Module: Rex::Payloads::Win32::Kernel::Recovery
Defined in: lib/rex/payloads/win32/kernel/recovery.rb
Overview
Recovery stubs are responsible for ensuring that the kernel does not crash. They must ‘recover’ after the exploit has succeeded, either by consuming the thread or by letting it continue its normal execution. Recovery stubs will often be exploit-dependent.
Class Method Summary
- .default(opts = {}) ⇒ Object
  The default recovery method is to spin the thread.
- .idlethread_restart(opts = {}) ⇒ Object
  Restarts the idle thread by jumping back to the entry point of KiIdleLoop.
- .spin(opts = {}) ⇒ Object
  Infinite ‘hlt’ loop.
Class Method Details
.default(opts = {}) ⇒ Object
The default recovery method is to spin the thread.

# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 18
def self.default(opts = {})
  # Delegate to the 'hlt' loop; the options hash is passed through unchanged
  spin(opts)
end
.idlethread_restart(opts = {}) ⇒ Object
Restarts the idle thread by jumping back to the entry point of KiIdleLoop. This requires a hard-coded address of KiIdleLoop, which you can pass as ‘KiIdleLoopAddress’ in the options hash; if it is omitted, the address for a fully patched Windows XP SP2 (0x804dbb27) is used.

# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 34
def self.idlethread_restart(opts = {})
  # Default to fully patched XPSP2
  opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?

  "\x31\xC0" +                                     # xor eax,eax
  "\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2 (KPCR.Irql = DISPATCH_LEVEL)
  "\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]       (ebx = KPCR.SelfPcr)
  "\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, <KiIdleLoopAddress>
  "\x6A\x00" +                                     # push byte +0x0
  "\xFF\xE0"                                       # jmp eax
end
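As an added example (not Rex's own code), the Ruby below rebuilds the stub from a caller-supplied KiIdleLoop address and decodes the bytes back, so the one hard-coded, target-specific value in it can be checked before the stub is ever used; the helper names and the tiny six-opcode decoder are assumptions made for this example.

```ruby
# Same layout as Recovery.idlethread_restart, assembled from a byte array so the
# result is a binary (ASCII-8BIT) string whatever the source file's encoding is.
def build_idlethread_restart(ki_idle_loop)
  [0x31, 0xC0,                          # xor eax,eax
   0x64, 0xC6, 0x40, 0x24, 0x02,        # mov byte [fs:eax+0x24],0x2
   0x8B, 0x1D, 0x1C, 0xF0, 0xDF, 0xFF,  # mov ebx,[0xffdff01c]
   0xB8].pack('C*') +                   # mov eax, imm32 ...
    [ki_idle_loop].pack('V') +          # ... the little-endian KiIdleLoop address
    [0x6A, 0x00, 0xFF, 0xE0].pack('C*') # push byte +0x0 ; jmp eax
end

# Opcode patterns for just the six instruction forms this stub uses:
# [leading bytes, total length, decoder returning [mnemonic, immediate or nil]].
STUB_PATTERNS = [
  [[0x31, 0xC0],                   2, ->(_) { ['xor eax,eax', nil] }],
  [[0x64, 0xC6, 0x40, 0x24, 0x02], 5, ->(_) { ['mov byte [fs:eax+0x24],0x2', nil] }],
  [[0x8B, 0x1D], 6, ->(b) { d = b[2, 4].pack('C*').unpack1('V'); [format('mov ebx,[0x%08x]', d), d] }],
  [[0xB8],       5, ->(b) { i = b[1, 4].pack('C*').unpack1('V'); [format('mov eax,0x%08x', i), i] }],
  [[0x6A],       2, ->(b) { [format('push byte +0x%x', b[1]), b[1]] }],
  [[0xFF, 0xE0], 2, ->(_) { ['jmp eax', nil] }],
].freeze

# Walks the stub and returns [[offset, mnemonic, immediate], ...]; any byte
# sequence outside the patterns above raises instead of being guessed at.
def decode_recovery_stub(stub)
  bytes, pos, insns = stub.bytes, 0, []
  while pos < bytes.size
    prefix, len, dec = STUB_PATTERNS.find { |p, _, _| bytes[pos, p.size] == p }
    raise ArgumentError, format('unknown opcode 0x%02x at offset %d', bytes[pos], pos) if prefix.nil?
    raise ArgumentError, format('truncated instruction at offset %d', pos) if pos + len > bytes.size
    mnemonic, imm = dec.call(bytes[pos, len])
    insns << [pos, mnemonic, imm]
    pos += len
  end
  insns
end

# The jmp target is the immediate of the 'mov eax' instruction; with the default
# 2GB/2GB split on 32-bit Windows it has to sit in the kernel half (>= 0x80000000).
def idle_loop_target(stub)
  insn = decode_recovery_stub(stub).find { |_, m, _| m.start_with?('mov eax,') }
  insn && insn[2]
end

def kernel_address?(addr)
  addr.between?(0x8000_0000, 0xFFFF_FFFF)
end
```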
.spin(opts = {}) ⇒ Object
Infinite ‘hlt’ loop.
# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 25
def self.spin(opts = {})
  "\xf4\xeb\xfd"   # hlt ; jmp short back to the hlt
end