Fix named pipe migration stubs

OJ · Brent Cook · commit 7a2a47586b56 · 2017-09-07T01:36:25.000-05:00
diff --git a/lib/msf/core/payload/windows/migrate_named_pipe.rb b/lib/msf/core/payload/windows/migrate_named_pipe.rb
@@ -13,8 +13,7 @@ module Msf
 
 module Payload::Windows::MigrateNamedPipe
 
-  include Msf::Payload::Windows
-  include Msf::Payload::Windows::BlockApi
+  include Msf::Payload::Windows::MigrateCommon
 
   def initialize(info={})
     super(update_info(info,
@@ -30,23 +29,15 @@ def initialize(info={})
   #
   # Constructs the payload
   #
-  def generate
+  def generate_migrate(opts = {})
     %Q^
-    migrate:
-      cld
-      pop esi
-      pop esi                   ; esi now contains a pointer to the migrate context
-      sub esp, 0x2000
-      call start
-      #{asm_block_api}
-    start:
-      pop ebp
+    start_migrate_pipe:
       mov edi, [esi+16]         ; The duplicated pipe handle is in the migrate context.
-    signal_event:
+    signal_pipe_event:
       push dword [esi]          ; Event handle is pointed at by esi
       push #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')}
       call ebp                  ; SetEvent(handle)
-    call_payload:
+    call_pipe_payload:
       call dword [esi+8]        ; call the associated payload
     ^
   end
diff --git a/lib/msf/core/payload/windows/x64/migrate_named_pipe.rb b/lib/msf/core/payload/windows/x64/migrate_named_pipe.rb
@@ -13,8 +13,7 @@ module Msf
 
 module Payload::Windows::MigrateNamedPipe_x64
 
-  include Msf::Payload::Windows
-  include Msf::Payload::Windows::BlockApi_x64
+  include Msf::Payload::Windows::MigrateCommon_x64
 
   def initialize(info={})
     super(update_info(info,
@@ -30,23 +29,15 @@ def initialize(info={})
   #
   # Constructs the payload
   #
-  def generate
+  def generate_migrate(opts = {})
     %Q^
-    migrate:
-      cld
-      mov rsi, rcx
-      sub rsp, 0x2000
-      and rsp, ~0xF
-      call start
-      #{asm_block_api}
-    start:
-      pop rbp
+    start_migrate_pipe:
       mov rdi, qword [rsi+16]   ; The duplicated pipe handle is in the migrate context.
-    signal_event:
+    signal_pipe_event:
       mov rcx, qword [rsi]      ; Event handle is pointed at by rsi
       mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'SetEvent')}
       call rbp                  ; SetEvent(handle)
-    call_payload:
+    call_pipe_payload:
       call qword [rsi+8]        ; call the associated payload
     ^
   end
