Add support for custom name/ordinal for RDI #13476
Conversation
|
This stuff seems to come with changes in MSF master that haven't been pulled into 6.x yet. Sorry about that. |
OJ
force-pushed
the
support-rdi-via-ordinal
branch
from
5b0082b to
037fed5
Compare
|
Now that the payloads side is landed and the payloads gem has been bumped to v2.0.6, would you be able to update the gem file and rebase this? When I looked at merging it, there were quite a few conflicts. Thank you! |
This first bit of code aims to add a "map" to the packet functionality that is able to translate to and from "method strings" to "command ids". IDs are sent across the wire, and they're now integers. This removes the need for the strings to be present in things like native meterp, and hence makes things a little less obvious on the wire, and way less obvious on disk/in the payload. Given that we need this functionality in other Meterpreters to support the removal of strings, some code has been added that can generate source files for Python, C# and C. This code might move, but for now it's at least in a spot where it's used the most.
Typo in comments & incorrect symbol in regex.
OJ
force-pushed
the
support-rdi-via-ordinal
branch
from
037fed5 to
53b010a
Compare
|
Alright for my testing I used the same procedure I mentioned on the payloads PR. In addition to that I tried a custom reflective DLL with the
With that, I'm ready to land this. The Travis-CI build failures are due to the payload cached sizes being changed which is expected. KiTrap0d Test |
Release NotesUpdated the Reflective DLL injection capabilities used by Metasploit for payloads and exploits to resolve functions by either ordinal or name. This allows the framework to take advantage of recent payload updates that remove string names and instead resolve the necessary values by ordinal. The framework change are backwards compatible with Reflective DLLs that use the standard |
|
Woohoo! Thank you Spencer!
…On Wed, 24 Jun 2020, 23:45 Spencer McIntyre, ***@***.***> wrote:
Release Notes
This changes the Reflective DLL injection capabilities used by Metasploit
for payloads and exploits to resolve functions by either ordinal or name.
This allows the framework to take advantage of recent payload updates that
remove string names and instead resolve the necessary values by ordinal.
The framework change are backwards compatible with Reflective DLLs that use
the standard ReflectiveLoader name.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#13476 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAHBYDQWJOUZ42HOTVFDOTRYH7OZANCNFSM4ND5HJQQ>
.
|
Please land the Command ID PR before this one.
Most of the details of the changes for this PR can be found in the Meterpreter PR so please take a look over there. That PR needs to lands before this.
The changes worthy of note here are that RDI now allows for a custom loader function name, or for an ordinal to be specified. It currently defaults to
ReflectiveLoaderbecause everything out there currently uses that. Over time, people can compile their own exploit DLLs with a loader that doesn't have a name (like we're now doing for Meterp) making it less obvious that it's a malicious asset.Verification
Do the things in the other PR first. Then:
KiTrap0dandbypassuac_injection) and make sure they still work.