diff --git a/lib/msf/core/post/windows/reflective_dll_injection.rb b/lib/msf/core/post/windows/reflective_dll_injection.rb
index 6278514b95df7..151ea9703689f 100644
--- a/lib/msf/core/post/windows/reflective_dll_injection.rb
+++ b/lib/msf/core/post/windows/reflective_dll_injection.rb
@@ -78,8 +78,9 @@ def inject_dll_into_process(process, dll_path, loader_name: 'ReflectiveLoader',
 # @return [Array] Tuple of allocated memory address and offset to the
 # +ReflectiveLoader+ function.
 def inject_dll_data_into_process(process, dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
- offset = load_rdi_dll_from_data(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
- dll_mem = inject_into_process(process, dll_data)
+ decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data)
+ offset = load_rdi_dll_from_data(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
+ dll_mem = inject_into_process(process, decrypted_dll_data)
 return dll_mem, offset
 end
diff --git a/lib/msf/core/reflective_dll_loader.rb b/lib/msf/core/reflective_dll_loader.rb
index b1433262b0a83..a2abd90d70730 100644
--- a/lib/msf/core/reflective_dll_loader.rb
+++ b/lib/msf/core/reflective_dll_loader.rb
@@ -24,8 +24,8 @@ module Msf::ReflectiveDLLLoader
 # @return [Array] Tuple of DLL contents and offset to the
 # +ReflectiveLoader+ function within the DLL.
 def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
- dll = ''
- ::File.open(dll_path, 'rb') { |f| dll = f.read }
+ encrypted_dll = ::File.binread(dll_path)
+ dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll)
 offset = parse_pe(dll, loader_name: loader_name, loader_ordinal: loader_ordinal)
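Review bot: `inject_dll_data_into_process` now decrypts `dll_data` and then hands `decrypted_dll_data` to `load_rdi_dll_from_data`, which in this same commit (the `@@ -43,7 +43,8 @@` hunk of reflective_dll_loader.rb) calls `::MetasploitPayloads.decrypt_payload` on its argument a second time, so the bytes `parse_pe` inspects have been through the decryptor twice while `inject_into_process` receives the once-decrypted copy. Unless `decrypt_payload` recognises already-plaintext input and returns it unchanged, which I cannot confirm from this diff, the offset and the injected image will come from different byte strings and the loader export lookup will either fail or return a wrong offset. Decrypting in exactly one place fixes it: keep the decryption here, and in `load_rdi_dll_from_data` revert to `offset = parse_pe(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)` so that method keeps taking plaintext, matching how `load_rdi_dll` already feeds `parse_pe`. Whichever side keeps the call, the docstring should state the expected input format, e.g. `# @param dll_data [String] DLL bytes in the encrypted metasploit-payloads format; decrypted before injection.`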
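Review bot: The `# @return [Array] Tuple of DLL contents ...` comment above `load_rdi_dll` still describes the method as returning the file's contents, but the returned `dll` is now the output of `::MetasploitPayloads.decrypt_payload`, so a caller that hands over a plain (unencrypted) DLL path, the previous contract, gets whatever the decryptor makes of it. I'd add `# @param dll_path [String] path to a DLL stored in the encrypted metasploit-payloads format; it is decrypted before parsing.` and, if `decrypt_payload` raises on malformed or unencrypted input, a `@raise` line naming that exception so callers know what to rescue (the diff does not show what it raises). The same read-then-decrypt pair is repeated in `getsystem` (priv.rb) and in the ms15_078 exploit hunk; a single helper in this module, `def read_rdi_dll(dll_path)` / `::MetasploitPayloads.decrypt_payload(payload: ::File.binread(dll_path))` / `end`, would keep the on-disk format assumption in one place. `load_rdi_dll`'s body continues past the end of the hunk.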
@@ -43,7 +43,8 @@ def load_rdi_dll(dll_path, loader_name: 'ReflectiveLoader', loader_ordinal: EXPO
 #
 # @return [Integer] offset to the +ReflectiveLoader+ function within the DLL.
 def load_rdi_dll_from_data(dll_data, loader_name: 'ReflectiveLoader', loader_ordinal: EXPORT_REFLECTIVELOADER)
- offset = parse_pe(dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
+ decrypted_dll_data = ::MetasploitPayloads.decrypt_payload(payload: dll_data)
+ offset = parse_pe(decrypted_dll_data, loader_name: loader_name, loader_ordinal: loader_ordinal)
 unless offset
 raise 'Cannot find the ReflectiveLoader entry point in DLL data'
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index ee6c9b830e976..6cff9029d125b 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -82,11 +82,8 @@ def getsystem(technique=TECHNIQUE[:any])
 raise RuntimeError, "#{elevators.chomp(', ')} not found", caller
 end
- elevator_data = ''
-
- ::File.open(elevator_path, 'rb') { |f|
- elevator_data += f.read(f.stat.size)
- }
+ encrypted_elevator_data = ::File.binread(elevator_path)
+ elevator_data = ::MetasploitPayloads.decrypt_payload(payload: encrypted_elevator_data)
 request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_DLL, elevator_data)
 request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)
diff --git a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
index 1702730ff3453..eb0f8abf4b1e4 100644
--- a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
+++ b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
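Review bot: `request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.length)` in `getsystem` now measures the string returned by `::MetasploitPayloads.decrypt_payload` rather than the raw `'rb'` read it replaced; `String#length` counts characters, so if the decryptor ever returns something other than an ASCII-8BIT string the length TLV will disagree with the byte count of the DLL TLV sent on the line before it. `String#bytesize` is the intended quantity under every encoding, so I'd change that line to `request.add_tlv(TLV_TYPE_ELEVATE_SERVICE_LENGTH, elevator_data.bytesize)`. Whether `decrypt_payload` returns a binary-encoded string I cannot tell from this diff, which is exactly why the encoding-independent call is preferable. `getsystem` starts and continues outside the hunk.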
@@ -384,8 +384,8 @@ def exploit
 library_path = ::File.expand_path(library_path)
 print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
- dll = ''
- ::File.open(library_path, 'rb') { |f| dll = f.read }
+ encrypted_dll = ::File.binread(library_path)
+ dll = ::MetasploitPayloads.decrypt_payload(payload: encrypted_dll)
 patch_win32k_offsets(dll)
 patch_nt_offsets(dll)