
Commit c17ee64

author
HD Moore
committed
Merge branch 'master' into feature/uuid-registration
2 parents eac1663 + 9ce669f commit c17ee64


52 files changed

+1937
-747
lines changed

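--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -124,7 +124,7 @@ GEM
 activesupport (>= 4.0.9, < 4.1.0)
 railties (>= 4.0.9, < 4.1.0)
 metasploit-payloads (0.0.7)
-metasploit_data_models (1.0.1)
+metasploit_data_models (1.1.0)
 activerecord (>= 4.0.9, < 4.1.0)
 activesupport (>= 4.0.9, < 4.1.0)
 arel-helpers
@@ -146,7 +146,7 @@ GEM
 mini_portile (~> 0.6.0)
 packetfu (1.1.9)
 pcaprub (0.12.0)
-pg (0.18.1)
+pg (0.18.2)
 pg_array_parser (0.0.9)
 postgres_ext (2.4.1)
 activerecord (>= 4.0.0)
@@ -156,7 +156,7 @@ GEM
 coderay (~> 1.1.0)
 method_source (~> 0.8.1)
 slop (~> 3.4)
-rack (1.5.2)
+rack (1.5.3)
 rack-test (0.6.3)
 rack (>= 1.0)
 rails (4.0.13)
@@ -222,7 +222,7 @@ GEM
 thread_safe (0.3.5)
 tilt (1.4.1)
 timecop (0.7.3)
-tzinfo (0.3.43)
+tzinfo (0.3.44)
 xpath (2.0.0)
 nokogiri (~> 1.3)
 yard (0.8.7.6)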

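--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20150421211719) do
+ActiveRecord::Schema.define(version: 20150514182921) do
 
 # These are extensions that must be enabled in order to support this database
 enable_extension "plpgsql"
@@ -684,9 +684,12 @@
 t.datetime "exploited_at"
 t.integer "vuln_detail_count", default: 0
 t.integer "vuln_attempt_count", default: 0
+t.integer "origin_id"
+t.string "origin_type"
 end
 
 add_index "vulns", ["name"], name: "index_vulns_on_name", using: :btree
+add_index "vulns", ["origin_id"], name: "index_vulns_on_origin_id", using: :btree
 
 create_table "vulns_refs", force: true do |t|
 t.integer "ref_id"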

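--- a/lib/msf/core/payload/windows/exitfunk.rb
+++ b/lib/msf/core/payload/windows/exitfunk.rb
@@ -21,50 +21,50 @@ def asm_exitfunk(opts={})
 
 when 'seh'
 asm << %Q^
-mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['seh']}
-push.i8 0 ; push the exit function parameter
-push ebx ; push the hash of the exit function
-call ebp ; SetUnhandledExceptionFilter(0)
-push.i8 0
-ret ; Return to NULL (crash)
-^
+mov ebx, 0x#{Msf::Payload::Windows.exit_types['seh'].to_s(16)}
+push.i8 0 ; push the exit function parameter
+push ebx ; push the hash of the exit function
+call ebp ; SetUnhandledExceptionFilter(0)
+push.i8 0
+ret ; Return to NULL (crash)
+^
 
 # On Windows Vista, Server 2008, and newer, it is not possible to call ExitThread
 # on WoW64 processes, instead we need to call RtlExitUserThread. This stub will
 # automatically generate the right code depending on the selected exit method.
 
 when 'thread'
 asm << %Q^
-mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['thread']}
-push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
-call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
-cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
-jl exitfunk_goodbye ; Then just call the exit function...
-cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
-jne exitfunk_goodbye ;
-mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
-exitfunk_goodbye: ; We now perform the actual call to the exit function
-push.i8 0 ; push the exit function parameter
-push ebx ; push the hash of the exit function
-call ebp ; call ExitThread(0) || RtlExitUserThread(0)
-^
+mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)}
+push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
+call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
+cmp al, 6 ; If we are not running on Windows Vista, 2008 or 7
+jl exitfunk_goodbye ; Then just call the exit function...
+cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+jne exitfunk_goodbye ;
+mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+exitfunk_goodbye: ; We now perform the actual call to the exit function
+push.i8 0 ; push the exit function parameter
+push ebx ; push the hash of the exit function
+call ebp ; call ExitThread(0) || RtlExitUserThread(0)
+^
 
 when 'process', nil
 asm << %Q^
-mov ebx, #{"0x%.8x" % Msf::Payload::Windows.exit_types['process']}
-push.i8 0 ; push the exit function parameter
-push ebx ; push the hash of the exit function
-call ebp ; ExitProcess(0)
-^
+mov ebx, 0x#{Msf::Payload::Windows.exit_types['process'].to_s(16)}
+push.i8 0 ; push the exit function parameter
+push ebx ; push the hash of the exit function
+call ebp ; ExitProcess(0)
+^
 
 when 'sleep'
 asm << %Q^
-mov ebx, #{"0x%.8x" % Rex::Text.ror13_hash('Sleep')}
-push 300000 ; 300 seconds
-push ebx ; push the hash of the function
-call ebp ; Sleep(300000)
-jmp exitfunk ; repeat
-^
+mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'Sleep')}
+push 300000 ; 300 seconds
+push ebx ; push the hash of the function
+call ebp ; Sleep(300000)
+jmp exitfunk ; repeat
+^
 else
 # Do nothing and continue after the end of the shellcode
 end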
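Review bot: The 'sleep' branch interpolates `Rex::Text.block_api_hash('kernel32.dll', 'Sleep')` bare, whereas the seh, thread and process branches wrap their value as `0x#{….to_s(16)}`; unless block_api_hash already returns a `0x`-prefixed string, the Sleep immediate is emitted in a different radix from the other three, and the four lines should use one form (for an Integer return that would be `mov ebx, 0x#{Rex::Text.block_api_hash('kernel32.dll', 'Sleep').to_s(16)}`). Replacing `"0x%.8x" % …` with `.to_s(16)` also drops the fixed 8-digit width and now raises if `exit_types[...]` ever yields a String, so a one-line comment stating that `exit_types` values are expected to be Integer hashes would make the assumption visible. Separately, the thread branch still hard-codes `cmp bl, 0xE0` and `mov ebx, 0x6F721347` against the ExitThread/RtlExitUserThread hashes; if `exit_types` moved to the block_api_hash scheme the way the Sleep line did, those literals would need re-deriving, which cannot be confirmed from this hunk. The enclosing asm_exitfunk method starts before the hunk.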
