SecureState Blog


Almost a year ago the nice folks at Offensive Security released a reliable exploit for MS11-080.  This vulnerability was discovered through an in-depth review of a patch released by Microsoft; the technical details are available from the original blog here.  The exploit abuses a flaw in the afd.sys driver to overwrite an address in kernel space, and it was originally released as a handy Python script written by Matteo Memelli.

Penetration testers try to keep modifications of their clients' systems to a minimum.  As such, installing Python is not typically an attractive option, and although the Python code can easily be converted to an executable via Py2Exe, it is still not quite as easy to use as it could be.  To make it more easily usable by a penetration tester, it has been ported to a module for the Metasploit framework.  The original exploit logic is all the same; however, instead of spawning a command prompt running as SYSTEM, the exploit injects a new payload into a SYSTEM-owned process.  After injecting the shellcode into a SYSTEM process, the exploit cleans up by restoring its own token using the shellcode from the original Python exploit.  This method was adopted because elevating the current Meterpreter process directly would leave the reference count of the SYSTEM token off, which would cause system instability.  This Metasploit module also has the advantage of not requiring anything to be written to disk, thus minimizing the chance of being caught by any type of anti-virus.

It should be noted that this exploit does rely on kernel memory corruption, and thus all the inherent risks are applicable.  In lab scenarios the exploit has proven to be reliable; however, the user must select and configure their payload carefully to ensure it doesn't kill the SYSTEM process it is injected into (for example, a payload whose exit method terminates the whole host process rather than just its own thread).  Failure to set the payload correctly can result in the target system blue-screening, something which penetration testers definitely try to avoid causing in production environments.  Finally, thanks to Matteo Memelli for such a fine example of a local kernel exploit.

The exploit can be found here.