Module: Rex::Payloads::Win32::Kernel::Recovery

Defined in:
lib/rex/payloads/win32/kernel/recovery.rb

Overview

Recovery stubs are responsible for ensuring that the kernel does not crash once the payload has run. They must ‘recover’ after the exploit has succeeded, either by consuming the thread (never returning) or by letting it continue its normal execution. Recovery stubs are often exploit dependent.

Class Method Summary

Class Method Details

.default(opts = {}) ⇒ Object

The default recovery method is to spin the thread

# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 18

def self.default(opts = {})
  spin(opts)
end

.idlethread_restart(opts = {}) ⇒ Object

Restarts the idle thread by jumping back to the entry point of KiIdleLoop. This requires a hard-coded address of KiIdleLoop, which can be passed as ‘KiIdleLoopAddress’ in the options hash; when it is omitted, the fully patched XP SP2 address is used.

# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 34

def self.idlethread_restart(opts = {})
  # Default to fully patched XPSP2
  opts['KiIdleLoopAddress'] ||= 0x804dbb27

  "\x31\xC0" +                                     # xor eax,eax
  "\x64\xC6\x40\x24\x02" +                         # mov byte [fs:eax+0x24],0x2
  "\x8B\x1D\x1C\xF0\xDF\xFF" +                     # mov ebx,[0xffdff01c]
  "\xB8" + [opts['KiIdleLoopAddress']].pack('V') + # mov eax, KiIdleLoopAddress (0x804dbb27 by default)
  "\x6A\x00" +                                     # push byte +0x0
  "\xFF\xE0"                                       # jmp eax
end

.spin(opts = {}) ⇒ Object

Infinite ‘hlt’ loop.

# File 'lib/rex/payloads/win32/kernel/recovery.rb', line 25

def self.spin(opts = {})
  "\xf4\xeb\xfd" # hlt ; jmp short -3 (back to the hlt)
end
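As an added example (not Rex code), a small Ruby scanner that recognises the two recovery stubs described above inside an arbitrary byte blob, and recovers the KiIdleLoop address encoded in an idlethread_restart stub; useful when triaging a captured kernel payload. The sample blob and the 0x804dbb27 address in it are constructed from the patterns on this page.

```ruby
# Added example, not part of Rex: signature scanner for the recovery stubs
# emitted by Rex::Payloads::Win32::Kernel::Recovery. Constructed input only.
module RecoveryStubScanner
  # Byte pattern of idlethread_restart; nil marks the four wildcard bytes of
  # the imm32 operand of 'mov eax, imm32' (opcode 0xB8).
  IDLETHREAD_PATTERN = [
    0x31, 0xC0,                         # xor eax,eax
    0x64, 0xC6, 0x40, 0x24, 0x02,       # mov byte [fs:eax+0x24],0x2
    0x8B, 0x1D, 0x1C, 0xF0, 0xDF, 0xFF, # mov ebx,[0xffdff01c]
    0xB8, nil, nil, nil, nil,           # mov eax, <KiIdleLoopAddress>
    0x6A, 0x00,                         # push byte +0x0
    0xFF, 0xE0                          # jmp eax
  ].freeze
  SPIN_PATTERN = [0xF4, 0xEB, 0xFD].freeze # hlt ; jmp short -3

  # True when +blob+ matches +pattern+ at byte +offset+ (nil matches any byte).
  def self.match_at?(blob, pattern, offset)
    return false if offset + pattern.length > blob.bytesize
    pattern.each_with_index.all? { |b, i| b.nil? || blob.getbyte(offset + i) == b }
  end

  # Scans +blob+ and returns one hash per stub found, in offset order.
  def self.scan(blob)
    hits = []
    (0...blob.bytesize).each do |off|
      if match_at?(blob, IDLETHREAD_PATTERN, off)
        imm_off = off + IDLETHREAD_PATTERN.index(nil)
        addr = blob.byteslice(imm_off, 4).unpack1('V') # little-endian imm32
        hits << { type: :idlethread_restart, offset: off, ki_idle_loop: addr }
      elsif match_at?(blob, SPIN_PATTERN, off)
        hits << { type: :spin, offset: off }
      end
    end
    hits
  end

  # Constructed sample: 5 NOPs, an idlethread_restart stub with a constructed
  # KiIdleLoop address, 3 INT3s, then a spin stub. Built with pack so every
  # piece is a binary string and concatenation never mixes encodings.
  def self.sample_blob
    head = IDLETHREAD_PATTERN.take(14).pack('C*') # bytes up to and including 0xB8
    tail = IDLETHREAD_PATTERN.drop(18).pack('C*') # push byte +0x0 ; jmp eax
    ([0x90] * 5).pack('C*') + head + [0x804dbb27].pack('V') + tail +
      ([0xCC] * 3).pack('C*') + SPIN_PATTERN.pack('C*')
  end
end

RecoveryStubScanner.scan(RecoveryStubScanner.sample_blob).each { |h| puts h.inspect } if $PROGRAM_NAME == __FILE__
```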