Railgun uses incorrect size for PDWORD values on x64 systems #14400

Closed
zeroSteiner opened this issue Nov 17, 2020 · 0 comments · Fixed by #14448
zeroSteiner commented Nov 17, 2020

Railgun uses a native-sized value for PDWORD values when it should always treat the value as a pointer to a 32-bit integer. This is likely to handle the lack of a pointer type to a native signed integer like PHANDLE or PSIZE_T, which will probably need to be added. This causes issues when uninitialized 32 bits change the value, which is the case for the GetFileSecurityA function that is used by the Msf::Post::Windows::Accounts mixin. When called on a 64-bit system, the 'lpnLengthNeeded' value includes the uninitialized 32 bits, causing the value to be much larger than anticipated (0x41414141000000a0 IIRC on my system), leading the check to fail.

Steps to reproduce

Test this by using the exploit/windows/local/service_permissions module.

  1. Configure a service to have loose file system permissions (grant full control to the Everyone group for the directory and service executable)
  2. Obtain an x64 Windows Meterpreter session on a 64-bit version of Windows
  3. Use the exploit/windows/local/service_permissions module
  4. Run the module and see that the file permissions technique does not work, despite the open permissions
    • This is due to the check_dir_perms function failing because of the broken GetFileSecurityA call.

Were you following a specific guide/tutorial or reading documentation?

I was working on updating the exploit/windows/local/service_permissions module.

Expected behavior

Railgun should always treat a PDWORD as a pointer to a 32-bit integer. There should also be a PHANDLE type and possibly a PSIZE_T type to handle pointers to natively sized values. The PDWORD values that are of the out and inout types will need to be checked for accuracy to ensure that updating this will not cause values to be truncated in the event that the function expects the value to be natively signed.
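The read-back error described in this issue, as an added illustration that is not Railgun's or Metasploit's own code. It models a Railgun out-buffer as a Ruby byte string, assumes the memory behind the buffer is not zero-filled (modelled here with a constructed 0x41 filler, matching the 0x41414141 pattern quoted above), has a stand-in callee write a single little-endian DWORD the way GetFileSecurityA writes lpnLengthNeeded, and then reads the value back both the buggy way (native pointer width, 8 bytes on x64) and the correct way (always 4 bytes). The `length_needed_fits?` helper is a hypothetical stand-in for the size comparison that fails in check_dir_perms.

```ruby
# Added illustration (not Railgun's own code): a PDWORD out-parameter read back
# as a native-sized (8-byte) value on x64 instead of the 4-byte DWORD the callee
# actually wrote.

# Constructed stand-in for a Railgun out-buffer. The memory Railgun hands to the
# callee is not guaranteed to be zeroed; 0x41 is used here as an "uninitialized"
# filler so the failure mode matches the value quoted in the issue.
UNINIT_FILL = 0x41

def fresh_buffer(size)
  [UNINIT_FILL].pack('C') * size
end

# Model of the callee (e.g. GetFileSecurityA writing *lpnLengthNeeded): the Win32
# API stores exactly one 32-bit little-endian DWORD at the start of the buffer
# and leaves any remaining bytes untouched.
def callee_writes_dword(buf, value)
  buf[0, 4] = [value].pack('V') # 'V' = 32-bit little-endian unsigned
  buf
end

# Buggy read-back: treat PDWORD like a pointer to a native-sized integer and
# unpack the target's pointer width. On x64 the 4 leftover bytes above the DWORD
# become the high half of the result.
def read_pdword_native(buf, native_size)
  fmt = native_size == 8 ? 'Q<' : 'V' # 'Q<' = 64-bit little-endian unsigned
  buf[0, native_size].unpack1(fmt)
end

# Correct read-back: a PDWORD always points at a 32-bit value, regardless of the
# target's pointer width.
def read_pdword(buf)
  buf[0, 4].unpack1('V')
end

# Hypothetical size check of the shape described in the issue: the first call
# reports how many bytes the security descriptor needs, and the caller decides
# whether that fits a reasonable second buffer.
def length_needed_fits?(length_needed, max_len)
  length_needed <= max_len
end

# Run the callee against a buffer of the given native size and return both
# readings so the difference can be compared directly.
def demo(native_size)
  buf = fresh_buffer(native_size)
  callee_writes_dword(buf, 0xa0) # callee reports "160 bytes needed"
  {
    naive: read_pdword_native(buf, native_size),
    fixed: read_pdword(buf),
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo(8)
  printf("x64 native-width read: 0x%016x (fits in 0x1000? %s)\n",
         r[:naive], length_needed_fits?(r[:naive], 0x1000))
  printf("x64 32-bit read      : 0x%016x (fits in 0x1000? %s)\n",
         r[:fixed], length_needed_fits?(r[:fixed], 0x1000))
end
```

On a 32-bit target both readings agree, which is why the bug only surfaces with an x64 session; on x64 the native-width read yields 0x41414141000000a0 and any sanity check on the reported length fails, while the 4-byte read yields 0xa0 as the callee intended.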
