
Commit 7a566ef

committed
Merge branch 'master' of git://github.com/rapid7/metasploit-framework
2 parents 4890882 + 9ce669f commit 7a566ef

30 files changed

+1851
-678
lines changed

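--- a/lib/msf/core/payload/windows/exitfunk.rb
+++ b/lib/msf/core/payload/windows/exitfunk.rb
@@ -21,50 +21,50 @@ def asm_exitfunk(opts={})
 
 when 'seh'
 asm << %Q^
-mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']}
-push.i8 0 ; push the exit function parameter
-push ebx ; push the hash of the exit function
-call ebp ; SetUnhandledExceptionFilter(0)
-push.i8 0
-ret ; Return to NULL (crash)
-^
+mov ebx, 0x#{Msf::Payload::Windows.exit_types['seh'].to_s(16)}
+push.i8 0 ; push the exit function parameter
+push ebx ; push the hash of the exit function
+call ebp ; SetUnhandledExceptionFilter(0)
+push.i8 0
+ret ; Return to NULL (crash)
+^
 
 # On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
 # on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
 # automatically generate the right code depending on the selected exit method.
 
 when 'thread'
 asm << %Q^
-mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']}
-push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
-call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
-cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
-jl exitfunk_goodbye ; Then just call the exit function...
-cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
-jne exitfunk_goodbye ;
-mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
-exitfunk_goodbye: ; We now perform the actual call to the exit function
-push.i8 0 ; push the exit function parameter
-push ebx ; push the hash of the exit function
-call ebp ; call ExitThread(0) || RtlExitUserThread(0)
-^
+mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)}
+push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
+call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
+cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
+jl exitfunk_goodbye ; Then just call the exit function...
+cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+jne exitfunk_goodbye ;
+mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+exitfunk_goodbye: ; We now perform the actual call to the exit function
+push.i8 0 ; push the exit function parameter
+push ebx ; push the hash of the exit function
+call ebp ; call ExitThread(0) || RtlExitUserThread(0)
+^
 
 when 'process', nil
 asm << %Q^
-mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']}
-push.i8 0 ; push the exit function parameter
-push ebx ; push the hash of the exit function
-call ebp ; ExitProcess(0)
-^
+mov ebx, 0x#{Msf::Payload::Windows.exit_types['process'].to_s(16)}
+push.i8 0 ; push the exit function parameter
+push ebx ; push the hash of the exit function
+call ebp ; ExitProcess(0)
+^
 
 when 'sleep'
 asm << %Q^
-mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')}
-push 300000 ; 300 seconds
-push ebx ; push the hash of the function
-call ebp ; Sleep(300000)
-jmp exitfunk ; repeat
-^
+mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')}
+push 300000 ; 300 seconds
+push ebx ; push the hash of the function
+call ebp ; Sleep(300000)
+jmp exitfunk ; repeat
+^
 else
 # Do nothing and continue after the end of the shellcode
 end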
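Review bot: The new 'sleep' branch (line 62) interpolates `Rex::Text.block_api_hash('kernel32.dll', 'Sleep')` bare, while the three branches above it now emit `0x#{... .to_s(16)}`; presumably block_api_hash already returns a 0x-prefixed string so the emitted operand is well-formed, but the two forms side by side invite a future edit that double-prefixes or drops the prefix, so either a one-line comment on line 62 or one consistent form across the four branches would help. The 'thread' branch still carries the literal hashes `0x9DBD95A6` and `0x6F721347` and the `cmp bl, 0xE0` test, which presumably compares the low byte of exit_types['thread']; now that the sleep branch derives its hash from the helper, `push #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')}` and `mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')}` would keep every hash in one place, and a comment such as `; 0xE0 must track the low byte of exit_types['thread'] (ExitThread)` would record the coupling that the byte compare silently depends on. The `.to_s(16)` form also drops the zero-padding the old `"0x%.8x"` gave; harmless for the assembler, but worth noting if any caller pattern-matches the generated text. asm_exitfunk's signature and its `case` opening are outside this hunk.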
