
Fix up bind stager payload sizes

OJ 2015-05-07 10:13:27 +10:00
parent 9d7a7cb68d
commit fd827db6dd
5 changed files with 19 additions and 26 deletions


@ -30,7 +30,8 @@ module Payload::Windows::BindTcp
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_bind_tcp({
:port => datastore['LPORT'].to_i
:port => datastore['LPORT'].to_i,
:reliable => false
})
end
@ -67,8 +68,7 @@ module Payload::Windows::BindTcp
#
def required_space
# Start with our cached default generated size
# TODO: need help with this from the likes of HD.
space = 277
space = cached_size
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
space += 31
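Review bot: `space = cached_size` makes `required_space` depend on the including module's `CachedSize` being an Integer, but the module files in this same commit previously declared `CachedSize = :dynamic`; if `cached_size` can still return that symbol for any other module mixing in this stager, the following `space += 31` raises NoMethodError rather than falling back to the simple stager. A clear failure at the source is preferable, e.g. `raise ArgumentError, 'CachedSize must be an Integer for size-aware bind_tcp stagers' unless cached_size.is_a?(Integer)` before the assignment. The same concern applies to the x64 `required_space` hunk and to the hard-coded 285 and 479 values in the two module files, which will silently under-estimate the payload (and let the reliable variant be chosen when it no longer fits) unless they are regenerated whenever the stager's assembly changes; a comment on each `CachedSize` line saying it must be regenerated with the stager is worth adding. `required_space` continues past the end of this hunk.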


@ -20,10 +20,6 @@ module Payload::Windows::BindTcp_x64
include Msf::Payload::Windows::BlockApi_x64
include Msf::Payload::Windows::Exitfunk_x64
def close_listen_socket
datastore['StagerCloseListenSocket'].nil? || datastore['StagerCloseListenSocket'] == true
end
#
# Generate the first stage
#
@ -31,7 +27,8 @@ module Payload::Windows::BindTcp_x64
# Generate the simple version of this stager if we don't have enough space
if self.available_space.nil? || required_space > self.available_space
return generate_bind_tcp({
:port => datastore['LPORT']
:port => datastore['LPORT'],
:reliable => false
})
end
@ -70,21 +67,17 @@ module Payload::Windows::BindTcp_x64
def required_space
# Start with our cached default generated size
# TODO: need help with this from the likes of HD.
space = 277
space = cached_size
# EXITFUNK processing adds 31 bytes at most (for ExitThread, only ~16 for others)
space += 31
# EXITFUNK unset will still call ExitProces, which adds 7 bytes (accounted for above)
# TODO: this is coming soon
# Reliability checks add 4 bytes for the first check, 5 per recv check (2)
#space += 14
# if the payload doesn't need the listen socket closed then we save space. This is
# the case for meterpreter payloads, as metsrv now closes the listen socket once it
# kicks off (needed for more reliable shells).
space -= 11 unless close_listen_socket
# The final estimated size
space
end
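Review bot: `:port => datastore['LPORT']` on the new side of the x64 `generate` hunk passes the datastore value through unchanged, while the x86 counterpart in this commit uses `datastore['LPORT'].to_i`; if `generate_bind_tcp` packs the port numerically, a String value would fail or encode wrongly, so `:port => datastore['LPORT'].to_i,` keeps the two stagers consistent. Separately, the `required_space` hunk drops `close_listen_socket` and the 11-byte adjustment, so the `StagerCloseListenSocket` option, if it is still registered elsewhere in this file, is now silently ignored and should be removed or documented as a no-op. The enclosing `generate` method starts and ends outside its hunk.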


@ -10,7 +10,7 @@ require 'msf/core/payload/windows/bind_tcp'
module Metasploit4
CachedSize = :dynamic
CachedSize = 285
include Msf::Payload::Stager
include Msf::Payload::Windows::BindTcp


@ -10,7 +10,7 @@ require 'msf/core/payload/windows/x64/bind_tcp'
module Metasploit4
CachedSize = :dynamic
CachedSize = 479
include Msf::Payload::Stager
include Msf::Payload::Windows::BindTcp_x64


@ -2285,7 +2285,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/dllinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/dllinject/bind_tcp'
end
@ -2571,7 +2571,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/meterpreter'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/meterpreter/bind_tcp'
end
@ -2789,7 +2789,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/patchupdllinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/patchupdllinject/bind_tcp'
end
@ -2932,7 +2932,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/patchupmeterpreter'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/patchupmeterpreter/bind_tcp'
end
@ -3075,7 +3075,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/shell'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/shell/bind_tcp'
end
@ -3268,7 +3268,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/upexec'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/upexec/bind_tcp'
end
@ -3411,7 +3411,7 @@ describe 'modules/payloads', :content do
'stagers/windows/bind_tcp',
'stages/windows/vncinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/vncinject/bind_tcp'
end
@ -3552,7 +3552,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/bind_tcp',
'stages/windows/x64/meterpreter'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/meterpreter/bind_tcp'
end
@ -3635,7 +3635,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/bind_tcp',
'stages/windows/x64/shell'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/shell/bind_tcp'
end
@ -3677,7 +3677,7 @@ describe 'modules/payloads', :content do
'stagers/windows/x64/bind_tcp',
'stages/windows/x64/vncinject'
],
dynamic_size: true,
dynamic_size: false,
modules_pathname: modules_pathname,
reference_name: 'windows/x64/vncinject/bind_tcp'
end