# -*- coding: binary -*-
module Msf
  require 'rex/payloads/win32/kernel'

  #
  # Mixin for exploits whose payload must run in kernel mode.  Instead of
  # encoding the user-mode payload directly, it registers an encapsulation
  # routine that wraps the user-mode bytes in a kernel-mode payload first
  # (only the win32 builder from Rex::Payloads::Win32::Kernel is wired up).
  #
  module Exploit::KernelMode
    #
    # Hook run at the start of payload encoding.  After the inherited
    # handling, installs the routine that wraps the raw user-mode payload in
    # a kernel-mode payload before encoding takes place.
    #
    # @param real_payload the payload being encoded (forwarded to super)
    # @param reqs [Hash] encoding requirements; 'EncapsulationRoutine' is
    #   (over)written with a proc that takes (reqs, raw) and returns the
    #   encapsulated bytes.
    #
    def encode_begin(real_payload, reqs)
      super
      reqs['EncapsulationRoutine'] = proc do |encode_reqs, raw_payload|
        encapsulate_kernel_payload(encode_reqs, raw_payload)
      end
    end

    #
    # Returns the inherited wfs_delay plus five seconds, because a
    # kernel-mode payload may not execute immediately after delivery.
    #
    def wfs_delay
      super + 5
    end

    protected

    #
    # Wraps the raw user-mode payload inside a kernel-mode payload.
    #
    # @param reqs [Hash] encoding requirements.  reqs['ExtendedOptions'], when
    #   present, supplies 'PrependUser' / 'AppendUser' and the options handed
    #   to the kernel payload builder.  NOTE: if that hash is present it is
    #   mutated in place -- 'UserModeStub' is stored into it.
    # @param raw [String] the user-mode payload bytes
    # @return [String] the kernel-mode payload embedding the user-mode stub
    # @raise [RuntimeError] when no kernel-mode payload was produced (any
    #   target platform other than win32 ends up here)
    #
    def encapsulate_kernel_payload(reqs, raw)
      ext_opt = reqs['ExtendedOptions'] || {}

      # Caller-supplied bytes wrapped around the user-mode payload (e.g. a
      # stack adjustment).  They are used verbatim; nothing here validates
      # them, so they are trusted exactly as much as the rest of the options.
      prefix = ext_opt['PrependUser'] || ''
      suffix = ext_opt['AppendUser'] || ''
      user_stub = prefix + raw + suffix

      kernel_payload = nil
      if target_platform.supports?(Msf::Module::PlatformList.win32)
        ext_opt['UserModeStub'] = user_stub
        kernel_payload = Rex::Payloads::Win32::Kernel.construct(ext_opt)
      end

      # No builder matched (or the builder returned nothing): fail loudly
      # rather than hand back an un-encapsulated payload.
      if kernel_payload.nil?
        raise RuntimeError, "Could not encapsulate payload in kernel-mode payload"
      end

      dlog("Encapsulated user-mode payload size #{user_stub.length} in kernel-mode payload size #{kernel_payload.length}", 'core', LEV_1)
      kernel_payload
    end
  end
end