DCOM/RPC NTLM Reflection MS16-075 (Reflective DLL) #10418
Conversation
Please check with
Should be fixed now @jmartin-r7 =)
Travis still shows warnings not addressed.
Jenkins test this please.
Praying to the Travis god this one fixes it
Sorry still some tabs where spaces are required. https://travis-ci.org/rapid7/metasploit-framework/jobs/415146287
Run
Fixes the damn tabs and spaces. I'm gonna be livid if this doesn't work
Lord, I'm praying I fixed it... it appears differently in my IDE so a lot of the time I don't see the damn tabs/spaces, apologies for the delay @jmartin-r7
Aight @jmartin-r7 fixed all the problems with the module, is there any reason why the "Sanity Test Execution" would fail?
Jenkins test this please. Looks like there may have been an issue with the run, this may clear it.
Thanks for the PR, @realoriginal! I'm going to start working with this to get it landed over the next few days. First, I do not see documentation with this, and that would help a lot. If you have questions, feel free to ask and check out https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation. Specifically, since this has source code, please make sure to include compilation instructions.
Would providing an SLN file help? I mostly rely on those and am not entirely fluent in Visual Studio to get a derivative of the cl.exe & linker commands itself from it, as I rely mostly on the automated "build". @bwatters-r7 will do, I'll bust out the docs tomorrow. I was originally uncertain as I wasn't sure if you guys were happy with the reliance on incognito to impersonate the token, which is why I refrained from writing them yet, but it shall be done =). Thank you!
@realoriginal a .sln file would be great, though the current Metasploit "standard" is Visual Studio 2013. If you send a .sln file in that format, that's awesome, but I am willing to work with whatever you can provide.
Added a solution file, almost done with documentation. I don't have Visual Studio 2013 and apparently on my machine it refused to install, so I used the one I compiled originally with, VS 2017. Hopefully this helps slightly. You'll have to build in Release mode as that's the only version to which I added the preprocessor definitions / removed the reliance on precompiled headers. Also, in contrast to the original MSFRottenPotato.cpp, I made a slight change to close the listener 6666 socket after achieving the new token.
Documentation is complete.
@realoriginal: I took care of it with a ninja push. I also merged
@realoriginal: I may have been mistaken about the CVE, so please fix it if it's wrong!
nitpicks
Aight I'll give those a fix and thank you very much!
I'm pretty sure it's the right CVE but I'll check again @wvu-r7
This was a quick look-over. I want to dig into the C code a bit more tomorrow.
LPORT 3312 yes The listen port Exploit target: | ||
Id Name | ||
-- ---- | ||
1 Windows x64 msf exploit(windows/local/ms16_075_reflection) > run |
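Review bot: the options output, the `Exploit target` table and the `msf exploit(...) > run` prompt have collapsed onto single lines in this documentation excerpt, so the table will not render as a table; put each row (`Id Name`, `-- ----`, `1 Windows x64`) on its own line inside a fenced block, keep the `run` prompt in a separate block, and normalise the markdown file's line endings to LF so the rows stay separate.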
You may want to double-check line endings.......
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration"> | ||
<ConfigurationType>DynamicLibrary</ConfigurationType> | ||
<UseDebugLibraries>true</UseDebugLibraries> | ||
<PlatformToolset>v141</PlatformToolset> |
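Review bot: `<PlatformToolset>v141</PlatformToolset>` pins the Debug|Win32 configuration to the VS2017 toolset, while the stated baseline for Metasploit is VS2013; change it to `v120` and make the same change in every other `<PropertyGroup ... Label="Configuration">` in the project, otherwise the Release build the documentation tells people to produce will still require VS2017.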
Target toolset 120 to support VS2013
fail_with(Failure::None, 'Session is already elevated') | ||
end | ||
|
||
if sysinfo["Architecture"] =~ /wow64/i |
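Review bot: `if sysinfo["Architecture"] =~ /wow64/i` tests the OS architecture string for a token it never contains (it is only ever `ARCH_X86` or `ARCH_X64`), so this branch is dead code; detect a WOW64 session by comparing the process architecture with the OS architecture instead, e.g. `if client.arch != sysinfo['Architecture']`, and derive the injected DLL's architecture from `client.arch`, since the DLL must match the Meterpreter process it is loaded into.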
Why not move this up with the other arch checks?
Are we sure that `Architecture` contains `wow64` any more? I thought we removed that. If the intent is to detect if the current process is wow64 then you need to check both `client.arch` (to get the arch of Meterpreter) and `sysinfo['Architecture']` (to get the arch of the OS).
```ruby
if client.arch != sysinfo['Architecture']
  # gotta be a wow64 process
end
```
end | ||
elsif sysinfo["Architecture"] == ARCH_X86 | ||
arch = ARCH_X86 | ||
end |
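Review bot: the `elsif sysinfo["Architecture"] == ARCH_X86` branch sets `arch` from the OS architecture, but the reflective DLL has to match the Meterpreter process it is injected into, so the value should come from the process: `arch = client.arch`. With that, the whole if/elsif chain reduces to one assignment plus a single guard that `client.arch` is `ARCH_X86` or `ARCH_X64`, which also answers the earlier question about moving this up with the other arch checks.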
Yeah this is overkill and wrong. `sysinfo['Architecture']` contains the OS architecture, full stop (no `wow64` or anything in it). It will either be `ARCH_X86` or `ARCH_X64`. It has nothing to do with the arch of the current process. That can be found in `client.arch`.
end | ||
|
||
def check | ||
privs = client.sys.config.getprivs |
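Review bot: `check` should leave the session as it found it, but `client.sys.config.getprivs` enables every privilege it enumerates, so running `check` alone changes the token. If the Meterpreter API offers no read-only way to list privileges, add a comment above this call stating the side effect, mention it in the module documentation, and make sure `check` returns a `CheckCode` based only on whether `SeImpersonatePrivilege` appears in `privs`.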
Bear in mind that `getprivs` actually enables all the current privileges while enumerating them.
Is there a better way to check for SeImpersonatePrivilege? I found no other check....
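The two review threads above, on picking the injection architecture from `client.arch` rather than `sysinfo['Architecture']` and on testing for SeImpersonatePrivilege from the list `getprivs` returns, can be modelled outside a session so the decision logic is testable. The following is an added example, not code from this PR or from the Metasploit module; `select_injection_arch`, `impersonate_privilege?` and `check_session` are hypothetical names, the `ARCH_X86`/`ARCH_X64` values are assumed to match Metasploit's `'x86'`/`'x64'`, and the arguments stand in for what `client.arch`, `sysinfo['Architecture']` and `getprivs` return.

```ruby
# Added example (not from the PR): pure-Ruby model of the architecture and
# privilege checks discussed in the review, runnable without a Meterpreter
# session. Assumption: ARCH_X86/ARCH_X64 carry the same string values
# Metasploit uses ('x86'/'x64'). client_arch stands in for client.arch,
# os_arch for sysinfo['Architecture'], privs for the array getprivs returns.
ARCH_X86 = 'x86'.freeze
ARCH_X64 = 'x64'.freeze
SUPPORTED_ARCHES = [ARCH_X86, ARCH_X64].freeze

# Returns a hash describing what the module should do:
#   :wow64 -> true when Meterpreter is a 32-bit process on a 64-bit OS
#   :arch  -> architecture the injected DLL must be built for, i.e. the
#             architecture of the current process, never that of the OS
#   :error -> a message when the session cannot be used
def select_injection_arch(client_arch, os_arch)
  unless SUPPORTED_ARCHES.include?(client_arch) && SUPPORTED_ARCHES.include?(os_arch)
    return { error: "Unsupported architecture combination: process=#{client_arch.inspect}, os=#{os_arch.inspect}" }
  end
  # A 64-bit process cannot run on a 32-bit OS; report inconsistent sysinfo
  # instead of guessing which value to trust.
  if client_arch == ARCH_X64 && os_arch == ARCH_X86
    return { error: 'Process reports x64 but the OS is x86; sysinfo is inconsistent' }
  end
  # The reviewer's rule: a mismatch means the process runs under WOW64.
  { wow64: client_arch != os_arch, arch: client_arch }
end

# Reads only the privilege names handed to it, so it has no side effect of
# its own; the one side effect left is the getprivs call that produced the list.
def impersonate_privilege?(privs)
  privs.any? { |name| name.casecmp('SeImpersonatePrivilege').zero? }
end

# Combines both checks into the verdict a check method would report:
# [:unsupported, why] / [:safe, why] / [:appears, note]
def check_session(client_arch, os_arch, privs)
  sel = select_injection_arch(client_arch, os_arch)
  return [:unsupported, sel[:error]] if sel[:error]
  return [:safe, 'Session lacks SeImpersonatePrivilege'] unless impersonate_privilege?(privs)

  note = sel[:wow64] ? 'WOW64 process, inject the x86 DLL' : "#{sel[:arch]} process"
  [:appears, note]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not taken from a real session.
  p check_session(ARCH_X86, ARCH_X64, %w[SeChangeNotifyPrivilege SeImpersonatePrivilege])
  p check_session(ARCH_X64, ARCH_X64, %w[SeChangeNotifyPrivilege])
  p check_session(ARCH_X64, ARCH_X86, %w[SeImpersonatePrivilege])
end
```

The point of keeping `select_injection_arch` separate from the privilege test is that the first answers "which DLL" (always the process architecture) while the second answers "is this session worth trying"; neither touches the token, so the only state change left in the real module is the `getprivs` call itself, which the module can document in one place.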
Note to future self (or anyone who is as bad as I am with IIS) for setting up a test environment:
I made a couple of changes per the suggestions. I need to go back and fix the reference in the C++ to the conditional variable, as it does not compile using the v120 toolset. I've dealt with that error before, but I do forget what I did to solve it. I'll hit it again tomorrow and try to land it.
oooop- also need to fix the markdown document name....
@realoriginal, I'm having trouble getting the exploit to run when I recompile it. I switched it to 2013 and fixed the error, but it fails when I run it:
I went ahead and installed 2015U3 and could compile it with no changes, and it still fails. Could you double check the solution file and source code? The original binary seems to work fine, but recompiling results in a binary that fails. Thanks
Yes I can check the code again, shouldn't have any problems but yeah, granted I only compiled in VS 2017.
Checked, no code issues that I saw when reviewing the source. Solution file seems to have everything needed in it to compile the RELEASE builds. Hm. I wouldn't have a clue without debugging it as a normal DLL to understand what could be wrong with building with the VS 2015 and 2013 toolkits. Optionally, this may be a problem: the reflective header files / C files I used were a modified version of the https://github.com/rapid7/reflectivedllinjection/tree/vs2017 VS 2017 branch. The reasoning I used this version was that, since I was originally building with VS 2017, I couldn't compile the reflective functions without this version. That's my best guess of what could be the problem; perhaps the changes in the reflective functions that allow it to build / work with VS 2017 break building / working properly on 2013/2015.
So.... uh, this is interesting. Honestly, I am not OK with this.... I need to read up on some things and double check I'm not messing something else up.
Merge branch 'land-10418' into upstream-master
Release Notes
The
About
The module exploits the SeImpersonatePrivilege given to service accounts on Windows, which enables us to forge tokens and impersonate NT AUTHORITY\SYSTEM. As it utilizes reflective injection it solves the permission issues as well as doesn't leave behind traces. It can be used in an existing session where the account has SeImpersonatePrivilege. It spawns a new notepad process and injects the RottenPotato DLL into its memory, which points to the shellcode and executes it. However, once the exploit is completed we need to load the incognito extension and then impersonate the token manually.
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/windows/local/ms16_075_reflection
set SESSION <session>
set TARGET <remote architecture index>
set PAYLOAD <payload>
run
load incognito
impersonate_token('NT AUTHORITY\SYSTEM')
Demo
gotta love session 48
I would hope to get this PR'd a lot sooner, but I'd been stuck and at this point I figured I may as well PR and ask for expert advice to get this ball rolling! Apologies in advance.