Land rapid7#7835, Add Windows Local Privilege Escalation exploit stub

Author: Brent Cook

external/source/exploits/capcom_sys_exec/capcom_sys_exec/capcom_sys_exec.c

@@ -3,14 +3,7 @@
 #include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
 #include "kernel.h"
 
-DWORD WINAPI execute_payload(LPVOID lpPayload)
-{
-	VOID(*lpCode)() = (VOID(*)())lpPayload;
-	lpCode();
-	return ERROR_SUCCESS;
-}
-
-DWORD WINAPI capcom_sys_exec(LPVOID lpPayload)
+DWORD capcom_sys_exec(LPVOID lpPayload)
 {
 	const DWORD PwnControlCode = 0xAA013044;
 	HANDLE driver = INVALID_HANDLE_VALUE;

external/source/exploits/windows-lpe-template/.gitignore

@@ -0,0 +1,151 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
+!packages/*/build/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+App_Data/*.mdf
+App_Data/*.ldf
+
+# =========================
+# Windows detritus
+# =========================
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Mac crap
+.DS_Store

external/source/exploits/windows-lpe-template/make.msbuild

@@ -0,0 +1,18 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\windows-lpe-template.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86;x64" />
+
+  <Target Name="x86">
+    <Message Text="Building windows-lpe-template x86 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="Building windows-lpe-template x64 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
+  </Target>
+</Project>

external/source/exploits/windows-lpe-template/windows-lpe-template.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.40629.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "windows-lpe-template", "windows-lpe-template\windows-lpe-template.vcxproj", "{A67BA207-7AAC-4850-BEB1-E7FA07BAC0B1}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{A67BA207-7AAC-4850-BEB1-E7FA07BAC0B1}.Release|Win32.ActiveCfg = Release|Win32
+		{A67BA207-7AAC-4850-BEB1-E7FA07BAC0B1}.Release|Win32.Build.0 = Release|Win32
+		{A67BA207-7AAC-4850-BEB1-E7FA07BAC0B1}.Release|x64.ActiveCfg = Release|x64
+		{A67BA207-7AAC-4850-BEB1-E7FA07BAC0B1}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

external/source/exploits/windows-lpe-template/windows-lpe-template/exploit.c

@@ -0,0 +1,88 @@
+// Make sure you leave these defines and includes alone.
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+#include "kernel.h"
+
+// Add your own defines/includes here.
+
+DWORD WINAPI run_exploit(LPVOID lpPayload)
+{
+	// Put your required local variables here
+	//LPVOID thing = malloc(100);
+
+	do
+	{
+		// all of your exploit stuff goes here
+
+		// Do some work, check for error, if fails, break.
+		// TODO: remove this if not needed, otherwise modify
+		// to run your own code.
+		//if (FALSE)
+		//{
+		//	break;
+		//}
+
+		// prepare for kernel exploitation after the initial work has been done.
+		// This allows for other helper functions to run inside the kernel. If
+		// you forget to do this bit, then things in kernel land will crash!
+		if (!prepare_for_kernel())
+		{
+			break;
+		}
+
+		// This is where the exploit should be run from. When executing your exploit,
+		// make sure that the `steal_process_token()` function from kernel.h is executed
+		// inside the kernel (and preferrably nothing more!). This will conduct the token stealing 
+		// under the context of the kernel.
+
+		// Check to see if things worked, and that we have a payload
+		if (was_token_replaced() && lpPayload)
+		{
+			// If so, just go ahead and execute the payload that MSF sent us.
+			execute_payload(lpPayload);
+		}
+
+	} while (0);
+
+	// Free up your stuff here.
+	//if (thing != NULL)
+	//{
+	//	free(thing);
+	//}
+
+	return 0;
+}
+
+////////////////////////////////////////////////////////////////////////////////////////////////////
+//
+//  There shouldn't be any need to modify anything below this line.
+//
+////////////////////////////////////////////////////////////////////////////////////////////////////
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		hAppInstance = hinstDLL;
+		if (lpReserved != NULL)
+		{
+			*(HMODULE *)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		// lpReserved should have been passed in by MSF and points
+		// to the shellcode/payload that is to be executed if the
+		// exploit actually succeeds.
+		run_exploit(lpReserved);
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}