
Commit 91c337b

author
Brent Cook
committed
Land rapid7#8508, fix 32-bit to 64-bit process migration on AMD cpus
2 parents 8c35e54 + 5f10e63 commit 91c337b


4 files changed

+13
-7
lines changed


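--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -15,7 +15,7 @@ PATH
 metasploit-concern
 metasploit-credential
 metasploit-model
-metasploit-payloads (= 1.2.29)
+metasploit-payloads (= 1.2.32)
 metasploit_data_models
 metasploit_payloads-mettle (= 0.1.9)
 msgpack
@@ -195,7 +195,7 @@ GEM
 activemodel (~> 4.2.6)
 activesupport (~> 4.2.6)
 railties (~> 4.2.6)
-metasploit-payloads (1.2.29)
+metasploit-payloads (1.2.32)
 metasploit_data_models (2.0.14)
 activerecord (~> 4.2.6)
 activesupport (~> 4.2.6)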

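--- a/external/source/shellcode/windows/x86/src/migrate/executex64.asm
+++ b/external/source/shellcode/windows/x86/src/migrate/executex64.asm
@@ -40,6 +40,9 @@ delta:
 
 call go_all_native ; perform the transition into native x64 and return here when done.
 
+mov ax, ds ; fixes an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484
+mov ss, ax ; found and fixed by ReWolf, incorporated by RaMMicHaeL
+
 add esp, (8+4+8) ; remove the 8 bytes we allocated + the return address which was never popped off + the qword pushed from native_x64
 pop edi ; restore the clobbered registers
 pop esi ;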
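Review bot: `mov ax, ds` on new line 43 overwrites the low 16 bits of eax, and if eax still carries the value the 64-bit callee returned when control lands here (native_x64 and the rest of this routine are outside the hunk, so this is inferred from the `qword pushed from native_x64` comment), a caller that tests that result against zero will now see the DS selector instead. If the result is meant to survive, doing the reload through a register the epilogue does not read, e.g. `mov cx, ds` / `mov ss, cx`, keeps both the fix and the return value; any hand-patched byte strings built from this file would need the same change. The comment should also say what is being repaired rather than only linking the post, e.g. `; reload SS after the far return from x64 — presumably the far return leaves SS's cached descriptor stale on AMD CPUs; confirm against the linked write-up`. The enclosing function starts before and ends after this hunk.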

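--- a/external/source/vncdll/vncdll/inject.c
+++ b/external/source/vncdll/vncdll/inject.c
@@ -12,11 +12,14 @@
 #endif
 
 // see '/msf3/external/source/shellcode/x86/migrate/executex64.asm'
+// 03.06.2017: fixed an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484
+// found and fixed by ReWolf, incorporated by RaMMicHaeL
 BYTE migrate_executex64[] = "\x55\x89\xE5\x56\x57\x8B\x75\x08\x8B\x4D\x0C\xE8\x00\x00\x00\x00"
-"\x58\x83\xC0\x25\x83\xEC\x08\x89\xE2\xC7\x42\x04\x33\x00\x00\x00"
-"\x89\x02\xE8\x09\x00\x00\x00\x83\xC4\x14\x5F\x5E\x5D\xC2\x08\x00"
-"\x8B\x3C\x24\xFF\x2A\x48\x31\xC0\x57\xFF\xD6\x5F\x50\xC7\x44\x24"
-"\x04\x23\x00\x00\x00\x89\x3C\x24\xFF\x2C\x24";
+"\x58\x83\xC0\x2B\x83\xEC\x08\x89\xE2\xC7\x42\x04\x33\x00\x00\x00"
+"\x89\x02\xE8\x0F\x00\x00\x00\x66\x8C\xD8\x66\x8E\xD0\x83\xC4\x14"
+"\x5F\x5E\x5D\xC2\x08\x00\x8B\x3C\xE4\xFF\x2A\x48\x31\xC0\x57\xFF"
+"\xD6\x5F\x50\xC7\x44\x24\x04\x23\x00\x00\x00\x89\x3C\x24\xFF\x2C"
+"\x24";
 
 // see '/msf3/external/source/shellcode/x64/migrate/remotethread.asm'
 BYTE migrate_wownativex[] = "\xFC\x48\x89\xCE\x48\x89\xE7\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00"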
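Review bot: the byte `\xE4` in the new fourth string (`\x8B\x3C\xE4`) replaces the `\x24` of the removed line; both SIB bytes select base=esp with no index register, so the instruction still decodes as `mov edi, [esp]`, but it is unlikely to be what the assembler emits for that operand and looks like a hand-editing slip — either restore `\x8B\x3C\x24` or add a comment saying why the encoding differs. Apart from that byte the patch is internally consistent: the six inserted bytes `\x66\x8C\xD8\x66\x8E\xD0` match the +6 adjustments to `\x83\xC0\x2B` and `\xE8\x0F\x00\x00\x00`. Since this blob is maintained by hand, the new comment lines would be a good place to record how the bytes are regenerated from the .asm, and the path on the preceding context line (`/msf3/external/source/shellcode/x86/migrate/executex64.asm`) no longer matches where the source lives in this commit (`external/source/shellcode/windows/x86/src/migrate/executex64.asm`).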

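--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@@ -68,7 +68,7 @@ Gem::Specification.new do |spec|
 # are needed when there's no database
 spec.add_runtime_dependency 'metasploit-model'
 # Needed for Meterpreter
-spec.add_runtime_dependency 'metasploit-payloads', '1.2.29'
+spec.add_runtime_dependency 'metasploit-payloads', '1.2.32'
 # Needed for the next-generation POSIX Meterpreter
 spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.1.9'
 # Needed by msfgui and other rpc components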
