Use Metasploit-Payloads Crypto to decrypt payloads

rapid7 · Oct 13, 2023 · daa8b8a · daa8b8a
1 parent b428736
commit daa8b8a
Show file tree

Hide file tree

Showing 7 changed files with 12 additions and 17 deletions.
diff --git a/lib/msf/core/payload/windows/dll_inject.rb b/lib/msf/core/payload/windows/dll_inject.rb
@@ -205,9 +205,8 @@ def handle_connection_stage(conn, opts = {})
     data = library_name + "\x00"
 
     begin
-      File.open(library_path, "rb") { |f|
-        data += f.read
-      }
+      encrypted_contents = ::File.binread(library_path)
+      data += ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_contents)
     rescue
       print_error("Failed to load DLL: #{$!}.")
 

diff --git a/lib/msf/core/post/windows/reflective_dll_injection.rb b/lib/msf/core/post/windows/reflective_dll_injection.rb
@@ -78,7 +78,7 @@ def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader',
   # @return [Array] Tuple of allocated memory address and offset to the
   #   +ReflectiveLoader+ function.
   def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data)
+    decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data)
     offset = load_rdi_dll_from_data(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
     dll_mem = inject_into_process(process, decrypted_dll_data)
 

diff --git a/lib/msf/core/reflective_dll_loader.rb b/lib/msf/core/reflective_dll_loader.rb
@@ -25,7 +25,7 @@ module Msf::ReflectiveDLLLoader
   #                 +ReflectiveLoader+ function within the DLL.
   def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
     encrypted_dll = ::File.binread(dll_path)
-    dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll)
+    dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll)
 
     offset = parse_pe(dll, loader_name: loader_name, loader_ordinal: loader_ordinal)
 
@@ -43,7 +43,7 @@ def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPO
   #
   # @return [Integer] offset to the +ReflectiveLoader+ function within the DLL.
   def load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data)
+    decrypted_dll_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: dll_data)
     offset = parse_pe(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
 
     unless offset

diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
@@ -258,7 +258,7 @@ def load_library(opts)
       end
 
       if library_image
-        decrypted_library_image = ::MetasploitPayloads.decrypt_payload(payload: library_image)
+        decrypted_library_image = ::MetasploitPayloads::Crypto.decrypt(ciphertext: library_image)
         request.add_tlv(TLV_TYPE_DATA, decrypted_library_image, false, client.capabilities[:zlib])
       else
         raise RuntimeError, "Failed to serialize library #{library_path}.", caller

diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -83,7 +83,7 @@ def getsystem(technique=TECHNIQUE[:any])
       end
 
       encrypted_elevator_data = ::File.binread(elevator_path)
-      elevator_data = ::MetasploitPayloads.decrypt_payload(payload: encrypted_elevator_data)
+      elevator_data = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_elevator_data)
 
       request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data)
       request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)

diff --git a/lib/rex/post/meterpreter/extensions/stdapi/ui.rb b/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
@@ -185,10 +185,8 @@ def screenshot( quality=50 )
           raise RuntimeError, "screenshot.x64.dll not found", caller
         end
 
-        screenshot_dll  = ''
-        ::File.open( screenshot_path, 'rb' ) do |f|
-          screenshot_dll += f.read( f.stat.size )
-        end
+        encrypted_screenshot_dll = ::File.binread(screenshot_path)
+        screenshot_dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_screenshot_dll)
 
         request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER, screenshot_dll, false, true )
       end
@@ -199,10 +197,8 @@ def screenshot( quality=50 )
         raise RuntimeError, "screenshot.x86.dll not found", caller
       end
 
-      screenshot_dll  = ''
-      ::File.open( screenshot_path, 'rb' ) do |f|
-        screenshot_dll += f.read( f.stat.size )
-      end
+      encrypted_screenshot_dll = ::File.binread(screenshot_path)
+      screenshot_dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_screenshot_dll)
 
       request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER, screenshot_dll, false, true )
     end

diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
@@ -385,7 +385,7 @@ def exploit
 
     print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
     encrypted_dll = ::File.binread(library_path)
-    dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll)
+    dll = ::MetasploitPayloads::Crypto.decrypt(ciphertext: encrypted_dll)
 
     patch_win32k_offsets(dll)
     patch_nt_offsets(dll)