adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Land #4377, Support DYNAMIC_BASE templates - resolves #4366

Browse Source
This commit is contained in:
Meatballs
2014-12-23 11:57:33 +00:00
parent 36404eb67f 985245e8a1
commit c2bcde24ef
1 changed files with 21 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/msf/util/exe.rb
+21 -3
View File
@@ -147,6 +147,22 @@ require 'msf/core/exe/segment_injector'
nil
end
# Clears the DYNAMIC_BASE flag for a Windows executable
# @param exe [String] The raw executable to be modified by the method
# @param pe [Rex::PeParsey::Pe] Use Rex::PeParsey::Pe.new_from_file
# @return [String] the modified executable
def self.clear_dynamic_base(exe, pe)
c_bits = ("%32d" %pe.hdr.opt.DllCharacteristics.to_s(2)).split('').map { |e| e.to_i }.reverse
c_bits[6] = 0 # DYNAMIC_BASE
new_dllcharacteristics = c_bits.reverse.join.to_i(2)
# PE Header Pointer offset = 60d
# SizeOfOptionalHeader offset = 94h
dll_ch_offset = exe[60, 4].unpack('h4')[0].reverse.hex + 94
exe[dll_ch_offset, 2] = [new_dllcharacteristics].pack("v")
exe
end
def self.to_win32pe(framework, code, opts = {})
# For backward compatability, this is roughly equivalent to 'exe-small' fmt
@@ -168,6 +184,7 @@ require 'msf/core/exe/segment_injector'
# Create a new PE object and run through sanity checks
fsize = File.size(opts[:template])
pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
text = nil
pe.sections.each {|sec| text = sec if sec.name == ".text"}
@@ -178,7 +195,7 @@ require 'msf/core/exe/segment_injector'
:template => opts[:template],
:arch => :x86
})
injector.generate_pe
return injector.generate_pe
end
raise RuntimeError, "No .text section found in the template" unless text
@@ -282,6 +299,7 @@ require 'msf/core/exe/segment_injector'
exe[exe.index([cks].pack('V')), 4] = [0].pack("V")
end
exe = clear_dynamic_base(exe, pe)
pe.close
exe
@@ -348,6 +366,7 @@ require 'msf/core/exe/segment_injector'
# put the shellcode at the entry point, overwriting template
entryPoint_file_offset = pe.rva_to_file_offset(addressOfEntryPoint)
exe[entryPoint_file_offset,code.length] = code
exe = clear_dynamic_base(exe, pe)
exe
end
@@ -429,7 +448,6 @@ require 'msf/core/exe/segment_injector'
end
def self.exe_sub_method(code,opts ={})
pe = self.get_file_contents(opts[:template])
case opts[:exe_type]
@@ -495,7 +513,7 @@ require 'msf/core/exe/segment_injector'
:template => opts[:template],
:arch => :x64
})
injector.generate_pe
return injector.generate_pe
end
opts[:exe_type] = :exe_sub
exe_sub_method(code,opts)