# -*- coding: binary -*-
module Msf

  require 'rex/payloads/win32/kernel'

  #
  # Mixin for exploits whose payload has to execute in kernel mode.
  #
  # It hooks the payload encoding step: the buffer the framework would
  # normally encode (the user-mode payload) is first wrapped in a kernel-mode
  # payload produced by Rex::Payloads::Win32::Kernel, and that wrapper is what
  # gets encoded instead.
  #
  module Exploit::KernelMode

    #
    # Hook run at the start of payload encoding.
    #
    # Calls super first, then registers an 'EncapsulationRoutine' in +reqs+.
    # The routine takes the requirements hash and the raw payload and returns
    # the result of encapsulate_kernel_payload, so the user-mode payload is
    # wrapped before it is encoded.
    #
    # @param real_payload the payload being encoded (forwarded to super)
    # @param reqs [Hash] encoding requirements; 'EncapsulationRoutine' is
    #   written into it
    #
    def encode_begin(real_payload, reqs)
      super

      # Kept as a proc rather than a lambda: the encoder's call site is
      # outside this file, so its argument count is not known here.
      reqs['EncapsulationRoutine'] = proc do |routine_reqs, raw_payload|
        encapsulate_kernel_payload(routine_reqs, raw_payload)
      end
    end

    #
    # Some kernel-mode payloads do not run immediately, so the inherited
    # wait-for-session delay is extended by five seconds.
    #
    # @return [Integer] the inherited delay plus five seconds
    #
    def wfs_delay
      super + 5
    end

    protected

    #
    # Wraps the supplied raw user-mode payload inside a kernel-mode payload.
    #
    # Any 'PrependUser' / 'AppendUser' buffers found in
    # reqs['ExtendedOptions'] are placed around the user-mode payload first
    # (stack adjustments and the like), so they act on the user-mode payload
    # rather than on the encapsulating one. Only win32 targets are handled:
    # for them the combined buffer is stored as ext_opt['UserModeStub'] and
    # passed to Rex::Payloads::Win32::Kernel.construct.
    #
    # Note: when reqs['ExtendedOptions'] is present, that same hash receives
    # 'UserModeStub', i.e. the caller's options are modified in place.
    #
    # @param reqs [Hash] encoding requirements (reads 'ExtendedOptions')
    # @param raw [String] the user-mode payload to wrap
    # @return [String] the kernel-mode payload containing +raw+
    # @raise [RuntimeError] if no kernel-mode payload was produced, e.g.
    #   because the target platform is not win32
    #
    def encapsulate_kernel_payload(reqs, raw)
      ext_opt = reqs['ExtendedOptions'] || {}

      prefix = ext_opt['PrependUser'] || ''
      suffix = ext_opt['AppendUser'] || ''
      user_stub = prefix + raw + suffix

      kernel_payload = nil
      if target_platform.supports?(Msf::Module::PlatformList.win32)
        ext_opt['UserModeStub'] = user_stub
        kernel_payload = Rex::Payloads::Win32::Kernel.construct(ext_opt)
      end

      # Nothing was built (non-win32 target, or construct returned nil).
      if kernel_payload.nil?
        raise RuntimeError, "Could not encapsulate payload in kernel-mode payload"
      end

      dlog("Encapsulated user-mode payload size #{user_stub.length} in kernel-mode payload size #{kernel_payload.length}", 'core', LEV_1)
      kernel_payload
    end

  end

end