Fix bypassuac_injection_winsxs for x64

Tested on Windows 8.1. Prior to these changes, the bad railgun definition
would cause the session to crash.
Spencer McIntyre
2023-02-03 13:02:53 -05:00
parent b866bf59c8
commit f2e5e77e27
2 changed files with 4 additions and 4 deletions
@@ -886,7 +886,7 @@ class Def_windows_kernel32
["DWORD","dwNotifyFilter","in"],
])
dll.add_function( 'FindFirstFileA', 'DWORD',[
dll.add_function( 'FindFirstFileA', 'HANDLE',[
["PCHAR","lpFileName","in"],
["PBLOB","lpFindFileData","out"],
])
@@ -909,7 +909,7 @@ class Def_windows_kernel32
["DWORD","dwAdditionalFlags","in"],
])
dll.add_function( 'FindFirstFileW', 'DWORD',[
dll.add_function( 'FindFirstFileW', 'HANDLE',[
["PWCHAR","lpFileName","in"],
["PBLOB","lpFindFileData","out"],
])
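Review bot: Declaring the return of `FindFirstFileA` and `FindFirstFileW` as `HANDLE` presumably makes the value pointer-sized on x64, so the failure sentinel callers receive may no longer equal a 32-bit `0xFFFFFFFF`. No callers are visible in these hunks, so any existing comparison of `['return']` against a 32-bit `INVALID_HANDLE_VALUE` should be checked to confirm it still matches on both architectures. The context line `["DWORD","dwAdditionalFlags","in"]` belongs to a neighbouring definition whose return type is outside the hunk. It is worth confirming that the sibling Find* definitions (return values and the handle parameters that consume this value) use `HANDLE` consistently. A short comment above each definition, such as `# returns a search handle; pointer-sized, compare against INVALID_HANDLE_VALUE`, would record why `DWORD` was wrong.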
@@ -276,8 +276,8 @@ class MetasploitModule < Msf::Exploit::Local
andOperation = fileAttributes & client.railgun.const("FILE_ATTRIBUTE_DIRECTORY")
if andOperation
# Removes the remainder part composed of 'A' of the path and the last null character
normalizedData = findFileData[fileNamePadding, fileNamePadding + maxPath].split('AAA')[0]
path = "#{payload_filepath}\\#{normalizedData[0, normalizedData.length - 1]}"
normalizedData = findFileData[fileNamePadding, fileNamePadding + maxPath].split("\x00", 2).first
path = "#{payload_filepath}\\#{normalizedData}"
directoryNames.push(path)
end
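Review bot: The guard `if andOperation` in the unchanged context is always true, because in Ruby the integer `0` is truthy, so entries without `FILE_ATTRIBUTE_DIRECTORY` are pushed onto `directoryNames` as well. The test should be explicit, e.g. `if (fileAttributes & client.railgun.const("FILE_ATTRIBUTE_DIRECTORY")) != 0`. On the new line, `findFileData[fileNamePadding, fileNamePadding + maxPath]` passes an end offset where `String#[]` expects a length. Ruby clips the slice so it is harmless, but `findFileData[fileNamePadding, maxPath]` says what is meant. The retained comment still describes stripping the 'A' padding and should be updated to say the name is cut at the first NUL. The enclosing loop starts and ends outside this hunk.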