added windows payload for exitfunc substitution

git-svn-id: file:///home/svn/incoming/trunk@2680 4d416f70-5f16-0410-b530-b9f4589650da
2005-07-09 01:03:11 +00:00 · 2005-07-09 01:03:11 +00:00 · 5f18b24e8b
parent 40e36360a1
commit 5f18b24e8b
4 changed files with 59 additions and 2 deletions
--- a/lib/msf/core/payload.rb
+++ b/lib/msf/core/payload.rb
@ -17,6 +17,9 @@ class Payload < Msf::Module
 	require 'Msf/Core/Payload/Single'
 	require 'Msf/Core/Payload/Stager'

+	# Platform specific includes
+	require 'Msf/Core/Payload/Windows'
+
 	# Payload types
 	module Type
 		Single = (1 << 0)
@ -97,7 +100,7 @@ class Payload < Msf::Module
 			offset, pack = info

 			# Give the derived class a chance to substitute this variable
-			next if (replace_var(raw, name, offset, pack))
+			next if (replace_var(raw, name, offset, pack) == true)

 			# Now it's our turn...
 			if ((val = datastore[name]))
@ -122,7 +125,7 @@ class Payload < Msf::Module
 	# using the given pack type.  This is here to allow derived payloads
 	# the opportunity to replace advanced variables.
 	def replace_var(raw, name, offset, pack)
-		return nil
+		return false
 	end

 	# Payload prepending and appending for various situations
--- a/lib/msf/core/payload/windows.rb
+++ b/lib/msf/core/payload/windows.rb
@ -0,0 +1,51 @@
+require 'Msf/Core'
+
+###
+#
+# Windows
+# -------
+#
+# This class is here to implement advanced variable substitution
+# for windows-based payloads, such as EXITFUNC.  Windows payloads
+# are expected to include this module if they want advanced
+# variable substitution.
+#
+###
+module Msf::Payload::Windows
+
+	# 
+	# ROR hash associations for some of the exit technique routines
+	#
+	@@exit_types = 
+		{
+			'seh'     => 0x5f048af0, # SetUnhandledExceptionFilter
+			'thread'  => 0x60e0ceef, # ExitThread
+			'process' => 0x73e2d87e, # ExitProcess
+		}
+
+	def initialize(info = {})
+		super
+		
+		register_options(
+			[
+				Msf::OptRaw.new('EXITFUNC', [ true, "Exit technique: #{@@exit_types.keys.join(", ")}", 'seh' ])
+			], Msf::Payload::Windows)
+	end
+
+	#
+	# Replace the EXITFUNC variable like madness
+	#
+	def replace_var(raw, name, offset, pack)
+		if (name == 'EXITFUNC')
+			method = datastore[name]
+			method = 'seh' if (!method or @@exit_types.include?(method) == false)
+
+			raw[offset, 4] = [ @@exit_types[method] ].pack('V')
+
+			return true
+		end
+
+		return false
+	end
+
+end
--- a/modules/payloads/stagers/windows/reverse_tcp.rb
+++ b/modules/payloads/stagers/windows/reverse_tcp.rb
@ -9,6 +9,7 @@ module Stager
 module ReverseTcp

 	include Msf::Payload::Stager
+	include Msf::Payload::Windows

 	def initialize(info = {})
 		super(merge_info(info,
--- a/modules/payloads/stages/windows/shell.rb
+++ b/modules/payloads/stages/windows/shell.rb
@ -8,6 +8,8 @@ module Stage

 module Shell

+	include Msf::Payload::Windows
+
 	def initialize(info = {})
 		super(merge_info(info,
 			'Name'          => 'Stage: Shell',