Resolves #4380, check for warbird template

Resolves #4380. Adds a check for warbird (license verification) windows template. For reference please see: http://thisissecurity.net/2014/10/15/warbird-operation/
2015-07-03 02:38:52 -05:00 · 2015-07-03 02:38:52 -05:00 · 5c582b76ca
parent 5be94c12b6
commit 5c582b76ca
2 changed files with 17 additions and 3 deletions
--- a/lib/msf/core/exe/segment_injector.rb
+++ b/lib/msf/core/exe/segment_injector.rb
@ -66,9 +66,23 @@ module Exe
      shellcode.encoded + @payload
    end

+    def is_warbird?(pe)
+      pattern = /\x64\xA1\x30\x00\x00\x00\x2B\xCA\xD1\xF9\x8B\x40\x0C\x83\xC0\x0C/
+      sections = {}
+      pe.sections.each {|s| sections[s.name.to_s] = s}
+      if sections['.text'].encoded.pattern_scan(pattern).blank?
+        return false
+      end
+
+      true
+    end
+
    def generate_pe
      # Copy our Template into a new PE
      pe_orig = Metasm::PE.decode_file(template)
+      if is_warbird?(pe_orig)
+        raise RuntimeError, "The template to inject to appears to have license verification (warbird)"
+      end
      pe = pe_orig.mini_copy

      # Copy the headers and exports
--- a/6
+++ b/6
@ -274,7 +274,7 @@ if __FILE__ == $0
  begin
    generator_opts = parse_args(ARGV)
  rescue MsfVenomError, Msf::OptionValidateError => e
-    $stderr.puts e.message
+    $stderr.puts "Error: #{e.message}"
    exit(-1)
  end

@ -335,7 +335,7 @@ if __FILE__ == $0
    payload = venom_generator.generate_payload
  rescue ::Exception => e
    elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}")
-    $stderr.puts e.message
+    $stderr.puts "Error: #{e.message}"
  end

  # No payload generated, no point to go on
@ -350,7 +350,7 @@ if __FILE__ == $0
    rescue ::Exception => e
      # If I can't save it, then I can't save it. I don't think it matters what error.
      elog("#{e.class} : #{e.message}\n#{e.backtrace * "\n"}")
-      $stderr.puts e.message
+      $stderr.puts "Error: #{e.message}"
    end
  else
    output_stream = $stdout