seh mixin

git-svn-id: file:///home/svn/incoming/trunk@2881 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-05 14:57:30 +01:00 · 2005-09-24 18:02:03 +00:00 · 2005-09-24 18:02:03 +00:00 · 4400f659ec
commit 4400f659ec
parent 23197c644b
2 changed files with 95 additions and 0 deletions
--- a/lib/msf/core/exploit/seh.rb
+++ b/lib/msf/core/exploit/seh.rb
@ -0,0 +1,66 @@
+require 'rex/exploitation/seh'
+
+module Msf
+
+###
+# 
+# Seh
+# ---
+#
+# This mixin provides a interface to generating SEH registration records in a
+# robust fashion using the Rex::Exploitation::Seh class.
+#
+###
+module Exploit::Seh
+
+	def initialize(info = {})
+		super
+
+		# Register an advanced option that allows users to specify whether or
+		# not a dynamic SEH record should be used.
+		register_advanced_options(
+			[
+				OptBool.new('DynamicSehRecord', [ false, "Generate a dynamic SEH record (more stealthy)" ])
+			], Msf::Exploit::Seh)
+	end
+
+	#
+	# Generates an SEH record with zero or more options.  The supported options
+	# are:
+	#
+	#   EvasionLevel
+	#
+	#     The evasion level to use.  If none is supplied, the default is used.
+	#
+	#   NopGenerator
+	#
+	#     The NOP generator instance to use, if any.
+	#
+	#   Space
+	#
+	#     The amount of room the SEH record generator has to play with for
+	#     random padding.  This should be derived from the maximum amount of
+	#     space available to the exploit for payloads minus the current payload
+	#     size.
+	# 
+	def generate_seh_record(handler, opts = {})
+		seh = Rex::Exploitation::Seh.new(
+				payload_badchars,
+				opts['Space'],
+				opts['NopGenerator'])
+
+		evlvl = opts['EvasionLevel'] || seh.default_evasion_level
+
+		# If the user specified that a dynamic SEH record be used, override all
+		# of the supplied settings.
+		if (datastore['DynamicSehRecord'])
+			evlvl = EVASION_HIGH
+		end
+
+		# Generate the record
+		seh.generate_seh_record(handler, evlvl)
+	end
+
+end
+
+end
--- a/lib/msf/core/exploit/seh.rb.ut.rb
+++ b/lib/msf/core/exploit/seh.rb.ut.rb
@ -0,0 +1,29 @@
+#!/usr/bin/ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..'))
+
+require 'test/unit'
+require 'rex'
+require 'msf/core'
+require 'msf/core/exploit/seh'
+
+module Msf
+
+class Exploit::Seh::UnitTest < Test::Unit::TestCase
+
+	class Stub < Msf::Exploit::Remote
+		include Msf::Exploit::Seh
+	end
+
+	def test_seh
+		e = Stub.new
+		r = e.generate_seh_record(0x41414141,
+			'EvasionLevel' => EVASION_NORMAL)
+
+		assert_equal("\xeb\x06", r[0, 2])
+		assert_equal("\x41\x41\x41\x41", r[4, 4])
+	end
+
+end
+
+end