Fix up bind stager payload sizes

OJ · OJ · commit fd827db6ddfe · 2015-05-07T10:13:27.000+10:00
diff --git a/lib/msf/core/payload/windows/bind_tcp.rb b/lib/msf/core/payload/windows/bind_tcp.rb
@@ -30,7 +30,8 @@ def generate
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
       return generate_bind_tcp({
-        :port => datastore['LPORT'].to_i
+        :port => datastore['LPORT'].to_i,
+        :reliable => false
       })
     end
 
@@ -67,8 +68,7 @@ def generate_bind_tcp(opts={})
   #
   def required_space
     # Start with our cached default generated size
-    # TODO: need help with this from the likes of HD.
-    space = 277
+    space = cached_size
 
     # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
     space += 31
diff --git a/lib/msf/core/payload/windows/x64/bind_tcp.rb b/lib/msf/core/payload/windows/x64/bind_tcp.rb
@@ -20,18 +20,15 @@ module Payload::Windows::BindTcp_x64
   include Msf::Payload::Windows::BlockApi_x64
   include Msf::Payload::Windows::Exitfunk_x64
 
-  def close_listen_socket
-    datastore['StagerCloseListenSocket'].nil? || datastore['StagerCloseListenSocket'] == true
-  end
-
   #
   # Generate the first stage
   #
   def generate
     # Generate the simple version of this stager if we don't have enough space
     if self.available_space.nil? || required_space > self.available_space
       return generate_bind_tcp({
-        :port => datastore['LPORT']
+        :port => datastore['LPORT'],
+        :reliable => false
       })
     end
 
@@ -70,21 +67,17 @@ def generate_bind_tcp(opts={})
   def required_space
     # Start with our cached default generated size
     # TODO: need help with this from the likes of HD.
-    space = 277
+    space = cached_size
 
     # EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
     space += 31
 
     # EXITFUNK unset will still call ExitProces, which adds 7 bytes (accounted for above)
 
+    # TODO: this is coming soon
     # Reliability checks add 4 bytes for the first check, 5 per recv check (2)
     #space += 14
 
-    # if the payload doesn't need the listen socket closed then we save space. This is
-    # the case for meterpreter payloads, as metsrv now closes the listen socket once it
-    # kicks off (needed for more reliable shells).
-    space -= 11 unless close_listen_socket
-
     # The final estimated size
     space
   end
diff --git a/modules/payloads/stagers/windows/bind_tcp.rb b/modules/payloads/stagers/windows/bind_tcp.rb
@@ -10,7 +10,7 @@
 
 module Metasploit4
 
-  CachedSize = :dynamic
+  CachedSize = 285
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp
diff --git a/modules/payloads/stagers/windows/x64/bind_tcp.rb b/modules/payloads/stagers/windows/x64/bind_tcp.rb
@@ -10,7 +10,7 @@
 
 module Metasploit4
 
-  CachedSize = :dynamic
+  CachedSize = 479
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows::BindTcp_x64
diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb
@@ -2285,7 +2285,7 @@
                               'stagers/windows/bind_tcp',
                               'stages/windows/dllinject'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/dllinject/bind_tcp'
   end
@@ -2571,7 +2571,7 @@
                               'stagers/windows/bind_tcp',
                               'stages/windows/meterpreter'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/meterpreter/bind_tcp'
   end
@@ -2789,7 +2789,7 @@
                               'stagers/windows/bind_tcp',
                               'stages/windows/patchupdllinject'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/patchupdllinject/bind_tcp'
   end
@@ -2932,7 +2932,7 @@
                               'stagers/windows/bind_tcp',
                               'stages/windows/patchupmeterpreter'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/patchupmeterpreter/bind_tcp'
   end
@@ -3075,7 +3075,7 @@
                               'stagers/windows/bind_tcp',
                               'stages/windows/shell'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/shell/bind_tcp'
   end
@@ -3268,7 +3268,7 @@
                               'stagers/windows/bind_tcp',
                               'stages/windows/upexec'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/upexec/bind_tcp'
   end
@@ -3411,7 +3411,7 @@
                               'stagers/windows/bind_tcp',
                               'stages/windows/vncinject'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/vncinject/bind_tcp'
   end
@@ -3552,7 +3552,7 @@
                               'stagers/windows/x64/bind_tcp',
                               'stages/windows/x64/meterpreter'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/x64/meterpreter/bind_tcp'
   end
@@ -3635,7 +3635,7 @@
                               'stagers/windows/x64/bind_tcp',
                               'stages/windows/x64/shell'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/x64/shell/bind_tcp'
   end
@@ -3677,7 +3677,7 @@
                               'stagers/windows/x64/bind_tcp',
                               'stages/windows/x64/vncinject'
                           ],
-                          dynamic_size: true,
+                          dynamic_size: false,
                           modules_pathname: modules_pathname,
                           reference_name: 'windows/x64/vncinject/bind_tcp'
   end
