defc0ebe5c
This commit contains a few changes for the ppr_flatten_rec local Windows exploit.

First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires the address of the payload to run.

Second, the module in MSF behaved a little strangely. I expected it to create a new session with system privs and leave the existing session alone. This wasn't the case. It used to create an instance of notepad, migrate the _existing_ session to it, and run the exploit from there. This behaviour didn't seem to be consistent with other local exploits. The changes include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has the exploit reflectively loaded.
* New notepad instance has the payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
Files in this commit:

| File |
|---|
| ComplexPath.h |
| ppr_flatten_rec.c |
| ppr_flatten_rec.vcxproj |
| ppr_flatten_rec.vcxproj.filters |