Lands rapid7#4429 by fixing windows/messagebox with EXITFUNC=none

HD Moore · HD Moore · commit 9ede2c2ca590 · 2014-12-19T14:51:57.000-06:00
diff --git a/modules/payloads/singles/windows/messagebox.rb b/modules/payloads/singles/windows/messagebox.rb
@@ -86,14 +86,19 @@ def generate
   call [ebp+8]	;ExitProcess/Thread(0)
 EOS
 
-    # if exit is set to seh, overrule
+    # if exit is set to seh or none, overrule
     if datastore['EXITFUNC'].upcase.strip == "SEH"
       # routine to exit via exception
       doexit = <<EOS
   xor eax,eax
   call eax
 EOS
       getexitfunc = ''
+    elsif datastore['EXITFUNC'].upcase.strip == "NONE"
+      doexit = <<-EOS
+      nop
+      EOS
+      getexitfunc = ''
     end
 
     # Generate code to get ptr to Title
@@ -232,6 +237,7 @@ def generate
   push 0x41206c6c
   push 0x642e3233
   push 0x72657375    	;user32.dll
+  xor bl,bl           ;make sure we have a null byte
   mov [esp+0xA],bl		;null byte
   mov esi,esp			;put pointer to string on top of stack
   push esi
