You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Railgun uses a native-sized value for PDWORD values when it should always treat the value as a pointer to a 32-bit integer. This is likely to handle the lack of a pointer type to a native signed integer like PHANDLE or PSIZE_T which will probably need to be added. This causes issues when uninitialized 32-bits change the value which is the case for the GetFileSecurityA function which is used by the Msf::Post::Windows::Accounts mixin. When called on a 64-bit system, the 'lpnLengthNeeded' value includes the uninitialized 32-bits causing the value to be much larger than anticipated (0x41414141000000a0 IIRC on my system), leading the check to fail.
Steps to reproduce`
Test this by using the exploit/windows/local/service_permissionsmodule.
Configure a service to have loose file system permissions, (grant full control to the everyone group for the directory and service executable)
Obtain an x64 Windows Meterpreter session on a 64-bit version of Windows
Use the exploit/windows/local/service_permissions module
Run the module and see that the file permissions techniques does not work, despite the open permissions
This is due to the check_dir_perms function failing because of the broken GetFileSecurityA call.
Were you following a specific guide/tutorial or reading documentation?
I was working on updating the exploit/windows/local/service_permissions module.
Expected behavior
Railgun should always treat a PDWORD as a pointer to a 32-bit integer. There should also be a PHANDLE type and possibly a PSIZE_T type to handle pointers to natively sized values. The PDWORD values that are of the out and inout types will need to be checked for accuracy to ensure that updating this will not cause values to be truncated in the event that the function expects the value to be natively signed.
The text was updated successfully, but these errors were encountered:
Railgun uses a native-sized value for
PDWORD
values when it should always treat the value as a pointer to a 32-bit integer. This is likely to handle the lack of a pointer type to a native signed integer likePHANDLE
orPSIZE_T
which will probably need to be added. This causes issues when uninitialized 32-bits change the value which is the case for theGetFileSecurityA
function which is used by theMsf::Post::Windows::Accounts
mixin. When called on a 64-bit system, the 'lpnLengthNeeded' value includes the uninitialized 32-bits causing the value to be much larger than anticipated (0x41414141000000a0 IIRC on my system), leading the check to fail.Steps to reproduce`
Test this by using the
exploit/windows/local/service_permissions
module.exploit/windows/local/service_permissions
modulecheck_dir_perms
function failing because of the brokenGetFileSecurityA
call.Were you following a specific guide/tutorial or reading documentation?
I was working on updating the
exploit/windows/local/service_permissions
module.Expected behavior
Railgun should always treat a
PDWORD
as a pointer to a 32-bit integer. There should also be aPHANDLE
type and possibly aPSIZE_T
type to handle pointers to natively sized values. The PDWORD values that are of theout
andinout
types will need to be checked for accuracy to ensure that updating this will not cause values to be truncated in the event that the function expects the value to be natively signed.The text was updated successfully, but these errors were encountered: