Fix up changes from timwr's review so long

Grant Willcox 2021-11-08 16:12:20 -06:00
parent 780a9370a2
commit 3af93cbacc
No known key found for this signature in database
GPG Key ID: D35E05C0F2B81E83
2 changed files with 4 additions and 4 deletions

View File

@ -4,7 +4,7 @@ A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k
an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact
that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers
can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object
that is referenced byt his handle being freed. The attacker can then replace the memory referenced by the handle
that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the
attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.
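Review bot: the account name is still written two ways within this paragraph: `NT AUTHORITY\SYSTEM` in backticks on the second line and bare NT AUTHORITY\SYSTEM on the last line; pick one form for the docs file. The "byt his" to "by this" correction on the fifth line is right, and because this paragraph is duplicated verbatim in the module's 'Description' string, any further wording changes need to be applied to both copies so the docs and the module do not drift apart again.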

View File

@ -17,13 +17,13 @@ class MetasploitModule < Msf::Exploit::Local
update_info(
info,
{
'Name' => '',
'Name' => 'Win32k NtGdiResetDC Use After Free Local Privilege Elevation',
'Description' => %q{
A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by
an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact
that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers
can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object
that is referenced byt his handle being freed. The attacker can then replace the memory referenced by the handle
that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the
attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.
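Review bot: backticks inside a %q{} literal are ordinary characters, so the `NtGdiResetDC()`, `hdcOpenDCW()` and `NT AUTHORITY\SYSTEM` markup in 'Description' will be printed literally in msfconsole's info output rather than rendered as code; drop the backticks in the Ruby copy (keeping them in the markdown docs is fine) and, as in the docs, write NT AUTHORITY\SYSTEM the same way in both places it appears. Filling in 'Name' from the empty string to "Win32k NtGdiResetDC Use After Free Local Privilege Elevation" is needed since that string is the module's display title, and the "byt his" typo fix matches the one made in the docs.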
@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Local
return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
end
build_num_raw = session.shell_command_token('cmd.exe /c ver')
build_num_raw = cmd_exec('cmd.exe /c ver')
build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
if build_num.nil?
print_error("Couldn't retrieve the target's build number!")
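Review bot: replacing `session.shell_command_token('cmd.exe /c ver')` with `cmd_exec('cmd.exe /c ver')` is the right fix, because `cmd_exec` is provided for both shell and Meterpreter sessions while `shell_command_token` only exists on shell sessions, so the check no longer breaks on a Meterpreter session (on a shell session `cmd_exec` delegates to the same token-delimited mechanism, so behaviour there is unchanged). One thing worth a comment on the following line: the `/\d+\.\d+\.\d+\.\d+/` match relies on `ver` printing the full four-part version, typically in the form "Microsoft Windows [Version 10.0.19041.1288]", and takes the first such quad; the nil check below covers output that does not match, but a short comment stating that assumption would help the next reader.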