defc0ebe5c
This commit contains a few changes for the ppr_flatten_rec local windows exploit.

First, the exploit binary itself:

* Updated to use the RDI submodule.
* Updated to build with VS2013.
* Updated to generate a binary called `ppr_flatten_rc.x86.dll`.
* Invocation of the exploit requires address of the payload to run.

Second, the module in MSF behaved a little strange. I expected it to create a new session with system privs and leave the existing session alone. This wasn't the case. It used to create an instance of notepad, migrate the _existing_ session to it, and run the exploit from there. This behaviour didn't seem to be consistent with other local exploits. The changes include:

* Existing session is now left alone, only used as a proxy.
* New notepad instance has exploit reflectively loaded.
* New notepad instance has payload directly injected.
* Exploit invocation takes the payload address as a parameter.
* A wait is added as the exploit is slow to run (nature of the exploit).
* Payloads are executed on successful exploit.
19 lines
609 B
XML
Executable File
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <SolutionPath>.\ppr_flatten_rec.sln</SolutionPath>
  </PropertyGroup>

  <Target Name="all" DependsOnTargets="x86" />

  <Target Name="x86">
    <Message Text="Building CVE-2013-3660 ppr_flatten_rc x86 Release version" />
    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
  </Target>

  <Target Name="x64">
    <Message Text="ppr_flatten_rec is not supported in x64" />
  </Target>
</Project>