mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-03-24 18:16:24 +01:00
8070ff7771

Exploitation of the System process on Windows XP SP0 resulted in crashes when meterpreter was enumerating network interfaces. It appears that the System process isn't able to read from the address that contains prefixes (stored in pPrefix in interfaces.c). In other cases, such as exploitation of svchost.exe or via an msfpayload-generated exe, there was no such crash. This is not an issue on later versions of Windows.

This crash happens in the current "production" version of Meterpreter that was deployed with MSF v4.7. The MS08-067 exploit targets the System process, and hence crashes. The MS03-26 exploit targets svchost, and hence does not crash. Checking the protection of the memory in each of those cases showed that MEM_COMMIT was set when not the System process, and was MEM_RESERVED when it was. Sample runs can be seen here: http://pastebin.com/2WHqJ90A

This commit is an attempt to avoid this crash down the track, and it just does a simple check to see if querying the area of memory for the current process shows a state of MEM_COMMIT. If so, it carries on as normal; if not, it uses the other legacy code path to traverse the network interfaces. With this "fix" in place I have not seen a crash at all on Windows XP, Windows 7, Windows 8 and Windows 2012.
Languages: C 62.9%, Python 28.9%, C++ 2.4%, Java 2%, Shell 1.4%, Other 2%