Module: Msf::Exploit::KernelMode

Defined in:

lib/msf/core/exploit/kernel_mode.rb

Instance Method Summary

• #encapsulate_kernel_payload(reqs, raw) ⇒ Object protected

  Encapsulates the supplied raw payload within a kernel-mode payload.

• #encode_begin(real_payload, reqs) ⇒ Object

  The way that the kernel-mode mixin works is by replacing the payload to be encoded with one that encapsulates the kernel-mode payload as well.

• #wfs_delay ⇒ Object

  Increase the default delay by five seconds since some kernel-mode payloads may not run immediately.

Instance Method Details

#encapsulate_kernel_payload(reqs, raw) ⇒ Object (protected)

Encapsulates the supplied raw payload within a kernel-mode payload.

# File 'lib/msf/core/exploit/kernel_mode.rb', line 33

def encapsulate_kernel_payload(reqs, raw)
  new_raw = nil
  ext_opt = reqs['ExtendedOptions'] || {}

  # Prepend and append any buffers that were specified in the extended
  # options.  This can be used do perform stack adjustments and other
  # such things against the user-mode payload rather than the
  # encapsulating payload.
  raw =
    (ext_opt['PrependUser'] || '') +
    raw +
    (ext_opt['AppendUser'] || '')

  # If this is a win32 target platform, try to encapsulate it in a
  # win32 kernel-mode payload.
  if target_platform.supports?(Msf::Module::PlatformList.win32)
    ext_opt['UserModeStub'] = raw

    new_raw = Rex::Payloads::Win32::Kernel.construct(ext_opt)
  end

  # If we did not generate a new payload, then something broke.
  if new_raw.nil?
    raise RuntimeError, "Could not encapsulate payload in kernel-mode payload"
  else
    dlog("Encapsulated user-mode payload size #{raw.length} in kernel-mode payload size #{new_raw.length}", 'core', LEV_1)
  end

  new_raw
end

#encode_begin(real_payload, reqs) ⇒ Object

The way that the kernel-mode mixin works is by replacing the payload to be encoded with one that encapsulates the kernel-mode payload as well.

# File 'lib/msf/core/exploit/kernel_mode.rb', line 12

def encode_begin(real_payload, reqs)
  super

  reqs['EncapsulationRoutine'] = Proc.new { |reqs_, raw|
    encapsulate_kernel_payload(reqs_, raw)
  }
end

#wfs_delay ⇒ Object

Increase the default delay by five seconds since some kernel-mode payloads may not run immediately.

# File 'lib/msf/core/exploit/kernel_mode.rb', line 24

def wfs_delay
  super + 5
end