WindowsKernel Exploit Mixin And Module Refactoring #3612
Nice!
# @return [nil] If the name specified could not be found.
#
def find_sys_base(drvname)
unless session.railgun.dlls.keys.include?('psapi')
Why not just define the dll/function in rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb? :)
Thanks for all the feedback @Meatballs1, I've implemented everything you pointed out except for putting the shellcode in external/data. Since psapi has its definitions added to railgun now, I did remove the addition of the functions in the two novell exploits.
# @return [nil] If the name specified could not be found.
#
def find_sys_base(drvname)
if sysinfo['Architecture'] =~ /(x86|wow64)/i
I think railgun.util exposes pointer_size which is a bit neater
def pointer_size
is_64bit ? 8 : 4
end
Will see if I can get a couple of environments spun up at the weekend to test.
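To make the pointer-width point in the review concrete, here is an added stand-alone model (not code from this PR or from Metasploit) of what a driver base lookup has to do with the buffer that EnumDeviceDrivers fills in: the buffer is an array of image-base pointers that are 4 bytes wide on x86 and 8 bytes wide on x64, so the unpack width must follow the target's pointer size rather than a string match on sysinfo. No Meterpreter session or railgun call is made; the pointer blob, the driver names and the names map (which stands in for the result of GetDeviceDriverBaseNameA) are constructed sample data, and `unpack_image_bases` and `wrong_width_result` are helper names chosen for this example.

```ruby
# Added example, not Metasploit code: models how a find_sys_base-style lookup
# parses the image-base array returned by EnumDeviceDrivers, and why the
# pointer width (4 on x86, 8 on x64) has to come from the target, as the
# review's railgun.util.pointer_size suggestion does.

# Unpack a buffer holding `count` image-base pointers of the given width.
def unpack_image_bases(blob, count, pointer_size)
  fmt = pointer_size == 8 ? 'Q<' : 'V' # little-endian 64-bit or 32-bit
  blob.unpack("#{fmt}#{count}")
end

# Model of find_sys_base: return the base of the named driver, or nil.
# `names` stands in for the per-base result of GetDeviceDriverBaseNameA
# (constructed here instead of being fetched over railgun).
def find_sys_base(drvname, blob, pointer_size, names)
  # EnumDeviceDrivers reports the byte count needed; the entry count follows.
  count = blob.bytesize / pointer_size
  unpack_image_bases(blob, count, pointer_size).each do |base|
    return base if names[base].to_s.casecmp(drvname).zero?
  end
  nil
end

# Constructed sample: three drivers on a 64-bit target (addresses invented).
SAMPLE_POINTER_SIZE = 8
SAMPLE_BASES = {
  0xfffff80001000000 => 'ntoskrnl.exe',
  0xfffff88001200000 => 'hal.dll',
  0xfffff88003400000 => 'example.sys' # hypothetical driver name
}
SAMPLE_BLOB = SAMPLE_BASES.keys.pack('Q<*')

# Parsing the x64 blob with a 4-byte width splits every address into two
# halves, none of which is a known base, so the lookup silently returns nil.
def wrong_width_result
  find_sys_base('hal.dll', SAMPLE_BLOB, 4, SAMPLE_BASES)
end

if __FILE__ == $PROGRAM_NAME
  base = find_sys_base('hal.dll', SAMPLE_BLOB, SAMPLE_POINTER_SIZE, SAMPLE_BASES)
  puts format('hal.dll base: 0x%016x', base)
  puts "with the wrong width: #{wrong_width_result.inspect}"
end
```

The failure mode is the one the review is guarding against: an architecture check that misses a case does not raise, it just produces addresses that belong to no module, which is why deriving the width from one helper such as pointer_size is safer than a regex on the architecture string.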
This PR adds a new WindowsKernel exploit mixin which offers convenient functions and reduces the amount of copy and paste code between the current modules. The functions provided are helpful for exploits which need to determine the address of nt!HalDispatchTable, create token stealing shellcode, and other general tasks. Out of the 5 exploits which seem to be copy and paste descendants from each other, the following 3 have been reworked to use the mixin:

The following two modules I left unchanged because I could not obtain access to the software for testing:
Verification steps: