@ -7,7 +7,7 @@
 
 module Metasploit3
 
-  CachedSize = 226
+  CachedSize = 57
 
   include Msf::Payload::Single
   include Msf::Payload::Linux

modules/payloads/singles/linux/x64/shell_reverse_tcp.rb

@@ -11,7 +11,7 @@
 
 module Metasploit3
 
-  CachedSize = 243
+  CachedSize = 74
 
   include Msf::Payload::Single
   include Msf::Payload::Linux